4de898c139fb5251479ca6f9ec044cac4d83a2f5d1113b7a4b8f13468a130c97

Analysis

max time kernel
144s
max time network
145s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
13/06/2023, 19:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

AnyDesk6.0.7个人版.exe
Size

3.5MB
MD5

365aa18cadc5b80a9b5ca5950690c7f8
SHA1

16c33a2907264382715fba2061e4ff803a41c629
SHA256

4de898c139fb5251479ca6f9ec044cac4d83a2f5d1113b7a4b8f13468a130c97
SHA512

c774e56c89f999a18aebec9f479f57f06213f2453238385aa4eb63adb081dff2da6fe424b1261424068a8af8435be3b6a173cd7c24ab248dedd1f5c6a700c3a1
SSDEEP

98304:+QMMzSE4J8JcFFLbx4e0PK+80wbZ/A8xL2G:tM6SQPKzA8xLz

Score

5^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Control Panel\International\Geo\Nation	AnyDesk6.0.7个人版.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Control Panel\International\Geo\Nation	AnyDesk6.0.7个人版.exe

Loads dropped DLL 2 IoCs

pid	Process
724	AnyDesk6.0.7个人版.exe
2436	AnyDesk6.0.7个人版.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AnyDesk6.0.7个人版.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	AnyDesk6.0.7个人版.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2436	AnyDesk6.0.7个人版.exe
2436	AnyDesk6.0.7个人版.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
724	AnyDesk6.0.7个人版.exe
724	AnyDesk6.0.7个人版.exe
724	AnyDesk6.0.7个人版.exe

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
724	AnyDesk6.0.7个人版.exe
724	AnyDesk6.0.7个人版.exe
724	AnyDesk6.0.7个人版.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 3580 wrote to memory of 2436	3580	AnyDesk6.0.7个人版.exe	84
PID 3580 wrote to memory of 2436	3580	AnyDesk6.0.7个人版.exe	84
PID 3580 wrote to memory of 2436	3580	AnyDesk6.0.7个人版.exe	84
PID 3580 wrote to memory of 724	3580	AnyDesk6.0.7个人版.exe	85
PID 3580 wrote to memory of 724	3580	AnyDesk6.0.7个人版.exe	85
PID 3580 wrote to memory of 724	3580	AnyDesk6.0.7个人版.exe	85

C:\Users\Admin\AppData\Local\Temp\AnyDesk6.0.7个人版.exe
"C:\Users\Admin\AppData\Local\Temp\AnyDesk6.0.7个人版.exe"
1⤵
- Checks processor information in registry
- Suspicious use of WriteProcessMemory
PID:3580
- C:\Users\Admin\AppData\Local\Temp\AnyDesk6.0.7个人版.exe
  "C:\Users\Admin\AppData\Local\Temp\AnyDesk6.0.7个人版.exe" --local-service
  2⤵
  - Checks computer location settings
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  PID:2436
- C:\Users\Admin\AppData\Local\Temp\AnyDesk6.0.7个人版.exe
  "C:\Users\Admin\AppData\Local\Temp\AnyDesk6.0.7个人版.exe" --local-control
  2⤵
  - Checks computer location settings
  - Loads dropped DLL
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:724

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\gcapi.dll

Filesize
385KB

MD5
1ce7d5a1566c8c449d0f6772a8c27900

SHA1
60854185f6338e1bfc7497fd41aa44c5c00d8f85

SHA256
73170761d6776c0debacfbbc61b6988cb8270a20174bf5c049768a264bb8ffaf

SHA512
7e3411be8614170ae91db1626c452997dc6db663d79130872a124af982ee1d457cefba00abd7f5269adce3052403be31238aecc3934c7379d224cb792d519753

Download Submit
C:\Users\Admin\AppData\Local\Temp\gcapi.dll

Filesize
385KB

MD5
1ce7d5a1566c8c449d0f6772a8c27900

SHA1
60854185f6338e1bfc7497fd41aa44c5c00d8f85

SHA256
73170761d6776c0debacfbbc61b6988cb8270a20174bf5c049768a264bb8ffaf

SHA512
7e3411be8614170ae91db1626c452997dc6db663d79130872a124af982ee1d457cefba00abd7f5269adce3052403be31238aecc3934c7379d224cb792d519753

Download Submit
C:\Users\Admin\AppData\Local\Temp\gcapi.dll

Filesize
385KB

MD5
1ce7d5a1566c8c449d0f6772a8c27900

SHA1
60854185f6338e1bfc7497fd41aa44c5c00d8f85

SHA256
73170761d6776c0debacfbbc61b6988cb8270a20174bf5c049768a264bb8ffaf

SHA512
7e3411be8614170ae91db1626c452997dc6db663d79130872a124af982ee1d457cefba00abd7f5269adce3052403be31238aecc3934c7379d224cb792d519753

Download Submit
C:\Users\Admin\AppData\Local\Temp\gcapi.dll

Filesize
385KB

MD5
1ce7d5a1566c8c449d0f6772a8c27900

SHA1
60854185f6338e1bfc7497fd41aa44c5c00d8f85

SHA256
73170761d6776c0debacfbbc61b6988cb8270a20174bf5c049768a264bb8ffaf

SHA512
7e3411be8614170ae91db1626c452997dc6db663d79130872a124af982ee1d457cefba00abd7f5269adce3052403be31238aecc3934c7379d224cb792d519753

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace

Filesize
6KB

MD5
df51187e257c9616869b3b52b3b929f7

SHA1
598e24bf6943af77786091b343aacd4bb0f94d08

SHA256
d70d113c781e6abc4f39fdf26fb6e72cf2168a6a8c6c256eef2315a09ebd9c04

SHA512
30c372b3a3173742ab5fec670cb10537cee3c59567793d51db685125c591dbfa35b090ce1181056faafadf8fc4a18612259172e02021e0ba0716d6f8dcd1443a

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace

Filesize
8KB

MD5
c825c54cb062a53cd1d1bab399f3f55e

SHA1
d3fcab6f26013e3b9f0d6575c5d89d4e576afc80

SHA256
f046c1f1308ed636ae6081d70b2598de2aa7f3f63f8e118a4cacb41130dbc1f0

SHA512
024816ab9dbfc1b60b43021d0e85084c050a8c2a1408a3be39d46d498ac2612b75cf8ddab2c6a871a1ec46477eda99c2c38ea34f2e7c6ded2246ecff56771b55

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\service.conf

Filesize
2KB

MD5
39af8785413318089f4d7505b9b92a7d

SHA1
60d4522426811f01cf8ccd2623475e37aca744b1

SHA256
57aad3bd3fa2a44cd4574a9a72798b885b71340a94148b22b4347fcbbcc6470d

SHA512
bb132df0b33b0a6dfcf1c90d8a86538cd97540350ceff7563fb0ec5e415683219249d0ac8fb3c8c7d04bde16a0b864591a57dc30c8639947c5505935a7c43fa8

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
105B

MD5
9e2aceaebf5abec0b39838b724e7d480

SHA1
13f3868be41911887ed1792fa2f9192ee0139511

SHA256
e60f6cddd30f98a1ded2474c05d69de29b17d1d8ed7d5a679316c1637a7cdfbc

SHA512
4a036a8500875ead3c9121cd6aac07f28c86dfdc7a8e04fc7bd90863e5c82935257a0939038a434e83524611a6dd3978fe5fffeed50080008d0f346e6dcabbc0

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
105B

MD5
9e2aceaebf5abec0b39838b724e7d480

SHA1
13f3868be41911887ed1792fa2f9192ee0139511

SHA256
e60f6cddd30f98a1ded2474c05d69de29b17d1d8ed7d5a679316c1637a7cdfbc

SHA512
4a036a8500875ead3c9121cd6aac07f28c86dfdc7a8e04fc7bd90863e5c82935257a0939038a434e83524611a6dd3978fe5fffeed50080008d0f346e6dcabbc0

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
329B

MD5
49d68499791576a90fda72d3e3c8dd00

SHA1
6062bce23e5862493c286a8aeacffe6b8fdc7c1e

SHA256
14d156b2e9ec77a66595d17bf32144c138efc0c592e360c68e4868c3b69e2af3

SHA512
ff372fddc98c1d2214fac3b905de91bda45dafada3c75d168b303040f66beaa0cab45381f1390c4889258e9547c7986fd058fd11a112005d5140684da3ef3507

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
329B

MD5
49d68499791576a90fda72d3e3c8dd00

SHA1
6062bce23e5862493c286a8aeacffe6b8fdc7c1e

SHA256
14d156b2e9ec77a66595d17bf32144c138efc0c592e360c68e4868c3b69e2af3

SHA512
ff372fddc98c1d2214fac3b905de91bda45dafada3c75d168b303040f66beaa0cab45381f1390c4889258e9547c7986fd058fd11a112005d5140684da3ef3507

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
450B

MD5
c603910dc51ebbe0dce56f2322c71671

SHA1
892e32faf70e10affca90b7237b6ca479536fb62

SHA256
708dd6abba6f5c33cac25aee0caabd3e53abe6f8bf9cc9f7e5d1ba7baae96378

SHA512
46ba3de6a3fe7bf7d893de1bef8d69750143d454a3ee791c103f933eb79dd394a39cca7ff6982d096187592c17e353d28efeb8205b9ff7fe68235f823dbad6a1

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
107B

MD5
f25e48e1d9e1e1398bc5fbc6885570b8

SHA1
46557c8ebb9236af6c28c9bdd317d1d25749e710

SHA256
0379e6a5dff30a991e0acdb9932cac828eb3e30ca8cc23447a2bc73ae78181db

SHA512
41e61480f5141b6950d7b96f3e4dfcca19bc480e0b11eeebdedaeb266c6e525f41f3d29a3c1c0bf8f17a3c30111d8fba7e269d5fcf84b336bee916e21881acb7

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
205B

MD5
59352c2b0c590c5fd96365d3168d723b

SHA1
53ab571639cc3e3a38032c1095985f7f4278d8fc

SHA256
079db0d18cb8ca55e8653f3d67608c5e445d32e368feb874ed3fa1d797c7c286

SHA512
2d21bcd26ef934095ca5b37aa1e66091547870f5e09c2d203dfd75923d2575f93f1a42f31e4fb7b2423b766984464ed65b048f49519837918de246a892c82828

Download Submit
memory/724-182-0x0000000002070000-0x0000000002071000-memory.dmp

Filesize
4KB

Download
memory/724-219-0x00000000009D0000-0x0000000001744000-memory.dmp

Filesize
13.5MB

Download
memory/724-152-0x00000000009D0000-0x0000000001744000-memory.dmp

Filesize
13.5MB

Download
memory/2436-227-0x00000000009D0000-0x0000000001744000-memory.dmp

Filesize
13.5MB

Download
memory/2436-218-0x00000000009D0000-0x0000000001744000-memory.dmp

Filesize
13.5MB

Download
memory/2436-151-0x00000000009D0000-0x0000000001744000-memory.dmp

Filesize
13.5MB

Download
memory/3580-165-0x0000000006E50000-0x0000000006E51000-memory.dmp

Filesize
4KB

Download
memory/3580-133-0x00000000009D0000-0x0000000001744000-memory.dmp

Filesize
13.5MB

Download
memory/3580-164-0x0000000006E20000-0x0000000006E21000-memory.dmp

Filesize
4KB

Download
memory/3580-159-0x0000000006E00000-0x0000000006E01000-memory.dmp

Filesize
4KB

Download
memory/3580-163-0x0000000006DE0000-0x0000000006DE1000-memory.dmp

Filesize
4KB

Download
memory/3580-178-0x0000000006E70000-0x0000000006E71000-memory.dmp

Filesize
4KB

Download
memory/3580-147-0x0000000003F20000-0x0000000003F21000-memory.dmp

Filesize
4KB

Download
memory/3580-181-0x00000000040A0000-0x00000000040A1000-memory.dmp

Filesize
4KB

Download
memory/3580-146-0x00000000040D0000-0x00000000040D1000-memory.dmp

Filesize
4KB

Download
memory/3580-145-0x0000000003F10000-0x0000000003F11000-memory.dmp

Filesize
4KB

Download
memory/3580-158-0x0000000006B60000-0x0000000006B61000-memory.dmp

Filesize
4KB

Download
memory/3580-135-0x0000000000650000-0x0000000000651000-memory.dmp

Filesize
4KB

Download
memory/3580-217-0x00000000009D0000-0x0000000001744000-memory.dmp

Filesize
13.5MB

Download
memory/3580-162-0x0000000006DD0000-0x0000000006DD1000-memory.dmp

Filesize
4KB

Download
memory/3580-161-0x0000000006DC0000-0x0000000006DC1000-memory.dmp

Filesize
4KB

Download
memory/3580-160-0x0000000006E10000-0x0000000006E11000-memory.dmp

Filesize
4KB

Download