55e4ce3fe726043070ecd7de5a74b2459ea8bed19ef2a36ce7884b2ab0863047

max time kernel
143s
max time network
142s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
08/02/2024, 19:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

AnyDesk.exe
Size

5.0MB
MD5

a21768190f3b9feae33aaef660cb7a83
SHA1

24780657328783ef50ae0964b23288e68841a421
SHA256

55e4ce3fe726043070ecd7de5a74b2459ea8bed19ef2a36ce7884b2ab0863047
SHA512

ca6da822072cb0d3797221e578780b19c8953e4207729a002a64a00ced134059c0ed21b02572c43924e4ba3930c0e88cd2cdb309259e3d0dcfb0c282f1832d62
SSDEEP

98304:NzTZ3cINQscs0m++LNkT6OpwDGUUH57yvZ/49Mr8EO3QhA9Kq:Nzt3cINQscNmvLCwDkHEvZ/4R79x

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AnyDesk.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	AnyDesk.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2852	AnyDesk.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
2776	AnyDesk.exe
2776	AnyDesk.exe
2776	AnyDesk.exe

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
2776	AnyDesk.exe
2776	AnyDesk.exe
2776	AnyDesk.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2380 wrote to memory of 2852	2380	AnyDesk.exe	28
PID 2380 wrote to memory of 2852	2380	AnyDesk.exe	28
PID 2380 wrote to memory of 2852	2380	AnyDesk.exe	28
PID 2380 wrote to memory of 2852	2380	AnyDesk.exe	28
PID 2380 wrote to memory of 2776	2380	AnyDesk.exe	29
PID 2380 wrote to memory of 2776	2380	AnyDesk.exe	29
PID 2380 wrote to memory of 2776	2380	AnyDesk.exe	29
PID 2380 wrote to memory of 2776	2380	AnyDesk.exe	29

C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
"C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe"
1⤵
- Checks processor information in registry
- Suspicious use of WriteProcessMemory
PID:2380
- C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
  "C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe" --local-service
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2852
- C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
  "C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe" --local-control
  2⤵
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:2776

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\gcapi.dll

Filesize
385KB

MD5
1ce7d5a1566c8c449d0f6772a8c27900

SHA1
60854185f6338e1bfc7497fd41aa44c5c00d8f85

SHA256
73170761d6776c0debacfbbc61b6988cb8270a20174bf5c049768a264bb8ffaf

SHA512
7e3411be8614170ae91db1626c452997dc6db663d79130872a124af982ee1d457cefba00abd7f5269adce3052403be31238aecc3934c7379d224cb792d519753

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace

Filesize
5KB

MD5
774b42c60a0c2b3dff21be40390e504d

SHA1
9682801a95027bd1ef8abe1604fb002219e06f43

SHA256
10ffb5f2b50328d3ea4f5d14b92527a5266189dd8c7a28b84c93348eb8a20872

SHA512
b892b47e46a6cc864582d7d979c2af17e8f3416478f2869352db14c0070b665d9c9533c3559f2e28fd3a04eb7f1105fbb76506c05240ef0625ad9b818dc20342

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace

Filesize
7KB

MD5
d8f10733a021ed61a37c7060d364b996

SHA1
b227fd4d34c1c88e3f9a525931b8864f7fe85fc5

SHA256
2f415b3f750eaa09bae23bf33ee1ef4a803b491d81895d0a72de29248b345a9b

SHA512
43c017240ac2bd84acf56b1e08b28d8ee6ec8180efe09171031f897d852749f6c2e9248fa8f5972df7a432fb4d6ea14d1c44572f9a2a7b573d5ccf08ad4bb567

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\service.conf

Filesize
2KB

MD5
23b96c855fd6a6dee03b344a2d0331b5

SHA1
c2c9e2995cc93aa467eea0bf4ec605b192413b9f

SHA256
69928ec2344536393bb9027f9f478c5efe19ff7ea4de63da1827a4890f437dbd

SHA512
2dac12776081cfe3dd88e1125f29752ea5e489a343faadc39d5c03de0ce2a6adc6401116ae1ef49c3b347e5e6240f9653546566d312bd93bed7cfefe7e5fabb0

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\service.conf

Filesize
2KB

MD5
c1cd703bd3cca0fc7b56e456b6b63d9a

SHA1
3ad1900cb9f086b0e3d57571cd528d1eeb17d81a

SHA256
1d9b4e252ae6ea1a33bcec47cbca405ba55e2de6c2317addbe2b5f9c9c8500fb

SHA512
94f7d8890d580136083b7f4412f896d94414f96e429c7ebe3b20733c2609a12ec1c6b3eb7b4d149bf0f7ac73d2bfb489a9274f6cfb1e371aafec5dfb6c3e6e4b

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
680B

MD5
677fbf921ec1817cc361c7efa845d581

SHA1
bbe09a4c080e242a874aa89daab516962ea5b346

SHA256
1750b805afe65e76f92b07feaaf27ba5a239157242631d35521c026b06d960e0

SHA512
de1429d7bdd3eec37ded4101fdec4a6e1be6c46a36245e96b409cfffc00048931f7ea48926875d1175096d0e5556e76c8331e47702c89db6ab10a218cf4b79d6

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
744B

MD5
6642d8c10ba4a3916412da395bf4e508

SHA1
d93735156dc6a4d3ac77977c412825a14ed97e6a

SHA256
806477bcc420fd27e53d6a426a7a455e12614b6b28f5118e6fc2bb43bd0bee42

SHA512
64644601cc4c8118618edf56f09069439ccf4920c3c86c8a3661925e6477d0471b3e6b2b40103ec7843fbb8a65ab54d47ddc813738b809cfd6c4bab0a8d2ffa1

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
312B

MD5
0c04ad1083dc5c7c45e3ee2cd344ae38

SHA1
f1cf190f8ca93000e56d49732e9e827e2554c46f

SHA256
6452273c017db7cbe0ffc5b109bbf3f8d3282fb91bfa3c5eabc4fb8f1fc98cb0

SHA512
6c414b39bbc1f1f08446c6c6da6f6e1ceb9303bbf183ae279c872d91641ea8d67ec5e5c4e0824da3837eca73ec29fe70e92b72c09458c8ce50fa6f08791d1492

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
424B

MD5
41f50e037c15bd770af66fb03060530e

SHA1
f94f9525cfabb66da84bcf0b014dc45ac20a2477

SHA256
754cb66d0593bf098f0884afbe2805bd6f91354adf7b62231f035d1d731b3fe2

SHA512
180121b7e6c5b6d46fab8d08f9fc16b3c3f7f171bcade1aa6389d6dfb5b834e269979c4802c0cb8c10861c0089edbd4a8dded22054b64358c5e0846d5e164494

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
bc41054ac6cb12afd4047d0c82a1185d

SHA1
109ed6c24cf54e0161e05e83c2f3c54419bbad8b

SHA256
6812da0c5f03cd9f50327c467fd1a3622ddf087e5931f6fca3e96dc9770146e4

SHA512
88392a661652cb694930d8f15cb1de3086850682dc1bd4d18b5067831892e19201ef449e088a00d6dd15db2fbddd4e4d909d6d30fb8079c94d4f494d7e51c61d

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
1dd5b6830d32ca22221b3a0b6ff68abc

SHA1
8f96d9f9c7088db9ab4d2a56f4ce4424503e8feb

SHA256
64a5756077ef488bd743b2e00e41d04b71fb7476b6bab8435749f317cb18a94f

SHA512
643cd2c3598fca48eb03601d0da17b58864b9072913db67da72c917669aac449a52a7a19186007bc6fb6e5bf74a3a94218e8939e0efc5f70ce37285746552b1d

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
5KB

MD5
9be1a542d1984675e2cce557ecab99f0

SHA1
91b77c572d9e66775a7dc6aee9d439a5920be13b

SHA256
6638da1c4d1d5dcfd76717998997b452a8703ba6255b5a721fe277c155df3882

SHA512
75c9c92f985e704d800db37abaaf38134d4fbba7ebf4861bb4ec131d8407b82efbcf0a484161db56dcd36385834b7741f56f3d3971717d37f5d7f17b98e76d82

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
5KB

MD5
689478e7608f46cc29531dd52a303c6d

SHA1
dfc1cc57ec1e33664d7a8d76928bc16b0115e280

SHA256
9287a66f5da06dce0ef078261b5c998bdbf591e91ed6060369df7f3e6621414f

SHA512
ad466923ef0a17242b26008830a13ebf648b4f0fa2bcec0896d9652ca0a86f85ef1b3a2980ae2b8f65a3add19ff7d9d02af3f6b7a6a488fb8df608eb6349c015

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
90c73f3f664f46bff49de068daf270ab

SHA1
8aa54b31e05de095ed4797812f1fd66670305e6d

SHA256
528923c866d59b122b7dbd0c4ddcac04910b3171a5939640d80f358c5b274470

SHA512
b777a3c52ef8d4ec340361759bd0c2d04157342f6fc46bf377a1de6680bd4a6d373f4ca29b704c17cef598484dfde390a7822d1f72dff804cd1bd5e7a5c5455a

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
586d6187839967875a99547e4f6cd917

SHA1
13a4a972be770afe50332b3478cf2c192c657c31

SHA256
592ad8014814bb555d93283260a023ab2c9e4f4bd8d964fed4fc144ac9b4a815

SHA512
1cf2b3224debdc8584c4140cf8440e8f6ffab7cafd15ae5197dbcca1674aaf9b870358e5dac897c78552fa8a8dda25686235b8a63c781076f4cecb14334ecc28

Download Submit
memory/2380-228-0x0000000004C90000-0x0000000004C91000-memory.dmp

Filesize
4KB

Download
memory/2380-20-0x0000000003C90000-0x0000000003C91000-memory.dmp

Filesize
4KB

Download
memory/2380-97-0x0000000005600000-0x0000000005601000-memory.dmp

Filesize
4KB

Download
memory/2380-100-0x0000000000380000-0x0000000001AB7000-memory.dmp

Filesize
23.2MB

Download
memory/2380-239-0x0000000000380000-0x0000000001AB7000-memory.dmp

Filesize
23.2MB

Download
memory/2380-0-0x0000000000380000-0x0000000001AB7000-memory.dmp

Filesize
23.2MB

Download
memory/2380-112-0x0000000004C80000-0x0000000004C81000-memory.dmp

Filesize
4KB

Download
memory/2380-1-0x0000000000380000-0x0000000001AB7000-memory.dmp

Filesize
23.2MB

Download
memory/2380-21-0x0000000003CA0000-0x0000000003CA1000-memory.dmp

Filesize
4KB

Download
memory/2380-4-0x0000000000270000-0x0000000000271000-memory.dmp

Filesize
4KB

Download
memory/2776-108-0x0000000000380000-0x0000000001AB7000-memory.dmp

Filesize
23.2MB

Download
memory/2776-11-0x0000000000380000-0x0000000001AB7000-memory.dmp

Filesize
23.2MB

Download
memory/2776-12-0x0000000000380000-0x0000000001AB7000-memory.dmp

Filesize
23.2MB

Download
memory/2776-26-0x00000000001F0000-0x00000000001F1000-memory.dmp

Filesize
4KB

Download
memory/2776-241-0x0000000000380000-0x0000000001AB7000-memory.dmp

Filesize
23.2MB

Download
memory/2852-33-0x0000000000180000-0x0000000000181000-memory.dmp

Filesize
4KB

Download
memory/2852-13-0x0000000000380000-0x0000000001AB7000-memory.dmp

Filesize
23.2MB

Download
memory/2852-101-0x0000000000380000-0x0000000001AB7000-memory.dmp

Filesize
23.2MB

Download
memory/2852-240-0x0000000000380000-0x0000000001AB7000-memory.dmp

Filesize
23.2MB

Download
memory/2852-243-0x0000000000380000-0x0000000001AB7000-memory.dmp

Filesize
23.2MB

Download