fc19f3275d02764cf249dc6fe8962e06b83a4f5769cc369bc4f77b90c567df18

Analysis

max time kernel
17s
max time network
20s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
28-03-2023 19:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

AnyDesk.exe
Size

3.8MB
MD5

e546506082b374a0869bdd97b313fe5d
SHA1

082dc6b336b41788391bad20b26f4b9a1ad724fc
SHA256

fc19f3275d02764cf249dc6fe8962e06b83a4f5769cc369bc4f77b90c567df18
SHA512

15a8d7c74193dffd77639b1356ccbe975d17de73d0d6d177b8ecf816d665f620adefcded37c141bac0b2d8564fbba61aca4d9b01885740f23fbcc190515cbd08
SSDEEP

98304:uSCb8xJlb0VgU/vZaZKa4opQILfbsLajDMWEeq7PbUs6En5:uH8HCOUZakpAbjbsLsMmqM

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

AnyDesk.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AnyDesk.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	AnyDesk.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

AnyDesk.exe

pid	Process
4072	AnyDesk.exe
4072	AnyDesk.exe

Suspicious use of FindShellTrayWindow 3 IoCs

Processes:

AnyDesk.exe

pid	Process
3632	AnyDesk.exe
3632	AnyDesk.exe
3632	AnyDesk.exe

Suspicious use of SendNotifyMessage 3 IoCs

Processes:

AnyDesk.exe

pid	Process
3632	AnyDesk.exe
3632	AnyDesk.exe
3632	AnyDesk.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

AnyDesk.exe

description	pid	Process	procid_target
PID 2088 wrote to memory of 4072	2088	AnyDesk.exe	80
PID 2088 wrote to memory of 4072	2088	AnyDesk.exe	80
PID 2088 wrote to memory of 4072	2088	AnyDesk.exe	80
PID 2088 wrote to memory of 3632	2088	AnyDesk.exe	81
PID 2088 wrote to memory of 3632	2088	AnyDesk.exe	81
PID 2088 wrote to memory of 3632	2088	AnyDesk.exe	81

C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
"C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe"
1⤵
- Checks processor information in registry
- Suspicious use of WriteProcessMemory
PID:2088
- C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
  "C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe" --local-service
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4072
- C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
  "C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe" --local-control
  2⤵
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:3632

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace

Filesize
6KB

MD5
c76beaa3c10e8cc832d77d9c03b1e872

SHA1
a738e89678835c84513cbe525e37722c01f814f8

SHA256
11e891b529532e7567e2c4047731daad1dcfde014466051e83e6a1eca9b8b6d7

SHA512
dea205c26d23639555d3e1d5a029dcb71220272a6dc4a8aef6e7ffa410fa8282f9c8e562ec3ac3d0623c50b206372000ca9a88cca37f303ea07976c64a7435b1

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace

Filesize
6KB

MD5
c76beaa3c10e8cc832d77d9c03b1e872

SHA1
a738e89678835c84513cbe525e37722c01f814f8

SHA256
11e891b529532e7567e2c4047731daad1dcfde014466051e83e6a1eca9b8b6d7

SHA512
dea205c26d23639555d3e1d5a029dcb71220272a6dc4a8aef6e7ffa410fa8282f9c8e562ec3ac3d0623c50b206372000ca9a88cca37f303ea07976c64a7435b1

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\service.conf

Filesize
2KB

MD5
0579b7c9c71e6b9dae995fb39cab2ea9

SHA1
b2e407a7e903760742dd6b3ea0a65434e395a78c

SHA256
0f973a7cc1bfdfea83e6523de036c80e049f1d132fdfb7746f42b9170d5084e3

SHA512
2c32496535e90da4d0aa3e573d6674b397486a1047f442bb174919ead6b6faa8c861163013d0ca00ce833bf9fff6e831e23c9501c9e7a82eb9270886ee7ccae9

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\service.conf

Filesize
2KB

MD5
0579b7c9c71e6b9dae995fb39cab2ea9

SHA1
b2e407a7e903760742dd6b3ea0a65434e395a78c

SHA256
0f973a7cc1bfdfea83e6523de036c80e049f1d132fdfb7746f42b9170d5084e3

SHA512
2c32496535e90da4d0aa3e573d6674b397486a1047f442bb174919ead6b6faa8c861163013d0ca00ce833bf9fff6e831e23c9501c9e7a82eb9270886ee7ccae9

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
312B

MD5
0c04ad1083dc5c7c45e3ee2cd344ae38

SHA1
f1cf190f8ca93000e56d49732e9e827e2554c46f

SHA256
6452273c017db7cbe0ffc5b109bbf3f8d3282fb91bfa3c5eabc4fb8f1fc98cb0

SHA512
6c414b39bbc1f1f08446c6c6da6f6e1ceb9303bbf183ae279c872d91641ea8d67ec5e5c4e0824da3837eca73ec29fe70e92b72c09458c8ce50fa6f08791d1492

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
424B

MD5
a6ff6678415579c65845668b91cec9cc

SHA1
11a3d5db52f87f8c35ab88c554cac5df5ce03b57

SHA256
a791d9bb9b6e2bfd01dc3b9d730198e0995eac7946e891c034f6e7c9d53e4c10

SHA512
c0c66f4c5b88551c14f9eb140740c7ab540d30a9eb485f41739cce41629a0f9b17520277635d5658844c050c198dbf4328db89c6d2f676ea8b3fab8efb4a7e7b

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
424B

MD5
a6ff6678415579c65845668b91cec9cc

SHA1
11a3d5db52f87f8c35ab88c554cac5df5ce03b57

SHA256
a791d9bb9b6e2bfd01dc3b9d730198e0995eac7946e891c034f6e7c9d53e4c10

SHA512
c0c66f4c5b88551c14f9eb140740c7ab540d30a9eb485f41739cce41629a0f9b17520277635d5658844c050c198dbf4328db89c6d2f676ea8b3fab8efb4a7e7b

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
424B

MD5
fd69175450be8ed78947814c2b5d0c92

SHA1
9cd4fb415982abb4bc868760f48e28d42238c7d2

SHA256
17f64ea15a450deb12c8fc04a0ff955d40d8b9f84698e9d896d6b22f9d44dd6f

SHA512
c4bb5977c99d3b42db93800c9b53f059ea09f8d63071312b0e22f5be8571cfa0878abe00aac8ada037b1cd89eee2a127bd7237203a9b296294a83f174b4cbc57

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
424B

MD5
fd69175450be8ed78947814c2b5d0c92

SHA1
9cd4fb415982abb4bc868760f48e28d42238c7d2

SHA256
17f64ea15a450deb12c8fc04a0ff955d40d8b9f84698e9d896d6b22f9d44dd6f

SHA512
c4bb5977c99d3b42db93800c9b53f059ea09f8d63071312b0e22f5be8571cfa0878abe00aac8ada037b1cd89eee2a127bd7237203a9b296294a83f174b4cbc57

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
424B

MD5
a6ff6678415579c65845668b91cec9cc

SHA1
11a3d5db52f87f8c35ab88c554cac5df5ce03b57

SHA256
a791d9bb9b6e2bfd01dc3b9d730198e0995eac7946e891c034f6e7c9d53e4c10

SHA512
c0c66f4c5b88551c14f9eb140740c7ab540d30a9eb485f41739cce41629a0f9b17520277635d5658844c050c198dbf4328db89c6d2f676ea8b3fab8efb4a7e7b

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
424B

MD5
a6ff6678415579c65845668b91cec9cc

SHA1
11a3d5db52f87f8c35ab88c554cac5df5ce03b57

SHA256
a791d9bb9b6e2bfd01dc3b9d730198e0995eac7946e891c034f6e7c9d53e4c10

SHA512
c0c66f4c5b88551c14f9eb140740c7ab540d30a9eb485f41739cce41629a0f9b17520277635d5658844c050c198dbf4328db89c6d2f676ea8b3fab8efb4a7e7b

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
424B

MD5
fd69175450be8ed78947814c2b5d0c92

SHA1
9cd4fb415982abb4bc868760f48e28d42238c7d2

SHA256
17f64ea15a450deb12c8fc04a0ff955d40d8b9f84698e9d896d6b22f9d44dd6f

SHA512
c4bb5977c99d3b42db93800c9b53f059ea09f8d63071312b0e22f5be8571cfa0878abe00aac8ada037b1cd89eee2a127bd7237203a9b296294a83f174b4cbc57

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
31da62ccd7d156fe87bab962233f4fd9

SHA1
95e8d16a628a31c9c6b83ea45d2cda7cbe988ece

SHA256
aaf64ab2fbe1dd5bf11b2d5c8565d5fe3ae47e0ba4fae94051b24730dee4164d

SHA512
48ab3d17dd78a92218b91301e4d1a87e9a557ff9aa72e2aacd4914e6bf1da4f3609be7931264a5e38eda65dc282eb1428e3b4d1ab34ac0d4b18d45e30b8347a1

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
31da62ccd7d156fe87bab962233f4fd9

SHA1
95e8d16a628a31c9c6b83ea45d2cda7cbe988ece

SHA256
aaf64ab2fbe1dd5bf11b2d5c8565d5fe3ae47e0ba4fae94051b24730dee4164d

SHA512
48ab3d17dd78a92218b91301e4d1a87e9a557ff9aa72e2aacd4914e6bf1da4f3609be7931264a5e38eda65dc282eb1428e3b4d1ab34ac0d4b18d45e30b8347a1

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
7732a63574b93603b3aa68b673dfe8d0

SHA1
41277289816a544fa371afe2377110b4172c7e45

SHA256
181359e24ad5f20a24f096b73578e0d53c547b2cc03ff97c254d13cc34779155

SHA512
05b71be000d3f90001f40995b3c846d7ad00a07c75b5196307c3cb5e5c9d1095adf87a52df47595a6bbd8ab32d220e7ab68b173a8b1fba022884b581ce53c700

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
7732a63574b93603b3aa68b673dfe8d0

SHA1
41277289816a544fa371afe2377110b4172c7e45

SHA256
181359e24ad5f20a24f096b73578e0d53c547b2cc03ff97c254d13cc34779155

SHA512
05b71be000d3f90001f40995b3c846d7ad00a07c75b5196307c3cb5e5c9d1095adf87a52df47595a6bbd8ab32d220e7ab68b173a8b1fba022884b581ce53c700

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
7732a63574b93603b3aa68b673dfe8d0

SHA1
41277289816a544fa371afe2377110b4172c7e45

SHA256
181359e24ad5f20a24f096b73578e0d53c547b2cc03ff97c254d13cc34779155

SHA512
05b71be000d3f90001f40995b3c846d7ad00a07c75b5196307c3cb5e5c9d1095adf87a52df47595a6bbd8ab32d220e7ab68b173a8b1fba022884b581ce53c700

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
7732a63574b93603b3aa68b673dfe8d0

SHA1
41277289816a544fa371afe2377110b4172c7e45

SHA256
181359e24ad5f20a24f096b73578e0d53c547b2cc03ff97c254d13cc34779155

SHA512
05b71be000d3f90001f40995b3c846d7ad00a07c75b5196307c3cb5e5c9d1095adf87a52df47595a6bbd8ab32d220e7ab68b173a8b1fba022884b581ce53c700

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
8813f16ac0831f4e4d9cd4cb654de7d9

SHA1
7228ec4025f1dd4125b8b411b81ddd45ebfbcf11

SHA256
eeb68c8f3315d155a8a131e99ed7ad6dd66b0c075a6db5f889a7946dec986ae7

SHA512
dca87bd8b346b92bf7f42943abf0ff64ae300cd32dc00b0703e8b6feeedf0674b1c2922c36f8da468d0cf0febc223647379b76a411987b6afdffbdb97fdbc7ab

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
8813f16ac0831f4e4d9cd4cb654de7d9

SHA1
7228ec4025f1dd4125b8b411b81ddd45ebfbcf11

SHA256
eeb68c8f3315d155a8a131e99ed7ad6dd66b0c075a6db5f889a7946dec986ae7

SHA512
dca87bd8b346b92bf7f42943abf0ff64ae300cd32dc00b0703e8b6feeedf0674b1c2922c36f8da468d0cf0febc223647379b76a411987b6afdffbdb97fdbc7ab

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
b8bdf3dfa228ea9e080b812bb24fff6d

SHA1
a1afed529c41c1cf0da3b9490d0acdded5deac10

SHA256
73b0e662750983d35ac82b017c927041483290c001d6564062e2be34cabcabc5

SHA512
eaf973c636de8a1274cb681a1576dca7b0537404b647cc3cfc4ccacc900d5a74c1519ef487df1dab1c885dcc049a6729a055ab6cfed55e8018609b927f11e8af

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
a71acec4046fdfb9e62061dc14525ab9

SHA1
2196e77dbefea865a7d7f20b40e75b57e6dc47c7

SHA256
65590ae377b153ed0022d45fa783a648721926088536e050a622ac1ec551b3e9

SHA512
36f1063b3b49c4877b6678b662ec73a298b562e3bd4a6ad3caacb9c7e6ecd9f554a1b1531a3540aebcfff33721848bbbed45669b55bafccd2bb18f12374b9488

Download Submit
memory/2088-172-0x00000000040B0000-0x00000000040B1000-memory.dmp

Filesize
4KB

Download
memory/2088-135-0x0000000000A70000-0x0000000000A71000-memory.dmp

Filesize
4KB

Download
memory/2088-133-0x0000000000AC0000-0x0000000001B3E000-memory.dmp

Filesize
16.5MB

Download
memory/2088-258-0x0000000000AC0000-0x0000000001B3E000-memory.dmp

Filesize
16.5MB

Download
memory/2088-170-0x00000000040A0000-0x00000000040A1000-memory.dmp

Filesize
4KB

Download
memory/3632-193-0x0000000001B90000-0x0000000001B91000-memory.dmp

Filesize
4KB

Download
memory/3632-142-0x0000000000AC0000-0x0000000001B3E000-memory.dmp

Filesize
16.5MB

Download
memory/3632-305-0x0000000000AC0000-0x0000000001B3E000-memory.dmp

Filesize
16.5MB

Download
memory/4072-149-0x0000000000AC0000-0x0000000001B3E000-memory.dmp

Filesize
16.5MB

Download
memory/4072-304-0x0000000000AC0000-0x0000000001B3E000-memory.dmp

Filesize
16.5MB

Download