fc19f3275d02764cf249dc6fe8962e06b83a4f5769cc369bc4f77b90c567df18

Analysis

max time kernel
68s
max time network
51s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
09-03-2023 17:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

AnyDesk.exe
Size

3.8MB
MD5

e546506082b374a0869bdd97b313fe5d
SHA1

082dc6b336b41788391bad20b26f4b9a1ad724fc
SHA256

fc19f3275d02764cf249dc6fe8962e06b83a4f5769cc369bc4f77b90c567df18
SHA512

15a8d7c74193dffd77639b1356ccbe975d17de73d0d6d177b8ecf816d665f620adefcded37c141bac0b2d8564fbba61aca4d9b01885740f23fbcc190515cbd08
SSDEEP

98304:uSCb8xJlb0VgU/vZaZKa4opQILfbsLajDMWEeq7PbUs6En5:uH8HCOUZakpAbjbsLsMmqM

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

AnyDesk.exe

pid	Process
1152	AnyDesk.exe

Suspicious use of FindShellTrayWindow 3 IoCs

Processes:

AnyDesk.exeAnyDesk.exe

pid	Process
1660	AnyDesk.exe
1660	AnyDesk.exe
1520	AnyDesk.exe

Suspicious use of SendNotifyMessage 2 IoCs

Processes:

AnyDesk.exe

pid	Process
1660	AnyDesk.exe
1660	AnyDesk.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

AnyDesk.exe

description	pid	Process	procid_target
PID 1520 wrote to memory of 1152	1520	AnyDesk.exe	27
PID 1520 wrote to memory of 1152	1520	AnyDesk.exe	27
PID 1520 wrote to memory of 1152	1520	AnyDesk.exe	27
PID 1520 wrote to memory of 1152	1520	AnyDesk.exe	27
PID 1520 wrote to memory of 1660	1520	AnyDesk.exe	28
PID 1520 wrote to memory of 1660	1520	AnyDesk.exe	28
PID 1520 wrote to memory of 1660	1520	AnyDesk.exe	28
PID 1520 wrote to memory of 1660	1520	AnyDesk.exe	28
PID 1520 wrote to memory of 844	1520	AnyDesk.exe	29
PID 1520 wrote to memory of 844	1520	AnyDesk.exe	29
PID 1520 wrote to memory of 844	1520	AnyDesk.exe	29
PID 1520 wrote to memory of 844	1520	AnyDesk.exe	29

C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
"C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe"
1⤵
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:1520
- C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
  "C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe" --local-service
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1152
- C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
  "C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe" --local-control
  2⤵
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:1660
- C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
  "C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe" --frontend
  2⤵
  PID:844

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace

Filesize
13KB

MD5
6d623d8f57fa561f76360357347276b7

SHA1
6bf83172a4357273c517c1ee137696bcddf8ec32

SHA256
a41ad84d90b66d4be8ba8abf0fd3f32e9b6de6f40bb0d262b61013b831f1369e

SHA512
117792716e4677ee4f5e092617c13843181b7a870d8458687666af1e4f5de9f690f422cd1a2bc2705da3e9d6a2487b80ac1e472046c594aae69e3ffe37c6fbf8

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace

Filesize
6KB

MD5
1f6d6901b75dc423b24b72edd72e488e

SHA1
a361cdc5c3483bcfc37441f83c8fd24ddf97af57

SHA256
e24f07219e54fcbc437ae2b522fe7d4b3b690271c8f94dc86f175a7d09f2eb1b

SHA512
6391a43b939f8c95d2cb2deec30017db98fc10e37b674356bb52b66a44cda246f0d471b6462bd04f012611ebae503a6c3aae4f46ce8f09e3ecbc3eb78d2d40f6

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace

Filesize
6KB

MD5
1f6d6901b75dc423b24b72edd72e488e

SHA1
a361cdc5c3483bcfc37441f83c8fd24ddf97af57

SHA256
e24f07219e54fcbc437ae2b522fe7d4b3b690271c8f94dc86f175a7d09f2eb1b

SHA512
6391a43b939f8c95d2cb2deec30017db98fc10e37b674356bb52b66a44cda246f0d471b6462bd04f012611ebae503a6c3aae4f46ce8f09e3ecbc3eb78d2d40f6

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\service.conf

Filesize
2KB

MD5
ccb551662e7c1238382e18cdeaec700d

SHA1
5ad395c288814e605c020cc9066d6e3f1a6b0706

SHA256
bff587cd608d66dc6cdba2f62a1a0258aea138457ccff9681a7ded4309ce587b

SHA512
a873bc263ee8431e25bdda232ea8b74a5afac9b823f505e41376f33d1a4607452d073547c16a9e838a67dd93854cd066cf029b4ba37f6745272a6dfe2b324256

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
424B

MD5
869012ec7d8e1d82ddc909dee26e26a8

SHA1
1a5c3054be20f76551015274aaaa258864dcde30

SHA256
f84d57df4ef2ca893fc4d4f6802545c92cb716691d89d834f4b5a776c708968b

SHA512
b324828d1a6231e63fab5236892dc1d3aabf3de98d046a5060ace592bfa099f03b8a5f9341ccb71d97ae47e399758485480aca943cb28b7d178f07debcb5b973

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
424B

MD5
fd9673be339e3762ae6834d3867ebe92

SHA1
893d01bd37e586f02b493f59da0fd01483cf04cf

SHA256
96d529093ba5ab0bdaf039deb1889d4c01496736cb12d886115abeadc5c82c4d

SHA512
c9f9a8246414e72910c633e0b95df6c8ff5d47248367ea6fc4ed8985d3808cde9dd5b4cc6a5624b5ba9e3cc224db20f7f762d710f826660953895b0b8e1161ca

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
312B

MD5
0c04ad1083dc5c7c45e3ee2cd344ae38

SHA1
f1cf190f8ca93000e56d49732e9e827e2554c46f

SHA256
6452273c017db7cbe0ffc5b109bbf3f8d3282fb91bfa3c5eabc4fb8f1fc98cb0

SHA512
6c414b39bbc1f1f08446c6c6da6f6e1ceb9303bbf183ae279c872d91641ea8d67ec5e5c4e0824da3837eca73ec29fe70e92b72c09458c8ce50fa6f08791d1492

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
4695a05517c300e5b78dd9573fe5c86e

SHA1
12ce1841c85c6fd1328a68e5bda019f01c774934

SHA256
6049168ad07a4fd065e94b3f550e6614c804b88f74d268f0704c50fd8a298e76

SHA512
c8969231352b287c2a7cfeac563910d96e56ac4d96d1a03be54cf625641e6985d263350200ba397cde014af7348a65fc5850e83c4c151f43753905764546c91f

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
4695a05517c300e5b78dd9573fe5c86e

SHA1
12ce1841c85c6fd1328a68e5bda019f01c774934

SHA256
6049168ad07a4fd065e94b3f550e6614c804b88f74d268f0704c50fd8a298e76

SHA512
c8969231352b287c2a7cfeac563910d96e56ac4d96d1a03be54cf625641e6985d263350200ba397cde014af7348a65fc5850e83c4c151f43753905764546c91f

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
843b1a1b6a9053e004a5ea94b2db0232

SHA1
367ea425cb23c922d6e9036e4e44fe07ffdbc629

SHA256
57e746b4210a45e555e177a389a390f55776b96997d6e71d2ed6c9b7a539f111

SHA512
fbb449f95977e4894ef08502bf468c18cf21b6a8bfb059441b6395b93838a61319093733164d1ec722d759fbb551a56004ac7db7973869f2b87cf051c5b0c058

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
843b1a1b6a9053e004a5ea94b2db0232

SHA1
367ea425cb23c922d6e9036e4e44fe07ffdbc629

SHA256
57e746b4210a45e555e177a389a390f55776b96997d6e71d2ed6c9b7a539f111

SHA512
fbb449f95977e4894ef08502bf468c18cf21b6a8bfb059441b6395b93838a61319093733164d1ec722d759fbb551a56004ac7db7973869f2b87cf051c5b0c058

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\75fdacd8330bac18.customDestinations-ms

Filesize
3KB

MD5
347f57d9c4c0cb9137959a588065fdc4

SHA1
e49608a1b53c917f9755df5eb3f047201264ded5

SHA256
bc0d430a073c80dd56804d3675052097b1509157ffad2c2b231b780c60522f8f

SHA512
2dfa929f93e647c7988f3fc95c91d304a4fe8295d3f021c0e2dd9ad3c79a9e436e9d31052afaa21bdd6b22eb68ee8f8d009f9881e8c2bc5907e6c19eca6ef8de

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\AY4P2N2XQE6C8N6HDD03.temp

Filesize
3KB

MD5
347f57d9c4c0cb9137959a588065fdc4

SHA1
e49608a1b53c917f9755df5eb3f047201264ded5

SHA256
bc0d430a073c80dd56804d3675052097b1509157ffad2c2b231b780c60522f8f

SHA512
2dfa929f93e647c7988f3fc95c91d304a4fe8295d3f021c0e2dd9ad3c79a9e436e9d31052afaa21bdd6b22eb68ee8f8d009f9881e8c2bc5907e6c19eca6ef8de

Download Submit
memory/844-158-0x00000000031B0000-0x00000000031B1000-memory.dmp

Filesize
4KB

Download
memory/844-151-0x0000000000850000-0x00000000018CE000-memory.dmp

Filesize
16.5MB

Download
memory/844-96-0x0000000000850000-0x00000000018CE000-memory.dmp

Filesize
16.5MB

Download
memory/844-157-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/844-159-0x00000000031C0000-0x00000000031C1000-memory.dmp

Filesize
4KB

Download
memory/1152-71-0x0000000000850000-0x00000000018CE000-memory.dmp

Filesize
16.5MB

Download
memory/1152-94-0x0000000000850000-0x00000000018CE000-memory.dmp

Filesize
16.5MB

Download
memory/1152-147-0x0000000000850000-0x00000000018CE000-memory.dmp

Filesize
16.5MB

Download
memory/1520-72-0x00000000036E0000-0x00000000036E1000-memory.dmp

Filesize
4KB

Download
memory/1520-54-0x0000000000850000-0x00000000018CE000-memory.dmp

Filesize
16.5MB

Download
memory/1520-56-0x0000000000160000-0x0000000000161000-memory.dmp

Filesize
4KB

Download
memory/1520-90-0x0000000000850000-0x00000000018CE000-memory.dmp

Filesize
16.5MB

Download
memory/1520-70-0x0000000003270000-0x0000000003271000-memory.dmp

Filesize
4KB

Download
memory/1660-63-0x0000000000850000-0x00000000018CE000-memory.dmp

Filesize
16.5MB

Download
memory/1660-150-0x0000000000850000-0x00000000018CE000-memory.dmp

Filesize
16.5MB

Download
memory/1660-95-0x0000000000850000-0x00000000018CE000-memory.dmp

Filesize
16.5MB

Download
memory/1660-89-0x0000000000160000-0x0000000000161000-memory.dmp

Filesize
4KB

Download