b9ad79eaf7a4133f95f24c3b9d976c72f34264dc5c99030f0e57992cb5621f78

General

Target

AnyDesk.exe
Size

3.0MB
MD5

eb80f7bddb699784baa9fbf2941eaf4a
SHA1

df6abbfd20e731689f3c7d2a55f45ac83fbbc40b
SHA256

b9ad79eaf7a4133f95f24c3b9d976c72f34264dc5c99030f0e57992cb5621f78
SHA512

3a1162e9fef849cb7143dc1898d4cfcfd87eb80ced0edb321dfa096686b25ae8a9a7f3ae8f37a09724d94f96d64e08940fc23c0b931ddd8a1e70e2792cb3fe47
SSDEEP

98304:6aJXyQTrRGlSMoIuORmKBQielvZlpkiSti:3olMcR9BTY3WS

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AnyDesk.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	AnyDesk.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4852	AnyDesk.exe
4852	AnyDesk.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
976	AnyDesk.exe
976	AnyDesk.exe
976	AnyDesk.exe

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
976	AnyDesk.exe
976	AnyDesk.exe
976	AnyDesk.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2656 wrote to memory of 4852	2656	AnyDesk.exe	88
PID 2656 wrote to memory of 4852	2656	AnyDesk.exe	88
PID 2656 wrote to memory of 4852	2656	AnyDesk.exe	88
PID 2656 wrote to memory of 976	2656	AnyDesk.exe	89
PID 2656 wrote to memory of 976	2656	AnyDesk.exe	89
PID 2656 wrote to memory of 976	2656	AnyDesk.exe	89

C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
"C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe"
1⤵
- Checks processor information in registry
- Suspicious use of WriteProcessMemory
PID:2656
- C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
  "C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe" --local-service
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4852
- C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
  "C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe" --local-control
  2⤵
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:976

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace

Filesize
6KB

MD5
a2cda3d6ab0fe561bb2e18d6e0a82b2d

SHA1
9161bde4a9b40fcf2d2e4f903d1e003fac78743c

SHA256
78dabd5dacb533f2c955dc5cac683c616443cae76c1a0f505aef64337bd621d0

SHA512
3a4e008dfec42e13e61980e29d1925fc811fafe2e8d3669a60dea89a6a9556dcf92e1beae89dbb9e84b967a6d89b23e075f61032c6be5ec8b41513735d85ac7d

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\service.conf

Filesize
2KB

MD5
9366c51b120173716e9bd5504df3e763

SHA1
14596acd722b395d4a87c5d2a810f6370f2ca9ba

SHA256
62d6086e18bab1e836ec9984821e7fa6ed3dbd528f76f9a347464453474e7282

SHA512
9becce6cb38efccb7f08071a67f5b0f2f4930daf41d07b4763450eaa1acb6b0642d6322e26163499e453561ce6f583377867004f400fd32adea4567a9af232fe

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
105B

MD5
e90e6ca306a4a51d2fa5f187b431ce03

SHA1
289437191e9d90ef8a3465d2c18a9bce22b766cf

SHA256
86f7186e67db9a74a4985449e4d90422d3142fd850aaa0f896f2344747c8348e

SHA512
87f44bd6d4838fa2f2b1c320ca6ec7cf63ffd40221a4cc5a597a2b0378c49b1ba2af10b99a935aaa47a77310c79543372f02180613e21f928eb0ec64a1b62ed0

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
330B

MD5
ebd73a6f252c1b9ff47ee7b6c778935e

SHA1
e602ff147636fcb2804db6ab56e5e448debd25cb

SHA256
dec34608bac3c70c942cf3b5b66b55eb1c86d1c7f6c9338b75c1d3ccadfdb605

SHA512
362d841d95342ab80094cacca25cf066fe6e3faffafc3598ebe627f6196362cb7a01da2e7b4f2d5b34ac181269ca0bda7a52723878bf3e28107b314de0efdc02

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
107B

MD5
f25e48e1d9e1e1398bc5fbc6885570b8

SHA1
46557c8ebb9236af6c28c9bdd317d1d25749e710

SHA256
0379e6a5dff30a991e0acdb9932cac828eb3e30ca8cc23447a2bc73ae78181db

SHA512
41e61480f5141b6950d7b96f3e4dfcca19bc480e0b11eeebdedaeb266c6e525f41f3d29a3c1c0bf8f17a3c30111d8fba7e269d5fcf84b336bee916e21881acb7

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
205B

MD5
59352c2b0c590c5fd96365d3168d723b

SHA1
53ab571639cc3e3a38032c1095985f7f4278d8fc

SHA256
079db0d18cb8ca55e8653f3d67608c5e445d32e368feb874ed3fa1d797c7c286

SHA512
2d21bcd26ef934095ca5b37aa1e66091547870f5e09c2d203dfd75923d2575f93f1a42f31e4fb7b2423b766984464ed65b048f49519837918de246a892c82828

Download Submit
memory/976-31-0x0000000000F40000-0x0000000001B52000-memory.dmp

Filesize
12.1MB

Download
memory/976-73-0x0000000000F40000-0x0000000001B52000-memory.dmp

Filesize
12.1MB

Download
memory/976-38-0x00000000009C0000-0x00000000009C1000-memory.dmp

Filesize
4KB

Download
memory/976-32-0x0000000000F40000-0x0000000001B52000-memory.dmp

Filesize
12.1MB

Download
memory/2656-19-0x0000000006B60000-0x0000000006B61000-memory.dmp

Filesize
4KB

Download
memory/2656-20-0x0000000006B80000-0x0000000006B81000-memory.dmp

Filesize
4KB

Download
memory/2656-24-0x0000000006BD0000-0x0000000006BD1000-memory.dmp

Filesize
4KB

Download
memory/2656-25-0x0000000006BE0000-0x0000000006BE1000-memory.dmp

Filesize
4KB

Download
memory/2656-26-0x0000000006BF0000-0x0000000006BF1000-memory.dmp

Filesize
4KB

Download
memory/2656-27-0x0000000006C20000-0x0000000006C21000-memory.dmp

Filesize
4KB

Download
memory/2656-28-0x0000000006C40000-0x0000000006C41000-memory.dmp

Filesize
4KB

Download
memory/2656-29-0x0000000004840000-0x0000000004841000-memory.dmp

Filesize
4KB

Download
memory/2656-0-0x0000000000F40000-0x0000000001B52000-memory.dmp

Filesize
12.1MB

Download
memory/2656-22-0x0000000006BA0000-0x0000000006BA1000-memory.dmp

Filesize
4KB

Download
memory/2656-21-0x0000000006B90000-0x0000000006B91000-memory.dmp

Filesize
4KB

Download
memory/2656-23-0x0000000006BC0000-0x0000000006BC1000-memory.dmp

Filesize
4KB

Download
memory/2656-1-0x0000000000F40000-0x0000000001B52000-memory.dmp

Filesize
12.1MB

Download
memory/2656-15-0x00000000044B0000-0x00000000044B1000-memory.dmp

Filesize
4KB

Download
memory/2656-14-0x0000000004870000-0x0000000004871000-memory.dmp

Filesize
4KB

Download
memory/2656-13-0x00000000044A0000-0x00000000044A1000-memory.dmp

Filesize
4KB

Download
memory/2656-4-0x0000000000F10000-0x0000000000F11000-memory.dmp

Filesize
4KB

Download
memory/2656-70-0x0000000000F40000-0x0000000001B52000-memory.dmp

Filesize
12.1MB

Download
memory/4852-72-0x0000000000F40000-0x0000000001B52000-memory.dmp

Filesize
12.1MB

Download
memory/4852-30-0x0000000000F40000-0x0000000001B52000-memory.dmp

Filesize
12.1MB

Download
memory/4852-78-0x0000000000F40000-0x0000000001B52000-memory.dmp

Filesize
12.1MB

Download

Analysis

Sharing