ec33d8ee9c3881b8fcea18f9f862d5926d994553aec1b65081d925afd3e8b028

Analysis

max time kernel
143s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20231023-en
resource tags

arch:x64arch:x86image:win10v2004-20231023-enlocale:en-usos:windows10-2004-x64system
submitted
14/11/2023, 21:42

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

AnyDesk.exe
Size

5.3MB
MD5

75eecc3a8b215c465f541643e9c4f484
SHA1

3ad1f800b63640128bfdcc8dbee909554465ee11
SHA256

ec33d8ee9c3881b8fcea18f9f862d5926d994553aec1b65081d925afd3e8b028
SHA512

b3a48230fc6f20038c938e5295b68a3f020b94e220ca2fab6a894d126dc41f6f1021c239613bf9d6de84370ad7df9d9a91baf716a87d43eb101ee3e48578e5ff
SSDEEP

98304:j5ObAu2pmits24nYhQCWQdaQQo/mJPv4KYZPKBhYI5RuN4OL2wIjcsJWNg3:IAnRu24nR5QcTvYdmPuWOL2TcQWe3

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AnyDesk.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	AnyDesk.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4348	AnyDesk.exe
4348	AnyDesk.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
812	AnyDesk.exe
812	AnyDesk.exe
812	AnyDesk.exe

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
812	AnyDesk.exe
812	AnyDesk.exe
812	AnyDesk.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 936 wrote to memory of 4348	936	AnyDesk.exe	93
PID 936 wrote to memory of 4348	936	AnyDesk.exe	93
PID 936 wrote to memory of 4348	936	AnyDesk.exe	93
PID 936 wrote to memory of 812	936	AnyDesk.exe	94
PID 936 wrote to memory of 812	936	AnyDesk.exe	94
PID 936 wrote to memory of 812	936	AnyDesk.exe	94

C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
"C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe"
1⤵
- Checks processor information in registry
- Suspicious use of WriteProcessMemory
PID:936
- C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
  "C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe" --local-service
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4348
- C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
  "C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe" --local-control
  2⤵
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:812

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\gcapi.dll

Filesize
385KB

MD5
1ce7d5a1566c8c449d0f6772a8c27900

SHA1
60854185f6338e1bfc7497fd41aa44c5c00d8f85

SHA256
73170761d6776c0debacfbbc61b6988cb8270a20174bf5c049768a264bb8ffaf

SHA512
7e3411be8614170ae91db1626c452997dc6db663d79130872a124af982ee1d457cefba00abd7f5269adce3052403be31238aecc3934c7379d224cb792d519753

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace

Filesize
5KB

MD5
72baf1681be4f91eaebd15a7933e7db0

SHA1
932c93aa2b91ca009df4cca9639cd909d7f8aa22

SHA256
477fb1792fc5ce0390431b5b948d2dc776abd1220e46d8226a99a1ea88667814

SHA512
54e243b430c1808d034d2c230e3a945c9771ec15d9a0882b9b4eed670f447eb5ee3e960ac4b469f559d24f8bc1048c807abc85614053713f523d1bf35fe0d3d6

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace

Filesize
5KB

MD5
bf73268e0093f4548b9277d540f6d009

SHA1
77371921bc84847d957b3ae0cd63aafa7dd41baf

SHA256
b395e4c6bf70194ac05f45a5a37b443d24c94a1dfdc4698306e6f6b4b595270e

SHA512
caa23ee4b97cdd38f995fab49136b4540afa3000ad18dd38e79f8c5f8e27718f9b82e873f697c622bb4eec77b545fab5f8ee593b975814aa8116a2237e682957

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\service.conf

Filesize
2KB

MD5
4eba4b2e1f357033b0154cafd5dfac5a

SHA1
355815157ff713cabb143fcdd4ca2803c9bd1eb4

SHA256
822fc77d4fd1d5d7a87978b3012d8525fd4dc901f36e0891eb3b2db17f37b184

SHA512
c2f16800a695fd96f2d396abcd9956ca7194c4d978a7ba8f1bcb0fc357310e2d2be1b60b011745a20b3f4ad860945e3019d5c018ca3b8a67ababc7adba6f7939

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\service.conf

Filesize
2KB

MD5
68c3e57d6bd3c0933ef0341ef46059ff

SHA1
b51a245131d5bb48a993cbb75eb4488126214782

SHA256
4fb50e30cb26a4d8817e7f0048279e003455ef81108d1d32471177e5e725de62

SHA512
7ad06754fcb6387920419e92fef3d80ff3c87ed1fff9d26a4917cc8d9d833771c40b809ab832aa9dc594ecf2a8c94f7748705ac2f0ef2acdeb836175acbed6e3

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
612B

MD5
0ba094bcb013fec1aeb6a01d9ab30b33

SHA1
c6d49fedbce78d4a6a5b184cd16128fa1e143506

SHA256
4179a7ed2bd45bcc0b4bf1acf2e7b0d1c1080987daaf4ee7bd0f5519e0a8325c

SHA512
95db9a9a33154ec8a292a89c0d51fba4d9f152c1075bbf09b461d8474e3bddc1385476a3a18e72e2b8f98145b7898c962e6ad5d76bcd3cbbd0129a1655fa6d84

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
612B

MD5
0ba094bcb013fec1aeb6a01d9ab30b33

SHA1
c6d49fedbce78d4a6a5b184cd16128fa1e143506

SHA256
4179a7ed2bd45bcc0b4bf1acf2e7b0d1c1080987daaf4ee7bd0f5519e0a8325c

SHA512
95db9a9a33154ec8a292a89c0d51fba4d9f152c1075bbf09b461d8474e3bddc1385476a3a18e72e2b8f98145b7898c962e6ad5d76bcd3cbbd0129a1655fa6d84

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
733B

MD5
63c9f1fd9a1d0b0ba3b190ea8c4aa7e5

SHA1
d52e2ca4066d78e65b8246134333715f4124af19

SHA256
ba80e236b73c35caf3623f5bd9b7aca0aa2457031e079ece0597dffacec25367

SHA512
61e17cca6abb255714a6977542981b45c80d2c88068052a93c99481bbaa7c448df93d75aab947ba649d22e0629bade4068059c6b4f8d74521c70ca2996c5fb91

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
802B

MD5
b794950d306092c79c28ff2c74b73fef

SHA1
3b3bca7d1ea726fed493a6a424d1b9ba7e6f4afc

SHA256
d773b36af63b76980996d0ae7e65b2b3fd9ed6509ff7b5a548ae6a80dcecabe2

SHA512
6239a849380539dcbc731c9d15e893befbd114dc7e7865d9f4bf95c641b498e80ae11e6a2943ea7fab8abd6a3fcaf775bcb58335673bd2b0223b67d32da903ac

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
312B

MD5
0c04ad1083dc5c7c45e3ee2cd344ae38

SHA1
f1cf190f8ca93000e56d49732e9e827e2554c46f

SHA256
6452273c017db7cbe0ffc5b109bbf3f8d3282fb91bfa3c5eabc4fb8f1fc98cb0

SHA512
6c414b39bbc1f1f08446c6c6da6f6e1ceb9303bbf183ae279c872d91641ea8d67ec5e5c4e0824da3837eca73ec29fe70e92b72c09458c8ce50fa6f08791d1492

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
424B

MD5
a4716a15906291d8aaa531ef578e400e

SHA1
e46a27ad28007cd00213750b1750221a32eab609

SHA256
cf9c376bbd94c5aa7907364d8b497d0e8cf50ad90ec0d69783d1af498bc474dd

SHA512
77ec0a80c27591e7b94354152b7f904c08a1bef607970c944380d2e988db4a51d46eace0b78f4e7f9890bba3b59842d933bcabc987044f9b2e67f25853e27574

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
424B

MD5
a4716a15906291d8aaa531ef578e400e

SHA1
e46a27ad28007cd00213750b1750221a32eab609

SHA256
cf9c376bbd94c5aa7907364d8b497d0e8cf50ad90ec0d69783d1af498bc474dd

SHA512
77ec0a80c27591e7b94354152b7f904c08a1bef607970c944380d2e988db4a51d46eace0b78f4e7f9890bba3b59842d933bcabc987044f9b2e67f25853e27574

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
6KB

MD5
b1d561b644232d4cfc1555422e0c098c

SHA1
ce41f5105c804542d015c0bd7b2728ddfa3fa4ce

SHA256
150bd857dbdd1a0b2a49ffccf3bf60710deab61a09c0fc903585445c80176609

SHA512
24b0f7b79bf05b612b2e60b03173f8937b88451eebea5ce8fdc744643775b566efd069ab585591f6176dc88e536457efa9fae068ccb866669bd0f26cfb19fab9

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
6KB

MD5
b1d561b644232d4cfc1555422e0c098c

SHA1
ce41f5105c804542d015c0bd7b2728ddfa3fa4ce

SHA256
150bd857dbdd1a0b2a49ffccf3bf60710deab61a09c0fc903585445c80176609

SHA512
24b0f7b79bf05b612b2e60b03173f8937b88451eebea5ce8fdc744643775b566efd069ab585591f6176dc88e536457efa9fae068ccb866669bd0f26cfb19fab9

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
6KB

MD5
b1d561b644232d4cfc1555422e0c098c

SHA1
ce41f5105c804542d015c0bd7b2728ddfa3fa4ce

SHA256
150bd857dbdd1a0b2a49ffccf3bf60710deab61a09c0fc903585445c80176609

SHA512
24b0f7b79bf05b612b2e60b03173f8937b88451eebea5ce8fdc744643775b566efd069ab585591f6176dc88e536457efa9fae068ccb866669bd0f26cfb19fab9

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
6KB

MD5
b1d561b644232d4cfc1555422e0c098c

SHA1
ce41f5105c804542d015c0bd7b2728ddfa3fa4ce

SHA256
150bd857dbdd1a0b2a49ffccf3bf60710deab61a09c0fc903585445c80176609

SHA512
24b0f7b79bf05b612b2e60b03173f8937b88451eebea5ce8fdc744643775b566efd069ab585591f6176dc88e536457efa9fae068ccb866669bd0f26cfb19fab9

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
6KB

MD5
b1d561b644232d4cfc1555422e0c098c

SHA1
ce41f5105c804542d015c0bd7b2728ddfa3fa4ce

SHA256
150bd857dbdd1a0b2a49ffccf3bf60710deab61a09c0fc903585445c80176609

SHA512
24b0f7b79bf05b612b2e60b03173f8937b88451eebea5ce8fdc744643775b566efd069ab585591f6176dc88e536457efa9fae068ccb866669bd0f26cfb19fab9

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
6KB

MD5
b1d561b644232d4cfc1555422e0c098c

SHA1
ce41f5105c804542d015c0bd7b2728ddfa3fa4ce

SHA256
150bd857dbdd1a0b2a49ffccf3bf60710deab61a09c0fc903585445c80176609

SHA512
24b0f7b79bf05b612b2e60b03173f8937b88451eebea5ce8fdc744643775b566efd069ab585591f6176dc88e536457efa9fae068ccb866669bd0f26cfb19fab9

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
6KB

MD5
c4acd0adfa5c313353c3dbe92839b0a8

SHA1
bfeab56bc7b5e03c298ab88bb97f8c26e82cdcdf

SHA256
8f0572e4f31281c65660e641eb06deaf9956c6a0d3e371c476d611517c026d86

SHA512
c1a446713fc2174d0d37d4926e8de6c0326d35b11b83fcc196defc40c49fe5c7d58b00e6cbf669df88a4910284154cc76bddd9e5a2876a64c38f7212fb5cf17b

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
6KB

MD5
03e3d56f931cf87ee2591bda56f5a013

SHA1
377d3a9aa6357678086b5a76de062b18b8995f17

SHA256
e0355f00bc01fa6d0e651cee86990ae949f425ab4fa35d77cca259a870497592

SHA512
d738b2eeb5ee76d66f5e8c5819f717003246ebca18ff26e6ba781113c2d428986a5789126e75d3d3c220157be689f30fcaec6d08902f429bf4f14ed12b198ec3

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
83d811dd1028f48b12d429e79d6d3ae7

SHA1
ca5ebf0e0badd532b592bfc85a60368c139743b5

SHA256
029000aed3da8fc028e6eb11fb617fe165bccd9c7bf6bde01043e7fa4a602f1f

SHA512
e034212986972e148c5eb5a2158ba3f0632efe3c87ba4051bee7cc7997fac94213e1d06a376fb9091d09e6a2c2cc1b07b159b176b1f2af1bb2714e0acd185515

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
83d811dd1028f48b12d429e79d6d3ae7

SHA1
ca5ebf0e0badd532b592bfc85a60368c139743b5

SHA256
029000aed3da8fc028e6eb11fb617fe165bccd9c7bf6bde01043e7fa4a602f1f

SHA512
e034212986972e148c5eb5a2158ba3f0632efe3c87ba4051bee7cc7997fac94213e1d06a376fb9091d09e6a2c2cc1b07b159b176b1f2af1bb2714e0acd185515

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
465892e9217a429cba41eb8cf20011df

SHA1
1d5a67447e1b3a1ec3c748fd2b45af2a0ab996c3

SHA256
10874af8c2dbf77681649fc82549868841190a330b75d7e6232d1c2137ce8de7

SHA512
d1ab5df7527358850b78798d1bc0450865162f56b1e7ab838f5e48ceaa4afccae1f881a54935617c5e091e9590388c90579635679f9656a3722621c525e9ab1e

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
465892e9217a429cba41eb8cf20011df

SHA1
1d5a67447e1b3a1ec3c748fd2b45af2a0ab996c3

SHA256
10874af8c2dbf77681649fc82549868841190a330b75d7e6232d1c2137ce8de7

SHA512
d1ab5df7527358850b78798d1bc0450865162f56b1e7ab838f5e48ceaa4afccae1f881a54935617c5e091e9590388c90579635679f9656a3722621c525e9ab1e

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
465892e9217a429cba41eb8cf20011df

SHA1
1d5a67447e1b3a1ec3c748fd2b45af2a0ab996c3

SHA256
10874af8c2dbf77681649fc82549868841190a330b75d7e6232d1c2137ce8de7

SHA512
d1ab5df7527358850b78798d1bc0450865162f56b1e7ab838f5e48ceaa4afccae1f881a54935617c5e091e9590388c90579635679f9656a3722621c525e9ab1e

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
98f7a92c4d3f7d28f639663b90b3ca11

SHA1
881669ec80a0d263743b18517a4383ff70dfb88a

SHA256
06077f2cc2932939fd67bab4742158029b9c998e447cd1220cad2a5af52a702f

SHA512
f7d9a1d2627a462413f2f556106c4652f3b2bcf9eb5593b18f9f18835259bd7b20c7f4d24914086b65dbcc33a5ffe9dd5d68ed1a58f4f2637543fe34238af3a7

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
98f7a92c4d3f7d28f639663b90b3ca11

SHA1
881669ec80a0d263743b18517a4383ff70dfb88a

SHA256
06077f2cc2932939fd67bab4742158029b9c998e447cd1220cad2a5af52a702f

SHA512
f7d9a1d2627a462413f2f556106c4652f3b2bcf9eb5593b18f9f18835259bd7b20c7f4d24914086b65dbcc33a5ffe9dd5d68ed1a58f4f2637543fe34238af3a7

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
98f7a92c4d3f7d28f639663b90b3ca11

SHA1
881669ec80a0d263743b18517a4383ff70dfb88a

SHA256
06077f2cc2932939fd67bab4742158029b9c998e447cd1220cad2a5af52a702f

SHA512
f7d9a1d2627a462413f2f556106c4652f3b2bcf9eb5593b18f9f18835259bd7b20c7f4d24914086b65dbcc33a5ffe9dd5d68ed1a58f4f2637543fe34238af3a7

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
98f7a92c4d3f7d28f639663b90b3ca11

SHA1
881669ec80a0d263743b18517a4383ff70dfb88a

SHA256
06077f2cc2932939fd67bab4742158029b9c998e447cd1220cad2a5af52a702f

SHA512
f7d9a1d2627a462413f2f556106c4652f3b2bcf9eb5593b18f9f18835259bd7b20c7f4d24914086b65dbcc33a5ffe9dd5d68ed1a58f4f2637543fe34238af3a7

Download Submit
memory/812-27-0x0000000000610000-0x0000000001DE0000-memory.dmp

Filesize
23.8MB

Download
memory/812-33-0x0000000002590000-0x0000000002591000-memory.dmp

Filesize
4KB

Download
memory/812-207-0x0000000000610000-0x0000000001DE0000-memory.dmp

Filesize
23.8MB

Download
memory/812-13-0x0000000000610000-0x0000000001DE0000-memory.dmp

Filesize
23.8MB

Download
memory/936-11-0x0000000000610000-0x0000000001DE0000-memory.dmp

Filesize
23.8MB

Download
memory/936-32-0x0000000005C90000-0x0000000005C91000-memory.dmp

Filesize
4KB

Download
memory/936-31-0x0000000005C80000-0x0000000005C81000-memory.dmp

Filesize
4KB

Download
memory/936-118-0x0000000007510000-0x0000000007511000-memory.dmp

Filesize
4KB

Download
memory/936-0-0x0000000000610000-0x0000000001DE0000-memory.dmp

Filesize
23.8MB

Download
memory/936-4-0x0000000002150000-0x0000000002151000-memory.dmp

Filesize
4KB

Download
memory/936-194-0x0000000007520000-0x0000000007521000-memory.dmp

Filesize
4KB

Download
memory/936-1-0x0000000000610000-0x0000000001DE0000-memory.dmp

Filesize
23.8MB

Download
memory/936-205-0x0000000000610000-0x0000000001DE0000-memory.dmp

Filesize
23.8MB

Download
memory/936-80-0x0000000005D80000-0x0000000005D81000-memory.dmp

Filesize
4KB

Download
memory/4348-34-0x0000000002630000-0x0000000002631000-memory.dmp

Filesize
4KB

Download
memory/4348-12-0x0000000000610000-0x0000000001DE0000-memory.dmp

Filesize
23.8MB

Download
memory/4348-206-0x0000000000610000-0x0000000001DE0000-memory.dmp

Filesize
23.8MB

Download