b9ad79eaf7a4133f95f24c3b9d976c72f34264dc5c99030f0e57992cb5621f78

General

Target

AnyDesk.exe
Size

3.0MB
MD5

eb80f7bddb699784baa9fbf2941eaf4a
SHA1

df6abbfd20e731689f3c7d2a55f45ac83fbbc40b
SHA256

b9ad79eaf7a4133f95f24c3b9d976c72f34264dc5c99030f0e57992cb5621f78
SHA512

3a1162e9fef849cb7143dc1898d4cfcfd87eb80ced0edb321dfa096686b25ae8a9a7f3ae8f37a09724d94f96d64e08940fc23c0b931ddd8a1e70e2792cb3fe47
SSDEEP

98304:6aJXyQTrRGlSMoIuORmKBQielvZlpkiSti:3olMcR9BTY3WS

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AnyDesk.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	AnyDesk.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2200	AnyDesk.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
2876	AnyDesk.exe
2876	AnyDesk.exe
2876	AnyDesk.exe

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
2876	AnyDesk.exe
2876	AnyDesk.exe
2876	AnyDesk.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2472 wrote to memory of 2200	2472	AnyDesk.exe	28
PID 2472 wrote to memory of 2200	2472	AnyDesk.exe	28
PID 2472 wrote to memory of 2200	2472	AnyDesk.exe	28
PID 2472 wrote to memory of 2200	2472	AnyDesk.exe	28
PID 2472 wrote to memory of 2876	2472	AnyDesk.exe	29
PID 2472 wrote to memory of 2876	2472	AnyDesk.exe	29
PID 2472 wrote to memory of 2876	2472	AnyDesk.exe	29
PID 2472 wrote to memory of 2876	2472	AnyDesk.exe	29

C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
"C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe"
1⤵
- Checks processor information in registry
- Suspicious use of WriteProcessMemory
PID:2472
- C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
  "C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe" --local-service
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2200
- C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
  "C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe" --local-control
  2⤵
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:2876

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace

Filesize
5KB

MD5
27894f201dfc1ab4babbe67c8ac9d3c9

SHA1
5cd357327b608532df1963db5888b7e9b5d2e52c

SHA256
58adde8aa56c3e44c68a094944f31fed9432f7d0734e160d21f8c58f6d1d67ab

SHA512
a06abe602136ea5d08e7b7e3a4082604599219ede3e433ac7eef5ec6246133a2ccdbc33b6fbca63efa0d9bf6abcef6861b4f6ab1f1c5879bdba4ff9bfe8f841e

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace

Filesize
5KB

MD5
27894f201dfc1ab4babbe67c8ac9d3c9

SHA1
5cd357327b608532df1963db5888b7e9b5d2e52c

SHA256
58adde8aa56c3e44c68a094944f31fed9432f7d0734e160d21f8c58f6d1d67ab

SHA512
a06abe602136ea5d08e7b7e3a4082604599219ede3e433ac7eef5ec6246133a2ccdbc33b6fbca63efa0d9bf6abcef6861b4f6ab1f1c5879bdba4ff9bfe8f841e

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\service.conf

Filesize
2KB

MD5
94ab3a8dfc6a67b25e56001e1dc98782

SHA1
6ab8029e5e4c376327548408504d2270b2c0fcb7

SHA256
bb9f7b99588d940bb39f5f48e29bf8fae4dd023b922a62bfe99a32f150a0c967

SHA512
c8700ba2054d864e17731a691246b1ab8abae9a0ad0471297b2c05d5b179190954c10c3574d11f807be7d0a5e76c86f7cd32d1e1e7a254a8c37e9b965e954726

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
105B

MD5
8ee54e72ef80843c62606b02a12a97a2

SHA1
52f2347ec212f06003eeee4fdce418f92f2e4346

SHA256
c427d4bc2d9831fff973006e1ed18b5ad5fa29e4f77f4d90c95fe024ec835d12

SHA512
9f316071c0556b5190a13506d10702cc58c923b10d85fb4f965f7c88b2bfdeac46f0bf9de631429dedefc41b2d55d99e877733c1910726a1a9c6f93f20ab4c59

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
330B

MD5
fbfb98dd45482e152e46102e0bafff75

SHA1
2d48a484680c6721dfa8658158639bb48a501f8d

SHA256
42061bb4230b9768989fc2c3550c918a3f89cce48e0678e7f9e19ba87bdadc93

SHA512
78a7b9386a2da880ab5b8456a74405c039ef03cbf198524c0b8bdae73f5e930e12f2e8a17109cc16f1e95dd60ac7f0b08564ab968794958b3d69061183b73c59

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
330B

MD5
fbfb98dd45482e152e46102e0bafff75

SHA1
2d48a484680c6721dfa8658158639bb48a501f8d

SHA256
42061bb4230b9768989fc2c3550c918a3f89cce48e0678e7f9e19ba87bdadc93

SHA512
78a7b9386a2da880ab5b8456a74405c039ef03cbf198524c0b8bdae73f5e930e12f2e8a17109cc16f1e95dd60ac7f0b08564ab968794958b3d69061183b73c59

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
107B

MD5
f25e48e1d9e1e1398bc5fbc6885570b8

SHA1
46557c8ebb9236af6c28c9bdd317d1d25749e710

SHA256
0379e6a5dff30a991e0acdb9932cac828eb3e30ca8cc23447a2bc73ae78181db

SHA512
41e61480f5141b6950d7b96f3e4dfcca19bc480e0b11eeebdedaeb266c6e525f41f3d29a3c1c0bf8f17a3c30111d8fba7e269d5fcf84b336bee916e21881acb7

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
205B

MD5
59352c2b0c590c5fd96365d3168d723b

SHA1
53ab571639cc3e3a38032c1095985f7f4278d8fc

SHA256
079db0d18cb8ca55e8653f3d67608c5e445d32e368feb874ed3fa1d797c7c286

SHA512
2d21bcd26ef934095ca5b37aa1e66091547870f5e09c2d203dfd75923d2575f93f1a42f31e4fb7b2423b766984464ed65b048f49519837918de246a892c82828

Download Submit
memory/2200-85-0x00000000012C0000-0x0000000001ED2000-memory.dmp

Filesize
12.1MB

Download
memory/2200-121-0x00000000012C0000-0x0000000001ED2000-memory.dmp

Filesize
12.1MB

Download
memory/2200-143-0x00000000012C0000-0x0000000001ED2000-memory.dmp

Filesize
12.1MB

Download
memory/2200-111-0x00000000012C0000-0x0000000001ED2000-memory.dmp

Filesize
12.1MB

Download
memory/2200-150-0x00000000012C0000-0x0000000001ED2000-memory.dmp

Filesize
12.1MB

Download
memory/2200-154-0x00000000012C0000-0x0000000001ED2000-memory.dmp

Filesize
12.1MB

Download
memory/2472-81-0x0000000003DE0000-0x0000000003DE1000-memory.dmp

Filesize
4KB

Download
memory/2472-77-0x0000000003770000-0x0000000003771000-memory.dmp

Filesize
4KB

Download
memory/2472-54-0x00000000012C0000-0x0000000001ED2000-memory.dmp

Filesize
12.1MB

Download
memory/2472-83-0x0000000003730000-0x0000000003731000-memory.dmp

Filesize
4KB

Download
memory/2472-55-0x00000000012C0000-0x0000000001ED2000-memory.dmp

Filesize
12.1MB

Download
memory/2472-80-0x0000000003DC0000-0x0000000003DC1000-memory.dmp

Filesize
4KB

Download
memory/2472-79-0x0000000003A90000-0x0000000003A91000-memory.dmp

Filesize
4KB

Download
memory/2472-76-0x0000000003760000-0x0000000003761000-memory.dmp

Filesize
4KB

Download
memory/2472-78-0x0000000003780000-0x0000000003781000-memory.dmp

Filesize
4KB

Download
memory/2472-57-0x0000000000260000-0x0000000000261000-memory.dmp

Filesize
4KB

Download
memory/2472-94-0x00000000012C0000-0x0000000001ED2000-memory.dmp

Filesize
12.1MB

Download
memory/2472-82-0x00000000011E0000-0x00000000011E1000-memory.dmp

Filesize
4KB

Download
memory/2472-73-0x0000000003700000-0x0000000003701000-memory.dmp

Filesize
4KB

Download
memory/2472-75-0x0000000003740000-0x0000000003741000-memory.dmp

Filesize
4KB

Download
memory/2472-67-0x0000000000330000-0x0000000000331000-memory.dmp

Filesize
4KB

Download
memory/2472-74-0x0000000003720000-0x0000000003721000-memory.dmp

Filesize
4KB

Download
memory/2472-69-0x0000000000350000-0x0000000000351000-memory.dmp

Filesize
4KB

Download
memory/2472-68-0x00000000012B0000-0x00000000012B1000-memory.dmp

Filesize
4KB

Download
memory/2876-112-0x00000000012C0000-0x0000000001ED2000-memory.dmp

Filesize
12.1MB

Download
memory/2876-93-0x0000000000260000-0x0000000000261000-memory.dmp

Filesize
4KB

Download
memory/2876-86-0x00000000012C0000-0x0000000001ED2000-memory.dmp

Filesize
12.1MB

Download

Analysis

Sharing