fc19f3275d02764cf249dc6fe8962e06b83a4f5769cc369bc4f77b90c567df18

Analysis

max time kernel
149s
max time network
145s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
28-02-2023 15:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

AnyDesk (1).exe
Size

3.8MB
MD5

e546506082b374a0869bdd97b313fe5d
SHA1

082dc6b336b41788391bad20b26f4b9a1ad724fc
SHA256

fc19f3275d02764cf249dc6fe8962e06b83a4f5769cc369bc4f77b90c567df18
SHA512

15a8d7c74193dffd77639b1356ccbe975d17de73d0d6d177b8ecf816d665f620adefcded37c141bac0b2d8564fbba61aca4d9b01885740f23fbcc190515cbd08
SSDEEP

98304:uSCb8xJlb0VgU/vZaZKa4opQILfbsLajDMWEeq7PbUs6En5:uH8HCOUZakpAbjbsLsMmqM

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

AnyDesk (1).exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AnyDesk (1).exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	AnyDesk (1).exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

AnyDesk (1).exe

pid	Process
2748	AnyDesk (1).exe
2748	AnyDesk (1).exe

Suspicious use of FindShellTrayWindow 3 IoCs

Processes:

AnyDesk (1).exe

pid	Process
2288	AnyDesk (1).exe
2288	AnyDesk (1).exe
2288	AnyDesk (1).exe

Suspicious use of SendNotifyMessage 3 IoCs

Processes:

AnyDesk (1).exe

pid	Process
2288	AnyDesk (1).exe
2288	AnyDesk (1).exe
2288	AnyDesk (1).exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

AnyDesk (1).exe

description	pid	Process	procid_target
PID 372 wrote to memory of 2748	372	AnyDesk (1).exe	86
PID 372 wrote to memory of 2748	372	AnyDesk (1).exe	86
PID 372 wrote to memory of 2748	372	AnyDesk (1).exe	86
PID 372 wrote to memory of 2288	372	AnyDesk (1).exe	87
PID 372 wrote to memory of 2288	372	AnyDesk (1).exe	87
PID 372 wrote to memory of 2288	372	AnyDesk (1).exe	87

C:\Users\Admin\AppData\Local\Temp\AnyDesk (1).exe
"C:\Users\Admin\AppData\Local\Temp\AnyDesk (1).exe"
1⤵
- Checks processor information in registry
- Suspicious use of WriteProcessMemory
PID:372
- C:\Users\Admin\AppData\Local\Temp\AnyDesk (1).exe
  "C:\Users\Admin\AppData\Local\Temp\AnyDesk (1).exe" --local-service
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2748
- C:\Users\Admin\AppData\Local\Temp\AnyDesk (1).exe
  "C:\Users\Admin\AppData\Local\Temp\AnyDesk (1).exe" --local-control
  2⤵
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:2288

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace

Filesize
8KB

MD5
eecf99f46c07ef4ffb5f8a206132d981

SHA1
e0c9e37103b29d9c1cfc72dc1c266fdf6dff508c

SHA256
f38ce521a27838a3a0fd22d816b9117d6f2e1b4307e18a5ae00fc8a5b7853fb6

SHA512
94902320726561e4844bce1cf5f121d908c7f25ea75be339f0f6fef7fc61417ef241f363beb36e6fd0d38fa509dfda18b43cbd0d9d2af46e2e34e49467177f83

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace

Filesize
8KB

MD5
eecf99f46c07ef4ffb5f8a206132d981

SHA1
e0c9e37103b29d9c1cfc72dc1c266fdf6dff508c

SHA256
f38ce521a27838a3a0fd22d816b9117d6f2e1b4307e18a5ae00fc8a5b7853fb6

SHA512
94902320726561e4844bce1cf5f121d908c7f25ea75be339f0f6fef7fc61417ef241f363beb36e6fd0d38fa509dfda18b43cbd0d9d2af46e2e34e49467177f83

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\service.conf

Filesize
2KB

MD5
ee81558bb6c804de16c39090d82675a5

SHA1
72f82308c129abcd6f247883ae62d96edb53b3de

SHA256
177d5430d40c95eb701fd744462f62d3974901f1bac8aedd9a927b74148402c1

SHA512
29405fe8cca080a5580cdbf9c4490143fb2e7eb2f8e5f1e08478f8339605973eed8bbdd55cfbb91b4d9061a583a81e73629b1319ec24a27069107da8e2120d5d

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\service.conf

Filesize
2KB

MD5
ee81558bb6c804de16c39090d82675a5

SHA1
72f82308c129abcd6f247883ae62d96edb53b3de

SHA256
177d5430d40c95eb701fd744462f62d3974901f1bac8aedd9a927b74148402c1

SHA512
29405fe8cca080a5580cdbf9c4490143fb2e7eb2f8e5f1e08478f8339605973eed8bbdd55cfbb91b4d9061a583a81e73629b1319ec24a27069107da8e2120d5d

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
312B

MD5
0c04ad1083dc5c7c45e3ee2cd344ae38

SHA1
f1cf190f8ca93000e56d49732e9e827e2554c46f

SHA256
6452273c017db7cbe0ffc5b109bbf3f8d3282fb91bfa3c5eabc4fb8f1fc98cb0

SHA512
6c414b39bbc1f1f08446c6c6da6f6e1ceb9303bbf183ae279c872d91641ea8d67ec5e5c4e0824da3837eca73ec29fe70e92b72c09458c8ce50fa6f08791d1492

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
424B

MD5
739835a6e8de6a3aa1af6f7f548013ef

SHA1
65b9bc50511d5a04d3c9b35fe8e79eb615f1772e

SHA256
066bb26aebed713ca26c0b83c6527228b9f96a01b1f73b0e599cc88ea6ae22e7

SHA512
9dc4d36313771050cfc103713c636750a0b2cf73eb7a53f016076790dad6ac01f3b6a3aede51c83aa0832232c46c66f29708adc8fc3868caca8d532615007a77

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
424B

MD5
739835a6e8de6a3aa1af6f7f548013ef

SHA1
65b9bc50511d5a04d3c9b35fe8e79eb615f1772e

SHA256
066bb26aebed713ca26c0b83c6527228b9f96a01b1f73b0e599cc88ea6ae22e7

SHA512
9dc4d36313771050cfc103713c636750a0b2cf73eb7a53f016076790dad6ac01f3b6a3aede51c83aa0832232c46c66f29708adc8fc3868caca8d532615007a77

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
424B

MD5
f52d3eec1ba2f745970a97081ecaa3f7

SHA1
326162af7cbbd56df3d5158fae8b1ed941742956

SHA256
05ed4c466da86626630b418cd04a935d1125d3f66b1ddaef7d88e5afcb171a70

SHA512
c87f46a0128f04f9c185c41975f283c86043e5c3949ee1ca92cd621b79d4133444b23c2d3e8ed1ecb21c2a93b446ce8ff61de8740817a9b919592df9f544ff95

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
424B

MD5
f52d3eec1ba2f745970a97081ecaa3f7

SHA1
326162af7cbbd56df3d5158fae8b1ed941742956

SHA256
05ed4c466da86626630b418cd04a935d1125d3f66b1ddaef7d88e5afcb171a70

SHA512
c87f46a0128f04f9c185c41975f283c86043e5c3949ee1ca92cd621b79d4133444b23c2d3e8ed1ecb21c2a93b446ce8ff61de8740817a9b919592df9f544ff95

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
424B

MD5
739835a6e8de6a3aa1af6f7f548013ef

SHA1
65b9bc50511d5a04d3c9b35fe8e79eb615f1772e

SHA256
066bb26aebed713ca26c0b83c6527228b9f96a01b1f73b0e599cc88ea6ae22e7

SHA512
9dc4d36313771050cfc103713c636750a0b2cf73eb7a53f016076790dad6ac01f3b6a3aede51c83aa0832232c46c66f29708adc8fc3868caca8d532615007a77

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
424B

MD5
739835a6e8de6a3aa1af6f7f548013ef

SHA1
65b9bc50511d5a04d3c9b35fe8e79eb615f1772e

SHA256
066bb26aebed713ca26c0b83c6527228b9f96a01b1f73b0e599cc88ea6ae22e7

SHA512
9dc4d36313771050cfc103713c636750a0b2cf73eb7a53f016076790dad6ac01f3b6a3aede51c83aa0832232c46c66f29708adc8fc3868caca8d532615007a77

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
424B

MD5
f52d3eec1ba2f745970a97081ecaa3f7

SHA1
326162af7cbbd56df3d5158fae8b1ed941742956

SHA256
05ed4c466da86626630b418cd04a935d1125d3f66b1ddaef7d88e5afcb171a70

SHA512
c87f46a0128f04f9c185c41975f283c86043e5c3949ee1ca92cd621b79d4133444b23c2d3e8ed1ecb21c2a93b446ce8ff61de8740817a9b919592df9f544ff95

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
424B

MD5
739835a6e8de6a3aa1af6f7f548013ef

SHA1
65b9bc50511d5a04d3c9b35fe8e79eb615f1772e

SHA256
066bb26aebed713ca26c0b83c6527228b9f96a01b1f73b0e599cc88ea6ae22e7

SHA512
9dc4d36313771050cfc103713c636750a0b2cf73eb7a53f016076790dad6ac01f3b6a3aede51c83aa0832232c46c66f29708adc8fc3868caca8d532615007a77

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
424B

MD5
739835a6e8de6a3aa1af6f7f548013ef

SHA1
65b9bc50511d5a04d3c9b35fe8e79eb615f1772e

SHA256
066bb26aebed713ca26c0b83c6527228b9f96a01b1f73b0e599cc88ea6ae22e7

SHA512
9dc4d36313771050cfc103713c636750a0b2cf73eb7a53f016076790dad6ac01f3b6a3aede51c83aa0832232c46c66f29708adc8fc3868caca8d532615007a77

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
424B

MD5
f52d3eec1ba2f745970a97081ecaa3f7

SHA1
326162af7cbbd56df3d5158fae8b1ed941742956

SHA256
05ed4c466da86626630b418cd04a935d1125d3f66b1ddaef7d88e5afcb171a70

SHA512
c87f46a0128f04f9c185c41975f283c86043e5c3949ee1ca92cd621b79d4133444b23c2d3e8ed1ecb21c2a93b446ce8ff61de8740817a9b919592df9f544ff95

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
424B

MD5
739835a6e8de6a3aa1af6f7f548013ef

SHA1
65b9bc50511d5a04d3c9b35fe8e79eb615f1772e

SHA256
066bb26aebed713ca26c0b83c6527228b9f96a01b1f73b0e599cc88ea6ae22e7

SHA512
9dc4d36313771050cfc103713c636750a0b2cf73eb7a53f016076790dad6ac01f3b6a3aede51c83aa0832232c46c66f29708adc8fc3868caca8d532615007a77

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
424B

MD5
f52d3eec1ba2f745970a97081ecaa3f7

SHA1
326162af7cbbd56df3d5158fae8b1ed941742956

SHA256
05ed4c466da86626630b418cd04a935d1125d3f66b1ddaef7d88e5afcb171a70

SHA512
c87f46a0128f04f9c185c41975f283c86043e5c3949ee1ca92cd621b79d4133444b23c2d3e8ed1ecb21c2a93b446ce8ff61de8740817a9b919592df9f544ff95

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
424B

MD5
739835a6e8de6a3aa1af6f7f548013ef

SHA1
65b9bc50511d5a04d3c9b35fe8e79eb615f1772e

SHA256
066bb26aebed713ca26c0b83c6527228b9f96a01b1f73b0e599cc88ea6ae22e7

SHA512
9dc4d36313771050cfc103713c636750a0b2cf73eb7a53f016076790dad6ac01f3b6a3aede51c83aa0832232c46c66f29708adc8fc3868caca8d532615007a77

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
424B

MD5
f52d3eec1ba2f745970a97081ecaa3f7

SHA1
326162af7cbbd56df3d5158fae8b1ed941742956

SHA256
05ed4c466da86626630b418cd04a935d1125d3f66b1ddaef7d88e5afcb171a70

SHA512
c87f46a0128f04f9c185c41975f283c86043e5c3949ee1ca92cd621b79d4133444b23c2d3e8ed1ecb21c2a93b446ce8ff61de8740817a9b919592df9f544ff95

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
3378a9969978ca09080443aa910b7032

SHA1
94566ef92292a20ec4115f407e5731a05b8f64b2

SHA256
8e42e934b2457093062ce13216c58b5b1173c62db9b33e1138ba2a9a0b129f6d

SHA512
383f6eb1b3d646f7786edd00cc4955a97be192fb207fe75cbc6ca6163666f7ae26f47005fa0b7fb06e5730730a32d5b2702677d13a0fbf05d447c5f10864d607

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
3378a9969978ca09080443aa910b7032

SHA1
94566ef92292a20ec4115f407e5731a05b8f64b2

SHA256
8e42e934b2457093062ce13216c58b5b1173c62db9b33e1138ba2a9a0b129f6d

SHA512
383f6eb1b3d646f7786edd00cc4955a97be192fb207fe75cbc6ca6163666f7ae26f47005fa0b7fb06e5730730a32d5b2702677d13a0fbf05d447c5f10864d607

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
5d14ed242476d72a721e791055cd7de4

SHA1
24845ee2390f4ef82f8bd54a3a10eb231a60a334

SHA256
a792dabe52b281647668ae224450e3f0f0d213d53a2768abd482d0afaed3f4d1

SHA512
eef0190a811c701e703c2678aa96b7648eaacb96a2773b80aeb997201d3ee610fea137b12cf0cd813bab84d9de2b5dcc804e072b06dc91d4cacc6284666b707e

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
5d14ed242476d72a721e791055cd7de4

SHA1
24845ee2390f4ef82f8bd54a3a10eb231a60a334

SHA256
a792dabe52b281647668ae224450e3f0f0d213d53a2768abd482d0afaed3f4d1

SHA512
eef0190a811c701e703c2678aa96b7648eaacb96a2773b80aeb997201d3ee610fea137b12cf0cd813bab84d9de2b5dcc804e072b06dc91d4cacc6284666b707e

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
5d14ed242476d72a721e791055cd7de4

SHA1
24845ee2390f4ef82f8bd54a3a10eb231a60a334

SHA256
a792dabe52b281647668ae224450e3f0f0d213d53a2768abd482d0afaed3f4d1

SHA512
eef0190a811c701e703c2678aa96b7648eaacb96a2773b80aeb997201d3ee610fea137b12cf0cd813bab84d9de2b5dcc804e072b06dc91d4cacc6284666b707e

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
5d14ed242476d72a721e791055cd7de4

SHA1
24845ee2390f4ef82f8bd54a3a10eb231a60a334

SHA256
a792dabe52b281647668ae224450e3f0f0d213d53a2768abd482d0afaed3f4d1

SHA512
eef0190a811c701e703c2678aa96b7648eaacb96a2773b80aeb997201d3ee610fea137b12cf0cd813bab84d9de2b5dcc804e072b06dc91d4cacc6284666b707e

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
4d4f4a498716be76593610384c2c572e

SHA1
6965e4dd0e183a9429524fdb38a1f702779c8929

SHA256
1f1f4b7c70aaa45070fbe9817df6ce6d012a8a77654cf7df44d4b6b47250c1cb

SHA512
f650d465539b81fcb2a058eb7e3bbce1df3e43a45d84732a7bf40df651cab1ef71692b0f7107d8ee62bd92b318c3786d1a1df7370073157b28bfdd7feeeb0dfe

Download Submit
memory/372-140-0x0000000001C00000-0x0000000001C01000-memory.dmp

Filesize
4KB

Download
memory/372-244-0x00000000005E0000-0x000000000165E000-memory.dmp

Filesize
16.5MB

Download
memory/372-161-0x00000000051E0000-0x00000000051E1000-memory.dmp

Filesize
4KB

Download
memory/372-160-0x00000000051D0000-0x00000000051D1000-memory.dmp

Filesize
4KB

Download
memory/372-133-0x00000000005E0000-0x000000000165E000-memory.dmp

Filesize
16.5MB

Download
memory/2288-141-0x00000000005E0000-0x000000000165E000-memory.dmp

Filesize
16.5MB

Download
memory/2288-295-0x00000000005E0000-0x000000000165E000-memory.dmp

Filesize
16.5MB

Download
memory/2288-162-0x0000000001E00000-0x0000000001E01000-memory.dmp

Filesize
4KB

Download
memory/2288-512-0x00000000005E0000-0x000000000165E000-memory.dmp

Filesize
16.5MB

Download
memory/2288-711-0x00000000005E0000-0x000000000165E000-memory.dmp

Filesize
16.5MB

Download
memory/2748-315-0x00000000005E0000-0x000000000165E000-memory.dmp

Filesize
16.5MB

Download
memory/2748-378-0x00000000005E0000-0x000000000165E000-memory.dmp

Filesize
16.5MB

Download
memory/2748-511-0x00000000005E0000-0x000000000165E000-memory.dmp

Filesize
16.5MB

Download
memory/2748-292-0x00000000005E0000-0x000000000165E000-memory.dmp

Filesize
16.5MB

Download
memory/2748-143-0x00000000005E0000-0x000000000165E000-memory.dmp

Filesize
16.5MB

Download
memory/2748-710-0x00000000005E0000-0x000000000165E000-memory.dmp

Filesize
16.5MB

Download