55e4ce3fe726043070ecd7de5a74b2459ea8bed19ef2a36ce7884b2ab0863047

Resubmissions

05-02-2024 23:43

240205-3qwsfaaha8 3

04-02-2024 22:00

240204-1w4zwsbge3 10

Analysis

max time kernel
121s
max time network
124s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
05-02-2024 23:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

AnyDesk.exe
Size

5.0MB
MD5

a21768190f3b9feae33aaef660cb7a83
SHA1

24780657328783ef50ae0964b23288e68841a421
SHA256

55e4ce3fe726043070ecd7de5a74b2459ea8bed19ef2a36ce7884b2ab0863047
SHA512

ca6da822072cb0d3797221e578780b19c8953e4207729a002a64a00ced134059c0ed21b02572c43924e4ba3930c0e88cd2cdb309259e3d0dcfb0c282f1832d62
SSDEEP

98304:NzTZ3cINQscs0m++LNkT6OpwDGUUH57yvZ/49Mr8EO3QhA9Kq:Nzt3cINQscNmvLCwDkHEvZ/4R79x

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AnyDesk.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	AnyDesk.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2412	AnyDesk.exe
2412	AnyDesk.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
4192	AnyDesk.exe
4192	AnyDesk.exe
4192	AnyDesk.exe

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
4192	AnyDesk.exe
4192	AnyDesk.exe
4192	AnyDesk.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1332 wrote to memory of 2412	1332	AnyDesk.exe	84
PID 1332 wrote to memory of 2412	1332	AnyDesk.exe	84
PID 1332 wrote to memory of 2412	1332	AnyDesk.exe	84
PID 1332 wrote to memory of 4192	1332	AnyDesk.exe	85
PID 1332 wrote to memory of 4192	1332	AnyDesk.exe	85
PID 1332 wrote to memory of 4192	1332	AnyDesk.exe	85

C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
"C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe"
1⤵
- Checks processor information in registry
- Suspicious use of WriteProcessMemory
PID:1332
- C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
  "C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe" --local-service
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2412
- C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
  "C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe" --local-control
  2⤵
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:4192

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\gcapi.dll

Filesize
385KB

MD5
1ce7d5a1566c8c449d0f6772a8c27900

SHA1
60854185f6338e1bfc7497fd41aa44c5c00d8f85

SHA256
73170761d6776c0debacfbbc61b6988cb8270a20174bf5c049768a264bb8ffaf

SHA512
7e3411be8614170ae91db1626c452997dc6db663d79130872a124af982ee1d457cefba00abd7f5269adce3052403be31238aecc3934c7379d224cb792d519753

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace

Filesize
6KB

MD5
3975425687c0842798f9b4b341cfd2d5

SHA1
e628d05af32eadaea13812d0ba32b2a55e89fbcd

SHA256
fdb6b259e8cb26893b77dadcb85aa36ba77d0d882e49229802aa68d1e0f5b412

SHA512
2cd29c44fd8d06ab93b0d9b8a65db30a1ede27d9270794f7b7277a1f7811d78f9f5967555034750de8d601f8a5e102e91a0cc4fac9607e46177fa34a5d3d76fd

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\service.conf

Filesize
2KB

MD5
d6974bfad1a2e5bbbabc672a94108727

SHA1
a13a65daf6ad4c6ddb42d27248b347bc18c1e8df

SHA256
926a30cdd7bc14a5101ab342a3c654b1c2fc9d0fb66c0ca7664d1d73b4f76267

SHA512
c83f39f1c40e3ffcf24231b1a048176380bfa89bde99e3d707ad5f95dc58af4f074539c6e19dea55aadce1dcc984b4f7b069a5569c0b2cd3267cb881a7a9ba9e

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\service.conf

Filesize
2KB

MD5
1c8bcc9a7480d3141368600bf27f997f

SHA1
e2ed43c1de12ce6f4735e307622d122e354098ec

SHA256
49a9b86e7f368f3247b6d401ee68290151908f3ac417aaac8553095b98a9bd6e

SHA512
10ad71875c8641454ce17d0a9edb932257f4fbedda8376fee4eaa7f622c038cbd6ebd4dde5e0444ff90494019d0e7291abb1611ec4136b1fb7dad9b90563bff0

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
612B

MD5
f6912fccf83e33d4e52df047e69153de

SHA1
a9e4022f457d95f70b3fb741100e8ecd7ff94c00

SHA256
9ef434b3594a0ada3ab26e7a2aaa5fcfe77b76cb693960636550a7caf65545d4

SHA512
8fcc5a030a10dcc9100d9d2a8dd1e5ad0596dd3987fd913892f753415dc9ed15bddd7ccf012271f5893742a7fb841fcc4543bea81699499ccc496f51c8dc38eb

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
733B

MD5
57ac81d79c9b2dbb5b9b30c80d9b6633

SHA1
719cb4660227da97de20e0f0260a190eca6ce994

SHA256
d9533754fe323923827c49064801e28c145f4cbf64434d5928f69a5ac84cd2d9

SHA512
aabd383ad18a0097bfa195548284f9c87890be00a1d1e2ca06a822f8bb798920833bc156272957a73881a0d8ec764171e71a9f6608ed476e9321df464ad8a170

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
802B

MD5
4feaf44dfdec4fe31752e681c8e6b55e

SHA1
68f943fc15696a747e41e32b913fa8af82e7370e

SHA256
81f602854e82cbb59c9703d5add46d743d85fad0cd510c471124916d5278d7a9

SHA512
68a5b0af2ea1aeb26b4e51c4471d99cddd9e2e909779a12703c1d54f912b84e205ab910923ddceaac657f110ede6f095764573b6b61968688e177629cea525b1

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
312B

MD5
0c04ad1083dc5c7c45e3ee2cd344ae38

SHA1
f1cf190f8ca93000e56d49732e9e827e2554c46f

SHA256
6452273c017db7cbe0ffc5b109bbf3f8d3282fb91bfa3c5eabc4fb8f1fc98cb0

SHA512
6c414b39bbc1f1f08446c6c6da6f6e1ceb9303bbf183ae279c872d91641ea8d67ec5e5c4e0824da3837eca73ec29fe70e92b72c09458c8ce50fa6f08791d1492

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
424B

MD5
83b4205694be9f1ce5695d3021f01698

SHA1
3c61ccd2f4e68d1166fc62b9588d1a5be433ec11

SHA256
24b1b59e93bd8c37f59807b8460f9f05c493d69d5feba03072c03260a75fd44b

SHA512
69d145edb5afcdfd499ad21c285c5848b2a544b1bac1abf69c34ea9853b21ad955a506641cfd78829b500be8189cda453a4fac646b62f36fb4f95d9f6957114b

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
6f388efc4f0b9487d4bf86b4e9b2f211

SHA1
6f20d40d95a468dc2a45a85064108531836fb0b6

SHA256
f9fe20a32e31583dfa756172e6a1184ff9d59ee109129c7fa3da24856b95ca0b

SHA512
5121188be62fc7efa078c31c67b97c6dae5cdbd4d4af8078ccbc5e2080fea76101b176a8fd0fef18e7b81967e70b13c761e386259be8823382e075f4bb1373ad

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
6KB

MD5
463e105505644e2c830176d672b19240

SHA1
bbb5b78c07d51a526b9ffe0b2c588fd21787848e

SHA256
4552bcaf59c2933c5177827e57af6e69019c18f0b6e18c3e481b0bff3ef11696

SHA512
6d0381e836d826b81cf8afc95d06bcde4653dfb39277b58eb04e74d7dc3fde9792b2e591432cb58bd48042e7adf32c469594060be6a0197b27328c33b0a9b057

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
6KB

MD5
6bde3182a5c715ca3f308886161e3c3b

SHA1
c10b7628ee98999060944bb865a44af44da542a5

SHA256
8e0f5153f60a1554fef6886a4d6a12ded9e58ddf46abd665ccf58b5d3f294d91

SHA512
f28cc5b13652c3df88149525897d483ab0a8a8975f5e3007983d815cd11292907a7db73b377522328c8f4ae0fa7ec821624f533c03a50d2afb276ee3e5a1cf8a

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
825cef082279026db544e3f49d6e8a7d

SHA1
90d25d9a3759d58ff19aeaefd9a0e83aaceea280

SHA256
4e56cbdea4da042038d63b31280557ba961cce99e418ad2730be1b1e400585aa

SHA512
4427fedf325a8a04107a7ede246517bad8891bc7d0a9ada3dddbced05b5c4161ef840721b364507048c626596d953a3b42a66bcd72af984e056ec555f849ed8e

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
889fa212736363c1ea6431b9430245e9

SHA1
35a517157926b9bd32a4ffb8c463bfed9cef4d10

SHA256
b18c412a08626dc378258b1973b295c2c4d41ccb616bf73c88c712aa6d2ea263

SHA512
dc317f43696010866ad06f57d7137264f5220ea4d3bd2aaba271c639a02ac2c7f194a13364cacfa45f6b585989054946d48276702ac4643c86f573253ccb7818

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
b57d8107c280fb5a3b509c5e98994743

SHA1
ebad9911cfd22d0a8d2dab0c80f2db299b000817

SHA256
60c0399abfe624626dcaeca34703b98657194874f698eccab211882bf2d839ca

SHA512
b3a4fb1ab4c633084469451e40d599eff076639a21cb82e77f023bb44595013348ac7bcd7269915562b5fe99d13171873241fac8d1ee7b39ea57f09458c22252

Download Submit
memory/1332-18-0x0000000005E40000-0x0000000005E41000-memory.dmp

Filesize
4KB

Download
memory/1332-1-0x0000000000870000-0x0000000001FA7000-memory.dmp

Filesize
23.2MB

Download
memory/1332-108-0x0000000008550000-0x0000000008551000-memory.dmp

Filesize
4KB

Download
memory/1332-246-0x0000000000870000-0x0000000001FA7000-memory.dmp

Filesize
23.2MB

Download
memory/1332-28-0x0000000000870000-0x0000000001FA7000-memory.dmp

Filesize
23.2MB

Download
memory/1332-3-0x0000000003DA0000-0x0000000003DA1000-memory.dmp

Filesize
4KB

Download
memory/1332-237-0x00000000075D0000-0x00000000075D1000-memory.dmp

Filesize
4KB

Download
memory/1332-194-0x0000000000870000-0x0000000001FA7000-memory.dmp

Filesize
23.2MB

Download
memory/1332-196-0x00000000075C0000-0x00000000075C1000-memory.dmp

Filesize
4KB

Download
memory/1332-17-0x0000000005E30000-0x0000000005E31000-memory.dmp

Filesize
4KB

Download
memory/1332-0-0x0000000000870000-0x0000000001FA7000-memory.dmp

Filesize
23.2MB

Download
memory/2412-20-0x0000000000870000-0x0000000001FA7000-memory.dmp

Filesize
23.2MB

Download
memory/2412-244-0x0000000000870000-0x0000000001FA7000-memory.dmp

Filesize
23.2MB

Download
memory/2412-33-0x00000000039C0000-0x00000000039C1000-memory.dmp

Filesize
4KB

Download
memory/4192-19-0x0000000000870000-0x0000000001FA7000-memory.dmp

Filesize
23.2MB

Download
memory/4192-31-0x00000000028F0000-0x00000000028F1000-memory.dmp

Filesize
4KB

Download
memory/4192-245-0x0000000000870000-0x0000000001FA7000-memory.dmp

Filesize
23.2MB

Download