7c20393e638d2873153d2873f04464d4bad32a4d40eabb48d66608650f7d4494

Analysis

max time kernel
143s
max time network
146s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
12/10/2023, 00:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

AnyDesk.exe
Size

3.7MB
MD5

36d6be2d72171c741e2989a578011cd8
SHA1

a1d46b3c7418d8d29208f352e27f5c9af62006e9
SHA256

7c20393e638d2873153d2873f04464d4bad32a4d40eabb48d66608650f7d4494
SHA512

b686a2963dd4679101eaedafc4cdd62450e91d91a59d19cf0f37bd0df76bdddfecdf66efa1dfa4a7a6390ddc37bfdbeb1fff49d1db4773fb9b718df0810dd659
SSDEEP

98304:Agps0DrlKJ+vUYhWlO8M2xT6pX2fvnY8nIoVgUrWLHJi:VwJ6b58M5pWnY6Io3WM

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AnyDesk.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	AnyDesk.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2668	AnyDesk.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
2804	AnyDesk.exe
2804	AnyDesk.exe
2804	AnyDesk.exe

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
2804	AnyDesk.exe
2804	AnyDesk.exe
2804	AnyDesk.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2800 wrote to memory of 2668	2800	AnyDesk.exe	28
PID 2800 wrote to memory of 2668	2800	AnyDesk.exe	28
PID 2800 wrote to memory of 2668	2800	AnyDesk.exe	28
PID 2800 wrote to memory of 2668	2800	AnyDesk.exe	28
PID 2800 wrote to memory of 2804	2800	AnyDesk.exe	29
PID 2800 wrote to memory of 2804	2800	AnyDesk.exe	29
PID 2800 wrote to memory of 2804	2800	AnyDesk.exe	29
PID 2800 wrote to memory of 2804	2800	AnyDesk.exe	29

C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
"C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe"
1⤵
- Checks processor information in registry
- Suspicious use of WriteProcessMemory
PID:2800
- C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
  "C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe" --local-service
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2668
- C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
  "C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe" --local-control
  2⤵
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:2804

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\gcapi.dll

Filesize
385KB

MD5
1ce7d5a1566c8c449d0f6772a8c27900

SHA1
60854185f6338e1bfc7497fd41aa44c5c00d8f85

SHA256
73170761d6776c0debacfbbc61b6988cb8270a20174bf5c049768a264bb8ffaf

SHA512
7e3411be8614170ae91db1626c452997dc6db663d79130872a124af982ee1d457cefba00abd7f5269adce3052403be31238aecc3934c7379d224cb792d519753

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace

Filesize
6KB

MD5
d3d92134519c4d2d12035bfb99d66867

SHA1
d940656335a6a999a9f668bd0d05b48ee83dd550

SHA256
97ca267d0743915cc9c2921ede054af3ba184dfe68f308a6f0e3f043a1cf3aa8

SHA512
9d5f3d87c2058554b07763ee3cf41287f835c061ee8a9caf2cff193e263c09f7968f28706eb5b08bf12b9ca61671b3788c4368719ecad171dea90a480800d05e

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace

Filesize
6KB

MD5
d3d92134519c4d2d12035bfb99d66867

SHA1
d940656335a6a999a9f668bd0d05b48ee83dd550

SHA256
97ca267d0743915cc9c2921ede054af3ba184dfe68f308a6f0e3f043a1cf3aa8

SHA512
9d5f3d87c2058554b07763ee3cf41287f835c061ee8a9caf2cff193e263c09f7968f28706eb5b08bf12b9ca61671b3788c4368719ecad171dea90a480800d05e

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\service.conf

Filesize
2KB

MD5
5d247efaa1bdf594fb658f2f9687e362

SHA1
9b348027ecd61221169cd97662694369ab777eba

SHA256
ff67d402fbea33df30697edf3aa24dfae910ee636b2ebee1d9a47f8635e58c5f

SHA512
f5829cb0752fda83b9b2747badc9165bcf4af80d9a90c6640709a3c1968f64cd5172374ad20df12b4ae1fc250827e104aef4db4ac0068d8724c359f36644d9b8

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
751B

MD5
63737a4e61e8d1588c0774bb59cd1e72

SHA1
35b65febb5811e0051d515a845a709d9c4c50415

SHA256
41be8a26aae873eda3047b3d993f75f587f6d0b97f5fc867b59d951c502e69ad

SHA512
57bb8876241c933a388641d82190194f9ad99d24e215763aa71d1c4473c802be86120679bb3c14f0f25e5f9d5649649cd4ae9cd0e30ac31d611af7773c01e942

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
820B

MD5
695f4446fdcee7be192a64982586eccc

SHA1
fe2a0d3e39d41f5c1e2fa648d61b16681613fcf2

SHA256
395440ee8750d836629b6157decfcedf96ed65b12fc1d1c6cf4d4025be14fc5b

SHA512
def4135f316aaf2a04870b77a62615ff0a85839398b5ca81f8d2017263b4f8782c1279ecb610c081c5f18fc47ca1647710d96089d12c5517775792de8f2b2603

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
283B

MD5
979412445e04edddb523bbf64f2d9e25

SHA1
c627de03ba6be7c2e52c4ac0c8494b250f8ea4fb

SHA256
c253a9db55efeb183543baa5965f0d279b0e4ecd7e6211e231e8e8f5c8dfe596

SHA512
f548475ee4e83bfe01c39444c90502f86cf5245eb51335d3d13186b967df0f7cacaf9ce5125f3ce104e08a1f27c215af08bf185afe771d74ee5c0872aa7f4c3d

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
395B

MD5
e32d12310c15ce88c153eea200a8cd26

SHA1
4e0c789543f71de96cef53ca005500025eedf468

SHA256
26cbc83500aaa29838bf46eae62b86abc0a3e7665a3fcbe3e8c851290f483bc3

SHA512
bbddcf54c930cf9c209b2012ec088aea76880c5e7e3a861e1b09249300ac65ad82cbce2a10cc6f34a4c52d22421170be2f6a874a923bd05026243d03045f8a90

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
583B

MD5
c869b17a97706c8c9c3703133912d6fd

SHA1
17628700f5160a659f8ab623255558524d6cde8a

SHA256
0c4674dd82be1bba50efd757fd031018b858432a844ab35de5b9f18202e7ddf3

SHA512
6fb4ba9a299ef438316403fcde3ec2c37a0d5f992be6257cbc1870bcd19c863de655a44c49736381ed2b38edccdf9f96617cdb09d189b38e97751f86075f7244

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
640B

MD5
fa560b6560b39bd50ad803b5804be338

SHA1
ed5f03f72caeed15b377204d43bdaa2ea0e754a5

SHA256
99765bdb492ad976feedb6c2ed9b26e5a07741b2f61351db84c83a0078e3ec4e

SHA512
c6c3dbc40f67beda7f33090ced34a4a91edaf0deb0b3f49f681be886abc653cb1998b869e183cbf7b1a88e08327af9e7b7bc25f6eb2dc8451447905207ac2cd8

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
704B

MD5
dfdb96f88002b836ac3d3a7d72650949

SHA1
0e28f9af32bda0a7de12a688d4065e75dcb3e553

SHA256
4b73b9508218b64c48d55798c08724a76259a8a948da853546176ff9b87b7cef

SHA512
df1efbb6c7c6d12e6d3bcc8cd1261b01e82e0d7d1d8b94cffecd9c388d5690083fa00d0af54b6764766b96957c26c0341729bb42cd4fec19fdd08b057531eb0d

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
6e8a6be817b554f22ac14b0ea6b9a2f0

SHA1
817757c90a90585899d5804abfc5cc82003e9497

SHA256
95ffa165860a3e5f8e641710775e50197eda2727be05f16ecfc298f2217ad65e

SHA512
21efbc27ae302e13bc1db2ae0da58049d85d0508e20c7c469d9ffd0d022affb7dfc04410c59c7206bb36c1ad30ee76041066a14e983e68fd247acf9c02aec71a

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
f585522f77175c484effe5e4337b9efe

SHA1
1b9abd940132b2d643bf0ba4d32d175671d99064

SHA256
1e333e1772bdaeac173db17fe5408e73b41dc7939254dc21bc9bdb8ddb9e5ac6

SHA512
e3859751551d8e78f958c7e41a2708c39de64b8878a8e87b03f6ac9106e0a5d49bc14a8b55f078fa2c463aa1a36e4de0085d084bff5346d460a647d9b26226ec

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
eb3f2ba72ac75e7591b1462659d7b548

SHA1
0c5dd91c2cbf24d6331997b8d3b0d41f72972aaa

SHA256
ab8dc82011f9775ac1e6b659c7e171356f19d9bcb28a4719d9ffe51e1c312bb3

SHA512
32215ba81f2b77119360d9de0736ffa0aab3165ac33149fd80a34c7f6a53716ebec62dc9dea8162e537b4645c2d999af56f713ddafe42d5532514fd5192effeb

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
11f47295fb4b6172acd1594ef5fd7eb2

SHA1
fc2ff13522b36e50c59190d6a04f6c889bd5d00f

SHA256
9519d52fc07146fa084d535385cbe4ca5f34be515ae50aae7d71fb364bb9fdb5

SHA512
19e752cdddf6b98c2fb33f8b8f3e53bcd4841f27072f727c7b5c81f403243027f19091eeb11ed2fd911a54bd3991f29850129bf069487cda1247c1fd0fc5bcf7

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
aef94f2806ea15c30af3f995393532d2

SHA1
ccc8251a39245835d6d2cb5d2bbe635b3da5844e

SHA256
7786e2e16754975c854e83d025f7d0e1aec1d9933c6cc3ea0cf96594862e02b8

SHA512
37ac21507bf6f0c4b6ce3e6d17b986d8e54fc99a8ffe6850647c147c407f4277f5d89b6256c1fccbadf16dffab8e1630f723eaa9163fa395ca6ae3ca3f7f0799

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
11f47295fb4b6172acd1594ef5fd7eb2

SHA1
fc2ff13522b36e50c59190d6a04f6c889bd5d00f

SHA256
9519d52fc07146fa084d535385cbe4ca5f34be515ae50aae7d71fb364bb9fdb5

SHA512
19e752cdddf6b98c2fb33f8b8f3e53bcd4841f27072f727c7b5c81f403243027f19091eeb11ed2fd911a54bd3991f29850129bf069487cda1247c1fd0fc5bcf7

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
faecf61607f0c93cf05ffdda2806ac2d

SHA1
465d103ab6f480cafc9f13b040ae7e5abd3840ac

SHA256
fee0e566f61f8959ae4826072354583314028f12b60e56fef5be510b7a8354dd

SHA512
151e7c963de66fa3ba63499ffa176c3ef6ed7d0cf4f4177629c05645a591835afc7028378f1654c33feb80fdddc8321067008c418889dc7dfb0dd6a5c32d3bca

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
2KB

MD5
fb66197cba4ab224cc11b66ca07b0281

SHA1
aa9ff2ac0c6b7efee9019c73c60c22ca6da3ad5f

SHA256
5c7bf8701256ae34ed7464d1ca31c700a2f895e29ba73a162920fdab1108015c

SHA512
501e5297b7e7b49509a318633bc8929b7f4167615bd4ab288fbea12ea3173aa7072f0b576579a14a6c7afb5091592bbeb1ed7cd2b0f9352faa3817a2b89c6894

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
2KB

MD5
65244646a2795034c80970c0f3621d8e

SHA1
5a38bc121ad11ebf4e6a952115e481c99d90528c

SHA256
e1e8863e55db0ef55322525cce4284cad302040027b7ad95e82d62a5f93bd003

SHA512
b346652edfc9b9d87da4fc160b2f918045846c18bc902c9dd465776fe59a369562c108d798f1c9e8fef8a88b4d8c49e8da67e1d6274bb8a65b1fb2d270370b25

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
2KB

MD5
65244646a2795034c80970c0f3621d8e

SHA1
5a38bc121ad11ebf4e6a952115e481c99d90528c

SHA256
e1e8863e55db0ef55322525cce4284cad302040027b7ad95e82d62a5f93bd003

SHA512
b346652edfc9b9d87da4fc160b2f918045846c18bc902c9dd465776fe59a369562c108d798f1c9e8fef8a88b4d8c49e8da67e1d6274bb8a65b1fb2d270370b25

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
2KB

MD5
e1cac9ff7d6514226ac68221879821ed

SHA1
b61e2047df77b2819d26c9676e949b15b7b0725d

SHA256
4868b602a7cd265d8741853c6dad96ef053de41be4d2bd08e81ed53695731b71

SHA512
f91443a999c6b3a4b14dc25d0bb6a66a7a90b30b2485a4e73525ac46725a98ee69e5dbca3a0fcffa65922f0a54cb7753e92dacb36dae4c298463f12aedcf9958

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
2KB

MD5
1ad7dbffdfde0fb9526f51f5292c4f37

SHA1
6bf3a6fa68622d418dba4acfd293d62527e3c1d6

SHA256
ad454d5de165c7c70865083e47e0c1e042b48609cae8ef4b21f4d35813b7d813

SHA512
5c64b829256b17d8fdebf521f9dded48c8a4252af0fd471a9c076c589b756dbad45c864b431069bdc4dff48839d1b9c44af8905efa5b85ec837c45720cf62c18

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
48adf2456d64e5eb1be660b1266040db

SHA1
6d754db9b312342a8e18f73a7df2a5961670f80c

SHA256
4bcf5edae1cf5aeec96d47c906fb2d1965ca83e5e965b6023f7c6eeb1ff371f5

SHA512
2dc58eefc333de8d8c0155c551e85b7ee58e068bafbbec2583663b7248674ace46ba1f1344a18a3662e6102de2338a5d9bcb098fa43a72cc40dedeaf32fcba90

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
48adf2456d64e5eb1be660b1266040db

SHA1
6d754db9b312342a8e18f73a7df2a5961670f80c

SHA256
4bcf5edae1cf5aeec96d47c906fb2d1965ca83e5e965b6023f7c6eeb1ff371f5

SHA512
2dc58eefc333de8d8c0155c551e85b7ee58e068bafbbec2583663b7248674ace46ba1f1344a18a3662e6102de2338a5d9bcb098fa43a72cc40dedeaf32fcba90

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
48adf2456d64e5eb1be660b1266040db

SHA1
6d754db9b312342a8e18f73a7df2a5961670f80c

SHA256
4bcf5edae1cf5aeec96d47c906fb2d1965ca83e5e965b6023f7c6eeb1ff371f5

SHA512
2dc58eefc333de8d8c0155c551e85b7ee58e068bafbbec2583663b7248674ace46ba1f1344a18a3662e6102de2338a5d9bcb098fa43a72cc40dedeaf32fcba90

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
106006c5906bf8008c0e2e249762c6d4

SHA1
df7dfe4f8a1e374f2e2116a0c459ef61ed276c1a

SHA256
ab28f6ff68f3f35a4ba838df88084be4b0550da2ed60ca0669b2066e5873c975

SHA512
147b83d455d53f85c579c4b50df68fa23ecaecd715cd1308c866c42e08340449a8ed198e59916abf8ba93b278004329bcdefa4a5ca26b0dea03410733a761687

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\75fdacd8330bac18.customDestinations-ms

Filesize
3KB

MD5
15f2fcde4036f87400b0ed8579fbc0b2

SHA1
85ce97bdd6420120cd3667c11a5f9d16a1bc5cfc

SHA256
10978cf2c8ee31854608ebb415d415247dca27705829d06a9ab7fbc8dc2a36c8

SHA512
4c86ae9c67978d1204bc7869b9c9b26573d06beba74673f0fc950f803437926ba58b59cf6cd2bd0a788a7a014872e9ead2a4b3ea9ce3b4a7d92618d7ba1f1cf1

Download Submit
memory/2668-82-0x0000000001130000-0x00000000020C3000-memory.dmp

Filesize
15.6MB

Download
memory/2668-153-0x0000000001130000-0x00000000020C3000-memory.dmp

Filesize
15.6MB

Download
memory/2668-132-0x0000000001130000-0x00000000020C3000-memory.dmp

Filesize
15.6MB

Download
memory/2668-54-0x0000000001130000-0x00000000020C3000-memory.dmp

Filesize
15.6MB

Download
memory/2668-16-0x0000000001130000-0x00000000020C3000-memory.dmp

Filesize
15.6MB

Download
memory/2800-0-0x0000000001130000-0x00000000020C3000-memory.dmp

Filesize
15.6MB

Download
memory/2800-3-0x00000000000B0000-0x00000000000B1000-memory.dmp

Filesize
4KB

Download
memory/2800-42-0x0000000000D50000-0x0000000000D51000-memory.dmp

Filesize
4KB

Download
memory/2800-1-0x0000000001130000-0x00000000020C3000-memory.dmp

Filesize
15.6MB

Download
memory/2800-10-0x0000000001130000-0x00000000020C3000-memory.dmp

Filesize
15.6MB

Download
memory/2800-53-0x0000000001130000-0x00000000020C3000-memory.dmp

Filesize
15.6MB

Download
memory/2800-24-0x0000000000CB0000-0x0000000000CB1000-memory.dmp

Filesize
4KB

Download
memory/2800-131-0x0000000001130000-0x00000000020C3000-memory.dmp

Filesize
15.6MB

Download
memory/2800-41-0x0000000004510000-0x0000000004511000-memory.dmp

Filesize
4KB

Download
memory/2800-4-0x0000000001130000-0x00000000020C3000-memory.dmp

Filesize
15.6MB

Download
memory/2804-13-0x0000000001130000-0x00000000020C3000-memory.dmp

Filesize
15.6MB

Download
memory/2804-138-0x0000000001130000-0x00000000020C3000-memory.dmp

Filesize
15.6MB

Download
memory/2804-49-0x00000000000B0000-0x00000000000B1000-memory.dmp

Filesize
4KB

Download
memory/2804-55-0x0000000001130000-0x00000000020C3000-memory.dmp

Filesize
15.6MB

Download