55e4ce3fe726043070ecd7de5a74b2459ea8bed19ef2a36ce7884b2ab0863047

Analysis

max time kernel
147s
max time network
145s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
10-02-2024 17:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

AnyDesk.exe
Size

5.0MB
MD5

a21768190f3b9feae33aaef660cb7a83
SHA1

24780657328783ef50ae0964b23288e68841a421
SHA256

55e4ce3fe726043070ecd7de5a74b2459ea8bed19ef2a36ce7884b2ab0863047
SHA512

ca6da822072cb0d3797221e578780b19c8953e4207729a002a64a00ced134059c0ed21b02572c43924e4ba3930c0e88cd2cdb309259e3d0dcfb0c282f1832d62
SSDEEP

98304:NzTZ3cINQscs0m++LNkT6OpwDGUUH57yvZ/49Mr8EO3QhA9Kq:Nzt3cINQscNmvLCwDkHEvZ/4R79x

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AnyDesk.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	AnyDesk.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2732	AnyDesk.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
2708	AnyDesk.exe
2708	AnyDesk.exe
2708	AnyDesk.exe

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
2708	AnyDesk.exe
2708	AnyDesk.exe
2708	AnyDesk.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2528 wrote to memory of 2732	2528	AnyDesk.exe	28
PID 2528 wrote to memory of 2732	2528	AnyDesk.exe	28
PID 2528 wrote to memory of 2732	2528	AnyDesk.exe	28
PID 2528 wrote to memory of 2732	2528	AnyDesk.exe	28
PID 2528 wrote to memory of 2708	2528	AnyDesk.exe	29
PID 2528 wrote to memory of 2708	2528	AnyDesk.exe	29
PID 2528 wrote to memory of 2708	2528	AnyDesk.exe	29
PID 2528 wrote to memory of 2708	2528	AnyDesk.exe	29

C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
"C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe"
1⤵
- Checks processor information in registry
- Suspicious use of WriteProcessMemory
PID:2528
- C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
  "C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe" --local-service
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2732
- C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
  "C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe" --local-control
  2⤵
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:2708

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\gcapi.dll

Filesize
385KB

MD5
1ce7d5a1566c8c449d0f6772a8c27900

SHA1
60854185f6338e1bfc7497fd41aa44c5c00d8f85

SHA256
73170761d6776c0debacfbbc61b6988cb8270a20174bf5c049768a264bb8ffaf

SHA512
7e3411be8614170ae91db1626c452997dc6db663d79130872a124af982ee1d457cefba00abd7f5269adce3052403be31238aecc3934c7379d224cb792d519753

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace

Filesize
6KB

MD5
8d571efc7b4aa99281184906e8fda6dc

SHA1
b6813a3f585d3a9a7c3a5a067414743a47adbef2

SHA256
6901dabb58ea9e0f16a618b6bf29981a65bb3dc293528fa2f277686368577b57

SHA512
393e42caf4fecbc43a5022f5188553775e7916e30acd131c4607c3c69da54b7a829da5585d85f0c5110352827c17ba411f20f4d4df20d89db55fbe015e372186

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\service.conf

Filesize
2KB

MD5
2d0f31395bdaf7058f7ada46998e34ff

SHA1
88fcc2ac04f04d192bd3219ec6dac7f4b83f57f1

SHA256
be859f77754794dd89c2e817dfb87abcdd697025a938907cda6a8335d6a9717e

SHA512
517fad1870ef9a098bb877883c2f57ccd199c8719215af2c64015e7357428247723451688cb6ba7ba34709c6444c8507905fb8d06f67fe8db370f8769968260e

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\service.conf

Filesize
2KB

MD5
8a0e3bc26c60e9af759d037bd7c78d60

SHA1
a53215c93b05ad79c5e16ce6d80d99e107abe448

SHA256
254c87abdb01f8372e5dbc03c69ce78797e25c5fbb2013979d9f7c7909d528ff

SHA512
283b2583b194a3c868b872c028a797df86af6e9b7c5d174f6fd6c40a898f52157a6d90326fdf37904252192a5be87e5122615977a8d124d5f1462654e4bac253

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
424B

MD5
f9f80b9850c693a0f1085394f4ccf981

SHA1
e44ec41d1b9040a14ca179f182d70ea3df95db0b

SHA256
04b9c00fb08ffd47e64a80c0bb267df935c6600b1d03dd0f3c77d4b36a46d4f4

SHA512
44a3c64e016cf762a711f74bf1679e5513f39068d64432897cfc664d98ec44043b0cd2d00a5ccc18734a8be4ce09f4649781923f2bddede88d3723d788821b2f

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
676B

MD5
fc4d3b2ba0d4d7583029014e680051d3

SHA1
42fd0e9a7d543ca7181ed53a227ede0662a0e94b

SHA256
2fae39fd4a6490648b2cb4dd22fff4e2f0014855c65c75fc695d7eb3b77910f3

SHA512
25e63d1448133f02f00cb69c48c512fa9812b0827ef66975b139e42b1ba498c76074fa0ea08203ff47c7a7c8e99f5dc8f2610c047059396ba5f60eee70aeb326

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
745B

MD5
13c418961c3275561ce49fae320f4a75

SHA1
2246e2a0c80ca27dadcb41313c3869a6adc49d95

SHA256
41d3e92320a63a04df5e395935d98dca2308e5905a61a75c43f0949939f1d810

SHA512
da1eafc60c5460bb6e3ebc514864b9008175a7dd46b4e9bbc4b5cf9a0aa6785081a0066c33b2fe61f3a0041a282c08051359a0c6f41e8af2311ef58a4ea2e9b6

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
424B

MD5
573274d4a6316d8f98ea46e811cff13b

SHA1
2e461861a01ce784fc323ab58700091a61859f4d

SHA256
bcc26872f14a1b8c0c7598d6fac68f46d4b4f09e32b4a4482b16ca1d7f6f618d

SHA512
23c6defd0bba2cb196a43508f21e60f7f6a03f533173eb36eb41819e69b41526a34ab25d1ad063814fafa4da19dd8b238880f0b34677881724443f5d63becaf2

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
070be9917f59e50a734b829e67afa6bc

SHA1
6e61e9d984b46c181645d3e5e85c21190360f5e7

SHA256
3e94dfd9a42b547028cf2e3bec6528d482c0c10b47e0fa3ca8b57d6c40b6f2b3

SHA512
32eadc0d60ef2252a0b232b954225907e5a1448997fd49aef00fbf57f879ca71dc8ca076e4b13b7097d41cc5cfb14df708f4012a2e702b6fb15ce3de79e1c505

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
46621513c559d063e917a2406c295850

SHA1
f43415346179bb368296627a5d558ec7dbb5b76a

SHA256
0453be15aefa6600538ac92025eefb0dad30749d5f144742b513c83b8e10e409

SHA512
c58b68fe6e709c01600d2dbddb034f47090596ad53b75d34ae3c2650e985536fc17cd24b35a2bc4a21563b48716e5309f8f79b3870621d865ebfb74f8a288855

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
5KB

MD5
aec31150467d97dc824c2c9c7f2daa63

SHA1
c4ce9e92d774c0bc6be57ce1a9f3371918a276d1

SHA256
f60e082e85b5af870352b02abf0ccb13ece1c5396263da33769e2d5049f9a61a

SHA512
c21b1e0db76f3408de32e471667f9a9e80789e5dd3bdf161852f2c50ea6cce23ea146188bc760fca44c4ab3d36a435254783956d5a1efb7b62bcdb5f1ae10950

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
5KB

MD5
a19758e085c29a5cbb07aa8cf9f78f1d

SHA1
1788f3854b4e51d540728ee3f09ccb69bcc0ed25

SHA256
e8ebdd87832315d6799b74704b02c6180e9b4b77f254de2e1e501abcc302e616

SHA512
1bfe7b2aa93880eb0c91041704e4c8f1f085c38f13a895c820b89fb4272fac5ed4d8d46d5f96559b26cd36dc9b92af4e8de2b18af2375e8608a1a86be10c3b35

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
bc09753b5df9cacf2a8f3a36103ed782

SHA1
64bb9831329adbc1eb78b0a49d563e70748f6d53

SHA256
1ae553992ed267354223bc326db10a8025826aedcc04acd495ce20f1ba9778c9

SHA512
4598c92b6cf01d37c2d6776816790d377bf0ff635a68c3495eaf4d2ca6756ce0e6278473cd41ca4136d9bf714073d0e76f29661075712752275adcaaeb2e8f60

Download Submit
memory/2528-21-0x00000000035C0000-0x00000000035C1000-memory.dmp

Filesize
4KB

Download
memory/2528-0-0x0000000000280000-0x00000000019B7000-memory.dmp

Filesize
23.2MB

Download
memory/2528-1-0x0000000000280000-0x00000000019B7000-memory.dmp

Filesize
23.2MB

Download
memory/2528-311-0x0000000000280000-0x00000000019B7000-memory.dmp

Filesize
23.2MB

Download
memory/2528-33-0x0000000000280000-0x00000000019B7000-memory.dmp

Filesize
23.2MB

Download
memory/2528-98-0x0000000000280000-0x00000000019B7000-memory.dmp

Filesize
23.2MB

Download
memory/2528-4-0x00000000000B0000-0x00000000000B1000-memory.dmp

Filesize
4KB

Download
memory/2528-22-0x00000000035B0000-0x00000000035B1000-memory.dmp

Filesize
4KB

Download
memory/2528-302-0x0000000000280000-0x00000000019B7000-memory.dmp

Filesize
23.2MB

Download
memory/2528-303-0x0000000004F50000-0x0000000004F51000-memory.dmp

Filesize
4KB

Download
memory/2528-126-0x0000000000280000-0x00000000019B7000-memory.dmp

Filesize
23.2MB

Download
memory/2528-305-0x00000000047B0000-0x00000000047B1000-memory.dmp

Filesize
4KB

Download
memory/2528-304-0x00000000047A0000-0x00000000047A1000-memory.dmp

Filesize
4KB

Download
memory/2528-167-0x0000000000280000-0x00000000019B7000-memory.dmp

Filesize
23.2MB

Download
memory/2708-31-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/2708-313-0x0000000000280000-0x00000000019B7000-memory.dmp

Filesize
23.2MB

Download
memory/2708-11-0x0000000000280000-0x00000000019B7000-memory.dmp

Filesize
23.2MB

Download
memory/2708-125-0x0000000000280000-0x00000000019B7000-memory.dmp

Filesize
23.2MB

Download
memory/2708-39-0x0000000000280000-0x00000000019B7000-memory.dmp

Filesize
23.2MB

Download
memory/2708-85-0x0000000000280000-0x00000000019B7000-memory.dmp

Filesize
23.2MB

Download
memory/2708-247-0x0000000000280000-0x00000000019B7000-memory.dmp

Filesize
23.2MB

Download
memory/2732-119-0x0000000000280000-0x00000000019B7000-memory.dmp

Filesize
23.2MB

Download
memory/2732-186-0x0000000000280000-0x00000000019B7000-memory.dmp

Filesize
23.2MB

Download
memory/2732-136-0x0000000000190000-0x0000000000191000-memory.dmp

Filesize
4KB

Download
memory/2732-129-0x0000000000280000-0x00000000019B7000-memory.dmp

Filesize
23.2MB

Download
memory/2732-65-0x0000000000280000-0x00000000019B7000-memory.dmp

Filesize
23.2MB

Download
memory/2732-35-0x0000000000280000-0x00000000019B7000-memory.dmp

Filesize
23.2MB

Download
memory/2732-312-0x0000000000280000-0x00000000019B7000-memory.dmp

Filesize
23.2MB

Download
memory/2732-12-0x0000000000280000-0x00000000019B7000-memory.dmp

Filesize
23.2MB

Download