fc19f3275d02764cf249dc6fe8962e06b83a4f5769cc369bc4f77b90c567df18

Analysis

max time kernel
150s
max time network
130s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
16/03/2023, 00:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

AnyDesk.exe
Size

3.8MB
MD5

e546506082b374a0869bdd97b313fe5d
SHA1

082dc6b336b41788391bad20b26f4b9a1ad724fc
SHA256

fc19f3275d02764cf249dc6fe8962e06b83a4f5769cc369bc4f77b90c567df18
SHA512

15a8d7c74193dffd77639b1356ccbe975d17de73d0d6d177b8ecf816d665f620adefcded37c141bac0b2d8564fbba61aca4d9b01885740f23fbcc190515cbd08
SSDEEP

98304:uSCb8xJlb0VgU/vZaZKa4opQILfbsLajDMWEeq7PbUs6En5:uH8HCOUZakpAbjbsLsMmqM

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AnyDesk.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	AnyDesk.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

pid	Process
1268	AnyDesk.exe
1532	taskmgr.exe
1532	taskmgr.exe
1532	taskmgr.exe
1532	taskmgr.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1532	taskmgr.exe

Suspicious use of FindShellTrayWindow 33 IoCs

pid	Process
1140	AnyDesk.exe
1140	AnyDesk.exe
1140	AnyDesk.exe
1532	taskmgr.exe
1532	taskmgr.exe
1532	taskmgr.exe
1532	taskmgr.exe
1532	taskmgr.exe
1532	taskmgr.exe
1532	taskmgr.exe
1532	taskmgr.exe
1532	taskmgr.exe
1532	taskmgr.exe
1532	taskmgr.exe
1532	taskmgr.exe
1532	taskmgr.exe
1532	taskmgr.exe
1532	taskmgr.exe
1532	taskmgr.exe
1532	taskmgr.exe
1532	taskmgr.exe
1532	taskmgr.exe
1532	taskmgr.exe
1532	taskmgr.exe
1532	taskmgr.exe
1532	taskmgr.exe
1532	taskmgr.exe
1532	taskmgr.exe
1532	taskmgr.exe
1532	taskmgr.exe
1532	taskmgr.exe
1532	taskmgr.exe
1532	taskmgr.exe

Suspicious use of SendNotifyMessage 33 IoCs

pid	Process
1140	AnyDesk.exe
1140	AnyDesk.exe
1140	AnyDesk.exe
1532	taskmgr.exe
1532	taskmgr.exe
1532	taskmgr.exe
1532	taskmgr.exe
1532	taskmgr.exe
1532	taskmgr.exe
1532	taskmgr.exe
1532	taskmgr.exe
1532	taskmgr.exe
1532	taskmgr.exe
1532	taskmgr.exe
1532	taskmgr.exe
1532	taskmgr.exe
1532	taskmgr.exe
1532	taskmgr.exe
1532	taskmgr.exe
1532	taskmgr.exe
1532	taskmgr.exe
1532	taskmgr.exe
1532	taskmgr.exe
1532	taskmgr.exe
1532	taskmgr.exe
1532	taskmgr.exe
1532	taskmgr.exe
1532	taskmgr.exe
1532	taskmgr.exe
1532	taskmgr.exe
1532	taskmgr.exe
1532	taskmgr.exe
1532	taskmgr.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1680 wrote to memory of 1268	1680	AnyDesk.exe	28
PID 1680 wrote to memory of 1268	1680	AnyDesk.exe	28
PID 1680 wrote to memory of 1268	1680	AnyDesk.exe	28
PID 1680 wrote to memory of 1268	1680	AnyDesk.exe	28
PID 1680 wrote to memory of 1140	1680	AnyDesk.exe	29
PID 1680 wrote to memory of 1140	1680	AnyDesk.exe	29
PID 1680 wrote to memory of 1140	1680	AnyDesk.exe	29
PID 1680 wrote to memory of 1140	1680	AnyDesk.exe	29

C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
"C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe"
1⤵
- Checks processor information in registry
- Suspicious use of WriteProcessMemory
PID:1680
- C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
  "C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe" --local-service
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1268
- C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
  "C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe" --local-control
  2⤵
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:1140

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1532

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace

Filesize
7KB

MD5
c04b2e1d086503cfca058a358be3c430

SHA1
e9f41c9664180b4fcd81a35ca69cdb9d49a6d094

SHA256
e881597835580460ead7ee1473da6e4321449a454e3ce5d6138579c3c14eafd7

SHA512
93e1738013cb25f80529b236ab664ca517a26c32ebaa0c4c86752aa7c42352dbeccfe594eea740d2109702b7b5fe6cd93617f8a3906be636666cd8c108a1c509

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace

Filesize
7KB

MD5
c04b2e1d086503cfca058a358be3c430

SHA1
e9f41c9664180b4fcd81a35ca69cdb9d49a6d094

SHA256
e881597835580460ead7ee1473da6e4321449a454e3ce5d6138579c3c14eafd7

SHA512
93e1738013cb25f80529b236ab664ca517a26c32ebaa0c4c86752aa7c42352dbeccfe594eea740d2109702b7b5fe6cd93617f8a3906be636666cd8c108a1c509

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\service.conf

Filesize
2KB

MD5
cdc5f542da63a5576316e85b933a887a

SHA1
533bef48ff1325fed222ca7ebe283f8bac137dfc

SHA256
c4b733e2e1a763c26dc2022aaff8e8a115b781dbb7790eb2ba2396fa2ddbb3f9

SHA512
6a21a4a6dbfa0ca483eb64858aaed9c48a04e9f306a8cc9b8dcb88fdedd30ee799318baa451798d0690b7796be76a25e6a23846ce8453a8f257ef07d7fac7562

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\service.conf

Filesize
2KB

MD5
cdc5f542da63a5576316e85b933a887a

SHA1
533bef48ff1325fed222ca7ebe283f8bac137dfc

SHA256
c4b733e2e1a763c26dc2022aaff8e8a115b781dbb7790eb2ba2396fa2ddbb3f9

SHA512
6a21a4a6dbfa0ca483eb64858aaed9c48a04e9f306a8cc9b8dcb88fdedd30ee799318baa451798d0690b7796be76a25e6a23846ce8453a8f257ef07d7fac7562

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
424B

MD5
724c1b931cfb6bd4c01b39a7c4b14ca3

SHA1
0f69c43c049dd14d16b266dfd49e1c773b208170

SHA256
f510515ef635942776b6ded5805ee2a980b88ed25c23f8ef2a8e17285ceeaac1

SHA512
99e3cc6953a2b7f6495f505168bd3f52f46831cd27930631dba01247234e63b8d2f55609e088f5f1207a30bd94052ad4605597ff96b9feb99b2b6e3f58d8607c

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
424B

MD5
90ae06fbfb3da085964dd0ac0956eafb

SHA1
a97a3b85891e135b7866acdac8aa55c39136b6e7

SHA256
833cac107cbfc2310e1e6bb7175d31801e5f4422ff725ff43fc3e4b01887a2b7

SHA512
ce92ed99cce845976d80be956d8beb8d53b061916b0e9d1b766de40275e8e358c0dff045e4c6fb3f4af989585117d8a165c41303e9fb3241cec03335643f8127

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
424B

MD5
90ae06fbfb3da085964dd0ac0956eafb

SHA1
a97a3b85891e135b7866acdac8aa55c39136b6e7

SHA256
833cac107cbfc2310e1e6bb7175d31801e5f4422ff725ff43fc3e4b01887a2b7

SHA512
ce92ed99cce845976d80be956d8beb8d53b061916b0e9d1b766de40275e8e358c0dff045e4c6fb3f4af989585117d8a165c41303e9fb3241cec03335643f8127

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
424B

MD5
724c1b931cfb6bd4c01b39a7c4b14ca3

SHA1
0f69c43c049dd14d16b266dfd49e1c773b208170

SHA256
f510515ef635942776b6ded5805ee2a980b88ed25c23f8ef2a8e17285ceeaac1

SHA512
99e3cc6953a2b7f6495f505168bd3f52f46831cd27930631dba01247234e63b8d2f55609e088f5f1207a30bd94052ad4605597ff96b9feb99b2b6e3f58d8607c

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
424B

MD5
90ae06fbfb3da085964dd0ac0956eafb

SHA1
a97a3b85891e135b7866acdac8aa55c39136b6e7

SHA256
833cac107cbfc2310e1e6bb7175d31801e5f4422ff725ff43fc3e4b01887a2b7

SHA512
ce92ed99cce845976d80be956d8beb8d53b061916b0e9d1b766de40275e8e358c0dff045e4c6fb3f4af989585117d8a165c41303e9fb3241cec03335643f8127

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
424B

MD5
90ae06fbfb3da085964dd0ac0956eafb

SHA1
a97a3b85891e135b7866acdac8aa55c39136b6e7

SHA256
833cac107cbfc2310e1e6bb7175d31801e5f4422ff725ff43fc3e4b01887a2b7

SHA512
ce92ed99cce845976d80be956d8beb8d53b061916b0e9d1b766de40275e8e358c0dff045e4c6fb3f4af989585117d8a165c41303e9fb3241cec03335643f8127

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
424B

MD5
724c1b931cfb6bd4c01b39a7c4b14ca3

SHA1
0f69c43c049dd14d16b266dfd49e1c773b208170

SHA256
f510515ef635942776b6ded5805ee2a980b88ed25c23f8ef2a8e17285ceeaac1

SHA512
99e3cc6953a2b7f6495f505168bd3f52f46831cd27930631dba01247234e63b8d2f55609e088f5f1207a30bd94052ad4605597ff96b9feb99b2b6e3f58d8607c

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
424B

MD5
90ae06fbfb3da085964dd0ac0956eafb

SHA1
a97a3b85891e135b7866acdac8aa55c39136b6e7

SHA256
833cac107cbfc2310e1e6bb7175d31801e5f4422ff725ff43fc3e4b01887a2b7

SHA512
ce92ed99cce845976d80be956d8beb8d53b061916b0e9d1b766de40275e8e358c0dff045e4c6fb3f4af989585117d8a165c41303e9fb3241cec03335643f8127

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
424B

MD5
90ae06fbfb3da085964dd0ac0956eafb

SHA1
a97a3b85891e135b7866acdac8aa55c39136b6e7

SHA256
833cac107cbfc2310e1e6bb7175d31801e5f4422ff725ff43fc3e4b01887a2b7

SHA512
ce92ed99cce845976d80be956d8beb8d53b061916b0e9d1b766de40275e8e358c0dff045e4c6fb3f4af989585117d8a165c41303e9fb3241cec03335643f8127

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
424B

MD5
724c1b931cfb6bd4c01b39a7c4b14ca3

SHA1
0f69c43c049dd14d16b266dfd49e1c773b208170

SHA256
f510515ef635942776b6ded5805ee2a980b88ed25c23f8ef2a8e17285ceeaac1

SHA512
99e3cc6953a2b7f6495f505168bd3f52f46831cd27930631dba01247234e63b8d2f55609e088f5f1207a30bd94052ad4605597ff96b9feb99b2b6e3f58d8607c

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
424B

MD5
90ae06fbfb3da085964dd0ac0956eafb

SHA1
a97a3b85891e135b7866acdac8aa55c39136b6e7

SHA256
833cac107cbfc2310e1e6bb7175d31801e5f4422ff725ff43fc3e4b01887a2b7

SHA512
ce92ed99cce845976d80be956d8beb8d53b061916b0e9d1b766de40275e8e358c0dff045e4c6fb3f4af989585117d8a165c41303e9fb3241cec03335643f8127

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
424B

MD5
724c1b931cfb6bd4c01b39a7c4b14ca3

SHA1
0f69c43c049dd14d16b266dfd49e1c773b208170

SHA256
f510515ef635942776b6ded5805ee2a980b88ed25c23f8ef2a8e17285ceeaac1

SHA512
99e3cc6953a2b7f6495f505168bd3f52f46831cd27930631dba01247234e63b8d2f55609e088f5f1207a30bd94052ad4605597ff96b9feb99b2b6e3f58d8607c

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
424B

MD5
724c1b931cfb6bd4c01b39a7c4b14ca3

SHA1
0f69c43c049dd14d16b266dfd49e1c773b208170

SHA256
f510515ef635942776b6ded5805ee2a980b88ed25c23f8ef2a8e17285ceeaac1

SHA512
99e3cc6953a2b7f6495f505168bd3f52f46831cd27930631dba01247234e63b8d2f55609e088f5f1207a30bd94052ad4605597ff96b9feb99b2b6e3f58d8607c

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
312B

MD5
0c04ad1083dc5c7c45e3ee2cd344ae38

SHA1
f1cf190f8ca93000e56d49732e9e827e2554c46f

SHA256
6452273c017db7cbe0ffc5b109bbf3f8d3282fb91bfa3c5eabc4fb8f1fc98cb0

SHA512
6c414b39bbc1f1f08446c6c6da6f6e1ceb9303bbf183ae279c872d91641ea8d67ec5e5c4e0824da3837eca73ec29fe70e92b72c09458c8ce50fa6f08791d1492

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
5f233bf42bce9470ed7cd1286113be5e

SHA1
528891b54f352de37ec0ca99e96c3b50270e6955

SHA256
f21afcc1f17697faf427f7d812c4f1951d8c037cd9b75afb8ed131a708eee92e

SHA512
848a2a0f2c5a8b093a82837b9c2010eac450245fd5f25c39af5d9ffd521cac8a5178c58d0889cb38aa9c68118bc58198bc33280195bd55d2e314a7894448caed

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
5f233bf42bce9470ed7cd1286113be5e

SHA1
528891b54f352de37ec0ca99e96c3b50270e6955

SHA256
f21afcc1f17697faf427f7d812c4f1951d8c037cd9b75afb8ed131a708eee92e

SHA512
848a2a0f2c5a8b093a82837b9c2010eac450245fd5f25c39af5d9ffd521cac8a5178c58d0889cb38aa9c68118bc58198bc33280195bd55d2e314a7894448caed

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
5f233bf42bce9470ed7cd1286113be5e

SHA1
528891b54f352de37ec0ca99e96c3b50270e6955

SHA256
f21afcc1f17697faf427f7d812c4f1951d8c037cd9b75afb8ed131a708eee92e

SHA512
848a2a0f2c5a8b093a82837b9c2010eac450245fd5f25c39af5d9ffd521cac8a5178c58d0889cb38aa9c68118bc58198bc33280195bd55d2e314a7894448caed

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
29cee1e85a3df05bd1e9eff62c14169d

SHA1
8dc4ed78721926bfc1e3f0b0d942d3ef91bf21f4

SHA256
db48de99fd71ddddbb2e41279138cf8981fa6d4f9820435c77eb8b99dc314c4d

SHA512
f6d750a7bc7636a90b4eb2ceb2ebc20cfb7fb09621d0d8899e03026063e323111498e0d62f3c6e0c039cba37e15a92486b05cc02d4a43517c30933edb53e7a38

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
ddf2bfd90c2c8ea070f7a4bb6169fb33

SHA1
5a54f5757ba79a86f4361b05f54c07ba1d69f133

SHA256
792ece9e3a6e839b4a9bb1c7d28c98a710a4fceb67ac9465758e667ddaddf753

SHA512
e57c6e407f4736a44fe009d5ac45350fe3711efb19d6ba34b5f7c82e5afd44c16ca0d0a0ea8318467336b04cb0c5f713bed6b53a69b978d3c157063b50f25454

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
ddf2bfd90c2c8ea070f7a4bb6169fb33

SHA1
5a54f5757ba79a86f4361b05f54c07ba1d69f133

SHA256
792ece9e3a6e839b4a9bb1c7d28c98a710a4fceb67ac9465758e667ddaddf753

SHA512
e57c6e407f4736a44fe009d5ac45350fe3711efb19d6ba34b5f7c82e5afd44c16ca0d0a0ea8318467336b04cb0c5f713bed6b53a69b978d3c157063b50f25454

Download Submit
memory/1140-70-0x0000000000130000-0x00000000011AE000-memory.dmp

Filesize
16.5MB

Download
memory/1140-491-0x0000000000130000-0x00000000011AE000-memory.dmp

Filesize
16.5MB

Download
memory/1140-94-0x0000000001260000-0x0000000001261000-memory.dmp

Filesize
4KB

Download
memory/1140-224-0x0000000000130000-0x00000000011AE000-memory.dmp

Filesize
16.5MB

Download
memory/1268-305-0x0000000000130000-0x00000000011AE000-memory.dmp

Filesize
16.5MB

Download
memory/1268-238-0x0000000000130000-0x00000000011AE000-memory.dmp

Filesize
16.5MB

Download
memory/1268-289-0x0000000000130000-0x00000000011AE000-memory.dmp

Filesize
16.5MB

Download
memory/1268-223-0x0000000000130000-0x00000000011AE000-memory.dmp

Filesize
16.5MB

Download
memory/1268-69-0x0000000000130000-0x00000000011AE000-memory.dmp

Filesize
16.5MB

Download
memory/1268-490-0x0000000000130000-0x00000000011AE000-memory.dmp

Filesize
16.5MB

Download
memory/1532-315-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/1532-318-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/1680-54-0x0000000000130000-0x00000000011AE000-memory.dmp

Filesize
16.5MB

Download
memory/1680-56-0x0000000000120000-0x0000000000121000-memory.dmp

Filesize
4KB

Download
memory/1680-176-0x0000000000130000-0x00000000011AE000-memory.dmp

Filesize
16.5MB

Download
memory/1680-73-0x0000000003250000-0x0000000003251000-memory.dmp

Filesize
4KB

Download
memory/1680-74-0x0000000003360000-0x0000000003361000-memory.dmp

Filesize
4KB

Download