6f4a78da5c19afba57637bd344213d5ff55fb69dc343d6a6c79b0696ce53eaa0

General

Target

AnyDesk.exe
Size

2.8MB
MD5

ff6bbddc34cbd33e2501872b97c4bacd
SHA1

f2bd2d8381739149e1c624762ca557dee2164caa
SHA256

6f4a78da5c19afba57637bd344213d5ff55fb69dc343d6a6c79b0696ce53eaa0
SHA512

1c2c8505e0e5da64b6766a9a5686c8efdbc11df8085a92c25cef38c01a0034ff8dd3feb462d5d2179d9b88b86ac9002dfdd202318e6988fb8cf23431e03bae44
SSDEEP

49152:9Ll8YFwl2Wauwp8DvwNKnQUiA1FY0QYAlyBMNaI8SgQEFPPVXzVz:zcl2WWp8WLA1eCAlhd8SXEFPVp

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AnyDesk.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	AnyDesk.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1816	AnyDesk.exe
1816	AnyDesk.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
2796	AnyDesk.exe
2796	AnyDesk.exe
2796	AnyDesk.exe

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
2796	AnyDesk.exe
2796	AnyDesk.exe
2796	AnyDesk.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 3804 wrote to memory of 1816	3804	AnyDesk.exe	86
PID 3804 wrote to memory of 1816	3804	AnyDesk.exe	86
PID 3804 wrote to memory of 1816	3804	AnyDesk.exe	86
PID 3804 wrote to memory of 2796	3804	AnyDesk.exe	87
PID 3804 wrote to memory of 2796	3804	AnyDesk.exe	87
PID 3804 wrote to memory of 2796	3804	AnyDesk.exe	87

C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
"C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe"
1⤵
- Checks processor information in registry
- Suspicious use of WriteProcessMemory
PID:3804
- C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
  "C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe" --local-service
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1816
- C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
  "C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe" --local-control
  2⤵
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:2796

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace

Filesize
5KB

MD5
8ff5bb9c7d8567d13029dc1810db12d8

SHA1
222ed25e4cfa5242335692e656e20723f66f858d

SHA256
16f11be09fdae21c7746a905b9be197d0ae27af98206484c2451887ab0bdcfb7

SHA512
3141052f5f4ac30b2b82db1666a5139423ec3c0743e2e9bc946765492ffca35f6b8b5d7cc465dcbce80d3486d97baf5eb0e0d0ea5bc761736f8721ff5425ed76

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace

Filesize
7KB

MD5
7fc5ef66f00982d0c0be721bddb2627d

SHA1
12b5556f07d51727bbee48121df81d57052dd094

SHA256
c73b50080dba6c05db40d2f11dce8ccfc67be9aeecbdaae597926db9d6b2332b

SHA512
7eeb2df5d0590e1f85e1b63cbac75498cc53f118ac7ba512cbdeb62bb281b6bcbe2c4cc93f3b27e604768544f0d7a156054b3a380a5fb25018966a418e0d5c64

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\service.conf

Filesize
2KB

MD5
26e7e915884b7a0a5b92995350c5840c

SHA1
6f63665c8c9fef5de377ab8c2759383830403833

SHA256
b715ec76b780374bbd49e0680ab897f0fadba0caa7912a63c17af7cb499b8490

SHA512
8f4adf3dfd33098ffbbfe831e81f5b88f584c1e5e13c8462d593dea5e51e4f2e7089b5c3ce4d80bc136a574ac725ec0af16f3709ee3f136cfdbc4954102810bf

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
105B

MD5
be462bb1b425f17fb9aa35adfa581c8d

SHA1
512fda5a523f212e06d7d108a34d26b27d96382f

SHA256
7cbed01802bacbc187e8f3675700962ad68967a4beced7f6416d520f4bdccda1

SHA512
44b68d696503af686e8654fd3edec23537a2dc26991db0d67a9858b708419f9a06c182cf0dd6f584eae45374b8dd31cd3691ebea1f176d50582a4dde94e35d92

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
113B

MD5
7388c4d5c570d62b30db5d2ec9b5d994

SHA1
31fe9185a3d7d8b4f4bbb62fdc6a4b7039734f3b

SHA256
94adfea00315e3714c8be4d6b001fea5d9195b9c76eefbfe8502b4b89872a1d2

SHA512
318ade0cf3ab17038fbe80d70e6e78c4e2913fb9e3cdee1b02c880e64d841f4725dc3b93e123b38ace95a4c363686924477f4e5d7a6d242d76da28a4bf6c09b5

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
107B

MD5
f25e48e1d9e1e1398bc5fbc6885570b8

SHA1
46557c8ebb9236af6c28c9bdd317d1d25749e710

SHA256
0379e6a5dff30a991e0acdb9932cac828eb3e30ca8cc23447a2bc73ae78181db

SHA512
41e61480f5141b6950d7b96f3e4dfcca19bc480e0b11eeebdedaeb266c6e525f41f3d29a3c1c0bf8f17a3c30111d8fba7e269d5fcf84b336bee916e21881acb7

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
205B

MD5
59352c2b0c590c5fd96365d3168d723b

SHA1
53ab571639cc3e3a38032c1095985f7f4278d8fc

SHA256
079db0d18cb8ca55e8653f3d67608c5e445d32e368feb874ed3fa1d797c7c286

SHA512
2d21bcd26ef934095ca5b37aa1e66091547870f5e09c2d203dfd75923d2575f93f1a42f31e4fb7b2423b766984464ed65b048f49519837918de246a892c82828

Download Submit
memory/1816-188-0x00000000004A0000-0x000000000101B000-memory.dmp

Filesize
11.5MB

Download
memory/1816-227-0x00000000004A0000-0x000000000101B000-memory.dmp

Filesize
11.5MB

Download
memory/1816-218-0x00000000004A0000-0x000000000101B000-memory.dmp

Filesize
11.5MB

Download
memory/1816-212-0x00000000004A0000-0x000000000101B000-memory.dmp

Filesize
11.5MB

Download
memory/1816-204-0x00000000004A0000-0x000000000101B000-memory.dmp

Filesize
11.5MB

Download
memory/1816-200-0x00000000004A0000-0x000000000101B000-memory.dmp

Filesize
11.5MB

Download
memory/1816-197-0x00000000004A0000-0x000000000101B000-memory.dmp

Filesize
11.5MB

Download
memory/1816-194-0x00000000004A0000-0x000000000101B000-memory.dmp

Filesize
11.5MB

Download
memory/1816-191-0x00000000004A0000-0x000000000101B000-memory.dmp

Filesize
11.5MB

Download
memory/1816-162-0x00000000004A0000-0x000000000101B000-memory.dmp

Filesize
11.5MB

Download
memory/2796-168-0x00000000014E0000-0x00000000014E1000-memory.dmp

Filesize
4KB

Download
memory/2796-163-0x00000000004A0000-0x000000000101B000-memory.dmp

Filesize
11.5MB

Download
memory/2796-189-0x00000000004A0000-0x000000000101B000-memory.dmp

Filesize
11.5MB

Download
memory/3804-160-0x0000000006770000-0x0000000006771000-memory.dmp

Filesize
4KB

Download
memory/3804-161-0x00000000044C0000-0x00000000044C1000-memory.dmp

Filesize
4KB

Download
memory/3804-150-0x0000000004140000-0x0000000004141000-memory.dmp

Filesize
4KB

Download
memory/3804-149-0x00000000044F0000-0x00000000044F1000-memory.dmp

Filesize
4KB

Download
memory/3804-148-0x0000000004130000-0x0000000004131000-memory.dmp

Filesize
4KB

Download
memory/3804-135-0x00000000017B0000-0x00000000017B1000-memory.dmp

Filesize
4KB

Download
memory/3804-187-0x00000000004A0000-0x000000000101B000-memory.dmp

Filesize
11.5MB

Download
memory/3804-133-0x00000000004A0000-0x000000000101B000-memory.dmp

Filesize
11.5MB

Download
memory/3804-152-0x00000000066B0000-0x00000000066B1000-memory.dmp

Filesize
4KB

Download
memory/3804-151-0x0000000006690000-0x0000000006691000-memory.dmp

Filesize
4KB

Download
memory/3804-153-0x00000000066C0000-0x00000000066C1000-memory.dmp

Filesize
4KB

Download
memory/3804-158-0x0000000006720000-0x0000000006721000-memory.dmp

Filesize
4KB

Download
memory/3804-159-0x0000000006750000-0x0000000006751000-memory.dmp

Filesize
4KB

Download
memory/3804-157-0x0000000006710000-0x0000000006711000-memory.dmp

Filesize
4KB

Download
memory/3804-156-0x0000000006700000-0x0000000006701000-memory.dmp

Filesize
4KB

Download
memory/3804-155-0x00000000066F0000-0x00000000066F1000-memory.dmp

Filesize
4KB

Download
memory/3804-154-0x00000000066D0000-0x00000000066D1000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing