fc19f3275d02764cf249dc6fe8962e06b83a4f5769cc369bc4f77b90c567df18

Analysis

max time kernel
150s
max time network
130s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
04/03/2023, 00:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

AnyDesk (1).exe
Size

3.8MB
MD5

e546506082b374a0869bdd97b313fe5d
SHA1

082dc6b336b41788391bad20b26f4b9a1ad724fc
SHA256

fc19f3275d02764cf249dc6fe8962e06b83a4f5769cc369bc4f77b90c567df18
SHA512

15a8d7c74193dffd77639b1356ccbe975d17de73d0d6d177b8ecf816d665f620adefcded37c141bac0b2d8564fbba61aca4d9b01885740f23fbcc190515cbd08
SSDEEP

98304:uSCb8xJlb0VgU/vZaZKa4opQILfbsLajDMWEeq7PbUs6En5:uH8HCOUZakpAbjbsLsMmqM

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AnyDesk (1).exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	AnyDesk (1).exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1388	AnyDesk (1).exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
568	AnyDesk (1).exe
568	AnyDesk (1).exe
568	AnyDesk (1).exe

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
568	AnyDesk (1).exe
568	AnyDesk (1).exe
568	AnyDesk (1).exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1676 wrote to memory of 1388	1676	AnyDesk (1).exe	28
PID 1676 wrote to memory of 1388	1676	AnyDesk (1).exe	28
PID 1676 wrote to memory of 1388	1676	AnyDesk (1).exe	28
PID 1676 wrote to memory of 1388	1676	AnyDesk (1).exe	28
PID 1676 wrote to memory of 568	1676	AnyDesk (1).exe	29
PID 1676 wrote to memory of 568	1676	AnyDesk (1).exe	29
PID 1676 wrote to memory of 568	1676	AnyDesk (1).exe	29
PID 1676 wrote to memory of 568	1676	AnyDesk (1).exe	29

C:\Users\Admin\AppData\Local\Temp\AnyDesk (1).exe
"C:\Users\Admin\AppData\Local\Temp\AnyDesk (1).exe"
1⤵
- Checks processor information in registry
- Suspicious use of WriteProcessMemory
PID:1676
- C:\Users\Admin\AppData\Local\Temp\AnyDesk (1).exe
  "C:\Users\Admin\AppData\Local\Temp\AnyDesk (1).exe" --local-service
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1388
- C:\Users\Admin\AppData\Local\Temp\AnyDesk (1).exe
  "C:\Users\Admin\AppData\Local\Temp\AnyDesk (1).exe" --local-control
  2⤵
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:568

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace

Filesize
5KB

MD5
64a6e22f023c38bba0e4cf89a1fd5bd8

SHA1
56ec54bac82cf7a45043ff5c2d9f255817a90b36

SHA256
5df453f032380c105d77465912db1aaefd91d57c387ae27a910ee620e817c5d1

SHA512
19d0a75af4e27fb55d3cb6c382bf92df89c9b14581fe9d40ef58309e06c29134dffff34336a03bec94dabf2ed8cd9c6811a21c6b8db9379a6185a5a2d50c53f2

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace

Filesize
6KB

MD5
3fc843de0451e0da3ce35408a52dc486

SHA1
735f24b8936a69c61d3f1250aa56496a27c62202

SHA256
ba55520a0d6a084346a3e3cd39a99e4eff808aacb0deefe56c5329650fc85ad9

SHA512
5cc1f350c64c766074f5956fbd159c9b74f9ea0e2654708b445b96abf2201c4047d1d211a166987ba5767a5f57e52636f3db011cc216a2f1f2cb6d22dba9f295

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\service.conf

Filesize
2KB

MD5
ed607811b5942541bce0b210d58ad043

SHA1
6f04a6d28b49e6f9dbf25000f272db80cd18e58f

SHA256
d6af105d80e2bb7093ddf4ece95ee3a97fa670d7d02595d60bd94410a7ede11c

SHA512
13458e2d2a6b136c0033a48802e7d37f1c4e9806e20ff58c2cea4382be7d3404c3e995e5c08ed748ce5b90a678ab8573026ece237489500f272ef866ed019d84

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\service.conf

Filesize
2KB

MD5
ed607811b5942541bce0b210d58ad043

SHA1
6f04a6d28b49e6f9dbf25000f272db80cd18e58f

SHA256
d6af105d80e2bb7093ddf4ece95ee3a97fa670d7d02595d60bd94410a7ede11c

SHA512
13458e2d2a6b136c0033a48802e7d37f1c4e9806e20ff58c2cea4382be7d3404c3e995e5c08ed748ce5b90a678ab8573026ece237489500f272ef866ed019d84

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
424B

MD5
e2d51311309b345a48979e29ac4b77a8

SHA1
69db3af5cacd55f6dbc41e5539cbabfe23692b63

SHA256
155cb3ec13055fa54b3982e4a64b3d6189195d13ef1476dc1aae8f986f833d02

SHA512
dfc30ccdc1abc29a5c97af8670088966832f9b56df5e5151a34dda60e0da099f6d7583bf039949bda5142f3347613f619411f7aafd163b127e63de30a765f2c9

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
424B

MD5
e2d51311309b345a48979e29ac4b77a8

SHA1
69db3af5cacd55f6dbc41e5539cbabfe23692b63

SHA256
155cb3ec13055fa54b3982e4a64b3d6189195d13ef1476dc1aae8f986f833d02

SHA512
dfc30ccdc1abc29a5c97af8670088966832f9b56df5e5151a34dda60e0da099f6d7583bf039949bda5142f3347613f619411f7aafd163b127e63de30a765f2c9

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
424B

MD5
4941e8062f46a24982d0835246095dae

SHA1
d5c751a3192b95144c6c702fd7ae852eba2cc09f

SHA256
9b603ea8b483b7d2523fc3c99cd22ed10e0f532804181b6a2a50306f6103fda2

SHA512
bba1a20e4c8eec497a5ca11de119f127aeafffd02ecb30d5ce0e62a5ffd78816facf294a0fdf779990a91d37f2ca1d8b6b2246fdb4204f8b84b407971e38f761

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
424B

MD5
e2d51311309b345a48979e29ac4b77a8

SHA1
69db3af5cacd55f6dbc41e5539cbabfe23692b63

SHA256
155cb3ec13055fa54b3982e4a64b3d6189195d13ef1476dc1aae8f986f833d02

SHA512
dfc30ccdc1abc29a5c97af8670088966832f9b56df5e5151a34dda60e0da099f6d7583bf039949bda5142f3347613f619411f7aafd163b127e63de30a765f2c9

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
424B

MD5
e2d51311309b345a48979e29ac4b77a8

SHA1
69db3af5cacd55f6dbc41e5539cbabfe23692b63

SHA256
155cb3ec13055fa54b3982e4a64b3d6189195d13ef1476dc1aae8f986f833d02

SHA512
dfc30ccdc1abc29a5c97af8670088966832f9b56df5e5151a34dda60e0da099f6d7583bf039949bda5142f3347613f619411f7aafd163b127e63de30a765f2c9

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
424B

MD5
4941e8062f46a24982d0835246095dae

SHA1
d5c751a3192b95144c6c702fd7ae852eba2cc09f

SHA256
9b603ea8b483b7d2523fc3c99cd22ed10e0f532804181b6a2a50306f6103fda2

SHA512
bba1a20e4c8eec497a5ca11de119f127aeafffd02ecb30d5ce0e62a5ffd78816facf294a0fdf779990a91d37f2ca1d8b6b2246fdb4204f8b84b407971e38f761

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
424B

MD5
e2d51311309b345a48979e29ac4b77a8

SHA1
69db3af5cacd55f6dbc41e5539cbabfe23692b63

SHA256
155cb3ec13055fa54b3982e4a64b3d6189195d13ef1476dc1aae8f986f833d02

SHA512
dfc30ccdc1abc29a5c97af8670088966832f9b56df5e5151a34dda60e0da099f6d7583bf039949bda5142f3347613f619411f7aafd163b127e63de30a765f2c9

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
424B

MD5
4941e8062f46a24982d0835246095dae

SHA1
d5c751a3192b95144c6c702fd7ae852eba2cc09f

SHA256
9b603ea8b483b7d2523fc3c99cd22ed10e0f532804181b6a2a50306f6103fda2

SHA512
bba1a20e4c8eec497a5ca11de119f127aeafffd02ecb30d5ce0e62a5ffd78816facf294a0fdf779990a91d37f2ca1d8b6b2246fdb4204f8b84b407971e38f761

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
424B

MD5
e2d51311309b345a48979e29ac4b77a8

SHA1
69db3af5cacd55f6dbc41e5539cbabfe23692b63

SHA256
155cb3ec13055fa54b3982e4a64b3d6189195d13ef1476dc1aae8f986f833d02

SHA512
dfc30ccdc1abc29a5c97af8670088966832f9b56df5e5151a34dda60e0da099f6d7583bf039949bda5142f3347613f619411f7aafd163b127e63de30a765f2c9

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
424B

MD5
4941e8062f46a24982d0835246095dae

SHA1
d5c751a3192b95144c6c702fd7ae852eba2cc09f

SHA256
9b603ea8b483b7d2523fc3c99cd22ed10e0f532804181b6a2a50306f6103fda2

SHA512
bba1a20e4c8eec497a5ca11de119f127aeafffd02ecb30d5ce0e62a5ffd78816facf294a0fdf779990a91d37f2ca1d8b6b2246fdb4204f8b84b407971e38f761

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
424B

MD5
4941e8062f46a24982d0835246095dae

SHA1
d5c751a3192b95144c6c702fd7ae852eba2cc09f

SHA256
9b603ea8b483b7d2523fc3c99cd22ed10e0f532804181b6a2a50306f6103fda2

SHA512
bba1a20e4c8eec497a5ca11de119f127aeafffd02ecb30d5ce0e62a5ffd78816facf294a0fdf779990a91d37f2ca1d8b6b2246fdb4204f8b84b407971e38f761

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
424B

MD5
4941e8062f46a24982d0835246095dae

SHA1
d5c751a3192b95144c6c702fd7ae852eba2cc09f

SHA256
9b603ea8b483b7d2523fc3c99cd22ed10e0f532804181b6a2a50306f6103fda2

SHA512
bba1a20e4c8eec497a5ca11de119f127aeafffd02ecb30d5ce0e62a5ffd78816facf294a0fdf779990a91d37f2ca1d8b6b2246fdb4204f8b84b407971e38f761

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
31cac39015798950b8fc15c818739bf0

SHA1
b2b76e1951d2b3e5310522444b9ec7e0bfceefa5

SHA256
a322e2d688f4035fe703dd326146ea76de6848810edb213cd9ec3e54e8ef9811

SHA512
4d693a8e7ae0c0f1e857e75e432eecaf2f8226fc967ce69708df94c92ce32d44c19723422689d81fe1d94370d36ea9d315f52bbbd83f4ce7747c08285d609cc6

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
68a908331854fa04d38c34b8e2b73b91

SHA1
6969e96d940f2c0cd2b88cb1ce879910405cbfa7

SHA256
361780c316671a94a67c5b3feafbfe325a60901252804bbc1c5333035c3b8fc6

SHA512
1bc39e6807bd30641ff45acb97a5d9f347ff072e9dde5d862afb27981464582f40835ba8fad5b8ccdbdaafefbf64748fd7d92fa86a2bb98dc8c5d51a526b2352

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
68a908331854fa04d38c34b8e2b73b91

SHA1
6969e96d940f2c0cd2b88cb1ce879910405cbfa7

SHA256
361780c316671a94a67c5b3feafbfe325a60901252804bbc1c5333035c3b8fc6

SHA512
1bc39e6807bd30641ff45acb97a5d9f347ff072e9dde5d862afb27981464582f40835ba8fad5b8ccdbdaafefbf64748fd7d92fa86a2bb98dc8c5d51a526b2352

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
15f1e4cc3547f786a2bdb75b963eacfc

SHA1
d2d89272f9aaf61907e1086042e54a91ce4ce108

SHA256
088b28e97b3e7af64158e09ccd681adc3d44b5e4db8f6d818e43db9dc0626ce2

SHA512
2f723ad3a5a4d632b801e47911092ba7bd84dea9fea5ead8de121535c1d4ac49dac31619621620c682c06340a497daab37b10d1ffb561b32505e2b6767527c73

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
422200a0e4217a8b991f8097968255e2

SHA1
d3e426689316a710be8c7b3b916112a22bb228c8

SHA256
4915c1b21f97539b57a0caac8b9925beb0b5304cb8a1e28e9ef4912785c5a32c

SHA512
3f62b0b04d66f87d118685611a7154e530a9e3325fc5191a3bb78954500fae8f84eb176a9c739eb469663d38d6bf0b09b27cb2b770b8503a300c98190fa10a82

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
422200a0e4217a8b991f8097968255e2

SHA1
d3e426689316a710be8c7b3b916112a22bb228c8

SHA256
4915c1b21f97539b57a0caac8b9925beb0b5304cb8a1e28e9ef4912785c5a32c

SHA512
3f62b0b04d66f87d118685611a7154e530a9e3325fc5191a3bb78954500fae8f84eb176a9c739eb469663d38d6bf0b09b27cb2b770b8503a300c98190fa10a82

Download Submit
memory/568-235-0x0000000000D20000-0x0000000001D9E000-memory.dmp

Filesize
16.5MB

Download
memory/568-485-0x0000000000D20000-0x0000000001D9E000-memory.dmp

Filesize
16.5MB

Download
memory/568-63-0x0000000000D20000-0x0000000001D9E000-memory.dmp

Filesize
16.5MB

Download
memory/568-177-0x0000000000D20000-0x0000000001D9E000-memory.dmp

Filesize
16.5MB

Download
memory/568-84-0x0000000000160000-0x0000000000161000-memory.dmp

Filesize
4KB

Download
memory/1388-234-0x0000000000D20000-0x0000000001D9E000-memory.dmp

Filesize
16.5MB

Download
memory/1388-304-0x0000000000D20000-0x0000000001D9E000-memory.dmp

Filesize
16.5MB

Download
memory/1388-176-0x0000000000D20000-0x0000000001D9E000-memory.dmp

Filesize
16.5MB

Download
memory/1388-62-0x0000000000D20000-0x0000000001D9E000-memory.dmp

Filesize
16.5MB

Download
memory/1388-484-0x0000000000D20000-0x0000000001D9E000-memory.dmp

Filesize
16.5MB

Download
memory/1676-54-0x0000000000D20000-0x0000000001D9E000-memory.dmp

Filesize
16.5MB

Download
memory/1676-74-0x0000000000BF0000-0x0000000000BF1000-memory.dmp

Filesize
4KB

Download
memory/1676-73-0x0000000000BE0000-0x0000000000BE1000-memory.dmp

Filesize
4KB

Download
memory/1676-56-0x00000000001A0000-0x00000000001A1000-memory.dmp

Filesize
4KB

Download
memory/1676-173-0x0000000000D20000-0x0000000001D9E000-memory.dmp

Filesize
16.5MB

Download