fc19f3275d02764cf249dc6fe8962e06b83a4f5769cc369bc4f77b90c567df18

Analysis

max time kernel
66s
max time network
43s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
28-03-2023 19:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

AnyDesk.exe
Size

3.8MB
MD5

e546506082b374a0869bdd97b313fe5d
SHA1

082dc6b336b41788391bad20b26f4b9a1ad724fc
SHA256

fc19f3275d02764cf249dc6fe8962e06b83a4f5769cc369bc4f77b90c567df18
SHA512

15a8d7c74193dffd77639b1356ccbe975d17de73d0d6d177b8ecf816d665f620adefcded37c141bac0b2d8564fbba61aca4d9b01885740f23fbcc190515cbd08
SSDEEP

98304:uSCb8xJlb0VgU/vZaZKa4opQILfbsLajDMWEeq7PbUs6En5:uH8HCOUZakpAbjbsLsMmqM

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

AnyDesk.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AnyDesk.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	AnyDesk.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

AnyDesk.exe

pid	Process
1944	AnyDesk.exe

Suspicious use of FindShellTrayWindow 3 IoCs

Processes:

AnyDesk.exe

pid	Process
1196	AnyDesk.exe
1196	AnyDesk.exe
1196	AnyDesk.exe

Suspicious use of SendNotifyMessage 3 IoCs

Processes:

AnyDesk.exe

pid	Process
1196	AnyDesk.exe
1196	AnyDesk.exe
1196	AnyDesk.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

AnyDesk.exe

description	pid	Process	procid_target
PID 1368 wrote to memory of 1944	1368	AnyDesk.exe	28
PID 1368 wrote to memory of 1944	1368	AnyDesk.exe	28
PID 1368 wrote to memory of 1944	1368	AnyDesk.exe	28
PID 1368 wrote to memory of 1944	1368	AnyDesk.exe	28
PID 1368 wrote to memory of 1196	1368	AnyDesk.exe	29
PID 1368 wrote to memory of 1196	1368	AnyDesk.exe	29
PID 1368 wrote to memory of 1196	1368	AnyDesk.exe	29
PID 1368 wrote to memory of 1196	1368	AnyDesk.exe	29

C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
"C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe"
1⤵
- Checks processor information in registry
- Suspicious use of WriteProcessMemory
PID:1368
- C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
  "C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe" --local-service
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1944
- C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
  "C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe" --local-control
  2⤵
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:1196

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace

Filesize
6KB

MD5
5090be9f9347424457974a69bbd46cda

SHA1
ca79d4b892a206ac73cb4a642dc0b46a83dd22f6

SHA256
b5e54c10bc860d4e30068af5feafbee498d7ea2d4bb08fd5d3273c0ea35ef46c

SHA512
cbf5e7d2b4deb87741422579730f7840d5e46829d389a3f8f2000d692d7360aea2497378286e25be40bb6177bb3719d6da282bfd5f29022f091de701473711cd

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace

Filesize
6KB

MD5
5090be9f9347424457974a69bbd46cda

SHA1
ca79d4b892a206ac73cb4a642dc0b46a83dd22f6

SHA256
b5e54c10bc860d4e30068af5feafbee498d7ea2d4bb08fd5d3273c0ea35ef46c

SHA512
cbf5e7d2b4deb87741422579730f7840d5e46829d389a3f8f2000d692d7360aea2497378286e25be40bb6177bb3719d6da282bfd5f29022f091de701473711cd

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\service.conf

Filesize
2KB

MD5
5ef214e90d0365bbeb7a1d65839faee4

SHA1
f69b9cf30c3e097259cdbbb94cdc9b185ce6cd57

SHA256
1e1f34ae738dcf2c790acccb1bfecb8b3c57622341702c619928d497c73c1ae4

SHA512
507a228514d31e1bca602ae87e75bebe331a177e2ab5af01c58de653ac4d356d5a30431c4d89cda0924d8da9192c7d4bdb25438a31656bc1348c3ba7d8b8df12

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\service.conf

Filesize
2KB

MD5
5ef214e90d0365bbeb7a1d65839faee4

SHA1
f69b9cf30c3e097259cdbbb94cdc9b185ce6cd57

SHA256
1e1f34ae738dcf2c790acccb1bfecb8b3c57622341702c619928d497c73c1ae4

SHA512
507a228514d31e1bca602ae87e75bebe331a177e2ab5af01c58de653ac4d356d5a30431c4d89cda0924d8da9192c7d4bdb25438a31656bc1348c3ba7d8b8df12

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
424B

MD5
5a2b77a6ea5c234bbeff37eb90154b5a

SHA1
cb9d6339e9eb877bf72330fe8e150ef22ba1f4eb

SHA256
c5e98f0e5b76cf3c7868db39477ab3879203c67e393fafa6857ca6f49f1c0e0f

SHA512
d3b89203bc67922cd0795e6718fc90e6afb0748f8126234697d68056438e04fcf1f72025dd4214ece3558a363d49ed75c7fb3e55f1a124ce55fa1b9ad9b7e5f9

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
424B

MD5
5a2b77a6ea5c234bbeff37eb90154b5a

SHA1
cb9d6339e9eb877bf72330fe8e150ef22ba1f4eb

SHA256
c5e98f0e5b76cf3c7868db39477ab3879203c67e393fafa6857ca6f49f1c0e0f

SHA512
d3b89203bc67922cd0795e6718fc90e6afb0748f8126234697d68056438e04fcf1f72025dd4214ece3558a363d49ed75c7fb3e55f1a124ce55fa1b9ad9b7e5f9

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
424B

MD5
5a2b77a6ea5c234bbeff37eb90154b5a

SHA1
cb9d6339e9eb877bf72330fe8e150ef22ba1f4eb

SHA256
c5e98f0e5b76cf3c7868db39477ab3879203c67e393fafa6857ca6f49f1c0e0f

SHA512
d3b89203bc67922cd0795e6718fc90e6afb0748f8126234697d68056438e04fcf1f72025dd4214ece3558a363d49ed75c7fb3e55f1a124ce55fa1b9ad9b7e5f9

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
424B

MD5
fb46dc09dec332f5b2412a23022d86f4

SHA1
9d0ba0eeb73c19b6a07837eb860be22b97c328d7

SHA256
22cabf935d1389f4cbe2801dc59d94d0efa86ac19a96eca32eba0dbaf75e6a6b

SHA512
61c022f97247098e470f825a589deab66378b4a74b5bd14b1489631332736b9d9cd6ec48719af1b74fc65934079283e716f878729725defe25401a2852d2dfb5

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
424B

MD5
fb46dc09dec332f5b2412a23022d86f4

SHA1
9d0ba0eeb73c19b6a07837eb860be22b97c328d7

SHA256
22cabf935d1389f4cbe2801dc59d94d0efa86ac19a96eca32eba0dbaf75e6a6b

SHA512
61c022f97247098e470f825a589deab66378b4a74b5bd14b1489631332736b9d9cd6ec48719af1b74fc65934079283e716f878729725defe25401a2852d2dfb5

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
424B

MD5
5a2b77a6ea5c234bbeff37eb90154b5a

SHA1
cb9d6339e9eb877bf72330fe8e150ef22ba1f4eb

SHA256
c5e98f0e5b76cf3c7868db39477ab3879203c67e393fafa6857ca6f49f1c0e0f

SHA512
d3b89203bc67922cd0795e6718fc90e6afb0748f8126234697d68056438e04fcf1f72025dd4214ece3558a363d49ed75c7fb3e55f1a124ce55fa1b9ad9b7e5f9

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
424B

MD5
fb46dc09dec332f5b2412a23022d86f4

SHA1
9d0ba0eeb73c19b6a07837eb860be22b97c328d7

SHA256
22cabf935d1389f4cbe2801dc59d94d0efa86ac19a96eca32eba0dbaf75e6a6b

SHA512
61c022f97247098e470f825a589deab66378b4a74b5bd14b1489631332736b9d9cd6ec48719af1b74fc65934079283e716f878729725defe25401a2852d2dfb5

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
424B

MD5
5a2b77a6ea5c234bbeff37eb90154b5a

SHA1
cb9d6339e9eb877bf72330fe8e150ef22ba1f4eb

SHA256
c5e98f0e5b76cf3c7868db39477ab3879203c67e393fafa6857ca6f49f1c0e0f

SHA512
d3b89203bc67922cd0795e6718fc90e6afb0748f8126234697d68056438e04fcf1f72025dd4214ece3558a363d49ed75c7fb3e55f1a124ce55fa1b9ad9b7e5f9

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
424B

MD5
fb46dc09dec332f5b2412a23022d86f4

SHA1
9d0ba0eeb73c19b6a07837eb860be22b97c328d7

SHA256
22cabf935d1389f4cbe2801dc59d94d0efa86ac19a96eca32eba0dbaf75e6a6b

SHA512
61c022f97247098e470f825a589deab66378b4a74b5bd14b1489631332736b9d9cd6ec48719af1b74fc65934079283e716f878729725defe25401a2852d2dfb5

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
312B

MD5
0c04ad1083dc5c7c45e3ee2cd344ae38

SHA1
f1cf190f8ca93000e56d49732e9e827e2554c46f

SHA256
6452273c017db7cbe0ffc5b109bbf3f8d3282fb91bfa3c5eabc4fb8f1fc98cb0

SHA512
6c414b39bbc1f1f08446c6c6da6f6e1ceb9303bbf183ae279c872d91641ea8d67ec5e5c4e0824da3837eca73ec29fe70e92b72c09458c8ce50fa6f08791d1492

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
ddc322f9ac89e888b63d5ab4d4ad279f

SHA1
9dd1095469d5a9458a3a4598f2336c562ba1a6f4

SHA256
80660be6f4755298f06e6e35d788e1dc9cf9a8e5dae1380e8cfe3a7123d7a1c0

SHA512
ee1fad3429e093fde21ddc93f76cfe4fb64989c04d84b8118f2bc24b444250c2c9b0aafcbae3430f41cde0a15019f6c27dbef311f413678517775995db4c7f61

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
77e7d0cb5492f3decca632a9712e2ee0

SHA1
265041e38f1eebd8adeaf7850db2ef51a9a93ffe

SHA256
66bb6bbecc3030e0cd4d61a7cc38e9a074f6445462ca4d51b720481108c759a2

SHA512
bcf1855decdb2976daa550dcb125509f08faee8a94a12fc6714060a2217e083f460bb9d1c55a1c421ee9f4c8bebd4c3592f44bfcecd6d2a8b1f9e772791ffc4b

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
77e7d0cb5492f3decca632a9712e2ee0

SHA1
265041e38f1eebd8adeaf7850db2ef51a9a93ffe

SHA256
66bb6bbecc3030e0cd4d61a7cc38e9a074f6445462ca4d51b720481108c759a2

SHA512
bcf1855decdb2976daa550dcb125509f08faee8a94a12fc6714060a2217e083f460bb9d1c55a1c421ee9f4c8bebd4c3592f44bfcecd6d2a8b1f9e772791ffc4b

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
a7eb40aa78da62e651712966d2dfefdf

SHA1
3154ded9cb72eec621f5af4aac68cf8608871552

SHA256
4b4ce3df976141869447367d722908659e114117fd7fd78f076757fbd3f55abb

SHA512
74cc3bdbef6a5ec12cda6311377359f60aa138bc4f6cdc98580d1c908d2760f0e97a94fde19267f0279f80f6af2b4b75edd6ef48f7a9a467a236001a8731c0c5

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
cfd2464601c8d4077f80588e003e7351

SHA1
e427218e74736e9d1205729382c3307a8ab8229d

SHA256
b25162fdc6e99345c6d1c55bf674d9887a59305f0f22672cb5648e800f03434f

SHA512
6f6d842807b366e1941d75783e0f582e6745e24995a5e91f6923d21fc48cba19671331b262c5e9ada1ccce72b0ea55af6bf8bf9516e5d6618998dbe1995e3479

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
cfd2464601c8d4077f80588e003e7351

SHA1
e427218e74736e9d1205729382c3307a8ab8229d

SHA256
b25162fdc6e99345c6d1c55bf674d9887a59305f0f22672cb5648e800f03434f

SHA512
6f6d842807b366e1941d75783e0f582e6745e24995a5e91f6923d21fc48cba19671331b262c5e9ada1ccce72b0ea55af6bf8bf9516e5d6618998dbe1995e3479

Download Submit
memory/1196-102-0x0000000000120000-0x0000000000121000-memory.dmp

Filesize
4KB

Download
memory/1196-230-0x0000000001030000-0x00000000020AE000-memory.dmp

Filesize
16.5MB

Download
memory/1196-62-0x0000000001030000-0x00000000020AE000-memory.dmp

Filesize
16.5MB

Download
memory/1368-91-0x0000000000B70000-0x0000000000B71000-memory.dmp

Filesize
4KB

Download
memory/1368-187-0x0000000001030000-0x00000000020AE000-memory.dmp

Filesize
16.5MB

Download
memory/1368-54-0x0000000001030000-0x00000000020AE000-memory.dmp

Filesize
16.5MB

Download
memory/1368-101-0x0000000000C90000-0x0000000000C91000-memory.dmp

Filesize
4KB

Download
memory/1368-56-0x00000000000B0000-0x00000000000B1000-memory.dmp

Filesize
4KB

Download
memory/1944-63-0x0000000001030000-0x00000000020AE000-memory.dmp

Filesize
16.5MB

Download
memory/1944-228-0x0000000001030000-0x00000000020AE000-memory.dmp

Filesize
16.5MB

Download
memory/1944-242-0x0000000001030000-0x00000000020AE000-memory.dmp

Filesize
16.5MB

Download
memory/1944-318-0x0000000001030000-0x00000000020AE000-memory.dmp

Filesize
16.5MB

Download