fc19f3275d02764cf249dc6fe8962e06b83a4f5769cc369bc4f77b90c567df18

Analysis

max time kernel
150s
max time network
143s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
03-04-2023 20:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

AnyDesk.exe
Size

3.8MB
MD5

e546506082b374a0869bdd97b313fe5d
SHA1

082dc6b336b41788391bad20b26f4b9a1ad724fc
SHA256

fc19f3275d02764cf249dc6fe8962e06b83a4f5769cc369bc4f77b90c567df18
SHA512

15a8d7c74193dffd77639b1356ccbe975d17de73d0d6d177b8ecf816d665f620adefcded37c141bac0b2d8564fbba61aca4d9b01885740f23fbcc190515cbd08
SSDEEP

98304:uSCb8xJlb0VgU/vZaZKa4opQILfbsLajDMWEeq7PbUs6En5:uH8HCOUZakpAbjbsLsMmqM

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

AnyDesk.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AnyDesk.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	AnyDesk.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

AnyDesk.exe

pid	Process
4372	AnyDesk.exe
4372	AnyDesk.exe

Suspicious use of FindShellTrayWindow 3 IoCs

Processes:

AnyDesk.exe

pid	Process
4360	AnyDesk.exe
4360	AnyDesk.exe
4360	AnyDesk.exe

Suspicious use of SendNotifyMessage 3 IoCs

Processes:

AnyDesk.exe

pid	Process
4360	AnyDesk.exe
4360	AnyDesk.exe
4360	AnyDesk.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

AnyDesk.exe

description	pid	Process	procid_target
PID 3888 wrote to memory of 4372	3888	AnyDesk.exe	80
PID 3888 wrote to memory of 4372	3888	AnyDesk.exe	80
PID 3888 wrote to memory of 4372	3888	AnyDesk.exe	80
PID 3888 wrote to memory of 4360	3888	AnyDesk.exe	81
PID 3888 wrote to memory of 4360	3888	AnyDesk.exe	81
PID 3888 wrote to memory of 4360	3888	AnyDesk.exe	81

C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
"C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe"
1⤵
- Checks processor information in registry
- Suspicious use of WriteProcessMemory
PID:3888
- C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
  "C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe" --local-service
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4372
- C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
  "C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe" --local-control
  2⤵
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:4360

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace

Filesize
6KB

MD5
711c90e90c2d6de205e4f9e90042c288

SHA1
e95ddb2c72ea8ab24f555cf9b39b4ec006b82129

SHA256
ca4ab3f6e2a72cf7c420850075005af3438999372c74d1473eef74545a8b1da2

SHA512
f47ce066fda9d68785d1e4b5a4d25e779d00a520ecf28bcf6e185134520df8ad5f8d8c3080d3fc05a4528c4587cb196df82c61b789a45c802f18583ff0d9c8d8

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace

Filesize
7KB

MD5
13ef64e9b993d070f0b2c31a454ca3ec

SHA1
464b435184588c8117c53c5057f3122126a29336

SHA256
f40fadc63ac9c0c9b65370d1fb2fec16ca576cd0c7dbe737fe41aa68856757dc

SHA512
7cea0c8114e3673e680a76a698b73901a4f16f2d7d2e271e5f7398ab6d19e5374314a1a680633e13b8a8b737ba0027edcde091202af38327d66873ed3bcda0c6

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\service.conf

Filesize
2KB

MD5
23caa98cbfef2cd008c8d940b2e911df

SHA1
ea2e22826893e3573c8e2a03ebf99374e541ea7a

SHA256
e0f2d5f28750716173978f519bfbb4b917e0f52bc924658aa017eb2c2f02e526

SHA512
ff9f18e4b60b0c0a24d18e6bb2ad701a12b16e7b79a64dbf1c873140936670645b4df42be644b4a71c5ca3023b5e1c6d5cb94585c143f3f7e0fb89ae0b296533

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
312B

MD5
0c04ad1083dc5c7c45e3ee2cd344ae38

SHA1
f1cf190f8ca93000e56d49732e9e827e2554c46f

SHA256
6452273c017db7cbe0ffc5b109bbf3f8d3282fb91bfa3c5eabc4fb8f1fc98cb0

SHA512
6c414b39bbc1f1f08446c6c6da6f6e1ceb9303bbf183ae279c872d91641ea8d67ec5e5c4e0824da3837eca73ec29fe70e92b72c09458c8ce50fa6f08791d1492

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
424B

MD5
3b946a64c5b89b31f07ab032c3843018

SHA1
684ea50da9d42799cf087b53ddd0d16013d3dc65

SHA256
1c21bd53804e506e3789816bc87f82e74b4263f4ccbba2d75b277f59f41f24e2

SHA512
3382fbbc72dc7b60389ad98536b5c425c211d7115735e3b444039e4fc985a5c2eeb36b703265376c130e01fee8114ed3b770a2e19ac23f14b9a3be2822ac9f3a

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
424B

MD5
3b946a64c5b89b31f07ab032c3843018

SHA1
684ea50da9d42799cf087b53ddd0d16013d3dc65

SHA256
1c21bd53804e506e3789816bc87f82e74b4263f4ccbba2d75b277f59f41f24e2

SHA512
3382fbbc72dc7b60389ad98536b5c425c211d7115735e3b444039e4fc985a5c2eeb36b703265376c130e01fee8114ed3b770a2e19ac23f14b9a3be2822ac9f3a

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
424B

MD5
3e6299047bb1065f279faa5813fdef04

SHA1
c080589d6bbdc21d2fe93bd13aa6dbf794428d39

SHA256
4f0d59802b560ab70d9a4e72a23b0613b5724c3071496fe5b95387386fc68d8e

SHA512
f04f43b29354c9b5e81c5e698cdc5194be6f57ba85777abb91c0c6f20f50205303b9741113c43adde249f722f54e89c4e1467d7b88c3a645c650a1bcc80fa5c4

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
424B

MD5
3e6299047bb1065f279faa5813fdef04

SHA1
c080589d6bbdc21d2fe93bd13aa6dbf794428d39

SHA256
4f0d59802b560ab70d9a4e72a23b0613b5724c3071496fe5b95387386fc68d8e

SHA512
f04f43b29354c9b5e81c5e698cdc5194be6f57ba85777abb91c0c6f20f50205303b9741113c43adde249f722f54e89c4e1467d7b88c3a645c650a1bcc80fa5c4

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
424B

MD5
3b946a64c5b89b31f07ab032c3843018

SHA1
684ea50da9d42799cf087b53ddd0d16013d3dc65

SHA256
1c21bd53804e506e3789816bc87f82e74b4263f4ccbba2d75b277f59f41f24e2

SHA512
3382fbbc72dc7b60389ad98536b5c425c211d7115735e3b444039e4fc985a5c2eeb36b703265376c130e01fee8114ed3b770a2e19ac23f14b9a3be2822ac9f3a

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
424B

MD5
3e6299047bb1065f279faa5813fdef04

SHA1
c080589d6bbdc21d2fe93bd13aa6dbf794428d39

SHA256
4f0d59802b560ab70d9a4e72a23b0613b5724c3071496fe5b95387386fc68d8e

SHA512
f04f43b29354c9b5e81c5e698cdc5194be6f57ba85777abb91c0c6f20f50205303b9741113c43adde249f722f54e89c4e1467d7b88c3a645c650a1bcc80fa5c4

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
424B

MD5
3b946a64c5b89b31f07ab032c3843018

SHA1
684ea50da9d42799cf087b53ddd0d16013d3dc65

SHA256
1c21bd53804e506e3789816bc87f82e74b4263f4ccbba2d75b277f59f41f24e2

SHA512
3382fbbc72dc7b60389ad98536b5c425c211d7115735e3b444039e4fc985a5c2eeb36b703265376c130e01fee8114ed3b770a2e19ac23f14b9a3be2822ac9f3a

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
424B

MD5
3b946a64c5b89b31f07ab032c3843018

SHA1
684ea50da9d42799cf087b53ddd0d16013d3dc65

SHA256
1c21bd53804e506e3789816bc87f82e74b4263f4ccbba2d75b277f59f41f24e2

SHA512
3382fbbc72dc7b60389ad98536b5c425c211d7115735e3b444039e4fc985a5c2eeb36b703265376c130e01fee8114ed3b770a2e19ac23f14b9a3be2822ac9f3a

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
424B

MD5
3e6299047bb1065f279faa5813fdef04

SHA1
c080589d6bbdc21d2fe93bd13aa6dbf794428d39

SHA256
4f0d59802b560ab70d9a4e72a23b0613b5724c3071496fe5b95387386fc68d8e

SHA512
f04f43b29354c9b5e81c5e698cdc5194be6f57ba85777abb91c0c6f20f50205303b9741113c43adde249f722f54e89c4e1467d7b88c3a645c650a1bcc80fa5c4

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
424B

MD5
3b946a64c5b89b31f07ab032c3843018

SHA1
684ea50da9d42799cf087b53ddd0d16013d3dc65

SHA256
1c21bd53804e506e3789816bc87f82e74b4263f4ccbba2d75b277f59f41f24e2

SHA512
3382fbbc72dc7b60389ad98536b5c425c211d7115735e3b444039e4fc985a5c2eeb36b703265376c130e01fee8114ed3b770a2e19ac23f14b9a3be2822ac9f3a

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
424B

MD5
3e6299047bb1065f279faa5813fdef04

SHA1
c080589d6bbdc21d2fe93bd13aa6dbf794428d39

SHA256
4f0d59802b560ab70d9a4e72a23b0613b5724c3071496fe5b95387386fc68d8e

SHA512
f04f43b29354c9b5e81c5e698cdc5194be6f57ba85777abb91c0c6f20f50205303b9741113c43adde249f722f54e89c4e1467d7b88c3a645c650a1bcc80fa5c4

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
424B

MD5
3b946a64c5b89b31f07ab032c3843018

SHA1
684ea50da9d42799cf087b53ddd0d16013d3dc65

SHA256
1c21bd53804e506e3789816bc87f82e74b4263f4ccbba2d75b277f59f41f24e2

SHA512
3382fbbc72dc7b60389ad98536b5c425c211d7115735e3b444039e4fc985a5c2eeb36b703265376c130e01fee8114ed3b770a2e19ac23f14b9a3be2822ac9f3a

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
424B

MD5
3e6299047bb1065f279faa5813fdef04

SHA1
c080589d6bbdc21d2fe93bd13aa6dbf794428d39

SHA256
4f0d59802b560ab70d9a4e72a23b0613b5724c3071496fe5b95387386fc68d8e

SHA512
f04f43b29354c9b5e81c5e698cdc5194be6f57ba85777abb91c0c6f20f50205303b9741113c43adde249f722f54e89c4e1467d7b88c3a645c650a1bcc80fa5c4

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
2c86083d8eb5bf3a5a67f866381e3663

SHA1
f87da2d9606aa5e4f1230124f76d3fe79404d7b4

SHA256
fae444781962f25a4fb5b5279ea7f1eb7859dac15d20fdb4ad46423a74878f79

SHA512
61992b96afa97afff8d2bcaf978972d7474189be95bc372f66a85ebb0668c1b8b15552a0150718b31ccb23d2233d04d1659983fa7ec68a3cfb9d2733fe9e197e

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
2c86083d8eb5bf3a5a67f866381e3663

SHA1
f87da2d9606aa5e4f1230124f76d3fe79404d7b4

SHA256
fae444781962f25a4fb5b5279ea7f1eb7859dac15d20fdb4ad46423a74878f79

SHA512
61992b96afa97afff8d2bcaf978972d7474189be95bc372f66a85ebb0668c1b8b15552a0150718b31ccb23d2233d04d1659983fa7ec68a3cfb9d2733fe9e197e

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
9ae69f6fc25d79ba2439cf5e71c700e5

SHA1
7ac997d8b38c8547457d001d0379a2a29468972d

SHA256
ad6a096c118c01c692f8a2f1ad8080c7573c94613b27b39387d1e7b8247df279

SHA512
37a3f71ef6b625cb7d534f09503832959c05e8dd2ab4d03572bdbdee5eddff3b92ff88426d8bcd4dbde0ac263389f03296a481452026bd030b47dcf0b4e12029

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
9ae69f6fc25d79ba2439cf5e71c700e5

SHA1
7ac997d8b38c8547457d001d0379a2a29468972d

SHA256
ad6a096c118c01c692f8a2f1ad8080c7573c94613b27b39387d1e7b8247df279

SHA512
37a3f71ef6b625cb7d534f09503832959c05e8dd2ab4d03572bdbdee5eddff3b92ff88426d8bcd4dbde0ac263389f03296a481452026bd030b47dcf0b4e12029

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
9ae69f6fc25d79ba2439cf5e71c700e5

SHA1
7ac997d8b38c8547457d001d0379a2a29468972d

SHA256
ad6a096c118c01c692f8a2f1ad8080c7573c94613b27b39387d1e7b8247df279

SHA512
37a3f71ef6b625cb7d534f09503832959c05e8dd2ab4d03572bdbdee5eddff3b92ff88426d8bcd4dbde0ac263389f03296a481452026bd030b47dcf0b4e12029

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
1946572edc537885b132c633d3b0ec2d

SHA1
109b397e8e165f0599bd38a8cf0c04e343d17c0f

SHA256
b946dbe317616b884c1c1864d7b45d7b1784060c9965b64b792fadcbc27b52cf

SHA512
506baabbc0f2f530640c56d0474e7d1e2dd9ac7d3b60e77f2ee2679bec80c66186bbe05622bb20fe244d6dab96d5c7c48beaafb7ffe952e2f24a9fe756e2cf2c

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
1946572edc537885b132c633d3b0ec2d

SHA1
109b397e8e165f0599bd38a8cf0c04e343d17c0f

SHA256
b946dbe317616b884c1c1864d7b45d7b1784060c9965b64b792fadcbc27b52cf

SHA512
506baabbc0f2f530640c56d0474e7d1e2dd9ac7d3b60e77f2ee2679bec80c66186bbe05622bb20fe244d6dab96d5c7c48beaafb7ffe952e2f24a9fe756e2cf2c

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
1946572edc537885b132c633d3b0ec2d

SHA1
109b397e8e165f0599bd38a8cf0c04e343d17c0f

SHA256
b946dbe317616b884c1c1864d7b45d7b1784060c9965b64b792fadcbc27b52cf

SHA512
506baabbc0f2f530640c56d0474e7d1e2dd9ac7d3b60e77f2ee2679bec80c66186bbe05622bb20fe244d6dab96d5c7c48beaafb7ffe952e2f24a9fe756e2cf2c

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
e24ce682c7d622e58466220d4973f92b

SHA1
9d533eb529b9c8b5e35b33129a2f2b528d0e8322

SHA256
e2fe0b47c979f4b7edba53d7e08dec9d3a6f49959ae0e9d31dea7172ad061967

SHA512
341b52522a162bf314536b963a73e526e2ff672c2b348cbadade60d5151b7f5654944663129b39c24af5f6c98426d0dbd4764e22f45888b34a5c1b460a90bc36

Download Submit
memory/3888-154-0x0000000005890000-0x0000000005891000-memory.dmp

Filesize
4KB

Download
memory/3888-133-0x0000000000B30000-0x0000000001BAE000-memory.dmp

Filesize
16.5MB

Download
memory/3888-140-0x0000000002440000-0x0000000002441000-memory.dmp

Filesize
4KB

Download
memory/3888-244-0x0000000000B30000-0x0000000001BAE000-memory.dmp

Filesize
16.5MB

Download
memory/3888-152-0x0000000005880000-0x0000000005881000-memory.dmp

Filesize
4KB

Download
memory/4360-149-0x0000000000B30000-0x0000000001BAE000-memory.dmp

Filesize
16.5MB

Download
memory/4360-162-0x0000000000860000-0x0000000000861000-memory.dmp

Filesize
4KB

Download
memory/4360-294-0x0000000000B30000-0x0000000001BAE000-memory.dmp

Filesize
16.5MB

Download
memory/4360-508-0x0000000000B30000-0x0000000001BAE000-memory.dmp

Filesize
16.5MB

Download
memory/4360-704-0x0000000000B30000-0x0000000001BAE000-memory.dmp

Filesize
16.5MB

Download
memory/4372-376-0x0000000000B30000-0x0000000001BAE000-memory.dmp

Filesize
16.5MB

Download
memory/4372-314-0x0000000000B30000-0x0000000001BAE000-memory.dmp

Filesize
16.5MB

Download
memory/4372-507-0x0000000000B30000-0x0000000001BAE000-memory.dmp

Filesize
16.5MB

Download
memory/4372-148-0x0000000000B30000-0x0000000001BAE000-memory.dmp

Filesize
16.5MB

Download
memory/4372-293-0x0000000000B30000-0x0000000001BAE000-memory.dmp

Filesize
16.5MB

Download
memory/4372-703-0x0000000000B30000-0x0000000001BAE000-memory.dmp

Filesize
16.5MB

Download