b9ad79eaf7a4133f95f24c3b9d976c72f34264dc5c99030f0e57992cb5621f78

General

Target

AnyDesk.exe
Size

3.0MB
MD5

eb80f7bddb699784baa9fbf2941eaf4a
SHA1

df6abbfd20e731689f3c7d2a55f45ac83fbbc40b
SHA256

b9ad79eaf7a4133f95f24c3b9d976c72f34264dc5c99030f0e57992cb5621f78
SHA512

3a1162e9fef849cb7143dc1898d4cfcfd87eb80ced0edb321dfa096686b25ae8a9a7f3ae8f37a09724d94f96d64e08940fc23c0b931ddd8a1e70e2792cb3fe47
SSDEEP

98304:6aJXyQTrRGlSMoIuORmKBQielvZlpkiSti:3olMcR9BTY3WS

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AnyDesk.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	AnyDesk.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4252	AnyDesk.exe
4252	AnyDesk.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
4256	AnyDesk.exe
4256	AnyDesk.exe
4256	AnyDesk.exe

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
4256	AnyDesk.exe
4256	AnyDesk.exe
4256	AnyDesk.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4244 wrote to memory of 4252	4244	AnyDesk.exe	66
PID 4244 wrote to memory of 4252	4244	AnyDesk.exe	66
PID 4244 wrote to memory of 4252	4244	AnyDesk.exe	66
PID 4244 wrote to memory of 4256	4244	AnyDesk.exe	67
PID 4244 wrote to memory of 4256	4244	AnyDesk.exe	67
PID 4244 wrote to memory of 4256	4244	AnyDesk.exe	67

C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
"C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe"
1⤵
- Checks processor information in registry
- Suspicious use of WriteProcessMemory
PID:4244
- C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
  "C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe" --local-service
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4252
- C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
  "C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe" --local-control
  2⤵
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:4256

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace

Filesize
6KB

MD5
82770713d0bdfeb719a936ef4fcc680c

SHA1
1274739c01ff8e446d7392fb8f205b552948636d

SHA256
18b15e6927e461e07b44803bc6400399b5d2ecc420c9bc59d4416094f9db2337

SHA512
6e1ba7e95353da55eba47435a8c1316d7d1ff1d4023622b2a64d4f173c31e331379a49fa6235130b2bc34dfcf0e3c4ed86a9a2fbe24ee5fbde2e16900b29f9f7

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace

Filesize
6KB

MD5
82770713d0bdfeb719a936ef4fcc680c

SHA1
1274739c01ff8e446d7392fb8f205b552948636d

SHA256
18b15e6927e461e07b44803bc6400399b5d2ecc420c9bc59d4416094f9db2337

SHA512
6e1ba7e95353da55eba47435a8c1316d7d1ff1d4023622b2a64d4f173c31e331379a49fa6235130b2bc34dfcf0e3c4ed86a9a2fbe24ee5fbde2e16900b29f9f7

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\service.conf

Filesize
2KB

MD5
38807eb749b93e49551c668939e608d8

SHA1
2bcf5bd41ae235bb09d5065f2f4d58888f9738a7

SHA256
14766941a650c2cfb20879c19123a940b028a343693fd2ea7c6d26759116cf5e

SHA512
14df8853355eaacc96d95c52c8af14bda054504211fa2f3c2e0975c8fc7033bdf4aa668d898e5c9ac8b2eaa669fa429ab03105cbc133d716ba994892b7bf20e4

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
105B

MD5
51b77982a31f12fa641f12e4f2b55e5c

SHA1
5f4388da15bd908c100134ce17fa1a44caf256be

SHA256
f8ff8a07da047e80483ad17d4146cda96e60385f53e88eef53507986e8420823

SHA512
2a356de186e9a22fa8933c98e949678af6c5ae2433606776b5d1f74cf9395a1799d9570438d499ce63122d85468ca9baa03ddde88db911f976075c32d837275d

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
105B

MD5
51b77982a31f12fa641f12e4f2b55e5c

SHA1
5f4388da15bd908c100134ce17fa1a44caf256be

SHA256
f8ff8a07da047e80483ad17d4146cda96e60385f53e88eef53507986e8420823

SHA512
2a356de186e9a22fa8933c98e949678af6c5ae2433606776b5d1f74cf9395a1799d9570438d499ce63122d85468ca9baa03ddde88db911f976075c32d837275d

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
113B

MD5
14cb8ea4f3b9194bb3fa5a70dd103ccb

SHA1
2f677ed204f76990a866c4bb4fdec37c41f1f126

SHA256
bf068d3af9bfe984f1d2d2c973af3aa0cc23d44c5f2aae68952128b8af58a3c4

SHA512
c0eae8b332c1ecb6777d19a46b9d2a0c18981e8a398d26a176f97f008f3acadfdb7f32176a38f4da8e23b0f47f4a57b88dc376539c641190a9bd34e40d721d16

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
205B

MD5
47571354e57cc426b407d6de5196dcde

SHA1
9dd39b1e1df0a98ad560e7de0ffab884da24cef3

SHA256
35b413e25fe6a26ca178fcc21a88cab0f1343dee8a57617d7dcecddb1d5fad45

SHA512
82f9ea1656a252095f653c2fc2ac097f5e8230df47870a419a33b9d899f84576c27ada32f82482ae6c36dfa6ddd7da44b00eab622756369d0ca668a1d8be5aa3

Download Submit
memory/4244-136-0x0000000006C90000-0x0000000006C91000-memory.dmp

Filesize
4KB

Download
memory/4244-129-0x0000000004BE0000-0x0000000004BE1000-memory.dmp

Filesize
4KB

Download
memory/4244-137-0x0000000006CA0000-0x0000000006CA1000-memory.dmp

Filesize
4KB

Download
memory/4244-170-0x0000000000BC0000-0x00000000017D2000-memory.dmp

Filesize
12.1MB

Download
memory/4244-139-0x0000000006CD0000-0x0000000006CD1000-memory.dmp

Filesize
4KB

Download
memory/4244-142-0x0000000006CE0000-0x0000000006CE1000-memory.dmp

Filesize
4KB

Download
memory/4244-118-0x0000000001CB0000-0x0000000001CB1000-memory.dmp

Filesize
4KB

Download
memory/4244-144-0x0000000006CF0000-0x0000000006CF1000-memory.dmp

Filesize
4KB

Download
memory/4244-146-0x0000000006D20000-0x0000000006D21000-memory.dmp

Filesize
4KB

Download
memory/4244-147-0x0000000006D40000-0x0000000006D41000-memory.dmp

Filesize
4KB

Download
memory/4244-148-0x0000000004BB0000-0x0000000004BB1000-memory.dmp

Filesize
4KB

Download
memory/4244-116-0x0000000000BC0000-0x00000000017D2000-memory.dmp

Filesize
12.1MB

Download
memory/4244-134-0x0000000006C60000-0x0000000006C61000-memory.dmp

Filesize
4KB

Download
memory/4244-135-0x0000000006C80000-0x0000000006C81000-memory.dmp

Filesize
4KB

Download
memory/4244-128-0x0000000004820000-0x0000000004821000-memory.dmp

Filesize
4KB

Download
memory/4244-130-0x0000000004830000-0x0000000004831000-memory.dmp

Filesize
4KB

Download
memory/4244-138-0x0000000006CC0000-0x0000000006CC1000-memory.dmp

Filesize
4KB

Download
memory/4252-140-0x0000000000BC0000-0x00000000017D2000-memory.dmp

Filesize
12.1MB

Download
memory/4252-171-0x0000000000BC0000-0x00000000017D2000-memory.dmp

Filesize
12.1MB

Download
memory/4252-174-0x0000000000BC0000-0x00000000017D2000-memory.dmp

Filesize
12.1MB

Download
memory/4252-177-0x0000000000BC0000-0x00000000017D2000-memory.dmp

Filesize
12.1MB

Download
memory/4256-166-0x0000000001DE0000-0x0000000001DE1000-memory.dmp

Filesize
4KB

Download
memory/4256-141-0x0000000000BC0000-0x00000000017D2000-memory.dmp

Filesize
12.1MB

Download
memory/4256-172-0x0000000000BC0000-0x00000000017D2000-memory.dmp

Filesize
12.1MB

Download

Analysis

Sharing