b9ad79eaf7a4133f95f24c3b9d976c72f34264dc5c99030f0e57992cb5621f78

Analysis

max time kernel
149s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
15-06-2023 12:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

anydesk.exe
Size

3.0MB
MD5

eb80f7bddb699784baa9fbf2941eaf4a
SHA1

df6abbfd20e731689f3c7d2a55f45ac83fbbc40b
SHA256

b9ad79eaf7a4133f95f24c3b9d976c72f34264dc5c99030f0e57992cb5621f78
SHA512

3a1162e9fef849cb7143dc1898d4cfcfd87eb80ced0edb321dfa096686b25ae8a9a7f3ae8f37a09724d94f96d64e08940fc23c0b931ddd8a1e70e2792cb3fe47
SSDEEP

98304:6aJXyQTrRGlSMoIuORmKBQielvZlpkiSti:3olMcR9BTY3WS

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	anydesk.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	anydesk.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3416	anydesk.exe
3416	anydesk.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
4444	anydesk.exe
4444	anydesk.exe
4444	anydesk.exe

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
4444	anydesk.exe
4444	anydesk.exe
4444	anydesk.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 260 wrote to memory of 3416	260	anydesk.exe	84
PID 260 wrote to memory of 3416	260	anydesk.exe	84
PID 260 wrote to memory of 3416	260	anydesk.exe	84
PID 260 wrote to memory of 4444	260	anydesk.exe	85
PID 260 wrote to memory of 4444	260	anydesk.exe	85
PID 260 wrote to memory of 4444	260	anydesk.exe	85

C:\Users\Admin\AppData\Local\Temp\anydesk.exe
"C:\Users\Admin\AppData\Local\Temp\anydesk.exe"
1⤵
- Checks processor information in registry
- Suspicious use of WriteProcessMemory
PID:260
- C:\Users\Admin\AppData\Local\Temp\anydesk.exe
  "C:\Users\Admin\AppData\Local\Temp\anydesk.exe" --local-service
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3416
- C:\Users\Admin\AppData\Local\Temp\anydesk.exe
  "C:\Users\Admin\AppData\Local\Temp\anydesk.exe" --local-control
  2⤵
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:4444

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace

Filesize
5KB

MD5
ae66439e5e23eb38d1d261a05c2532b4

SHA1
701d5015dbe3f1302f64d7912072169a4fca5c0e

SHA256
611565ac731000fc4b97027f6ebb69acbe9190ef306e33388ceed9277687e525

SHA512
4154c9f32d287ffbb1f2e0aac3270ba36c9026a11d168a40615f12971da5cfdf7ed4cf0548c83349b1b767f5b1c597e60100b0268b025252a9ba692c96fa21e8

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace

Filesize
5KB

MD5
ae66439e5e23eb38d1d261a05c2532b4

SHA1
701d5015dbe3f1302f64d7912072169a4fca5c0e

SHA256
611565ac731000fc4b97027f6ebb69acbe9190ef306e33388ceed9277687e525

SHA512
4154c9f32d287ffbb1f2e0aac3270ba36c9026a11d168a40615f12971da5cfdf7ed4cf0548c83349b1b767f5b1c597e60100b0268b025252a9ba692c96fa21e8

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\service.conf

Filesize
2KB

MD5
27cca4184ad8ffa6fcc9501464a4f574

SHA1
e825d82fcf63bfd68c3c733c4aa876a6794d8188

SHA256
7dd44e4397113dd1eb3d31704645271bcdac20fe1bfe720e6fb57f8dab3e5acd

SHA512
e7f23c9cd5f0011f633b99ea153605add826a2ec2d6007c82cdde9916fdcaed107adbd39076f43a999e1fcfdccb47b518f36075207d13f41e34fc9fa1e9ea7ed

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
105B

MD5
04ef7d477937aecdde80abbe37c157e7

SHA1
778bb84676900bd34dfac58d65739b61eedeb769

SHA256
bd2a80b9d720bd26fa1e184988c8acf6f7dedced81d3500ade96fe163d87a30f

SHA512
5587d41202e2d0cfa048e5e22a302bb9a9f4f17cc7f744bf53188e3ae79422924a50c67a77ff29d29cc21ee3833e4085718a437808ada26904cb12be6c82860b

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
105B

MD5
04ef7d477937aecdde80abbe37c157e7

SHA1
778bb84676900bd34dfac58d65739b61eedeb769

SHA256
bd2a80b9d720bd26fa1e184988c8acf6f7dedced81d3500ade96fe163d87a30f

SHA512
5587d41202e2d0cfa048e5e22a302bb9a9f4f17cc7f744bf53188e3ae79422924a50c67a77ff29d29cc21ee3833e4085718a437808ada26904cb12be6c82860b

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
329B

MD5
fbb251e7493f5edbf5dc6054a9f22047

SHA1
cce34dcf74dd6e4aa53976cf006b44bcb9cdf9bc

SHA256
c3cf14e0edcdab879d91b629389963daafa2d84950e92918a892b6d29103f163

SHA512
d47d936d7da5603dca7de8420dbd8a60e971f40163ea628a03908a0c89a27b9beff6f6e2f9a32bb5268a65e3b05997390da27f7f02011e2cd1139ff4ea8669fc

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
329B

MD5
fbb251e7493f5edbf5dc6054a9f22047

SHA1
cce34dcf74dd6e4aa53976cf006b44bcb9cdf9bc

SHA256
c3cf14e0edcdab879d91b629389963daafa2d84950e92918a892b6d29103f163

SHA512
d47d936d7da5603dca7de8420dbd8a60e971f40163ea628a03908a0c89a27b9beff6f6e2f9a32bb5268a65e3b05997390da27f7f02011e2cd1139ff4ea8669fc

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
107B

MD5
f25e48e1d9e1e1398bc5fbc6885570b8

SHA1
46557c8ebb9236af6c28c9bdd317d1d25749e710

SHA256
0379e6a5dff30a991e0acdb9932cac828eb3e30ca8cc23447a2bc73ae78181db

SHA512
41e61480f5141b6950d7b96f3e4dfcca19bc480e0b11eeebdedaeb266c6e525f41f3d29a3c1c0bf8f17a3c30111d8fba7e269d5fcf84b336bee916e21881acb7

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
205B

MD5
59352c2b0c590c5fd96365d3168d723b

SHA1
53ab571639cc3e3a38032c1095985f7f4278d8fc

SHA256
079db0d18cb8ca55e8653f3d67608c5e445d32e368feb874ed3fa1d797c7c286

SHA512
2d21bcd26ef934095ca5b37aa1e66091547870f5e09c2d203dfd75923d2575f93f1a42f31e4fb7b2423b766984464ed65b048f49519837918de246a892c82828

Download Submit
memory/260-153-0x00000000069F0000-0x00000000069F1000-memory.dmp

Filesize
4KB

Download
memory/260-133-0x0000000000BC0000-0x00000000017D2000-memory.dmp

Filesize
12.1MB

Download
memory/260-156-0x0000000006A30000-0x0000000006A31000-memory.dmp

Filesize
4KB

Download
memory/260-157-0x0000000006A40000-0x0000000006A41000-memory.dmp

Filesize
4KB

Download
memory/260-159-0x0000000006A80000-0x0000000006A81000-memory.dmp

Filesize
4KB

Download
memory/260-158-0x0000000006A50000-0x0000000006A51000-memory.dmp

Filesize
4KB

Download
memory/260-160-0x0000000006AA0000-0x0000000006AA1000-memory.dmp

Filesize
4KB

Download
memory/260-161-0x00000000047F0000-0x00000000047F1000-memory.dmp

Filesize
4KB

Download
memory/260-204-0x0000000000BC0000-0x00000000017D2000-memory.dmp

Filesize
12.1MB

Download
memory/260-136-0x00000000034C0000-0x00000000034C1000-memory.dmp

Filesize
4KB

Download
memory/260-154-0x0000000006A00000-0x0000000006A01000-memory.dmp

Filesize
4KB

Download
memory/260-155-0x0000000006A20000-0x0000000006A21000-memory.dmp

Filesize
4KB

Download
memory/260-151-0x00000000069C0000-0x00000000069C1000-memory.dmp

Filesize
4KB

Download
memory/260-169-0x0000000000BC0000-0x00000000017D2000-memory.dmp

Filesize
12.1MB

Download
memory/260-146-0x0000000004820000-0x0000000004821000-memory.dmp

Filesize
4KB

Download
memory/260-152-0x00000000069E0000-0x00000000069E1000-memory.dmp

Filesize
4KB

Download
memory/260-147-0x0000000004470000-0x0000000004471000-memory.dmp

Filesize
4KB

Download
memory/260-145-0x0000000004460000-0x0000000004461000-memory.dmp

Filesize
4KB

Download
memory/3416-163-0x0000000000BC0000-0x00000000017D2000-memory.dmp

Filesize
12.1MB

Download
memory/3416-202-0x0000000000BC0000-0x00000000017D2000-memory.dmp

Filesize
12.1MB

Download
memory/3416-211-0x0000000000BC0000-0x00000000017D2000-memory.dmp

Filesize
12.1MB

Download
memory/4444-170-0x0000000000910000-0x0000000000911000-memory.dmp

Filesize
4KB

Download
memory/4444-203-0x0000000000BC0000-0x00000000017D2000-memory.dmp

Filesize
12.1MB

Download
memory/4444-162-0x0000000000BC0000-0x00000000017D2000-memory.dmp

Filesize
12.1MB

Download