55e4ce3fe726043070ecd7de5a74b2459ea8bed19ef2a36ce7884b2ab0863047

Analysis

max time kernel
1797s
max time network
1801s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
30/01/2024, 14:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

AnyDesk.exe
Size

5.0MB
MD5

a21768190f3b9feae33aaef660cb7a83
SHA1

24780657328783ef50ae0964b23288e68841a421
SHA256

55e4ce3fe726043070ecd7de5a74b2459ea8bed19ef2a36ce7884b2ab0863047
SHA512

ca6da822072cb0d3797221e578780b19c8953e4207729a002a64a00ced134059c0ed21b02572c43924e4ba3930c0e88cd2cdb309259e3d0dcfb0c282f1832d62
SSDEEP

98304:NzTZ3cINQscs0m++LNkT6OpwDGUUH57yvZ/49Mr8EO3QhA9Kq:Nzt3cINQscNmvLCwDkHEvZ/4R79x

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AnyDesk.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	AnyDesk.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4576	AnyDesk.exe
4576	AnyDesk.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
3192	AnyDesk.exe
3192	AnyDesk.exe
3192	AnyDesk.exe

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
3192	AnyDesk.exe
3192	AnyDesk.exe
3192	AnyDesk.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2124 wrote to memory of 4576	2124	AnyDesk.exe	84
PID 2124 wrote to memory of 4576	2124	AnyDesk.exe	84
PID 2124 wrote to memory of 4576	2124	AnyDesk.exe	84
PID 2124 wrote to memory of 3192	2124	AnyDesk.exe	85
PID 2124 wrote to memory of 3192	2124	AnyDesk.exe	85
PID 2124 wrote to memory of 3192	2124	AnyDesk.exe	85

C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
"C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe"
1⤵
- Checks processor information in registry
- Suspicious use of WriteProcessMemory
PID:2124
- C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
  "C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe" --local-service
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4576
- C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
  "C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe" --local-control
  2⤵
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:3192

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\gcapi.dll

Filesize
385KB

MD5
1ce7d5a1566c8c449d0f6772a8c27900

SHA1
60854185f6338e1bfc7497fd41aa44c5c00d8f85

SHA256
73170761d6776c0debacfbbc61b6988cb8270a20174bf5c049768a264bb8ffaf

SHA512
7e3411be8614170ae91db1626c452997dc6db663d79130872a124af982ee1d457cefba00abd7f5269adce3052403be31238aecc3934c7379d224cb792d519753

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace

Filesize
9KB

MD5
43f676f7009c92b5eae9e28084e6ed24

SHA1
1426f1e6cb1f210dd98ba02bcfcc9d137f1d0040

SHA256
a60d48e46845f97ed5b4562c25fe2175387032ba1cd169aa83dbad2da0be87a4

SHA512
d790db8016f0ab549a87ac59f4c59bacfe86c7e6905bf9ea9d7caa7e33dcbd221a43ae68491352ae2ebd6001f3c880e7d61e10fd018e3a05e5dc76a5e90100c1

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\service.conf

Filesize
2KB

MD5
4308326654bf5c853d0d7fcea7064569

SHA1
a747b6100c92aadf30e9e1a0af91d7088ef581c6

SHA256
6e9d02fb778c6815c0492444fde77f97b435424a2e798c89097a282cdb4e4f26

SHA512
e70b6762121435bb920f8001c45367875f5d3a3ed4caa7be1edc21ff5bfe063f18f379adf55bc493f5e5e53f2de7892c654150be1c69a58868daecef6dc9d134

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\service.conf

Filesize
2KB

MD5
ce148b9720f1fcb85f1b949253e25b47

SHA1
de1f5e902d0e86bb4bb16da48d3d4c52cd69c526

SHA256
b6f035b28328c337ea9689c1c76119aa4104dc11e7b0ca2ea213e001e22ab532

SHA512
84998bb66a1bcd7be5aac7f8af5d525f2ffaa2748c0fc557a6dd4d9d5565b886a3dead533e8aaa6d7074db504472485d5d84a270fc17ca6b7b99b232f4966ca0

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
612B

MD5
471778ca52982d474d7f0361a937e039

SHA1
34086714219f520e4c5c2bb3138d595c4119ace5

SHA256
52a09a027d5208fa910f84d7f2fbed2a3e6db4d55fde01e0ef5986c10d12484e

SHA512
55ba272436b4718a4164b94110ed2f41028c222b233c97bd9876a542866637129157dd1d2892d1c40899f4cdf6e97df8b750b9bcf94a369fa128a54df2cab77f

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
733B

MD5
d25a7cac7c99285b98ca1101a217b1f4

SHA1
eae55f7decdcbe70d1ed103a2a7518775d908c58

SHA256
0a22323a16472d702fa039fbbf86f2148bbdea1bbf2d3d029de12ac4752c1136

SHA512
f22d4bbc8f99bf0895850b4546b7b4c47a2fc7651d7b2b5e0d2609490ba0ff950555b57e59897726efe131314fb3c7c9e457478f7d9bc9da5eac801b531f85f4

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
802B

MD5
5b70018625daf115d54f614ae3da5e3e

SHA1
af365df668590e61b63f0bc25d924d618e018c04

SHA256
7da3bcdf836a87662269f66666cc3c4e2d14784f7b811559a51d006245a5914b

SHA512
589d67c490da749be29d78c61e75b3f4e21e9faab943e1477a2ef0ea31adbded233c4c4ef0e8b867798bf7857f4260254a39addc85798ad73bcdae45880e5c99

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
424B

MD5
df7dcef1b71219925c7ef2f1e34b959f

SHA1
a90c8bb854bb8d7d3eba30102e21b919abda941d

SHA256
c718f43ef1999090a9125c3256e71bbf26eee4ccbc7f42227a971b9505ad53ff

SHA512
6e6e24dfef96011444e475eea3d151b648d7a3317d62c790a41f01ff3c3662915b8eefa32fcef37fe978ce73c5bc7ac7acab14048a07970f1e49f8d6a7b54178

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
784c38daa3eba4989aeb2edc102d3aa8

SHA1
c9c1ff33ce157b3685423a4c1e40e3db8e2e9755

SHA256
979274744430a90d834bae38a3cd9c958bcb30b3014322819b5eb6e0d6a8d4ec

SHA512
9c4b719bfbe1a44dcce9f3e26db1e4d2b04595ed8e28feee4ce4941b4e777a9cf028ffe7118abbc68399948a694ad3e88b83cfd8796f11bc5971e8e028c1cedf

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
4KB

MD5
71ff36cf719e67da09622ce9099c94e4

SHA1
4ae12e030a726b7135244f21bd0a15be2235b4b9

SHA256
6086e4c473fb59b09ba815a98a5d0de24e10d03cd17bb05f4834b428c77e1e25

SHA512
bd4af76d35a3f46ccf1833655344a8d1e90df5e2db3fab265a083b602f173541a8d2e772ed6351ab58feb1bb8201f562690afaf241bbb14fe1e5eaf0c650713c

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
4KB

MD5
6e1a9e0a45aa393066c9ee49a27d0212

SHA1
0f2abf8c5258a3f936a61fbb9978798dfd7e984f

SHA256
e6dcd0470b2f8dbdb1abcc4dfd152b20981ae9de493d4fa614b51f3e7fc8c7f3

SHA512
aef7562046bdff1f6bbef1123c6b7740b78cd2fc663c67737d160b9d6cf4053eb22281ee661f86a07e921987b1db4f8cc18d7b1b1de6e396f8c39e757aca1ff0

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
5KB

MD5
69abf48858bfa40dec38aace22b01f35

SHA1
3e98e8fc5cf9c3c3763de340e8157cea962cef8b

SHA256
1e8f58aec1fe6c44dbcab39b938917e16633bf23af7780570ee735037091a3c2

SHA512
798945202957495279407a972896d297be087a2a7830265325a8d44c8e432e3082ae3464646f3a5924931512911f012b0dad19c35f30d732cc2036ef7062d0e0

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
84e957f31b40ff2a4c315af465428bba

SHA1
ab0f0b97c6c385e93e8f10c73128b1ba629b8a60

SHA256
fa2e36b366dbb0ac599c48656ff50e255684bf15c0ba4ef74e6f7ca39a7cbaad

SHA512
61922611fef6557fcbb4e479009303eaeaac802aa3081aa45e8f7250d4340d51226c1db5a4602438c59438ec495b90707c455a7293bf183a6d10bbe2bb1b00fc

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
5KB

MD5
ff8961ded6b22383ef41e2ee5f1e627f

SHA1
050f66ee3f78d69ae97e8771d40186e227ce0c13

SHA256
64a4a656e159d7c8bea93dc151f5fbbf6cd4c82aebb0c541acdfe13b00820bf6

SHA512
87a51f0265244b8d81b7877858a94b214f00d1842cbb401660ad8b265a08199782de5635c05acf77a8ecb72a66e6489c3dc1fb447939501a06fa2de26f211d9e

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
5KB

MD5
7b877a8c893777d937c7ac0f31f72a73

SHA1
3253b5a1950b761e0c6d2ec07f73b0d7c68ef1cf

SHA256
2990c2bc4bb738ea5885bc14b9b34e0d47e312386b53a40ab2f2f3855c58b350

SHA512
ce34a5fab86573a4beaf5a44fa5c2ded5e31639124893bbad9645874caccc8b1e586b550c653dc8c214a94d0cf09c62164745bed9a7ec933b45c08cf993c5845

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
e344de63603888c6dfad976f8f63a0fa

SHA1
30a6a38c50a22800151a98c73d6541ed331732db

SHA256
b57ba64510f2a4693dd797986a41f5526ac615142591850fa0997f3616065caa

SHA512
fd8f45165b3e8d3302629d660447e039bb70afe6002ebc9f333a6700ae0759a404dd0b16f9b35b77675cc194b79e804cf9357b7be32e74ebbd35939e276b840e

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
08e2f404b9763626cd3839e3dc1115f5

SHA1
be7e8b6f7255d5cba2e8645b333212b124ea6f45

SHA256
616cbd1a193e33d6e7fc733360078c2ff936ca9061ac6422071f8a3d1e7fc4be

SHA512
e3322c2d9cb8cc260ce05b78dc8cfbbfacbaa51cdad5f48e0503438fa88140c86b3bce040255cf52014ae311bd1c792525071a16bc335773eed3b714ad4f5590

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
e630e11b5f35c99fbc92bfb283e17d65

SHA1
8b8740e1ddec13815e0a2b1570181429d579238b

SHA256
241111c038cc6dd79182b13e8c83ea6eec6530444e3c24302c5ad9194891438d

SHA512
82545ab9816edafa7300115d3e90205bbd22c91193c2e95fac1fed25107be23943ea8e3690a0cc0e9f17d1ba8eaae8991648e7e3f1522a3e38a5266ac68e88ec

Download Submit
memory/2124-0-0x0000000000340000-0x0000000001A77000-memory.dmp

Filesize
23.2MB

Download
memory/2124-4-0x0000000002020000-0x0000000002021000-memory.dmp

Filesize
4KB

Download
memory/2124-103-0x0000000007300000-0x0000000007301000-memory.dmp

Filesize
4KB

Download
memory/2124-1-0x0000000000340000-0x0000000001A77000-memory.dmp

Filesize
23.2MB

Download
memory/2124-29-0x0000000005B80000-0x0000000005B81000-memory.dmp

Filesize
4KB

Download
memory/2124-233-0x0000000000340000-0x0000000001A77000-memory.dmp

Filesize
23.2MB

Download
memory/2124-84-0x0000000008290000-0x0000000008291000-memory.dmp

Filesize
4KB

Download
memory/2124-232-0x0000000007310000-0x0000000007311000-memory.dmp

Filesize
4KB

Download
memory/2124-57-0x0000000005B70000-0x0000000005B71000-memory.dmp

Filesize
4KB

Download
memory/3192-12-0x0000000000340000-0x0000000001A77000-memory.dmp

Filesize
23.2MB

Download
memory/3192-13-0x0000000000340000-0x0000000001A77000-memory.dmp

Filesize
23.2MB

Download
memory/3192-30-0x0000000002020000-0x0000000002021000-memory.dmp

Filesize
4KB

Download
memory/3192-237-0x0000000000340000-0x0000000001A77000-memory.dmp

Filesize
23.2MB

Download
memory/4576-11-0x0000000000340000-0x0000000001A77000-memory.dmp

Filesize
23.2MB

Download
memory/4576-41-0x0000000003C40000-0x0000000003C41000-memory.dmp

Filesize
4KB

Download
memory/4576-236-0x0000000000340000-0x0000000001A77000-memory.dmp

Filesize
23.2MB

Download