d3b606e08c524995b585d6649183387068ee1dda60dc7e11c950966a7e73f234

Analysis

max time kernel
146s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
19-07-2023 16:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

AnyDesk.exe
Size

3.0MB
MD5

c8eeac24eca23bd1df10b02d5430432d
SHA1

39194c57c0488eca2ca7600d03783f6df4957688
SHA256

d3b606e08c524995b585d6649183387068ee1dda60dc7e11c950966a7e73f234
SHA512

e67f30c7bdac4b57cdad769b332b586a25c8d95fd0361a90986fad1e5ee2746b4a67c6a74defadf92a2499f6b5fb7b7a26057a5148ad270e45bacd366419f94f
SSDEEP

49152:PjHajM8yMboA7HSP/LRVTRoxy4cUARNLBQfnysp8OQmY7jRvTepmgChCkjIvaW:P0ByMPGP/LRVTmM4qNLB4kjRbWChCkOR

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

AnyDesk.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AnyDesk.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	AnyDesk.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

AnyDesk.exe

pid process

1932 AnyDesk.exe
1932 AnyDesk.exe
Suspicious use of FindShellTrayWindow 3 IoCs

Processes:

AnyDesk.exe

pid process

1832 AnyDesk.exe
1832 AnyDesk.exe
1832 AnyDesk.exe
Suspicious use of SendNotifyMessage 3 IoCs

Processes:

AnyDesk.exe

pid process

1832 AnyDesk.exe
1832 AnyDesk.exe
1832 AnyDesk.exe

pid	process
1932	AnyDesk.exe
1932	AnyDesk.exe

pid	process
1832	AnyDesk.exe
1832	AnyDesk.exe
1832	AnyDesk.exe

pid	process
1832	AnyDesk.exe
1832	AnyDesk.exe
1832	AnyDesk.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

AnyDesk.exe

description	pid	process	target process
PID 1524 wrote to memory of 1932	1524	AnyDesk.exe	AnyDesk.exe
PID 1524 wrote to memory of 1932	1524	AnyDesk.exe	AnyDesk.exe
PID 1524 wrote to memory of 1932	1524	AnyDesk.exe	AnyDesk.exe
PID 1524 wrote to memory of 1832	1524	AnyDesk.exe	AnyDesk.exe
PID 1524 wrote to memory of 1832	1524	AnyDesk.exe	AnyDesk.exe
PID 1524 wrote to memory of 1832	1524	AnyDesk.exe	AnyDesk.exe

C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
"C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe"
1⤵
- Checks processor information in registry
- Suspicious use of WriteProcessMemory
PID:1524
- C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
  "C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe" --local-control
  2⤵
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:1832
- C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
  "C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe" --local-service
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1932

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace

Filesize
8KB

MD5
d2c9549ac8ea212181058d7961b0f949

SHA1
4a902466224a50cc05f9f3eb9ae1dcb3272d2386

SHA256
b4a1d29fe4e405f4dff5922c71c78dfc21304193b9d3db19e9b3a403d9f87ac8

SHA512
8afeadbee82eae74f586799f27ffbe9fcdbce39d8733a774d31fcc10b00ede600ccb7ec04e262478e1a8a0da39f5546af14fe3b08179d910cc7734525167a81b

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace

Filesize
8KB

MD5
d2c9549ac8ea212181058d7961b0f949

SHA1
4a902466224a50cc05f9f3eb9ae1dcb3272d2386

SHA256
b4a1d29fe4e405f4dff5922c71c78dfc21304193b9d3db19e9b3a403d9f87ac8

SHA512
8afeadbee82eae74f586799f27ffbe9fcdbce39d8733a774d31fcc10b00ede600ccb7ec04e262478e1a8a0da39f5546af14fe3b08179d910cc7734525167a81b

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\service.conf

Filesize
2KB

MD5
8d8a7fcd43078eb8d59ece49583cb5a5

SHA1
c68598be9d714d74a2a468d915675e07b0f07f82

SHA256
ff54091b559822775cc61b83ba46256bd456ed959975da6dbf080f5971ba7745

SHA512
5c0aa1072717899d747c700ed4065073fab3dfa66993eb38753b2b49a55a608527b09c7d931fa3757bf25f08fabea7e003de6e510ef8f2d48fc716330dfa1648

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
105B

MD5
f58bbb87f1887b6e1205b5a48f39286b

SHA1
69b9ca4f55b6b6960db41c853e21aaee98846e8c

SHA256
717de67ab941fcd336ee3885262260f930a69f37ac0a44230296acafd8beb298

SHA512
728129c46fbdd130aaba01a6e1af2cd82babbef45e6991d8744a63d95c22cba5802166a936052d67d88c93f57991d00619c53b7a445682a0b2a68687b5420a52

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
105B

MD5
f58bbb87f1887b6e1205b5a48f39286b

SHA1
69b9ca4f55b6b6960db41c853e21aaee98846e8c

SHA256
717de67ab941fcd336ee3885262260f930a69f37ac0a44230296acafd8beb298

SHA512
728129c46fbdd130aaba01a6e1af2cd82babbef45e6991d8744a63d95c22cba5802166a936052d67d88c93f57991d00619c53b7a445682a0b2a68687b5420a52

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
329B

MD5
a715e52efc666a14e0d8252783054709

SHA1
8986d87270f284cc1bd86f6b80586c82c1322e6b

SHA256
8812c1ccac559bc73a8aaad661796b3cb154e6d2409b4e375b910b3d81621e61

SHA512
ec87cc26f0645e87fc32618061a75d67c9ad524ed9d0ad69c4bb608094bf8b20867654d745ba2a94a83698622e45920bc9db86913941bec0ff03b0ed8af56e71

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
329B

MD5
a715e52efc666a14e0d8252783054709

SHA1
8986d87270f284cc1bd86f6b80586c82c1322e6b

SHA256
8812c1ccac559bc73a8aaad661796b3cb154e6d2409b4e375b910b3d81621e61

SHA512
ec87cc26f0645e87fc32618061a75d67c9ad524ed9d0ad69c4bb608094bf8b20867654d745ba2a94a83698622e45920bc9db86913941bec0ff03b0ed8af56e71

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
107B

MD5
f25e48e1d9e1e1398bc5fbc6885570b8

SHA1
46557c8ebb9236af6c28c9bdd317d1d25749e710

SHA256
0379e6a5dff30a991e0acdb9932cac828eb3e30ca8cc23447a2bc73ae78181db

SHA512
41e61480f5141b6950d7b96f3e4dfcca19bc480e0b11eeebdedaeb266c6e525f41f3d29a3c1c0bf8f17a3c30111d8fba7e269d5fcf84b336bee916e21881acb7

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
205B

MD5
59352c2b0c590c5fd96365d3168d723b

SHA1
53ab571639cc3e3a38032c1095985f7f4278d8fc

SHA256
079db0d18cb8ca55e8653f3d67608c5e445d32e368feb874ed3fa1d797c7c286

SHA512
2d21bcd26ef934095ca5b37aa1e66091547870f5e09c2d203dfd75923d2575f93f1a42f31e4fb7b2423b766984464ed65b048f49519837918de246a892c82828

Download Submit
memory/1524-161-0x0000000004560000-0x0000000004561000-memory.dmp

Filesize
4KB

Download
memory/1524-155-0x00000000069D0000-0x00000000069D1000-memory.dmp

Filesize
4KB

Download
memory/1524-154-0x00000000069C0000-0x00000000069C1000-memory.dmp

Filesize
4KB

Download
memory/1524-157-0x0000000006A10000-0x0000000006A11000-memory.dmp

Filesize
4KB

Download
memory/1524-158-0x0000000006A20000-0x0000000006A21000-memory.dmp

Filesize
4KB

Download
memory/1524-159-0x0000000006A50000-0x0000000006A51000-memory.dmp

Filesize
4KB

Download
memory/1524-160-0x0000000006A70000-0x0000000006A71000-memory.dmp

Filesize
4KB

Download
memory/1524-133-0x0000000000B00000-0x0000000001735000-memory.dmp

Filesize
12.2MB

Download
memory/1524-162-0x00000000069F0000-0x00000000069F1000-memory.dmp

Filesize
4KB

Download
memory/1524-204-0x0000000000B00000-0x0000000001735000-memory.dmp

Filesize
12.2MB

Download
memory/1524-134-0x0000000000B00000-0x0000000001735000-memory.dmp

Filesize
12.2MB

Download
memory/1524-167-0x0000000000B00000-0x0000000001735000-memory.dmp

Filesize
12.2MB

Download
memory/1524-136-0x00000000033F0000-0x00000000033F1000-memory.dmp

Filesize
4KB

Download
memory/1524-156-0x0000000006A00000-0x0000000006A01000-memory.dmp

Filesize
4KB

Download
memory/1524-153-0x00000000069B0000-0x00000000069B1000-memory.dmp

Filesize
4KB

Download
memory/1524-146-0x00000000043C0000-0x00000000043C1000-memory.dmp

Filesize
4KB

Download
memory/1524-152-0x0000000006990000-0x0000000006991000-memory.dmp

Filesize
4KB

Download
memory/1524-148-0x00000000043D0000-0x00000000043D1000-memory.dmp

Filesize
4KB

Download
memory/1524-147-0x0000000004590000-0x0000000004591000-memory.dmp

Filesize
4KB

Download
memory/1832-172-0x00000000037A0000-0x00000000037A1000-memory.dmp

Filesize
4KB

Download
memory/1832-165-0x0000000000B00000-0x0000000001735000-memory.dmp

Filesize
12.2MB

Download
memory/1832-207-0x0000000000B00000-0x0000000001735000-memory.dmp

Filesize
12.2MB

Download
memory/1932-163-0x0000000000B00000-0x0000000001735000-memory.dmp

Filesize
12.2MB

Download
memory/1932-164-0x0000000000B00000-0x0000000001735000-memory.dmp

Filesize
12.2MB

Download
memory/1932-205-0x0000000000B00000-0x0000000001735000-memory.dmp

Filesize
12.2MB

Download
memory/1932-215-0x0000000000B00000-0x0000000001735000-memory.dmp

Filesize
12.2MB

Download