b9ad79eaf7a4133f95f24c3b9d976c72f34264dc5c99030f0e57992cb5621f78

General

Target

AnyDesk.exe
Size

3.0MB
MD5

eb80f7bddb699784baa9fbf2941eaf4a
SHA1

df6abbfd20e731689f3c7d2a55f45ac83fbbc40b
SHA256

b9ad79eaf7a4133f95f24c3b9d976c72f34264dc5c99030f0e57992cb5621f78
SHA512

3a1162e9fef849cb7143dc1898d4cfcfd87eb80ced0edb321dfa096686b25ae8a9a7f3ae8f37a09724d94f96d64e08940fc23c0b931ddd8a1e70e2792cb3fe47
SSDEEP

98304:6aJXyQTrRGlSMoIuORmKBQielvZlpkiSti:3olMcR9BTY3WS

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AnyDesk.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	AnyDesk.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
432	AnyDesk.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
660	AnyDesk.exe
660	AnyDesk.exe
660	AnyDesk.exe

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
660	AnyDesk.exe
660	AnyDesk.exe
660	AnyDesk.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1352 wrote to memory of 432	1352	AnyDesk.exe	28
PID 1352 wrote to memory of 432	1352	AnyDesk.exe	28
PID 1352 wrote to memory of 432	1352	AnyDesk.exe	28
PID 1352 wrote to memory of 432	1352	AnyDesk.exe	28
PID 1352 wrote to memory of 660	1352	AnyDesk.exe	29
PID 1352 wrote to memory of 660	1352	AnyDesk.exe	29
PID 1352 wrote to memory of 660	1352	AnyDesk.exe	29
PID 1352 wrote to memory of 660	1352	AnyDesk.exe	29

C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
"C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe"
1⤵
- Checks processor information in registry
- Suspicious use of WriteProcessMemory
PID:1352
- C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
  "C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe" --local-service
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:432
- C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
  "C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe" --local-control
  2⤵
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:660

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace

Filesize
5KB

MD5
e0ffbcfcc4380f08d3408043f465c21c

SHA1
190076881ddca89f9fb8c508597ea86b677fa7f9

SHA256
429bc91c8f8309e70a930a582977d549539bba64b5640100f8e7f63b58427db5

SHA512
8d3d6f2177a5f6cfc0d4a8bbbafb99362bce0dd88903046b18d2f2c6ee2e050757f69f54b8ccdce45159a030c02e7e2c16b2c6160424c67cc85d5bd455c0cdfc

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\service.conf

Filesize
2KB

MD5
989d86b2a40705b95b91bab0b3e897e6

SHA1
5556a8aaf9115c49ea4d9cc3e1dbc1c1f668ad00

SHA256
a1832dd0ab890f9ca59354b4bf900acb9c9f9fbf07fcd349198d1a982a4f13a3

SHA512
9510385bab3043af43c179f45071bab99d0da5f2bcc09b57ff02295c0f675fe47ed9bdfb8088957d2e2e2548e55bba656b5cd706f4ea48b9c291d4fff7627a3a

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
105B

MD5
92e4e2bd190335d5dcd1e56e5a2b5afb

SHA1
d387057997dd28597c37f04feafb799b0390732c

SHA256
ad7ca91d7a5590e3ee3a7afd396586e7dc9812b9e140c06121dfc24e55bd781b

SHA512
a3ff95e5eaa9cc20932fdbf350f36d9ac588c73da7d71fc9495e6a359a558da37e5f86cc4c3e3fa38a36f997bb7f6843eade525c5326fe0ba772e95dcccd85c2

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
105B

MD5
414e522cf24fc3e7912144f9d4180b61

SHA1
cd30325b4449c25c2cf9ed805825000b5a58c4e8

SHA256
8d09372d8af221d8da47dd75d416c7c3635319de962c51886343a9bfa546671c

SHA512
5265c3d6096bf284bdcce3e649e7a7b4d4d6eb2fd117a8167ae467c9a9dfcc583a040f7435c9d8a69190f4b4c034fb4b84893d7925a5e3468e63150a88d13a0e

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
327B

MD5
c9dd7cd7d7e671ae03f309ef24800de0

SHA1
7de12e834e065a6772b9827a487cb1ee6bee64b9

SHA256
54117256762caa5b44d812bd70bcfe8a908d40a608ca6a575d150048e5cb0506

SHA512
1305feaf7845d8b8d90a35a5fb866cae0a87219fbe2be40de1baa16157d18552aeb77f5b85395e3bc1484cfabfe223e5fa4a71ce458b5ffcc861671f26da354d

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
105B

MD5
92e4e2bd190335d5dcd1e56e5a2b5afb

SHA1
d387057997dd28597c37f04feafb799b0390732c

SHA256
ad7ca91d7a5590e3ee3a7afd396586e7dc9812b9e140c06121dfc24e55bd781b

SHA512
a3ff95e5eaa9cc20932fdbf350f36d9ac588c73da7d71fc9495e6a359a558da37e5f86cc4c3e3fa38a36f997bb7f6843eade525c5326fe0ba772e95dcccd85c2

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
107B

MD5
f25e48e1d9e1e1398bc5fbc6885570b8

SHA1
46557c8ebb9236af6c28c9bdd317d1d25749e710

SHA256
0379e6a5dff30a991e0acdb9932cac828eb3e30ca8cc23447a2bc73ae78181db

SHA512
41e61480f5141b6950d7b96f3e4dfcca19bc480e0b11eeebdedaeb266c6e525f41f3d29a3c1c0bf8f17a3c30111d8fba7e269d5fcf84b336bee916e21881acb7

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
205B

MD5
59352c2b0c590c5fd96365d3168d723b

SHA1
53ab571639cc3e3a38032c1095985f7f4278d8fc

SHA256
079db0d18cb8ca55e8653f3d67608c5e445d32e368feb874ed3fa1d797c7c286

SHA512
2d21bcd26ef934095ca5b37aa1e66091547870f5e09c2d203dfd75923d2575f93f1a42f31e4fb7b2423b766984464ed65b048f49519837918de246a892c82828

Download Submit
memory/432-71-0x00000000009E0000-0x00000000015F2000-memory.dmp

Filesize
12.1MB

Download
memory/432-136-0x00000000009E0000-0x00000000015F2000-memory.dmp

Filesize
12.1MB

Download
memory/432-158-0x00000000009E0000-0x00000000015F2000-memory.dmp

Filesize
12.1MB

Download
memory/432-128-0x00000000009E0000-0x00000000015F2000-memory.dmp

Filesize
12.1MB

Download
memory/432-122-0x00000000009E0000-0x00000000015F2000-memory.dmp

Filesize
12.1MB

Download
memory/432-161-0x00000000009E0000-0x00000000015F2000-memory.dmp

Filesize
12.1MB

Download
memory/432-164-0x00000000009E0000-0x00000000015F2000-memory.dmp

Filesize
12.1MB

Download
memory/432-109-0x00000000009E0000-0x00000000015F2000-memory.dmp

Filesize
12.1MB

Download
memory/432-167-0x00000000009E0000-0x00000000015F2000-memory.dmp

Filesize
12.1MB

Download
memory/660-131-0x0000000000120000-0x0000000000121000-memory.dmp

Filesize
4KB

Download
memory/660-116-0x00000000009E0000-0x00000000015F2000-memory.dmp

Filesize
12.1MB

Download
memory/660-70-0x00000000009E0000-0x00000000015F2000-memory.dmp

Filesize
12.1MB

Download
memory/1352-87-0x0000000003740000-0x0000000003741000-memory.dmp

Filesize
4KB

Download
memory/1352-95-0x0000000003760000-0x0000000003761000-memory.dmp

Filesize
4KB

Download
memory/1352-106-0x00000000009E0000-0x00000000015F2000-memory.dmp

Filesize
12.1MB

Download
memory/1352-54-0x00000000009E0000-0x00000000015F2000-memory.dmp

Filesize
12.1MB

Download
memory/1352-85-0x00000000036D0000-0x00000000036D1000-memory.dmp

Filesize
4KB

Download
memory/1352-80-0x00000000036A0000-0x00000000036A1000-memory.dmp

Filesize
4KB

Download
memory/1352-82-0x00000000036C0000-0x00000000036C1000-memory.dmp

Filesize
4KB

Download
memory/1352-117-0x0000000002D10000-0x0000000002D11000-memory.dmp

Filesize
4KB

Download
memory/1352-81-0x00000000036B0000-0x00000000036B1000-memory.dmp

Filesize
4KB

Download
memory/1352-79-0x0000000003680000-0x0000000003681000-memory.dmp

Filesize
4KB

Download
memory/1352-76-0x00000000033B0000-0x00000000033B1000-memory.dmp

Filesize
4KB

Download
memory/1352-77-0x00000000034E0000-0x00000000034E1000-memory.dmp

Filesize
4KB

Download
memory/1352-78-0x0000000003670000-0x0000000003671000-memory.dmp

Filesize
4KB

Download
memory/1352-72-0x0000000003380000-0x0000000003381000-memory.dmp

Filesize
4KB

Download
memory/1352-75-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/1352-69-0x0000000000200000-0x0000000000201000-memory.dmp

Filesize
4KB

Download
memory/1352-56-0x0000000000160000-0x0000000000161000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing