55e4ce3fe726043070ecd7de5a74b2459ea8bed19ef2a36ce7884b2ab0863047

Resubmissions

06/02/2024, 14:17

240206-rl1p2safgk 1

06/02/2024, 14:09

240206-rgf5vagge6 3

Analysis

max time kernel
144s
max time network
156s
platform
windows11-21h2_x64
resource
win11-20231215-en
resource tags

arch:x64arch:x86image:win11-20231215-enlocale:en-usos:windows11-21h2-x64system
submitted
06/02/2024, 14:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

AnyDesk.exe
Size

5.0MB
MD5

a21768190f3b9feae33aaef660cb7a83
SHA1

24780657328783ef50ae0964b23288e68841a421
SHA256

55e4ce3fe726043070ecd7de5a74b2459ea8bed19ef2a36ce7884b2ab0863047
SHA512

ca6da822072cb0d3797221e578780b19c8953e4207729a002a64a00ced134059c0ed21b02572c43924e4ba3930c0e88cd2cdb309259e3d0dcfb0c282f1832d62
SSDEEP

98304:NzTZ3cINQscs0m++LNkT6OpwDGUUH57yvZ/49Mr8EO3QhA9Kq:Nzt3cINQscNmvLCwDkHEvZ/4R79x

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AnyDesk.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	AnyDesk.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2844	AnyDesk.exe
2844	AnyDesk.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
2120	AnyDesk.exe
2120	AnyDesk.exe
2120	AnyDesk.exe

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
2120	AnyDesk.exe
2120	AnyDesk.exe
2120	AnyDesk.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 3108 wrote to memory of 2844	3108	AnyDesk.exe	77
PID 3108 wrote to memory of 2844	3108	AnyDesk.exe	77
PID 3108 wrote to memory of 2844	3108	AnyDesk.exe	77
PID 3108 wrote to memory of 2120	3108	AnyDesk.exe	76
PID 3108 wrote to memory of 2120	3108	AnyDesk.exe	76
PID 3108 wrote to memory of 2120	3108	AnyDesk.exe	76

C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
"C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe"
1⤵
- Checks processor information in registry
- Suspicious use of WriteProcessMemory
PID:3108
- C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
  "C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe" --local-control
  2⤵
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:2120
- C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
  "C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe" --local-service
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2844

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\gcapi.dll

Filesize
385KB

MD5
1ce7d5a1566c8c449d0f6772a8c27900

SHA1
60854185f6338e1bfc7497fd41aa44c5c00d8f85

SHA256
73170761d6776c0debacfbbc61b6988cb8270a20174bf5c049768a264bb8ffaf

SHA512
7e3411be8614170ae91db1626c452997dc6db663d79130872a124af982ee1d457cefba00abd7f5269adce3052403be31238aecc3934c7379d224cb792d519753

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace

Filesize
10KB

MD5
effac5cea5b093309637d5f0f1d5d53e

SHA1
bcbb34f063ebbde885ac24edb28978c1c644c620

SHA256
b19b3b160236454f029fa71f16187de38033933fb9c257b7ba27132b232a6438

SHA512
12d143a52a9abf1663ae99152032aff8268083fb1f7e2ed962e0cb9029c59d366e4419f431d67dcc219484550720e8e2b498ece546ca31284d7bec2a18e0cc71

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\service.conf

Filesize
2KB

MD5
5309332b692f03dc74e178ccad34cc22

SHA1
fe8b5103143a3be172242db4ab777ead9ab60ea7

SHA256
f4a18f84f89716d45513601f384f6f964fe23a2c3722df808fba719ded8fcbb1

SHA512
244175bcad30da0dfe3e2cb087446d5ed79875a5b5847c6da68bea64cb6c85e69c32f7e8688dcd9f536436361a7f41c805812598b99838369bd2a6923b9397de

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\service.conf

Filesize
2KB

MD5
4e6af13cff8f41539262e83a75b5d11b

SHA1
142bf452a7f06255a916e101c887f9063ee13059

SHA256
8335c5814c93ae1280e94e3d9252c31975d0394cbcfbb24fa5efbda463a27ecf

SHA512
75578aa3cf96fc7352f96570f6a07dc774c598d29f802add67154c73e779edef6f1029b67f3f5ead472c67b41835687e608b3e0fa8f2d8d3b56038e186db05e2

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
681B

MD5
350e5c8e0f220d0e978806b6e8835dac

SHA1
cf77247c7c106f421993f9855ed776e3639d3e85

SHA256
bd78e38c1de303fbe90629f70151b3a673c1dcd2c135a504ef177fbd7cc12f0a

SHA512
295f192e25f34c9ce2443b2421a9cb05717baf03f324397fdb958094b920f24ec02d2f7c1d7ba45c5a4940ae0b4f052da0169237b48c579de29c7f329bb953ae

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
802B

MD5
b4791b9026cea0b7f5c9f98941b3a29f

SHA1
c246720688833d989159af35ff8a7815e29bdaa8

SHA256
6c578c9fcf94c6f4eb597fa79130cf6eff90bab60f04add6d72c0987fc45757a

SHA512
e98f0cd038618e1b205339bc4d401c6884fccd6d477fda27b99216f391a510aaa7786bac77dc50a7e946c8b252070a5310eb194e0ec5d2213cb8b687716c5ebc

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
312B

MD5
0c04ad1083dc5c7c45e3ee2cd344ae38

SHA1
f1cf190f8ca93000e56d49732e9e827e2554c46f

SHA256
6452273c017db7cbe0ffc5b109bbf3f8d3282fb91bfa3c5eabc4fb8f1fc98cb0

SHA512
6c414b39bbc1f1f08446c6c6da6f6e1ceb9303bbf183ae279c872d91641ea8d67ec5e5c4e0824da3837eca73ec29fe70e92b72c09458c8ce50fa6f08791d1492

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
424B

MD5
94128cd461bc0abb6800d4f0523e5ed3

SHA1
6dfb40ec9d5ce47831d19deba7697e3d3016a590

SHA256
fc14a02c0127e6ab9bc106d324e7c9af23fd5c8b2d2f3dfe6fee59e92b2de171

SHA512
77e1dd44e7c0491135971e2f7ee4df0ab8cc7b79ba5bcdae99b5537a245e8ce9c65bb4f82f5dfcf394421f053161289b71fe471c9f06f608a5e2c2c6413c50a9

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
424B

MD5
09c948bb35de2d88e526c7fa3053aded

SHA1
dbb0870cdd0538a8f4d9dbb454469881410fd81e

SHA256
2c06ce8e6d38b71adf7065fc908f0965afd728610698dee48fd30c28c5920e93

SHA512
20d225757814ca6da35be849f2f273886b54f240eec41c00844298bda20953cbb18ec4bb4cbf58fe3f52c16bea9b50a58151af46b3de5c4cb0dcd6ebb6bc8427

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
2KB

MD5
bf9dea02568d4b429ab97390e249def0

SHA1
d6f1c728fe5ceaf618232e20c259603d7ab0cacb

SHA256
08d4bba62d4651d231dc3becd91b647b655a0ff36e9587859c152af702d12a9d

SHA512
0352d45910cda29a0342aff200ea10f1f8a8aeab91b09ec98a2db1cc00cfb6b273c213ade0043e763d18c42598ee7ea18e6f3ca456264d77aff9d8f7f78309ea

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
3KB

MD5
9280e2dc846c9959914021155cfbe06b

SHA1
0909a7ba6d44c4a5a8463dfb7059624555c49c82

SHA256
1858d39af5c0d4f5581237a6e5c7e999b909d28ce5e5d5e55d96a054a729b286

SHA512
9fa60bb0b0ce8d631453d2539b605fbcc7bda8435d07a829a786830bad8e784a340e4485ef95c9aa79a499000ebd8ff10803d5dcc1fb694ef1ee03169de180b8

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
5be6d47116c6e6686c05b74b98095699

SHA1
99747d6e03c881ef2411928ccc2c29c643f2c1b8

SHA256
28add08d9460d00e6a28ea0eca1892fe1438264c6695776695ec687b8e136723

SHA512
fcc5550afbc59f359ce066939a2fe79ffab6e9f293cf5a27853ed4d30f4697b795e322cf71784cd5205257576913ec7df0c7003bef73559670cb1513bb875140

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
6KB

MD5
d341adc8233dea6db5ecbc16142ef0b2

SHA1
8d5aea7e10704c1b66aa092e72dc385e9789d86e

SHA256
4cd2e377360a9a698958744b8598d21ea1f2f4c5014709a482f06615e977320b

SHA512
49211383efdf9aeb6b2ea42120ddbee070765902fc7d784b82379138426957fc51b3a75ff494e173d1520c3152ec71aaf4422d8afa35a6d9f1c6a5cc0d4a6a1e

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
6KB

MD5
61f66be4bcc13016b5a2f129b8ce1cd4

SHA1
10140ea520e77b62f266fd4d232c8df50c3273a4

SHA256
c48a9ec62f623c79ce6c60a9366f0886818aea0551303db1465e628315fc8ced

SHA512
6caace25ac74a277ed1dbe9101a48b445283e593816743909617f9330c582fb6ac01e1c9f2c3146a05b7341b521cb1871381d439e41bf5bdf796a4ca861ee2f1

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
55d0ed21d9e86d4d40be3f84cb3058d8

SHA1
17f4a9a3dd2e8303e9afad2aba17a330ecda55e6

SHA256
8e8c1a60595040e7f90ae19dd2adb88bc5b85c9383d8252f553933c3d4fb8a95

SHA512
0c9ee13725d79aad56d53c33f5c772d22a79c726bae010a3b3ac4d02efd8d81559e96c751c2bf9bd9a41c0f68708839ce776d6691aa82bb5b82ae6494f79a6c6

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
f6febd467a035640eeb7813a5db97ce4

SHA1
f6b56487163d1d8d7f614e94c5c8d342c438acc0

SHA256
a0e12f9f6fdd3429b0064528c5fa7be01d23395dccbcda96b4ea26a5c08f8464

SHA512
dd30172b7c51fb8a8e9471361d769aae81a2f72919767de903d25a3a0b8b5d9da9154ebbf165f23894866bbfcee2b0e41becf81015940493f6d7b56dcab06e26

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
08b47f1f4b11c4e22309bbb37720e62b

SHA1
872a3598a68b24201dbd5bc169afc02eafc21f5c

SHA256
ace1be19b67a79cb11f3c352c21f6d30c125e2c4fbdc82b8aca33fc72c52d7ee

SHA512
b0d87edc16792ed10266df646e0cf34e59883627fa3bd46ca0871be8fa08b14349140f1cc0e61d4e4c8e79197f805462cd90b934b013a3a4d1ffd3219fafb7ec

Download Submit
memory/2120-29-0x00000000045A0000-0x00000000045A1000-memory.dmp

Filesize
4KB

Download
memory/2120-238-0x0000000000EB0000-0x00000000025E7000-memory.dmp

Filesize
23.2MB

Download
memory/2120-13-0x0000000000EB0000-0x00000000025E7000-memory.dmp

Filesize
23.2MB

Download
memory/2120-11-0x0000000000EB0000-0x00000000025E7000-memory.dmp

Filesize
23.2MB

Download
memory/2844-12-0x0000000000EB0000-0x00000000025E7000-memory.dmp

Filesize
23.2MB

Download
memory/2844-32-0x0000000002C10000-0x0000000002C11000-memory.dmp

Filesize
4KB

Download
memory/2844-237-0x0000000000EB0000-0x00000000025E7000-memory.dmp

Filesize
23.2MB

Download
memory/3108-23-0x0000000005EB0000-0x0000000005EB1000-memory.dmp

Filesize
4KB

Download
memory/3108-21-0x0000000005EA0000-0x0000000005EA1000-memory.dmp

Filesize
4KB

Download
memory/3108-0-0x0000000000EB0000-0x00000000025E7000-memory.dmp

Filesize
23.2MB

Download
memory/3108-85-0x0000000007570000-0x0000000007571000-memory.dmp

Filesize
4KB

Download
memory/3108-3-0x0000000000E60000-0x0000000000E61000-memory.dmp

Filesize
4KB

Download
memory/3108-1-0x0000000000EB0000-0x00000000025E7000-memory.dmp

Filesize
23.2MB

Download
memory/3108-235-0x0000000007580000-0x0000000007581000-memory.dmp

Filesize
4KB

Download
memory/3108-236-0x0000000000EB0000-0x00000000025E7000-memory.dmp

Filesize
23.2MB

Download
memory/3108-84-0x0000000007CB0000-0x0000000007CB1000-memory.dmp

Filesize
4KB

Download