734f3577aa453fe8e89d6f351a382474a5dab97204aff1e194eee4e9fdff0a4a

Analysis

max time kernel
33s
max time network
33s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
08/06/2023, 21:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

AnyDesk.exe
Size

3.9MB
MD5

bca01af10aac7833188c47d7fec17196
SHA1

7f7898da333b924bd358aeb9936a944eb8bf3c09
SHA256

734f3577aa453fe8e89d6f351a382474a5dab97204aff1e194eee4e9fdff0a4a
SHA512

4429536226a6f3e72d008525c99bc0e676973be04670f7bb49f93ad20e7c8957ceb945c9eeea3ff47e6a751525976b0f4702e90d682940d225d6cb82a6567032
SSDEEP

49152:6ZeC+Xpi5ZnHuNO7HrDequJVU6GTTC/gZAjj4agcXz75rtelRqEiruLh3fZlTP5t:cpfn7HruwEk00agcD7fkRX6uRfZrnAnC

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AnyDesk.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	AnyDesk.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
112	AnyDesk.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
572	AnyDesk.exe
572	AnyDesk.exe
572	AnyDesk.exe

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
572	AnyDesk.exe
572	AnyDesk.exe
572	AnyDesk.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1368 wrote to memory of 112	1368	AnyDesk.exe	28
PID 1368 wrote to memory of 112	1368	AnyDesk.exe	28
PID 1368 wrote to memory of 112	1368	AnyDesk.exe	28
PID 1368 wrote to memory of 112	1368	AnyDesk.exe	28
PID 1368 wrote to memory of 572	1368	AnyDesk.exe	29
PID 1368 wrote to memory of 572	1368	AnyDesk.exe	29
PID 1368 wrote to memory of 572	1368	AnyDesk.exe	29
PID 1368 wrote to memory of 572	1368	AnyDesk.exe	29

C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
"C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe"
1⤵
- Checks processor information in registry
- Suspicious use of WriteProcessMemory
PID:1368
- C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
  "C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe" --local-service
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:112
- C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
  "C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe" --local-control
  2⤵
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:572

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\gcapi.dll

Filesize
385KB

MD5
1ce7d5a1566c8c449d0f6772a8c27900

SHA1
60854185f6338e1bfc7497fd41aa44c5c00d8f85

SHA256
73170761d6776c0debacfbbc61b6988cb8270a20174bf5c049768a264bb8ffaf

SHA512
7e3411be8614170ae91db1626c452997dc6db663d79130872a124af982ee1d457cefba00abd7f5269adce3052403be31238aecc3934c7379d224cb792d519753

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace

Filesize
7KB

MD5
df742e8fbb181774ba73c69d9d8d8c22

SHA1
a3bfbedd9b0192b203afe379e70be2fdcf1a7e6f

SHA256
bbca985b506f7fd718d4ebc95792d3af79203dbd5a90b64a7c720ff4c81d0585

SHA512
74c8bf252a1df9f877643d903414bfbd8e6a02c02d5f10afbb5446f4ab55e9928cd89800d92e0d71eac4e8271948e589eea6f45a1cee96d3bfc826f28768dbb0

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace

Filesize
7KB

MD5
df742e8fbb181774ba73c69d9d8d8c22

SHA1
a3bfbedd9b0192b203afe379e70be2fdcf1a7e6f

SHA256
bbca985b506f7fd718d4ebc95792d3af79203dbd5a90b64a7c720ff4c81d0585

SHA512
74c8bf252a1df9f877643d903414bfbd8e6a02c02d5f10afbb5446f4ab55e9928cd89800d92e0d71eac4e8271948e589eea6f45a1cee96d3bfc826f28768dbb0

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\service.conf

Filesize
2KB

MD5
cff8f8670fb40e727040a5ca4ec0d85e

SHA1
ec96b553707c553381e4be4762f46e1c3fb5b2d6

SHA256
2bea95e28c06aac1c634a8ff234006705a5f59159dbc790050850b8419533945

SHA512
f0edc9b2a026d833b06a32fe8fa0eeec2e79bd71365014cdf31088e23b06b7487d631171c1d472ae276da4f13f9bfb0acf58d07c52d1a2bd8b5b522bf1b7ce52

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\service.conf

Filesize
2KB

MD5
c2b8a5b9a4375be759cb5c87ef9c54e9

SHA1
abe1f7dba1aa70356fabfb7a36d0c29558536a75

SHA256
2aa7eb62231a589f422953f61cb726ebf2cce476ea057803bdcdac7499633a4f

SHA512
8f6ec4b449c4aadb0b70bdf27388f9a567b2768b24c768458ced200537a24b5aa880e6ab9323248e290c1bc921080961adaa133226fa9414f7a88bc02e5cbde6

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
424B

MD5
98be4519f25824236bca133801dc65bb

SHA1
86e94820668892fab8e7913ecb3d3f1d74371880

SHA256
47ecd56f89f771034fca255c40159e2f692e3a9d377fa1685174f080425546d3

SHA512
a8c27300ab79648ee41ed31f4feb034bc7c945d6027191d292f2f0471ccbf03813bed02adc19c7dc0440b924242bf5ed1cce73cc34e572c5b1d6b1f285580fd8

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
424B

MD5
d42e85c365c04812e421ba51954ca5aa

SHA1
8a4cb6670cac8763c4bd0f0fb329d7fe84315582

SHA256
bbad60f872b8879d2e8e50520496f6e6d2e0d4430477eda4ecf4ded77d6133f6

SHA512
9cc6b8cc40da326f344a893ccaa904f4beff6dc24c429bdfb9a9df1d9ce90d725327a707f2546ab15616f53a7123acd86bca8952468b3335e14560df8c0369b2

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
424B

MD5
d42e85c365c04812e421ba51954ca5aa

SHA1
8a4cb6670cac8763c4bd0f0fb329d7fe84315582

SHA256
bbad60f872b8879d2e8e50520496f6e6d2e0d4430477eda4ecf4ded77d6133f6

SHA512
9cc6b8cc40da326f344a893ccaa904f4beff6dc24c429bdfb9a9df1d9ce90d725327a707f2546ab15616f53a7123acd86bca8952468b3335e14560df8c0369b2

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
681B

MD5
0837fa24e1f5a3966af9cc778adf4a45

SHA1
457a56c5741a970914be9a657f8d0bfc61cee577

SHA256
fb631116a5d4800f882c00c87d7659bc204f3b97f27036cb590eba2f732bf4d0

SHA512
b624215d01b363d3f49b9e6dc35a6db1a761539eb53a2a148b26f5ed970ce337a85041ee6c35800d6ca2aee418f6bc99d4f66edaae7bd4fb309456c83572c327

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
738B

MD5
dc58d53c4af9824ba9d25756e5d9328d

SHA1
58db344a5ff601770c1206e114f733c0051aff7b

SHA256
867ad815ab0621c28d25f6e8e665d700c51039f2d798fa64e92cf43c70ed93a8

SHA512
f9a230ca71a92055a50e71ea7eba2312f94a222945105aba8c25f69655ec1c57874bf276680c562f0392dd91d8290160db55acff738f314d1e537b9a65ce6183

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
802B

MD5
d4932302da2c4cdc45a2bc90c3b7f772

SHA1
2f13f3600417061ccf7ddbb896e87ad550325d2a

SHA256
411b55290920a92873eceb8635772a9ff75470f934d0d05fb48c4d82d84f1527

SHA512
bda9c3b0d947811ed59075d034f1ed8da17b1cec88619f5f05d31b695d6ac2d01c9faa1c3c3e735509996ec7263a5bd7ffb3c635558465296def9dff05cfd590

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
849B

MD5
002b351685fa08f348e4d2492826d7d1

SHA1
c9898b6725593eed9df07f3d28b54979df7a34a5

SHA256
4383e010c88a2328e12951f3e47aadfd0377b1165343c9bacd6d1843f87a278e

SHA512
b4818d2d35d80cc8b02d4d309e83c3498b1f91c7ba694303248c89167e5f40ecebc1b08dd2567ec90c67b5683d0784fc397de37e30359edfa0d85e11af907197

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
849B

MD5
002b351685fa08f348e4d2492826d7d1

SHA1
c9898b6725593eed9df07f3d28b54979df7a34a5

SHA256
4383e010c88a2328e12951f3e47aadfd0377b1165343c9bacd6d1843f87a278e

SHA512
b4818d2d35d80cc8b02d4d309e83c3498b1f91c7ba694303248c89167e5f40ecebc1b08dd2567ec90c67b5683d0784fc397de37e30359edfa0d85e11af907197

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
312B

MD5
0c04ad1083dc5c7c45e3ee2cd344ae38

SHA1
f1cf190f8ca93000e56d49732e9e827e2554c46f

SHA256
6452273c017db7cbe0ffc5b109bbf3f8d3282fb91bfa3c5eabc4fb8f1fc98cb0

SHA512
6c414b39bbc1f1f08446c6c6da6f6e1ceb9303bbf183ae279c872d91641ea8d67ec5e5c4e0824da3837eca73ec29fe70e92b72c09458c8ce50fa6f08791d1492

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
7833c0179dcf8e3ede0968bfe0084408

SHA1
334722f7c9732f6b9101d93e500c6f5f0e9f1987

SHA256
c7f6b9ee1a224721062c2f9c61b849fc943e00e937e95eee79d657c2f9181e39

SHA512
0477214b139ce0c12dfc2d5b56c1a254b549e23473e910d35292919650096b42b78ea329461347e8dc11cf3066bb6266dc9f4be6a2631b0d73ed065d5eefa563

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
e634e15e529624aff906b79c0582335d

SHA1
dd5de60fbe50d10b74da22ecbe43dad3473172f3

SHA256
13ac1d055374d58c19e9e305d8127a1b6c3b0d1274ee139ef10e4704bfd6dd15

SHA512
75c05c0b1853937e04bc1f9bca185f4098f8854f0f30acae7797a4adace3b9d8a77706663496541844e30a8dc49e413c6ada0d7cf7f1a69923915b939812d0b1

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
d8542106fb273185938f2f0ebf0fa804

SHA1
3e7c4dc729cae58a5e105cce7c19d8d0c8610095

SHA256
27cfb7d4de9883fa90f78516c5bc950908ab9223d0586774e96a8d50fe1017f4

SHA512
62ae00ac6cc5e8b0b5507016d0f034e82797fecdbb40005020d41b7a2cbb45e44983b1f32a0119f91e13b6aeed7ffdedec52100046049deeb09146f95b9897d5

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
d8542106fb273185938f2f0ebf0fa804

SHA1
3e7c4dc729cae58a5e105cce7c19d8d0c8610095

SHA256
27cfb7d4de9883fa90f78516c5bc950908ab9223d0586774e96a8d50fe1017f4

SHA512
62ae00ac6cc5e8b0b5507016d0f034e82797fecdbb40005020d41b7a2cbb45e44983b1f32a0119f91e13b6aeed7ffdedec52100046049deeb09146f95b9897d5

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
2KB

MD5
b52d432f5c41cc6cdf540b12017970c6

SHA1
d9c0d466cd9a7aef891f398a507f582efa2664b3

SHA256
402b8903bf27e9e910189615a861aaaba688f1ce3d1ed6d1c5c4dc53f2c80226

SHA512
e1800a7be8e29a58433eda69f82a8dc0eef11dd5e071c6294fef45be2b99198524de56cc395dc0964d98d40496179baf9107bd0a18b36ececa68941dd2ef7626

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
3KB

MD5
52b7a777246e020e602298bac8ac5fc0

SHA1
a28c9dc43f32b37406444f07a50864410775fe6d

SHA256
b4f356a43e28075a99e159dde88cdf5db7c6cc0ef2325f383fa3b0ae5a5070c7

SHA512
5d39da84bbe5b018dcaf762cbf258b76c247a6faaa52c8193f8b5da3ae24a37896498147b5532a68bf615792df9c593ae30648ea17dca8da9b25397deb1db800

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
3KB

MD5
52b7a777246e020e602298bac8ac5fc0

SHA1
a28c9dc43f32b37406444f07a50864410775fe6d

SHA256
b4f356a43e28075a99e159dde88cdf5db7c6cc0ef2325f383fa3b0ae5a5070c7

SHA512
5d39da84bbe5b018dcaf762cbf258b76c247a6faaa52c8193f8b5da3ae24a37896498147b5532a68bf615792df9c593ae30648ea17dca8da9b25397deb1db800

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
3KB

MD5
52b7a777246e020e602298bac8ac5fc0

SHA1
a28c9dc43f32b37406444f07a50864410775fe6d

SHA256
b4f356a43e28075a99e159dde88cdf5db7c6cc0ef2325f383fa3b0ae5a5070c7

SHA512
5d39da84bbe5b018dcaf762cbf258b76c247a6faaa52c8193f8b5da3ae24a37896498147b5532a68bf615792df9c593ae30648ea17dca8da9b25397deb1db800

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
3KB

MD5
52b7a777246e020e602298bac8ac5fc0

SHA1
a28c9dc43f32b37406444f07a50864410775fe6d

SHA256
b4f356a43e28075a99e159dde88cdf5db7c6cc0ef2325f383fa3b0ae5a5070c7

SHA512
5d39da84bbe5b018dcaf762cbf258b76c247a6faaa52c8193f8b5da3ae24a37896498147b5532a68bf615792df9c593ae30648ea17dca8da9b25397deb1db800

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
6KB

MD5
310b8e835f0fbbac44710cf2265cdc11

SHA1
17992cf87316a8e62e196ef39d563453ab32da6c

SHA256
a9304af8bf08218889ddead7bb9b531b9375143380bc30f33361d18442c2e777

SHA512
98bd4fd01539254f29499b48caf7eb74c676fceb3997d1bf3981cf5fdf36103ebe2c9b2c5c2ac7fe1bc04a7ccf2017892ab844f83f1f0b4ea37bd110f97ca027

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
6KB

MD5
310b8e835f0fbbac44710cf2265cdc11

SHA1
17992cf87316a8e62e196ef39d563453ab32da6c

SHA256
a9304af8bf08218889ddead7bb9b531b9375143380bc30f33361d18442c2e777

SHA512
98bd4fd01539254f29499b48caf7eb74c676fceb3997d1bf3981cf5fdf36103ebe2c9b2c5c2ac7fe1bc04a7ccf2017892ab844f83f1f0b4ea37bd110f97ca027

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
895e82a1c6ef5e56b149025c85296554

SHA1
b061e4f7f44b6fecf100637afcf0d70f12d331af

SHA256
9e5f84c87b58bb0f710ad7badb0d2532159ef4dd4baba3a10f81b5b4741d6253

SHA512
b5e9fe349dfd30301627bb210f87fac33e2d165018568f686c64654840b90aedde41e6fa09dea95b1d68475591a0805bd8f6abf4cd7a1d9739e6f50897d7d695

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
895e82a1c6ef5e56b149025c85296554

SHA1
b061e4f7f44b6fecf100637afcf0d70f12d331af

SHA256
9e5f84c87b58bb0f710ad7badb0d2532159ef4dd4baba3a10f81b5b4741d6253

SHA512
b5e9fe349dfd30301627bb210f87fac33e2d165018568f686c64654840b90aedde41e6fa09dea95b1d68475591a0805bd8f6abf4cd7a1d9739e6f50897d7d695

Download Submit
memory/112-70-0x0000000000980000-0x0000000001A04000-memory.dmp

Filesize
16.5MB

Download
memory/112-251-0x0000000000980000-0x0000000001A04000-memory.dmp

Filesize
16.5MB

Download
memory/572-73-0x0000000000980000-0x0000000001A04000-memory.dmp

Filesize
16.5MB

Download
memory/572-87-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download
memory/572-252-0x0000000000980000-0x0000000001A04000-memory.dmp

Filesize
16.5MB

Download
memory/1368-71-0x0000000003270000-0x0000000003271000-memory.dmp

Filesize
4KB

Download
memory/1368-54-0x0000000000980000-0x0000000001A04000-memory.dmp

Filesize
16.5MB

Download
memory/1368-69-0x0000000002F50000-0x0000000002F51000-memory.dmp

Filesize
4KB

Download
memory/1368-56-0x0000000000130000-0x0000000000131000-memory.dmp

Filesize
4KB

Download
memory/1368-250-0x0000000000980000-0x0000000001A04000-memory.dmp

Filesize
16.5MB

Download