55e4ce3fe726043070ecd7de5a74b2459ea8bed19ef2a36ce7884b2ab0863047

Analysis

max time kernel
144s
max time network
163s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
04-02-2024 00:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

AnyDesk.exe
Size

5.0MB
MD5

a21768190f3b9feae33aaef660cb7a83
SHA1

24780657328783ef50ae0964b23288e68841a421
SHA256

55e4ce3fe726043070ecd7de5a74b2459ea8bed19ef2a36ce7884b2ab0863047
SHA512

ca6da822072cb0d3797221e578780b19c8953e4207729a002a64a00ced134059c0ed21b02572c43924e4ba3930c0e88cd2cdb309259e3d0dcfb0c282f1832d62
SSDEEP

98304:NzTZ3cINQscs0m++LNkT6OpwDGUUH57yvZ/49Mr8EO3QhA9Kq:Nzt3cINQscNmvLCwDkHEvZ/4R79x

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AnyDesk.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	AnyDesk.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2396	AnyDesk.exe
2396	AnyDesk.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
1476	AnyDesk.exe
1476	AnyDesk.exe
1476	AnyDesk.exe

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
1476	AnyDesk.exe
1476	AnyDesk.exe
1476	AnyDesk.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1860 wrote to memory of 2396	1860	AnyDesk.exe	84
PID 1860 wrote to memory of 2396	1860	AnyDesk.exe	84
PID 1860 wrote to memory of 2396	1860	AnyDesk.exe	84
PID 1860 wrote to memory of 1476	1860	AnyDesk.exe	83
PID 1860 wrote to memory of 1476	1860	AnyDesk.exe	83
PID 1860 wrote to memory of 1476	1860	AnyDesk.exe	83

C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
"C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe"
1⤵
- Checks processor information in registry
- Suspicious use of WriteProcessMemory
PID:1860
- C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
  "C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe" --local-control
  2⤵
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:1476
- C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
  "C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe" --local-service
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2396

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\gcapi.dll

Filesize
385KB

MD5
1ce7d5a1566c8c449d0f6772a8c27900

SHA1
60854185f6338e1bfc7497fd41aa44c5c00d8f85

SHA256
73170761d6776c0debacfbbc61b6988cb8270a20174bf5c049768a264bb8ffaf

SHA512
7e3411be8614170ae91db1626c452997dc6db663d79130872a124af982ee1d457cefba00abd7f5269adce3052403be31238aecc3934c7379d224cb792d519753

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace

Filesize
9KB

MD5
88c236d35de44a1f88f30e13c18e5c33

SHA1
6ed7437855d51ade75ee43817b846c8e46d3255e

SHA256
28b16c44fceebc222c85d53cd633199dfb413e2f4bbdc6f1948adf2357d68bad

SHA512
d4f4e0822a0213e6c05f140e0f15512e2c9f0ac3158ad819ff9a4c7bb924ea749622c1a3d03d5d3572d79a16c460c92ea47bc1c1f4023418ebcfdff42a21afe9

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\service.conf

Filesize
2KB

MD5
b8daca28605eea04d5e7d1c8732d5fca

SHA1
1df9d9ca3544094a0587ae9436fa6016c0edc267

SHA256
b88d7919a7d525ba71ac9307b528842bd8ef224fc91d3d7f8aa754efd766df6d

SHA512
5351774c938a7087454ed250e313b7ba571905b92d68ea8084d976abe16d3960cc89cf90870ed3f6a0ef66f248ca67a7ec2ef38c82413cf3d9c1eb505f04087d

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\service.conf

Filesize
2KB

MD5
03b5e7361f15749951ae38aa3efd5941

SHA1
2565cebe094af202f99f0da55eb77add4badb87b

SHA256
0663360189676b1abb21387fe7a2904de196c3dfd8bdfd71a6b33fb081be277b

SHA512
7e4391e5398bee43c26360b7da1aacabe6cb69299175c42cbd175feb1d66c4a246c3f49cc4b9496c3f827b9a536981d1af9dbefd4b6edc59407b9335c1e4b972

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
681B

MD5
45464fbbc825b72dbe8e3dca509dfa8d

SHA1
51582df91cb6965d71fbbb498ca83648bbb583a4

SHA256
90433e7bcb098d730e36788a16686bb38bd99033238063c4dfdf0a502d8fa0e9

SHA512
e62e15b543d9944dc2eab42c586ec2fd92662d5ace52c1fe8d7b43e499f8065ffb3c254143917e78901fcd4645ab5b316846cf1dc9fe5b0661281e3e61f2d5ca

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
802B

MD5
fd2f6e27870cecacbf9e7cbbf9228dc6

SHA1
54c5348c8daae13cbe2378326e3b0032df596c9e

SHA256
1e5361b760f7caa6bd18e8cfb2cc920b9370d0a7aacb33991998b3a1f819cf68

SHA512
15afa920a2b529e1049793e3afd24970107eeaa245325d2c81f3f0d9080aff2fd8767a228d56c7358138aed19da45f67931a6a8ddd07161d9b799a9d722a0e02

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
312B

MD5
0c04ad1083dc5c7c45e3ee2cd344ae38

SHA1
f1cf190f8ca93000e56d49732e9e827e2554c46f

SHA256
6452273c017db7cbe0ffc5b109bbf3f8d3282fb91bfa3c5eabc4fb8f1fc98cb0

SHA512
6c414b39bbc1f1f08446c6c6da6f6e1ceb9303bbf183ae279c872d91641ea8d67ec5e5c4e0824da3837eca73ec29fe70e92b72c09458c8ce50fa6f08791d1492

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
424B

MD5
f5a875dbd94c630dffd85b912c31d35f

SHA1
8812ccb42eccde1505ebd63b45a98218d5bbc8c0

SHA256
b11f192d89affff0d732c346d014cd8cdc1e304e3614b6ed33e77d4bbbd818a4

SHA512
7b5eba1960c4e455fc3d722fa2d8e7ff403cc0ad2c2f584a7aae5b47956b40cfa7a98a406c6e6b0932fb64afb3ccbaf079ae7ced63f47768dcf91ebe48eb32d2

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
2KB

MD5
893b15c2f39640e7ed8145c89bd25614

SHA1
bd2fb774c1e6f573c3fd904b40cfc548e6540889

SHA256
1df90fcac51c4b21c8472798002d9e92bafc81f567b7dc09573d78ad39be5630

SHA512
a1cc13a9a33dc534d334d51b2137931657ed2c7366ea3f2378925f7abc7b2991f6d2c1dd9da4144e2c33e77de97816a259f77adf8af1620aa2b95c163716cc5f

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
3KB

MD5
ebcc3beae3521acc031c714fdc3b769f

SHA1
793f1174a5270946210e1e8ad6f5ed5775a8eead

SHA256
f5805a27d7e9b0d4cea3914da9b551ba4e35566fd9266acc3d65a3172551ea41

SHA512
b55f2afe1b02a9dd0d2032ad8df737b66fe6032fae6f6b2f7d4678466fa398b065ac54a5595e4c54ce74ae56257131b1b56d044a43b03f0bfa47a813adc23df3

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
00fbb3a2522c6491898b3855092e113f

SHA1
e67114226101d63627b86c2509a7736443444766

SHA256
caa6beff39f51692da35dfa0891abf8fc9caa609cdad4105cd9d5fe3f11909db

SHA512
7ae51d0449c3494c13de7fb54212a9287de62028efcf72719ecefd20d1446fcf71e6830a71055918b76467ffdfaefbba1d99345002b477aec0ef3c61f3f86ce1

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
6KB

MD5
5045fb5eba091db0b798a6a02bd88dfb

SHA1
c07f399ee633bd740dbaa3ee92ac1c217bcc73ac

SHA256
d728e6b2db62274fa4f37bc3f4667b44740f74820510b7e93a9c71f7b90233ee

SHA512
3f7c204aeb2c6d491ea5877ca6750c3783f5077e6c79df66bb6a739e78120732e4f4d0769b82182e7cc805ca4ca3e192d50cf0bed5032c6045e5229e87d8cc57

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
6KB

MD5
96afbb67c7b0822de15995a2b97cf6ed

SHA1
3bd536e91324046de3d9b2de2f3e1f046f028519

SHA256
b9ade72ef31a03261941adfe9bd8262adf8844d9a1a475953d024ab2c680b43a

SHA512
ef888a553341d5c5200d704cdfcd5025af88a825a38771eaa3ce0270695df72de3a8804ea543fa962c6d97e3bc53185d1e4e74093c3c0c43c6fa86ea8b75b87b

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
ad789a02690e5b213c68425c9df5115b

SHA1
352e8f39fc247ead3b20eea3a5cc11926b7f9eb4

SHA256
078ec16ef03951e310a07a6b337fa6c5bb450bea1c7ee348346d31181adff442

SHA512
afd5537513df7538c1a22cab869a0867d59f3f94d395f757c238bf29acdb67783b7ab155d2388019266e51d53d49504587b9ba5d98184fef819ec31b62daff7e

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
f15e9be2287cd70513d90d3cb5a1123c

SHA1
ec9bc7009ab1aa6566975364fd2b478829df7ff2

SHA256
d473242e72e2f1fe12155cceb4a01a8caabb23aa48c2f770c46868c251113c20

SHA512
c71768890c952478b4d788bfce25f3888392e42f135d6fd4ebecfc2362e8ce1b71e83269802a333b86dfea73d0b21c08f2282e4f3226d2e7f7a8be96ddf1e33a

Download Submit
memory/1476-19-0x0000000000C70000-0x00000000023A7000-memory.dmp

Filesize
23.2MB

Download
memory/1476-30-0x00000000008E0000-0x00000000008E1000-memory.dmp

Filesize
4KB

Download
memory/1476-233-0x0000000000C70000-0x00000000023A7000-memory.dmp

Filesize
23.2MB

Download
memory/1860-22-0x00000000064B0000-0x00000000064B1000-memory.dmp

Filesize
4KB

Download
memory/1860-88-0x0000000007C30000-0x0000000007C31000-memory.dmp

Filesize
4KB

Download
memory/1860-83-0x0000000008A80000-0x0000000008A81000-memory.dmp

Filesize
4KB

Download
memory/1860-0-0x0000000000C70000-0x00000000023A7000-memory.dmp

Filesize
23.2MB

Download
memory/1860-23-0x00000000064A0000-0x00000000064A1000-memory.dmp

Filesize
4KB

Download
memory/1860-220-0x0000000007C40000-0x0000000007C41000-memory.dmp

Filesize
4KB

Download
memory/1860-4-0x0000000004410000-0x0000000004411000-memory.dmp

Filesize
4KB

Download
memory/1860-231-0x0000000000C70000-0x00000000023A7000-memory.dmp

Filesize
23.2MB

Download
memory/1860-1-0x0000000000C70000-0x00000000023A7000-memory.dmp

Filesize
23.2MB

Download
memory/2396-31-0x0000000002580000-0x0000000002581000-memory.dmp

Filesize
4KB

Download
memory/2396-12-0x0000000000C70000-0x00000000023A7000-memory.dmp

Filesize
23.2MB

Download
memory/2396-232-0x0000000000C70000-0x00000000023A7000-memory.dmp

Filesize
23.2MB

Download