55e4ce3fe726043070ecd7de5a74b2459ea8bed19ef2a36ce7884b2ab0863047

Resubmissions

05/02/2024, 12:32

240205-pqz8zafga4 10

05/02/2024, 12:25

240205-plsckahfgj 3

05/02/2024, 12:24

240205-plefpshffk 7

Analysis

max time kernel
142s
max time network
146s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
05/02/2024, 12:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

AnyDesk.exe
Size

5.0MB
MD5

a21768190f3b9feae33aaef660cb7a83
SHA1

24780657328783ef50ae0964b23288e68841a421
SHA256

55e4ce3fe726043070ecd7de5a74b2459ea8bed19ef2a36ce7884b2ab0863047
SHA512

ca6da822072cb0d3797221e578780b19c8953e4207729a002a64a00ced134059c0ed21b02572c43924e4ba3930c0e88cd2cdb309259e3d0dcfb0c282f1832d62
SSDEEP

98304:NzTZ3cINQscs0m++LNkT6OpwDGUUH57yvZ/49Mr8EO3QhA9Kq:Nzt3cINQscNmvLCwDkHEvZ/4R79x

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AnyDesk.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	AnyDesk.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4116	AnyDesk.exe
4116	AnyDesk.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
3436	AnyDesk.exe
3436	AnyDesk.exe
3436	AnyDesk.exe

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
3436	AnyDesk.exe
3436	AnyDesk.exe
3436	AnyDesk.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2704 wrote to memory of 4116	2704	AnyDesk.exe	85
PID 2704 wrote to memory of 4116	2704	AnyDesk.exe	85
PID 2704 wrote to memory of 4116	2704	AnyDesk.exe	85
PID 2704 wrote to memory of 3436	2704	AnyDesk.exe	84
PID 2704 wrote to memory of 3436	2704	AnyDesk.exe	84
PID 2704 wrote to memory of 3436	2704	AnyDesk.exe	84

C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
"C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe"
1⤵
- Checks processor information in registry
- Suspicious use of WriteProcessMemory
PID:2704
- C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
  "C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe" --local-control
  2⤵
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:3436
- C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
  "C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe" --local-service
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4116

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\gcapi.dll

Filesize
385KB

MD5
1ce7d5a1566c8c449d0f6772a8c27900

SHA1
60854185f6338e1bfc7497fd41aa44c5c00d8f85

SHA256
73170761d6776c0debacfbbc61b6988cb8270a20174bf5c049768a264bb8ffaf

SHA512
7e3411be8614170ae91db1626c452997dc6db663d79130872a124af982ee1d457cefba00abd7f5269adce3052403be31238aecc3934c7379d224cb792d519753

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace

Filesize
6KB

MD5
d6cea3e17669b9ba63d23c2c2dc85a4f

SHA1
2d8341144e35e2f1aa12290fd210c6ee5b5cf2bc

SHA256
bee582cf3cbadc233275eac3d3e8d28971f5d95f4b294712af0ef07b0bfb428b

SHA512
a7e7bd4f21867d307bf966fc47d2a3c4d6c190f72a98402a930d9581d2ca252fdfdf5fcee6f344fb4bae9322b0992015266b8a7810b68d8401190ad1a30d0e63

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace

Filesize
6KB

MD5
7bcb547ea0802d4d54ee4088f54514f9

SHA1
4614f871fa1763fb395cc9a36aa339d997214d7c

SHA256
a2f146d7e32888631328913238cf5b444cde2d2a255e5f08570718ddfec0b023

SHA512
10b5539779d932869673870c86e35e09fbfb9347e5cfd747b7ed91d20e32febdf4a6452ba59471dbcb783d2c0e97d3de6a2e1c52f15f52d68c42234fff539d8b

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\service.conf

Filesize
2KB

MD5
2dbc1f8b76057f683cb3bdb9be414624

SHA1
44ffa55bb33009da6f482c868e83093f591b0dc9

SHA256
cc342b22debe3e0e06f479864451172ceb6530efc0d67f55da2e7107bb39023f

SHA512
4e34a300754ebc21ceec5ea393e462171030977adf9b83e7590924d8a10e44e8598375e94ec835cdcb5e835d7135eae760dea8e04e919c046cbaaa533efceea6

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\service.conf

Filesize
2KB

MD5
b0ec9797b0a94bc496a7652a13b96c37

SHA1
fa726c6f9a24c5bc94a2617c1c997e812844f489

SHA256
74bf19689827f286fa43d997d7bfcf906e8e1ef190708d1142c0d9abba130999

SHA512
dd6d8cf2443200f78c4dc185715d9c49c0cfc1c04eea9756cc620c605d685fcac3c3f328b19fc0f4223f35e97bc79a15c3d393998da65b576612488a2be6ade8

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
681B

MD5
dfc4731587b918f247ac8a5b1f3932a8

SHA1
d7b382b32f52d2e9238656b1e0b02913316949b0

SHA256
fa5d8fea2ac07a957ada9d611d84a546f130d8d7697e988952daf4ecaa1cf9ca

SHA512
f44d241262e26157af8e4b3505a366e7f54ad7b6f89360059996c91718d55bbc2bfcee2c4a1ea6b32dbf8936d49405bc6d03cfe684a2f61482afcbb52a2f2b57

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
802B

MD5
99c9cd49f95d86f5c97b03cabb4e2221

SHA1
d1e7b9776b802a7e4de387231b934b88a9178e06

SHA256
992c731309cf2872bca767f1d25329fe69953c58fa222d132ad0e124e4c8e396

SHA512
4822ae7d24bf94bf4b959cc68d0719f2086cb088e2e2eb2041419e2a8c710843611302bd7e2b93974b8df499758da945b152038b212e439c0191a5457cd89da9

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
312B

MD5
0c04ad1083dc5c7c45e3ee2cd344ae38

SHA1
f1cf190f8ca93000e56d49732e9e827e2554c46f

SHA256
6452273c017db7cbe0ffc5b109bbf3f8d3282fb91bfa3c5eabc4fb8f1fc98cb0

SHA512
6c414b39bbc1f1f08446c6c6da6f6e1ceb9303bbf183ae279c872d91641ea8d67ec5e5c4e0824da3837eca73ec29fe70e92b72c09458c8ce50fa6f08791d1492

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
424B

MD5
4f7cc85411800b8a8feff488dbef5ee2

SHA1
55e10115023992cbc06537823f7f9695ed5d96d1

SHA256
0287b65b9e144bd0b1632242dc4bb408f96d1286b8285431fdd095144e44094c

SHA512
8753b0bc9fd6a1864a9ad789e9fa8e31461d14ee1a3f88f817d800e7929c0b6d0920c981894ef93be1d37667d7c09f7269bd10c06da000b5ace5b324e4e9e721

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
424B

MD5
b7b00a21a0bfc5d0c550c83c9b13ce7a

SHA1
f2851f0a8a23363f3da48191ee80d51c0c9f925e

SHA256
f414fd0f1c27aebe8318c6dc988243a7c558d48f6bd49fc274c0a840c6205fae

SHA512
2c00f5be9b5bda7920b33a1708d7e713ad76b7ea76d23a59b19f0f409461709e7cf1ea5991e25a707a0e1e98c179e13f4694fb953bbc21c339af7ee5e0c9d5a6

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
038bedda2ce4a572ede0049070dcaedb

SHA1
c19e9272f162a13f443597ef21dd752f22109aa7

SHA256
a4afe3238ff5950faf87672733adb535fdc559c018e9b10be530a360ccfd75d2

SHA512
d9ea411cb4346278b0f4eb0fabae487af3b424d3ff5bc11ef765aa05712aebf682230f458eeacc19c4f5daa9655fc3d82697ecfa55ae058261b188debc2d699a

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
2KB

MD5
a062c29b919701ca48ca67e03ca33d70

SHA1
e4da0298cd291eb13aa08430a2c68e46ec3dd250

SHA256
c8b1c030ff88519d91c0a72826bbdf48d168e4f023c6f4296433bc3ee77e31f5

SHA512
8da846549cd30e04a1115d5a45303dc53f41b4905ba70ccf13805bfe347254d1d1c56b1951b6d1426de512d5167fedfa8bdf44635d0e8bfe5636bcfd45c8a925

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
3KB

MD5
661a8f0038185b066d0338cff15c5ff7

SHA1
a955435636044c90c361a5a81fa2d1197b32221c

SHA256
19a53bbb21996022609a498376e04a6619409a440564066bc306c2cc40154eb4

SHA512
31feb37059498531787001479e1ff742b1d6ab4b58cc4e6339d749611ba5bf516617c6ee48ca79d499ac0cf9d246132531ed36afcfb789e21a77e07647d47299

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
3KB

MD5
5644d4c07b5b4f933a70775ba7e35ad1

SHA1
9e927a1cc2b8ee0291c9990cbcb91204ccb1298e

SHA256
d3d9417178f09d51214c0df78277327259fff54085d439bea64d429c4cde072e

SHA512
c861390a03bc5e7d95271bc177189e151e88b211b2342495cb045c9f66227bdd0569fdb2389fd49db9166a4d5def5e74f5000fb18c4e16a8b8e52c438960ed41

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
3KB

MD5
47bde1413b81b272403156524416e819

SHA1
2691a6740aef62e422dbe44f189313badfafb7e9

SHA256
ee905ba3e5fd456421c3d1ea989bcdf2c9e5eb77df157460f7edb41d7c38d784

SHA512
3ac855032678adff440860f81b0932fdde879559f754953ac4cc7a0cdd31d6534f8f47011ae67af1f863d7d954fdf22466d037e6eb3febd22df74087d4e68df9

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
6KB

MD5
01fdf39e3a6fb71d5f14cf8df2242688

SHA1
357d5ae48be829835b920ed097263a34562e5632

SHA256
d5e7b95466df4942075b429b156057bad5aff42089e694d4ad2c44fd1ead09ea

SHA512
e5b0ac60a6dc9db46c9a8197f989d92076d831ec39ced4d240035ec561866d5a3a784a4acc88593a2ea88c635833a05459e2791c081f780b3c0c53bdb79a1f85

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
6KB

MD5
3ebc7f4cdb08abd4d7cb1adbac34d84a

SHA1
644576fba020cc4728d3cfcfd3aa7e18edf476f6

SHA256
bc3bf94b1a8e6761e74c4f7acce324e163da0c71834b1eca9f439900f55a6ae8

SHA512
65598bd06b494ad6982270c2975588a937067d9ad2d8165c7f007c20b9f29689f71d533102cb57af9f323d4fbe5bff5d0c01921ab72ac4b37484bb63169c3c47

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
6KB

MD5
a16d1b5e0f195109f5efc992f8e434b1

SHA1
f692949838e183b02db0d6ea9900cd7624890a7c

SHA256
b45a59788f654eae6f5d9e451ddb02dce0a17e9ef7684502b0b11cef6598c589

SHA512
6bc1790520c4d2a43d7f190a87449115fac8ca0da9125a656c986f6de915f8af0c4779fef5d25153604e7b1b9e87718485c6372a1096f7d82727a0207d82fd4e

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
6KB

MD5
3d30ae3cf3ceee25f1a88308d6ec4eff

SHA1
c66ade7ee2580e3e3460497cf4dbb7f7df39096e

SHA256
37d363a9e6e41dc1b20c7472f2f375515d99157eafa87ff3a0b3749c7fbe383d

SHA512
48711c42deec40d36d68013bd26b0e7aad3f5b0d75ce2b8c872ec0927cd438e55010ada130e3518ffa45b804cb94fd6059614ccabddaa47f45b5398b88e807bf

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
531b33bcf8ae88ef701642296d028559

SHA1
bd254f16316611244845deca37874837710aeb0a

SHA256
172cb6339f92c0e0e5469e7b243e57ea0de5b66977f2690a3b28967978a4cfea

SHA512
fb7687777c5ce1407d50f429e68b55eb667f327a5932ea8e2a6b13bda0bba757624390fa6eb44e138a756b416c3c676471eb0114ec1c9c809ceaeb28f2febc1e

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
ff1afff07e691b19311b88bb942b2909

SHA1
2411f158b059f172b4b77f9409efdfe9e2be504c

SHA256
3253c874d0e3e57580a48643d0f1c4705a6f65b67487d777c0859616f2a529cd

SHA512
425a7825c2030645189cd2320bf610546082a5ea61307d1489b2f9401ea71704e0bfa690c940703c5be79732fb7d1afc70866233a5e0006406392293f7dc213c

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
e6897363dd11207d8af62ea6a0497cd6

SHA1
cf3c477370d4d11c7b835758bb261be644698920

SHA256
025d5bb30d23c06dadaa067ac5d6363b09e34d661c9d77c8383786d46cf57e6f

SHA512
a1c457766bfe85f2653ef57ed249b4ab2a83a2a7acafa638b7d293ad0e374b8697ca0092e5460049b5e4cf278974eae47987ec6c5714843e87346b156571873e

Download Submit
memory/2704-86-0x0000000008B50000-0x0000000008B51000-memory.dmp

Filesize
4KB

Download
memory/2704-31-0x0000000006430000-0x0000000006431000-memory.dmp

Filesize
4KB

Download
memory/2704-244-0x0000000000DE0000-0x0000000002517000-memory.dmp

Filesize
23.2MB

Download
memory/2704-1-0x0000000000DE0000-0x0000000002517000-memory.dmp

Filesize
23.2MB

Download
memory/2704-0-0x0000000000DE0000-0x0000000002517000-memory.dmp

Filesize
23.2MB

Download
memory/2704-233-0x0000000007BD0000-0x0000000007BD1000-memory.dmp

Filesize
4KB

Download
memory/2704-89-0x0000000007BC0000-0x0000000007BC1000-memory.dmp

Filesize
4KB

Download
memory/2704-32-0x0000000006440000-0x0000000006441000-memory.dmp

Filesize
4KB

Download
memory/2704-4-0x0000000002800000-0x0000000002801000-memory.dmp

Filesize
4KB

Download
memory/3436-33-0x0000000000A00000-0x0000000000A01000-memory.dmp

Filesize
4KB

Download
memory/3436-12-0x0000000000DE0000-0x0000000002517000-memory.dmp

Filesize
23.2MB

Download
memory/3436-13-0x0000000000DE0000-0x0000000002517000-memory.dmp

Filesize
23.2MB

Download
memory/3436-246-0x0000000000DE0000-0x0000000002517000-memory.dmp

Filesize
23.2MB

Download
memory/4116-11-0x0000000000DE0000-0x0000000002517000-memory.dmp

Filesize
23.2MB

Download
memory/4116-30-0x0000000002C40000-0x0000000002C41000-memory.dmp

Filesize
4KB

Download
memory/4116-245-0x0000000000DE0000-0x0000000002517000-memory.dmp

Filesize
23.2MB

Download