55e4ce3fe726043070ecd7de5a74b2459ea8bed19ef2a36ce7884b2ab0863047

Resubmissions

06/02/2024, 17:36

240206-v6qx5acbc3 3

06/02/2024, 17:32

240206-v4lkmacaf3 1

Analysis

max time kernel
1792s
max time network
1792s
platform
windows10-2004_x64
resource
win10v2004-20231222-en
resource tags

arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
submitted
06/02/2024, 17:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

AnyDesk.exe
Size

5.0MB
MD5

a21768190f3b9feae33aaef660cb7a83
SHA1

24780657328783ef50ae0964b23288e68841a421
SHA256

55e4ce3fe726043070ecd7de5a74b2459ea8bed19ef2a36ce7884b2ab0863047
SHA512

ca6da822072cb0d3797221e578780b19c8953e4207729a002a64a00ced134059c0ed21b02572c43924e4ba3930c0e88cd2cdb309259e3d0dcfb0c282f1832d62
SSDEEP

98304:NzTZ3cINQscs0m++LNkT6OpwDGUUH57yvZ/49Mr8EO3QhA9Kq:Nzt3cINQscNmvLCwDkHEvZ/4R79x

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AnyDesk.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	AnyDesk.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2908	AnyDesk.exe
2908	AnyDesk.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
2064	AnyDesk.exe
2064	AnyDesk.exe
2064	AnyDesk.exe

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
2064	AnyDesk.exe
2064	AnyDesk.exe
2064	AnyDesk.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2680 wrote to memory of 2908	2680	AnyDesk.exe	86
PID 2680 wrote to memory of 2908	2680	AnyDesk.exe	86
PID 2680 wrote to memory of 2908	2680	AnyDesk.exe	86
PID 2680 wrote to memory of 2064	2680	AnyDesk.exe	85
PID 2680 wrote to memory of 2064	2680	AnyDesk.exe	85
PID 2680 wrote to memory of 2064	2680	AnyDesk.exe	85

C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
"C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe"
1⤵
- Checks processor information in registry
- Suspicious use of WriteProcessMemory
PID:2680
- C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
  "C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe" --local-control
  2⤵
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:2064
- C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
  "C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe" --local-service
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2908

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\gcapi.dll

Filesize
385KB

MD5
1ce7d5a1566c8c449d0f6772a8c27900

SHA1
60854185f6338e1bfc7497fd41aa44c5c00d8f85

SHA256
73170761d6776c0debacfbbc61b6988cb8270a20174bf5c049768a264bb8ffaf

SHA512
7e3411be8614170ae91db1626c452997dc6db663d79130872a124af982ee1d457cefba00abd7f5269adce3052403be31238aecc3934c7379d224cb792d519753

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace

Filesize
9KB

MD5
c99b4d4f39182522ba0ffd1b6d99367e

SHA1
b5dca9dce1b8f14b88ce068c28541e2fc2c92134

SHA256
2953c053104f98a13a953457aa0b88c31794173d64c3adca1a3cec169e54692f

SHA512
4cabf62b682531a06c53e6a8776867a24a57e486aaf25cf8f8155d8b951bbd6770be4eb26e41a87d8ea59410ef7e1ae3cd456ae4c4506f138fbffc5cd319429b

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\service.conf

Filesize
2KB

MD5
0349967ad8f2a51db4b019bcbc25dde3

SHA1
f7fdf453c4df1b793850990be280272aa4bb537b

SHA256
122b3e7cb115f86ddaac894f9f9e143fd2caafdbe0a96b2ea40f04eb56ac2d14

SHA512
f768a705278835f9175a0f1843ba470c2f7387312e607f399fea1a32ec21a9ca3298be84ac4030da05cca1bd20303cc8f70ccd6b79b54647eacd47e0d9d4146d

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\service.conf

Filesize
2KB

MD5
04f46b66374faa0ef3f60a381290373b

SHA1
57297d614b2697aad1fd9aea694b77d009fe3813

SHA256
788c850128e6ecaa4dcc5f17203f80002ff81fedca7b2ae475f28031fcac6f56

SHA512
212b2b331df184107af9e3ff6b0da676b002f1fcb0b13b1292fc06ac1457a482032adaaa9c01302e9a323cab419ed67214bcab54e62e69c52ff700cb4cd36671

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
681B

MD5
890f8dfc07eff4d08effe89b9f983491

SHA1
18977a562fb61cd645aecfeece16b3b82f0c1a51

SHA256
1d9cab518d98e2071ce37e9028895e2a69e81352b0fdf41f32e35d025daee47d

SHA512
21b69bad2bbdd1125d411196bea0c613231d66fddddc6164535a1e80ecb1e84a494e9fc5e776b8e65c821d6229ea6e08630ead1faf9e7d47d082e705d45ecbd0

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
802B

MD5
1d3c88caaeace7a63ee56eaf50229995

SHA1
600ba5c941d549c51660e166334487e8f49a9b4c

SHA256
3d396e60658e5f6fbc72cf1bbcb435952190e68dc0c7917d3f65aa111a80ff27

SHA512
6ca97eed4e8aeaaf35a1ef099051b062ec20590ecacf19229a59cbdf9a3c94668a9d3e163fe901a22da9ff8b9d538ff3d1a1e79a46b1855d30617914d6e22b08

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
312B

MD5
0c04ad1083dc5c7c45e3ee2cd344ae38

SHA1
f1cf190f8ca93000e56d49732e9e827e2554c46f

SHA256
6452273c017db7cbe0ffc5b109bbf3f8d3282fb91bfa3c5eabc4fb8f1fc98cb0

SHA512
6c414b39bbc1f1f08446c6c6da6f6e1ceb9303bbf183ae279c872d91641ea8d67ec5e5c4e0824da3837eca73ec29fe70e92b72c09458c8ce50fa6f08791d1492

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
424B

MD5
781c4cda857eeb890901453e1037f534

SHA1
8f5dcb377560dc85dd1d327d247278dd4e2c5ff0

SHA256
ad4fd63d56048a9f52531cdf3bad95f05c39994e83d107ae492bef8439420633

SHA512
8b52a15d955b56074af90c41d9f6aa9327e57a4244c2a2a6ecb33ff13cd8ef3b25dc63847a14096494d4a3bd1184b65a18dd1e929769812215661d7775df867a

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
2KB

MD5
9de6b0cf10dd2fcea699fdb1048adfb3

SHA1
3d0d1bcef8c1cea1b6473eec5fb507d2237c4b29

SHA256
86cafc19e5371cf27584f851022c7586b1d30066a187577b05722138a0ec74f0

SHA512
2030fa1011c3ed4d052c2c61492c5db39fc1d9ea6775690f078d74a4daf7f7f6cb617e105f0362f6f1e4a983c506e000c1f56dc998753e8929fd7545892d3a34

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
2KB

MD5
f0fb1f52f83d12b4256c25fdfa795874

SHA1
58220debb25c72e58d52f603ef19b1eeb757d6d9

SHA256
67996482629986833afca460b17192e27426dc910d0ef0501f5c5eee2aed1d0b

SHA512
260116c5dd0116e7b7591b150236000f31cb8ced898faf9e1945ae909285962201b0256c3f7f39677fb68aeab61d4130d93049829f785a3ca842887e891f1b0b

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
3KB

MD5
cba17425331f3f015bde9d48dd281391

SHA1
2968643528202e270e0ea3459b1d43c7fe35cf1d

SHA256
86fba6dbd82fa89b66925fb2d80e7bbd8bb39d288b3dc8e1886a4c2942747b39

SHA512
de15e9fe3985e09531708172da290790e87fdaadb131f2bd9b813fd92f6049710750fef5d7711b8f0f894ec3c7dfea9e59ebabaf0ad37d3df2cd1bc805d62aef

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
eede153d5195e3ceb84ba4feec23347f

SHA1
0a6aeb63d27b72b26fd55e14ffb7b91b3c746764

SHA256
b1dd79e031f430b0b1e97f4bec672e6173e9a858ac7b1e50cc85ffc5075005c1

SHA512
dbdaf49a45b13c70df3fdc8ceafd8a6f0914eb8a6c0940245be476e6e088659d25496d46d33b257cf32d9892a9d3c5a6ae20687f738d230edac864fcd86f2e4b

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
6KB

MD5
1be9ceb26b7a7d5b6c91fd2e878acf7c

SHA1
a39cf5f8d70f8fed2aa63184f195f369b4ccf11f

SHA256
03b40b89d840678d787736eca99a55d43dd6199ac383a25237fa2916fa5bbbc2

SHA512
88535eae0e07b066777c3e9ecb778fbc19d0725913b53ecff1f14f342277d52927a6446b59be5b7b376be1e862bc142807955bab04b59428dcc79265b2f683f2

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
6KB

MD5
7a01adac7c1449630573550becb295bc

SHA1
bda7f9d3442b7fe42db194d62f26932554162609

SHA256
5a12b5687a53744d77ae8132e60a08be4121fa837735c801a5b4dda02f5f6b4f

SHA512
26a5104ca858d6fae78bbb00a5baaf8e714bef7079a0e5932b97861e7b31b11140b4d044e409aa64bb67d8e42e000876e1dc3d8624be3e2c8e24445ce45fa2f1

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
6KB

MD5
7955427ed988e570dbe25db32e417277

SHA1
a569508fb7ffcf125273dc86e2a7644f049a0d62

SHA256
b4293fc9489edd29fa443f0ba762813b1080d200cdacdb10c4a5725838276841

SHA512
64afc06afe369aff1a926a7d78aead3b6d3c431ccb3b4329351110c7cb3b79c3ab3a5c01a0deef30ca29a93248e1fe06b231a4b07e24d6df48d24fbc4eff337b

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
6KB

MD5
1e648c4a5a6437ee1d7dccad61de20be

SHA1
2e0b217dc36c0c77b444a746f9138ef1cb53e656

SHA256
c5c78b11dea72a0da843b155a8fb7e8d5e3e90e8671d744c6db626262c4579f6

SHA512
778c1cdf0fa7e7c762204ecb1864ddba882a49ae2cf097cf6bea2a44158ce50d00956fb42c0e256aa0c15b5d83d4663cb9e413aec49a5a7866f41523c0e7ce53

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
a99148c09e95cb010156a85c87ae7303

SHA1
df69807af823adfcbdb57b697758041054d782f2

SHA256
fe4298ab34fa87495995a5ad79358fab0742cd3d0fe5bc527a9acd75ff77d083

SHA512
dfaf85189bbc628b44b5f27844526590f3d4735d7b20e69bdf09ee5849be839d077c94cbe1fb21aed93eab8d687886396a7903db5bb868e1743b16c2e9bfcfcb

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
21b09d57842bc4d9b467339366f4ba51

SHA1
94cc9b362764b71e0d3502404e569554e23fa32e

SHA256
037dcf78463b48fce2626d3217d7757f45074b4f8f16ce6dd6b8409993e94a4e

SHA512
d6f9759a383bfb24bf20f8b982905cb4bd1176d037bbd085d31d754770d8eaa435803f2945235b80a00eb772b4014284fc3afdadde026190b4226bf78b49b8d7

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
dab0bb1984f4b9a4e149c37a423aa9ae

SHA1
3810053b6a2e2ba9d3d61b02be0efca6d3b1a76f

SHA256
d429b5bc290fa685b7e16922433c4ce0e97679bae05bf1d45a137cc9f4c3df8a

SHA512
e4a092c17ffc0357e48101a71c96fe52b3f2c200fe79d5765b3a1181de4ab9461fb6433da38dbbce376f28afb2f6f1a71f904196f89c5973abfc5bf2c4dddfbf

Download Submit
memory/2064-12-0x0000000000DF0000-0x0000000002527000-memory.dmp

Filesize
23.2MB

Download
memory/2064-231-0x0000000000DF0000-0x0000000002527000-memory.dmp

Filesize
23.2MB

Download
memory/2064-32-0x0000000000DE0000-0x0000000000DE1000-memory.dmp

Filesize
4KB

Download
memory/2680-0-0x0000000000DF0000-0x0000000002527000-memory.dmp

Filesize
23.2MB

Download
memory/2680-87-0x00000000072E0000-0x00000000072E1000-memory.dmp

Filesize
4KB

Download
memory/2680-23-0x0000000005B50000-0x0000000005B51000-memory.dmp

Filesize
4KB

Download
memory/2680-22-0x0000000005B60000-0x0000000005B61000-memory.dmp

Filesize
4KB

Download
memory/2680-216-0x00000000072F0000-0x00000000072F1000-memory.dmp

Filesize
4KB

Download
memory/2680-4-0x0000000000AE0000-0x0000000000AE1000-memory.dmp

Filesize
4KB

Download
memory/2680-1-0x0000000000DF0000-0x0000000002527000-memory.dmp

Filesize
23.2MB

Download
memory/2680-227-0x0000000000DF0000-0x0000000002527000-memory.dmp

Filesize
23.2MB

Download
memory/2680-84-0x0000000008130000-0x0000000008131000-memory.dmp

Filesize
4KB

Download
memory/2908-29-0x0000000003CC0000-0x0000000003CC1000-memory.dmp

Filesize
4KB

Download
memory/2908-19-0x0000000000DF0000-0x0000000002527000-memory.dmp

Filesize
23.2MB

Download
memory/2908-229-0x0000000000DF0000-0x0000000002527000-memory.dmp

Filesize
23.2MB

Download