d3b606e08c524995b585d6649183387068ee1dda60dc7e11c950966a7e73f234

General

Target

AnyDesk.exe
Size

3.0MB
MD5

c8eeac24eca23bd1df10b02d5430432d
SHA1

39194c57c0488eca2ca7600d03783f6df4957688
SHA256

d3b606e08c524995b585d6649183387068ee1dda60dc7e11c950966a7e73f234
SHA512

e67f30c7bdac4b57cdad769b332b586a25c8d95fd0361a90986fad1e5ee2746b4a67c6a74defadf92a2499f6b5fb7b7a26057a5148ad270e45bacd366419f94f
SSDEEP

49152:PjHajM8yMboA7HSP/LRVTRoxy4cUARNLBQfnysp8OQmY7jRvTepmgChCkjIvaW:P0ByMPGP/LRVTmM4qNLB4kjRbWChCkOR

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AnyDesk.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	AnyDesk.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2232	AnyDesk.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
2828	AnyDesk.exe
2828	AnyDesk.exe

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
2828	AnyDesk.exe
2828	AnyDesk.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2384 wrote to memory of 2232	2384	AnyDesk.exe	28
PID 2384 wrote to memory of 2232	2384	AnyDesk.exe	28
PID 2384 wrote to memory of 2232	2384	AnyDesk.exe	28
PID 2384 wrote to memory of 2232	2384	AnyDesk.exe	28
PID 2384 wrote to memory of 2828	2384	AnyDesk.exe	29
PID 2384 wrote to memory of 2828	2384	AnyDesk.exe	29
PID 2384 wrote to memory of 2828	2384	AnyDesk.exe	29
PID 2384 wrote to memory of 2828	2384	AnyDesk.exe	29

C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
"C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe"
1⤵
- Checks processor information in registry
- Suspicious use of WriteProcessMemory
PID:2384
- C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
  "C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe" --local-service
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2232
- C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
  "C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe" --local-control
  2⤵
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:2828

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace

Filesize
5KB

MD5
1848d14fe8b94aaaeff353b7cf2289f1

SHA1
4f163649559610c7e49fd46f26db0cb1213b1b66

SHA256
c92c5a45aa28e5dd7c852dae2cf50c1e8d7b243d0b2fd2e6bf5b1cfb112bd183

SHA512
87c6b37dff029ecdf10f2c89c24611d33b3ae231dfb084a0cd27f47de328347722d7fdc064057ebc23631bad6175a7c8f7b26e1aaf4902694cfc318ff3dc5303

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace

Filesize
5KB

MD5
1848d14fe8b94aaaeff353b7cf2289f1

SHA1
4f163649559610c7e49fd46f26db0cb1213b1b66

SHA256
c92c5a45aa28e5dd7c852dae2cf50c1e8d7b243d0b2fd2e6bf5b1cfb112bd183

SHA512
87c6b37dff029ecdf10f2c89c24611d33b3ae231dfb084a0cd27f47de328347722d7fdc064057ebc23631bad6175a7c8f7b26e1aaf4902694cfc318ff3dc5303

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
107B

MD5
f25e48e1d9e1e1398bc5fbc6885570b8

SHA1
46557c8ebb9236af6c28c9bdd317d1d25749e710

SHA256
0379e6a5dff30a991e0acdb9932cac828eb3e30ca8cc23447a2bc73ae78181db

SHA512
41e61480f5141b6950d7b96f3e4dfcca19bc480e0b11eeebdedaeb266c6e525f41f3d29a3c1c0bf8f17a3c30111d8fba7e269d5fcf84b336bee916e21881acb7

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
205B

MD5
59352c2b0c590c5fd96365d3168d723b

SHA1
53ab571639cc3e3a38032c1095985f7f4278d8fc

SHA256
079db0d18cb8ca55e8653f3d67608c5e445d32e368feb874ed3fa1d797c7c286

SHA512
2d21bcd26ef934095ca5b37aa1e66091547870f5e09c2d203dfd75923d2575f93f1a42f31e4fb7b2423b766984464ed65b048f49519837918de246a892c82828

Download Submit
memory/2232-85-0x0000000000980000-0x00000000015B5000-memory.dmp

Filesize
12.2MB

Download
memory/2232-108-0x0000000000980000-0x00000000015B5000-memory.dmp

Filesize
12.2MB

Download
memory/2384-79-0x0000000003E10000-0x0000000003E11000-memory.dmp

Filesize
4KB

Download
memory/2384-83-0x0000000003640000-0x0000000003641000-memory.dmp

Filesize
4KB

Download
memory/2384-77-0x0000000003CC0000-0x0000000003CC1000-memory.dmp

Filesize
4KB

Download
memory/2384-74-0x0000000003C90000-0x0000000003C91000-memory.dmp

Filesize
4KB

Download
memory/2384-75-0x0000000003CA0000-0x0000000003CA1000-memory.dmp

Filesize
4KB

Download
memory/2384-78-0x0000000003DF0000-0x0000000003DF1000-memory.dmp

Filesize
4KB

Download
memory/2384-55-0x0000000000980000-0x00000000015B5000-memory.dmp

Filesize
12.2MB

Download
memory/2384-82-0x0000000003B70000-0x0000000003B71000-memory.dmp

Filesize
4KB

Download
memory/2384-81-0x0000000003B30000-0x0000000003B31000-memory.dmp

Filesize
4KB

Download
memory/2384-76-0x0000000003CB0000-0x0000000003CB1000-memory.dmp

Filesize
4KB

Download
memory/2384-80-0x00000000036B0000-0x00000000036B1000-memory.dmp

Filesize
4KB

Download
memory/2384-73-0x0000000003B60000-0x0000000003B61000-memory.dmp

Filesize
4KB

Download
memory/2384-57-0x0000000000260000-0x0000000000261000-memory.dmp

Filesize
4KB

Download
memory/2384-72-0x0000000003B50000-0x0000000003B51000-memory.dmp

Filesize
4KB

Download
memory/2384-71-0x00000000003A0000-0x00000000003A1000-memory.dmp

Filesize
4KB

Download
memory/2384-94-0x0000000000980000-0x00000000015B5000-memory.dmp

Filesize
12.2MB

Download
memory/2384-67-0x0000000000370000-0x0000000000371000-memory.dmp

Filesize
4KB

Download
memory/2828-92-0x0000000000120000-0x0000000000121000-memory.dmp

Filesize
4KB

Download
memory/2828-86-0x0000000000980000-0x00000000015B5000-memory.dmp

Filesize
12.2MB

Download
memory/2828-109-0x0000000000980000-0x00000000015B5000-memory.dmp

Filesize
12.2MB

Download

Analysis

Sharing