bc747e3bf7b6e02c09f3d18bdd0e64eef62b940b2f16c9c72e647eec85cf0138

Resubmissions

10-11-2023 21:01

231110-zt1c9aec7v 3

31-10-2023 17:43

25-10-2023 17:35

17-10-2023 16:09

17-10-2023 14:20

17-10-2023 13:50

Analysis

max time kernel
311s
max time network
321s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
17-10-2023 13:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

AnyDesk.exe
Size

5.2MB
MD5

37e172be64b12f3207300d11b74656b8
SHA1

1895d7c4f785f92e48b5191fd812822593cbc73f
SHA256

bc747e3bf7b6e02c09f3d18bdd0e64eef62b940b2f16c9c72e647eec85cf0138
SHA512

98cf7a591beb4af2066ddd9d17caee69b3cbb42343cb4dc0d517fb99983159ae8e960c315030487b3ea22b2512359f108a6cfe15ec3b725c040ac06b877c88ff
SSDEEP

98304:pgBOLscYr9NrQO6lSdAd7qvlyBhbUhrZsTY3ycd8izlxGhzAqK3:KOoc+dQO6+Ad7qdriTYlfzlIhMt

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AnyDesk.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	AnyDesk.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
5012	AnyDesk.exe
5012	AnyDesk.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
4940	AnyDesk.exe
4940	AnyDesk.exe
4940	AnyDesk.exe

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
4940	AnyDesk.exe
4940	AnyDesk.exe
4940	AnyDesk.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4464 wrote to memory of 5012	4464	AnyDesk.exe	85
PID 4464 wrote to memory of 5012	4464	AnyDesk.exe	85
PID 4464 wrote to memory of 5012	4464	AnyDesk.exe	85
PID 4464 wrote to memory of 4940	4464	AnyDesk.exe	86
PID 4464 wrote to memory of 4940	4464	AnyDesk.exe	86
PID 4464 wrote to memory of 4940	4464	AnyDesk.exe	86

C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
"C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe"
1⤵
- Checks processor information in registry
- Suspicious use of WriteProcessMemory
PID:4464
- C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
  "C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe" --local-service
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5012
- C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
  "C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe" --local-control
  2⤵
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:4940

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\gcapi.dll

Filesize
385KB

MD5
1ce7d5a1566c8c449d0f6772a8c27900

SHA1
60854185f6338e1bfc7497fd41aa44c5c00d8f85

SHA256
73170761d6776c0debacfbbc61b6988cb8270a20174bf5c049768a264bb8ffaf

SHA512
7e3411be8614170ae91db1626c452997dc6db663d79130872a124af982ee1d457cefba00abd7f5269adce3052403be31238aecc3934c7379d224cb792d519753

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace

Filesize
6KB

MD5
4e617c801607bc1de9f776fe0bcaebd8

SHA1
f29233abf8dd8fa2464cce0f0b7754cf570becdd

SHA256
d24b4fc01c4a0df452e86d448a181585492ff39f90baf3fcc56e1b35eeb88ae3

SHA512
2868e1d1d5740a3afb0a5c17295c81e69ef592945b5adca4438a12a593ea74ced450be567581f2feeecb5f53ece1e8c734012f57d579ab7663ba0536ace2f704

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace

Filesize
6KB

MD5
4e617c801607bc1de9f776fe0bcaebd8

SHA1
f29233abf8dd8fa2464cce0f0b7754cf570becdd

SHA256
d24b4fc01c4a0df452e86d448a181585492ff39f90baf3fcc56e1b35eeb88ae3

SHA512
2868e1d1d5740a3afb0a5c17295c81e69ef592945b5adca4438a12a593ea74ced450be567581f2feeecb5f53ece1e8c734012f57d579ab7663ba0536ace2f704

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\service.conf

Filesize
2KB

MD5
654e77238c29e8bbaf6a751fc2a8a9ba

SHA1
39558eb847e14db862680eb340435f8bd6ec5578

SHA256
6319b41e047c915cf6891df6cbffa6e2c1271b67cba45e9fd30b91acdc3fce8e

SHA512
6ae25cc967309a015f6ac907ae73570c7b4a552f7313b9af68bf83b2bd3e969b928fb012c136d93decb4ff43fd960b1565ec23f10ddab7f5210426961527f64e

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\service.conf

Filesize
2KB

MD5
0b7857613cbb3aa875c80783772b13d9

SHA1
f834fadef7a24932cb5ef15228cb550a98c393bf

SHA256
e09e12f2badca500423dc28acf36183d2610c843df2b62f3d6ccb35eda4fde94

SHA512
9fddcec3cad7a7f2e06210bc857e0502099a3e528db58430a29377a3f987b6de5fcf40d097e96675ce2f48a26a6ba4c8b9c7f7b612424fbc35bff1b919b32d35

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\service.conf

Filesize
2KB

MD5
0b7857613cbb3aa875c80783772b13d9

SHA1
f834fadef7a24932cb5ef15228cb550a98c393bf

SHA256
e09e12f2badca500423dc28acf36183d2610c843df2b62f3d6ccb35eda4fde94

SHA512
9fddcec3cad7a7f2e06210bc857e0502099a3e528db58430a29377a3f987b6de5fcf40d097e96675ce2f48a26a6ba4c8b9c7f7b612424fbc35bff1b919b32d35

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
612B

MD5
5a3a75ef3f8c8ac7b6a3a975799796ee

SHA1
a9dd1b113827e8c3d3c251c4326e8c09225f7ef4

SHA256
0613ac6f4c21d578a65405c0a50f8ccf72e578052458b327b1aab1a62431cddb

SHA512
73f5cbf9c271843b5bacacb7fef728eddb39e57f769eb516be14ef48a45e826ea2858103b80d6e3f49aa0b878fffb6f08a9aef101d0b6e24f90be57d5e090eae

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
612B

MD5
5a3a75ef3f8c8ac7b6a3a975799796ee

SHA1
a9dd1b113827e8c3d3c251c4326e8c09225f7ef4

SHA256
0613ac6f4c21d578a65405c0a50f8ccf72e578052458b327b1aab1a62431cddb

SHA512
73f5cbf9c271843b5bacacb7fef728eddb39e57f769eb516be14ef48a45e826ea2858103b80d6e3f49aa0b878fffb6f08a9aef101d0b6e24f90be57d5e090eae

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
733B

MD5
4a3f9f4c993c89f00753f50e88641168

SHA1
aeb16d9bdb495e3a6a718eb4c9f6ccb672b0977b

SHA256
65602df2cb01f4f42e83cc18106a1abaa9e66a3cbbc1588e25feb6a686ea4ae3

SHA512
24584af69e86afa9722c13d0d1d4ccd0db2398c529bb62ee0449d6f2380bf0c3bf73fe8138fcfbb7456a4f8583181fd2c3174998a2eabeaa33f45b21cf44842f

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
802B

MD5
b61c2920f10e6227247fd8aad77bb3bc

SHA1
eaf4ef02ed85ab0ddaeb855a840ad27d642258ab

SHA256
bba04a1567997ce69e76f9bd8181248035d073819cdf8de8f353d193ede4ebdb

SHA512
6ebc632b8c9d09692a140b99428efe2dd5633b0fae03e3f8df2311f88719e0f81615b7b43ba5acd8144363209590f97064f3a82cb9150c7c613201f3fc212524

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
312B

MD5
0c04ad1083dc5c7c45e3ee2cd344ae38

SHA1
f1cf190f8ca93000e56d49732e9e827e2554c46f

SHA256
6452273c017db7cbe0ffc5b109bbf3f8d3282fb91bfa3c5eabc4fb8f1fc98cb0

SHA512
6c414b39bbc1f1f08446c6c6da6f6e1ceb9303bbf183ae279c872d91641ea8d67ec5e5c4e0824da3837eca73ec29fe70e92b72c09458c8ce50fa6f08791d1492

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
424B

MD5
acece92ef29254abbe8ca8d1ef2549b6

SHA1
2bd1aa31724d1f50142e579b903ef4d9f65e1a0d

SHA256
79729b4b202c4915918f2e9e2b8db037a77f562360b91e919af8cff6b8c9545b

SHA512
8b64b93c1488612463acf25ad54b075242fdf85bf692778eb82c72fa6f7368a3c8dcfff5ea24f642116e8bc52969133c3a7afb6e7b0d6c73d3d35baaf239f73e

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
424B

MD5
bf9c18ba202bb5ba78b50ad951f5ad37

SHA1
cc855ae4480a843ea30a0735b3c8a955786b538e

SHA256
579530d535e0017fedab58b00f61bf0b623485c1072e4c2f32efd561e4347a9c

SHA512
bea6ffa2ad639995e4273ecdf35b9929d7f5a94d1739990b4d32b7347d22621559e49cbd51759263bda5154bbae6c5e5375d87be9298f02bbcd8313bb8ab305b

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
424B

MD5
bf9c18ba202bb5ba78b50ad951f5ad37

SHA1
cc855ae4480a843ea30a0735b3c8a955786b538e

SHA256
579530d535e0017fedab58b00f61bf0b623485c1072e4c2f32efd561e4347a9c

SHA512
bea6ffa2ad639995e4273ecdf35b9929d7f5a94d1739990b4d32b7347d22621559e49cbd51759263bda5154bbae6c5e5375d87be9298f02bbcd8313bb8ab305b

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
ccbb820e6d0fd43ac647f00cc5fc3f7a

SHA1
a02dada3f760ebc87b688c8dd6c638edc33d1d54

SHA256
00f73da07c9027e1ef3cf7adc241872c4970c1809bbbc0fa3802c0e4ab9b8b98

SHA512
bdb2dff77795f6c927208c1d765d8791994eb1723f7c8607189f5977168abf8da1dfd56ad1ae644dfbefdf5cfcbf85b8ac7b7ba3369311bb5ff44e70be5be985

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
ccbb820e6d0fd43ac647f00cc5fc3f7a

SHA1
a02dada3f760ebc87b688c8dd6c638edc33d1d54

SHA256
00f73da07c9027e1ef3cf7adc241872c4970c1809bbbc0fa3802c0e4ab9b8b98

SHA512
bdb2dff77795f6c927208c1d765d8791994eb1723f7c8607189f5977168abf8da1dfd56ad1ae644dfbefdf5cfcbf85b8ac7b7ba3369311bb5ff44e70be5be985

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
ccbb820e6d0fd43ac647f00cc5fc3f7a

SHA1
a02dada3f760ebc87b688c8dd6c638edc33d1d54

SHA256
00f73da07c9027e1ef3cf7adc241872c4970c1809bbbc0fa3802c0e4ab9b8b98

SHA512
bdb2dff77795f6c927208c1d765d8791994eb1723f7c8607189f5977168abf8da1dfd56ad1ae644dfbefdf5cfcbf85b8ac7b7ba3369311bb5ff44e70be5be985

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
6KB

MD5
b93e72b36b54ac2ebd4e36edc9f6cfe8

SHA1
9104049956f24494a119645b099f3abb7614e2a1

SHA256
37880670fe9f5eaf70a1a11d06499c60eee8b2e5d0c364384cd645a57576ab1a

SHA512
6b104a8b8c27edeef0d820bca4be9c890f3cdff4b8a73db2286c37ff4be20804a529649128e3d7ff8c28be5b1098da8d3a76a31695d44e07841020dcd891384c

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
6KB

MD5
b93e72b36b54ac2ebd4e36edc9f6cfe8

SHA1
9104049956f24494a119645b099f3abb7614e2a1

SHA256
37880670fe9f5eaf70a1a11d06499c60eee8b2e5d0c364384cd645a57576ab1a

SHA512
6b104a8b8c27edeef0d820bca4be9c890f3cdff4b8a73db2286c37ff4be20804a529649128e3d7ff8c28be5b1098da8d3a76a31695d44e07841020dcd891384c

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
6KB

MD5
b93e72b36b54ac2ebd4e36edc9f6cfe8

SHA1
9104049956f24494a119645b099f3abb7614e2a1

SHA256
37880670fe9f5eaf70a1a11d06499c60eee8b2e5d0c364384cd645a57576ab1a

SHA512
6b104a8b8c27edeef0d820bca4be9c890f3cdff4b8a73db2286c37ff4be20804a529649128e3d7ff8c28be5b1098da8d3a76a31695d44e07841020dcd891384c

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
6KB

MD5
b93e72b36b54ac2ebd4e36edc9f6cfe8

SHA1
9104049956f24494a119645b099f3abb7614e2a1

SHA256
37880670fe9f5eaf70a1a11d06499c60eee8b2e5d0c364384cd645a57576ab1a

SHA512
6b104a8b8c27edeef0d820bca4be9c890f3cdff4b8a73db2286c37ff4be20804a529649128e3d7ff8c28be5b1098da8d3a76a31695d44e07841020dcd891384c

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
6KB

MD5
b93e72b36b54ac2ebd4e36edc9f6cfe8

SHA1
9104049956f24494a119645b099f3abb7614e2a1

SHA256
37880670fe9f5eaf70a1a11d06499c60eee8b2e5d0c364384cd645a57576ab1a

SHA512
6b104a8b8c27edeef0d820bca4be9c890f3cdff4b8a73db2286c37ff4be20804a529649128e3d7ff8c28be5b1098da8d3a76a31695d44e07841020dcd891384c

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
6KB

MD5
36c0e5d2a414ea8b628aba53e9d88ac6

SHA1
d07ab7f00bf707aac6edbd18ab4eb085c46599f8

SHA256
262b59193a1443479ef2f40ed2f581cd72e89b72359f21072350fedd9048d93b

SHA512
83ed1446f4a5283adda4b209b2190da6efe5fad514e4ee64bab7d5ee4f4de5b6c1e3ca88667e7b7a13b581e8d9f41329237d7064311647bc217a3a816ad283cd

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
6KB

MD5
36c0e5d2a414ea8b628aba53e9d88ac6

SHA1
d07ab7f00bf707aac6edbd18ab4eb085c46599f8

SHA256
262b59193a1443479ef2f40ed2f581cd72e89b72359f21072350fedd9048d93b

SHA512
83ed1446f4a5283adda4b209b2190da6efe5fad514e4ee64bab7d5ee4f4de5b6c1e3ca88667e7b7a13b581e8d9f41329237d7064311647bc217a3a816ad283cd

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
c0f96acb2ab06c2882b831bcd6e697c8

SHA1
3851a308a372a55685c0fdb61e5c6e88475c94f9

SHA256
aab2169deb7b7b547140ddf512e57b181deaae56b03cf3d07ec9ea1cac27b7a9

SHA512
45a87b37744d0641f80c7c50cce99d1dd979c1a1ee8d73da7652b5eaa7eee78724243065c907bf9399716ff31ecb6f3c63da272d5d909ef70f479fcfce2adf73

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
c0f96acb2ab06c2882b831bcd6e697c8

SHA1
3851a308a372a55685c0fdb61e5c6e88475c94f9

SHA256
aab2169deb7b7b547140ddf512e57b181deaae56b03cf3d07ec9ea1cac27b7a9

SHA512
45a87b37744d0641f80c7c50cce99d1dd979c1a1ee8d73da7652b5eaa7eee78724243065c907bf9399716ff31ecb6f3c63da272d5d909ef70f479fcfce2adf73

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
bdf38c4bea4b2f927163553cd99870c2

SHA1
941b6ad35ce13d7a286bc714d280eb7241d287ba

SHA256
88c65a512822cd5134d2b7910aebab82a6605e39e69303d77d29d5d144742e9f

SHA512
3e77561727be5272d214369d9128e6868a669e15ea1793bcd9fdaaa9e2471add9e3244e2855d7e70bdd561e08a1b01390e8a4a5da1dbc56ac7b51c28abe24577

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
e9c17b485560b7fb38572c69f6f7bca6

SHA1
651996b54d2e215a3d45e400e2b373fd901d7add

SHA256
a365ae67d9eaa8dbb2875a242f89a1cc8a0960072a6202e002558ac9a801233a

SHA512
38900f2736d1ebf68ce9337e3f08f2d380986cfbc57380b5d11a00d2d11b0f108426d6150fd2deb4cb42afb21183330204385235f2a430586e57df5e71a6a8f1

Download Submit
memory/4464-4-0x0000000000930000-0x0000000000931000-memory.dmp

Filesize
4KB

Download
memory/4464-11-0x0000000000960000-0x00000000020FA000-memory.dmp

Filesize
23.6MB

Download
memory/4464-139-0x0000000008350000-0x0000000008351000-memory.dmp

Filesize
4KB

Download
memory/4464-224-0x0000000000960000-0x00000000020FA000-memory.dmp

Filesize
23.6MB

Download
memory/4464-223-0x00000000073A0000-0x00000000073A1000-memory.dmp

Filesize
4KB

Download
memory/4464-0-0x0000000000960000-0x00000000020FA000-memory.dmp

Filesize
23.6MB

Download
memory/4464-25-0x0000000005B20000-0x0000000005B21000-memory.dmp

Filesize
4KB

Download
memory/4464-1-0x0000000000960000-0x00000000020FA000-memory.dmp

Filesize
23.6MB

Download
memory/4464-23-0x0000000005B10000-0x0000000005B11000-memory.dmp

Filesize
4KB

Download
memory/4464-3-0x0000000000960000-0x00000000020FA000-memory.dmp

Filesize
23.6MB

Download
memory/4464-70-0x0000000000960000-0x00000000020FA000-memory.dmp

Filesize
23.6MB

Download
memory/4464-6-0x0000000000960000-0x00000000020FA000-memory.dmp

Filesize
23.6MB

Download
memory/4940-119-0x0000000000960000-0x00000000020FA000-memory.dmp

Filesize
23.6MB

Download
memory/4940-22-0x0000000000960000-0x00000000020FA000-memory.dmp

Filesize
23.6MB

Download
memory/4940-14-0x0000000000960000-0x00000000020FA000-memory.dmp

Filesize
23.6MB

Download
memory/4940-221-0x0000000000960000-0x00000000020FA000-memory.dmp

Filesize
23.6MB

Download
memory/4940-31-0x0000000002590000-0x0000000002591000-memory.dmp

Filesize
4KB

Download
memory/5012-15-0x0000000000960000-0x00000000020FA000-memory.dmp

Filesize
23.6MB

Download
memory/5012-220-0x0000000000960000-0x00000000020FA000-memory.dmp

Filesize
23.6MB

Download
memory/5012-222-0x0000000000960000-0x00000000020FA000-memory.dmp

Filesize
23.6MB

Download
memory/5012-35-0x0000000003BF0000-0x0000000003BF1000-memory.dmp

Filesize
4KB

Download