fc19f3275d02764cf249dc6fe8962e06b83a4f5769cc369bc4f77b90c567df18

Analysis

max time kernel
150s
max time network
146s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
22-03-2023 16:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

AnyDesk(1).exe
Size

3.8MB
MD5

e546506082b374a0869bdd97b313fe5d
SHA1

082dc6b336b41788391bad20b26f4b9a1ad724fc
SHA256

fc19f3275d02764cf249dc6fe8962e06b83a4f5769cc369bc4f77b90c567df18
SHA512

15a8d7c74193dffd77639b1356ccbe975d17de73d0d6d177b8ecf816d665f620adefcded37c141bac0b2d8564fbba61aca4d9b01885740f23fbcc190515cbd08
SSDEEP

98304:uSCb8xJlb0VgU/vZaZKa4opQILfbsLajDMWEeq7PbUs6En5:uH8HCOUZakpAbjbsLsMmqM

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

AnyDesk(1).exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AnyDesk(1).exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	AnyDesk(1).exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

AnyDesk(1).exe

pid	Process
228	AnyDesk(1).exe
228	AnyDesk(1).exe

Suspicious use of FindShellTrayWindow 3 IoCs

Processes:

AnyDesk(1).exe

pid	Process
4432	AnyDesk(1).exe
4432	AnyDesk(1).exe
4432	AnyDesk(1).exe

Suspicious use of SendNotifyMessage 3 IoCs

Processes:

AnyDesk(1).exe

pid	Process
4432	AnyDesk(1).exe
4432	AnyDesk(1).exe
4432	AnyDesk(1).exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

AnyDesk(1).exe

description	pid	Process	procid_target
PID 3984 wrote to memory of 228	3984	AnyDesk(1).exe	85
PID 3984 wrote to memory of 228	3984	AnyDesk(1).exe	85
PID 3984 wrote to memory of 228	3984	AnyDesk(1).exe	85
PID 3984 wrote to memory of 4432	3984	AnyDesk(1).exe	86
PID 3984 wrote to memory of 4432	3984	AnyDesk(1).exe	86
PID 3984 wrote to memory of 4432	3984	AnyDesk(1).exe	86

C:\Users\Admin\AppData\Local\Temp\AnyDesk(1).exe
"C:\Users\Admin\AppData\Local\Temp\AnyDesk(1).exe"
1⤵
- Checks processor information in registry
- Suspicious use of WriteProcessMemory
PID:3984
- C:\Users\Admin\AppData\Local\Temp\AnyDesk(1).exe
  "C:\Users\Admin\AppData\Local\Temp\AnyDesk(1).exe" --local-service
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:228
- C:\Users\Admin\AppData\Local\Temp\AnyDesk(1).exe
  "C:\Users\Admin\AppData\Local\Temp\AnyDesk(1).exe" --local-control
  2⤵
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:4432

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace

Filesize
5KB

MD5
2442faebd2e0fafcfe6f861174e6820e

SHA1
1f927385cac0809677a29f7988234afbb4e89325

SHA256
543fab1bed8bacb9d4dfefa6f527662a2f316321b87a990e95807bfbf371f545

SHA512
6c33d6ebaa1052a5750d0541844aaa1aa1b93dd72fa6ef551b7af668a1715962bff1d5efe99ccbdbe4f39f0e06182836235653611b3093bf19cfb531ad4aebcd

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace

Filesize
7KB

MD5
11123ecf15c8e00323a7e0947611c518

SHA1
81ceb052c086eb8cfdaf207ae7d7880394ab13fa

SHA256
f7c68a74ff26b76544753170b863f70521d53511590a2c3a12ce6784e48c34be

SHA512
0f64c1f70091dec81566141898ecdc84bf92c693ed32c0e670815220ec0748596c2bbfe3d12b1067580c50d1addba77a841ebaaec57afa91b43e110b561bbe09

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\service.conf

Filesize
2KB

MD5
2c3ccdeca371f4a71d8c7046348fc1e2

SHA1
ac4367763638dbd6ac55eaec79cf0ff7e13e8edc

SHA256
ff322ada7e0ba8f5b5de6344a84d754f0af1fdfea81a0fb7fee3d2aa615fda8b

SHA512
e34da842ab6943924806a7aaf6350cd9b67566a81b30191876db1ac8ad30247d7907600c036d8464ddc1d82952daf7062df2a9a8ea316ed099c8b894d5218b9a

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\service.conf

Filesize
2KB

MD5
2c3ccdeca371f4a71d8c7046348fc1e2

SHA1
ac4367763638dbd6ac55eaec79cf0ff7e13e8edc

SHA256
ff322ada7e0ba8f5b5de6344a84d754f0af1fdfea81a0fb7fee3d2aa615fda8b

SHA512
e34da842ab6943924806a7aaf6350cd9b67566a81b30191876db1ac8ad30247d7907600c036d8464ddc1d82952daf7062df2a9a8ea316ed099c8b894d5218b9a

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
312B

MD5
0c04ad1083dc5c7c45e3ee2cd344ae38

SHA1
f1cf190f8ca93000e56d49732e9e827e2554c46f

SHA256
6452273c017db7cbe0ffc5b109bbf3f8d3282fb91bfa3c5eabc4fb8f1fc98cb0

SHA512
6c414b39bbc1f1f08446c6c6da6f6e1ceb9303bbf183ae279c872d91641ea8d67ec5e5c4e0824da3837eca73ec29fe70e92b72c09458c8ce50fa6f08791d1492

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
424B

MD5
c26aa1a5a71f716baa7799c5a0c29eaa

SHA1
aee961efcf9f3eb531ccc6cc3e9c6fdb9362571e

SHA256
390b820182d8f78539df1b5cdbcceb0874327b5a60325a07abddcb819c2307ae

SHA512
739dd87af6e633083795b428830540c246cd4f661abdb647b7d89a69a1e290eb2daaaace6ae5041e7185d94f744a922bdb7dd8d9fab9bff94a33dc21b4d10382

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
424B

MD5
83ca810cc5467d49daf4a780b287c702

SHA1
e9a9aae7a610ee005daf102252841eab01b372b7

SHA256
7128094b58d2934bd5a646384c695fd6cd1a3db463006c003f26caf79077f1b3

SHA512
9323ddca8a7fb82234961ea7f49803e481d2371e9f9f0b1b87bab53fa7479da48d54db08d0334847d89fddd9a780551a9953b4e89e6b99f25921d81ecdfc28e1

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
424B

MD5
83ca810cc5467d49daf4a780b287c702

SHA1
e9a9aae7a610ee005daf102252841eab01b372b7

SHA256
7128094b58d2934bd5a646384c695fd6cd1a3db463006c003f26caf79077f1b3

SHA512
9323ddca8a7fb82234961ea7f49803e481d2371e9f9f0b1b87bab53fa7479da48d54db08d0334847d89fddd9a780551a9953b4e89e6b99f25921d81ecdfc28e1

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
424B

MD5
c26aa1a5a71f716baa7799c5a0c29eaa

SHA1
aee961efcf9f3eb531ccc6cc3e9c6fdb9362571e

SHA256
390b820182d8f78539df1b5cdbcceb0874327b5a60325a07abddcb819c2307ae

SHA512
739dd87af6e633083795b428830540c246cd4f661abdb647b7d89a69a1e290eb2daaaace6ae5041e7185d94f744a922bdb7dd8d9fab9bff94a33dc21b4d10382

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
424B

MD5
83ca810cc5467d49daf4a780b287c702

SHA1
e9a9aae7a610ee005daf102252841eab01b372b7

SHA256
7128094b58d2934bd5a646384c695fd6cd1a3db463006c003f26caf79077f1b3

SHA512
9323ddca8a7fb82234961ea7f49803e481d2371e9f9f0b1b87bab53fa7479da48d54db08d0334847d89fddd9a780551a9953b4e89e6b99f25921d81ecdfc28e1

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
424B

MD5
83ca810cc5467d49daf4a780b287c702

SHA1
e9a9aae7a610ee005daf102252841eab01b372b7

SHA256
7128094b58d2934bd5a646384c695fd6cd1a3db463006c003f26caf79077f1b3

SHA512
9323ddca8a7fb82234961ea7f49803e481d2371e9f9f0b1b87bab53fa7479da48d54db08d0334847d89fddd9a780551a9953b4e89e6b99f25921d81ecdfc28e1

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
424B

MD5
c26aa1a5a71f716baa7799c5a0c29eaa

SHA1
aee961efcf9f3eb531ccc6cc3e9c6fdb9362571e

SHA256
390b820182d8f78539df1b5cdbcceb0874327b5a60325a07abddcb819c2307ae

SHA512
739dd87af6e633083795b428830540c246cd4f661abdb647b7d89a69a1e290eb2daaaace6ae5041e7185d94f744a922bdb7dd8d9fab9bff94a33dc21b4d10382

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
424B

MD5
83ca810cc5467d49daf4a780b287c702

SHA1
e9a9aae7a610ee005daf102252841eab01b372b7

SHA256
7128094b58d2934bd5a646384c695fd6cd1a3db463006c003f26caf79077f1b3

SHA512
9323ddca8a7fb82234961ea7f49803e481d2371e9f9f0b1b87bab53fa7479da48d54db08d0334847d89fddd9a780551a9953b4e89e6b99f25921d81ecdfc28e1

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
424B

MD5
c26aa1a5a71f716baa7799c5a0c29eaa

SHA1
aee961efcf9f3eb531ccc6cc3e9c6fdb9362571e

SHA256
390b820182d8f78539df1b5cdbcceb0874327b5a60325a07abddcb819c2307ae

SHA512
739dd87af6e633083795b428830540c246cd4f661abdb647b7d89a69a1e290eb2daaaace6ae5041e7185d94f744a922bdb7dd8d9fab9bff94a33dc21b4d10382

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
424B

MD5
83ca810cc5467d49daf4a780b287c702

SHA1
e9a9aae7a610ee005daf102252841eab01b372b7

SHA256
7128094b58d2934bd5a646384c695fd6cd1a3db463006c003f26caf79077f1b3

SHA512
9323ddca8a7fb82234961ea7f49803e481d2371e9f9f0b1b87bab53fa7479da48d54db08d0334847d89fddd9a780551a9953b4e89e6b99f25921d81ecdfc28e1

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
424B

MD5
c26aa1a5a71f716baa7799c5a0c29eaa

SHA1
aee961efcf9f3eb531ccc6cc3e9c6fdb9362571e

SHA256
390b820182d8f78539df1b5cdbcceb0874327b5a60325a07abddcb819c2307ae

SHA512
739dd87af6e633083795b428830540c246cd4f661abdb647b7d89a69a1e290eb2daaaace6ae5041e7185d94f744a922bdb7dd8d9fab9bff94a33dc21b4d10382

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
424B

MD5
83ca810cc5467d49daf4a780b287c702

SHA1
e9a9aae7a610ee005daf102252841eab01b372b7

SHA256
7128094b58d2934bd5a646384c695fd6cd1a3db463006c003f26caf79077f1b3

SHA512
9323ddca8a7fb82234961ea7f49803e481d2371e9f9f0b1b87bab53fa7479da48d54db08d0334847d89fddd9a780551a9953b4e89e6b99f25921d81ecdfc28e1

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
424B

MD5
83ca810cc5467d49daf4a780b287c702

SHA1
e9a9aae7a610ee005daf102252841eab01b372b7

SHA256
7128094b58d2934bd5a646384c695fd6cd1a3db463006c003f26caf79077f1b3

SHA512
9323ddca8a7fb82234961ea7f49803e481d2371e9f9f0b1b87bab53fa7479da48d54db08d0334847d89fddd9a780551a9953b4e89e6b99f25921d81ecdfc28e1

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
424B

MD5
c26aa1a5a71f716baa7799c5a0c29eaa

SHA1
aee961efcf9f3eb531ccc6cc3e9c6fdb9362571e

SHA256
390b820182d8f78539df1b5cdbcceb0874327b5a60325a07abddcb819c2307ae

SHA512
739dd87af6e633083795b428830540c246cd4f661abdb647b7d89a69a1e290eb2daaaace6ae5041e7185d94f744a922bdb7dd8d9fab9bff94a33dc21b4d10382

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
094f64b0ea6e76ad04ff88fbfe6e0282

SHA1
1c7af6bfa6f207e461e288126e8039c586d49691

SHA256
9eac64d18d990f6098d5a5aafda2ffaa8082f90278b486fbcfd13abb31c9947e

SHA512
b7948eb26b4d5fc3ee059af671318845b49ae87f7197903090714a664b8c958fda2c94b6b2a111af61ef05735c9de424d8a21aafa4f10cf92aded743c73b0f2f

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
094f64b0ea6e76ad04ff88fbfe6e0282

SHA1
1c7af6bfa6f207e461e288126e8039c586d49691

SHA256
9eac64d18d990f6098d5a5aafda2ffaa8082f90278b486fbcfd13abb31c9947e

SHA512
b7948eb26b4d5fc3ee059af671318845b49ae87f7197903090714a664b8c958fda2c94b6b2a111af61ef05735c9de424d8a21aafa4f10cf92aded743c73b0f2f

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
451f72c8b7baa7db56fbbb05de3b525d

SHA1
86c9ee28558a1d9b8919f05bf8ac4c3b52da4aac

SHA256
5ec679001dd385749b5adcb079ab74d2ea8201e0131c48af5eb38e5f07d8becc

SHA512
1ff9da6e26a3c2781abcd1a53881e227bab3068dc04ac7af0b19740bea49f1cce71fa405d19fefa75b58a9dd62c42fc87ba708445183c2943459f181be2a03bf

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
451f72c8b7baa7db56fbbb05de3b525d

SHA1
86c9ee28558a1d9b8919f05bf8ac4c3b52da4aac

SHA256
5ec679001dd385749b5adcb079ab74d2ea8201e0131c48af5eb38e5f07d8becc

SHA512
1ff9da6e26a3c2781abcd1a53881e227bab3068dc04ac7af0b19740bea49f1cce71fa405d19fefa75b58a9dd62c42fc87ba708445183c2943459f181be2a03bf

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
451f72c8b7baa7db56fbbb05de3b525d

SHA1
86c9ee28558a1d9b8919f05bf8ac4c3b52da4aac

SHA256
5ec679001dd385749b5adcb079ab74d2ea8201e0131c48af5eb38e5f07d8becc

SHA512
1ff9da6e26a3c2781abcd1a53881e227bab3068dc04ac7af0b19740bea49f1cce71fa405d19fefa75b58a9dd62c42fc87ba708445183c2943459f181be2a03bf

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
f4f648823f3e23bd07f963624920f67d

SHA1
5a47b52ba155e31234499ee13ffded8bda5d7101

SHA256
2031c3b65aa8c16541e8c1cf9525fac79770fc5f51994efeb2a55f324d05e1e5

SHA512
f9105d1013a750c646323a2442576e1ce6913c14ddc503b480140fb3fd1c43dc55eb2f1cc4ab63144dcdfcfa390ef467493a616eb467a056022c1bfe85b9fa90

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
e8cce44cd5a00249545cac34526667ca

SHA1
17c1446ec5a622c2c7a99d35f464633fb669cc2c

SHA256
c45107fb67b36cf4ad353c7a91078e6825378f9ad79355d3c24832cf8dbd15cf

SHA512
b970d665734e9ee097b218ae3985b5e199e8a472f88a76c44ff5da08a057e7de52072f88cf7950d9165cde332226d27af602328a54c9e7101d19f7e680f2981a

Download Submit
memory/228-148-0x0000000000170000-0x00000000011EE000-memory.dmp

Filesize
16.5MB

Download
memory/228-264-0x0000000000170000-0x00000000011EE000-memory.dmp

Filesize
16.5MB

Download
memory/228-509-0x0000000000170000-0x00000000011EE000-memory.dmp

Filesize
16.5MB

Download
memory/228-376-0x0000000000170000-0x00000000011EE000-memory.dmp

Filesize
16.5MB

Download
memory/228-267-0x0000000000170000-0x00000000011EE000-memory.dmp

Filesize
16.5MB

Download
memory/228-292-0x0000000000170000-0x00000000011EE000-memory.dmp

Filesize
16.5MB

Download
memory/3984-242-0x0000000000170000-0x00000000011EE000-memory.dmp

Filesize
16.5MB

Download
memory/3984-138-0x0000000003220000-0x0000000003221000-memory.dmp

Filesize
4KB

Download
memory/3984-266-0x0000000000170000-0x00000000011EE000-memory.dmp

Filesize
16.5MB

Download
memory/3984-133-0x0000000000170000-0x00000000011EE000-memory.dmp

Filesize
16.5MB

Download
memory/3984-152-0x0000000004D70000-0x0000000004D71000-memory.dmp

Filesize
4KB

Download
memory/3984-153-0x0000000004D80000-0x0000000004D81000-memory.dmp

Filesize
4KB

Download
memory/4432-233-0x0000000001AD0000-0x0000000001AD1000-memory.dmp

Filesize
4KB

Download
memory/4432-265-0x0000000000170000-0x00000000011EE000-memory.dmp

Filesize
16.5MB

Download
memory/4432-510-0x0000000000170000-0x00000000011EE000-memory.dmp

Filesize
16.5MB

Download
memory/4432-149-0x0000000000170000-0x00000000011EE000-memory.dmp

Filesize
16.5MB

Download