fc19f3275d02764cf249dc6fe8962e06b83a4f5769cc369bc4f77b90c567df18

Analysis

max time kernel
61s
max time network
44s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
20-03-2023 21:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

AnyDesk.exe
Size

3.8MB
MD5

e546506082b374a0869bdd97b313fe5d
SHA1

082dc6b336b41788391bad20b26f4b9a1ad724fc
SHA256

fc19f3275d02764cf249dc6fe8962e06b83a4f5769cc369bc4f77b90c567df18
SHA512

15a8d7c74193dffd77639b1356ccbe975d17de73d0d6d177b8ecf816d665f620adefcded37c141bac0b2d8564fbba61aca4d9b01885740f23fbcc190515cbd08
SSDEEP

98304:uSCb8xJlb0VgU/vZaZKa4opQILfbsLajDMWEeq7PbUs6En5:uH8HCOUZakpAbjbsLsMmqM

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

AnyDesk.exe

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	AnyDesk.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AnyDesk.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

AnyDesk.exeAnyDesk.exe

pid	Process
320	AnyDesk.exe
1372	AnyDesk.exe

Suspicious use of FindShellTrayWindow 3 IoCs

Processes:

AnyDesk.exe

pid	Process
588	AnyDesk.exe
588	AnyDesk.exe
588	AnyDesk.exe

Suspicious use of SendNotifyMessage 3 IoCs

Processes:

AnyDesk.exe

pid	Process
588	AnyDesk.exe
588	AnyDesk.exe
588	AnyDesk.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

AnyDesk.exe

pid	Process
1372	AnyDesk.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

AnyDesk.exe

description	pid	Process	procid_target
PID 1372 wrote to memory of 320	1372	AnyDesk.exe	28
PID 1372 wrote to memory of 320	1372	AnyDesk.exe	28
PID 1372 wrote to memory of 320	1372	AnyDesk.exe	28
PID 1372 wrote to memory of 320	1372	AnyDesk.exe	28
PID 1372 wrote to memory of 588	1372	AnyDesk.exe	29
PID 1372 wrote to memory of 588	1372	AnyDesk.exe	29
PID 1372 wrote to memory of 588	1372	AnyDesk.exe	29
PID 1372 wrote to memory of 588	1372	AnyDesk.exe	29

C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
"C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe"
1⤵
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1372
- C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
  "C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe" --local-service
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:320
- C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
  "C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe" --local-control
  2⤵
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:588

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace

Filesize
6KB

MD5
27f3355ce68c357d8d2c9dbeb2be6754

SHA1
2e02711958b0200056eda1b02ea900b85f4eab49

SHA256
b1141432a1ba78296c11392f0d26c123f43de8057db7d5681c578089e631e6e9

SHA512
0cf2dac05fe30901d2f60679495c7ef4f9623f53245c26f17b52a97d5b3216d4354614e8aeff583012e9aa34a85d21277a2c6617ecda64032a8b4cda69e4bf5e

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace

Filesize
6KB

MD5
27f3355ce68c357d8d2c9dbeb2be6754

SHA1
2e02711958b0200056eda1b02ea900b85f4eab49

SHA256
b1141432a1ba78296c11392f0d26c123f43de8057db7d5681c578089e631e6e9

SHA512
0cf2dac05fe30901d2f60679495c7ef4f9623f53245c26f17b52a97d5b3216d4354614e8aeff583012e9aa34a85d21277a2c6617ecda64032a8b4cda69e4bf5e

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\service.conf

Filesize
2KB

MD5
3b9238ec7dd0e59d884b8ad2349d9002

SHA1
d42546118b360e6067b4c95cb2f50b3b5ee7bd18

SHA256
dc30c924db0e8b912b4e91fcbffa728e92eae4fdf0d40b9c3e4b4408f1b3a5fe

SHA512
13abe5c840df1c712cecf928d8b1d0865f0f4902d3d31bfcc6d1db92fee32695293751db8c0994b1722d37f9a19dddf36ae339c90165726e472ec559450e1aa9

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\service.conf

Filesize
2KB

MD5
3b9238ec7dd0e59d884b8ad2349d9002

SHA1
d42546118b360e6067b4c95cb2f50b3b5ee7bd18

SHA256
dc30c924db0e8b912b4e91fcbffa728e92eae4fdf0d40b9c3e4b4408f1b3a5fe

SHA512
13abe5c840df1c712cecf928d8b1d0865f0f4902d3d31bfcc6d1db92fee32695293751db8c0994b1722d37f9a19dddf36ae339c90165726e472ec559450e1aa9

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
424B

MD5
db08e2f84b563aacf972c23e55db5d51

SHA1
5d3e02559802b8963a7fe9ce582b193891252ec2

SHA256
c22e6e701addf7f1d728673ae9d794e36adc0ddfbb9663d1e83a1c6618c03253

SHA512
3832b75f6fe10b9477091af234ca5a652971e29956a84261431533d7cd17257d70d5bd6c6c50f0b87e66ca9e08ef3527f8616c4e3d9eae0d4c4a33bb58544e1e

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
424B

MD5
db08e2f84b563aacf972c23e55db5d51

SHA1
5d3e02559802b8963a7fe9ce582b193891252ec2

SHA256
c22e6e701addf7f1d728673ae9d794e36adc0ddfbb9663d1e83a1c6618c03253

SHA512
3832b75f6fe10b9477091af234ca5a652971e29956a84261431533d7cd17257d70d5bd6c6c50f0b87e66ca9e08ef3527f8616c4e3d9eae0d4c4a33bb58544e1e

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
424B

MD5
db08e2f84b563aacf972c23e55db5d51

SHA1
5d3e02559802b8963a7fe9ce582b193891252ec2

SHA256
c22e6e701addf7f1d728673ae9d794e36adc0ddfbb9663d1e83a1c6618c03253

SHA512
3832b75f6fe10b9477091af234ca5a652971e29956a84261431533d7cd17257d70d5bd6c6c50f0b87e66ca9e08ef3527f8616c4e3d9eae0d4c4a33bb58544e1e

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
424B

MD5
39dd1821d23cba7f1a54b312cefe6104

SHA1
db72333b9a2a59084193b56fd551952c2d64bd71

SHA256
277d93c75b79744e61f0e8aeb7a744ba9b9a9f9073cc4ec7a5ea0ff2a492ca1a

SHA512
3536390af77748240a786526ac3c7e5c655b61fb70f701b3bf98ae7280335430f5a7f8587b7fe6cdaf2d42ef98319b413310fefa1a32007adf6b022f9be8ad07

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
424B

MD5
39dd1821d23cba7f1a54b312cefe6104

SHA1
db72333b9a2a59084193b56fd551952c2d64bd71

SHA256
277d93c75b79744e61f0e8aeb7a744ba9b9a9f9073cc4ec7a5ea0ff2a492ca1a

SHA512
3536390af77748240a786526ac3c7e5c655b61fb70f701b3bf98ae7280335430f5a7f8587b7fe6cdaf2d42ef98319b413310fefa1a32007adf6b022f9be8ad07

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
424B

MD5
db08e2f84b563aacf972c23e55db5d51

SHA1
5d3e02559802b8963a7fe9ce582b193891252ec2

SHA256
c22e6e701addf7f1d728673ae9d794e36adc0ddfbb9663d1e83a1c6618c03253

SHA512
3832b75f6fe10b9477091af234ca5a652971e29956a84261431533d7cd17257d70d5bd6c6c50f0b87e66ca9e08ef3527f8616c4e3d9eae0d4c4a33bb58544e1e

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
424B

MD5
39dd1821d23cba7f1a54b312cefe6104

SHA1
db72333b9a2a59084193b56fd551952c2d64bd71

SHA256
277d93c75b79744e61f0e8aeb7a744ba9b9a9f9073cc4ec7a5ea0ff2a492ca1a

SHA512
3536390af77748240a786526ac3c7e5c655b61fb70f701b3bf98ae7280335430f5a7f8587b7fe6cdaf2d42ef98319b413310fefa1a32007adf6b022f9be8ad07

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
424B

MD5
db08e2f84b563aacf972c23e55db5d51

SHA1
5d3e02559802b8963a7fe9ce582b193891252ec2

SHA256
c22e6e701addf7f1d728673ae9d794e36adc0ddfbb9663d1e83a1c6618c03253

SHA512
3832b75f6fe10b9477091af234ca5a652971e29956a84261431533d7cd17257d70d5bd6c6c50f0b87e66ca9e08ef3527f8616c4e3d9eae0d4c4a33bb58544e1e

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
424B

MD5
39dd1821d23cba7f1a54b312cefe6104

SHA1
db72333b9a2a59084193b56fd551952c2d64bd71

SHA256
277d93c75b79744e61f0e8aeb7a744ba9b9a9f9073cc4ec7a5ea0ff2a492ca1a

SHA512
3536390af77748240a786526ac3c7e5c655b61fb70f701b3bf98ae7280335430f5a7f8587b7fe6cdaf2d42ef98319b413310fefa1a32007adf6b022f9be8ad07

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
f3cecd33d681f55f375c2b16112bcd32

SHA1
0c20415eb5da9188444f6aaca4b74a0792266e44

SHA256
0dd1b5849ecaa5be2e87b6cef565be17372ab30034df3e4ed24d3e0c0b02fc54

SHA512
80c1b856bd1814392dc298b203ad918d6fcb7d142a6c597cd5366c41ccbcbc71ce91ddbed1dc527f9d2552d5b4775b692d34d508a4a8371f2780f61b228b9859

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
5d767d684e2a318462d0a109f47d1bf4

SHA1
5d41c5ec6077a097ea26c8b90cbd0b5ca1f28a66

SHA256
2add0dcf953c1d9cafdf5a4b1d9e5e2870e9eb944a0bee286a9ecd422cd4be58

SHA512
6f98da75707477e4e1850a6f0c6f5cd3d019a9ae7cb0dc243f97eebd8d57c10c958bedef4213e9db23b6c859539fecc0eaacb3036348f81a6c69462d0b5745b6

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
5d767d684e2a318462d0a109f47d1bf4

SHA1
5d41c5ec6077a097ea26c8b90cbd0b5ca1f28a66

SHA256
2add0dcf953c1d9cafdf5a4b1d9e5e2870e9eb944a0bee286a9ecd422cd4be58

SHA512
6f98da75707477e4e1850a6f0c6f5cd3d019a9ae7cb0dc243f97eebd8d57c10c958bedef4213e9db23b6c859539fecc0eaacb3036348f81a6c69462d0b5745b6

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
bcb6354436bcc9ddd11f704495823246

SHA1
04285ce2e653cb35e81ed78cc65f37c428ea6842

SHA256
06866ce987dae1957949e40edfd61362e00ff1461daf0c20a1855a76e3670e16

SHA512
314c67490e06834624724d21ea32064230f7a03676a8e8486739c94e25b4f271be52a44d2a12b76842eff4bc04b64fe179f7be113f5fad95e75471d00cb20c80

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
bcb6354436bcc9ddd11f704495823246

SHA1
04285ce2e653cb35e81ed78cc65f37c428ea6842

SHA256
06866ce987dae1957949e40edfd61362e00ff1461daf0c20a1855a76e3670e16

SHA512
314c67490e06834624724d21ea32064230f7a03676a8e8486739c94e25b4f271be52a44d2a12b76842eff4bc04b64fe179f7be113f5fad95e75471d00cb20c80

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
480d01349ad9c1e92d4ffb552fd36ea1

SHA1
14d849b08466d62c0af5b6c170ffa6b4b074d04d

SHA256
f3429559a34a949ff4133b45315d4310b195cfddcded7bfa1c29a9d77ee183d7

SHA512
0765d91f3004802933e8edc12493eb18d4c11a6a411978a92dc6964e9de65956c905f58e753ca54a7446070f3e3cf471c44139ca84715f3b9f3d07a4b9088fae

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
7080bae53749b065d3f9a2f3e5a29f2f

SHA1
644b786fe62f2d736c616735940d881dce8a34cc

SHA256
66438e0a938d2762a658d81f2b99ddbe1ab40b4473230268fce839005d69c711

SHA512
065c9817a787200724f03dd0da1b240cd5cb57db90e2c8a5b508fcf1def8c33eab239ec60c2463b3f055e6f1fedf39f701583bc511fd44be9af39f1f6f7300a1

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
8b75b6d7e9fea858709d435551ddbc7a

SHA1
204be4d03bd9ccc20d7fe74c493273f4240b8215

SHA256
df6a1d8bdd721b882ca34fe6739e3ae9cb9e3c3f65784bc239665b5f67a851d8

SHA512
439b8015837a4d69fbf6f7f2e654631054ca1cca74a015898b26c0871f3c502aa8631d135f7be99c50c058ac4ea68eff0907f26d9d24a38758bf79343bdd9bf8

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
2573d1bb7b5f99d42849611bb160345e

SHA1
cae3f849e4d6970e1f3392c4fa5c8a969f366196

SHA256
68016fdae6b51d94ade0bc95274b9cf8e968df22b58c62673c004d182f68d586

SHA512
89272497cc6ff18b775f5751067c965f73021533e52d778d8fcb13eeb62f81cf98ded731ebade4ea33c99d2aed17802c3aedb47440226c5892819eb559d69d84

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
2573d1bb7b5f99d42849611bb160345e

SHA1
cae3f849e4d6970e1f3392c4fa5c8a969f366196

SHA256
68016fdae6b51d94ade0bc95274b9cf8e968df22b58c62673c004d182f68d586

SHA512
89272497cc6ff18b775f5751067c965f73021533e52d778d8fcb13eeb62f81cf98ded731ebade4ea33c99d2aed17802c3aedb47440226c5892819eb559d69d84

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
a49055f1919b78e6900d01af6f2796d2

SHA1
fce149e76c769878c848f6601a6491e9093fe6be

SHA256
46bedaaea93f0162dfa3290096c388b7525c0e719eba24a4452a25810f6c9323

SHA512
deebdff44d919ed4d128dbc7a9b8b0ddd82e350ca1a036f377af0b5117223ef4dcf8e188aa196c88959e1af723624d855e61d8a9771d7bc11a86f0fabfaea6f7

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
247eefc562328ec29e49dd6aaf01098a

SHA1
d664668fbada051e35a85a0ad3385f0e5f28d5a9

SHA256
251d285311ec7e9a04528c0e1024b51408735c608ebb604fbd37680184134150

SHA512
2d2aa3e91be9505578d4a7df3b8b8cd08d6d6c79991b56b1d735b2b4575aafbd73fbbda5f6fe54ea8e1fe98fd99501154a3c1c3e8767bb610451e93dd5be715a

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
247eefc562328ec29e49dd6aaf01098a

SHA1
d664668fbada051e35a85a0ad3385f0e5f28d5a9

SHA256
251d285311ec7e9a04528c0e1024b51408735c608ebb604fbd37680184134150

SHA512
2d2aa3e91be9505578d4a7df3b8b8cd08d6d6c79991b56b1d735b2b4575aafbd73fbbda5f6fe54ea8e1fe98fd99501154a3c1c3e8767bb610451e93dd5be715a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\75fdacd8330bac18.customDestinations-ms

Filesize
3KB

MD5
3336f02f8eaffc479c2a8a5243439b4b

SHA1
f4d3a7207854693b0facb640227d6265ca0b986e

SHA256
70f532e7a9d618df37e7ec9966d92e609b6a99eb30e9e3dc16a42fafe023621a

SHA512
896e3053ad7abdc6f3ff305ee294892e3d80c31e0bd0e62b9ccd8a7e16fabf219aa2b18bd0da4a6bde9ee9ee5211089e89fa2a11777e2cf92fa831f44975552b

Download Submit
memory/320-190-0x0000000001160000-0x00000000021DE000-memory.dmp

Filesize
16.5MB

Download
memory/320-248-0x0000000001160000-0x00000000021DE000-memory.dmp

Filesize
16.5MB

Download
memory/320-350-0x0000000001160000-0x00000000021DE000-memory.dmp

Filesize
16.5MB

Download
memory/320-70-0x0000000001160000-0x00000000021DE000-memory.dmp

Filesize
16.5MB

Download
memory/320-322-0x0000000001160000-0x00000000021DE000-memory.dmp

Filesize
16.5MB

Download
memory/588-191-0x0000000001160000-0x00000000021DE000-memory.dmp

Filesize
16.5MB

Download
memory/588-101-0x0000000000300000-0x0000000000301000-memory.dmp

Filesize
4KB

Download
memory/588-69-0x0000000001160000-0x00000000021DE000-memory.dmp

Filesize
16.5MB

Download
memory/1372-187-0x0000000001160000-0x00000000021DE000-memory.dmp

Filesize
16.5MB

Download
memory/1372-335-0x0000000001160000-0x00000000021DE000-memory.dmp

Filesize
16.5MB

Download
memory/1372-276-0x0000000001160000-0x00000000021DE000-memory.dmp

Filesize
16.5MB

Download
memory/1372-258-0x0000000001160000-0x00000000021DE000-memory.dmp

Filesize
16.5MB

Download
memory/1372-54-0x0000000001160000-0x00000000021DE000-memory.dmp

Filesize
16.5MB

Download
memory/1372-99-0x0000000000C80000-0x0000000000C81000-memory.dmp

Filesize
4KB

Download
memory/1372-100-0x0000000000E30000-0x0000000000E31000-memory.dmp

Filesize
4KB

Download
memory/1372-56-0x0000000000120000-0x0000000000121000-memory.dmp

Filesize
4KB

Download
memory/1372-395-0x0000000001160000-0x00000000021DE000-memory.dmp

Filesize
16.5MB

Download