55e4ce3fe726043070ecd7de5a74b2459ea8bed19ef2a36ce7884b2ab0863047

Analysis

max time kernel
292s
max time network
296s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
11-02-2024 12:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

AnyDesk.exe
Size

5.0MB
MD5

a21768190f3b9feae33aaef660cb7a83
SHA1

24780657328783ef50ae0964b23288e68841a421
SHA256

55e4ce3fe726043070ecd7de5a74b2459ea8bed19ef2a36ce7884b2ab0863047
SHA512

ca6da822072cb0d3797221e578780b19c8953e4207729a002a64a00ced134059c0ed21b02572c43924e4ba3930c0e88cd2cdb309259e3d0dcfb0c282f1832d62
SSDEEP

98304:NzTZ3cINQscs0m++LNkT6OpwDGUUH57yvZ/49Mr8EO3QhA9Kq:Nzt3cINQscNmvLCwDkHEvZ/4R79x

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AnyDesk.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	AnyDesk.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2176	AnyDesk.exe
2176	AnyDesk.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
2224	AnyDesk.exe
2224	AnyDesk.exe
2224	AnyDesk.exe

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
2224	AnyDesk.exe
2224	AnyDesk.exe
2224	AnyDesk.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2300 wrote to memory of 2176	2300	AnyDesk.exe	86
PID 2300 wrote to memory of 2176	2300	AnyDesk.exe	86
PID 2300 wrote to memory of 2176	2300	AnyDesk.exe	86
PID 2300 wrote to memory of 2224	2300	AnyDesk.exe	85
PID 2300 wrote to memory of 2224	2300	AnyDesk.exe	85
PID 2300 wrote to memory of 2224	2300	AnyDesk.exe	85

C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
"C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe"
1⤵
- Checks processor information in registry
- Suspicious use of WriteProcessMemory
PID:2300
- C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
  "C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe" --local-control
  2⤵
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:2224
- C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
  "C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe" --local-service
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2176

C:\Windows\SysWOW64\mshta.exe
"C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\Desktop\PublishFind.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
1⤵
PID:2952

C:\Windows\SysWOW64\werfault.exe
werfault.exe /h /shared Global\b13e9b32e2fe4539afba23a1598af526 /t 1080 /p 2952
1⤵
PID:556

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\gcapi.dll

Filesize
385KB

MD5
1ce7d5a1566c8c449d0f6772a8c27900

SHA1
60854185f6338e1bfc7497fd41aa44c5c00d8f85

SHA256
73170761d6776c0debacfbbc61b6988cb8270a20174bf5c049768a264bb8ffaf

SHA512
7e3411be8614170ae91db1626c452997dc6db663d79130872a124af982ee1d457cefba00abd7f5269adce3052403be31238aecc3934c7379d224cb792d519753

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace

Filesize
7KB

MD5
e637bf3228a3cb9bc8137b7581eafdac

SHA1
2bb5ba37e297ca959528788346ef7ff6d0da6b15

SHA256
c619c446b3e1a8dfe19b74a9de3d915804a4fa9d34590b5ad32b5b45241b7582

SHA512
bce74042a30451e1e45e7962b2324a4b908c9638ac075d3599245d8d1b16361766822ba517d456446ec651b786325bbc6a12874a14a628651dea0c864e0d369b

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace

Filesize
9KB

MD5
8178e7975e7724215b638ffad5336c23

SHA1
1dc8faeec7f09fd883d5a01b974d898ae5449563

SHA256
5982854768dd01235bc2b13c8d9f5bd6ff6b48f2cd292839b3f9717159e494c6

SHA512
ed105c8b42a84d7f54aba83e1e32d47985210064df0fc7ec6865b945236b4854c75fa1aa48f1cdc3d81d0111c8711ee3a4fcbaa3f244a361fa39a699e1716579

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\service.conf

Filesize
2KB

MD5
45aa7bfb070329f3a9fe4e376817bde4

SHA1
61ff861a64a36e995a3ff1ebbd3e174ae7fecb14

SHA256
7acba82387a390450e558d4981f166c97d608806aa6790da0703c6b4b6c1c4d2

SHA512
503043cce63e45be12cfac8c986f67feb530b82dc713748f96f8dd7e577cfc117c53d9ed352a1b136b674366375eea6e5f14b1e981eaf8b329facbf42acfb737

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\service.conf

Filesize
2KB

MD5
6bcebc2341bc3d122e3b602c8d4f8144

SHA1
5eb2e35dcf7a33276dea928685de696f3658a98e

SHA256
dd703baeea163eb50de54dca034534a60f728bb84f5e055e0ec481988a4c4bf5

SHA512
4df1056c38f1cb1d75de9329726448f7477559d69daadaa53dab806db8dcdeb8eb061d514cdd4c97d656324135ade179d731d32b7118a894e46d8e35c9f6d818

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
681B

MD5
8e4074661d6a6c84018888576650e562

SHA1
e6aa8a4ee9f6e4bf55df8447f7ac852127d609a8

SHA256
f829accb236c6bcde6eb2e3e821758bbcc8a15c10be74022da702711bdbe6132

SHA512
bebaa642a538f7d74a5bfe426dcc572e7012149b236f44abd674abb28057b1fdb1918e20309a10b0f2d2cdb4d2235b0708201f1f102ad84b9efa950ef82e1408

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
745B

MD5
9e52eaea42adef00955b678c8548e03c

SHA1
66393ef270bf1977939999f1be91f1aa92d81fa6

SHA256
7b092eb5e758d8a40653153237611fb4932b01832507127bb4d36734048d4e11

SHA512
e5855bb77a4f33c9318ed2e399427f96fd92940d9398e9e2027caacd5dbd97152384378f19385371db6ea8c922001eb05fdda64131dfe244999a6dd3f053954c

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
802B

MD5
a22221a85e5b8a135c01473f6efd66fa

SHA1
e00696b7bc6508bc95f612417cc1bb5b199a94e3

SHA256
9f62a5bfcea2034aeae5b32297ed09ab33d7dd42336aeaa5e850b8c3e626742d

SHA512
daaf5645d52cc6645b05448ebd5520d48874eefa75e0bb93c491eca9e052efbd3d7516eaee8e2b8d8666e903fc851a48e89529f67e1c5cc5bd82a5b84c274313

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
312B

MD5
0c04ad1083dc5c7c45e3ee2cd344ae38

SHA1
f1cf190f8ca93000e56d49732e9e827e2554c46f

SHA256
6452273c017db7cbe0ffc5b109bbf3f8d3282fb91bfa3c5eabc4fb8f1fc98cb0

SHA512
6c414b39bbc1f1f08446c6c6da6f6e1ceb9303bbf183ae279c872d91641ea8d67ec5e5c4e0824da3837eca73ec29fe70e92b72c09458c8ce50fa6f08791d1492

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
424B

MD5
ac446c57b78ed466e1d2239ab4716f33

SHA1
aadd7a52138fe74673c1460bc1089bfbf00d2be6

SHA256
3906918b5abace7628fed58f009d9fd4839e650f12b0d8cef76aa555c410161c

SHA512
5580ee40bd9144fcde567951426370ce837681dd7e42ca10e87c7768148b96748440adaca0f335b91e3731ea451067c2969174d42dafeda89c3a1559912de7e6

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
2KB

MD5
280f73cafab2246a4557219acb012fbb

SHA1
18931fafb108cea275dbf1bd0032f04a4de53a28

SHA256
ff8057adc4b07ba74dbc6340a279719355225277ee601f76b44b946ed3c6d394

SHA512
cdd226340d679fa414a430d32cca255053443e5f53cc35a24d7406b426d2e55b2b19c625d9c576e7f4f351122c3b91dae43f9db35052bfa092ac5050eb94df89

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
3KB

MD5
4922e72c123cc14f013fb752713c905d

SHA1
9b9b390484285c35fd19a97427a9d9452ee6bf67

SHA256
bc36b6bcce8d48489873ae2f2fbe46b826b7c800672cc3e8a9e23f850b2e8b8e

SHA512
ddcf1b2a8e4787a16c54bac9c78a22b8136b1ac9997789c7c58384d052a9eb12e1e54e1f908c0f11ca5f32d08ca5c6852097970046a7557ae2dc271249f094a8

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
3KB

MD5
af31f5632b03a0956ac6e678843c9b2f

SHA1
15e7e00bc92afc3013949a81413d581bc63ac2db

SHA256
666700f19db52e3245ab1302b7d2ab6545afebf813d0c2f4b8d15e73b0b8c5bb

SHA512
07e25262b6915e6013917bceab44b99094ab15fe867f8b5c8f6a2a94bcc852e3d4a5f103ea28cc2197884d06d65010608bfc83a10c9aedb7d7be97300229faa8

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
3KB

MD5
e6ecc5802095db8d38b58825ee3c6634

SHA1
b984f25d114fd86524ead2dd2f1a3069cf268004

SHA256
7dbd1880c74143c8bbf07af1f43f01391211412847c3f467061c9130beabf490

SHA512
8137dbf1e7b86236dd131494e208142c7d070d15f24906fa35f98f3e785b284149220ef3ed0fde10343f12daf77cf406e07c496b543b2c07ac338629873f300f

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
6KB

MD5
646e2a15ef988d09ec3ff77305b6c075

SHA1
39523c9f90e04b87d88aaf915c1bd90010cede5a

SHA256
8dee1d13a0443ec36a9be197f99b23bb7d9bf2681ed48a56ff36df3eea42d86e

SHA512
2ea490a0b7fd94244e5c925a91957879076089723f9caca525998b2cd7d73e3c8fcea5fcdf5810809d318535005aaca291039d25f1e08e85208c29deb536cab8

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
881fca1a602ccf1d5eb56d7c3ba98455

SHA1
018fa1b438d843fecbb283fceb631c7e1a4c3527

SHA256
2facdc7d636b0031f6bc01e405a8e7f0a1399658f016749ece5e03199ab0fc54

SHA512
30ad7480f0c5f421b78506846620ab1a373141e09e3885ef07d55ccc42762efd209b283ac1fe3309cefe951d380a11d334968fee3047183b3ef25a4a247d382f

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
6KB

MD5
9b718575a082d1b142c7981b2c664e40

SHA1
13436cb050a0c299533851d194ed39897b045a16

SHA256
36c4ff9e7f9b7dc356e85e831030e4b39723e25ae7e24f70e51ed0d29f1791b1

SHA512
18cdca561ff7893d4b595dc15040334172ed3344ca7354fbe8f39b471cc3ab0a05908642d599d02e3c493459690c9f499264c0b8145c505b806adb63d5144ffe

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
f9e2a8466f0af1c13f69a522b40f75a2

SHA1
8193cf6772c0d255ed90f2d15750493f29b95858

SHA256
53c751b2618c57e3849562501a5500e4f52f5e538af9c97c037d22fdc20cd9a5

SHA512
a8bd4a7027d0755ca1430a49f0fcc16f639c3abd4047348c067e71123f2632e68f2dbb76bfddfbbf7e100257b8e3b58aa7883c9e876ef3a393e113d711d48bf3

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
73b435a11ce82b10aae9e6815e230cf2

SHA1
4cef1edf0ebc614b0811ce833544d21bfae9d391

SHA256
2eaaf78fc6e3f95927fd1e86692c35082feee61e8d8ef77a894df5749837baaf

SHA512
57c4600b27c6dca240e74e20019c29dfbe6f70386fa60e11896e898f70be9ffe18ada420fb77a3dfc680eae45a70c6a6059180bb6c63fe96ba597f8ba70d4ae2

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
8179bd40e425232f07c609bfaffeadf7

SHA1
f8df1d106fa43aa5019f03c4da48f72a350278c7

SHA256
c114813991d8f37fc68fea4f593818d951d01f26b5ba62ef37f7c790b68a2430

SHA512
de014a9a3869264c9f92bd2d39a422ac8a6d3ff8d21c6f9858b2f60496fdcecc4c79e68594ec679cce92b763d423a3ccdfa343f32b36dbd334d6b5411005882d

Download Submit
memory/2176-242-0x00000000008F0000-0x0000000002027000-memory.dmp

Filesize
23.2MB

Download
memory/2176-26-0x0000000004130000-0x0000000004131000-memory.dmp

Filesize
4KB

Download
memory/2176-11-0x00000000008F0000-0x0000000002027000-memory.dmp

Filesize
23.2MB

Download
memory/2224-245-0x00000000008F0000-0x0000000002027000-memory.dmp

Filesize
23.2MB

Download
memory/2224-31-0x00000000038E0000-0x00000000038E1000-memory.dmp

Filesize
4KB

Download
memory/2224-12-0x00000000008F0000-0x0000000002027000-memory.dmp

Filesize
23.2MB

Download
memory/2300-21-0x0000000005A70000-0x0000000005A71000-memory.dmp

Filesize
4KB

Download
memory/2300-24-0x0000000005A80000-0x0000000005A81000-memory.dmp

Filesize
4KB

Download
memory/2300-0-0x00000000008F0000-0x0000000002027000-memory.dmp

Filesize
23.2MB

Download
memory/2300-4-0x00000000005C0000-0x00000000005C1000-memory.dmp

Filesize
4KB

Download
memory/2300-230-0x0000000007210000-0x0000000007211000-memory.dmp

Filesize
4KB

Download
memory/2300-1-0x00000000008F0000-0x0000000002027000-memory.dmp

Filesize
23.2MB

Download
memory/2300-241-0x00000000008F0000-0x0000000002027000-memory.dmp

Filesize
23.2MB

Download
memory/2300-84-0x0000000008050000-0x0000000008051000-memory.dmp

Filesize
4KB

Download
memory/2300-87-0x0000000007200000-0x0000000007201000-memory.dmp

Filesize
4KB

Download