fc19f3275d02764cf249dc6fe8962e06b83a4f5769cc369bc4f77b90c567df18

Analysis

max time kernel
29s
max time network
30s
platform
windows10-2004_x64
resource
win10v2004-20230221-en
resource tags

arch:x64arch:x86image:win10v2004-20230221-enlocale:en-usos:windows10-2004-x64system
submitted
09-03-2023 17:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

AnyDesk.exe
Size

3.8MB
MD5

e546506082b374a0869bdd97b313fe5d
SHA1

082dc6b336b41788391bad20b26f4b9a1ad724fc
SHA256

fc19f3275d02764cf249dc6fe8962e06b83a4f5769cc369bc4f77b90c567df18
SHA512

15a8d7c74193dffd77639b1356ccbe975d17de73d0d6d177b8ecf816d665f620adefcded37c141bac0b2d8564fbba61aca4d9b01885740f23fbcc190515cbd08
SSDEEP

98304:uSCb8xJlb0VgU/vZaZKa4opQILfbsLajDMWEeq7PbUs6En5:uH8HCOUZakpAbjbsLsMmqM

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 4 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

AnyDesk.exeAnyDesk.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AnyDesk.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	AnyDesk.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AnyDesk.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	AnyDesk.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

AnyDesk.exeAnyDesk.exeAnyDesk.exeAnyDesk.exe

pid	Process
1860	AnyDesk.exe
1860	AnyDesk.exe
4348	AnyDesk.exe
4348	AnyDesk.exe
5052	AnyDesk.exe
5052	AnyDesk.exe
3748	AnyDesk.exe
3748	AnyDesk.exe

Suspicious use of FindShellTrayWindow 3 IoCs

Processes:

AnyDesk.exe

pid	Process
5052	AnyDesk.exe
5052	AnyDesk.exe
5052	AnyDesk.exe

Suspicious use of SendNotifyMessage 3 IoCs

Processes:

AnyDesk.exe

pid	Process
5052	AnyDesk.exe
5052	AnyDesk.exe
5052	AnyDesk.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

AnyDesk.exe

description	pid	Process	procid_target
PID 4348 wrote to memory of 1860	4348	AnyDesk.exe	84
PID 4348 wrote to memory of 1860	4348	AnyDesk.exe	84
PID 4348 wrote to memory of 1860	4348	AnyDesk.exe	84
PID 4348 wrote to memory of 5052	4348	AnyDesk.exe	85
PID 4348 wrote to memory of 5052	4348	AnyDesk.exe	85
PID 4348 wrote to memory of 5052	4348	AnyDesk.exe	85
PID 4348 wrote to memory of 3748	4348	AnyDesk.exe	95
PID 4348 wrote to memory of 3748	4348	AnyDesk.exe	95
PID 4348 wrote to memory of 3748	4348	AnyDesk.exe	95

C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
"C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe"
1⤵
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4348
- C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
  "C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe" --local-service
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1860
- C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
  "C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe" --local-control
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:5052
- C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
  "C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe" --frontend
  2⤵
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  PID:3748

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace

Filesize
7KB

MD5
14044f27c0b8c3ead69f4f7543bea2dd

SHA1
e92a9f767c613dfaec567ddebde118b8a1b4f79c

SHA256
27e6c9975bfc0fb14f99579b1060b87c1f87d5c2e57d8c4288ac7ce979a19d29

SHA512
9e382c26b4b44e564e23448c35967878111dab67af0db64b9d93bb2bc60d03437c9b3ea3eec70ef0653d16ddbe3236ac56d2985aeba6e036b0e053c7c9a2aeba

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace

Filesize
7KB

MD5
14044f27c0b8c3ead69f4f7543bea2dd

SHA1
e92a9f767c613dfaec567ddebde118b8a1b4f79c

SHA256
27e6c9975bfc0fb14f99579b1060b87c1f87d5c2e57d8c4288ac7ce979a19d29

SHA512
9e382c26b4b44e564e23448c35967878111dab67af0db64b9d93bb2bc60d03437c9b3ea3eec70ef0653d16ddbe3236ac56d2985aeba6e036b0e053c7c9a2aeba

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace

Filesize
27KB

MD5
80c9bf478f2a2fd1f5f11c4cc47a327b

SHA1
1e438dd2d3870d561b38f6d318908e5f1f1439cd

SHA256
01202a65b7635a6ec2c5807faa91fc2f0f23999ce71ee745fc2ff52ebf643848

SHA512
833fcb1a3f48f3cea8fb39b9b4091163818cfb50df3d41582a68775001f8651591000a23e472c7218169e4be7b16a3b029cbe0be0b6062b9a7d1b516ca6ce1fc

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\service.conf

Filesize
2KB

MD5
3d28554022131e47fc18caed61fff05c

SHA1
c70e894cb8a91884bf7591b1069406587f903e8f

SHA256
e412327c6e9a2cc0782f444bf7ca3c62fce3f086569e82a72bca8832f1b3743d

SHA512
63cd147402a4b8f06ec9edf829fb59bc2292d0a88b3772699849ad4f5b043d9c646bc21649326d1e659e6d5e3fad59669f18f5fab1f54ce85fb3aac810797613

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\service.conf

Filesize
2KB

MD5
3d28554022131e47fc18caed61fff05c

SHA1
c70e894cb8a91884bf7591b1069406587f903e8f

SHA256
e412327c6e9a2cc0782f444bf7ca3c62fce3f086569e82a72bca8832f1b3743d

SHA512
63cd147402a4b8f06ec9edf829fb59bc2292d0a88b3772699849ad4f5b043d9c646bc21649326d1e659e6d5e3fad59669f18f5fab1f54ce85fb3aac810797613

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
312B

MD5
0c04ad1083dc5c7c45e3ee2cd344ae38

SHA1
f1cf190f8ca93000e56d49732e9e827e2554c46f

SHA256
6452273c017db7cbe0ffc5b109bbf3f8d3282fb91bfa3c5eabc4fb8f1fc98cb0

SHA512
6c414b39bbc1f1f08446c6c6da6f6e1ceb9303bbf183ae279c872d91641ea8d67ec5e5c4e0824da3837eca73ec29fe70e92b72c09458c8ce50fa6f08791d1492

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
424B

MD5
2d57d0e5262be1e8c0dec7c680d233cb

SHA1
2bf8d4b5242d79a6d1f05a05c53e669fd5624639

SHA256
cf765a115ed5c92337f0c9244ae2e568623167bbf86f840265257577b600fc35

SHA512
e67b6cab6ff20fd73f948fb16f54b1c25702497d7323f6144b3e1b4fbd044cb64a4556f3208c65b8a1dd4003758014dca140516bfb49b606bbc59567298d3891

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
424B

MD5
2d57d0e5262be1e8c0dec7c680d233cb

SHA1
2bf8d4b5242d79a6d1f05a05c53e669fd5624639

SHA256
cf765a115ed5c92337f0c9244ae2e568623167bbf86f840265257577b600fc35

SHA512
e67b6cab6ff20fd73f948fb16f54b1c25702497d7323f6144b3e1b4fbd044cb64a4556f3208c65b8a1dd4003758014dca140516bfb49b606bbc59567298d3891

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
424B

MD5
c0abfcb84441df005f02caeaf8823835

SHA1
c5f7c8f2c3bdddf5b1fcfe48c85dd24ce52022f5

SHA256
7d8de22b8c376c33a30b51859c58e17b7578ebfe68b16ea3a194ecbfdfa74d79

SHA512
a9279c13f721709f4d09183032ed7a5466c16e6d9d8810ba2ad2f6467e3ee23e8fa1fc96ac215c9e67ada291f420f9a5cca31d384ca34008462129d09426c6b4

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
424B

MD5
c0abfcb84441df005f02caeaf8823835

SHA1
c5f7c8f2c3bdddf5b1fcfe48c85dd24ce52022f5

SHA256
7d8de22b8c376c33a30b51859c58e17b7578ebfe68b16ea3a194ecbfdfa74d79

SHA512
a9279c13f721709f4d09183032ed7a5466c16e6d9d8810ba2ad2f6467e3ee23e8fa1fc96ac215c9e67ada291f420f9a5cca31d384ca34008462129d09426c6b4

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
424B

MD5
2d57d0e5262be1e8c0dec7c680d233cb

SHA1
2bf8d4b5242d79a6d1f05a05c53e669fd5624639

SHA256
cf765a115ed5c92337f0c9244ae2e568623167bbf86f840265257577b600fc35

SHA512
e67b6cab6ff20fd73f948fb16f54b1c25702497d7323f6144b3e1b4fbd044cb64a4556f3208c65b8a1dd4003758014dca140516bfb49b606bbc59567298d3891

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
424B

MD5
c0abfcb84441df005f02caeaf8823835

SHA1
c5f7c8f2c3bdddf5b1fcfe48c85dd24ce52022f5

SHA256
7d8de22b8c376c33a30b51859c58e17b7578ebfe68b16ea3a194ecbfdfa74d79

SHA512
a9279c13f721709f4d09183032ed7a5466c16e6d9d8810ba2ad2f6467e3ee23e8fa1fc96ac215c9e67ada291f420f9a5cca31d384ca34008462129d09426c6b4

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
424B

MD5
c0abfcb84441df005f02caeaf8823835

SHA1
c5f7c8f2c3bdddf5b1fcfe48c85dd24ce52022f5

SHA256
7d8de22b8c376c33a30b51859c58e17b7578ebfe68b16ea3a194ecbfdfa74d79

SHA512
a9279c13f721709f4d09183032ed7a5466c16e6d9d8810ba2ad2f6467e3ee23e8fa1fc96ac215c9e67ada291f420f9a5cca31d384ca34008462129d09426c6b4

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
bf37ecfaf727cc60933561dbef7e1c16

SHA1
27c2082b5012852fb9d07ea5594d4a500608822d

SHA256
cc1d0ddaa12f89c63560eea94af229f941828e79d070b126de9dbb21aa76fb5b

SHA512
ecea7a6c290ef8b405a4e6d3b6f9cf0c62d5eb5b9cee5a1e247f458da363ca47ea72181c44fa141f9888f43c47543f5a084559add0ab9aef3969ff626d5ba3c8

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
bf37ecfaf727cc60933561dbef7e1c16

SHA1
27c2082b5012852fb9d07ea5594d4a500608822d

SHA256
cc1d0ddaa12f89c63560eea94af229f941828e79d070b126de9dbb21aa76fb5b

SHA512
ecea7a6c290ef8b405a4e6d3b6f9cf0c62d5eb5b9cee5a1e247f458da363ca47ea72181c44fa141f9888f43c47543f5a084559add0ab9aef3969ff626d5ba3c8

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
660c0771af05beb2f55598a1ae29e6f2

SHA1
02bcf6b67248571a4cf4529919c338bf26f9c273

SHA256
07b7991403b9a8ff760cbeedcc36a86ddd4f0af6fc7bd1184a61f468c820e606

SHA512
70154dd9accbbf5d007552b328910251d5e99b937b889d5048618c692ff0eedce9d9a205849a9318d988c63697a456eb52419a290fb289096f53113baee742d3

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
660c0771af05beb2f55598a1ae29e6f2

SHA1
02bcf6b67248571a4cf4529919c338bf26f9c273

SHA256
07b7991403b9a8ff760cbeedcc36a86ddd4f0af6fc7bd1184a61f468c820e606

SHA512
70154dd9accbbf5d007552b328910251d5e99b937b889d5048618c692ff0eedce9d9a205849a9318d988c63697a456eb52419a290fb289096f53113baee742d3

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
660c0771af05beb2f55598a1ae29e6f2

SHA1
02bcf6b67248571a4cf4529919c338bf26f9c273

SHA256
07b7991403b9a8ff760cbeedcc36a86ddd4f0af6fc7bd1184a61f468c820e606

SHA512
70154dd9accbbf5d007552b328910251d5e99b937b889d5048618c692ff0eedce9d9a205849a9318d988c63697a456eb52419a290fb289096f53113baee742d3

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
a045682acf97024a8a9efe31a0711bbd

SHA1
4499eb492dce66db06bbaae1fd1eb9f25a9a5572

SHA256
ad8ec0abb5f29c638d5ab11223e81a511e9a46758be35091c7e9d2e339f32115

SHA512
117739ea265a52953da6be9be2eb093faddfff94dfd959e2d248369dd31628d33c36375da7c071abe66bf01e4f47bdfcd21377bffca68f8e47f259c50851a40b

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
418df82adbcc51759dc4127df9abe6d9

SHA1
21fa0cc8c43cfc7aea5db426589298a769954269

SHA256
3d4979b835f4753f01fd8ba55c54bb3f311564885007c75b9435542d7ffd4369

SHA512
0603f15d0e97ba57a6b3b0a750badce8eab47af7d4e022617ee2e4d229740cdd5d3a8d24702c75b01d529e4d28a7fdaaa69e4d71e780ebe9439fde6950baaaf2

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
1fe3fe3d545df432bafe8216b6541667

SHA1
944c59f0f5e7a8c875db23a2addd6be18c2d3c15

SHA256
d32e16f67cfae61729cd4b806ca4abb596c7f09ee4b5b807988d2cc85f0f537f

SHA512
9c70da7972860ece3a5d3becf96d062ce4e5240fac707233cd0f4db86cac945a82ad12166ba9088a33b39ee89bcf3143cf674e6d92b4eb7c217c090fcfe4b1ab

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
1fe3fe3d545df432bafe8216b6541667

SHA1
944c59f0f5e7a8c875db23a2addd6be18c2d3c15

SHA256
d32e16f67cfae61729cd4b806ca4abb596c7f09ee4b5b807988d2cc85f0f537f

SHA512
9c70da7972860ece3a5d3becf96d062ce4e5240fac707233cd0f4db86cac945a82ad12166ba9088a33b39ee89bcf3143cf674e6d92b4eb7c217c090fcfe4b1ab

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
1fe3fe3d545df432bafe8216b6541667

SHA1
944c59f0f5e7a8c875db23a2addd6be18c2d3c15

SHA256
d32e16f67cfae61729cd4b806ca4abb596c7f09ee4b5b807988d2cc85f0f537f

SHA512
9c70da7972860ece3a5d3becf96d062ce4e5240fac707233cd0f4db86cac945a82ad12166ba9088a33b39ee89bcf3143cf674e6d92b4eb7c217c090fcfe4b1ab

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
1fe3fe3d545df432bafe8216b6541667

SHA1
944c59f0f5e7a8c875db23a2addd6be18c2d3c15

SHA256
d32e16f67cfae61729cd4b806ca4abb596c7f09ee4b5b807988d2cc85f0f537f

SHA512
9c70da7972860ece3a5d3becf96d062ce4e5240fac707233cd0f4db86cac945a82ad12166ba9088a33b39ee89bcf3143cf674e6d92b4eb7c217c090fcfe4b1ab

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
1fe3fe3d545df432bafe8216b6541667

SHA1
944c59f0f5e7a8c875db23a2addd6be18c2d3c15

SHA256
d32e16f67cfae61729cd4b806ca4abb596c7f09ee4b5b807988d2cc85f0f537f

SHA512
9c70da7972860ece3a5d3becf96d062ce4e5240fac707233cd0f4db86cac945a82ad12166ba9088a33b39ee89bcf3143cf674e6d92b4eb7c217c090fcfe4b1ab

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\75fdacd8330bac18.customDestinations-ms

Filesize
3KB

MD5
d94210a82f7a5f79a91e8948ea95c862

SHA1
611711a28f1f8b9f13bf35383ee3156d6dd6036a

SHA256
11733ff5a1aa4af2b373fbd291d0003d68a2043dcd66bd0c7bb815b740b7a117

SHA512
01559eb2ad2487eb6195d946fb1508a913f09c11cc1871e055380215ad88b40ac2ae2a905c39b9d89f4c4c52e198e503fef9a1e5125a48f49e4a128c6be1a986

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\75fdacd8330bac18.customDestinations-ms

Filesize
3KB

MD5
048355c45bf2025d8cc7823d8cff4dca

SHA1
728a42270b89016ec3fb46fa4e3a3c1dcf33bade

SHA256
c7a1899d30ee82548cacd960f216d98331a58f57696834e1a35d2426b151ed06

SHA512
caffa9202292bdc9d99baaac3690acde8639e2a08dc040071bd55247774f877ec6e41ec6c70787a125eb891258b407b409823bc12faba6ecf091ef90f09054d3

Download Submit
memory/1860-148-0x00000000006F0000-0x000000000176E000-memory.dmp

Filesize
16.5MB

Download
memory/1860-291-0x00000000006F0000-0x000000000176E000-memory.dmp

Filesize
16.5MB

Download
memory/1860-348-0x00000000006F0000-0x000000000176E000-memory.dmp

Filesize
16.5MB

Download
memory/3748-315-0x0000000001C30000-0x0000000001C31000-memory.dmp

Filesize
4KB

Download
memory/3748-337-0x0000000005560000-0x0000000005561000-memory.dmp

Filesize
4KB

Download
memory/3748-354-0x00000000006F0000-0x000000000176E000-memory.dmp

Filesize
16.5MB

Download
memory/3748-338-0x0000000005570000-0x0000000005571000-memory.dmp

Filesize
4KB

Download
memory/3748-297-0x00000000006F0000-0x000000000176E000-memory.dmp

Filesize
16.5MB

Download
memory/4348-270-0x00000000006F0000-0x000000000176E000-memory.dmp

Filesize
16.5MB

Download
memory/4348-151-0x0000000005300000-0x0000000005301000-memory.dmp

Filesize
4KB

Download
memory/4348-152-0x0000000005310000-0x0000000005311000-memory.dmp

Filesize
4KB

Download
memory/4348-133-0x00000000006F0000-0x000000000176E000-memory.dmp

Filesize
16.5MB

Download
memory/4348-343-0x00000000006F0000-0x000000000176E000-memory.dmp

Filesize
16.5MB

Download
memory/4348-138-0x0000000002000000-0x0000000002001000-memory.dmp

Filesize
4KB

Download
memory/5052-149-0x00000000006F0000-0x000000000176E000-memory.dmp

Filesize
16.5MB

Download
memory/5052-162-0x0000000001D10000-0x0000000001D11000-memory.dmp

Filesize
4KB

Download
memory/5052-349-0x00000000006F0000-0x000000000176E000-memory.dmp

Filesize
16.5MB

Download
memory/5052-292-0x00000000006F0000-0x000000000176E000-memory.dmp

Filesize
16.5MB

Download