55e4ce3fe726043070ecd7de5a74b2459ea8bed19ef2a36ce7884b2ab0863047

Analysis

max time kernel
1558s
max time network
1564s
platform
windows7_x64
resource
win7-20231215-ja
resource tags

arch:x64arch:x86image:win7-20231215-jalocale:ja-jpos:windows7-x64systemwindows
submitted
05-02-2024 03:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

AnyDesk.exe
Size

5.0MB
MD5

a21768190f3b9feae33aaef660cb7a83
SHA1

24780657328783ef50ae0964b23288e68841a421
SHA256

55e4ce3fe726043070ecd7de5a74b2459ea8bed19ef2a36ce7884b2ab0863047
SHA512

ca6da822072cb0d3797221e578780b19c8953e4207729a002a64a00ced134059c0ed21b02572c43924e4ba3930c0e88cd2cdb309259e3d0dcfb0c282f1832d62
SSDEEP

98304:NzTZ3cINQscs0m++LNkT6OpwDGUUH57yvZ/49Mr8EO3QhA9Kq:Nzt3cINQscNmvLCwDkHEvZ/4R79x

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AnyDesk.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	AnyDesk.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
2828	AnyDesk.exe
1172	AnyDesk.exe
2856	AnyDesk.exe

Suspicious use of FindShellTrayWindow 5 IoCs

pid	Process
2856	AnyDesk.exe
2856	AnyDesk.exe
2856	AnyDesk.exe
2856	AnyDesk.exe
2856	AnyDesk.exe

Suspicious use of SendNotifyMessage 5 IoCs

pid	Process
2856	AnyDesk.exe
2856	AnyDesk.exe
2856	AnyDesk.exe
2856	AnyDesk.exe
2856	AnyDesk.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1172 wrote to memory of 2828	1172	AnyDesk.exe	29
PID 1172 wrote to memory of 2828	1172	AnyDesk.exe	29
PID 1172 wrote to memory of 2828	1172	AnyDesk.exe	29
PID 1172 wrote to memory of 2828	1172	AnyDesk.exe	29
PID 1172 wrote to memory of 2856	1172	AnyDesk.exe	28
PID 1172 wrote to memory of 2856	1172	AnyDesk.exe	28
PID 1172 wrote to memory of 2856	1172	AnyDesk.exe	28
PID 1172 wrote to memory of 2856	1172	AnyDesk.exe	28

C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
"C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe"
1⤵
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1172
- C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
  "C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe" --local-control
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:2856
- C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
  "C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe" --local-service
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2828

C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
1⤵
PID:600

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{06622D85-6856-4460-8DE1-A81921B41C4B}
1⤵
PID:2356

C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
1⤵
PID:1604

C:\Windows\System32\control.exe
"C:\Windows\System32\control.exe" SYSTEM
1⤵
PID:1716

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{06622D85-6856-4460-8DE1-A81921B41C4B}
1⤵
PID:2068

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{06622D85-6856-4460-8DE1-A81921B41C4B}
1⤵
PID:644

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\gcapi.dll

Filesize
175KB

MD5
dab3d1d4240a05b86ceeb088fffb8790

SHA1
fc2c896d4b05f923ef068c389c3c93cc8aa73980

SHA256
d2a196f203af97c5500aa8b9ceea085f23746a75119d644facf1cfb8a4ac6eb5

SHA512
d1f265606c82b8f1761f7ad4104899e487814ae3a83c4012209b212060330fd2cdf39ab67be9864794ce8572d7fe5a6bc672073b224483cf5d33b2097e39087d

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace

Filesize
5KB

MD5
b82c0ad2fb6aa652a04a6f4c226c737f

SHA1
1e923d39b42ad566065bcc001da231ce3ff77155

SHA256
94977b58d4957a6c6113fe2f1cec183222335d3e8282cacd1742fc3453714cf5

SHA512
7e782fc6467ab0f6685f8258590c512f50b514c4fe88ebb5154559316a7d78187d7a965894f2b4dd061521998b3303b98d4aef08b75877e4ce1a9f59ca32ea8a

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace

Filesize
8KB

MD5
d0a1769570c73ae7bfb80ee536e4eea1

SHA1
08f3c2661c87985559777a1f2664d7fe6b9857a7

SHA256
e0da5f16d11168daf159ec4bb266b121ea1c0d40b8361f233f0a10f57156b507

SHA512
40a7d4b567b78894be695fb1133816d84009086480d581a97ebbfea894e66281fd9e3c264541af932320607baec7c933dfe6ce41dc4738e936e33affb686f065

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\service.conf

Filesize
2KB

MD5
8a4a132b1e3419424698deb81904b3fb

SHA1
100c4c999fe6e93bd12ee696759fe0f5f9a90f93

SHA256
5ed2ad612c543e95b3f9d91221106f32062601d1bf5c2f63d64ed65e9e555838

SHA512
95142ac21e013130212112b1abe5a449a0ba5b5931e986f0b3e6e870f33bba1dd0af17869ffd34e3a69d655338cae6c856888925dc28f52eaec430fe20cc9cde

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
612B

MD5
26aeaf58986f6a80fa02113a2ec736d8

SHA1
ff2fca4bd2658ee7ec2a792826f35c6e6d3f1e7a

SHA256
4a091dcbd4cea0a2326d7a0375a7cb22c14b0a1447b08c6f1b7fc3e6838cfc12

SHA512
c0eecb01cb5d166f27aa28baf31b8701ed65c359502b8ade427dabbebc3757c878ba44a8717883ecebf1d5185adfc7d6a13d06e70a95b23871e00f47791b33e5

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
676B

MD5
fcca188afbe6310dbcff901fc97885dc

SHA1
9888fb053e21ea718a0b2bd67b50575ac662996c

SHA256
f8fbc41c32f313f73dbf54ccc8109797a284efd1673b125b37a595754939e4ae

SHA512
df3d93d30574208152398eced53065176bb1938451be4818cc028cd22702d62eee0df0de7502c1e2bc7f48a3b3947f937ccc2ee3d7907d04b792ae71a52f658f

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
745B

MD5
52a1bdbe098d7acc44ff88545d4f727b

SHA1
98414b566007164266e9c41b43a7a264c84e5a67

SHA256
1d3fbce1a7b70d29b0b806dc06d90fc43cfff08f73487fbd88f9b3585530b8e8

SHA512
2da75031ff35e3ead8d65e921b3c0d8e198bd0388b7e0740f7a9e22fbb8fbd5fd5a9ffdfd80155645135e0ebd3079a8f1145f8f7035a8837c9f738698652fec5

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
424B

MD5
6b4307cbc13b8a49a5f2004a02e3215e

SHA1
5913f5643265ec37a3a8b3766e233a4cf81157a4

SHA256
125d55c5f6fb604798a23eef0279695e8a5efd966a3fc16fdd86f1f63803cbad

SHA512
5aa49047865f291c9335962212ca0f42b78a46decc65b90c96283464caa15c600dc5f541ac9114c022e1ed4816fd1e8e2d0f85e6a8a95a6ddf18417ecfd250da

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
424B

MD5
ff8fbc294d41e25474a0fad8b5e8cbb4

SHA1
649ddb53954726ac3046567cc416f71b7a3de8fa

SHA256
5f6ac939fff22efd0e148d779ee56bf9e6409870a5153254647f7ed3ded1298a

SHA512
47ff1d4ce1ab620f6e099e2221d65da1f61d121abae22a107270e0ba32e4ebff16244cf38283fe55835ebc54305064d0b823754e674354057f646ae6be94626b

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
f8e83f54e58effb8710005bc4e89ba61

SHA1
23c53f6ca9fa3cea87377d26a646b66446ac2f1e

SHA256
ae1666b773ab70d8b981dc4d3d0b469e50bfd26584fe91f7548b2607a40d806c

SHA512
e96b624adcce529166d4a0b84ce2fb75e29ec56d4908313287424c51bd07b78e6370e17e7e0425e88c4a318f189547667f88caf8af79307e5c8ea8351534d948

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
2KB

MD5
8e99154d52f6434c4bfb9ff2ebfd7c3d

SHA1
e35166f603f7e227119d7ce06d83c837e8662c31

SHA256
5de5cd22a8748d55b7194ba23155c642e0e7869694f56a5620d5e0f84d0d71b7

SHA512
e63f4a286cfbf970dc74e94eef960b42299abf55e454c5edc7c7d932d3a922485ee27c4fe23792d167ddfd4047fee52eb86920c41f016a8f496b47ba5f76132b

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
3KB

MD5
7a7353a5db615435f192e8244fdb8c64

SHA1
223407ca7e324b576a59c715a26fa41656c78903

SHA256
297bfb6a6b65618bf0e8dfe63ee9022060f53ac6dc8d41da4842ca033eafe775

SHA512
0e833926db861814b520f094bd798698d433185c208c1f07d137c39a211010a4fa79012ec5a88238a8814c0f07d39e76f90b53db8c7899f27ff79a2ed04e1182

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
3KB

MD5
032aea2d5c2558fe3ab77d7314f28144

SHA1
45439d43f9cc08f54f7f7f2428cc9a9571eb228c

SHA256
ddb35e2d9dc8eec951125a1999e4021f16ba76875b9efa0dc2ca9e1540306a6b

SHA512
b4ce10f2bb82bbe3a6adea7a46735e551562502411cf2ba3de309e8dac0f1fda2457096895ee63131622799ede0450a7d8287483897a056c503a6425640d3a2f

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
3KB

MD5
6c4b915421d8a54cf8d089543d043325

SHA1
107d0640212d0424368dd495f6862e58a0eed9bc

SHA256
cc9cf51f788978572c0f8d478fe44be6715bd7254a8ec565c172a93620a57373

SHA512
c6e79a61eddcc47c4312c39090a7bd02795945eaea22b126afdac4ec55ab7eb77ea3e02c79555bc4c6275b22ab7c2019d139f9f48c41aed13d27831523d98203

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
3KB

MD5
d466fd0fc33ddd114d01987f8ba8349d

SHA1
cfb56d9e4eb78bdea44b5a36b503b98884babec3

SHA256
0ece73f6c98f1c2ac08e174da036811c48cfea3fcfc0b8eb8e7862f6774c26f1

SHA512
626bd87ac3717205e535e20b7272826200edb315b765d4400b035217bcfa2804a01e14d0d3047c79039374534ee9171daf2517edfeb1fc367b122635f2293cc5

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
4fd2f21ed288a085df587c1b7ee09c15

SHA1
12360cf056d93fa8e4acf948581046cdb7c1b3bb

SHA256
80f07a1771ac62b0543a472c8d10963641f05164e85776901b2c79f36153bdd6

SHA512
de5c585cbb7e4fe647561e2696c1af24d8df0cace16a1127c96be33360bb044c9d8bfeebc446d09ad46402e96fe3fd294f12ede2815a4e159265bd84c95180fd

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
ac9d26719208a56ca80ae5d9e92aac76

SHA1
297ec3967d0eca4d08ef95da5a326b3ec7282451

SHA256
bf1167a053f19629df7f5812f5ef57b28db085c3469dd35a09a0eef95d6314a0

SHA512
e8dd00515f886ceea3933e287a7ac612d7e65dee913136c4f19c956ed079dadcedd3fffe6217c82800ad0b018af73ce817cee388392bbd3a74f17f58f7a06eb1

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
63f8fd74f3d8a8e2b41941615fa79645

SHA1
8c36cc65d6ac98d57bfe0f050ffe47a5a9c0282f

SHA256
9056822d675e62214b72815baf3e700515e5203a1401e6950187b4205d0de584

SHA512
bd15f8b8ec12f26fccba4086e9bd9e2e0f8c7376b15cfa5981916eabaeddc1096650684a91098656418b6371106f9bfb0cc8d58e9a237c0dfe3f0e5b5317f41a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\75fdacd8330bac18.customDestinations-ms

Filesize
3KB

MD5
207e60bc0a33b71f1d70c2599fc3b708

SHA1
473427d035f8cd9927c5e1e296daebc6bfefc16e

SHA256
86bb332082e33d6ab4be2b3371acc3b87f1d20d3154fe9425fb7fb4c4adcf816

SHA512
51b6da831e9d29301c7285fecf26470345ead1b101085bc9b6af713b996bed6f031b31754a7b8c60c43520d70ae7dd9278a3fa23877e3bccab6d3911a2d55c70

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\75fdacd8330bac18.customDestinations-ms~RFf77406a.TMP

Filesize
3KB

MD5
c285967d6d7b3d71d8111269c2da55f4

SHA1
c63aba433c6963308bb9fe12c004b221c1854289

SHA256
4e0f3fe74b1c336a55bf27364d0ff8baedce4f4a909b290c6e69cbcc6c0e0bf7

SHA512
b18fdb27a5b8df758e4fb078ac547d3bd72129e7e808b128937fc49463ef1f428f164a415c3c0873050f512285944a913bbbd9396c86cdd0cb673feeb513f70a

Download Submit
memory/1172-241-0x0000000005D70000-0x0000000005D71000-memory.dmp

Filesize
4KB

Download
memory/1172-249-0x00000000001B0000-0x00000000018E7000-memory.dmp

Filesize
23.2MB

Download
memory/1172-88-0x00000000001B0000-0x00000000018E7000-memory.dmp

Filesize
23.2MB

Download
memory/1172-242-0x0000000005D60000-0x0000000005D61000-memory.dmp

Filesize
4KB

Download
memory/1172-135-0x0000000004CB0000-0x0000000004CB1000-memory.dmp

Filesize
4KB

Download
memory/1172-240-0x0000000004D00000-0x0000000004D01000-memory.dmp

Filesize
4KB

Download
memory/1172-136-0x00000000001B0000-0x00000000018E7000-memory.dmp

Filesize
23.2MB

Download
memory/1172-0-0x00000000001B0000-0x00000000018E7000-memory.dmp

Filesize
23.2MB

Download
memory/1172-30-0x00000000001B0000-0x00000000018E7000-memory.dmp

Filesize
23.2MB

Download
memory/1172-235-0x00000000001B0000-0x00000000018E7000-memory.dmp

Filesize
23.2MB

Download
memory/1172-26-0x0000000003730000-0x0000000003731000-memory.dmp

Filesize
4KB

Download
memory/1172-22-0x00000000037A0000-0x00000000037A1000-memory.dmp

Filesize
4KB

Download
memory/1172-272-0x00000000001B0000-0x00000000018E7000-memory.dmp

Filesize
23.2MB

Download
memory/1172-220-0x0000000004340000-0x0000000004341000-memory.dmp

Filesize
4KB

Download
memory/1172-4-0x0000000000160000-0x0000000000161000-memory.dmp

Filesize
4KB

Download
memory/1172-1-0x00000000001B0000-0x00000000018E7000-memory.dmp

Filesize
23.2MB

Download
memory/2828-39-0x00000000001B0000-0x00000000018E7000-memory.dmp

Filesize
23.2MB

Download
memory/2828-28-0x0000000000140000-0x0000000000141000-memory.dmp

Filesize
4KB

Download
memory/2828-12-0x00000000001B0000-0x00000000018E7000-memory.dmp

Filesize
23.2MB

Download
memory/2828-145-0x00000000001B0000-0x00000000018E7000-memory.dmp

Filesize
23.2MB

Download
memory/2828-236-0x00000000001B0000-0x00000000018E7000-memory.dmp

Filesize
23.2MB

Download
memory/2828-98-0x00000000001B0000-0x00000000018E7000-memory.dmp

Filesize
23.2MB

Download
memory/2828-278-0x00000000001B0000-0x00000000018E7000-memory.dmp

Filesize
23.2MB

Download
memory/2828-273-0x00000000001B0000-0x00000000018E7000-memory.dmp

Filesize
23.2MB

Download
memory/2828-53-0x00000000001B0000-0x00000000018E7000-memory.dmp

Filesize
23.2MB

Download
memory/2856-121-0x00000000001B0000-0x00000000018E7000-memory.dmp

Filesize
23.2MB

Download
memory/2856-40-0x00000000001B0000-0x00000000018E7000-memory.dmp

Filesize
23.2MB

Download
memory/2856-19-0x00000000001B0000-0x00000000018E7000-memory.dmp

Filesize
23.2MB

Download
memory/2856-60-0x00000000001B0000-0x00000000018E7000-memory.dmp

Filesize
23.2MB

Download
memory/2856-87-0x0000000001AA0000-0x0000000001AA1000-memory.dmp

Filesize
4KB

Download
memory/2856-283-0x00000000001B0000-0x00000000018E7000-memory.dmp

Filesize
23.2MB

Download
memory/2856-237-0x00000000001B0000-0x00000000018E7000-memory.dmp

Filesize
23.2MB

Download