fc19f3275d02764cf249dc6fe8962e06b83a4f5769cc369bc4f77b90c567df18

Analysis

max time kernel
71s
max time network
74s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
31-01-2024 19:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

AnyDesk.exe
Size

3.8MB
MD5

e546506082b374a0869bdd97b313fe5d
SHA1

082dc6b336b41788391bad20b26f4b9a1ad724fc
SHA256

fc19f3275d02764cf249dc6fe8962e06b83a4f5769cc369bc4f77b90c567df18
SHA512

15a8d7c74193dffd77639b1356ccbe975d17de73d0d6d177b8ecf816d665f620adefcded37c141bac0b2d8564fbba61aca4d9b01885740f23fbcc190515cbd08
SSDEEP

98304:uSCb8xJlb0VgU/vZaZKa4opQILfbsLajDMWEeq7PbUs6En5:uH8HCOUZakpAbjbsLsMmqM

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

AnyDesk.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AnyDesk.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	AnyDesk.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

AnyDesk.exe

pid	Process
64	AnyDesk.exe
64	AnyDesk.exe

Suspicious use of FindShellTrayWindow 3 IoCs

Processes:

AnyDesk.exe

pid	Process
1556	AnyDesk.exe
1556	AnyDesk.exe
1556	AnyDesk.exe

Suspicious use of SendNotifyMessage 3 IoCs

Processes:

AnyDesk.exe

pid	Process
1556	AnyDesk.exe
1556	AnyDesk.exe
1556	AnyDesk.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

AnyDesk.exe

description	pid	Process	procid_target
PID 2544 wrote to memory of 64	2544	AnyDesk.exe	84
PID 2544 wrote to memory of 64	2544	AnyDesk.exe	84
PID 2544 wrote to memory of 64	2544	AnyDesk.exe	84
PID 2544 wrote to memory of 1556	2544	AnyDesk.exe	83
PID 2544 wrote to memory of 1556	2544	AnyDesk.exe	83
PID 2544 wrote to memory of 1556	2544	AnyDesk.exe	83

C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
"C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe"
1⤵
- Checks processor information in registry
- Suspicious use of WriteProcessMemory
PID:2544
- C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
  "C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe" --local-control
  2⤵
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:1556
- C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
  "C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe" --local-service
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:64

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\gcapi.dll

Filesize
385KB

MD5
1ce7d5a1566c8c449d0f6772a8c27900

SHA1
60854185f6338e1bfc7497fd41aa44c5c00d8f85

SHA256
73170761d6776c0debacfbbc61b6988cb8270a20174bf5c049768a264bb8ffaf

SHA512
7e3411be8614170ae91db1626c452997dc6db663d79130872a124af982ee1d457cefba00abd7f5269adce3052403be31238aecc3934c7379d224cb792d519753

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace

Filesize
7KB

MD5
22e51a818797e5d00313ed9409c72b3c

SHA1
22d6ac7135dac09626206411290d407f2156e3c2

SHA256
bf4cbf0c0051a948cea58d96c1a29619ef10efdebdd85a7bbbe7465dc1eb7fad

SHA512
2f4f8f1cf03b476a1ba105d099834f8b55677c6acd4bb0977d75f4dfe4c43c4ce98027c1018d47ede84a09bd89527f70d406740e554a06da94370c1685615f98

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\service.conf

Filesize
2KB

MD5
d973c4b930599610066a0e30ab4354ab

SHA1
98d13b0e56d9182c55f75b042b209b1df45a0837

SHA256
11f36a69c8e08b73e2701e3baa5ec4f91d8d0e4fada5b37590d5a749d73bc102

SHA512
93dff46ba35cf11c4c7bcc532f23d8d348a06c50a9988d658536d4fd72aa70c4b6375f8b1319c4bb1e2cdeb04dd8a058e9803d74e1bb700f682f64d31000ec2e

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\service.conf

Filesize
2KB

MD5
64273367c68bb78481c8643bb0712a68

SHA1
d2f274fad16be5fbbf547fccaf8b4060c281e500

SHA256
d0f7d15e04a067c29cd03c5123566bbf049794741889f759b14912cb171f1b69

SHA512
81458404f35fcb7fc2b81aa230df9aa9a5ca66577ceb052135e9baed735b45be87f8b21513182817313b34062c60d3197cc6ca216874ec12c4b74e7f92d2d39e

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
612B

MD5
b621018072ea77cd49e1e6fe5134770e

SHA1
9522968d13cd7dd6972d667ebf7535a7b7587602

SHA256
9c9642bac7277773d04e7d36fd148f5db60ba97cc19c76e43ebe32375f0d302f

SHA512
5dee654f33425e95cb919497fd41492efc59da8e640a7bfc315befc3a75607d6e5d717224c4afa0c5dca4ad51dddf2e948532dadd430d1cf4eeed328bf60ee08

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
681B

MD5
03968a37f48046009bab98c45e242b46

SHA1
bdcaed67900730345b524df9cefe5d4df8a1d32f

SHA256
4052d62c6c3c84b146bd5f2793328264066f75615ad7f155b75630db0909a612

SHA512
4e5c4e088a0aba86cb6432a4dc0252a248158031ccd3238044373967104a88e247def86f82029f14e2c9daedca020e9975de5c3f480a26e94edd7c204285f2e3

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
802B

MD5
1febcf582548f00eef6817d5ee211f63

SHA1
c4d820ad2d34d2e37f9a538c8638405f2390ef85

SHA256
926a4630fb196170e34a704c790c5c2603428a2630949ea3becd34434373e919

SHA512
186b627ac16e40543219f9b262592f587fa1a83680b4d9b19606c2dfcab750a105eaf22ff0c28a13c14eee583d609a250d45aca044f0697980e986ac04fcb1ce

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
849B

MD5
299e9e7557e49f97da8304037b25ee29

SHA1
a7699f2a40fca77f7f5ba65db44afc3157c8271e

SHA256
e1be1b06f5869df7e39315a43b416e2e3a2a181c4ac2ea03f326046dbdf0bb80

SHA512
ec16b240c61b63b92c2569b694c3c9d796410ea3e40ca42fa7ff040fc800adff295b45f2bf52e89ce8321180b0c33fe34bb7d1af5a6d75311cda56bb6b39a5dc

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
312B

MD5
0c04ad1083dc5c7c45e3ee2cd344ae38

SHA1
f1cf190f8ca93000e56d49732e9e827e2554c46f

SHA256
6452273c017db7cbe0ffc5b109bbf3f8d3282fb91bfa3c5eabc4fb8f1fc98cb0

SHA512
6c414b39bbc1f1f08446c6c6da6f6e1ceb9303bbf183ae279c872d91641ea8d67ec5e5c4e0824da3837eca73ec29fe70e92b72c09458c8ce50fa6f08791d1492

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
424B

MD5
ed91ad7f44422abc3337537b48fea368

SHA1
52473fe833082e78d36e60b5e88895c9b685525d

SHA256
8df7cbe38e160fcc9377bea7fdd6de2f26002cfc3c7a4abd67ea830f5f2fde07

SHA512
d264e49b7f95f72ca5f49afd95315b451c8dadb8df0d43e5f9f1f21eec0bf1b2c4733149e1a7c82a3981a163d09d56815e82af42d31bfacbd789443a822b8bdc

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
4KB

MD5
051fc7e0e5129b984df2738442d30581

SHA1
9db2cdfa2903ece397f89a07a804cff76e5d758f

SHA256
b207ece8aae4bbe67e424dc0fc5e40ae5197799cf0b918dbce81e0953fa4a9c2

SHA512
ddefcf2490f6d68d4447dfb56dc824590d004b753a0e3cbadc7697eadcf41de8121b872f1ff2583a99b7a05c29449bcfc0fb63736a0184a44ab6f5a3738aaa25

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
5KB

MD5
cd6bd0a85f47e10426b9a158fb179d7f

SHA1
bf9a73db5330fb34819d0cf002f60fa8a4abf51a

SHA256
d731bbe81e0950852930332a1f0d674180d4af50468d5ae3a8537610af8bc0cd

SHA512
f7aee05a401571ad2a769a9e2c1759ac31eab3778ff4a5ce0532b095da3d1b683008b07457b8b647bc629127d9d7a5a3ba820cfbe68519ca0554e68792a04a7d

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
e631b030daa4d6781c95e7b162a5cdfa

SHA1
4e37f2dda7fe68955d7b0cb22af2bc7ef58d0c68

SHA256
735cd26ecab168267327bb7183fc186558cd371638abb9ae8eb366016948e5df

SHA512
2f7d502fcae69d1c0f2f5ee2a049b86cdf6feb0f0732835bb0d46cce2125a4160ed9de5b48e205205300c4b2709e869f694b5bf35baa312db77e3ea51075e75f

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
5KB

MD5
483f30b048f67c10b91ea246cfe72a25

SHA1
1bc0eb841fad6f447f4002305a909a7e18b81958

SHA256
5b5ba3d670dbcb2de93a754daaefeaa611f48795865b9a07959fa28d088733ad

SHA512
e17c2f9c0edb09e79aa7fabc2f4299a80c0539ecb6e569a9c8f04b87f14d54863904c2b0f91d63232c5485a7de4806738403f6942cc2520d4a11c522a22e1d96

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
5KB

MD5
bbbc4807784c1df988c32cc5784898cf

SHA1
1b41fdfc15058c20dd628e65843503effa67f8f2

SHA256
b05018463de7d1828d9e6c952039a7b20f7b2fe84bf8aa3ec2a7f9ac4eb427c9

SHA512
1667d37bbcee1d4cb24e81d2e159d59a3a1e8df361f8e547f7370a1da53f4ff3c0ecf1fa5c00742b01b302f35122ad9c5c4f3d099a02918e6f37f490ae8967d5

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
6639f41d30792b1113a463606fe9b9f0

SHA1
08f89506be089628d5353694ea71c41bf7db01e0

SHA256
ef0d9488c165f6198c0d90f96428ed0d5d49d17fdb4783b9c582022e4925be6d

SHA512
5dc1b455aa52b12b653b1115990b68ffeaf76e7779d358b9981c7eb7d6cadb3e799a90c0d42105582dc55b32eb48c30b618cf9151ae05913eebb4a55f002b890

Download Submit
memory/64-9-0x0000000000650000-0x00000000016CE000-memory.dmp

Filesize
16.5MB

Download
memory/64-204-0x0000000000650000-0x00000000016CE000-memory.dmp

Filesize
16.5MB

Download
memory/1556-205-0x0000000000650000-0x00000000016CE000-memory.dmp

Filesize
16.5MB

Download
memory/1556-28-0x0000000001C80000-0x0000000001C81000-memory.dmp

Filesize
4KB

Download
memory/1556-10-0x0000000000650000-0x00000000016CE000-memory.dmp

Filesize
16.5MB

Download
memory/2544-24-0x0000000005910000-0x0000000005911000-memory.dmp

Filesize
4KB

Download
memory/2544-3-0x0000000003770000-0x0000000003771000-memory.dmp

Filesize
4KB

Download
memory/2544-1-0x0000000000650000-0x00000000016CE000-memory.dmp

Filesize
16.5MB

Download
memory/2544-0-0x0000000000650000-0x00000000016CE000-memory.dmp

Filesize
16.5MB

Download
memory/2544-203-0x0000000000650000-0x00000000016CE000-memory.dmp

Filesize
16.5MB

Download
memory/2544-84-0x0000000007F00000-0x0000000007F01000-memory.dmp

Filesize
4KB

Download
memory/2544-29-0x0000000005900000-0x0000000005901000-memory.dmp

Filesize
4KB

Download
memory/2544-212-0x0000000000650000-0x00000000016CE000-memory.dmp

Filesize
16.5MB

Download
memory/2544-215-0x0000000000650000-0x00000000016CE000-memory.dmp

Filesize
16.5MB

Download