bc747e3bf7b6e02c09f3d18bdd0e64eef62b940b2f16c9c72e647eec85cf0138

max time kernel
1792s
max time network
1799s
platform
windows11-21h2_x64
resource
win11-20231222-en
resource tags

arch:x64arch:x86image:win11-20231222-enlocale:en-usos:windows11-21h2-x64system
submitted
12-01-2024 18:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

AnyDesk.exe
Size

5.2MB
MD5

37e172be64b12f3207300d11b74656b8
SHA1

1895d7c4f785f92e48b5191fd812822593cbc73f
SHA256

bc747e3bf7b6e02c09f3d18bdd0e64eef62b940b2f16c9c72e647eec85cf0138
SHA512

98cf7a591beb4af2066ddd9d17caee69b3cbb42343cb4dc0d517fb99983159ae8e960c315030487b3ea22b2512359f108a6cfe15ec3b725c040ac06b877c88ff
SSDEEP

98304:pgBOLscYr9NrQO6lSdAd7qvlyBhbUhrZsTY3ycd8izlxGhzAqK3:KOoc+dQO6+Ad7qdriTYlfzlIhMt

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AnyDesk.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	AnyDesk.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3776	AnyDesk.exe
3776	AnyDesk.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
3248	AnyDesk.exe
3248	AnyDesk.exe
3248	AnyDesk.exe

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
3248	AnyDesk.exe
3248	AnyDesk.exe
3248	AnyDesk.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1164 wrote to memory of 3776	1164	AnyDesk.exe	82
PID 1164 wrote to memory of 3776	1164	AnyDesk.exe	82
PID 1164 wrote to memory of 3776	1164	AnyDesk.exe	82
PID 1164 wrote to memory of 3248	1164	AnyDesk.exe	81
PID 1164 wrote to memory of 3248	1164	AnyDesk.exe	81
PID 1164 wrote to memory of 3248	1164	AnyDesk.exe	81

C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
"C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe"
1⤵
- Checks processor information in registry
- Suspicious use of WriteProcessMemory
PID:1164
- C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
  "C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe" --local-control
  2⤵
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:3248
- C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
  "C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe" --local-service
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3776

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\iconcache_idx.db

Filesize
14KB

MD5
8ec81eee87b73f70c471a2867baa3097

SHA1
1f67f4db8f656efb608e12e25f1bd5a2c8fe5172

SHA256
a168741b8e0a34c91995fb8db57d6d9ea83220626428d33bf2267575bb166565

SHA512
710d69bb6b0391331da5893b7b87acd7c043253a15872ee013693f2ce1c763975ca22c43f2111d98f2cb270e70d95d95bb76cf8e2d00b59c3bd54e9e0ceb1646

Download Submit
C:\Users\Admin\AppData\Local\Temp\gcapi.dll

Filesize
128KB

MD5
80a654d5d45370e41ede0dd4a9c64e81

SHA1
2c4367893428c5ea40ac4150a2780e28bb36d2c1

SHA256
a74aa0f09ab99bb6564f6edbb62c89c6163a449639d01f07c3e54c650cb77c02

SHA512
64c352b5fbe761b0e30086409f43b5072f176886d81f7ae8fe9b43779c8cc6a1aeacf55a78917529df6559b233a8a626ae3c02fee00ba66bbd51459bdea13ff5

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace

Filesize
7KB

MD5
b6523235d65508cf3a3cde6c14c824da

SHA1
0479f6b4c409e7c12b91398cfa37e0b03cb78a4f

SHA256
9399300b36cec76a51a17270aef7e0dbaa25dbddacf1ea915f783e919499fa6a

SHA512
6bc6e17cf793da388e111e63b6055fca05c026b508f20712636944754474237fb653f502cef2afc2e7cab0c1a70f2113928edc5eece8bc16fec15a81cb7ffdec

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace

Filesize
9KB

MD5
0fb9d777ee0f858ad68e517f60471048

SHA1
645d7bd6b01c89c1d194d07f0dc953e7093a88c6

SHA256
5585a3407851d4f5d0b60e71c563f64454b18ece1d306beaf82ad098d5e037b2

SHA512
ba7fe1514236b3d4f18729d0ea15434e11fd6675d1e4dbb2b2d39b1ca4c8fbcb5c3707dfdc638366f5b8fb8da53b4a9eb52cef17c6abc991e489f459a7575b52

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\service.conf

Filesize
2KB

MD5
410ede451628ecb0ac7369108b96265b

SHA1
ef0980343e3083b31f71823fc98e8fbde96c01ef

SHA256
417843f4b39e34ef3c9d545649a00843a9a1188e4f303d114034cbe366553e6d

SHA512
019592bd9e0fbe66a405d224951b86fa2c5679622ff689bc1908707f0019cb0ce28726b93845eaf106598b2411991a0d31ef2d2143a5e8f7db957172151b9659

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\service.conf

Filesize
2KB

MD5
2ae67044f87c8c18fbde4d3612369b90

SHA1
1ccfed8eb68b0d87ae711f017b867bfbc753b79e

SHA256
dc6ed91d4fae21154e257d5457c05c3a681f4cda674fbb2350cf20c319e37509

SHA512
e638e65d55b1461b7bda0cda3da05df84d588fe75cffe48448f178e0c82ea71d134b4da176db2c0aa3a86c66ffd512a3eb59ab1f695ec5d8efec4650b0d65e87

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
681B

MD5
f384a63e4e6e91058ea0b57787291717

SHA1
b49489217b1309ded79b281e93167eacac3af8e7

SHA256
aca29a08ade59c4f3ce4a4d8502533c3890efff7d8c164bd6b84bc5b163d60da

SHA512
a068a57d1ceb1ca32821d70307aea52085812eed85ef64937ace07cfd2a0e030c5e8c212c6868f7c5da0a3edbe7e6f3642a59888e426d666d1d1f583f789d313

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
745B

MD5
0d48a89f04bebb7a01d125fb3bb653f4

SHA1
b440dd038db364d47e8fcb508348394f3b605514

SHA256
02775fefb9f5ca407fec553178ce4bd2566d21bc67959d3a1e15795d0b5ce004

SHA512
4b8938b75f78568718808a131bae62bcbaf94f75b41c5571dab2db8512bd13ea45dfad5bc29b5ca1ba848ee01eaab38354a0414b3138dd030d51b2b30e925d53

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
802B

MD5
83583a57bccd4313c5a3e4dee1b2b8aa

SHA1
0ada5bce3d4844a58e01529e1ee2c9b535bb0486

SHA256
2d4150d06fda42180e5eb47a3375dceba3a71a609732763b4770ddf6ac761464

SHA512
cfbb4c808fc4011deddfa28c1db3ecdcf78b14365832dbf8e666407e11c05daca6f4d0381be7f136acd47d2d5ff3e0b8dfc047c167df17b4a6af6d62865679df

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
312B

MD5
0c04ad1083dc5c7c45e3ee2cd344ae38

SHA1
f1cf190f8ca93000e56d49732e9e827e2554c46f

SHA256
6452273c017db7cbe0ffc5b109bbf3f8d3282fb91bfa3c5eabc4fb8f1fc98cb0

SHA512
6c414b39bbc1f1f08446c6c6da6f6e1ceb9303bbf183ae279c872d91641ea8d67ec5e5c4e0824da3837eca73ec29fe70e92b72c09458c8ce50fa6f08791d1492

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
424B

MD5
65ca3b76357e662f291626564ea3e38f

SHA1
3b0a6dbe7e4172264dcd8178a922a7638ed86818

SHA256
4cfad981fa45a5872353f5d2e93624e2de3be221015f02dc29c65f0d365df310

SHA512
dbdaa5bb48234218b84c53971bacc1dc118c949603c362a2a44fb212c12bab499737e23d7c38e7b38a381f5545a353c61f1d5cef0e8542521fcd437fd46a5a7f

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
8f89e4524da979bf5a2660a1e6398ad8

SHA1
f30bac3cbda780fbc7d9b091ce61f2c5254c4c44

SHA256
3744236e0b657e12a86d5077454c3433e6ce93df922482ecffcf0cbc673d0dba

SHA512
50067e9eb851c8fd8ff079d20a1b094cce63495f19c5c1d0ba05115836b60a7091e073e737f357e4ece31ad5ecc8559343f6a215efebe722202196b443b1dd9f

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
5KB

MD5
0858326c4124bd15612efdc304569b29

SHA1
5cddc986c458baa86ba2b07f028607056f693959

SHA256
7c226278b26a55aa9be99173b835161070eb6b9ad321e8709826130034a0abea

SHA512
f863bf92f8405edb8a39d74f1010837e8147535a3a3e7f6954d6fbff5a470c2f06c3667d702a55313c9cbe084b24e6bcd2772ebc069fb0b0aeea6792334e0b12

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
5KB

MD5
2d372c5ed3a6c854bfd00fc6a18d33f4

SHA1
a0337cf4296f15c16723bd2a616d3ba0dd955758

SHA256
a554df62529d5d90f136d0b1dd66197a73a50105fd1f256243e5ecd17f91ee10

SHA512
1c7e5990d68c051580f0482ac1d47f6b5740a6dfdacbbaa8b715e577d6a2df1080980c17ae86cb23d95fb2d4ffc8cd70039ccadacc91289c4bcf702958106aac

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
6450e1a17f1c87c0726022da4b3d6ed1

SHA1
0a9f520771ec75a364498def527e2ba700a2cbc7

SHA256
455f2ad581d4b28e334396b8e306a6de4ed7f9afffdc0d6abd87f123d3906e2c

SHA512
71d1e6272b48cff793f36df2ce29b8d54a6eae0b34bb3cc5ae1f71fcf3782e4f3a9b4e71d3f0a2abf088d524b81b7635f4a4d613cb703be6a14b5d901b9f5427

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
2a208ad2137e50cf22a5f3f19fc85eab

SHA1
7f32b9c50d39df651fc105da4ce12c19cafffb3a

SHA256
2c438471c8bc65aeaf0fc682cfc4b5ddbdfcaa6577f1c4e64929e9ff9fe87d6b

SHA512
33805f78abc3448bdcc4042b81d33541e85da524f7a3e18a71cab988c115fc5124857d3dd721271812c8f35218a7608c1cf7e0bbfa1127a1767f01db4c137e48

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
f264f95d1bd28b89106d991dced2bc22

SHA1
f8ab9dd53e39da235f96d0cff88b698070fc4d2f

SHA256
4e29ab8442cb6f77d4e8a072949c292f9a61c6d8c6254edc73b95a6ef9d551db

SHA512
57154550eb4b46cd1bca8575a8c9ee12c539adcd3644cf36a657b83cb614a7bdcbff76722b4c95e21e41819e3f063991b4b8c4c9e8e1b26c084990f6ae48aded

Download Submit
memory/1164-91-0x00000000079C0000-0x00000000079C1000-memory.dmp

Filesize
4KB

Download
memory/1164-0-0x0000000000270000-0x0000000001A0A000-memory.dmp

Filesize
23.6MB

Download
memory/1164-1-0x0000000000270000-0x0000000001A0A000-memory.dmp

Filesize
23.6MB

Download
memory/1164-196-0x0000000000270000-0x0000000001A0A000-memory.dmp

Filesize
23.6MB

Download
memory/1164-31-0x0000000005BD0000-0x0000000005BD1000-memory.dmp

Filesize
4KB

Download
memory/1164-28-0x0000000005BC0000-0x0000000005BC1000-memory.dmp

Filesize
4KB

Download
memory/1164-92-0x0000000007390000-0x0000000007391000-memory.dmp

Filesize
4KB

Download
memory/1164-4-0x00000000020C0000-0x00000000020C1000-memory.dmp

Filesize
4KB

Download
memory/3248-12-0x0000000000270000-0x0000000001A0A000-memory.dmp

Filesize
23.6MB

Download
memory/3248-32-0x0000000003AB0000-0x0000000003AB1000-memory.dmp

Filesize
4KB

Download
memory/3248-198-0x0000000000270000-0x0000000001A0A000-memory.dmp

Filesize
23.6MB

Download
memory/3776-13-0x0000000000270000-0x0000000001A0A000-memory.dmp

Filesize
23.6MB

Download
memory/3776-33-0x0000000003BD0000-0x0000000003BD1000-memory.dmp

Filesize
4KB

Download
memory/3776-197-0x0000000000270000-0x0000000001A0A000-memory.dmp

Filesize
23.6MB

Download