fc19f3275d02764cf249dc6fe8962e06b83a4f5769cc369bc4f77b90c567df18

Analysis

max time kernel
167s
max time network
169s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
11/10/2023, 11:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

AnyDesk.exe
Size

3.8MB
MD5

e546506082b374a0869bdd97b313fe5d
SHA1

082dc6b336b41788391bad20b26f4b9a1ad724fc
SHA256

fc19f3275d02764cf249dc6fe8962e06b83a4f5769cc369bc4f77b90c567df18
SHA512

15a8d7c74193dffd77639b1356ccbe975d17de73d0d6d177b8ecf816d665f620adefcded37c141bac0b2d8564fbba61aca4d9b01885740f23fbcc190515cbd08
SSDEEP

98304:uSCb8xJlb0VgU/vZaZKa4opQILfbsLajDMWEeq7PbUs6En5:uH8HCOUZakpAbjbsLsMmqM

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AnyDesk.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	AnyDesk.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2816	AnyDesk.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
2668	AnyDesk.exe
2668	AnyDesk.exe
2668	AnyDesk.exe

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
2668	AnyDesk.exe
2668	AnyDesk.exe
2668	AnyDesk.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1456 wrote to memory of 2816	1456	AnyDesk.exe	29
PID 1456 wrote to memory of 2816	1456	AnyDesk.exe	29
PID 1456 wrote to memory of 2816	1456	AnyDesk.exe	29
PID 1456 wrote to memory of 2816	1456	AnyDesk.exe	29
PID 1456 wrote to memory of 2668	1456	AnyDesk.exe	30
PID 1456 wrote to memory of 2668	1456	AnyDesk.exe	30
PID 1456 wrote to memory of 2668	1456	AnyDesk.exe	30
PID 1456 wrote to memory of 2668	1456	AnyDesk.exe	30

C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
"C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe"
1⤵
- Checks processor information in registry
- Suspicious use of WriteProcessMemory
PID:1456
- C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
  "C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe" --local-service
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2816
- C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
  "C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe" --local-control
  2⤵
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:2668

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\gcapi.dll

Filesize
385KB

MD5
1ce7d5a1566c8c449d0f6772a8c27900

SHA1
60854185f6338e1bfc7497fd41aa44c5c00d8f85

SHA256
73170761d6776c0debacfbbc61b6988cb8270a20174bf5c049768a264bb8ffaf

SHA512
7e3411be8614170ae91db1626c452997dc6db663d79130872a124af982ee1d457cefba00abd7f5269adce3052403be31238aecc3934c7379d224cb792d519753

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace

Filesize
4KB

MD5
0a8da2870876ad4b2cbf742d880d640c

SHA1
67a8eb634821185132cb4b7e4b28e311b3c1a126

SHA256
2a66fd95ea6e6cf0b67de8ae71e77447f972727a667645c8f3a10353ab746378

SHA512
20e06620fcc87c1f7fe3525e8bec622f6ade24c706c8bbd7a644779a991cf72e4c884cd50b00bee74022668ece5d08cd688bc506a0af6d903a7520363020f6a8

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace

Filesize
8KB

MD5
72cd0e1cc3a25682aad0015c3df6dda7

SHA1
5a4b3b5955fcb3785c3d92cc9362cffbfdbc4d33

SHA256
c98a964c8142af5f02521cdaad5db3d4dc11d5b935ac37e95f925fad9c11284d

SHA512
91d566c4b29589bdb792d0ae3ff6349ee59bb9cc4c09f5832b74d2af9c65830af12cad659e79c78ef18ad1f816c24a6c3c6df1dbe68c879c7610f4f5b23bcc25

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\service.conf

Filesize
2KB

MD5
47db8a99ef4c9ba5b0811b4d0750c9af

SHA1
05b25810c2fe9f386a27947cff48de58e72812b2

SHA256
e44cbc9715cc07c4c07faade7bebdbe865bec4a0f9dd8db83d6c08d100fca02e

SHA512
7a82c71e57c679bd0b2b90224f903ba6cf0daf5a292b3745ee16aabdce650e4a9ab1c12b137da928afe3138cf615a796a828301638d55517b67ef5490dec2406

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\service.conf

Filesize
2KB

MD5
09411d71d6f3209236ed0498891660e7

SHA1
f5ac46b39d2a72582927dfa4a0e4da0a573deaa3

SHA256
de0a47cadab0dba9fde8b1a95dc5c5f730ccc55e159a4e0e8394d93e661b40bb

SHA512
5c31e4351fe126113901c9085ec91d622310b37bb8071c7be9eae8670e90384ebdfecde52b15f22c01590770891e7ae3b9612d14bb138c28357c013bb2c76bc8

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\service.conf

Filesize
2KB

MD5
09411d71d6f3209236ed0498891660e7

SHA1
f5ac46b39d2a72582927dfa4a0e4da0a573deaa3

SHA256
de0a47cadab0dba9fde8b1a95dc5c5f730ccc55e159a4e0e8394d93e661b40bb

SHA512
5c31e4351fe126113901c9085ec91d622310b37bb8071c7be9eae8670e90384ebdfecde52b15f22c01590770891e7ae3b9612d14bb138c28357c013bb2c76bc8

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
681B

MD5
7cdfea52303b37dc6e973d8e510edba9

SHA1
281ce7aa615c84387d1b7d3b42e03406fa45d6e3

SHA256
4cc12820269d48d8de8b7cc4cb0858128ea2593e09d7484e549b2502bc3d9a14

SHA512
ec5e3fddc60fb7b5ed92667eb217f140094c5e459b5e53e25a3905719b95bf06c443569538a1ddebc1208fd161670be0353bdadf4fe69d98ea18217f8b335800

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
681B

MD5
7cdfea52303b37dc6e973d8e510edba9

SHA1
281ce7aa615c84387d1b7d3b42e03406fa45d6e3

SHA256
4cc12820269d48d8de8b7cc4cb0858128ea2593e09d7484e549b2502bc3d9a14

SHA512
ec5e3fddc60fb7b5ed92667eb217f140094c5e459b5e53e25a3905719b95bf06c443569538a1ddebc1208fd161670be0353bdadf4fe69d98ea18217f8b335800

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
745B

MD5
166902b5671edd02cece51c8e5482c3d

SHA1
f1113d1739ecaa168bc241c3ac86674594d18a38

SHA256
5331c3bf06a190776740aa390f1e1fa065db9019716fc14800fdd547e8949d60

SHA512
4cf679db3caefd0b3a83fa0ab3a961a5b6aaef8a7bf3e19b717857663f79311c6b34c7feb336944e7e63269a2b4870ce78cb01979280beadbb60046765d02ff3

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
792B

MD5
c1bcfd73d68711464bd59b7da781be9e

SHA1
e9294c0569ed610c70b9a84ed96ec80fbaa55cd2

SHA256
18d03b5f2e0f54ee660da58d59606bfb5d4c0843f6c6b22cfbbefe236695099b

SHA512
cbbbc05d4816f2e92797e5eab331d70fa775eea56970c54b5597a19fb2f444cf461d0e80fb71963a11ec149c7974aeb9d57e5087a6b5fb5977900e8ea52bc4ce

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
424B

MD5
510f5fc91fa46ddfa86551a67391853f

SHA1
927bf4ec38081d014c345fe929ac02f6c58d221e

SHA256
e36865ddf3677415220b5b6c49a2df55a3bb814a4163b0f7d3a3eb556926b771

SHA512
88042587b09d867c026bdb9403c60eec2fd0e9db83e2a3dc7f630cb22c3b96a06089e3cd5dd12a223cceba66407eea7a1e1555beb8841e55d36025f4e74bf68d

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
424B

MD5
4db16961645bba8af1c30976138231c6

SHA1
ab940766b98281dfbdd2e0d50703890642a37e2a

SHA256
1148efbbc5abcd81db5381d50de752168b31b5787a5bdfd5b810561d7cc7be7c

SHA512
07d1d17373dd59ce91ab216100d81f7930fbed5ba46499a78d057e7cd55104f964d55a69e749fb9d552eb1405ceb779438dd59c7cb39792ad8e138252c6d5517

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
424B

MD5
4db16961645bba8af1c30976138231c6

SHA1
ab940766b98281dfbdd2e0d50703890642a37e2a

SHA256
1148efbbc5abcd81db5381d50de752168b31b5787a5bdfd5b810561d7cc7be7c

SHA512
07d1d17373dd59ce91ab216100d81f7930fbed5ba46499a78d057e7cd55104f964d55a69e749fb9d552eb1405ceb779438dd59c7cb39792ad8e138252c6d5517

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
fea0431f4c143f9f17663b4a3088cf8b

SHA1
e485865df571e085fe32abb1065a5e800d48ed39

SHA256
a9c94d0b7ac6c7c29b99045528660e87919fa9a2628bac60833e1b0a4c9d2859

SHA512
ebfe9b7679c444ece6049e0ca42c8196c31f7344579ab4207e35fbef9adf3d7efd73b51c586f00cf24fe4934702d7471f4b3408d784327a096828c824cafbba3

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
5KB

MD5
9d79b81cf078a2d3f9c68c262428ba86

SHA1
f4152cf9d2e9020da2b50e52786cb533a086b4f6

SHA256
4eeea2b67fc632f5b38d8c4d30c35311c8751602a3e3aa7e5826e6ccd473e5c4

SHA512
2a458cff7182eac498255ffb043bdf36dae2d1c7a8a87d511f7baefe468110ee0996a7f756671296ac812f4efdd0750718532b7f0cb2b03fe4fb1c49318b855d

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
5KB

MD5
9d79b81cf078a2d3f9c68c262428ba86

SHA1
f4152cf9d2e9020da2b50e52786cb533a086b4f6

SHA256
4eeea2b67fc632f5b38d8c4d30c35311c8751602a3e3aa7e5826e6ccd473e5c4

SHA512
2a458cff7182eac498255ffb043bdf36dae2d1c7a8a87d511f7baefe468110ee0996a7f756671296ac812f4efdd0750718532b7f0cb2b03fe4fb1c49318b855d

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
5KB

MD5
ad778da1f870f578a323c54ac0edff55

SHA1
b70190cd0005a3b0296dc58185a46b6ecc5f85e7

SHA256
181dd908acbe04fe4d1ed9f4466e2d099836ce7942e3829a0e8a658637c6ccd2

SHA512
28412bbaa0ed67bdb82eaa37e77982d0d4b1cc12a8332fabb0b582f62990f5bc725c28ab2f36d896540bfd98740f0b8d6886cf5abd21c877a5944ca78e9fe91e

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
5KB

MD5
ad778da1f870f578a323c54ac0edff55

SHA1
b70190cd0005a3b0296dc58185a46b6ecc5f85e7

SHA256
181dd908acbe04fe4d1ed9f4466e2d099836ce7942e3829a0e8a658637c6ccd2

SHA512
28412bbaa0ed67bdb82eaa37e77982d0d4b1cc12a8332fabb0b582f62990f5bc725c28ab2f36d896540bfd98740f0b8d6886cf5abd21c877a5944ca78e9fe91e

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
5KB

MD5
c915b14456190d837488775103b08353

SHA1
d8abd7dc14343c41160aee358d353ae4767fb6d0

SHA256
b017e491b68c8c992c5558dc03abc010117b4e8ed51745b841596327ea57968f

SHA512
5e32a16508091c46694dcadefbeddceac21faace9a4334261bd38a5489ec40d1cf4fbfde7f2e204a34ca32661cabfc336d7e914be2b27b12bf7435fc56e7eff0

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
5KB

MD5
f443139ad07ad45726c11e7ee1f22c53

SHA1
9e8ed153790a33481a492e87425e54395990fac5

SHA256
a6115dc7ccbec16e26f8eb707f514f64d2ed4c950077ff70a585301abeebc027

SHA512
7a32e141fe259bb38d7826e641a7bbfe681bbb9536bf3c76708291d5adfdbadd531d55ef78bf5aded68d2cda096cb348b0a25f35c11383a39c7911a43b00e5d7

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
5KB

MD5
17055b1b8dcdad045b1457b1cb979d68

SHA1
37fc29263536baa1111f434681b6fbffd7b58944

SHA256
9db1faa5cf81cb9e47e07dc098ca61c4004d780c3c004c56bb1b39167ad1be71

SHA512
14ca56cdd126e1ecfef966738df1464dbe05ad005c597a60b42e423f31020ea906823f8637ab20f513ee3085bdde445a036f98d078fa8c925f6a3ee77a69642f

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
dda5b1eafa1cb9bda254d84a80783c18

SHA1
bd3adeeca0bba0483db09d8dbfbfb9bfe8a74628

SHA256
1c34aed38ace82f9f75af8056c19dbd9e4bd0e970545b3bfbecb55cf0fcb6d8d

SHA512
9026b76c8650083ae820510fc4e0f3356d04e0abd80492c50623890f413ced163d06edbbafeeaef762cd957d04df0b2d7a0e44164cc7be631196db078a9cae2e

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
40de1908f0ac8649d97975a6cd585dfa

SHA1
f55af0af93612e31d9609fcf56c638b505d846c0

SHA256
e060680fb10387b501a751a0ef46e5516b0ff153cb4b688a8c09a511fca523f6

SHA512
e47ca10b3ed84d21ed076616b5ad2ec47859c726752aaeb02261f396e7d5de815135efc9b705fa5819799bdeb4a7ef3cde98b45f72c33f0bac34950b75ca64fb

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
40de1908f0ac8649d97975a6cd585dfa

SHA1
f55af0af93612e31d9609fcf56c638b505d846c0

SHA256
e060680fb10387b501a751a0ef46e5516b0ff153cb4b688a8c09a511fca523f6

SHA512
e47ca10b3ed84d21ed076616b5ad2ec47859c726752aaeb02261f396e7d5de815135efc9b705fa5819799bdeb4a7ef3cde98b45f72c33f0bac34950b75ca64fb

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
22d8288a7efc78e9b4bd8b2c2524b043

SHA1
0aea549f53acda04f976ce59a63c99d7f9ca4c56

SHA256
3e2b58817f60b5345fec51ee9fe9fb283046252a660f1d58bfff6a7b866d92fa

SHA512
2d35ade4f2a7b0598abb77da2e7b07a45ee80d553e239344eada5d150f8b0fa5d893d96a2117a1a299920a8e1099a48c4e2bb1640ad0e8e8a37132c65d7108b9

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
22d8288a7efc78e9b4bd8b2c2524b043

SHA1
0aea549f53acda04f976ce59a63c99d7f9ca4c56

SHA256
3e2b58817f60b5345fec51ee9fe9fb283046252a660f1d58bfff6a7b866d92fa

SHA512
2d35ade4f2a7b0598abb77da2e7b07a45ee80d553e239344eada5d150f8b0fa5d893d96a2117a1a299920a8e1099a48c4e2bb1640ad0e8e8a37132c65d7108b9

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
22d8288a7efc78e9b4bd8b2c2524b043

SHA1
0aea549f53acda04f976ce59a63c99d7f9ca4c56

SHA256
3e2b58817f60b5345fec51ee9fe9fb283046252a660f1d58bfff6a7b866d92fa

SHA512
2d35ade4f2a7b0598abb77da2e7b07a45ee80d553e239344eada5d150f8b0fa5d893d96a2117a1a299920a8e1099a48c4e2bb1640ad0e8e8a37132c65d7108b9

Download Submit
memory/1456-117-0x0000000000280000-0x00000000012FE000-memory.dmp

Filesize
16.5MB

Download
memory/1456-27-0x0000000003150000-0x0000000003151000-memory.dmp

Filesize
4KB

Download
memory/1456-243-0x0000000000280000-0x00000000012FE000-memory.dmp

Filesize
16.5MB

Download
memory/1456-0-0x0000000000280000-0x00000000012FE000-memory.dmp

Filesize
16.5MB

Download
memory/1456-2-0x0000000000280000-0x00000000012FE000-memory.dmp

Filesize
16.5MB

Download
memory/1456-3-0x0000000000280000-0x00000000012FE000-memory.dmp

Filesize
16.5MB

Download
memory/1456-94-0x00000000046E0000-0x00000000046E1000-memory.dmp

Filesize
4KB

Download
memory/1456-5-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download
memory/1456-28-0x0000000003160000-0x0000000003161000-memory.dmp

Filesize
4KB

Download
memory/1456-45-0x0000000000280000-0x00000000012FE000-memory.dmp

Filesize
16.5MB

Download
memory/2668-44-0x0000000000100000-0x0000000000101000-memory.dmp

Filesize
4KB

Download
memory/2668-119-0x0000000000280000-0x00000000012FE000-memory.dmp

Filesize
16.5MB

Download
memory/2668-12-0x0000000000280000-0x00000000012FE000-memory.dmp

Filesize
16.5MB

Download
memory/2668-52-0x0000000000280000-0x00000000012FE000-memory.dmp

Filesize
16.5MB

Download
memory/2668-114-0x0000000000280000-0x00000000012FE000-memory.dmp

Filesize
16.5MB

Download
memory/2668-254-0x0000000000280000-0x00000000012FE000-memory.dmp

Filesize
16.5MB

Download
memory/2816-46-0x0000000000280000-0x00000000012FE000-memory.dmp

Filesize
16.5MB

Download
memory/2816-13-0x0000000000280000-0x00000000012FE000-memory.dmp

Filesize
16.5MB

Download
memory/2816-113-0x0000000000280000-0x00000000012FE000-memory.dmp

Filesize
16.5MB

Download
memory/2816-118-0x0000000000280000-0x00000000012FE000-memory.dmp

Filesize
16.5MB

Download
memory/2816-253-0x0000000000280000-0x00000000012FE000-memory.dmp

Filesize
16.5MB

Download