fc19f3275d02764cf249dc6fe8962e06b83a4f5769cc369bc4f77b90c567df18

Analysis

max time kernel
136s
max time network
54s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
17-03-2023 14:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

AnyDesk.exe
Size

3.8MB
MD5

e546506082b374a0869bdd97b313fe5d
SHA1

082dc6b336b41788391bad20b26f4b9a1ad724fc
SHA256

fc19f3275d02764cf249dc6fe8962e06b83a4f5769cc369bc4f77b90c567df18
SHA512

15a8d7c74193dffd77639b1356ccbe975d17de73d0d6d177b8ecf816d665f620adefcded37c141bac0b2d8564fbba61aca4d9b01885740f23fbcc190515cbd08
SSDEEP

98304:uSCb8xJlb0VgU/vZaZKa4opQILfbsLajDMWEeq7PbUs6En5:uH8HCOUZakpAbjbsLsMmqM

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

AnyDesk.exe

pid	Process
1424	AnyDesk.exe
1424	AnyDesk.exe

Suspicious use of SendNotifyMessage 2 IoCs

Processes:

AnyDesk.exe

pid	Process
1424	AnyDesk.exe
1424	AnyDesk.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

AnyDesk.exe

description	pid	Process	procid_target
PID 1536 wrote to memory of 1428	1536	AnyDesk.exe	28
PID 1536 wrote to memory of 1428	1536	AnyDesk.exe	28
PID 1536 wrote to memory of 1428	1536	AnyDesk.exe	28
PID 1536 wrote to memory of 1428	1536	AnyDesk.exe	28
PID 1536 wrote to memory of 1424	1536	AnyDesk.exe	29
PID 1536 wrote to memory of 1424	1536	AnyDesk.exe	29
PID 1536 wrote to memory of 1424	1536	AnyDesk.exe	29
PID 1536 wrote to memory of 1424	1536	AnyDesk.exe	29

C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
"C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1536
- C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
  "C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe" --local-service
  2⤵
  PID:1428
- C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
  "C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe" --local-control
  2⤵
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:1424

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace

Filesize
7KB

MD5
4a1ff5097b5a7f0df82c3ff37e66e345

SHA1
b644c9ffa2f13ab6edcdb57e5a7211bbe6d67c4e

SHA256
df71dd0a2394cd168fce5f4767e4d1836561a88a29f1cd9516bbd0c32493d258

SHA512
797ec4d02cf532953da0871c07c832e01916dee53e3dbe866aeca2d7e96db4b2d083e0b240911e301480632e926615b50b7fc5465f7b422da045f3322c2124c3

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace

Filesize
7KB

MD5
4a1ff5097b5a7f0df82c3ff37e66e345

SHA1
b644c9ffa2f13ab6edcdb57e5a7211bbe6d67c4e

SHA256
df71dd0a2394cd168fce5f4767e4d1836561a88a29f1cd9516bbd0c32493d258

SHA512
797ec4d02cf532953da0871c07c832e01916dee53e3dbe866aeca2d7e96db4b2d083e0b240911e301480632e926615b50b7fc5465f7b422da045f3322c2124c3

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
a15a5349f4b9d5f33eb17595c6d9082d

SHA1
4a5329f81f4873f990117ce62b0dc0d5502b4f92

SHA256
0aa92523290eb621b5aa8f01f5be892a25403fa46ec7b80f3e6ef5ccb5e98977

SHA512
6f952404863ec7d33ac94fa85387eece2200254bfffe5135fb1eb5881cc427bb861a286fc52fb5d6e817aa17477c8f6365088bb01efa0f6baa3854d2fa087717

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
e5c8acb2095408488c7fcbb6a4e5cc26

SHA1
c696c72c269e780c2377882fe7514cb274242d99

SHA256
ef82a518cefda30781705aa2ce689a35afd348f50c2b1d99d265b1ac2b76cdd4

SHA512
886e8086e2ec84acb35b6eb7923b710ccd002174816e57f62583d0af10bc178f8d069a651ce929cbdcc989c30112055b00eb3c1630ae6a11a50762e070ae8102

Download Submit
memory/1424-69-0x0000000000F80000-0x0000000001FFE000-memory.dmp

Filesize
16.5MB

Download
memory/1424-78-0x00000000000C0000-0x00000000000C1000-memory.dmp

Filesize
4KB

Download
memory/1424-86-0x0000000000F80000-0x0000000001FFE000-memory.dmp

Filesize
16.5MB

Download
memory/1428-70-0x0000000000F80000-0x0000000001FFE000-memory.dmp

Filesize
16.5MB

Download
memory/1428-85-0x0000000000F80000-0x0000000001FFE000-memory.dmp

Filesize
16.5MB

Download
memory/1536-73-0x0000000000F70000-0x0000000000F71000-memory.dmp

Filesize
4KB

Download
memory/1536-71-0x0000000000E20000-0x0000000000E21000-memory.dmp

Filesize
4KB

Download
memory/1536-54-0x0000000000F80000-0x0000000001FFE000-memory.dmp

Filesize
16.5MB

Download
memory/1536-56-0x00000000000F0000-0x00000000000F1000-memory.dmp

Filesize
4KB

Download
memory/1536-84-0x0000000000F80000-0x0000000001FFE000-memory.dmp

Filesize
16.5MB

Download