fc19f3275d02764cf249dc6fe8962e06b83a4f5769cc369bc4f77b90c567df18

Analysis

max time kernel
151s
max time network
125s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
04-03-2023 02:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

AnyDesk (1).exe
Size

3.8MB
MD5

e546506082b374a0869bdd97b313fe5d
SHA1

082dc6b336b41788391bad20b26f4b9a1ad724fc
SHA256

fc19f3275d02764cf249dc6fe8962e06b83a4f5769cc369bc4f77b90c567df18
SHA512

15a8d7c74193dffd77639b1356ccbe975d17de73d0d6d177b8ecf816d665f620adefcded37c141bac0b2d8564fbba61aca4d9b01885740f23fbcc190515cbd08
SSDEEP

98304:uSCb8xJlb0VgU/vZaZKa4opQILfbsLajDMWEeq7PbUs6En5:uH8HCOUZakpAbjbsLsMmqM

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

AnyDesk (1).exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AnyDesk (1).exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	AnyDesk (1).exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

AnyDesk (1).exe

pid	Process
1488	AnyDesk (1).exe

Suspicious use of FindShellTrayWindow 3 IoCs

Processes:

AnyDesk (1).exe

pid	Process
1316	AnyDesk (1).exe
1316	AnyDesk (1).exe
1316	AnyDesk (1).exe

Suspicious use of SendNotifyMessage 3 IoCs

Processes:

AnyDesk (1).exe

pid	Process
1316	AnyDesk (1).exe
1316	AnyDesk (1).exe
1316	AnyDesk (1).exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

AnyDesk (1).exe

description	pid	Process	procid_target
PID 1104 wrote to memory of 1488	1104	AnyDesk (1).exe	28
PID 1104 wrote to memory of 1488	1104	AnyDesk (1).exe	28
PID 1104 wrote to memory of 1488	1104	AnyDesk (1).exe	28
PID 1104 wrote to memory of 1488	1104	AnyDesk (1).exe	28
PID 1104 wrote to memory of 1316	1104	AnyDesk (1).exe	29
PID 1104 wrote to memory of 1316	1104	AnyDesk (1).exe	29
PID 1104 wrote to memory of 1316	1104	AnyDesk (1).exe	29
PID 1104 wrote to memory of 1316	1104	AnyDesk (1).exe	29

C:\Users\Admin\AppData\Local\Temp\AnyDesk (1).exe
"C:\Users\Admin\AppData\Local\Temp\AnyDesk (1).exe"
1⤵
- Checks processor information in registry
- Suspicious use of WriteProcessMemory
PID:1104
- C:\Users\Admin\AppData\Local\Temp\AnyDesk (1).exe
  "C:\Users\Admin\AppData\Local\Temp\AnyDesk (1).exe" --local-service
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1488
- C:\Users\Admin\AppData\Local\Temp\AnyDesk (1).exe
  "C:\Users\Admin\AppData\Local\Temp\AnyDesk (1).exe" --local-control
  2⤵
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:1316

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace

Filesize
6KB

MD5
bd51c5eceaa9bd49927f43b1ddc7f18a

SHA1
aaa91f971917ad2ba47e638afeb73dff2936c8d3

SHA256
860f91c5df94b15a8a8206722aa8ff8d700759842e3a1af722daa159d017961b

SHA512
a6e03b7b6be45e0c926a0c90a56e69b7cad5d8ba7bb950990d31425056818488444675740bd898ca21c4fe8ae25ffdcc3c3207e795adae4da65b0e7a4df69ec7

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace

Filesize
6KB

MD5
bd51c5eceaa9bd49927f43b1ddc7f18a

SHA1
aaa91f971917ad2ba47e638afeb73dff2936c8d3

SHA256
860f91c5df94b15a8a8206722aa8ff8d700759842e3a1af722daa159d017961b

SHA512
a6e03b7b6be45e0c926a0c90a56e69b7cad5d8ba7bb950990d31425056818488444675740bd898ca21c4fe8ae25ffdcc3c3207e795adae4da65b0e7a4df69ec7

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\service.conf

Filesize
2KB

MD5
55c44ce6fb26778f79810702ab7ea54e

SHA1
c32a3977e64863671a2d610995e9c763ceaca5c5

SHA256
4db805858c22361fac12868af91d02f9ffd726e3a12e6ccda4c9215c7ad0535e

SHA512
43543167734755cb5550dad819ba54d92401a8f3def30486872cefd152fa5caa4e41191212559808ce776ded2e056afadb4055548651d2164c4fb2c18dd85b25

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\service.conf

Filesize
2KB

MD5
55c44ce6fb26778f79810702ab7ea54e

SHA1
c32a3977e64863671a2d610995e9c763ceaca5c5

SHA256
4db805858c22361fac12868af91d02f9ffd726e3a12e6ccda4c9215c7ad0535e

SHA512
43543167734755cb5550dad819ba54d92401a8f3def30486872cefd152fa5caa4e41191212559808ce776ded2e056afadb4055548651d2164c4fb2c18dd85b25

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
424B

MD5
16895d1c729f7e918eba932314414dea

SHA1
109dedcc5457d935368e79928ed2e40d03c6e27f

SHA256
0402c569d965ca53d20bdb7327195646fb0c21d015c90020efea4b4f95db2e92

SHA512
2c063f42fb3e63223d5c07e6558de14493763602503c2625a111ea63ea7c553f558cfb7ee37fa0897a99664e6af2d7fb0767bf6d9995a90b9e26e5fed128163a

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
424B

MD5
16895d1c729f7e918eba932314414dea

SHA1
109dedcc5457d935368e79928ed2e40d03c6e27f

SHA256
0402c569d965ca53d20bdb7327195646fb0c21d015c90020efea4b4f95db2e92

SHA512
2c063f42fb3e63223d5c07e6558de14493763602503c2625a111ea63ea7c553f558cfb7ee37fa0897a99664e6af2d7fb0767bf6d9995a90b9e26e5fed128163a

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
424B

MD5
26fd59f63c9ab3e67453c175e3b0ea98

SHA1
e4ff05ae1c5852a590fe1fd1c39b4693c7631c27

SHA256
4006b39493cfffa51a852737c070c5ee138d7c29f746b53e0491cb3254724320

SHA512
9eab6afe7126c28aa47fb74a213c7cbd3df0d6309207c70566c2c4c9f33268e207205b51d9e7b31814cfab97ca7581e456590d1693ed69ce683a16589017daab

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
424B

MD5
26fd59f63c9ab3e67453c175e3b0ea98

SHA1
e4ff05ae1c5852a590fe1fd1c39b4693c7631c27

SHA256
4006b39493cfffa51a852737c070c5ee138d7c29f746b53e0491cb3254724320

SHA512
9eab6afe7126c28aa47fb74a213c7cbd3df0d6309207c70566c2c4c9f33268e207205b51d9e7b31814cfab97ca7581e456590d1693ed69ce683a16589017daab

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
424B

MD5
16895d1c729f7e918eba932314414dea

SHA1
109dedcc5457d935368e79928ed2e40d03c6e27f

SHA256
0402c569d965ca53d20bdb7327195646fb0c21d015c90020efea4b4f95db2e92

SHA512
2c063f42fb3e63223d5c07e6558de14493763602503c2625a111ea63ea7c553f558cfb7ee37fa0897a99664e6af2d7fb0767bf6d9995a90b9e26e5fed128163a

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
424B

MD5
16895d1c729f7e918eba932314414dea

SHA1
109dedcc5457d935368e79928ed2e40d03c6e27f

SHA256
0402c569d965ca53d20bdb7327195646fb0c21d015c90020efea4b4f95db2e92

SHA512
2c063f42fb3e63223d5c07e6558de14493763602503c2625a111ea63ea7c553f558cfb7ee37fa0897a99664e6af2d7fb0767bf6d9995a90b9e26e5fed128163a

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
424B

MD5
26fd59f63c9ab3e67453c175e3b0ea98

SHA1
e4ff05ae1c5852a590fe1fd1c39b4693c7631c27

SHA256
4006b39493cfffa51a852737c070c5ee138d7c29f746b53e0491cb3254724320

SHA512
9eab6afe7126c28aa47fb74a213c7cbd3df0d6309207c70566c2c4c9f33268e207205b51d9e7b31814cfab97ca7581e456590d1693ed69ce683a16589017daab

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
424B

MD5
16895d1c729f7e918eba932314414dea

SHA1
109dedcc5457d935368e79928ed2e40d03c6e27f

SHA256
0402c569d965ca53d20bdb7327195646fb0c21d015c90020efea4b4f95db2e92

SHA512
2c063f42fb3e63223d5c07e6558de14493763602503c2625a111ea63ea7c553f558cfb7ee37fa0897a99664e6af2d7fb0767bf6d9995a90b9e26e5fed128163a

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
424B

MD5
16895d1c729f7e918eba932314414dea

SHA1
109dedcc5457d935368e79928ed2e40d03c6e27f

SHA256
0402c569d965ca53d20bdb7327195646fb0c21d015c90020efea4b4f95db2e92

SHA512
2c063f42fb3e63223d5c07e6558de14493763602503c2625a111ea63ea7c553f558cfb7ee37fa0897a99664e6af2d7fb0767bf6d9995a90b9e26e5fed128163a

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
424B

MD5
26fd59f63c9ab3e67453c175e3b0ea98

SHA1
e4ff05ae1c5852a590fe1fd1c39b4693c7631c27

SHA256
4006b39493cfffa51a852737c070c5ee138d7c29f746b53e0491cb3254724320

SHA512
9eab6afe7126c28aa47fb74a213c7cbd3df0d6309207c70566c2c4c9f33268e207205b51d9e7b31814cfab97ca7581e456590d1693ed69ce683a16589017daab

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
424B

MD5
16895d1c729f7e918eba932314414dea

SHA1
109dedcc5457d935368e79928ed2e40d03c6e27f

SHA256
0402c569d965ca53d20bdb7327195646fb0c21d015c90020efea4b4f95db2e92

SHA512
2c063f42fb3e63223d5c07e6558de14493763602503c2625a111ea63ea7c553f558cfb7ee37fa0897a99664e6af2d7fb0767bf6d9995a90b9e26e5fed128163a

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
424B

MD5
26fd59f63c9ab3e67453c175e3b0ea98

SHA1
e4ff05ae1c5852a590fe1fd1c39b4693c7631c27

SHA256
4006b39493cfffa51a852737c070c5ee138d7c29f746b53e0491cb3254724320

SHA512
9eab6afe7126c28aa47fb74a213c7cbd3df0d6309207c70566c2c4c9f33268e207205b51d9e7b31814cfab97ca7581e456590d1693ed69ce683a16589017daab

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
424B

MD5
26fd59f63c9ab3e67453c175e3b0ea98

SHA1
e4ff05ae1c5852a590fe1fd1c39b4693c7631c27

SHA256
4006b39493cfffa51a852737c070c5ee138d7c29f746b53e0491cb3254724320

SHA512
9eab6afe7126c28aa47fb74a213c7cbd3df0d6309207c70566c2c4c9f33268e207205b51d9e7b31814cfab97ca7581e456590d1693ed69ce683a16589017daab

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
424B

MD5
26fd59f63c9ab3e67453c175e3b0ea98

SHA1
e4ff05ae1c5852a590fe1fd1c39b4693c7631c27

SHA256
4006b39493cfffa51a852737c070c5ee138d7c29f746b53e0491cb3254724320

SHA512
9eab6afe7126c28aa47fb74a213c7cbd3df0d6309207c70566c2c4c9f33268e207205b51d9e7b31814cfab97ca7581e456590d1693ed69ce683a16589017daab

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
3a4fb2ae5c797f7a0d318acbcd8321b3

SHA1
f46591ef738ce672470895cf6f886c81f42b3d65

SHA256
620d12a37484da041d22e0f6da6a3d59b52e597ed78c3193144b03d6a0b95553

SHA512
2349e4e6aa5e6ddff95609cb1947aff288bd74fb215edeb6f282994d923435632e770b67bed2a3018b07ca2dc9739b4496488d0c686f859f3b0bb0613d94f3ca

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
6155fc593819b0d4351baded149476fd

SHA1
45385d8157b2a180b8e5ab5e0497214dabe8fbc9

SHA256
0b0acb22efe5df0d1271f569cdd39146bafe200345ad1c7143ef019e408e787c

SHA512
0f66dfdde985b6341c30a7d22603a9f334261dd5c433832608b206d188ac713989de7104a0a89455de65c26750109a190c35265ff39e68e63f8f19b93b14fe64

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
bcc452429dd38040056d55665ca76f52

SHA1
0c971abc3658d44f0f2894d83aa793610843f2f8

SHA256
db07a79a9232a6753a32828f46d1b3faee85f9c7bc9338b1ff5426516c5f6852

SHA512
2e8895f5c19c900fe40cf942a2e15548fa9c0e55c0edd27a3101551de05e7c4490bcda5581b246d67081bf696e7ec47e0cbf3457e49f8dc2e7f28534251fca7f

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
aca0d7f1135509f1e4d0aa1bd9dadf5b

SHA1
861de5f9d5ca90d85346af6136d73be4ee701710

SHA256
c662d939bc9ea94159c061ad88976060be2f43efd80566c6e5e6f25af3b9ea45

SHA512
951e7a8acb804454de7127a8ffe7a0aee527a45593daed74862fc8eb85bd24b41630f6b9ee1cff5aecc6aa5df526a5d3ad408a2c2827675040b17ef9c613f74d

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
aca0d7f1135509f1e4d0aa1bd9dadf5b

SHA1
861de5f9d5ca90d85346af6136d73be4ee701710

SHA256
c662d939bc9ea94159c061ad88976060be2f43efd80566c6e5e6f25af3b9ea45

SHA512
951e7a8acb804454de7127a8ffe7a0aee527a45593daed74862fc8eb85bd24b41630f6b9ee1cff5aecc6aa5df526a5d3ad408a2c2827675040b17ef9c613f74d

Download Submit
memory/1104-56-0x00000000000B0000-0x00000000000B1000-memory.dmp

Filesize
4KB

Download
memory/1104-82-0x0000000001010000-0x000000000208E000-memory.dmp

Filesize
16.5MB

Download
memory/1104-54-0x0000000001010000-0x000000000208E000-memory.dmp

Filesize
16.5MB

Download
memory/1104-186-0x0000000001010000-0x000000000208E000-memory.dmp

Filesize
16.5MB

Download
memory/1104-73-0x0000000000E20000-0x0000000000E21000-memory.dmp

Filesize
4KB

Download
memory/1104-74-0x0000000003860000-0x0000000003861000-memory.dmp

Filesize
4KB

Download
memory/1316-87-0x0000000001010000-0x000000000208E000-memory.dmp

Filesize
16.5MB

Download
memory/1316-195-0x0000000001010000-0x000000000208E000-memory.dmp

Filesize
16.5MB

Download
memory/1316-175-0x0000000001010000-0x000000000208E000-memory.dmp

Filesize
16.5MB

Download
memory/1316-80-0x0000000000160000-0x0000000000161000-memory.dmp

Filesize
4KB

Download
memory/1316-451-0x0000000001010000-0x000000000208E000-memory.dmp

Filesize
16.5MB

Download
memory/1316-62-0x0000000001010000-0x000000000208E000-memory.dmp

Filesize
16.5MB

Download
memory/1488-189-0x0000000001010000-0x000000000208E000-memory.dmp

Filesize
16.5MB

Download
memory/1488-244-0x0000000001010000-0x000000000208E000-memory.dmp

Filesize
16.5MB

Download
memory/1488-174-0x0000000001010000-0x000000000208E000-memory.dmp

Filesize
16.5MB

Download
memory/1488-86-0x0000000001010000-0x000000000208E000-memory.dmp

Filesize
16.5MB

Download
memory/1488-315-0x0000000001010000-0x000000000208E000-memory.dmp

Filesize
16.5MB

Download
memory/1488-70-0x0000000001010000-0x000000000208E000-memory.dmp

Filesize
16.5MB

Download
memory/1488-450-0x0000000001010000-0x000000000208E000-memory.dmp

Filesize
16.5MB

Download