fc19f3275d02764cf249dc6fe8962e06b83a4f5769cc369bc4f77b90c567df18

Analysis

max time kernel
103s
max time network
93s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
17-03-2023 14:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

AnyDesk.exe
Size

3.8MB
MD5

e546506082b374a0869bdd97b313fe5d
SHA1

082dc6b336b41788391bad20b26f4b9a1ad724fc
SHA256

fc19f3275d02764cf249dc6fe8962e06b83a4f5769cc369bc4f77b90c567df18
SHA512

15a8d7c74193dffd77639b1356ccbe975d17de73d0d6d177b8ecf816d665f620adefcded37c141bac0b2d8564fbba61aca4d9b01885740f23fbcc190515cbd08
SSDEEP

98304:uSCb8xJlb0VgU/vZaZKa4opQILfbsLajDMWEeq7PbUs6En5:uH8HCOUZakpAbjbsLsMmqM

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

AnyDesk.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AnyDesk.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	AnyDesk.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

AnyDesk.exe

pid	Process
3300	AnyDesk.exe
3300	AnyDesk.exe

Suspicious use of FindShellTrayWindow 3 IoCs

Processes:

AnyDesk.exe

pid	Process
2800	AnyDesk.exe
2800	AnyDesk.exe
2800	AnyDesk.exe

Suspicious use of SendNotifyMessage 3 IoCs

Processes:

AnyDesk.exe

pid	Process
2800	AnyDesk.exe
2800	AnyDesk.exe
2800	AnyDesk.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

AnyDesk.exe

description	pid	Process	procid_target
PID 3636 wrote to memory of 3300	3636	AnyDesk.exe	86
PID 3636 wrote to memory of 3300	3636	AnyDesk.exe	86
PID 3636 wrote to memory of 3300	3636	AnyDesk.exe	86
PID 3636 wrote to memory of 2800	3636	AnyDesk.exe	87
PID 3636 wrote to memory of 2800	3636	AnyDesk.exe	87
PID 3636 wrote to memory of 2800	3636	AnyDesk.exe	87

C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
"C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe"
1⤵
- Checks processor information in registry
- Suspicious use of WriteProcessMemory
PID:3636
- C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
  "C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe" --local-service
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3300
- C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
  "C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe" --local-control
  2⤵
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:2800

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace

Filesize
5KB

MD5
ac3f955781ff9767eef9a377fe58dba2

SHA1
d80106183648c7e01f320a7fd8e35f75374fc95d

SHA256
9b68f8c7c1ba453b151f40209e6c7cb3c5c22c78fb720069d8a25c68592e531f

SHA512
5b0ad5ca45ea4803d7ad3083541e332d914cb936f7b562b51b903a39f7155a0560d76f088d54901f63f5d3d826c7bbca5b851a397d05bae9a9a1dcc551d01687

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace

Filesize
5KB

MD5
ac3f955781ff9767eef9a377fe58dba2

SHA1
d80106183648c7e01f320a7fd8e35f75374fc95d

SHA256
9b68f8c7c1ba453b151f40209e6c7cb3c5c22c78fb720069d8a25c68592e531f

SHA512
5b0ad5ca45ea4803d7ad3083541e332d914cb936f7b562b51b903a39f7155a0560d76f088d54901f63f5d3d826c7bbca5b851a397d05bae9a9a1dcc551d01687

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\service.conf

Filesize
2KB

MD5
449cb4677833c0aaf44650b7f4103ec1

SHA1
8bad7ff3d2eaa31020b7867696731c7df7285c1f

SHA256
772ff3bd86f79751198b49c830c419f54fe4c4f87aeacf5b018551e84bd1b7ff

SHA512
58bf0e3adfec138fd8f73f9a616561f59d104ca84c83e686d693f74ec9fb2627bcb8fe7ab3eaf245ef506429727c1c2421771cd3f9714ab1319c99c3f2d893dd

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\service.conf

Filesize
2KB

MD5
449cb4677833c0aaf44650b7f4103ec1

SHA1
8bad7ff3d2eaa31020b7867696731c7df7285c1f

SHA256
772ff3bd86f79751198b49c830c419f54fe4c4f87aeacf5b018551e84bd1b7ff

SHA512
58bf0e3adfec138fd8f73f9a616561f59d104ca84c83e686d693f74ec9fb2627bcb8fe7ab3eaf245ef506429727c1c2421771cd3f9714ab1319c99c3f2d893dd

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
312B

MD5
0c04ad1083dc5c7c45e3ee2cd344ae38

SHA1
f1cf190f8ca93000e56d49732e9e827e2554c46f

SHA256
6452273c017db7cbe0ffc5b109bbf3f8d3282fb91bfa3c5eabc4fb8f1fc98cb0

SHA512
6c414b39bbc1f1f08446c6c6da6f6e1ceb9303bbf183ae279c872d91641ea8d67ec5e5c4e0824da3837eca73ec29fe70e92b72c09458c8ce50fa6f08791d1492

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
424B

MD5
be33d517ffce9c33442da767c2db69ef

SHA1
f7de573a31d1bfc3d4fb88171df15d25414da2a4

SHA256
7ffd0fa9f7c917f3e855223f3775a0e2f897c73daa0037327561ac99916f56a5

SHA512
05e44b08a94392046b3dcb34ce3ceb4a94804f56be10b60ad7c39e34e38c22ec08a9d06e02e6b1f74754751d3c470693b00936bdccfabbb1a3eac1caa87d2a0e

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
424B

MD5
84c89fd0a318157c7a415c31e8a20b8a

SHA1
891f60d0f02a6a10cb93f4563913bb6dec299ea7

SHA256
73700e6c51e5510a302090f0abe97bee985862d99cc6526ef04a2a86c8b6f064

SHA512
33369b5344b86bd2679a9bf00948730f1da33cc37286007a95f3cd0a1f724c555fc5f2d31ba54fd1afdc988550d44d1a503070957668bc48004078b4aef1b7be

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
424B

MD5
84c89fd0a318157c7a415c31e8a20b8a

SHA1
891f60d0f02a6a10cb93f4563913bb6dec299ea7

SHA256
73700e6c51e5510a302090f0abe97bee985862d99cc6526ef04a2a86c8b6f064

SHA512
33369b5344b86bd2679a9bf00948730f1da33cc37286007a95f3cd0a1f724c555fc5f2d31ba54fd1afdc988550d44d1a503070957668bc48004078b4aef1b7be

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
424B

MD5
be33d517ffce9c33442da767c2db69ef

SHA1
f7de573a31d1bfc3d4fb88171df15d25414da2a4

SHA256
7ffd0fa9f7c917f3e855223f3775a0e2f897c73daa0037327561ac99916f56a5

SHA512
05e44b08a94392046b3dcb34ce3ceb4a94804f56be10b60ad7c39e34e38c22ec08a9d06e02e6b1f74754751d3c470693b00936bdccfabbb1a3eac1caa87d2a0e

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
424B

MD5
84c89fd0a318157c7a415c31e8a20b8a

SHA1
891f60d0f02a6a10cb93f4563913bb6dec299ea7

SHA256
73700e6c51e5510a302090f0abe97bee985862d99cc6526ef04a2a86c8b6f064

SHA512
33369b5344b86bd2679a9bf00948730f1da33cc37286007a95f3cd0a1f724c555fc5f2d31ba54fd1afdc988550d44d1a503070957668bc48004078b4aef1b7be

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
424B

MD5
84c89fd0a318157c7a415c31e8a20b8a

SHA1
891f60d0f02a6a10cb93f4563913bb6dec299ea7

SHA256
73700e6c51e5510a302090f0abe97bee985862d99cc6526ef04a2a86c8b6f064

SHA512
33369b5344b86bd2679a9bf00948730f1da33cc37286007a95f3cd0a1f724c555fc5f2d31ba54fd1afdc988550d44d1a503070957668bc48004078b4aef1b7be

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
424B

MD5
be33d517ffce9c33442da767c2db69ef

SHA1
f7de573a31d1bfc3d4fb88171df15d25414da2a4

SHA256
7ffd0fa9f7c917f3e855223f3775a0e2f897c73daa0037327561ac99916f56a5

SHA512
05e44b08a94392046b3dcb34ce3ceb4a94804f56be10b60ad7c39e34e38c22ec08a9d06e02e6b1f74754751d3c470693b00936bdccfabbb1a3eac1caa87d2a0e

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
424B

MD5
84c89fd0a318157c7a415c31e8a20b8a

SHA1
891f60d0f02a6a10cb93f4563913bb6dec299ea7

SHA256
73700e6c51e5510a302090f0abe97bee985862d99cc6526ef04a2a86c8b6f064

SHA512
33369b5344b86bd2679a9bf00948730f1da33cc37286007a95f3cd0a1f724c555fc5f2d31ba54fd1afdc988550d44d1a503070957668bc48004078b4aef1b7be

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
424B

MD5
be33d517ffce9c33442da767c2db69ef

SHA1
f7de573a31d1bfc3d4fb88171df15d25414da2a4

SHA256
7ffd0fa9f7c917f3e855223f3775a0e2f897c73daa0037327561ac99916f56a5

SHA512
05e44b08a94392046b3dcb34ce3ceb4a94804f56be10b60ad7c39e34e38c22ec08a9d06e02e6b1f74754751d3c470693b00936bdccfabbb1a3eac1caa87d2a0e

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
424B

MD5
84c89fd0a318157c7a415c31e8a20b8a

SHA1
891f60d0f02a6a10cb93f4563913bb6dec299ea7

SHA256
73700e6c51e5510a302090f0abe97bee985862d99cc6526ef04a2a86c8b6f064

SHA512
33369b5344b86bd2679a9bf00948730f1da33cc37286007a95f3cd0a1f724c555fc5f2d31ba54fd1afdc988550d44d1a503070957668bc48004078b4aef1b7be

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
424B

MD5
be33d517ffce9c33442da767c2db69ef

SHA1
f7de573a31d1bfc3d4fb88171df15d25414da2a4

SHA256
7ffd0fa9f7c917f3e855223f3775a0e2f897c73daa0037327561ac99916f56a5

SHA512
05e44b08a94392046b3dcb34ce3ceb4a94804f56be10b60ad7c39e34e38c22ec08a9d06e02e6b1f74754751d3c470693b00936bdccfabbb1a3eac1caa87d2a0e

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
9a209c2d2f217f23f64aa1e29a9bdedb

SHA1
4cd1af0d9f6bfc7835c8a147038a4c6a01c501ac

SHA256
3942c934ec1a93c08e6b65dfb6ac84f114355cd970036b0ee0a2b689e17ff338

SHA512
dac1d6a70894b4d234a036312a0469871455fcece2a496fe9e4280528ab531b04c616bdf905cbecac32eb0c63c3fb08034fea4ea8a57c6adb554014770dbe35a

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
9a209c2d2f217f23f64aa1e29a9bdedb

SHA1
4cd1af0d9f6bfc7835c8a147038a4c6a01c501ac

SHA256
3942c934ec1a93c08e6b65dfb6ac84f114355cd970036b0ee0a2b689e17ff338

SHA512
dac1d6a70894b4d234a036312a0469871455fcece2a496fe9e4280528ab531b04c616bdf905cbecac32eb0c63c3fb08034fea4ea8a57c6adb554014770dbe35a

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
0e5f26e16098808194b1a1b0c001b83f

SHA1
8a14e55703656318f0506dd1ba5d0e6a5242e8b0

SHA256
a6cd32e15fa8ca24ae8f7da36c5a93b8773658023aee311d17e68f98f73693c7

SHA512
d981681c1cf6465ee41f366e4966b4ce0a5678440be590c214a91adc415578dde1803c5e12af5280fbffc99bc34eb8a172cde1e202ac38be19fdda57659c3061

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
0e5f26e16098808194b1a1b0c001b83f

SHA1
8a14e55703656318f0506dd1ba5d0e6a5242e8b0

SHA256
a6cd32e15fa8ca24ae8f7da36c5a93b8773658023aee311d17e68f98f73693c7

SHA512
d981681c1cf6465ee41f366e4966b4ce0a5678440be590c214a91adc415578dde1803c5e12af5280fbffc99bc34eb8a172cde1e202ac38be19fdda57659c3061

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
0e5f26e16098808194b1a1b0c001b83f

SHA1
8a14e55703656318f0506dd1ba5d0e6a5242e8b0

SHA256
a6cd32e15fa8ca24ae8f7da36c5a93b8773658023aee311d17e68f98f73693c7

SHA512
d981681c1cf6465ee41f366e4966b4ce0a5678440be590c214a91adc415578dde1803c5e12af5280fbffc99bc34eb8a172cde1e202ac38be19fdda57659c3061

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
6ffc71bd1d25bb93ca3cf82713e37b73

SHA1
88f6c6fbcb0d1c6aeb401ce6d72e3178ac90fa9b

SHA256
65615e21107fe0c888c9a50fad11182d409795591127bcf00a42b5b23eb6cbae

SHA512
8bd526128d88b49a25544c401882c867fa441ed83d5900eb2503aba677f1916a65865c347d5c6ddeae2eeda65e0f4c767a31717a34e24413535714dbd1aa3c1a

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
6ffc71bd1d25bb93ca3cf82713e37b73

SHA1
88f6c6fbcb0d1c6aeb401ce6d72e3178ac90fa9b

SHA256
65615e21107fe0c888c9a50fad11182d409795591127bcf00a42b5b23eb6cbae

SHA512
8bd526128d88b49a25544c401882c867fa441ed83d5900eb2503aba677f1916a65865c347d5c6ddeae2eeda65e0f4c767a31717a34e24413535714dbd1aa3c1a

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
6ffc71bd1d25bb93ca3cf82713e37b73

SHA1
88f6c6fbcb0d1c6aeb401ce6d72e3178ac90fa9b

SHA256
65615e21107fe0c888c9a50fad11182d409795591127bcf00a42b5b23eb6cbae

SHA512
8bd526128d88b49a25544c401882c867fa441ed83d5900eb2503aba677f1916a65865c347d5c6ddeae2eeda65e0f4c767a31717a34e24413535714dbd1aa3c1a

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
6ffc71bd1d25bb93ca3cf82713e37b73

SHA1
88f6c6fbcb0d1c6aeb401ce6d72e3178ac90fa9b

SHA256
65615e21107fe0c888c9a50fad11182d409795591127bcf00a42b5b23eb6cbae

SHA512
8bd526128d88b49a25544c401882c867fa441ed83d5900eb2503aba677f1916a65865c347d5c6ddeae2eeda65e0f4c767a31717a34e24413535714dbd1aa3c1a

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
4320c66966e25e82e8296ae055191bcd

SHA1
55e268cf3b9cbca03dd0d8305d0e62783a9d4963

SHA256
3939368aa13120745fb7ad081e213b7add37beec5a78779cef340daecb0588a4

SHA512
fc17d4662b0e3f6fc95c3474af65e0d8327e9a878f1248f51226d2e55fb962603c3e303c0cc1516faa62045b386f4bc1ef2d4d1178a385f7f9711f3af8d307de

Download Submit
memory/2800-522-0x00000000005C0000-0x000000000163E000-memory.dmp

Filesize
16.5MB

Download
memory/2800-149-0x00000000005C0000-0x000000000163E000-memory.dmp

Filesize
16.5MB

Download
memory/2800-173-0x0000000001BE0000-0x0000000001BE1000-memory.dmp

Filesize
4KB

Download
memory/2800-307-0x00000000005C0000-0x000000000163E000-memory.dmp

Filesize
16.5MB

Download
memory/3300-306-0x00000000005C0000-0x000000000163E000-memory.dmp

Filesize
16.5MB

Download
memory/3300-327-0x00000000005C0000-0x000000000163E000-memory.dmp

Filesize
16.5MB

Download
memory/3300-388-0x00000000005C0000-0x000000000163E000-memory.dmp

Filesize
16.5MB

Download
memory/3300-148-0x00000000005C0000-0x000000000163E000-memory.dmp

Filesize
16.5MB

Download
memory/3300-521-0x00000000005C0000-0x000000000163E000-memory.dmp

Filesize
16.5MB

Download
memory/3636-153-0x00000000051F0000-0x00000000051F1000-memory.dmp

Filesize
4KB

Download
memory/3636-152-0x00000000051E0000-0x00000000051E1000-memory.dmp

Filesize
4KB

Download
memory/3636-133-0x00000000005C0000-0x000000000163E000-memory.dmp

Filesize
16.5MB

Download
memory/3636-135-0x0000000001BE0000-0x0000000001BE1000-memory.dmp

Filesize
4KB

Download
memory/3636-496-0x00000000005C0000-0x000000000163E000-memory.dmp

Filesize
16.5MB

Download
memory/3636-252-0x00000000005C0000-0x000000000163E000-memory.dmp

Filesize
16.5MB

Download