bc747e3bf7b6e02c09f3d18bdd0e64eef62b940b2f16c9c72e647eec85cf0138

Analysis

max time kernel
146s
max time network
161s
platform
windows11-21h2_x64
resource
win11-20231215-en
resource tags

arch:x64arch:x86image:win11-20231215-enlocale:en-usos:windows11-21h2-x64system
submitted
05-01-2024 16:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

AnyDesk.exe
Size

5.2MB
MD5

37e172be64b12f3207300d11b74656b8
SHA1

1895d7c4f785f92e48b5191fd812822593cbc73f
SHA256

bc747e3bf7b6e02c09f3d18bdd0e64eef62b940b2f16c9c72e647eec85cf0138
SHA512

98cf7a591beb4af2066ddd9d17caee69b3cbb42343cb4dc0d517fb99983159ae8e960c315030487b3ea22b2512359f108a6cfe15ec3b725c040ac06b877c88ff
SSDEEP

98304:pgBOLscYr9NrQO6lSdAd7qvlyBhbUhrZsTY3ycd8izlxGhzAqK3:KOoc+dQO6+Ad7qdriTYlfzlIhMt

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AnyDesk.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	AnyDesk.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1172	AnyDesk.exe
1172	AnyDesk.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
1336	AnyDesk.exe
1336	AnyDesk.exe
1336	AnyDesk.exe

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
1336	AnyDesk.exe
1336	AnyDesk.exe
1336	AnyDesk.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2768 wrote to memory of 1172	2768	AnyDesk.exe	81
PID 2768 wrote to memory of 1172	2768	AnyDesk.exe	81
PID 2768 wrote to memory of 1172	2768	AnyDesk.exe	81
PID 2768 wrote to memory of 1336	2768	AnyDesk.exe	80
PID 2768 wrote to memory of 1336	2768	AnyDesk.exe	80
PID 2768 wrote to memory of 1336	2768	AnyDesk.exe	80

C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
"C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe"
1⤵
- Checks processor information in registry
- Suspicious use of WriteProcessMemory
PID:2768
- C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
  "C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe" --local-control
  2⤵
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:1336
- C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
  "C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe" --local-service
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1172

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\gcapi.dll

Filesize
158KB

MD5
dcc46b4948139a4870258f3577e55401

SHA1
88a09db5b1b03c5e9b9a1786ad3aa7ce80f8ab4f

SHA256
99a9f2fa61eb6032e90b258bfca820717ec52b65172b8b16d38fcfceb32424ab

SHA512
908e8f0620d35396064ec78b90eeee627fe44987976a32efa445e19193c6df1f964af0cad52c46504be6d7555cc89326dbe5758a9d492b821a8b6fb12a09d6f7

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace

Filesize
7KB

MD5
e7e61cc867de3cddb9b8806a70ef5e30

SHA1
d1e2a12a7f41415f76d2058fb1ce74bb6194d558

SHA256
fd3c227f9036a6368022355cf4d7e301d888b713ddbb451256c81f0582badb6d

SHA512
65621994f1d79d1455f4fee5a83c9c20535fb2efec79108cb7c9345b3e49ac9c3d07eec02f90d738bb9124ea0ac98f613217de48487cd1a1843e289e09360829

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace

Filesize
9KB

MD5
756dba641bb4901fad31ff2893320c86

SHA1
f553a31a6e365aeea5a5b60666886813aa3b61d6

SHA256
1522dfd4d68d313198d6de63446d079c78349155fc8a8ecf9173e3b915389cf4

SHA512
f98ae9ca15500b0e871f9d7d0e979a41cf1a3284cb10d6f768ae746d8338c3958b4cb30d31c256e568c0f45da3b01f73433363c0bbf8e1676d39224f2b26296c

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\service.conf

Filesize
2KB

MD5
14a8975ae914878396e78d607b5e786b

SHA1
9d6267627cf4cff024b98f6cfcf5a2b8fce9385b

SHA256
26c390c94c699a8319c45b7f67ba223f18abfcade8f5429b7e2b7b0fdb1d2526

SHA512
b92c5688dc918aeafe2cc3d317087aea83a91e0dccb812637567659e7c1c4d30cad300b48519a3057859d831c13e2d91c58370696f14ebd8ce9facd0e1fd8f95

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\service.conf

Filesize
2KB

MD5
a5bc857cb5a87f9469ed7f734d06bb4f

SHA1
7afef3a568ef018cb4c6a587e9ea79fa4ae54f8c

SHA256
0075ff08a63ac217922eafb6c6bacaae4b61c0214e0c0b63e17d1d07a3fda78f

SHA512
3ada18b41abad98a424a3d66d41ca731b6cf1803608aeb9688edae02e0dee884133c1a1a24476a1a27a21c5b41abdc9b915854a4b0dbc7f3f4b8b8af13fa73f6

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
681B

MD5
3e3226d5e1727c729de9a3b582012ba7

SHA1
89f80fad325d4fdc7c5a17e56dfa671112be716b

SHA256
8f5aaa454c24b8c9c2f7e69a68b21430a4503f55709531c503fa7d06ca641dc1

SHA512
684cd0ea97344687306ba423e40ccba7a256eccebe8090aa19456a45965e5e6fb41235fe59187a1457c4a431bb5959be94dcd12c7f164fc97d1f6460f7e68ef1

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
802B

MD5
967315550023052328031586918c88f2

SHA1
dceaf385a6be2b6eb0b3e98aea706d13151b9c76

SHA256
0a39f64539d8c7f19af6511185a6ac517b1b9356b8493f3b9365c0990b808d04

SHA512
c363a49b5d2aa4334ead121caaaa012d018dcc758737d72d0db082aea7f249dcd21ee2d9e2e2eb38b45dc8477988da8ba5cab0727946748cb7d2a910aa58c527

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
312B

MD5
0c04ad1083dc5c7c45e3ee2cd344ae38

SHA1
f1cf190f8ca93000e56d49732e9e827e2554c46f

SHA256
6452273c017db7cbe0ffc5b109bbf3f8d3282fb91bfa3c5eabc4fb8f1fc98cb0

SHA512
6c414b39bbc1f1f08446c6c6da6f6e1ceb9303bbf183ae279c872d91641ea8d67ec5e5c4e0824da3837eca73ec29fe70e92b72c09458c8ce50fa6f08791d1492

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
424B

MD5
2e6ae21dcdd6d36ef49a81a79db29a2e

SHA1
58c3a5de04aed087d8aceb2866c21b36c07692ca

SHA256
b0ba5f7362c928c8c4aa5566e4e4bd0d8e7473e82ebedea976bfc56a6c0c640e

SHA512
49ff29d1ba3c7fff9789e90189fcd10e151019bf926ccfce2d05ac4a60f91a25c8a20c57e08430a0b240b62ae8971c82e73978b007c9159637a48c2b457c9ddb

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
6dc2fe6315648e4360f54ad058304970

SHA1
f60891af73713c2d34eaf5cdfb74b6d57c4a471f

SHA256
f2ee5ea299bb30e300c9fd8ce8d8b8e32c6aa360b2fc554aefadca1e24d01a07

SHA512
edbb545fd440547987b927b7e769a07e9ee57bc1947b8ff74e2664584f58dc0be32672a1a453b0763071ac776b16e0f05e6898a1916523d03554ed2ccffca9ae

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
6KB

MD5
d5e454d7127e1c86a5e1aaebcedf207a

SHA1
da8198ab11440babd0245322f1500f59cf02399a

SHA256
3f8a728fecd972c8cb22f7c80c7fc56c870c4b585ac31b5cedeacccc9036efe9

SHA512
e65edd67f3837c90736a56b4c054eda87cbf5cff6b687ea3bd4d4d5a9e03e22267db120ff61fd66c557baae71822be7d44a6d4c79b6399b8a4eece388618bf80

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
30c74e2e8994cc403eb71178acff486c

SHA1
3cb0840235804f8d542f7ef9936c88dd0d7399df

SHA256
f29b1d65c0f2771f8e47a05480181cf8331af10778100ab7ec1f73a29d897a4f

SHA512
57c6364733dc8e4404b8d5fa561b619e8946fe745e9789272a5e194a71019da8553bdacf2a0ab5bd1ab554ee927c5283596be0127765a2aa38e8b63b7107832c

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
6KB

MD5
79ac71fc968a9acbe0b0cb01cc5c8553

SHA1
2a1e0c28c318a495ca751ede66d7850d473c409e

SHA256
83965587f5db89dc470d3e025985cbcdb974ebc4afbbb2c997ea352d3991d467

SHA512
be0ddb1578a4bea667c09417bae98bf91fd77c182536538ffd13c06f8f16da60e9fab1e15381fcea14aeac7a7b90e2b4ac32781e09139376c560b9f667cf7c53

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
6KB

MD5
93f76d1d8b2aad76f1ec2f73f69b1724

SHA1
77391f055abffa9d12759d73964a1e27b2f9b176

SHA256
7b4655334d83107824573dd12197e415a54ef0869f35d3595d13692912969580

SHA512
0a12184e72b318a6053a1d64f4e7b7aa6008424922b2e2c8efadd355ff967f1d8dc1f3386d2a93cad4315e4e47247bd4c93bafb0b1df9824c2fcc02480fbf351

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
6KB

MD5
55d523d470ddc140afbe6f787a6e8e59

SHA1
ae0b157247c497aba30d04de8f3a1715e09128e1

SHA256
954f858d401e6c2ef4ea957df70b0aadf94e297520a0f22578179b1157b3aa32

SHA512
52cc5a08ddbb592bc3e9e85cf6dc8436c561d616ca4b18fd61c844fcc12d233d468f30af0f287c87f18b26794a108afb0d200ccfdded492cb0959f843197c471

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
ea187c3cfc54875bdc0dbe2e97de5bc1

SHA1
e41f51cde3831380fd5d77458d0ab0a913a4c543

SHA256
aade76a1ac88a1e692d761cea6db509240f65ca58654db4c6dda28ed3506f4fd

SHA512
c42e9430f0ae9eb0b6ffa2beb9a19ec8c125ed41db126d9ae74e3c9355351c32525db5d3aa163517d4618935ac40f74b5aa3e523cb43b20166570d0b336d47da

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
a7fe8513f7ee082f9afb33ade5aecba8

SHA1
5ec75a8c57ebd5cb51189e9f55e287b574b4d3bc

SHA256
9a3edc2fda0171e2bc56567a7dd50e0e0e39ff74d89aac6acf24b15abce7b046

SHA512
8f518fc6d581abad18da77ea9b4493477aaee1f1ce8b506cbbba517cd052e14a3046fbed5eecee250491d8b358c0075f33367f5000af809ca9ed8ed28f57c9cb

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
f34b6ca81f40aa1004af02ae19e65c8f

SHA1
da7902297696ca4f7f1d37a5afd24fda73aa299b

SHA256
54e77a80d2663e6c7a29d3c04fab5e2601c342b66f37a9babaee2507924d819e

SHA512
062d8c437ad80d1d63508a2f76a28a21a5d7b719752e9b48ea6e3c47083e0431ace2467638b2f5dfe6d47871e80b08b7f7d1021ddc00e54537ee981f97e83349

Download Submit
memory/1172-11-0x0000000000970000-0x000000000210A000-memory.dmp

Filesize
23.6MB

Download
memory/1172-33-0x0000000000950000-0x0000000000951000-memory.dmp

Filesize
4KB

Download
memory/1172-214-0x0000000000970000-0x000000000210A000-memory.dmp

Filesize
23.6MB

Download
memory/1172-28-0x0000000000970000-0x000000000210A000-memory.dmp

Filesize
23.6MB

Download
memory/1336-215-0x0000000000970000-0x000000000210A000-memory.dmp

Filesize
23.6MB

Download
memory/1336-12-0x0000000000970000-0x000000000210A000-memory.dmp

Filesize
23.6MB

Download
memory/1336-32-0x0000000002550000-0x0000000002551000-memory.dmp

Filesize
4KB

Download
memory/1336-19-0x0000000000970000-0x000000000210A000-memory.dmp

Filesize
23.6MB

Download
memory/2768-89-0x0000000008100000-0x0000000008101000-memory.dmp

Filesize
4KB

Download
memory/2768-0-0x0000000000970000-0x000000000210A000-memory.dmp

Filesize
23.6MB

Download
memory/2768-22-0x0000000006320000-0x0000000006321000-memory.dmp

Filesize
4KB

Download
memory/2768-4-0x00000000043B0000-0x00000000043B1000-memory.dmp

Filesize
4KB

Download
memory/2768-203-0x0000000000970000-0x000000000210A000-memory.dmp

Filesize
23.6MB

Download
memory/2768-1-0x0000000000970000-0x000000000210A000-memory.dmp

Filesize
23.6MB

Download
memory/2768-90-0x0000000007AE0000-0x0000000007AE1000-memory.dmp

Filesize
4KB

Download
memory/2768-31-0x0000000006310000-0x0000000006311000-memory.dmp

Filesize
4KB

Download