fc19f3275d02764cf249dc6fe8962e06b83a4f5769cc369bc4f77b90c567df18

Analysis

max time kernel
160s
max time network
157s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
04-03-2023 02:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

AnyDesk (1).exe
Size

3.8MB
MD5

e546506082b374a0869bdd97b313fe5d
SHA1

082dc6b336b41788391bad20b26f4b9a1ad724fc
SHA256

fc19f3275d02764cf249dc6fe8962e06b83a4f5769cc369bc4f77b90c567df18
SHA512

15a8d7c74193dffd77639b1356ccbe975d17de73d0d6d177b8ecf816d665f620adefcded37c141bac0b2d8564fbba61aca4d9b01885740f23fbcc190515cbd08
SSDEEP

98304:uSCb8xJlb0VgU/vZaZKa4opQILfbsLajDMWEeq7PbUs6En5:uH8HCOUZakpAbjbsLsMmqM

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

AnyDesk (1).exe

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	AnyDesk (1).exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AnyDesk (1).exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

AnyDesk (1).exe

pid	Process
4680	AnyDesk (1).exe
4680	AnyDesk (1).exe

Suspicious use of FindShellTrayWindow 3 IoCs

Processes:

AnyDesk (1).exe

pid	Process
4688	AnyDesk (1).exe
4688	AnyDesk (1).exe
4688	AnyDesk (1).exe

Suspicious use of SendNotifyMessage 3 IoCs

Processes:

AnyDesk (1).exe

pid	Process
4688	AnyDesk (1).exe
4688	AnyDesk (1).exe
4688	AnyDesk (1).exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

AnyDesk (1).exe

description	pid	Process	procid_target
PID 4808 wrote to memory of 4680	4808	AnyDesk (1).exe	83
PID 4808 wrote to memory of 4680	4808	AnyDesk (1).exe	83
PID 4808 wrote to memory of 4680	4808	AnyDesk (1).exe	83
PID 4808 wrote to memory of 4688	4808	AnyDesk (1).exe	84
PID 4808 wrote to memory of 4688	4808	AnyDesk (1).exe	84
PID 4808 wrote to memory of 4688	4808	AnyDesk (1).exe	84

C:\Users\Admin\AppData\Local\Temp\AnyDesk (1).exe
"C:\Users\Admin\AppData\Local\Temp\AnyDesk (1).exe"
1⤵
- Checks processor information in registry
- Suspicious use of WriteProcessMemory
PID:4808
- C:\Users\Admin\AppData\Local\Temp\AnyDesk (1).exe
  "C:\Users\Admin\AppData\Local\Temp\AnyDesk (1).exe" --local-service
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4680
- C:\Users\Admin\AppData\Local\Temp\AnyDesk (1).exe
  "C:\Users\Admin\AppData\Local\Temp\AnyDesk (1).exe" --local-control
  2⤵
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:4688

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace

Filesize
6KB

MD5
2a5d418cc4dd480e82cfce94f8343f4d

SHA1
a3c6f4e2938d2fc9ac2754b76e7417d34934cbb0

SHA256
ed3f7a163cda0eafd11f1341dda234ad7f64624dce1689ed92ef28df6ff76057

SHA512
b4c514e0a29e0eacbd81e1bd610cd7dfe8289a56c4c24e307d33dca258d59d3b308650e2683f81a74ffd7b271db7fba3f60a8975aa63d645696576ea3c61cdea

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace

Filesize
7KB

MD5
9c54bb307b3a87af1e84f37db8727e75

SHA1
9513a7ca07505341b98a2a1510dc32e2bbf0807f

SHA256
92199783116a4e11f9b19812c6b8b4ce91d3a02a25086b187efab2375a77317f

SHA512
1c17a305a461deb3e9b6e65cf5a3cfdd7fd3ff2fe69d54f15c19419560b76c3201ec752aedbacb1aa3c3cfed9c01679d772c9a95c42373aa78b29382bc299aaf

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\service.conf

Filesize
2KB

MD5
44cf37b01ed52cc54193b7b51c13736b

SHA1
b42e8134d8acf9e4583000160fe72d2c38b90362

SHA256
d93e64770a0f0c5a42f84139bd32ec3b11cce216d0c66a063e82a980b550dace

SHA512
3ac51ce7fe9458985fa43922c448ca28b95550a10f3083a64d2c7c3b6d04f05a2789df3597817954223ebecbcfe604f8f9d0cd2bf8f4429ec0049ce7bb4ce4ed

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\service.conf

Filesize
2KB

MD5
44cf37b01ed52cc54193b7b51c13736b

SHA1
b42e8134d8acf9e4583000160fe72d2c38b90362

SHA256
d93e64770a0f0c5a42f84139bd32ec3b11cce216d0c66a063e82a980b550dace

SHA512
3ac51ce7fe9458985fa43922c448ca28b95550a10f3083a64d2c7c3b6d04f05a2789df3597817954223ebecbcfe604f8f9d0cd2bf8f4429ec0049ce7bb4ce4ed

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
312B

MD5
0c04ad1083dc5c7c45e3ee2cd344ae38

SHA1
f1cf190f8ca93000e56d49732e9e827e2554c46f

SHA256
6452273c017db7cbe0ffc5b109bbf3f8d3282fb91bfa3c5eabc4fb8f1fc98cb0

SHA512
6c414b39bbc1f1f08446c6c6da6f6e1ceb9303bbf183ae279c872d91641ea8d67ec5e5c4e0824da3837eca73ec29fe70e92b72c09458c8ce50fa6f08791d1492

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
424B

MD5
0a7ea897eb54bff43c8c30a7b2dc9664

SHA1
43b7205b23fff37d72f4939b508a630008ce01a4

SHA256
db91dba1e32543bc3d215afb58eb18da326023ea6bd31ed2378a8bea67aa02a0

SHA512
6795bf86e8ff99c05bcdda3a2ee34ad7ae536164a7a6d57caa0d0893721e8aa5e29e00295d8398f2becfcb9d9773a3de644efe35629beb57ca28f339c89b28d6

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
424B

MD5
0a7ea897eb54bff43c8c30a7b2dc9664

SHA1
43b7205b23fff37d72f4939b508a630008ce01a4

SHA256
db91dba1e32543bc3d215afb58eb18da326023ea6bd31ed2378a8bea67aa02a0

SHA512
6795bf86e8ff99c05bcdda3a2ee34ad7ae536164a7a6d57caa0d0893721e8aa5e29e00295d8398f2becfcb9d9773a3de644efe35629beb57ca28f339c89b28d6

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
424B

MD5
90994c06f3f14f4073066af0b44045eb

SHA1
df07cb46a8132c1223fbf6b4d0c605104efddac1

SHA256
5ef805cfd0e167f40e0c02fcef2d3c0363d475aa00ec232da8500e5fa15f451c

SHA512
c24eab5fd8e3b0c65281729a2b9ab0c555ca99d653343e2f15db83242404c275e14a52b4e47439cd5fc324c912d978a902f758af338e3947bacb5ed75c8e7f2a

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
424B

MD5
90994c06f3f14f4073066af0b44045eb

SHA1
df07cb46a8132c1223fbf6b4d0c605104efddac1

SHA256
5ef805cfd0e167f40e0c02fcef2d3c0363d475aa00ec232da8500e5fa15f451c

SHA512
c24eab5fd8e3b0c65281729a2b9ab0c555ca99d653343e2f15db83242404c275e14a52b4e47439cd5fc324c912d978a902f758af338e3947bacb5ed75c8e7f2a

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
424B

MD5
0a7ea897eb54bff43c8c30a7b2dc9664

SHA1
43b7205b23fff37d72f4939b508a630008ce01a4

SHA256
db91dba1e32543bc3d215afb58eb18da326023ea6bd31ed2378a8bea67aa02a0

SHA512
6795bf86e8ff99c05bcdda3a2ee34ad7ae536164a7a6d57caa0d0893721e8aa5e29e00295d8398f2becfcb9d9773a3de644efe35629beb57ca28f339c89b28d6

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
424B

MD5
0a7ea897eb54bff43c8c30a7b2dc9664

SHA1
43b7205b23fff37d72f4939b508a630008ce01a4

SHA256
db91dba1e32543bc3d215afb58eb18da326023ea6bd31ed2378a8bea67aa02a0

SHA512
6795bf86e8ff99c05bcdda3a2ee34ad7ae536164a7a6d57caa0d0893721e8aa5e29e00295d8398f2becfcb9d9773a3de644efe35629beb57ca28f339c89b28d6

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
424B

MD5
90994c06f3f14f4073066af0b44045eb

SHA1
df07cb46a8132c1223fbf6b4d0c605104efddac1

SHA256
5ef805cfd0e167f40e0c02fcef2d3c0363d475aa00ec232da8500e5fa15f451c

SHA512
c24eab5fd8e3b0c65281729a2b9ab0c555ca99d653343e2f15db83242404c275e14a52b4e47439cd5fc324c912d978a902f758af338e3947bacb5ed75c8e7f2a

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
424B

MD5
0a7ea897eb54bff43c8c30a7b2dc9664

SHA1
43b7205b23fff37d72f4939b508a630008ce01a4

SHA256
db91dba1e32543bc3d215afb58eb18da326023ea6bd31ed2378a8bea67aa02a0

SHA512
6795bf86e8ff99c05bcdda3a2ee34ad7ae536164a7a6d57caa0d0893721e8aa5e29e00295d8398f2becfcb9d9773a3de644efe35629beb57ca28f339c89b28d6

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
424B

MD5
0a7ea897eb54bff43c8c30a7b2dc9664

SHA1
43b7205b23fff37d72f4939b508a630008ce01a4

SHA256
db91dba1e32543bc3d215afb58eb18da326023ea6bd31ed2378a8bea67aa02a0

SHA512
6795bf86e8ff99c05bcdda3a2ee34ad7ae536164a7a6d57caa0d0893721e8aa5e29e00295d8398f2becfcb9d9773a3de644efe35629beb57ca28f339c89b28d6

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
424B

MD5
90994c06f3f14f4073066af0b44045eb

SHA1
df07cb46a8132c1223fbf6b4d0c605104efddac1

SHA256
5ef805cfd0e167f40e0c02fcef2d3c0363d475aa00ec232da8500e5fa15f451c

SHA512
c24eab5fd8e3b0c65281729a2b9ab0c555ca99d653343e2f15db83242404c275e14a52b4e47439cd5fc324c912d978a902f758af338e3947bacb5ed75c8e7f2a

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
424B

MD5
0a7ea897eb54bff43c8c30a7b2dc9664

SHA1
43b7205b23fff37d72f4939b508a630008ce01a4

SHA256
db91dba1e32543bc3d215afb58eb18da326023ea6bd31ed2378a8bea67aa02a0

SHA512
6795bf86e8ff99c05bcdda3a2ee34ad7ae536164a7a6d57caa0d0893721e8aa5e29e00295d8398f2becfcb9d9773a3de644efe35629beb57ca28f339c89b28d6

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
424B

MD5
90994c06f3f14f4073066af0b44045eb

SHA1
df07cb46a8132c1223fbf6b4d0c605104efddac1

SHA256
5ef805cfd0e167f40e0c02fcef2d3c0363d475aa00ec232da8500e5fa15f451c

SHA512
c24eab5fd8e3b0c65281729a2b9ab0c555ca99d653343e2f15db83242404c275e14a52b4e47439cd5fc324c912d978a902f758af338e3947bacb5ed75c8e7f2a

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
424B

MD5
0a7ea897eb54bff43c8c30a7b2dc9664

SHA1
43b7205b23fff37d72f4939b508a630008ce01a4

SHA256
db91dba1e32543bc3d215afb58eb18da326023ea6bd31ed2378a8bea67aa02a0

SHA512
6795bf86e8ff99c05bcdda3a2ee34ad7ae536164a7a6d57caa0d0893721e8aa5e29e00295d8398f2becfcb9d9773a3de644efe35629beb57ca28f339c89b28d6

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
424B

MD5
90994c06f3f14f4073066af0b44045eb

SHA1
df07cb46a8132c1223fbf6b4d0c605104efddac1

SHA256
5ef805cfd0e167f40e0c02fcef2d3c0363d475aa00ec232da8500e5fa15f451c

SHA512
c24eab5fd8e3b0c65281729a2b9ab0c555ca99d653343e2f15db83242404c275e14a52b4e47439cd5fc324c912d978a902f758af338e3947bacb5ed75c8e7f2a

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
1079cb25819026e644806de1b9e1f9d7

SHA1
e92e47d10e57a92dca1701bee98e12a12c609219

SHA256
d4279254ef20ecd4c1874ab52a66209a86538177cc81b466bcc29bfddf1e29e7

SHA512
137afa2e594375998008d3e8d42340950aa42a8efb080998cfe43ed1761453652c2319d308325e3b69a17672ef5e684941dff7a0d862aab6cc52490063a974d5

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
1079cb25819026e644806de1b9e1f9d7

SHA1
e92e47d10e57a92dca1701bee98e12a12c609219

SHA256
d4279254ef20ecd4c1874ab52a66209a86538177cc81b466bcc29bfddf1e29e7

SHA512
137afa2e594375998008d3e8d42340950aa42a8efb080998cfe43ed1761453652c2319d308325e3b69a17672ef5e684941dff7a0d862aab6cc52490063a974d5

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
9428aa2200bd0c0a862144707cf5c032

SHA1
c9154ed08e91195dbcb5a00f888d9cbe5149b422

SHA256
107b3e9633c8fd0b950d9a23387aaaf777401f6a63a787dfa1ba7f06c0f558c7

SHA512
f2ff99dc12238273e6c1ec5ab734a385e6dd060ce1512fbafe65258d45aa123fc037f21243974b1bfaa77ffc0ba016d396ff240a7de94021f465c4158570cca0

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
9428aa2200bd0c0a862144707cf5c032

SHA1
c9154ed08e91195dbcb5a00f888d9cbe5149b422

SHA256
107b3e9633c8fd0b950d9a23387aaaf777401f6a63a787dfa1ba7f06c0f558c7

SHA512
f2ff99dc12238273e6c1ec5ab734a385e6dd060ce1512fbafe65258d45aa123fc037f21243974b1bfaa77ffc0ba016d396ff240a7de94021f465c4158570cca0

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
9428aa2200bd0c0a862144707cf5c032

SHA1
c9154ed08e91195dbcb5a00f888d9cbe5149b422

SHA256
107b3e9633c8fd0b950d9a23387aaaf777401f6a63a787dfa1ba7f06c0f558c7

SHA512
f2ff99dc12238273e6c1ec5ab734a385e6dd060ce1512fbafe65258d45aa123fc037f21243974b1bfaa77ffc0ba016d396ff240a7de94021f465c4158570cca0

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
9428aa2200bd0c0a862144707cf5c032

SHA1
c9154ed08e91195dbcb5a00f888d9cbe5149b422

SHA256
107b3e9633c8fd0b950d9a23387aaaf777401f6a63a787dfa1ba7f06c0f558c7

SHA512
f2ff99dc12238273e6c1ec5ab734a385e6dd060ce1512fbafe65258d45aa123fc037f21243974b1bfaa77ffc0ba016d396ff240a7de94021f465c4158570cca0

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
9428aa2200bd0c0a862144707cf5c032

SHA1
c9154ed08e91195dbcb5a00f888d9cbe5149b422

SHA256
107b3e9633c8fd0b950d9a23387aaaf777401f6a63a787dfa1ba7f06c0f558c7

SHA512
f2ff99dc12238273e6c1ec5ab734a385e6dd060ce1512fbafe65258d45aa123fc037f21243974b1bfaa77ffc0ba016d396ff240a7de94021f465c4158570cca0

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
8874fed708ed4c50201ca10efde6b3f8

SHA1
fc7bfcfbb42da252b4a45c43674aaf23b8b327b4

SHA256
e0a2ebb1ebb99f57843b717b8b401aa63a889dab705e06bca48115a86a038c06

SHA512
8f5393427b9f9da44826e79639d5c9febe02b683618aeacb88ffebd4e26d9849b6e8d515d6d2e5b45406398f140eaebd35026644ed0e7fdce2a4e9e3ade77781

Download Submit
memory/4680-316-0x0000000000930000-0x00000000019AE000-memory.dmp

Filesize
16.5MB

Download
memory/4680-534-0x0000000000930000-0x00000000019AE000-memory.dmp

Filesize
16.5MB

Download
memory/4680-704-0x0000000000930000-0x00000000019AE000-memory.dmp

Filesize
16.5MB

Download
memory/4680-141-0x0000000000930000-0x00000000019AE000-memory.dmp

Filesize
16.5MB

Download
memory/4680-295-0x0000000000930000-0x00000000019AE000-memory.dmp

Filesize
16.5MB

Download
memory/4680-378-0x0000000000930000-0x00000000019AE000-memory.dmp

Filesize
16.5MB

Download
memory/4688-215-0x0000000000880000-0x0000000000881000-memory.dmp

Filesize
4KB

Download
memory/4688-142-0x0000000000930000-0x00000000019AE000-memory.dmp

Filesize
16.5MB

Download
memory/4688-535-0x0000000000930000-0x00000000019AE000-memory.dmp

Filesize
16.5MB

Download
memory/4688-296-0x0000000000930000-0x00000000019AE000-memory.dmp

Filesize
16.5MB

Download
memory/4688-705-0x0000000000930000-0x00000000019AE000-memory.dmp

Filesize
16.5MB

Download
memory/4808-152-0x00000000051C0000-0x00000000051C1000-memory.dmp

Filesize
4KB

Download
memory/4808-153-0x00000000051D0000-0x00000000051D1000-memory.dmp

Filesize
4KB

Download
memory/4808-288-0x0000000000930000-0x00000000019AE000-memory.dmp

Filesize
16.5MB

Download
memory/4808-133-0x0000000000930000-0x00000000019AE000-memory.dmp

Filesize
16.5MB

Download
memory/4808-135-0x0000000001DC0000-0x0000000001DC1000-memory.dmp

Filesize
4KB

Download