55e4ce3fe726043070ecd7de5a74b2459ea8bed19ef2a36ce7884b2ab0863047

Analysis

max time kernel
149s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
30-01-2024 03:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

AnyDesk.exe
Size

5.0MB
MD5

a21768190f3b9feae33aaef660cb7a83
SHA1

24780657328783ef50ae0964b23288e68841a421
SHA256

55e4ce3fe726043070ecd7de5a74b2459ea8bed19ef2a36ce7884b2ab0863047
SHA512

ca6da822072cb0d3797221e578780b19c8953e4207729a002a64a00ced134059c0ed21b02572c43924e4ba3930c0e88cd2cdb309259e3d0dcfb0c282f1832d62
SSDEEP

98304:NzTZ3cINQscs0m++LNkT6OpwDGUUH57yvZ/49Mr8EO3QhA9Kq:Nzt3cINQscNmvLCwDkHEvZ/4R79x

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AnyDesk.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	AnyDesk.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4792	AnyDesk.exe
4792	AnyDesk.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
3984	AnyDesk.exe
3984	AnyDesk.exe
3984	AnyDesk.exe

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
3984	AnyDesk.exe
3984	AnyDesk.exe
3984	AnyDesk.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 64 wrote to memory of 4792	64	AnyDesk.exe	84
PID 64 wrote to memory of 4792	64	AnyDesk.exe	84
PID 64 wrote to memory of 4792	64	AnyDesk.exe	84
PID 64 wrote to memory of 3984	64	AnyDesk.exe	85
PID 64 wrote to memory of 3984	64	AnyDesk.exe	85
PID 64 wrote to memory of 3984	64	AnyDesk.exe	85

C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
"C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe"
1⤵
- Checks processor information in registry
- Suspicious use of WriteProcessMemory
PID:64
- C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
  "C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe" --local-service
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4792
- C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
  "C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe" --local-control
  2⤵
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:3984

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\gcapi.dll

Filesize
385KB

MD5
1ce7d5a1566c8c449d0f6772a8c27900

SHA1
60854185f6338e1bfc7497fd41aa44c5c00d8f85

SHA256
73170761d6776c0debacfbbc61b6988cb8270a20174bf5c049768a264bb8ffaf

SHA512
7e3411be8614170ae91db1626c452997dc6db663d79130872a124af982ee1d457cefba00abd7f5269adce3052403be31238aecc3934c7379d224cb792d519753

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace

Filesize
6KB

MD5
26f06a708bf6ad4428209ef67307efb5

SHA1
9cc155cdb5e006e9db8f4d535485123169953fc2

SHA256
56b5cd19e416e406ec2f9ebe86a66a5a136edfe8ef273b3b75c187bda27a2321

SHA512
2a0d04ff09c0b39080ff343d35cb32decb0f83e361d0ef55a4622a4436bc1bcfd486bae766c65180d426b7e042f0d6a12d69c1b8348ddc0c8ecd9149cbfd63c5

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\service.conf

Filesize
2KB

MD5
8db29bc6d135acddec984fdc60146d70

SHA1
ffeafc79bf20d20740ec3b78d07240b55582f90d

SHA256
4259408d56f75526cd26f95ff7a5050ac252b36776692e692050fcfebc2ae818

SHA512
79ab1ce086058771b1fcdbd18390998ce51310f00c4372958fd5f13d8f5fbc178818b2bb7975705949a82a59e0c8f9b75703773e1cec1699255e38864b573787

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\service.conf

Filesize
2KB

MD5
25bc8d8ce7246b44ac57501a2d706f0a

SHA1
671ab35a55fdf238817bde88f49ff43c09419ed7

SHA256
1fe153d0a5e0f70f097311603ac29c955b51819e33e8c50f213ca53f84d5fc0c

SHA512
d65ece43b07499bb5d651443a678ea95357720c7d3879926132b79323cc77dcfe6d320d992089b12be31453dbd823057ad6651ad38fe466d61a0c52365d568ca

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
611B

MD5
41d4deb087de1d556af48f992c991d62

SHA1
c72c3a9c58d472387f1b322b96d204e4f76e9483

SHA256
58b6052471b19c5d9a3f38bf038d24a1f79b70bdea832abf5c31de329789a672

SHA512
18d4e6f073aeb44f9946d945c03f59bb5dbe7fd90e668b5c22eac2668c4b990af0165a683a2b343a799bd038b161784de9c76dd3f45a523b732a10aa5d149cb3

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
732B

MD5
92e811df7dab534dad5c160540ec4299

SHA1
5c4e0b24d4206ba06ccb0995e689ffb925df88d0

SHA256
bfb8b8806b9fef6504b91785e1dbc93db77279a6be837386614dfbb2c3a9e21c

SHA512
06a55c90b20573c7daf10e07a60d09547f1be2e30459ee09ea3fae48dc9995cd9357d6fa8c86927a71761e32442b15e49901a4c8208bea0ef49fbb3f2160f07e

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
801B

MD5
9deb1defbddb03c137eb88709d2f8b1b

SHA1
f9e3aaeb179c8aeeaf4460eca87a768fec15d52b

SHA256
3f9afd5ca48ba9d32ae17cb447584c0685d70f448d91df624bc3d8e0cfdc0040

SHA512
747894e82412eb2b32249c286823756f63f819064aba61ea8ad74c87b7970136fcbb3969b34e7665959847a46dab46d5fb5cb5312abae459c099edb0b0806af6

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
312B

MD5
0c04ad1083dc5c7c45e3ee2cd344ae38

SHA1
f1cf190f8ca93000e56d49732e9e827e2554c46f

SHA256
6452273c017db7cbe0ffc5b109bbf3f8d3282fb91bfa3c5eabc4fb8f1fc98cb0

SHA512
6c414b39bbc1f1f08446c6c6da6f6e1ceb9303bbf183ae279c872d91641ea8d67ec5e5c4e0824da3837eca73ec29fe70e92b72c09458c8ce50fa6f08791d1492

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
424B

MD5
0d5b9bcf9906d34c372de8205baacddb

SHA1
ddf9de4add5c947496eb72e1e603633084bf404a

SHA256
9cbb3ae164d4bb23c19b913fddffb1e4882a1a8e4038bb669e988c7f031594ee

SHA512
9acc3d367c7ad69308b7876eea3bd61aef3dc5d0727431900ed49fffdff201785d57f07f9f009ab5f33d4e23a21a24baba3dcdecd6d42c1c3f6f7d00a8f98cb2

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
424B

MD5
734e3a95b1d30b07279713d657535f4c

SHA1
f8afe778c001adee94ba504bd8d34f22a7d8d26b

SHA256
e12eb98b60ba4b369e429146a5dd14e7ad5618b11eeb84114494f475e8efe822

SHA512
b09bb43b69a85eb27c782444fe2848217db42595d59344a6dee09e6d4c6df2ff03c5228444cc94cc7363fe9daaade1b6c985222c3860bd2a9af0ccfcfa3fbdb8

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
2KB

MD5
d49c26a923bd60366a7d9ee40e7c8ef3

SHA1
54a6aac504a317f3ce8710d5e36e4fbb940081f5

SHA256
d531e4c3cb35cabc8c3b3278d704ca3e1e24535e5aa0bb349aa2044d7306f198

SHA512
98a8dd67de79d34a4e499bca5464a4d87c07344b3afa7a76bba90863c5907c9fd08199c1154d770c53b4f8a11fd0304865d0f97602d0cd211c5bb81fd29dd19b

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
6d63717387f9be70b43c75fda6f4e341

SHA1
661f43fe7867c16b6062609cdfc8b8913f122e17

SHA256
9a0d50d5c1a014f1aa444aabfc27713347002ad737571011db9cb4049ba6e013

SHA512
912313be229d384c80ffc56bb3eeecbf910762603fb44e79ee09b10d248f1ab8dde2d1046f30f56590d4cf7c0576cb11273b52344bcae4e357d2fac1767c4f6a

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
5KB

MD5
16e61928a763c9e109d50f29504b7a94

SHA1
0c6151cbfe504cf105af7795a843dd111ba27f3c

SHA256
a4bf1cf6b9199003121e9fa22b0a4478462d82b1f445b54e7af5dea06b3a1f7b

SHA512
46891e23b446096278efdf392b84eada43cee045abb85000f2d557c7c6dc0a61255870a03b1ae53b217d01c39d62353f1f4331eef5c736f940556febddd6b9a2

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
4KB

MD5
2e0d1db2a069d8a3181abbd6a1f7b9ad

SHA1
8a0ecfb4cf5a247a95b5dcf184f1fb0b3682b1c5

SHA256
9b58b7c86b78481648d480c229ae6bc55e330055d736451422046dcdee534f6a

SHA512
0b5e69679c4815e5e6f4a1100b4b5f641bdac6b93baf6f5d54f4b041f89bf0a2e4645a716bc4c428f705344f22cd142a5f3f5b5608ea83a95ef05d7aa6872b49

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
5KB

MD5
761bededeadb71057a2ec32f5cd544f6

SHA1
81ff911c2479d94da419ff8e54b6da59add00776

SHA256
69156b85bec4b82987e309042100130f6249d0dfe784d7f632f7a9727b1f5dfa

SHA512
548220e0be7983df08698975994b362096ecc8b380a240290f961801de16d606b3a4956f2d0f0a6802347af99dd82642fec438cd39dd6473f1030b08da9e0c15

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
4162f5e59abc43fc0df80e27b37698b0

SHA1
52546adbd2b28382740f12dfd45a21ccf2d13bd3

SHA256
b0921e3780eee37ffed920c62d96e7013b194320e8958d2b2976fad8717c1114

SHA512
92bcebec12064e71461f1c67fb9a60ca816dcf57269dcb82a61df332baf3329d56fdbac6d595265416e0d5f673db235abb17ac9d8f2dafc2c84c0f28249ed258

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
5KB

MD5
a5c6a7156d9d2e9a2a36b3b540ab5456

SHA1
b19e8ee3ffdecdedf7e33fcdea03570d0a8cf100

SHA256
a496900241f5b1a208280241159b516d78021545eb4eb82254a846f86e513468

SHA512
3c6f6b4d5f2449b25d64b4bc63e5710370a7c5a754e57ce17632b4f6f68ce805bbcece2ca98810aed2a5186257f70f80671786b0b314d10a715e8367d5b57a11

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
66aadfdafe13695799ce8479a4754337

SHA1
c5c6fbc1af6e3956b8810d57ab91b1ec0a9afae4

SHA256
ab7991436d5aabfe01743fef9b460d1eb4a93dd99d5474779c7859e7f7a5a477

SHA512
60d170205d791df8067a1ad972e841b07291c789055ec366fb47bea1acf1c6109fdf61af8676c5b993cf2ca12463e5ef77eb16bd3e36547adc653d2a6a68bd8f

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
96955eb2904dc588160530e4cd07378f

SHA1
806637ee72f743060278c0a4fb15dc493bcdc669

SHA256
e34358cc12d8d64d92c23b047e9426de80d079319d7774305e8d063e7d61812a

SHA512
f2602819f2999f1586db510e7b41a7f4a606516c6a2dbf0a7712cd67a2415c682ce66c3c9447f062758361563ce1559626f588bb24f5fd86b438c4682a62a8c4

Download Submit
memory/64-249-0x0000000000DF0000-0x0000000002527000-memory.dmp

Filesize
23.2MB

Download
memory/64-94-0x0000000007540000-0x0000000007541000-memory.dmp

Filesize
4KB

Download
memory/64-93-0x00000000084D0000-0x00000000084D1000-memory.dmp

Filesize
4KB

Download
memory/64-1-0x0000000000DF0000-0x0000000002527000-memory.dmp

Filesize
23.2MB

Download
memory/64-0-0x0000000000DF0000-0x0000000002527000-memory.dmp

Filesize
23.2MB

Download
memory/64-24-0x0000000005DB0000-0x0000000005DB1000-memory.dmp

Filesize
4KB

Download
memory/64-21-0x0000000005DC0000-0x0000000005DC1000-memory.dmp

Filesize
4KB

Download
memory/64-246-0x0000000000DF0000-0x0000000002527000-memory.dmp

Filesize
23.2MB

Download
memory/64-73-0x0000000000DF0000-0x0000000002527000-memory.dmp

Filesize
23.2MB

Download
memory/64-3-0x0000000000D30000-0x0000000000D31000-memory.dmp

Filesize
4KB

Download
memory/64-239-0x0000000007550000-0x0000000007551000-memory.dmp

Filesize
4KB

Download
memory/3984-30-0x0000000000910000-0x0000000000911000-memory.dmp

Filesize
4KB

Download
memory/3984-12-0x0000000000DF0000-0x0000000002527000-memory.dmp

Filesize
23.2MB

Download
memory/3984-248-0x0000000000DF0000-0x0000000002527000-memory.dmp

Filesize
23.2MB

Download
memory/4792-11-0x0000000000DF0000-0x0000000002527000-memory.dmp

Filesize
23.2MB

Download
memory/4792-247-0x0000000000DF0000-0x0000000002527000-memory.dmp

Filesize
23.2MB

Download
memory/4792-29-0x0000000002960000-0x0000000002961000-memory.dmp

Filesize
4KB

Download