7c20393e638d2873153d2873f04464d4bad32a4d40eabb48d66608650f7d4494

Analysis

max time kernel
181s
max time network
192s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
12-10-2023 00:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

AnyDesk.exe
Size

3.7MB
MD5

36d6be2d72171c741e2989a578011cd8
SHA1

a1d46b3c7418d8d29208f352e27f5c9af62006e9
SHA256

7c20393e638d2873153d2873f04464d4bad32a4d40eabb48d66608650f7d4494
SHA512

b686a2963dd4679101eaedafc4cdd62450e91d91a59d19cf0f37bd0df76bdddfecdf66efa1dfa4a7a6390ddc37bfdbeb1fff49d1db4773fb9b718df0810dd659
SSDEEP

98304:Agps0DrlKJ+vUYhWlO8M2xT6pX2fvnY8nIoVgUrWLHJi:VwJ6b58M5pWnY6Io3WM

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AnyDesk.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	AnyDesk.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2976	AnyDesk.exe
2976	AnyDesk.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
3432	AnyDesk.exe
3432	AnyDesk.exe
3432	AnyDesk.exe

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
3432	AnyDesk.exe
3432	AnyDesk.exe
3432	AnyDesk.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4784 wrote to memory of 2976	4784	AnyDesk.exe	88
PID 4784 wrote to memory of 2976	4784	AnyDesk.exe	88
PID 4784 wrote to memory of 2976	4784	AnyDesk.exe	88
PID 4784 wrote to memory of 3432	4784	AnyDesk.exe	89
PID 4784 wrote to memory of 3432	4784	AnyDesk.exe	89
PID 4784 wrote to memory of 3432	4784	AnyDesk.exe	89

C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
"C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe"
1⤵
- Checks processor information in registry
- Suspicious use of WriteProcessMemory
PID:4784
- C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
  "C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe" --local-service
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2976
- C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
  "C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe" --local-control
  2⤵
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:3432

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\gcapi.dll

Filesize
385KB

MD5
1ce7d5a1566c8c449d0f6772a8c27900

SHA1
60854185f6338e1bfc7497fd41aa44c5c00d8f85

SHA256
73170761d6776c0debacfbbc61b6988cb8270a20174bf5c049768a264bb8ffaf

SHA512
7e3411be8614170ae91db1626c452997dc6db663d79130872a124af982ee1d457cefba00abd7f5269adce3052403be31238aecc3934c7379d224cb792d519753

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace

Filesize
6KB

MD5
83006309e4dbb369f7d67e1361f22789

SHA1
a25013f03d6dfd073956408683b2100f6bb7a2ff

SHA256
fc10acc26bc4d5b1f61f03582618cf3dfdab5caa2661ea9058f4b90b837e2c2c

SHA512
b4dba182318e6069b5aab4c61f2d93cfa163e4b1f05408f9ddaf067d33fe2a673494fc7bac90d848d954b47c6a448b451e0e6b6c16508dbbdb5dea5e1b40994c

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace

Filesize
6KB

MD5
83006309e4dbb369f7d67e1361f22789

SHA1
a25013f03d6dfd073956408683b2100f6bb7a2ff

SHA256
fc10acc26bc4d5b1f61f03582618cf3dfdab5caa2661ea9058f4b90b837e2c2c

SHA512
b4dba182318e6069b5aab4c61f2d93cfa163e4b1f05408f9ddaf067d33fe2a673494fc7bac90d848d954b47c6a448b451e0e6b6c16508dbbdb5dea5e1b40994c

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\service.conf

Filesize
2KB

MD5
e58970910786350fae374c98a34d2348

SHA1
624178b9899e01431933d317c88f883c3e1db6a4

SHA256
72bc06e8ffc5b299c96ef36ba3509503c8a9064c0f48d0ddbf4bfba93565487f

SHA512
20b9ea7ff74e7e0a30051bf4aa6a13fbf688a55de83e50e21aad734e8d517bbd609d19b1b00b1618a051bdf1320ce41a8fe36939a18a7489b1cab9d8af65b14d

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
283B

MD5
979412445e04edddb523bbf64f2d9e25

SHA1
c627de03ba6be7c2e52c4ac0c8494b250f8ea4fb

SHA256
c253a9db55efeb183543baa5965f0d279b0e4ecd7e6211e231e8e8f5c8dfe596

SHA512
f548475ee4e83bfe01c39444c90502f86cf5245eb51335d3d13186b967df0f7cacaf9ce5125f3ce104e08a1f27c215af08bf185afe771d74ee5c0872aa7f4c3d

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
395B

MD5
ec5c4ed3113ee780bfa10dbc0afe5afb

SHA1
c820dec11fd9598b0460fcc75f06f6a507658732

SHA256
97066200c3f54390f39c6ea7619f4970307aa7a4b20b0147316ad60209002f5b

SHA512
9af7e62c8822947a5acfdd7dd059a8b5a0fa294cc6c37e5ee4b50314f19bb3f1b9ff5ddfa93482d366996efa18d55e09f3010592bf579f96f1385c6f8dfc9659

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
395B

MD5
ec5c4ed3113ee780bfa10dbc0afe5afb

SHA1
c820dec11fd9598b0460fcc75f06f6a507658732

SHA256
97066200c3f54390f39c6ea7619f4970307aa7a4b20b0147316ad60209002f5b

SHA512
9af7e62c8822947a5acfdd7dd059a8b5a0fa294cc6c37e5ee4b50314f19bb3f1b9ff5ddfa93482d366996efa18d55e09f3010592bf579f96f1385c6f8dfc9659

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
652B

MD5
2630c00c9bb07c4041274b6230185e4e

SHA1
bcc6bdbfa235628b0a53de7512bdab875dac6f2e

SHA256
8a9ca17696f7f1f7a927ee1a1be315a5bb5ae732367c538a0bfa1af3f48e1dc0

SHA512
7d4c28480ac51ffc803466abdf832db8ba0e864c84f304a42c5f3cfe9265e4737b3109f529134f6793e76f10718eb13d7a7c69820ffb8106b306387dabcb9489

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
652B

MD5
2630c00c9bb07c4041274b6230185e4e

SHA1
bcc6bdbfa235628b0a53de7512bdab875dac6f2e

SHA256
8a9ca17696f7f1f7a927ee1a1be315a5bb5ae732367c538a0bfa1af3f48e1dc0

SHA512
7d4c28480ac51ffc803466abdf832db8ba0e864c84f304a42c5f3cfe9265e4737b3109f529134f6793e76f10718eb13d7a7c69820ffb8106b306387dabcb9489

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
709B

MD5
ee46792e4b567e83c7dbc9b7436309b6

SHA1
5a307912d089741f78123b915db73ff029f8539c

SHA256
ea8d7d5b8d7429c8fae1a1cb469b3e1fe55838b717c224ecd442175ea446879e

SHA512
14370e12262dc1b4756c7d6c47b0a3426e7ff2328d4c058a4e1164d69f1aac0fa1c0bf3913c91790accb91c9bedd28cec2766f0931f2bfd3dd0d5ff1df907ef5

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
773B

MD5
17a48172538a79e1c002232206468547

SHA1
4dd0e69256d3379410ebb9ad208d4a91301c46de

SHA256
b43c29f8e7a6e8bd231c669c8851f710c84cdcd5557fce9e56704089158841c9

SHA512
4a1808f32769e64163f4e6738794794ea862c3b81beb4716f120fc9d08373c3ef060a90fd5f61d9667ae37b9affab4a8af222a9c177f4bd9417c78f3cee48b13

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
820B

MD5
ecdc803a5725edd5abd2bdd7466543b0

SHA1
73b777bcfe9b19f28433ad4cce68a1531852086a

SHA256
9b254388b0a6eecc4a8b90b9710473d87315477abed783fc1123341f2c7bebb2

SHA512
fdc0cdb8cacc36b50e2e796dd6d09af9f2068bce4db3e698bc28dbf70e06c1092fdbb7ac9f65ff03f63206b0be134e5959407c2bbe649e97eda4bb1f64b0bed3

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
820B

MD5
ecdc803a5725edd5abd2bdd7466543b0

SHA1
73b777bcfe9b19f28433ad4cce68a1531852086a

SHA256
9b254388b0a6eecc4a8b90b9710473d87315477abed783fc1123341f2c7bebb2

SHA512
fdc0cdb8cacc36b50e2e796dd6d09af9f2068bce4db3e698bc28dbf70e06c1092fdbb7ac9f65ff03f63206b0be134e5959407c2bbe649e97eda4bb1f64b0bed3

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
2KB

MD5
e3464ee57c6405a7a5c2dc0c1da76e39

SHA1
4a83483f6113fb70e7af89ae788864bb03d57372

SHA256
fb0f6691c282ad63ac0dd820e70d7ec4f92e385c1c10e057b76898a75cabbf0f

SHA512
d3f25f3f53e8bba4d76631ee3d2f2bf481fedfc085fe922d9ba3bb1d6c8be96c885e770f1144dbabd76390b5d330c41beb0742405258b463650cdfbee079a3b5

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
8ae33c173aa85e325e92ff5abdc6b2a0

SHA1
6df0e1e8c1024ea5298950e41fe88b7247921d3a

SHA256
4b55fe375640173bef7287ed37ded7e524a39034b5b9b93245d6af0545eb8117

SHA512
f6e3cedec823f4d6bde7a3ef9afe00c21e6277d9da1fc8210b930cac7244f0caf8bbd786154a5e23875147ad1880ee1757666b409e604701915347c502f8e2eb

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
49da62ecf8257ad77f802ce08f9f1139

SHA1
3cd365f5a7938aa42533c3ce44d87da117bb0334

SHA256
a2117407e0d1a99b2f620ea2c3ceb73a3372cf4b1be9380e3a65e3082c55fc62

SHA512
e65fb6f57332908ad1c948186405f1bf7a8891b57277e861a2a0c27f2656a97ea046e7f47a581e56245fc8d7f9024f97a40e5cbbfa326f5889a4e22b45922a28

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
306bffcbcb1783ad1943f87230d75573

SHA1
e48e724528983c70bafb8f872a9831e329319b93

SHA256
c933a90a5a71f0fef8a983d976fa0c426d5b4e45804802c8652f05f850065451

SHA512
902005cf1bf1d214bc2a4ed9a5f02e4a62ac30b203afcf295a7449693b6f08410adc606f83ec61d80a8f957362895770fa90e6ad0e6a2c8ef960a0b8b1415acc

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
306bffcbcb1783ad1943f87230d75573

SHA1
e48e724528983c70bafb8f872a9831e329319b93

SHA256
c933a90a5a71f0fef8a983d976fa0c426d5b4e45804802c8652f05f850065451

SHA512
902005cf1bf1d214bc2a4ed9a5f02e4a62ac30b203afcf295a7449693b6f08410adc606f83ec61d80a8f957362895770fa90e6ad0e6a2c8ef960a0b8b1415acc

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
306bffcbcb1783ad1943f87230d75573

SHA1
e48e724528983c70bafb8f872a9831e329319b93

SHA256
c933a90a5a71f0fef8a983d976fa0c426d5b4e45804802c8652f05f850065451

SHA512
902005cf1bf1d214bc2a4ed9a5f02e4a62ac30b203afcf295a7449693b6f08410adc606f83ec61d80a8f957362895770fa90e6ad0e6a2c8ef960a0b8b1415acc

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
2KB

MD5
e3464ee57c6405a7a5c2dc0c1da76e39

SHA1
4a83483f6113fb70e7af89ae788864bb03d57372

SHA256
fb0f6691c282ad63ac0dd820e70d7ec4f92e385c1c10e057b76898a75cabbf0f

SHA512
d3f25f3f53e8bba4d76631ee3d2f2bf481fedfc085fe922d9ba3bb1d6c8be96c885e770f1144dbabd76390b5d330c41beb0742405258b463650cdfbee079a3b5

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\75fdacd8330bac18.customDestinations-ms

Filesize
3KB

MD5
ecd8e70a7b6f8fdb408aba47294c2607

SHA1
2ae7db06de0e128abf70e219afcdf066e2a60e2b

SHA256
c617a8dd1629ef575ba54409f6be205057d3d2c8f42cc84c7d2e140393abd6ae

SHA512
1dd861daa77692586a5502e3776158bc50e77e2731312c7c894d284fd9432f571bcae89490184e2274205f149300b8636265e32af01cf366953d16dea96d7738

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\75fdacd8330bac18.customDestinations-ms

Filesize
3KB

MD5
f38d5f099880606c9dbec80ff18f0435

SHA1
24b6bf336224b498befa4779bf0bc5b485365023

SHA256
7448bc5b5755ba95f173b15f5169d9e2818756abc3f4a53aa2ffd8b8b2a75cdd

SHA512
95114c196a7311f6414405b6d820c7d329889b6018e5d123b6dea84ba855a801f5e897d82d0773db366cff587e4ab7da7bcb0909a5bdeff6f34ef2e25031db2f

Download Submit
memory/2976-10-0x00000000006A0000-0x0000000001633000-memory.dmp

Filesize
15.6MB

Download
memory/2976-120-0x00000000006A0000-0x0000000001633000-memory.dmp

Filesize
15.6MB

Download
memory/2976-30-0x00000000006A0000-0x0000000001633000-memory.dmp

Filesize
15.6MB

Download
memory/3432-50-0x00000000036A0000-0x00000000036A1000-memory.dmp

Filesize
4KB

Download
memory/3432-9-0x00000000006A0000-0x0000000001633000-memory.dmp

Filesize
15.6MB

Download
memory/3432-18-0x00000000006A0000-0x0000000001633000-memory.dmp

Filesize
15.6MB

Download
memory/3432-119-0x00000000006A0000-0x0000000001633000-memory.dmp

Filesize
15.6MB

Download
memory/4784-23-0x0000000005730000-0x0000000005731000-memory.dmp

Filesize
4KB

Download
memory/4784-24-0x0000000005740000-0x0000000005741000-memory.dmp

Filesize
4KB

Download
memory/4784-0-0x00000000006A0000-0x0000000001633000-memory.dmp

Filesize
15.6MB

Download
memory/4784-3-0x00000000036A0000-0x00000000036A1000-memory.dmp

Filesize
4KB

Download
memory/4784-1-0x00000000006A0000-0x0000000001633000-memory.dmp

Filesize
15.6MB

Download
memory/4784-109-0x00000000006A0000-0x0000000001633000-memory.dmp

Filesize
15.6MB

Download
memory/4784-68-0x00000000006A0000-0x0000000001633000-memory.dmp

Filesize
15.6MB

Download
memory/4784-51-0x0000000007CE0000-0x0000000007CE1000-memory.dmp

Filesize
4KB

Download