4de898c139fb5251479ca6f9ec044cac4d83a2f5d1113b7a4b8f13468a130c97

General

Target

AnyDesk6.0.7个人版.exe
Size

3.5MB
MD5

365aa18cadc5b80a9b5ca5950690c7f8
SHA1

16c33a2907264382715fba2061e4ff803a41c629
SHA256

4de898c139fb5251479ca6f9ec044cac4d83a2f5d1113b7a4b8f13468a130c97
SHA512

c774e56c89f999a18aebec9f479f57f06213f2453238385aa4eb63adb081dff2da6fe424b1261424068a8af8435be3b6a173cd7c24ab248dedd1f5c6a700c3a1
SSDEEP

98304:+QMMzSE4J8JcFFLbx4e0PK+80wbZ/A8xL2G:tM6SQPKzA8xLz

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AnyDesk6.0.7个人版.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	AnyDesk6.0.7个人版.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1160	AnyDesk6.0.7个人版.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
296	AnyDesk6.0.7个人版.exe
296	AnyDesk6.0.7个人版.exe

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
296	AnyDesk6.0.7个人版.exe
296	AnyDesk6.0.7个人版.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 680 wrote to memory of 1160	680	AnyDesk6.0.7个人版.exe	28
PID 680 wrote to memory of 1160	680	AnyDesk6.0.7个人版.exe	28
PID 680 wrote to memory of 1160	680	AnyDesk6.0.7个人版.exe	28
PID 680 wrote to memory of 1160	680	AnyDesk6.0.7个人版.exe	28
PID 680 wrote to memory of 296	680	AnyDesk6.0.7个人版.exe	29
PID 680 wrote to memory of 296	680	AnyDesk6.0.7个人版.exe	29
PID 680 wrote to memory of 296	680	AnyDesk6.0.7个人版.exe	29
PID 680 wrote to memory of 296	680	AnyDesk6.0.7个人版.exe	29

C:\Users\Admin\AppData\Local\Temp\AnyDesk6.0.7个人版.exe
"C:\Users\Admin\AppData\Local\Temp\AnyDesk6.0.7个人版.exe"
1⤵
- Checks processor information in registry
- Suspicious use of WriteProcessMemory
PID:680
- C:\Users\Admin\AppData\Local\Temp\AnyDesk6.0.7个人版.exe
  "C:\Users\Admin\AppData\Local\Temp\AnyDesk6.0.7个人版.exe" --local-service
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1160
- C:\Users\Admin\AppData\Local\Temp\AnyDesk6.0.7个人版.exe
  "C:\Users\Admin\AppData\Local\Temp\AnyDesk6.0.7个人版.exe" --local-control
  2⤵
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:296

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace

Filesize
7KB

MD5
62e0ae8de790fbde61c8bc928757a13f

SHA1
9e36c5f2af4e9d1833c75f96d8333b3ef45addcc

SHA256
790c142361808d4ea9812395237bb39fe58127c72d540550da07c290aa784d47

SHA512
eed178b5572a3433cb5b3ad41a16f7f4606104c9a28e76858aa10cff562de079db2b6f0cc0a1e01124c411eba0014e940eb1c069f006584d57a0c36745774d2a

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace

Filesize
7KB

MD5
62e0ae8de790fbde61c8bc928757a13f

SHA1
9e36c5f2af4e9d1833c75f96d8333b3ef45addcc

SHA256
790c142361808d4ea9812395237bb39fe58127c72d540550da07c290aa784d47

SHA512
eed178b5572a3433cb5b3ad41a16f7f4606104c9a28e76858aa10cff562de079db2b6f0cc0a1e01124c411eba0014e940eb1c069f006584d57a0c36745774d2a

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
107B

MD5
f25e48e1d9e1e1398bc5fbc6885570b8

SHA1
46557c8ebb9236af6c28c9bdd317d1d25749e710

SHA256
0379e6a5dff30a991e0acdb9932cac828eb3e30ca8cc23447a2bc73ae78181db

SHA512
41e61480f5141b6950d7b96f3e4dfcca19bc480e0b11eeebdedaeb266c6e525f41f3d29a3c1c0bf8f17a3c30111d8fba7e269d5fcf84b336bee916e21881acb7

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
205B

MD5
59352c2b0c590c5fd96365d3168d723b

SHA1
53ab571639cc3e3a38032c1095985f7f4278d8fc

SHA256
079db0d18cb8ca55e8653f3d67608c5e445d32e368feb874ed3fa1d797c7c286

SHA512
2d21bcd26ef934095ca5b37aa1e66091547870f5e09c2d203dfd75923d2575f93f1a42f31e4fb7b2423b766984464ed65b048f49519837918de246a892c82828

Download Submit
memory/296-107-0x00000000010B0000-0x0000000001E24000-memory.dmp

Filesize
13.5MB

Download
memory/296-69-0x00000000010B0000-0x0000000001E24000-memory.dmp

Filesize
13.5MB

Download
memory/296-102-0x00000000002E0000-0x00000000002E1000-memory.dmp

Filesize
4KB

Download
memory/680-89-0x0000000003730000-0x0000000003731000-memory.dmp

Filesize
4KB

Download
memory/680-85-0x0000000003F60000-0x0000000003F61000-memory.dmp

Filesize
4KB

Download
memory/680-79-0x0000000003CB0000-0x0000000003CB1000-memory.dmp

Filesize
4KB

Download
memory/680-73-0x0000000000620000-0x0000000000621000-memory.dmp

Filesize
4KB

Download
memory/680-74-0x0000000003760000-0x0000000003761000-memory.dmp

Filesize
4KB

Download
memory/680-54-0x00000000010B0000-0x0000000001E24000-memory.dmp

Filesize
13.5MB

Download
memory/680-88-0x0000000004B10000-0x0000000004B11000-memory.dmp

Filesize
4KB

Download
memory/680-87-0x0000000004140000-0x0000000004141000-memory.dmp

Filesize
4KB

Download
memory/680-86-0x0000000004110000-0x0000000004111000-memory.dmp

Filesize
4KB

Download
memory/680-75-0x0000000000640000-0x0000000000641000-memory.dmp

Filesize
4KB

Download
memory/680-84-0x0000000003F50000-0x0000000003F51000-memory.dmp

Filesize
4KB

Download
memory/680-83-0x0000000003F40000-0x0000000003F41000-memory.dmp

Filesize
4KB

Download
memory/680-82-0x0000000004100000-0x0000000004101000-memory.dmp

Filesize
4KB

Download
memory/680-80-0x0000000003FF0000-0x0000000003FF1000-memory.dmp

Filesize
4KB

Download
memory/680-56-0x00000000001C0000-0x00000000001C1000-memory.dmp

Filesize
4KB

Download
memory/680-103-0x00000000010B0000-0x0000000001E24000-memory.dmp

Filesize
13.5MB

Download
memory/1160-104-0x00000000010B0000-0x0000000001E24000-memory.dmp

Filesize
13.5MB

Download
memory/1160-70-0x00000000010B0000-0x0000000001E24000-memory.dmp

Filesize
13.5MB

Download

Analysis

Sharing