b9ad79eaf7a4133f95f24c3b9d976c72f34264dc5c99030f0e57992cb5621f78

General

Target

AnyDesk.exe
Size

3.0MB
MD5

eb80f7bddb699784baa9fbf2941eaf4a
SHA1

df6abbfd20e731689f3c7d2a55f45ac83fbbc40b
SHA256

b9ad79eaf7a4133f95f24c3b9d976c72f34264dc5c99030f0e57992cb5621f78
SHA512

3a1162e9fef849cb7143dc1898d4cfcfd87eb80ced0edb321dfa096686b25ae8a9a7f3ae8f37a09724d94f96d64e08940fc23c0b931ddd8a1e70e2792cb3fe47
SSDEEP

98304:6aJXyQTrRGlSMoIuORmKBQielvZlpkiSti:3olMcR9BTY3WS

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AnyDesk.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	AnyDesk.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2848	AnyDesk.exe
2848	AnyDesk.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
1028	AnyDesk.exe
1028	AnyDesk.exe
1028	AnyDesk.exe

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
1028	AnyDesk.exe
1028	AnyDesk.exe
1028	AnyDesk.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4460 wrote to memory of 2848	4460	AnyDesk.exe	87
PID 4460 wrote to memory of 2848	4460	AnyDesk.exe	87
PID 4460 wrote to memory of 2848	4460	AnyDesk.exe	87
PID 4460 wrote to memory of 1028	4460	AnyDesk.exe	88
PID 4460 wrote to memory of 1028	4460	AnyDesk.exe	88
PID 4460 wrote to memory of 1028	4460	AnyDesk.exe	88

C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
"C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe"
1⤵
- Checks processor information in registry
- Suspicious use of WriteProcessMemory
PID:4460
- C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
  "C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe" --local-service
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2848
- C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
  "C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe" --local-control
  2⤵
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:1028

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace

Filesize
5KB

MD5
8e554d0b6e88b1433b55000a99ce4b1e

SHA1
65a7800594ae1d5c86e76e69379e00cf47c85701

SHA256
4f7e00f6d79a695c4243c3286709b87ffeaa1a28c159d0513d81771274f8ff00

SHA512
1ac30410611309eb2c5e54fce2e77b6ba019c81e0c6230f82ad43cecaa1737c4ad0d50c712e3b2652b83e5603e919dd0513d13811e340a361245313fbcc638f1

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace

Filesize
7KB

MD5
2c11ea31b51a7801ce5d846f72245805

SHA1
21f6baf176c7d570b310879491c2b71eb331dfce

SHA256
b057f2e978137dbff8cb8ab20bd92cea7115a87e73bb0133451dcb67ca8c0275

SHA512
7e160abf617e115a511d4b2b0bdd3a0494b34524fa7e562b11af692b41571649a9c2ddf42e3672894e515063cd45824eabe1ad2e18cf8e153de4b942cab6d878

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\service.conf

Filesize
2KB

MD5
d38ad65cc4c3ffeb06cbdf2a1271e865

SHA1
429c74db0f59ccdf25b79fea3aa5e05d585c78dd

SHA256
669327c452dc3dfedc0e9f2a643bb04c0085ae886f24465f3acb108797b9da04

SHA512
73cb7a207f31a00bcbf1704af2a41375e1bd0c422de2221b83caa1f75b2478db99f25ba94360082ee9f15d929075b65e8db538f5f261f8b42346aa20f07a92e0

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
105B

MD5
8e4db78f6c12fb6f91323aaf49d80174

SHA1
8d0449194219c563cf5e483d337ee97a24aed24e

SHA256
96b10109276f22716c28ba9f2460804a36a7c3631d0825fa80a132edf3feafe5

SHA512
8a26a6e8c946b398d3a6c8fe1b794123df06c76c6f79d2977062305e519cbc2cd7ae91dfdb918d8f2549e8cb5e5e5ae7f44e9b32a0d58c2f74b6fb151305ef90

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
330B

MD5
c71ee7e3fc27cf4806572b57a21747e6

SHA1
e23c4415c66076f39d50b40f3c000bb0bdcb932c

SHA256
7b998c63000550231edc241c10985ec454226bebeb19b434349ba93834a60da4

SHA512
627fba90a7477cf9597291299d1fe96c07b94537e7c33482555faf7cc59f22af0bf59f1911de84e258fccb3151bbb1b6c4b6bcc6e5d7ff191f76bf0061c4a5ea

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
107B

MD5
f25e48e1d9e1e1398bc5fbc6885570b8

SHA1
46557c8ebb9236af6c28c9bdd317d1d25749e710

SHA256
0379e6a5dff30a991e0acdb9932cac828eb3e30ca8cc23447a2bc73ae78181db

SHA512
41e61480f5141b6950d7b96f3e4dfcca19bc480e0b11eeebdedaeb266c6e525f41f3d29a3c1c0bf8f17a3c30111d8fba7e269d5fcf84b336bee916e21881acb7

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
205B

MD5
59352c2b0c590c5fd96365d3168d723b

SHA1
53ab571639cc3e3a38032c1095985f7f4278d8fc

SHA256
079db0d18cb8ca55e8653f3d67608c5e445d32e368feb874ed3fa1d797c7c286

SHA512
2d21bcd26ef934095ca5b37aa1e66091547870f5e09c2d203dfd75923d2575f93f1a42f31e4fb7b2423b766984464ed65b048f49519837918de246a892c82828

Download Submit
memory/1028-31-0x0000000000AC0000-0x00000000016D2000-memory.dmp

Filesize
12.1MB

Download
memory/1028-74-0x0000000000AC0000-0x00000000016D2000-memory.dmp

Filesize
12.1MB

Download
memory/1028-39-0x0000000001CA0000-0x0000000001CA1000-memory.dmp

Filesize
4KB

Download
memory/1028-34-0x0000000000AC0000-0x00000000016D2000-memory.dmp

Filesize
12.1MB

Download
memory/2848-73-0x0000000000AC0000-0x00000000016D2000-memory.dmp

Filesize
12.1MB

Download
memory/2848-82-0x0000000000AC0000-0x00000000016D2000-memory.dmp

Filesize
12.1MB

Download
memory/2848-33-0x0000000000AC0000-0x00000000016D2000-memory.dmp

Filesize
12.1MB

Download
memory/2848-32-0x0000000000AC0000-0x00000000016D2000-memory.dmp

Filesize
12.1MB

Download
memory/4460-20-0x0000000006CB0000-0x0000000006CB1000-memory.dmp

Filesize
4KB

Download
memory/4460-22-0x0000000006CD0000-0x0000000006CD1000-memory.dmp

Filesize
4KB

Download
memory/4460-29-0x0000000004970000-0x0000000004971000-memory.dmp

Filesize
4KB

Download
memory/4460-30-0x0000000000AC0000-0x00000000016D2000-memory.dmp

Filesize
12.1MB

Download
memory/4460-24-0x0000000006D00000-0x0000000006D01000-memory.dmp

Filesize
4KB

Download
memory/4460-27-0x0000000006D50000-0x0000000006D51000-memory.dmp

Filesize
4KB

Download
memory/4460-26-0x0000000006D20000-0x0000000006D21000-memory.dmp

Filesize
4KB

Download
memory/4460-25-0x0000000006D10000-0x0000000006D11000-memory.dmp

Filesize
4KB

Download
memory/4460-23-0x0000000006CF0000-0x0000000006CF1000-memory.dmp

Filesize
4KB

Download
memory/4460-28-0x0000000006D70000-0x0000000006D71000-memory.dmp

Filesize
4KB

Download
memory/4460-21-0x0000000006CC0000-0x0000000006CC1000-memory.dmp

Filesize
4KB

Download
memory/4460-0-0x0000000000AC0000-0x00000000016D2000-memory.dmp

Filesize
12.1MB

Download
memory/4460-19-0x0000000006C90000-0x0000000006C91000-memory.dmp

Filesize
4KB

Download
memory/4460-15-0x00000000045E0000-0x00000000045E1000-memory.dmp

Filesize
4KB

Download
memory/4460-14-0x00000000049A0000-0x00000000049A1000-memory.dmp

Filesize
4KB

Download
memory/4460-72-0x0000000000AC0000-0x00000000016D2000-memory.dmp

Filesize
12.1MB

Download
memory/4460-13-0x00000000045D0000-0x00000000045D1000-memory.dmp

Filesize
4KB

Download
memory/4460-3-0x0000000001C50000-0x0000000001C51000-memory.dmp

Filesize
4KB

Download
memory/4460-1-0x0000000000AC0000-0x00000000016D2000-memory.dmp

Filesize
12.1MB

Download

Analysis

Sharing