7ab5e5fc448bae685606379dc8bb15a63d42683fd81ad118bc5cc40248849a9f

Analysis

max time kernel
149s
max time network
116s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
22/04/2023, 20:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

AnyDesk.exe
Size

3.8MB
MD5

3e0abb8a339194027c3e5d8f75dd568d
SHA1

f49baeea7d2a1c467a6505f27a0124b45d26f61f
SHA256

7ab5e5fc448bae685606379dc8bb15a63d42683fd81ad118bc5cc40248849a9f
SHA512

f2bce29e4acd6e3027a30d386a74879ebabb328803e84a2df6aff9ec54933ce7c111b8b447325c37ae3f36e236c573fe4a47a67bfebb3f0d3116b6e21a926a61
SSDEEP

49152:SDvwCpukOImpN6XoNU9Ckh3vcAWfSHo6wgXeSdaEo8qgVX6pkmxEqpRMo2Q0X299:S8VBIMeoNLC+gwQPNo8qgECepxdYiW9c

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AnyDesk.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	AnyDesk.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1412	AnyDesk.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
1316	AnyDesk.exe
1316	AnyDesk.exe
1316	AnyDesk.exe

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
1316	AnyDesk.exe
1316	AnyDesk.exe
1316	AnyDesk.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1704 wrote to memory of 1412	1704	AnyDesk.exe	27
PID 1704 wrote to memory of 1412	1704	AnyDesk.exe	27
PID 1704 wrote to memory of 1412	1704	AnyDesk.exe	27
PID 1704 wrote to memory of 1412	1704	AnyDesk.exe	27
PID 1704 wrote to memory of 1316	1704	AnyDesk.exe	28
PID 1704 wrote to memory of 1316	1704	AnyDesk.exe	28
PID 1704 wrote to memory of 1316	1704	AnyDesk.exe	28
PID 1704 wrote to memory of 1316	1704	AnyDesk.exe	28

C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
"C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe"
1⤵
- Checks processor information in registry
- Suspicious use of WriteProcessMemory
PID:1704
- C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
  "C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe" --local-service
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1412
- C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
  "C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe" --local-control
  2⤵
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:1316

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace

Filesize
6KB

MD5
0ab201d1dd98e62e8375b4815bbdcc74

SHA1
3575d5189eebadd247eb68d2e6f1709681212a07

SHA256
45b42b4a94cdfc2e1bee066bd65fd2083679ef22747c45d7f126a37170034d78

SHA512
690dd0fc4a4c5b35d5f1828c593cf4f198788f14b1f74610cead4ad328e31110456e5956963810ff58819e04a00d064e9bde972c18e36dfbefd94b3bd6e8fbca

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace

Filesize
6KB

MD5
0ab201d1dd98e62e8375b4815bbdcc74

SHA1
3575d5189eebadd247eb68d2e6f1709681212a07

SHA256
45b42b4a94cdfc2e1bee066bd65fd2083679ef22747c45d7f126a37170034d78

SHA512
690dd0fc4a4c5b35d5f1828c593cf4f198788f14b1f74610cead4ad328e31110456e5956963810ff58819e04a00d064e9bde972c18e36dfbefd94b3bd6e8fbca

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\service.conf

Filesize
2KB

MD5
5c096357c6da06b4ebafdb630116df59

SHA1
8480148c876e1d2ea798c025f88218ef1f08ee1a

SHA256
ff8492974c4336ff3a3b04a8d38583110343fdc4aa74510a599f8561c1998f78

SHA512
939dc28a6874a7b3da49d7cd1cca93d22a9ec19179400bb95f6e6a29b29fb3fcbdbf487083b8272b9983f0154064a9fb6bc1f707d5b0abe91065fd071e1fa60e

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\service.conf

Filesize
2KB

MD5
5c096357c6da06b4ebafdb630116df59

SHA1
8480148c876e1d2ea798c025f88218ef1f08ee1a

SHA256
ff8492974c4336ff3a3b04a8d38583110343fdc4aa74510a599f8561c1998f78

SHA512
939dc28a6874a7b3da49d7cd1cca93d22a9ec19179400bb95f6e6a29b29fb3fcbdbf487083b8272b9983f0154064a9fb6bc1f707d5b0abe91065fd071e1fa60e

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
424B

MD5
5bf7f12f968fea70e078e77e1446c3da

SHA1
726fd78837279f6c53a50081c2f960ac82bd2dfa

SHA256
270ddd522118a1b1c205222715be4fd232b329fddb7b2adb0e6844b305c891ab

SHA512
8366e5f14b1a74c9e984ecac9ffc2bf89095f4229a6b2035c9b0f9394faca8698f20f671add9c3dd3c387a9aebe33539cfa22bac0dc7213f9f21a7761fc408ba

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
424B

MD5
5bf7f12f968fea70e078e77e1446c3da

SHA1
726fd78837279f6c53a50081c2f960ac82bd2dfa

SHA256
270ddd522118a1b1c205222715be4fd232b329fddb7b2adb0e6844b305c891ab

SHA512
8366e5f14b1a74c9e984ecac9ffc2bf89095f4229a6b2035c9b0f9394faca8698f20f671add9c3dd3c387a9aebe33539cfa22bac0dc7213f9f21a7761fc408ba

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
424B

MD5
5bf7f12f968fea70e078e77e1446c3da

SHA1
726fd78837279f6c53a50081c2f960ac82bd2dfa

SHA256
270ddd522118a1b1c205222715be4fd232b329fddb7b2adb0e6844b305c891ab

SHA512
8366e5f14b1a74c9e984ecac9ffc2bf89095f4229a6b2035c9b0f9394faca8698f20f671add9c3dd3c387a9aebe33539cfa22bac0dc7213f9f21a7761fc408ba

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
424B

MD5
5bf7f12f968fea70e078e77e1446c3da

SHA1
726fd78837279f6c53a50081c2f960ac82bd2dfa

SHA256
270ddd522118a1b1c205222715be4fd232b329fddb7b2adb0e6844b305c891ab

SHA512
8366e5f14b1a74c9e984ecac9ffc2bf89095f4229a6b2035c9b0f9394faca8698f20f671add9c3dd3c387a9aebe33539cfa22bac0dc7213f9f21a7761fc408ba

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
424B

MD5
c4065342397da18be592c57e8f49ea99

SHA1
ac4779616e7e86d59413dbed781c0e0ef39531d0

SHA256
0f570ca15fa9159e59d8ee6554c1978164b155c09d35591101e1117ec7756ff3

SHA512
cdfb18ff5e3c0cb4880249262f79030b4c9b6e5ccf3409144688fa390d955ae4fa122593a6fd3a6edbd86affb4fbc3fff9a054f7997f1afb01a01b3d1621a305

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
424B

MD5
c4065342397da18be592c57e8f49ea99

SHA1
ac4779616e7e86d59413dbed781c0e0ef39531d0

SHA256
0f570ca15fa9159e59d8ee6554c1978164b155c09d35591101e1117ec7756ff3

SHA512
cdfb18ff5e3c0cb4880249262f79030b4c9b6e5ccf3409144688fa390d955ae4fa122593a6fd3a6edbd86affb4fbc3fff9a054f7997f1afb01a01b3d1621a305

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
424B

MD5
5bf7f12f968fea70e078e77e1446c3da

SHA1
726fd78837279f6c53a50081c2f960ac82bd2dfa

SHA256
270ddd522118a1b1c205222715be4fd232b329fddb7b2adb0e6844b305c891ab

SHA512
8366e5f14b1a74c9e984ecac9ffc2bf89095f4229a6b2035c9b0f9394faca8698f20f671add9c3dd3c387a9aebe33539cfa22bac0dc7213f9f21a7761fc408ba

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
424B

MD5
c4065342397da18be592c57e8f49ea99

SHA1
ac4779616e7e86d59413dbed781c0e0ef39531d0

SHA256
0f570ca15fa9159e59d8ee6554c1978164b155c09d35591101e1117ec7756ff3

SHA512
cdfb18ff5e3c0cb4880249262f79030b4c9b6e5ccf3409144688fa390d955ae4fa122593a6fd3a6edbd86affb4fbc3fff9a054f7997f1afb01a01b3d1621a305

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
424B

MD5
5bf7f12f968fea70e078e77e1446c3da

SHA1
726fd78837279f6c53a50081c2f960ac82bd2dfa

SHA256
270ddd522118a1b1c205222715be4fd232b329fddb7b2adb0e6844b305c891ab

SHA512
8366e5f14b1a74c9e984ecac9ffc2bf89095f4229a6b2035c9b0f9394faca8698f20f671add9c3dd3c387a9aebe33539cfa22bac0dc7213f9f21a7761fc408ba

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
424B

MD5
5bf7f12f968fea70e078e77e1446c3da

SHA1
726fd78837279f6c53a50081c2f960ac82bd2dfa

SHA256
270ddd522118a1b1c205222715be4fd232b329fddb7b2adb0e6844b305c891ab

SHA512
8366e5f14b1a74c9e984ecac9ffc2bf89095f4229a6b2035c9b0f9394faca8698f20f671add9c3dd3c387a9aebe33539cfa22bac0dc7213f9f21a7761fc408ba

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
424B

MD5
c4065342397da18be592c57e8f49ea99

SHA1
ac4779616e7e86d59413dbed781c0e0ef39531d0

SHA256
0f570ca15fa9159e59d8ee6554c1978164b155c09d35591101e1117ec7756ff3

SHA512
cdfb18ff5e3c0cb4880249262f79030b4c9b6e5ccf3409144688fa390d955ae4fa122593a6fd3a6edbd86affb4fbc3fff9a054f7997f1afb01a01b3d1621a305

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
6286d1c384e469a42b7295152c04387e

SHA1
949927b80e2e89edbc238bf9dbc72a1facd8ce4e

SHA256
1bd049a24cd253bb6b7914fd732ea34d0725528441fb0fec3fef910fd1e45c8d

SHA512
4f291dd8d1336a12640795f6c4e9571fff1b18629e33fc4eaa54163965c6d0cc9d6279d252058b9ecb67b9fee162d15fdaecd591de2f361bc063a94e2cb907f3

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
bf7af73dfd95b87fc0d8156be2ef59a1

SHA1
a0cbcdc9bb7f66cd217096fea4d2ddd5a1962f87

SHA256
1bdf4118c8963f7b1f35e43a1ab74ac9b7e563fd02aa5933ac06e9fed35b55b9

SHA512
8caef4172dee5b025b30377d379474d51655633bcf97fbdf319f07a88dca233bd687a45eeeeeede718bc81e6335c3532fa1c0adeb56054128a33cbc625089312

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
bf7af73dfd95b87fc0d8156be2ef59a1

SHA1
a0cbcdc9bb7f66cd217096fea4d2ddd5a1962f87

SHA256
1bdf4118c8963f7b1f35e43a1ab74ac9b7e563fd02aa5933ac06e9fed35b55b9

SHA512
8caef4172dee5b025b30377d379474d51655633bcf97fbdf319f07a88dca233bd687a45eeeeeede718bc81e6335c3532fa1c0adeb56054128a33cbc625089312

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
fe6fa66de4ecb3c19c60beeab5c01400

SHA1
878c7ef3d9c36a9ab53d4ec0c7d18105fa47d39c

SHA256
4033ffbc50216b598914c84013c7e3055d58f3836ba6fada12d72b634d2b850f

SHA512
47edbb926888fdb3c8876bfa925e44d6bfd48d1b35ca0e756b3dd7171bb8cb236659a1ff14b666ef10111a2a1f072fe36ef36f3707774e64eba1bb59a1a346a6

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
fffe4dd4609667ad2f7d896729519959

SHA1
79da329e6918da776641a58e2a7baf0100c7f529

SHA256
d679b0af2c83b2cade209da83621bc1f31a29586044e24080543e5ca8f49f696

SHA512
fade1b7ecf621bdb7b31303a987265aef3fe51e7939eafb3fde368cf549c99da766369164d1a69e0ac64756efa7179b56dee8b17f0d104df2c88a0e41552ef92

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
fffe4dd4609667ad2f7d896729519959

SHA1
79da329e6918da776641a58e2a7baf0100c7f529

SHA256
d679b0af2c83b2cade209da83621bc1f31a29586044e24080543e5ca8f49f696

SHA512
fade1b7ecf621bdb7b31303a987265aef3fe51e7939eafb3fde368cf549c99da766369164d1a69e0ac64756efa7179b56dee8b17f0d104df2c88a0e41552ef92

Download Submit
memory/1316-79-0x00000000000F0000-0x00000000000F1000-memory.dmp

Filesize
4KB

Download
memory/1316-69-0x0000000000CF0000-0x0000000001D3C000-memory.dmp

Filesize
16.3MB

Download
memory/1412-70-0x0000000000CF0000-0x0000000001D3C000-memory.dmp

Filesize
16.3MB

Download
memory/1704-54-0x0000000000CF0000-0x0000000001D3C000-memory.dmp

Filesize
16.3MB

Download
memory/1704-72-0x0000000000B30000-0x0000000000B31000-memory.dmp

Filesize
4KB

Download
memory/1704-71-0x0000000000B20000-0x0000000000B21000-memory.dmp

Filesize
4KB

Download
memory/1704-56-0x00000000000B0000-0x00000000000B1000-memory.dmp

Filesize
4KB

Download