b9ad79eaf7a4133f95f24c3b9d976c72f34264dc5c99030f0e57992cb5621f78

General

Target

anydesk.exe
Size

3.0MB
MD5

eb80f7bddb699784baa9fbf2941eaf4a
SHA1

df6abbfd20e731689f3c7d2a55f45ac83fbbc40b
SHA256

b9ad79eaf7a4133f95f24c3b9d976c72f34264dc5c99030f0e57992cb5621f78
SHA512

3a1162e9fef849cb7143dc1898d4cfcfd87eb80ced0edb321dfa096686b25ae8a9a7f3ae8f37a09724d94f96d64e08940fc23c0b931ddd8a1e70e2792cb3fe47
SSDEEP

98304:6aJXyQTrRGlSMoIuORmKBQielvZlpkiSti:3olMcR9BTY3WS

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	anydesk.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	anydesk.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1524	anydesk.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
1508	anydesk.exe
1508	anydesk.exe
1508	anydesk.exe

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
1508	anydesk.exe
1508	anydesk.exe
1508	anydesk.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1192 wrote to memory of 1524	1192	anydesk.exe	28
PID 1192 wrote to memory of 1524	1192	anydesk.exe	28
PID 1192 wrote to memory of 1524	1192	anydesk.exe	28
PID 1192 wrote to memory of 1524	1192	anydesk.exe	28
PID 1192 wrote to memory of 1508	1192	anydesk.exe	29
PID 1192 wrote to memory of 1508	1192	anydesk.exe	29
PID 1192 wrote to memory of 1508	1192	anydesk.exe	29
PID 1192 wrote to memory of 1508	1192	anydesk.exe	29

C:\Users\Admin\AppData\Local\Temp\anydesk.exe
"C:\Users\Admin\AppData\Local\Temp\anydesk.exe"
1⤵
- Checks processor information in registry
- Suspicious use of WriteProcessMemory
PID:1192
- C:\Users\Admin\AppData\Local\Temp\anydesk.exe
  "C:\Users\Admin\AppData\Local\Temp\anydesk.exe" --local-service
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1524
- C:\Users\Admin\AppData\Local\Temp\anydesk.exe
  "C:\Users\Admin\AppData\Local\Temp\anydesk.exe" --local-control
  2⤵
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:1508

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace

Filesize
5KB

MD5
8649d555268593aeb36e9883ea43811a

SHA1
822efcffb188d18306354ebc7fac3548623b715c

SHA256
1ca02e48b5c929be846ee212ec767a360b0b84410a25b6bbe50e1e79c4349b20

SHA512
7d9cdbb820bc02c9008a135ff08fd639bbed3222e3e60042d33197273266f10c87a47b764bdf20a5fc5124046ff5c19548e95718de175c04dd03df4a6f88844a

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace

Filesize
5KB

MD5
8649d555268593aeb36e9883ea43811a

SHA1
822efcffb188d18306354ebc7fac3548623b715c

SHA256
1ca02e48b5c929be846ee212ec767a360b0b84410a25b6bbe50e1e79c4349b20

SHA512
7d9cdbb820bc02c9008a135ff08fd639bbed3222e3e60042d33197273266f10c87a47b764bdf20a5fc5124046ff5c19548e95718de175c04dd03df4a6f88844a

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\service.conf

Filesize
2KB

MD5
b07a345d3830c3c2c5448eb53090fee0

SHA1
b434fc9636d9fac49c46d4b12f6301f7d9c41bb3

SHA256
c210f7729534604277302d6478dbb59f19c9f0abfbf3bb39241a28c57f828d13

SHA512
539da4b91473a962984e7d51659c8fa62ee033af8b3b0cdfc7736a6313722fb9c83e543b3fb3dcdc4b99534955e11a55df6680b21290d727513f80a38700a47b

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
105B

MD5
16fb981f82f12b8419e643bcf72d260b

SHA1
31908a4542c1536ff293e539c54e4ae512accc60

SHA256
0ca7ffdc96f787294aa95a0a5fc8ea951307baa949144b7e44219acfc316485f

SHA512
c27ba62ac168d82687e8420c17517c734fdb878d52e2402f093cd77fc91ec88c7dd407f9306a253fc63ee0a260ce8978b3269c5003ae89c84764aa64c269007f

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
330B

MD5
a654b8bc4a45bfcc1722c45dfcc31dba

SHA1
a7915f6cef3e00c03864900639e5214f530b03f7

SHA256
175cbd4b6cf6f7a0e62d64630c385a3a0bb82adf7696143cab0daf6a0352556a

SHA512
36710b8e8218e124fac6d567fe0ac301f6c667face21f08209545721ffb5b6014d3fea69bdf23d8b67f786d7ebca00a701a4d58b1e20cd36f05f3c6f0e7105c2

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
330B

MD5
a654b8bc4a45bfcc1722c45dfcc31dba

SHA1
a7915f6cef3e00c03864900639e5214f530b03f7

SHA256
175cbd4b6cf6f7a0e62d64630c385a3a0bb82adf7696143cab0daf6a0352556a

SHA512
36710b8e8218e124fac6d567fe0ac301f6c667face21f08209545721ffb5b6014d3fea69bdf23d8b67f786d7ebca00a701a4d58b1e20cd36f05f3c6f0e7105c2

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
107B

MD5
f25e48e1d9e1e1398bc5fbc6885570b8

SHA1
46557c8ebb9236af6c28c9bdd317d1d25749e710

SHA256
0379e6a5dff30a991e0acdb9932cac828eb3e30ca8cc23447a2bc73ae78181db

SHA512
41e61480f5141b6950d7b96f3e4dfcca19bc480e0b11eeebdedaeb266c6e525f41f3d29a3c1c0bf8f17a3c30111d8fba7e269d5fcf84b336bee916e21881acb7

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
205B

MD5
59352c2b0c590c5fd96365d3168d723b

SHA1
53ab571639cc3e3a38032c1095985f7f4278d8fc

SHA256
079db0d18cb8ca55e8653f3d67608c5e445d32e368feb874ed3fa1d797c7c286

SHA512
2d21bcd26ef934095ca5b37aa1e66091547870f5e09c2d203dfd75923d2575f93f1a42f31e4fb7b2423b766984464ed65b048f49519837918de246a892c82828

Download Submit
memory/1192-74-0x0000000003620000-0x0000000003621000-memory.dmp

Filesize
4KB

Download
memory/1192-72-0x00000000035C0000-0x00000000035C1000-memory.dmp

Filesize
4KB

Download
memory/1192-77-0x0000000003630000-0x0000000003631000-memory.dmp

Filesize
4KB

Download
memory/1192-78-0x0000000003640000-0x0000000003641000-memory.dmp

Filesize
4KB

Download
memory/1192-80-0x0000000003820000-0x0000000003821000-memory.dmp

Filesize
4KB

Download
memory/1192-81-0x0000000003830000-0x0000000003831000-memory.dmp

Filesize
4KB

Download
memory/1192-86-0x0000000002E90000-0x0000000002E91000-memory.dmp

Filesize
4KB

Download
memory/1192-85-0x00000000039E0000-0x00000000039E1000-memory.dmp

Filesize
4KB

Download
memory/1192-83-0x0000000003850000-0x0000000003851000-memory.dmp

Filesize
4KB

Download
memory/1192-84-0x00000000038C0000-0x00000000038C1000-memory.dmp

Filesize
4KB

Download
memory/1192-82-0x0000000003840000-0x0000000003841000-memory.dmp

Filesize
4KB

Download
memory/1192-132-0x0000000000BD0000-0x00000000017E2000-memory.dmp

Filesize
12.1MB

Download
memory/1192-54-0x0000000000BD0000-0x00000000017E2000-memory.dmp

Filesize
12.1MB

Download
memory/1192-70-0x0000000003590000-0x0000000003591000-memory.dmp

Filesize
4KB

Download
memory/1192-56-0x0000000000260000-0x0000000000261000-memory.dmp

Filesize
4KB

Download
memory/1192-71-0x0000000000740000-0x0000000000741000-memory.dmp

Filesize
4KB

Download
memory/1192-69-0x00000000004A0000-0x00000000004A1000-memory.dmp

Filesize
4KB

Download
memory/1508-75-0x0000000000BD0000-0x00000000017E2000-memory.dmp

Filesize
12.1MB

Download
memory/1508-91-0x0000000000170000-0x0000000000171000-memory.dmp

Filesize
4KB

Download
memory/1508-134-0x0000000000BD0000-0x00000000017E2000-memory.dmp

Filesize
12.1MB

Download
memory/1524-73-0x0000000000BD0000-0x00000000017E2000-memory.dmp

Filesize
12.1MB

Download
memory/1524-133-0x0000000000BD0000-0x00000000017E2000-memory.dmp

Filesize
12.1MB

Download
memory/1524-145-0x0000000000BD0000-0x00000000017E2000-memory.dmp

Filesize
12.1MB

Download

Analysis

Sharing