fc19f3275d02764cf249dc6fe8962e06b83a4f5769cc369bc4f77b90c567df18

Analysis

max time kernel
149s
max time network
125s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
03-04-2023 20:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

AnyDesk.exe
Size

3.8MB
MD5

e546506082b374a0869bdd97b313fe5d
SHA1

082dc6b336b41788391bad20b26f4b9a1ad724fc
SHA256

fc19f3275d02764cf249dc6fe8962e06b83a4f5769cc369bc4f77b90c567df18
SHA512

15a8d7c74193dffd77639b1356ccbe975d17de73d0d6d177b8ecf816d665f620adefcded37c141bac0b2d8564fbba61aca4d9b01885740f23fbcc190515cbd08
SSDEEP

98304:uSCb8xJlb0VgU/vZaZKa4opQILfbsLajDMWEeq7PbUs6En5:uH8HCOUZakpAbjbsLsMmqM

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

AnyDesk.exe

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	AnyDesk.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AnyDesk.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

AnyDesk.exe

pid	Process
1256	AnyDesk.exe

Suspicious use of FindShellTrayWindow 3 IoCs

Processes:

AnyDesk.exe

pid	Process
1416	AnyDesk.exe
1416	AnyDesk.exe
1416	AnyDesk.exe

Suspicious use of SendNotifyMessage 3 IoCs

Processes:

AnyDesk.exe

pid	Process
1416	AnyDesk.exe
1416	AnyDesk.exe
1416	AnyDesk.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

AnyDesk.exe

description	pid	Process	procid_target
PID 1040 wrote to memory of 1256	1040	AnyDesk.exe	28
PID 1040 wrote to memory of 1256	1040	AnyDesk.exe	28
PID 1040 wrote to memory of 1256	1040	AnyDesk.exe	28
PID 1040 wrote to memory of 1256	1040	AnyDesk.exe	28
PID 1040 wrote to memory of 1416	1040	AnyDesk.exe	29
PID 1040 wrote to memory of 1416	1040	AnyDesk.exe	29
PID 1040 wrote to memory of 1416	1040	AnyDesk.exe	29
PID 1040 wrote to memory of 1416	1040	AnyDesk.exe	29

C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
"C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe"
1⤵
- Checks processor information in registry
- Suspicious use of WriteProcessMemory
PID:1040
- C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
  "C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe" --local-service
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1256
- C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
  "C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe" --local-control
  2⤵
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:1416

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace

Filesize
5KB

MD5
c2c36bff84724990628253a50791258a

SHA1
be597cd956bfa295a980f4aa73593b2cb136947c

SHA256
3d5ff59447677ba4204f1d140b04b8a87d00307d7b0507f6dff2c0d2f6f4206c

SHA512
664d9a4ff79d4fdc3b8d821e3575552bf26b63eb564a6f27c49504d7f89f176bd0ab9d923df17ffcc9f485f72340ca9cb15bf1e3bc4b279c235d0f4c2a33e48a

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace

Filesize
7KB

MD5
529cf0919131a21e8355501106272c63

SHA1
369253d6b373487510ac92d511bf94effb105a7f

SHA256
3eeed8afe79520b16680c4cfb719e2ae3020c428d748b91a2fb57d54251291e1

SHA512
b86c021466c89e910be7aec01fce20410e67911bd33efecff3aea510658ab9fab5a0b1e2a34f6f01de53fcd1b2dd324223d6ead953de3ecd11bc40373cb465f8

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\service.conf

Filesize
2KB

MD5
aa96feffe3bd07e9b2c460e0d1ae72d3

SHA1
133fce36ed9331e4ea4c5dd681d7f6d68bda46a6

SHA256
5c9a36767ea84735c27745105640a22296d04fab086b9f1a4f6ca36bc19c79db

SHA512
ae069188c40d67978d3a70b348fe38aa847b8f21368f2dd86508325a03cad04470009b93901eb06ce045975e14934cbf502d85e91c7dab6adc0faa6d3e2dda3c

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\service.conf

Filesize
2KB

MD5
aa96feffe3bd07e9b2c460e0d1ae72d3

SHA1
133fce36ed9331e4ea4c5dd681d7f6d68bda46a6

SHA256
5c9a36767ea84735c27745105640a22296d04fab086b9f1a4f6ca36bc19c79db

SHA512
ae069188c40d67978d3a70b348fe38aa847b8f21368f2dd86508325a03cad04470009b93901eb06ce045975e14934cbf502d85e91c7dab6adc0faa6d3e2dda3c

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
424B

MD5
dd1427a1d1c8b002ab2c7a25994e146b

SHA1
f5ab70a0e7e2752897002a47f07f9836ca592f65

SHA256
a73499b9698ed71be4dd9d09be64d00f5dd52b15e6b4a079d538caf9f714820c

SHA512
87cf339c044c3b521469a3a22dc9c2150f01dd81691f34e963615505bef4d2f93819c54c89973decc45a095ff921cae25a785794cd75f492fa602cf5962910e0

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
424B

MD5
dd1427a1d1c8b002ab2c7a25994e146b

SHA1
f5ab70a0e7e2752897002a47f07f9836ca592f65

SHA256
a73499b9698ed71be4dd9d09be64d00f5dd52b15e6b4a079d538caf9f714820c

SHA512
87cf339c044c3b521469a3a22dc9c2150f01dd81691f34e963615505bef4d2f93819c54c89973decc45a095ff921cae25a785794cd75f492fa602cf5962910e0

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
424B

MD5
1cff73f6434859d82b0f30e4dc653c44

SHA1
8dcebd50fce4dd63f3ca82df993867041a462936

SHA256
6c4db808c2717696c2e08e66320cc3101313b3b35cfd7b4e1b46355cb669634d

SHA512
61db3beee3775a56ad72f986b5ea8d330fcef25f8d2d2eb09978c4053d5fd0d19867d434d1cbf0b0dda38676a77ef7b71e116f6a34b5c37cb1b7e3b18724c34d

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
424B

MD5
1cff73f6434859d82b0f30e4dc653c44

SHA1
8dcebd50fce4dd63f3ca82df993867041a462936

SHA256
6c4db808c2717696c2e08e66320cc3101313b3b35cfd7b4e1b46355cb669634d

SHA512
61db3beee3775a56ad72f986b5ea8d330fcef25f8d2d2eb09978c4053d5fd0d19867d434d1cbf0b0dda38676a77ef7b71e116f6a34b5c37cb1b7e3b18724c34d

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
424B

MD5
dd1427a1d1c8b002ab2c7a25994e146b

SHA1
f5ab70a0e7e2752897002a47f07f9836ca592f65

SHA256
a73499b9698ed71be4dd9d09be64d00f5dd52b15e6b4a079d538caf9f714820c

SHA512
87cf339c044c3b521469a3a22dc9c2150f01dd81691f34e963615505bef4d2f93819c54c89973decc45a095ff921cae25a785794cd75f492fa602cf5962910e0

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
424B

MD5
dd1427a1d1c8b002ab2c7a25994e146b

SHA1
f5ab70a0e7e2752897002a47f07f9836ca592f65

SHA256
a73499b9698ed71be4dd9d09be64d00f5dd52b15e6b4a079d538caf9f714820c

SHA512
87cf339c044c3b521469a3a22dc9c2150f01dd81691f34e963615505bef4d2f93819c54c89973decc45a095ff921cae25a785794cd75f492fa602cf5962910e0

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
424B

MD5
1cff73f6434859d82b0f30e4dc653c44

SHA1
8dcebd50fce4dd63f3ca82df993867041a462936

SHA256
6c4db808c2717696c2e08e66320cc3101313b3b35cfd7b4e1b46355cb669634d

SHA512
61db3beee3775a56ad72f986b5ea8d330fcef25f8d2d2eb09978c4053d5fd0d19867d434d1cbf0b0dda38676a77ef7b71e116f6a34b5c37cb1b7e3b18724c34d

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
424B

MD5
dd1427a1d1c8b002ab2c7a25994e146b

SHA1
f5ab70a0e7e2752897002a47f07f9836ca592f65

SHA256
a73499b9698ed71be4dd9d09be64d00f5dd52b15e6b4a079d538caf9f714820c

SHA512
87cf339c044c3b521469a3a22dc9c2150f01dd81691f34e963615505bef4d2f93819c54c89973decc45a095ff921cae25a785794cd75f492fa602cf5962910e0

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
424B

MD5
dd1427a1d1c8b002ab2c7a25994e146b

SHA1
f5ab70a0e7e2752897002a47f07f9836ca592f65

SHA256
a73499b9698ed71be4dd9d09be64d00f5dd52b15e6b4a079d538caf9f714820c

SHA512
87cf339c044c3b521469a3a22dc9c2150f01dd81691f34e963615505bef4d2f93819c54c89973decc45a095ff921cae25a785794cd75f492fa602cf5962910e0

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
424B

MD5
1cff73f6434859d82b0f30e4dc653c44

SHA1
8dcebd50fce4dd63f3ca82df993867041a462936

SHA256
6c4db808c2717696c2e08e66320cc3101313b3b35cfd7b4e1b46355cb669634d

SHA512
61db3beee3775a56ad72f986b5ea8d330fcef25f8d2d2eb09978c4053d5fd0d19867d434d1cbf0b0dda38676a77ef7b71e116f6a34b5c37cb1b7e3b18724c34d

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
424B

MD5
dd1427a1d1c8b002ab2c7a25994e146b

SHA1
f5ab70a0e7e2752897002a47f07f9836ca592f65

SHA256
a73499b9698ed71be4dd9d09be64d00f5dd52b15e6b4a079d538caf9f714820c

SHA512
87cf339c044c3b521469a3a22dc9c2150f01dd81691f34e963615505bef4d2f93819c54c89973decc45a095ff921cae25a785794cd75f492fa602cf5962910e0

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
424B

MD5
1cff73f6434859d82b0f30e4dc653c44

SHA1
8dcebd50fce4dd63f3ca82df993867041a462936

SHA256
6c4db808c2717696c2e08e66320cc3101313b3b35cfd7b4e1b46355cb669634d

SHA512
61db3beee3775a56ad72f986b5ea8d330fcef25f8d2d2eb09978c4053d5fd0d19867d434d1cbf0b0dda38676a77ef7b71e116f6a34b5c37cb1b7e3b18724c34d

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
424B

MD5
1cff73f6434859d82b0f30e4dc653c44

SHA1
8dcebd50fce4dd63f3ca82df993867041a462936

SHA256
6c4db808c2717696c2e08e66320cc3101313b3b35cfd7b4e1b46355cb669634d

SHA512
61db3beee3775a56ad72f986b5ea8d330fcef25f8d2d2eb09978c4053d5fd0d19867d434d1cbf0b0dda38676a77ef7b71e116f6a34b5c37cb1b7e3b18724c34d

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
424B

MD5
1cff73f6434859d82b0f30e4dc653c44

SHA1
8dcebd50fce4dd63f3ca82df993867041a462936

SHA256
6c4db808c2717696c2e08e66320cc3101313b3b35cfd7b4e1b46355cb669634d

SHA512
61db3beee3775a56ad72f986b5ea8d330fcef25f8d2d2eb09978c4053d5fd0d19867d434d1cbf0b0dda38676a77ef7b71e116f6a34b5c37cb1b7e3b18724c34d

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
27db2020c8b8e8e3c16e3e3d357ecfd8

SHA1
0ad35b44ec77fbd6c4365d48802c98d84069a06e

SHA256
2e0dded99e00a26c4818dd10c748c931f4ac685191986e583d901fb75ee8b5a1

SHA512
bb08ce9310a830468aa115d4188d1767757637fc7157e453db0165d7d3947f1962653907dd288ddb7bc147911e51ae5f15daf75301f94b6c52f1b59f2c896c4a

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
d62777dd95011f4f844a50d35be9a2cb

SHA1
1a8975ee3e8d55a93bfdd965c2a8728ac21e7902

SHA256
fe1023a566f60d5193520b849e34fa2375b086a0162186b555d66d0aeed772d5

SHA512
2529047b92746b03f5e2d0d9bf371626e54567cd4464f799d56c048d48dc18e1f98068a3c3c9d023bf65b7de67cc3da5a444adccb72f695a9d2485ec32dff592

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
d858f0eeed496726fe81d3ab190a78cb

SHA1
9d36b826b91acf0c1bfd6e389923b0fcdb9ab1dc

SHA256
26e63e0678c109a518cca70a24d2187e4e0d397a398a181d8b159c260f69456c

SHA512
6b886189bd1029c61b525682069445c34f1a2bb844706fde5615904ac0f835f238e3136d6189a32dacbc5dcaae203dabd9f3ce83245cbfbc7f2afab995883d84

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
d858f0eeed496726fe81d3ab190a78cb

SHA1
9d36b826b91acf0c1bfd6e389923b0fcdb9ab1dc

SHA256
26e63e0678c109a518cca70a24d2187e4e0d397a398a181d8b159c260f69456c

SHA512
6b886189bd1029c61b525682069445c34f1a2bb844706fde5615904ac0f835f238e3136d6189a32dacbc5dcaae203dabd9f3ce83245cbfbc7f2afab995883d84

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
4d5538b449c10edfd5db867003d64273

SHA1
47355830ac06d876485d68e2ea3de54b65645214

SHA256
ca54da7ccd1dab7e2ad58f46cbba31d956257fcf78d925959c9a862e77cbe35e

SHA512
f366b1b71dd35d69202ec254c395062195a957923c857ded6382fad51f12c21a5305907505f2ed3abe24f0936900a39750fead829150338c4d064e6f1339a3e0

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
2989833ebcb902abe53f6b8dad45ea58

SHA1
8ffab5221b130f44419ba24656ec4e628b8c2da1

SHA256
2243d37323809d17db8bf467fa43a86ac5f5878b06178b1ba8b8e5e878e47a4e

SHA512
67862b2133376a4dc41a2feb2d282c581c124b74f135563ca802e37d5a9aa29b2a4e43463cfbaef19e4d677dbb031a269fc392e90f9d091964aae10cf3917e5c

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
2989833ebcb902abe53f6b8dad45ea58

SHA1
8ffab5221b130f44419ba24656ec4e628b8c2da1

SHA256
2243d37323809d17db8bf467fa43a86ac5f5878b06178b1ba8b8e5e878e47a4e

SHA512
67862b2133376a4dc41a2feb2d282c581c124b74f135563ca802e37d5a9aa29b2a4e43463cfbaef19e4d677dbb031a269fc392e90f9d091964aae10cf3917e5c

Download Submit
memory/1040-83-0x0000000003820000-0x0000000003821000-memory.dmp

Filesize
4KB

Download
memory/1040-54-0x0000000001350000-0x00000000023CE000-memory.dmp

Filesize
16.5MB

Download
memory/1040-80-0x0000000001330000-0x0000000001331000-memory.dmp

Filesize
4KB

Download
memory/1040-210-0x0000000001350000-0x00000000023CE000-memory.dmp

Filesize
16.5MB

Download
memory/1040-56-0x00000000001A0000-0x00000000001A1000-memory.dmp

Filesize
4KB

Download
memory/1256-519-0x0000000001350000-0x00000000023CE000-memory.dmp

Filesize
16.5MB

Download
memory/1256-277-0x0000000001350000-0x00000000023CE000-memory.dmp

Filesize
16.5MB

Download
memory/1256-215-0x0000000001350000-0x00000000023CE000-memory.dmp

Filesize
16.5MB

Download
memory/1256-70-0x0000000001350000-0x00000000023CE000-memory.dmp

Filesize
16.5MB

Download
memory/1256-352-0x0000000001350000-0x00000000023CE000-memory.dmp

Filesize
16.5MB

Download
memory/1416-84-0x00000000000C0000-0x00000000000C1000-memory.dmp

Filesize
4KB

Download
memory/1416-69-0x0000000001350000-0x00000000023CE000-memory.dmp

Filesize
16.5MB

Download
memory/1416-216-0x0000000001350000-0x00000000023CE000-memory.dmp

Filesize
16.5MB

Download
memory/1416-520-0x0000000001350000-0x00000000023CE000-memory.dmp

Filesize
16.5MB

Download