6f4a78da5c19afba57637bd344213d5ff55fb69dc343d6a6c79b0696ce53eaa0

General

Target

AnyDesk.exe
Size

2.8MB
MD5

ff6bbddc34cbd33e2501872b97c4bacd
SHA1

f2bd2d8381739149e1c624762ca557dee2164caa
SHA256

6f4a78da5c19afba57637bd344213d5ff55fb69dc343d6a6c79b0696ce53eaa0
SHA512

1c2c8505e0e5da64b6766a9a5686c8efdbc11df8085a92c25cef38c01a0034ff8dd3feb462d5d2179d9b88b86ac9002dfdd202318e6988fb8cf23431e03bae44
SSDEEP

49152:9Ll8YFwl2Wauwp8DvwNKnQUiA1FY0QYAlyBMNaI8SgQEFPPVXzVz:zcl2WWp8WLA1eCAlhd8SXEFPVp

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AnyDesk.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	AnyDesk.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
460	AnyDesk.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
516	AnyDesk.exe
516	AnyDesk.exe
516	AnyDesk.exe

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
516	AnyDesk.exe
516	AnyDesk.exe
516	AnyDesk.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1708 wrote to memory of 460	1708	AnyDesk.exe	28
PID 1708 wrote to memory of 460	1708	AnyDesk.exe	28
PID 1708 wrote to memory of 460	1708	AnyDesk.exe	28
PID 1708 wrote to memory of 460	1708	AnyDesk.exe	28
PID 1708 wrote to memory of 516	1708	AnyDesk.exe	29
PID 1708 wrote to memory of 516	1708	AnyDesk.exe	29
PID 1708 wrote to memory of 516	1708	AnyDesk.exe	29
PID 1708 wrote to memory of 516	1708	AnyDesk.exe	29

C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
"C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe"
1⤵
- Checks processor information in registry
- Suspicious use of WriteProcessMemory
PID:1708
- C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
  "C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe" --local-service
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:460
- C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
  "C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe" --local-control
  2⤵
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:516

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace

Filesize
5KB

MD5
fe9cea87556bd61a0dc678a3674b1c49

SHA1
149719771b9bb66b8da813ad1791213ab53c51e2

SHA256
8ffde6bc19f092fff9e12ce2df2d991a65311a6fb1f85a74229cd2e35772e2ea

SHA512
fac8a64ae75fca17b6c014b2c3085c287481d85fbd6bbda96f41b5dd1a71f43d723e35c3a62f201d58c110aef2b027340d7c5f108576d3b8f5c3f726fd5e49fb

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace

Filesize
5KB

MD5
5dcb717d1a597a24386d39d1b8601462

SHA1
52397b395da74b4e41059e8a688f83ae0f12b800

SHA256
c71425f2bb902de7118fc1bd5e611f28d8f454d9db3854cbc107f711bb92b57a

SHA512
003658e55d05a7c5424f1dc81c5ad63542722253b5fe768dac0551ac98f37712dc7bde932f5276f4e3c674ae1fbfb1177dae33e3df507d3754dce769b19764d8

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\service.conf

Filesize
2KB

MD5
1c11ee1ce05d6a8eae17aa8811b34978

SHA1
7f48d4add9e72828a1050bb722de1dc21c85eacf

SHA256
312e91db21f266855d6e7b66deaab7fd85a977b93c5731fc32d1ec7fc42a4a20

SHA512
3f551ad9e86fa6b0b3ba23b3e4ffb311312491bc036b3bfbe58d5d6650d3af6c57ab04feae3a61cc949e0b36b092809f5a94726ef4bb52576a1f496561c3dc02

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
105B

MD5
f559a9f77ec71b885582b469e30cf8e3

SHA1
44ffaf76d715393eb8f39b73bdce585afe904e75

SHA256
c69a04d0edd931ec17557caffca2e06e40cf805aadcb2b8172f513aef7990ccf

SHA512
6d39fbcab24f8bf4a8b992a7dfdb7fd97ccae7223610450b20f505ad00bf9987b94e6e725bf5824e3513f10a8df2d411b22a014f97c93888eebb93a2900447f2

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
113B

MD5
f92bce7a25af12dce7934f13fa5f4ee6

SHA1
88a810e00a39cd744eeadcb089fd39ff0355ddf7

SHA256
fe8a812b924b4ca91da954f1b5143b65340f3191aa3d54e087ab487f0452546c

SHA512
2d80d314f5e812f15b9912cc05bd3fbc23ec9e8daedbaa67b1a00bbabecf899f134c7fd94ad80721ccb68bdd205c3c6e7edac8a239951dcbbcc1119699817cd9

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
205B

MD5
59352c2b0c590c5fd96365d3168d723b

SHA1
53ab571639cc3e3a38032c1095985f7f4278d8fc

SHA256
079db0d18cb8ca55e8653f3d67608c5e445d32e368feb874ed3fa1d797c7c286

SHA512
2d21bcd26ef934095ca5b37aa1e66091547870f5e09c2d203dfd75923d2575f93f1a42f31e4fb7b2423b766984464ed65b048f49519837918de246a892c82828

Download Submit
memory/460-328-0x00000000003C0000-0x0000000000F3B000-memory.dmp

Filesize
11.5MB

Download
memory/460-283-0x00000000003C0000-0x0000000000F3B000-memory.dmp

Filesize
11.5MB

Download
memory/460-254-0x00000000003C0000-0x0000000000F3B000-memory.dmp

Filesize
11.5MB

Download
memory/460-251-0x00000000003C0000-0x0000000000F3B000-memory.dmp

Filesize
11.5MB

Download
memory/460-222-0x00000000003C0000-0x0000000000F3B000-memory.dmp

Filesize
11.5MB

Download
memory/460-193-0x00000000003C0000-0x0000000000F3B000-memory.dmp

Filesize
11.5MB

Download
memory/460-289-0x00000000003C0000-0x0000000000F3B000-memory.dmp

Filesize
11.5MB

Download
memory/460-296-0x00000000003C0000-0x0000000000F3B000-memory.dmp

Filesize
11.5MB

Download
memory/460-337-0x00000000003C0000-0x0000000000F3B000-memory.dmp

Filesize
11.5MB

Download
memory/460-69-0x00000000003C0000-0x0000000000F3B000-memory.dmp

Filesize
11.5MB

Download
memory/460-366-0x00000000003C0000-0x0000000000F3B000-memory.dmp

Filesize
11.5MB

Download
memory/516-194-0x00000000003C0000-0x0000000000F3B000-memory.dmp

Filesize
11.5MB

Download
memory/516-116-0x0000000000120000-0x0000000000121000-memory.dmp

Filesize
4KB

Download
memory/516-70-0x00000000003C0000-0x0000000000F3B000-memory.dmp

Filesize
11.5MB

Download
memory/1708-83-0x0000000003810000-0x0000000003811000-memory.dmp

Filesize
4KB

Download
memory/1708-84-0x0000000003880000-0x0000000003881000-memory.dmp

Filesize
4KB

Download
memory/1708-82-0x0000000003800000-0x0000000003801000-memory.dmp

Filesize
4KB

Download
memory/1708-79-0x00000000037C0000-0x00000000037C1000-memory.dmp

Filesize
4KB

Download
memory/1708-86-0x00000000032B0000-0x00000000032B1000-memory.dmp

Filesize
4KB

Download
memory/1708-180-0x00000000003C0000-0x0000000000F3B000-memory.dmp

Filesize
11.5MB

Download
memory/1708-76-0x0000000003680000-0x0000000003681000-memory.dmp

Filesize
4KB

Download
memory/1708-54-0x00000000003C0000-0x0000000000F3B000-memory.dmp

Filesize
11.5MB

Download
memory/1708-85-0x00000000038A0000-0x00000000038A1000-memory.dmp

Filesize
4KB

Download
memory/1708-81-0x00000000037F0000-0x00000000037F1000-memory.dmp

Filesize
4KB

Download
memory/1708-80-0x00000000037E0000-0x00000000037E1000-memory.dmp

Filesize
4KB

Download
memory/1708-77-0x00000000036A0000-0x00000000036A1000-memory.dmp

Filesize
4KB

Download
memory/1708-75-0x0000000000F60000-0x0000000000F61000-memory.dmp

Filesize
4KB

Download
memory/1708-73-0x00000000035E0000-0x00000000035E1000-memory.dmp

Filesize
4KB

Download
memory/1708-72-0x00000000003A0000-0x00000000003A1000-memory.dmp

Filesize
4KB

Download
memory/1708-78-0x00000000036B0000-0x00000000036B1000-memory.dmp

Filesize
4KB

Download
memory/1708-56-0x00000000000B0000-0x00000000000B1000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing