b9ad79eaf7a4133f95f24c3b9d976c72f34264dc5c99030f0e57992cb5621f78

Analysis

max time kernel
147s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
20-07-2023 16:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

AnyDesk.exe
Size

3.0MB
MD5

eb80f7bddb699784baa9fbf2941eaf4a
SHA1

df6abbfd20e731689f3c7d2a55f45ac83fbbc40b
SHA256

b9ad79eaf7a4133f95f24c3b9d976c72f34264dc5c99030f0e57992cb5621f78
SHA512

3a1162e9fef849cb7143dc1898d4cfcfd87eb80ced0edb321dfa096686b25ae8a9a7f3ae8f37a09724d94f96d64e08940fc23c0b931ddd8a1e70e2792cb3fe47
SSDEEP

98304:6aJXyQTrRGlSMoIuORmKBQielvZlpkiSti:3olMcR9BTY3WS

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AnyDesk.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	AnyDesk.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4112	AnyDesk.exe
4112	AnyDesk.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
4172	AnyDesk.exe
4172	AnyDesk.exe
4172	AnyDesk.exe

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
4172	AnyDesk.exe
4172	AnyDesk.exe
4172	AnyDesk.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4068 wrote to memory of 4112	4068	AnyDesk.exe	86
PID 4068 wrote to memory of 4112	4068	AnyDesk.exe	86
PID 4068 wrote to memory of 4112	4068	AnyDesk.exe	86
PID 4068 wrote to memory of 4172	4068	AnyDesk.exe	87
PID 4068 wrote to memory of 4172	4068	AnyDesk.exe	87
PID 4068 wrote to memory of 4172	4068	AnyDesk.exe	87

C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
"C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe"
1⤵
- Checks processor information in registry
- Suspicious use of WriteProcessMemory
PID:4068
- C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
  "C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe" --local-service
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4112
- C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
  "C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe" --local-control
  2⤵
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:4172

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace

Filesize
7KB

MD5
12f4de51b00329060d8a2efc676ffc8d

SHA1
e67860b9e5abe96fb4a7bee20bb96b505fd0119d

SHA256
c2ab67494346a8a23ee8371edfb1135bf7b39104863f2e98ff5dcc169e61d2c1

SHA512
6231741d7060bcda4949b1e6b4066fef4c33874bb49bc9467a7afea51f0b36a2293393db042064f156a9599710bf830810d6e9cdccee3c2652faacba39d08f2f

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace

Filesize
7KB

MD5
12f4de51b00329060d8a2efc676ffc8d

SHA1
e67860b9e5abe96fb4a7bee20bb96b505fd0119d

SHA256
c2ab67494346a8a23ee8371edfb1135bf7b39104863f2e98ff5dcc169e61d2c1

SHA512
6231741d7060bcda4949b1e6b4066fef4c33874bb49bc9467a7afea51f0b36a2293393db042064f156a9599710bf830810d6e9cdccee3c2652faacba39d08f2f

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\service.conf

Filesize
2KB

MD5
d29b51132b5822e26e577cba1ff8ba60

SHA1
f54b5307c2b39102f376900be5b236b65408fdf1

SHA256
1d8bc74d6cf268dfbb241cdd5fb5ede0a415a50bc2cb0a395a4da29b54c87cc2

SHA512
ade982bf0fed1aaa0965cbd9ddeacae5e61901e3aac6bbc99aa1f3f84217dbb37cbeaee2080ec8281a11e4445faa6eea2e52aec110100385d61f9eedade7e727

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
105B

MD5
e644d3c655518a52d37cdebec15b4fec

SHA1
2ef0f61ac0d6e7bb382ff1307cb73ef546cecf55

SHA256
b1729944290b8d9f8d6d88029262b134da0f4bfb94ba04a18f8bfda3330db907

SHA512
91fecf4b08bf08115df3912f7aa382ebe61adbd7d0333b127e127e03d64e98d2c59fbfd91d41ad89470883f64faac5aea27c50d84d1286a662e35956a55b9d16

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
105B

MD5
e644d3c655518a52d37cdebec15b4fec

SHA1
2ef0f61ac0d6e7bb382ff1307cb73ef546cecf55

SHA256
b1729944290b8d9f8d6d88029262b134da0f4bfb94ba04a18f8bfda3330db907

SHA512
91fecf4b08bf08115df3912f7aa382ebe61adbd7d0333b127e127e03d64e98d2c59fbfd91d41ad89470883f64faac5aea27c50d84d1286a662e35956a55b9d16

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
330B

MD5
572bed13127f08ef5c2dee3232bab4f6

SHA1
b35acbe06a08d5b6da9f92d4085fdbf4b7d7f381

SHA256
c290772bc2e3248ff594f30a5c1c3d9bfce56826314ce4f9016883d931f9e517

SHA512
23086a48ffb10d9ad62dbd202f10045e7c46ecd1e499da48d864af32fd9ca9164ef2d30e6b8d00738f0108311db6e39871b99499625024f0e4503c41cf5a8095

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
330B

MD5
572bed13127f08ef5c2dee3232bab4f6

SHA1
b35acbe06a08d5b6da9f92d4085fdbf4b7d7f381

SHA256
c290772bc2e3248ff594f30a5c1c3d9bfce56826314ce4f9016883d931f9e517

SHA512
23086a48ffb10d9ad62dbd202f10045e7c46ecd1e499da48d864af32fd9ca9164ef2d30e6b8d00738f0108311db6e39871b99499625024f0e4503c41cf5a8095

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
107B

MD5
f25e48e1d9e1e1398bc5fbc6885570b8

SHA1
46557c8ebb9236af6c28c9bdd317d1d25749e710

SHA256
0379e6a5dff30a991e0acdb9932cac828eb3e30ca8cc23447a2bc73ae78181db

SHA512
41e61480f5141b6950d7b96f3e4dfcca19bc480e0b11eeebdedaeb266c6e525f41f3d29a3c1c0bf8f17a3c30111d8fba7e269d5fcf84b336bee916e21881acb7

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
205B

MD5
59352c2b0c590c5fd96365d3168d723b

SHA1
53ab571639cc3e3a38032c1095985f7f4278d8fc

SHA256
079db0d18cb8ca55e8653f3d67608c5e445d32e368feb874ed3fa1d797c7c286

SHA512
2d21bcd26ef934095ca5b37aa1e66091547870f5e09c2d203dfd75923d2575f93f1a42f31e4fb7b2423b766984464ed65b048f49519837918de246a892c82828

Download Submit
memory/4068-153-0x0000000007020000-0x0000000007021000-memory.dmp

Filesize
4KB

Download
memory/4068-133-0x0000000000C40000-0x0000000001852000-memory.dmp

Filesize
12.1MB

Download
memory/4068-156-0x0000000007060000-0x0000000007061000-memory.dmp

Filesize
4KB

Download
memory/4068-157-0x0000000007080000-0x0000000007081000-memory.dmp

Filesize
4KB

Download
memory/4068-158-0x0000000007090000-0x0000000007091000-memory.dmp

Filesize
4KB

Download
memory/4068-159-0x00000000070C0000-0x00000000070C1000-memory.dmp

Filesize
4KB

Download
memory/4068-160-0x00000000070E0000-0x00000000070E1000-memory.dmp

Filesize
4KB

Download
memory/4068-161-0x0000000007070000-0x0000000007071000-memory.dmp

Filesize
4KB

Download
memory/4068-162-0x0000000004D20000-0x0000000004D21000-memory.dmp

Filesize
4KB

Download
memory/4068-163-0x0000000000C40000-0x0000000001852000-memory.dmp

Filesize
12.1MB

Download
memory/4068-204-0x0000000000C40000-0x0000000001852000-memory.dmp

Filesize
12.1MB

Download
memory/4068-134-0x0000000000C40000-0x0000000001852000-memory.dmp

Filesize
12.1MB

Download
memory/4068-154-0x0000000007030000-0x0000000007031000-memory.dmp

Filesize
4KB

Download
memory/4068-155-0x0000000007040000-0x0000000007041000-memory.dmp

Filesize
4KB

Download
memory/4068-136-0x0000000002000000-0x0000000002001000-memory.dmp

Filesize
4KB

Download
memory/4068-152-0x0000000007000000-0x0000000007001000-memory.dmp

Filesize
4KB

Download
memory/4068-148-0x0000000004990000-0x0000000004991000-memory.dmp

Filesize
4KB

Download
memory/4068-147-0x0000000004D50000-0x0000000004D51000-memory.dmp

Filesize
4KB

Download
memory/4068-146-0x0000000004980000-0x0000000004981000-memory.dmp

Filesize
4KB

Download
memory/4112-167-0x0000000000C40000-0x0000000001852000-memory.dmp

Filesize
12.1MB

Download
memory/4112-206-0x0000000000C40000-0x0000000001852000-memory.dmp

Filesize
12.1MB

Download
memory/4112-215-0x0000000000C40000-0x0000000001852000-memory.dmp

Filesize
12.1MB

Download
memory/4172-171-0x0000000001F20000-0x0000000001F21000-memory.dmp

Filesize
4KB

Download
memory/4172-165-0x0000000000C40000-0x0000000001852000-memory.dmp

Filesize
12.1MB

Download
memory/4172-205-0x0000000000C40000-0x0000000001852000-memory.dmp

Filesize
12.1MB

Download