55e4ce3fe726043070ecd7de5a74b2459ea8bed19ef2a36ce7884b2ab0863047

Analysis

max time kernel
1564s
max time network
1567s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
30-01-2024 14:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

AnyDesk.exe
Size

5.0MB
MD5

a21768190f3b9feae33aaef660cb7a83
SHA1

24780657328783ef50ae0964b23288e68841a421
SHA256

55e4ce3fe726043070ecd7de5a74b2459ea8bed19ef2a36ce7884b2ab0863047
SHA512

ca6da822072cb0d3797221e578780b19c8953e4207729a002a64a00ced134059c0ed21b02572c43924e4ba3930c0e88cd2cdb309259e3d0dcfb0c282f1832d62
SSDEEP

98304:NzTZ3cINQscs0m++LNkT6OpwDGUUH57yvZ/49Mr8EO3QhA9Kq:Nzt3cINQscNmvLCwDkHEvZ/4R79x

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AnyDesk.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	AnyDesk.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
2368	AnyDesk.exe
1700	AnyDesk.exe
2452	AnyDesk.exe

Suspicious use of FindShellTrayWindow 5 IoCs

pid	Process
2452	AnyDesk.exe
2452	AnyDesk.exe
2452	AnyDesk.exe
2452	AnyDesk.exe
2452	AnyDesk.exe

Suspicious use of SendNotifyMessage 5 IoCs

pid	Process
2452	AnyDesk.exe
2452	AnyDesk.exe
2452	AnyDesk.exe
2452	AnyDesk.exe
2452	AnyDesk.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1700 wrote to memory of 2368	1700	AnyDesk.exe	28
PID 1700 wrote to memory of 2368	1700	AnyDesk.exe	28
PID 1700 wrote to memory of 2368	1700	AnyDesk.exe	28
PID 1700 wrote to memory of 2368	1700	AnyDesk.exe	28
PID 1700 wrote to memory of 2452	1700	AnyDesk.exe	29
PID 1700 wrote to memory of 2452	1700	AnyDesk.exe	29
PID 1700 wrote to memory of 2452	1700	AnyDesk.exe	29
PID 1700 wrote to memory of 2452	1700	AnyDesk.exe	29

C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
"C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe"
1⤵
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1700
- C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
  "C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe" --local-service
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2368
- C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
  "C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe" --local-control
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:2452

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\gcapi.dll

Filesize
385KB

MD5
1ce7d5a1566c8c449d0f6772a8c27900

SHA1
60854185f6338e1bfc7497fd41aa44c5c00d8f85

SHA256
73170761d6776c0debacfbbc61b6988cb8270a20174bf5c049768a264bb8ffaf

SHA512
7e3411be8614170ae91db1626c452997dc6db663d79130872a124af982ee1d457cefba00abd7f5269adce3052403be31238aecc3934c7379d224cb792d519753

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace

Filesize
7KB

MD5
a05f49ac622aa4f722b9277d84fb4a4b

SHA1
e2f790f36aee0c24cb9eff22b4857ce51d803b55

SHA256
13475f8a4093554301d8b354a0a2d12e1829f5dfb1d2216fd10acfbf13a1214f

SHA512
921b05643323460eb47df5ddbc3b5b59f82790ae64ec26f16ae04c1208fcb4c3b5874b93993bec9847baeae8a8c67a21b8607c7217cc95ab1beed43840feb614

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\service.conf

Filesize
2KB

MD5
f11ad922d50a727c3a9b16665b41fdc2

SHA1
4ae06d1fb39382275ba9eb693c083fd91a2d7001

SHA256
9ab9005dc8dae3945632304e20d824f5baafaa50887ca0c7413f78de0aaea381

SHA512
2eb9d517df90d2aa0d03b7ef78ab35f1c69eaccb325eb3efb5151f2b064a8ae7506ab9b783429e0fd686aecd98bcac629e870dd1592b17d46f83e98221befbcc

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\service.conf

Filesize
2KB

MD5
4ef82c1a776d8b483eee16e70c55418c

SHA1
dcfc1f8525e39cfea95da7825077466f425d1c73

SHA256
9c0446ba94891f0f43d018e770ebdfd39c1928ee04216a480d6a690e694a7e6f

SHA512
664865204fd8cdfcf2d491e2b1f318e50752f8569af9eadd6a135c02d85c1a1a229e02fee5ec47e07fb120286b14f59c872cffbe73e274b550c3131db8aa858e

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
424B

MD5
e090a875b39df21aa6ff43048d5d1789

SHA1
c6b2ce896dabdc994e5ddd8248fa9b39808a680b

SHA256
e344e5beac2b3d7659e9fc627625bebf308fb209071a6a0afb7b3e3388131df8

SHA512
2f1a9a946eda260f1ade50ffba716c2aca50f7118aaafe3f130e13e5d08e7db94ff14d51db3531f74e12b1b6a2ff2c4fa030ee7523d77cd094682eb0c1b71cd1

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
681B

MD5
2ff1c49dd55e4f362b83499cf42f756a

SHA1
c701121161ee49cc6e97c8faa49509063d07a879

SHA256
76df6e4e4a569690199e98729eb56e07d0d7b89faf55b39e9d131b66485c62dc

SHA512
5478c1f422eab39bfa0d0f0118b981b4a3931a7536719544c20d41e328477512e8256c1fe0eb7d246c940ef9375ac163b7e75a3899e3ba7d385eeb34772416fd

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
745B

MD5
06009cc01e4bf4cfe2d11d99a84a7ea0

SHA1
9df74f46ffeb99d453a2564857b604e876d89a47

SHA256
d8adc3439033dff75342cc31be1d8cb4fb8cb2aef1a60f4cc87a92c2c73f2f2f

SHA512
fb51a113c7c849912ed87b84292812f3678fab9896690ecba93c52e493e78091c43463d47167e2c7864b6aa0cb67c5d6b61c40c30a07fbf9e4971d4897513ad9

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
312B

MD5
0c04ad1083dc5c7c45e3ee2cd344ae38

SHA1
f1cf190f8ca93000e56d49732e9e827e2554c46f

SHA256
6452273c017db7cbe0ffc5b109bbf3f8d3282fb91bfa3c5eabc4fb8f1fc98cb0

SHA512
6c414b39bbc1f1f08446c6c6da6f6e1ceb9303bbf183ae279c872d91641ea8d67ec5e5c4e0824da3837eca73ec29fe70e92b72c09458c8ce50fa6f08791d1492

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
424B

MD5
9e76539acde59bbf337fc317bc593670

SHA1
56caa1b30a5641189ef2195b635bd78b94f129d2

SHA256
b8953f3dd9a25861545af312790de653ab33721736b8c23812cec3c577e39fed

SHA512
62f56780733796057c909737d14037509cb02461e65e4104e7d713809bdb80ba3a35f8ab2a200ff25cd758977569a9c9111af68a8676c31dcdfe86f4c529915e

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
3b05437ca53fcc31d3e5dc459d5e8ff6

SHA1
9886b36244d3a33d21e4f75e32f59e94e6b4912e

SHA256
622db4480f4440610da9039b28fd5ec90a22052971444e8ef2b833959091d600

SHA512
070db8909d73fe0ed139486a8880cfb8cf59844904d4196e90292bdbee054c2d12a2d08023ca4f1864a6f3c8503436a826e995b378412b34e72daf6520aef52e

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
3ee86259ccd5bcce73e50d587b08e64e

SHA1
47d84804395b6726bb611f098330c425ebc82c07

SHA256
00a3198a04204a4efd8cf11bb061d4a31800141d6200004b86a89e5701897fd9

SHA512
3a177d34578c675539148beb87414210044802725dab90c73440228ce7672b0a60cc01b46a6f37f8bcdb5598c0f6d66fb76ee7142101f0577560ac105728c572

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
3d2cb5466368be0f413a1e46e6d63243

SHA1
9b3f2ed1108ef2ed529a3ea868e813c335d2a07e

SHA256
3e9651bbd5dbb65470b95a016b5cdc7476c153037ffc89931cf54674794d4fc0

SHA512
78304cff714c89b899cbe269ba253c84a6d8434273b44b40da7edba52131a82deb98ed47219c49d4f649976414ec7778e96f7e91756c70e74ad9c7bc843b8d68

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
2KB

MD5
187403e63fe75c4c106ba12149552af4

SHA1
3c0f3df0ceef1c7ea19c02804a71bc91e669a84f

SHA256
b7a62fbbf97eb0856b08b61567b9b41ad69120d27360f73544daaabb5f4ca866

SHA512
610001754fdabc6984875d6091d1d687395bab264a721e2a5792810479ccae732526af0f974748e5e74ecd563b992a8da0ed296ffca0da0c8523bbc8830c6f0a

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
5KB

MD5
2d889bb3922e681a765bd6c92f98dd86

SHA1
ab72d30823bb197370e0dfb2cef8440170a99573

SHA256
bd830511ddb6e0ebf33c715f9047ed3bdfe3abf49d1e914e87ca53b5832ae8c2

SHA512
38580cfc3a44b41b0d6935f72c5fb7e7722c02edc6f7b91ba821c30778369bdf74ea4630c8d8a9eeb3104fc58bcb71c0121d95d247c8b1436267741a9d682495

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
5KB

MD5
69d3819619d80ae35e774d3f9b832f7e

SHA1
69f2109c952411ab56038b1b54cb795da4e2dc38

SHA256
6ee80d49e8b2e0786d38916fcb1d4a2634b1a17cb5b601a9550d5e16761b0069

SHA512
0a3520e11f511c22d43f9b1ac0600d4cf39d64a220c0252696daa81637b2570778952bda518327a4e5fb686b92d80742ab290915f018cd330c389104728056e9

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
5KB

MD5
22dcf269783f326da6f6ad181c720027

SHA1
94881d3cfde13aef3a4e50ec3e18b3f97a76ee8b

SHA256
c5cd1f4a5c971acb2b78bc9899447f261c0336626f804ac8762edc9df82ad150

SHA512
42284f659298cf653a7c954f789b71e783507e9e0517ee76850d87154355ab16e5f58ee5d4ec05b4bfa2e88e15436e595d1cd5d0319681398b7064ac063a0f49

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
5KB

MD5
d94604a0fe6afc19502ac7ef22d436fe

SHA1
743c02f6257ceb460857c7a8b69865e057627574

SHA256
584f4fd71eb00186d43a109cc7ab3e744af3c3a3e4844e6be075e00b8cce3740

SHA512
5cd399a1604592e0f2fe3f1ff10133bf733595f3851e1cefcabdd7796679a8215320027768dd8546cde547e5b68aecd12dd1b835b878e24b821e43d24738ab0a

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
5KB

MD5
753667d2036577115a8998b6633a6bc5

SHA1
de8dd6cd16a7b6e2c2af4925493022458548775e

SHA256
3d3b16b77951760d4aedab30c13a422376c7684594466c636d380cca0a6a3e18

SHA512
7b078e510c028743175b3364a91c38d529ed3f4fa048920960d3419567fbd2590136cecaa8c7191043def8cf8540c7f7a97a042899ad5cb878b3603d87650fce

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
5KB

MD5
1eb916a955cdb88ff929cad2f3d85717

SHA1
230584e7b93934e94043a6217cd728500d5c2b74

SHA256
da91ecc8283db97a8763b78ae99ce59644029715e38b1ed17c82f118226b2ca8

SHA512
285b9fcf9471318ee5863a79d046e2c1ad2a61b5c7d9c1ab49b81ff61015292a581a40ee38e2853d0edd02a525181452f668fe4d17bf0738038c5e88572d765a

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
39bd0ef9630500b2a3c125b94c7d79fd

SHA1
dd6e50a01e79867f62221229465095581cf324f8

SHA256
f59be5df9f33a9d4d89f6adc2ae9002563bdd372e8ab5b33cb97841708709f71

SHA512
3ee6c14a5c67e284d2ce48d5f4bb5e60855998b1b5bc61790f1bea6d1c33cab9ab46bcda34f2b5d8b495cee3a5bf1708304d195f1395c5808889d2b144e4afb5

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\75fdacd8330bac18.customDestinations-ms

Filesize
3KB

MD5
7d2a3ac75bec62003bac0460e0dcc595

SHA1
f69c6d407212f17a25efeaf1b0c4c9a9a77dd5c9

SHA256
a38373c830a21268387487edb4fe9e2ddddc7701715c1c9fec7649b0bc3b3880

SHA512
44a9a6ac57313888744043fcdbc0bd1c2f8d950655fd84b9e3f82f929b0e68528875c4fe545407a3562dc947aa30cdc7650f494625b390304bdd3e25ea701e1b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\75fdacd8330bac18.customDestinations-ms~RFf898d81.TMP

Filesize
3KB

MD5
7d38ffb2c35bdf21e7ce05008e3aa5b1

SHA1
0cf18eeac8cdfb147649f8d43747350293cf7694

SHA256
c25dd70f8d9176080ce6cff88ce968dd883033c7a1c76e1b764fd29324689ead

SHA512
a5b1041494fe0a6518601d10b67b51cd51932aae732c59214a3783e9d1c132f8be8ae99b6225260dbd806790219930b41d7239166fca59954e4d095771ff9790

Download Submit
memory/1700-682-0x0000000000F70000-0x0000000000F71000-memory.dmp

Filesize
4KB

Download
memory/1700-688-0x00000000067D0000-0x00000000067D1000-memory.dmp

Filesize
4KB

Download
memory/1700-36-0x00000000011A0000-0x00000000028D7000-memory.dmp

Filesize
23.2MB

Download
memory/1700-21-0x0000000000D60000-0x0000000000D61000-memory.dmp

Filesize
4KB

Download
memory/1700-144-0x00000000011A0000-0x00000000028D7000-memory.dmp

Filesize
23.2MB

Download
memory/1700-726-0x00000000011A0000-0x00000000028D7000-memory.dmp

Filesize
23.2MB

Download
memory/1700-702-0x00000000067E0000-0x00000000067E1000-memory.dmp

Filesize
4KB

Download
memory/1700-154-0x00000000011A0000-0x00000000028D7000-memory.dmp

Filesize
23.2MB

Download
memory/1700-158-0x0000000004420000-0x0000000004421000-memory.dmp

Filesize
4KB

Download
memory/1700-157-0x0000000005360000-0x0000000005361000-memory.dmp

Filesize
4KB

Download
memory/1700-20-0x0000000000DB0000-0x0000000000DB1000-memory.dmp

Filesize
4KB

Download
memory/1700-0-0x00000000011A0000-0x00000000028D7000-memory.dmp

Filesize
23.2MB

Download
memory/1700-123-0x00000000011A0000-0x00000000028D7000-memory.dmp

Filesize
23.2MB

Download
memory/1700-701-0x00000000067E0000-0x00000000067E1000-memory.dmp

Filesize
4KB

Download
memory/1700-689-0x00000000067E0000-0x00000000067E1000-memory.dmp

Filesize
4KB

Download
memory/1700-685-0x0000000006770000-0x0000000006771000-memory.dmp

Filesize
4KB

Download
memory/1700-103-0x00000000011A0000-0x00000000028D7000-memory.dmp

Filesize
23.2MB

Download
memory/1700-4-0x0000000000120000-0x0000000000121000-memory.dmp

Filesize
4KB

Download
memory/1700-687-0x0000000000E10000-0x0000000000E11000-memory.dmp

Filesize
4KB

Download
memory/1700-317-0x0000000004430000-0x0000000004431000-memory.dmp

Filesize
4KB

Download
memory/1700-204-0x00000000011A0000-0x00000000028D7000-memory.dmp

Filesize
23.2MB

Download
memory/1700-2-0x00000000011A0000-0x00000000028D7000-memory.dmp

Filesize
23.2MB

Download
memory/1700-318-0x00000000011A0000-0x00000000028D7000-memory.dmp

Filesize
23.2MB

Download
memory/1700-683-0x0000000004020000-0x0000000004021000-memory.dmp

Filesize
4KB

Download
memory/1700-681-0x0000000000F50000-0x0000000000F51000-memory.dmp

Filesize
4KB

Download
memory/1700-678-0x0000000000E30000-0x0000000000E31000-memory.dmp

Filesize
4KB

Download
memory/1700-680-0x0000000000F40000-0x0000000000F41000-memory.dmp

Filesize
4KB

Download
memory/1700-679-0x0000000000E20000-0x0000000000E21000-memory.dmp

Filesize
4KB

Download
memory/2368-152-0x00000000011A0000-0x00000000028D7000-memory.dmp

Filesize
23.2MB

Download
memory/2368-40-0x00000000011A0000-0x00000000028D7000-memory.dmp

Filesize
23.2MB

Download
memory/2368-319-0x00000000011A0000-0x00000000028D7000-memory.dmp

Filesize
23.2MB

Download
memory/2368-738-0x00000000011A0000-0x00000000028D7000-memory.dmp

Filesize
23.2MB

Download
memory/2368-11-0x00000000011A0000-0x00000000028D7000-memory.dmp

Filesize
23.2MB

Download
memory/2368-262-0x00000000011A0000-0x00000000028D7000-memory.dmp

Filesize
23.2MB

Download
memory/2368-133-0x00000000011A0000-0x00000000028D7000-memory.dmp

Filesize
23.2MB

Download
memory/2368-147-0x00000000011A0000-0x00000000028D7000-memory.dmp

Filesize
23.2MB

Download
memory/2368-104-0x00000000011A0000-0x00000000028D7000-memory.dmp

Filesize
23.2MB

Download
memory/2368-34-0x0000000000280000-0x0000000000281000-memory.dmp

Filesize
4KB

Download
memory/2452-108-0x00000000011A0000-0x00000000028D7000-memory.dmp

Filesize
23.2MB

Download
memory/2452-27-0x0000000000430000-0x0000000000431000-memory.dmp

Filesize
4KB

Download
memory/2452-62-0x00000000011A0000-0x00000000028D7000-memory.dmp

Filesize
23.2MB

Download
memory/2452-18-0x00000000011A0000-0x00000000028D7000-memory.dmp

Filesize
23.2MB

Download
memory/2452-135-0x00000000011A0000-0x00000000028D7000-memory.dmp

Filesize
23.2MB

Download
memory/2452-306-0x00000000011A0000-0x00000000028D7000-memory.dmp

Filesize
23.2MB

Download
memory/2452-739-0x00000000011A0000-0x00000000028D7000-memory.dmp

Filesize
23.2MB

Download