55e4ce3fe726043070ecd7de5a74b2459ea8bed19ef2a36ce7884b2ab0863047

max time kernel
143s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
08/02/2024, 19:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

AnyDesk.exe
Size

5.0MB
MD5

a21768190f3b9feae33aaef660cb7a83
SHA1

24780657328783ef50ae0964b23288e68841a421
SHA256

55e4ce3fe726043070ecd7de5a74b2459ea8bed19ef2a36ce7884b2ab0863047
SHA512

ca6da822072cb0d3797221e578780b19c8953e4207729a002a64a00ced134059c0ed21b02572c43924e4ba3930c0e88cd2cdb309259e3d0dcfb0c282f1832d62
SSDEEP

98304:NzTZ3cINQscs0m++LNkT6OpwDGUUH57yvZ/49Mr8EO3QhA9Kq:Nzt3cINQscNmvLCwDkHEvZ/4R79x

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AnyDesk.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	AnyDesk.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2192	AnyDesk.exe
2192	AnyDesk.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
2680	AnyDesk.exe
2680	AnyDesk.exe
2680	AnyDesk.exe

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
2680	AnyDesk.exe
2680	AnyDesk.exe
2680	AnyDesk.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 3004 wrote to memory of 2192	3004	AnyDesk.exe	86
PID 3004 wrote to memory of 2192	3004	AnyDesk.exe	86
PID 3004 wrote to memory of 2192	3004	AnyDesk.exe	86
PID 3004 wrote to memory of 2680	3004	AnyDesk.exe	85
PID 3004 wrote to memory of 2680	3004	AnyDesk.exe	85
PID 3004 wrote to memory of 2680	3004	AnyDesk.exe	85

C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
"C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe"
1⤵
- Checks processor information in registry
- Suspicious use of WriteProcessMemory
PID:3004
- C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
  "C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe" --local-control
  2⤵
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:2680
- C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
  "C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe" --local-service
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2192

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4664

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\gcapi.dll

Filesize
385KB

MD5
1ce7d5a1566c8c449d0f6772a8c27900

SHA1
60854185f6338e1bfc7497fd41aa44c5c00d8f85

SHA256
73170761d6776c0debacfbbc61b6988cb8270a20174bf5c049768a264bb8ffaf

SHA512
7e3411be8614170ae91db1626c452997dc6db663d79130872a124af982ee1d457cefba00abd7f5269adce3052403be31238aecc3934c7379d224cb792d519753

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace

Filesize
9KB

MD5
6b4a2da79cf1f8f0d8d4a1650ef2830c

SHA1
c299c893d353351c4657ae1eb8546c2b57eefa84

SHA256
374a5691fcaf325aa2471717be5bf554dac27fd560c62a427f21a9806587d92e

SHA512
9907ad71b95fcc32c3423eaa271020e20d47b9c8a97697cd0068a1e57a4f152f5c62dbd0fb5e2b8cd397c743dc8bc458d46a6f2998622d0a800ed19720be9f07

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace

Filesize
7KB

MD5
88df187c112579fa24e48aefc4ef04ac

SHA1
97c1ce6d67757a435caab435176f872b607eb050

SHA256
7e462fc547328fd5167aa0c066df7f83881b616fc3420ea769c081d63d1d01fe

SHA512
f0c2e43dc348e304ddfcbb43ffcb41a33b603132437431e3ab307da2f70b2ae3cfcecb4820367b31e8044620d740384479a34583b8a8d9eb203aac3b5e917d9c

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\service.conf

Filesize
2KB

MD5
0a05e7c27c2ab0f0f902d4517f1ec139

SHA1
082ab0e6ab71698cec2dd3e8f781a957009e8d35

SHA256
63c94dee49f6559c9603690efd54309e3df64fe389716927b6cd906f2cc32b88

SHA512
474587189a593238d40fc343fb3b5ee6da851bdab3c63c6df29bc2ee8ee160e5a5f5bc03f7275d2209cd21beed9d5c6c0fef6d977c5bb2e0e50298e617693ec9

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\service.conf

Filesize
2KB

MD5
8ca2f629f6a6f80611b237bf34559c37

SHA1
b38eda353876e1e9d135118433eeba1c292451c6

SHA256
6069e728ce2ff6412c4e93efd485ab3bb0919657c4afb39bdbeaaa316c8efa38

SHA512
67994fa808f7e43827b893f58f27245ada002310cd3d150084ea027fe6f4576534fab1dad7916d2100653ce4e35a3efac75604570172df6fff1783d4105ba88e

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
681B

MD5
ae93740e68f25eaa1d2069e873d73519

SHA1
b3d256a0a90ef7b2071a4340514f5034ab1af175

SHA256
dc320a95ea6f36bb75b8d573715ca1412696cd1a3cc81611191caaa003f4c585

SHA512
ab1f99bd8c4d499be7eec8e2dff3dda2ae6ca7af2746dcf48781570a923cc83e1cd96108af21d3465c91c535d4f57746b1356be31f4807f6e1396b91bdb30cdc

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
802B

MD5
894301078150133aa6b9ca32bab81682

SHA1
c099a3ff7075d6f98ce6d930354a6da7d3d6d076

SHA256
5f42b6795472a4d85c6d98ee736674010b95146d312764472667cdc658973a48

SHA512
f3d5682c217519c3693f8c037c61b351bc1c6b54067d5fcc0ad0faf8579dbeee714926a9383ab710d846056d26b8505ba9426d9dc8ffb81426cc81681e6f83a8

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
312B

MD5
0c04ad1083dc5c7c45e3ee2cd344ae38

SHA1
f1cf190f8ca93000e56d49732e9e827e2554c46f

SHA256
6452273c017db7cbe0ffc5b109bbf3f8d3282fb91bfa3c5eabc4fb8f1fc98cb0

SHA512
6c414b39bbc1f1f08446c6c6da6f6e1ceb9303bbf183ae279c872d91641ea8d67ec5e5c4e0824da3837eca73ec29fe70e92b72c09458c8ce50fa6f08791d1492

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
424B

MD5
8e55b0e437d6deb048fbc4ff6ba44376

SHA1
e79a87637647a9b619f8df1510b6eef36a76f2ec

SHA256
b7e777a9f23b717cf50c21377150e14d0384593a286a1ef4d42d47122d658e36

SHA512
84cd5f0ae859dfd015266f26348454ba96f3b9cabf52c223b792052118d6ad3962f7f9d92e4dfacaf142c665ba3ad12f53520dcdf0f4c993dd62e84bd20efe4e

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
424B

MD5
4758e24312b6739df8a2b4e53834b1fd

SHA1
baea6a8087959e057ebeb1fe5fec67bb53e2927f

SHA256
fbb4544eebcb827ae216bb230cb0d3119248715023d929921bb18702a06c517a

SHA512
fb85f5d30e33ce4c0a7757d57eb84c90caefb4a46f379a653c621e62f1b25b0ad9bba5a8a468e087488e422aef06d41556e2c45f35167b46974ff5a6de6ef011

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
2KB

MD5
2c24392a5e5fa8a26637d43ee1a8300a

SHA1
0a8df0234461a28c94f8a190514b9dd1b77ac931

SHA256
2851f55d07667dcf037dc8836fc574dc61c255024be01794491df8d319edb9e3

SHA512
25d31a8e50a27d1aef2ac979bef483e3a30d2e038c85623f40e6864b883bee6fb641895ac4ca9097b16e260cc26e590be30d8fdf5900f2a443b07d35f96785d9

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
2KB

MD5
96bbfeb45c1bedbdf9a15bbf54fc40e7

SHA1
ca476a2bb98d52331221603b86757aa2cdca8598

SHA256
3d65faa9eab4185387530756c3f28890309150f32b0eff462bcf40003dc7dcf3

SHA512
516126ba1d61c72e45236f335e86f2de063f97e434eb87904ed9986795d09b8b36b279d236c05d18e00e3bb4a0f3011e9ba09b62b5d63674fb31cf4006b522f7

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
3KB

MD5
371ee7c687a09c71725a576a6e714712

SHA1
e0e71df6116e36176aa5d8c6e07fcbf5b70015ae

SHA256
095da621d290fbc560a1fe102678ff1957f4eb34f3d12d054ab52c235781362b

SHA512
5c457c7926d8ee8eb2fcf8f1c2bb3cab2e8113c7af0832e449c92fea5a1f4ab19bedfd7c6b326da7ee54d6266ab1f0eed0a43f663a69599eff2ba981d28a327b

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
3KB

MD5
e27fc320461c8f9061b5992a7fce9b7d

SHA1
cda5526f33e0c30a10b5835988977d9c3d34eb08

SHA256
23f2f414eddbac2208e2cb21c56e686f6d18dc4622fee9e573c9cef9c7a121bc

SHA512
fe89cb972ead7097c8c93eca3f6f3381d86d0a28df01eeaa2ff40403e17ecbb347ee13f15fc9d1226ee7c362acd399da9ffc1a5722e123cc35f8a7c8cfe5a0d4

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
6KB

MD5
3890a38752e166cebf60d24c548113a1

SHA1
42d7de5b3a097a8df1504362c9aad4e9aa9bd9d8

SHA256
d41fa0dbf3d2a789bb1aa919a2ce20111b9d90650d480676e07c73efd3c83590

SHA512
75ba4e89c7c939dd20c86bc623cb3c397742d646bf9bcc709cf50f330daa2557c9ea6ecc925f834bf6740bf455fbc99ab5d1f4f124a76e477ca4c93e6321ea6b

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
6KB

MD5
e2f1fa3975366f8ab59629b5d4413561

SHA1
2a27100b9d06eb13db43f3846cba917b8523cc4a

SHA256
98474ec17ca4e33a796d3f1e5ae87d9aaa3a08a3bdf7263f1f0646af9f2087a8

SHA512
8829d00fabebb6605396c4641c8b42c3aa2902bceb82438520b2c5beb50860d57ae21454fee7e4b130cbd572f3f82e1618c36886f227aab0a785254b6328ceea

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
35d5cee39bc87855dfd95e403128ed79

SHA1
a829374dcecb2034be03ddfdc5f453b4bf4bc24d

SHA256
9af887aa45d84d3c31bf03e140694a811f3114589b1d89918a7c7848030603ff

SHA512
d00e1866cdc7d7c6b3cab57a0d946ed2a0192c4b72687ea29c703a24fd07dca0263a731b947f0afddc3f99e771289bf6ff4ca7282da578acc38581bf683c575d

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
6KB

MD5
7c08f0856d46f4109db3588c316e2080

SHA1
722cb58f5dc2812efb5eedffc88e8ff5534369b5

SHA256
7db98b1a3541332912f5b4be0224d6d7f2cca804a4daae206abc022efed44a1e

SHA512
432cd3854af07fb23f62613a075c8c2bf05c7a74de444f576ac0aaf3768e1fed8dae911acb972c313df86febe804468736eaf22d18705ab234e9c7980317fb63

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
6KB

MD5
0baeb7d1d541624768a80338562ea9e7

SHA1
7189f4ae9c70207b5d8d8c3444cfa3abfc55bd37

SHA256
988a2aecfd6542f0c57f881bfb70a8a6abff29dc83a14160d778055b9271a44d

SHA512
9a66cb53885bb53ef45ec164625f967130a95432e5ba442c310203d3464da1f54dc83a9b5be450cbfac970f55795ddca57dd4f8961a0cb97a95fecc3bd7986cc

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
8a8217840ad7010541126dc7a7a4203d

SHA1
b09f149d919291ee79bfbff4e5e2ca1b707bcb23

SHA256
e50185c46d74453e9102a6fa3527cc393b1f619538260f35d0109188ee1cfe64

SHA512
147bd21022d22234ae3d05c639892c7c9ba5bcb5e1051e41a4e6f1c599618a3f189846f69b0d30bfb51d99f3c574430bf902b0a87437de92d5d3afea6d79f5b6

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
16931007e7e4cf6874cf4e25c62f714c

SHA1
913b60fc2e28f1ade3ba85c5c9a3d3b4684beb79

SHA256
9586441f47c220f80868c35d2644e87646d2ebe46e8a77b0b551803f7e621e31

SHA512
3c3bd30e782933eb4efb2e1ae0e8476553d10f98fba120e6b352fdc2faa1baab76a226b7616f36ad18357acd83a5fc9ffcd8b262e48a0089ce8b093f9639a9f4

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
f63a9be57dfded08764250b961457ced

SHA1
fc4a65d64202f8af1d8d2904922e116d207278ee

SHA256
fc89ae7f10aadf3dd0d6aaae017b319b08e8af54273b0297d3892b5c092d06e9

SHA512
addb3511ddfc058752ef9b4c6388436c745091f8564cc79042b3605b1f8ddc5df677deabf4bd8491a1c2b982fe9365e33f5ecaa740195003c0c3ebd547f0ce70

Download Submit
memory/2192-13-0x0000000000A10000-0x0000000002147000-memory.dmp

Filesize
23.2MB

Download
memory/2192-33-0x0000000002240000-0x0000000002241000-memory.dmp

Filesize
4KB

Download
memory/2192-11-0x0000000000A10000-0x0000000002147000-memory.dmp

Filesize
23.2MB

Download
memory/2192-249-0x0000000000A10000-0x0000000002147000-memory.dmp

Filesize
23.2MB

Download
memory/2680-32-0x0000000002800000-0x0000000002801000-memory.dmp

Filesize
4KB

Download
memory/2680-12-0x0000000000A10000-0x0000000002147000-memory.dmp

Filesize
23.2MB

Download
memory/2680-250-0x0000000000A10000-0x0000000002147000-memory.dmp

Filesize
23.2MB

Download
memory/3004-1-0x0000000000A10000-0x0000000002147000-memory.dmp

Filesize
23.2MB

Download
memory/3004-92-0x0000000007EE0000-0x0000000007EE1000-memory.dmp

Filesize
4KB

Download
memory/3004-27-0x0000000006100000-0x0000000006101000-memory.dmp

Filesize
4KB

Download
memory/3004-4-0x00000000021E0000-0x00000000021E1000-memory.dmp

Filesize
4KB

Download
memory/3004-237-0x00000000078A0000-0x00000000078A1000-memory.dmp

Filesize
4KB

Download
memory/3004-0-0x0000000000A10000-0x0000000002147000-memory.dmp

Filesize
23.2MB

Download
memory/3004-248-0x0000000000A10000-0x0000000002147000-memory.dmp

Filesize
23.2MB

Download
memory/3004-95-0x0000000007890000-0x0000000007891000-memory.dmp

Filesize
4KB

Download
memory/3004-22-0x0000000006110000-0x0000000006111000-memory.dmp

Filesize
4KB

Download