b9ad79eaf7a4133f95f24c3b9d976c72f34264dc5c99030f0e57992cb5621f78

General

Target

anydesk.exe
Size

3.0MB
MD5

eb80f7bddb699784baa9fbf2941eaf4a
SHA1

df6abbfd20e731689f3c7d2a55f45ac83fbbc40b
SHA256

b9ad79eaf7a4133f95f24c3b9d976c72f34264dc5c99030f0e57992cb5621f78
SHA512

3a1162e9fef849cb7143dc1898d4cfcfd87eb80ced0edb321dfa096686b25ae8a9a7f3ae8f37a09724d94f96d64e08940fc23c0b931ddd8a1e70e2792cb3fe47
SSDEEP

98304:6aJXyQTrRGlSMoIuORmKBQielvZlpkiSti:3olMcR9BTY3WS

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	anydesk.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	anydesk.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2828	anydesk.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
2580	anydesk.exe
2580	anydesk.exe
2580	anydesk.exe

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
2580	anydesk.exe
2580	anydesk.exe
2580	anydesk.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2168 wrote to memory of 2828	2168	anydesk.exe	29
PID 2168 wrote to memory of 2828	2168	anydesk.exe	29
PID 2168 wrote to memory of 2828	2168	anydesk.exe	29
PID 2168 wrote to memory of 2828	2168	anydesk.exe	29
PID 2168 wrote to memory of 2580	2168	anydesk.exe	28
PID 2168 wrote to memory of 2580	2168	anydesk.exe	28
PID 2168 wrote to memory of 2580	2168	anydesk.exe	28
PID 2168 wrote to memory of 2580	2168	anydesk.exe	28

C:\Users\Admin\AppData\Local\Temp\anydesk.exe
"C:\Users\Admin\AppData\Local\Temp\anydesk.exe"
1⤵
- Checks processor information in registry
- Suspicious use of WriteProcessMemory
PID:2168
- C:\Users\Admin\AppData\Local\Temp\anydesk.exe
  "C:\Users\Admin\AppData\Local\Temp\anydesk.exe" --local-control
  2⤵
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:2580
- C:\Users\Admin\AppData\Local\Temp\anydesk.exe
  "C:\Users\Admin\AppData\Local\Temp\anydesk.exe" --local-service
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2828

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace

Filesize
4KB

MD5
d085e6588db1c642c18e75bac3d8a5ec

SHA1
ceccbe6d31b1a37937285fd4ebee7acc0248357d

SHA256
46a768f9251fec80cc7b085fb78435daf684a99a3a49a712a194ccf8c23b32d7

SHA512
a53c0212ce8ebad75dd332e99c75ecfb5e3e13a405da314145c3510af1b6936331e45dd7bdcdb4f96b2034231ee280881de3c3c24d1a5b77a8513b84ae1fddbd

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace

Filesize
6KB

MD5
2ea673cbb3b8b4f4d6271e834f8fcae3

SHA1
3561618f4f675c7b76b6171ba84c3ab81b663128

SHA256
f53c8a14fdfc01be42b101121a58ae2918ea5188457fe825448d98c1d039ebcf

SHA512
0982b73fb8f39b94833aa88ebc710225589c7e6e50be75d6d1261b9688f69cc284a7cf3fbc108ba3130334152d2666815df0d2bd9e13bb1327f3a1cacadccdbe

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\service.conf

Filesize
2KB

MD5
9f9ca9aee9d74edb6db3ea53743cc600

SHA1
28a79e96e77d7d49ad2febea7abcb47897b5dde7

SHA256
7525a17eda8d7f360c4bed1d5e90a302affa86558381d75db14b4a0417c6705e

SHA512
a05421857144838e8574c45cdf645a1a7f15aac82e424f5d1896195e9895b4ae19bd944f1e4c7410e975956502087742083649337534e9d72f83f01647f111c4

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
105B

MD5
60ee4801fff5594aeb5d4c47a7505578

SHA1
3f0d981e587720858b1f2d45dd43ca3cb6f65382

SHA256
e6772ac6aeb4ea81740d867a1726b8f5c8c67fcfb0b281b0c9687c07b36e4879

SHA512
8cde7f7525a8fb695f218788c4909110de69f1dd31e4e8ec82d8cc3978bc1eb23b3056da31810d47feb3dcfb81c1e9b035386815d430e0353b368569a3c46f72

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
329B

MD5
7f7a936a8148245c3695482d3db848c2

SHA1
869f86ed137bfb5003057fcb78985b21dfb9ffa2

SHA256
d21f2c9b0acd2890ff71e98b2e079cc615612297742e0b3d27ad5e3ed4d60383

SHA512
4917bcb3da63dccab9aae168946f0ca02496e39ef1d459d7492d72e5935c8064c2b2788f37e64b8000504f60ab38e0caf4f6aa6e4d9585ce97e671651aa5c4ed

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
329B

MD5
7f7a936a8148245c3695482d3db848c2

SHA1
869f86ed137bfb5003057fcb78985b21dfb9ffa2

SHA256
d21f2c9b0acd2890ff71e98b2e079cc615612297742e0b3d27ad5e3ed4d60383

SHA512
4917bcb3da63dccab9aae168946f0ca02496e39ef1d459d7492d72e5935c8064c2b2788f37e64b8000504f60ab38e0caf4f6aa6e4d9585ce97e671651aa5c4ed

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
205B

MD5
59352c2b0c590c5fd96365d3168d723b

SHA1
53ab571639cc3e3a38032c1095985f7f4278d8fc

SHA256
079db0d18cb8ca55e8653f3d67608c5e445d32e368feb874ed3fa1d797c7c286

SHA512
2d21bcd26ef934095ca5b37aa1e66091547870f5e09c2d203dfd75923d2575f93f1a42f31e4fb7b2423b766984464ed65b048f49519837918de246a892c82828

Download Submit
memory/2168-25-0x0000000003E60000-0x0000000003E61000-memory.dmp

Filesize
4KB

Download
memory/2168-13-0x0000000000260000-0x0000000000261000-memory.dmp

Filesize
4KB

Download
memory/2168-24-0x0000000003E30000-0x0000000003E31000-memory.dmp

Filesize
4KB

Download
memory/2168-29-0x0000000003950000-0x0000000003951000-memory.dmp

Filesize
4KB

Download
memory/2168-23-0x0000000003C10000-0x0000000003C11000-memory.dmp

Filesize
4KB

Download
memory/2168-22-0x0000000003B00000-0x0000000003B01000-memory.dmp

Filesize
4KB

Download
memory/2168-21-0x0000000003AF0000-0x0000000003AF1000-memory.dmp

Filesize
4KB

Download
memory/2168-20-0x0000000003940000-0x0000000003941000-memory.dmp

Filesize
4KB

Download
memory/2168-19-0x0000000003920000-0x0000000003921000-memory.dmp

Filesize
4KB

Download
memory/2168-14-0x0000000003380000-0x0000000003381000-memory.dmp

Filesize
4KB

Download
memory/2168-81-0x0000000000300000-0x0000000000F12000-memory.dmp

Filesize
12.1MB

Download
memory/2168-1-0x0000000000300000-0x0000000000F12000-memory.dmp

Filesize
12.1MB

Download
memory/2168-3-0x0000000000180000-0x0000000000181000-memory.dmp

Filesize
4KB

Download
memory/2168-0-0x0000000000300000-0x0000000000F12000-memory.dmp

Filesize
12.1MB

Download
memory/2168-28-0x0000000003900000-0x0000000003901000-memory.dmp

Filesize
4KB

Download
memory/2168-18-0x0000000000270000-0x0000000000271000-memory.dmp

Filesize
4KB

Download
memory/2168-26-0x0000000003E80000-0x0000000003E81000-memory.dmp

Filesize
4KB

Download
memory/2168-27-0x0000000003350000-0x0000000003351000-memory.dmp

Filesize
4KB

Download
memory/2580-40-0x0000000000170000-0x0000000000171000-memory.dmp

Filesize
4KB

Download
memory/2580-31-0x0000000000300000-0x0000000000F12000-memory.dmp

Filesize
12.1MB

Download
memory/2580-30-0x0000000000300000-0x0000000000F12000-memory.dmp

Filesize
12.1MB

Download
memory/2580-83-0x0000000000300000-0x0000000000F12000-memory.dmp

Filesize
12.1MB

Download
memory/2828-33-0x0000000000300000-0x0000000000F12000-memory.dmp

Filesize
12.1MB

Download
memory/2828-32-0x0000000000300000-0x0000000000F12000-memory.dmp

Filesize
12.1MB

Download
memory/2828-82-0x0000000000300000-0x0000000000F12000-memory.dmp

Filesize
12.1MB

Download
memory/2828-88-0x0000000000300000-0x0000000000F12000-memory.dmp

Filesize
12.1MB

Download

Analysis

Sharing