55e4ce3fe726043070ecd7de5a74b2459ea8bed19ef2a36ce7884b2ab0863047

Analysis

max time kernel
1191s
max time network
1200s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
13-02-2024 18:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

AnyDesk.exe
Size

5.0MB
MD5

a21768190f3b9feae33aaef660cb7a83
SHA1

24780657328783ef50ae0964b23288e68841a421
SHA256

55e4ce3fe726043070ecd7de5a74b2459ea8bed19ef2a36ce7884b2ab0863047
SHA512

ca6da822072cb0d3797221e578780b19c8953e4207729a002a64a00ced134059c0ed21b02572c43924e4ba3930c0e88cd2cdb309259e3d0dcfb0c282f1832d62
SSDEEP

98304:NzTZ3cINQscs0m++LNkT6OpwDGUUH57yvZ/49Mr8EO3QhA9Kq:Nzt3cINQscNmvLCwDkHEvZ/4R79x

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AnyDesk.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	AnyDesk.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2764	AnyDesk.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
2784	AnyDesk.exe
2784	AnyDesk.exe
2784	AnyDesk.exe

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
2784	AnyDesk.exe
2784	AnyDesk.exe
2784	AnyDesk.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2140 wrote to memory of 2764	2140	AnyDesk.exe	28
PID 2140 wrote to memory of 2764	2140	AnyDesk.exe	28
PID 2140 wrote to memory of 2764	2140	AnyDesk.exe	28
PID 2140 wrote to memory of 2764	2140	AnyDesk.exe	28
PID 2140 wrote to memory of 2784	2140	AnyDesk.exe	29
PID 2140 wrote to memory of 2784	2140	AnyDesk.exe	29
PID 2140 wrote to memory of 2784	2140	AnyDesk.exe	29
PID 2140 wrote to memory of 2784	2140	AnyDesk.exe	29

C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
"C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe"
1⤵
- Checks processor information in registry
- Suspicious use of WriteProcessMemory
PID:2140
- C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
  "C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe" --local-service
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2764
- C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
  "C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe" --local-control
  2⤵
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:2784

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\gcapi.dll

Filesize
385KB

MD5
1ce7d5a1566c8c449d0f6772a8c27900

SHA1
60854185f6338e1bfc7497fd41aa44c5c00d8f85

SHA256
73170761d6776c0debacfbbc61b6988cb8270a20174bf5c049768a264bb8ffaf

SHA512
7e3411be8614170ae91db1626c452997dc6db663d79130872a124af982ee1d457cefba00abd7f5269adce3052403be31238aecc3934c7379d224cb792d519753

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace

Filesize
10KB

MD5
b79f1b9018561e2487e33e38259afb05

SHA1
669a11183f97cbf49efff10443fcc651e06d6e15

SHA256
3c32179d61b475d0f3d927b489b92d304fa173bedb0e5a18b31663ac34758ef0

SHA512
cd9ec2122f7cd14326f9b9067b2011bc80f579bcbb8881f4441e77c8ae52b1057c7219db641c22353bfcedd9ffc1dc96bc222d4a9ad26726086bc1e5c31eda51

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\service.conf

Filesize
2KB

MD5
517bf5e0755eb084eea8b0ac03b1cb8d

SHA1
ddea229c1109a97dbd3a2a1982bb55f9c03e6055

SHA256
3d31b1955296807d5360a75c1713765268a605e5339f599aff88cc6f55478c6d

SHA512
47dac14bcb99edc0a0793a3d87970210ee12fdf4e675aba2630469368025198f0cfdda4b491d55988836d7cb2220f619b95e51c15dd6dea7e6ff2640f4cc311e

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\service.conf

Filesize
2KB

MD5
3319b5571fcad8332a84c54b8ec8c5f8

SHA1
a5dee855d882f7a85592d6409e5b0607acbce09c

SHA256
b271401603b933ea4df950b68f0bd7bb3389e8f2de24c52bc593e329ca7e9420

SHA512
1c01cb67a375caf9b87de6f2e78999696ba0d190fc5ccada47cd0cebb748476ea1a2c0a89db113058ef677c976952b86b5e681d3639f52bbbc264effaf502b42

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
612B

MD5
76d929feb511edb996bd521cc2965a24

SHA1
bc41122126c5a41589f2adb0669418cac20e10b9

SHA256
7734ea743921c2691a58d301a916c77199b1d3fb9039e33a31ee1880fa2ce0aa

SHA512
b084619fce9ecc1a5c72b452f21ff33729306afe888b928cdf29455e2ccfa2f6b23a68722bccbbf2b9ec3d3ddf5a7eb9bb0bda254da77ef53cf96adf0ad57c7b

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
681B

MD5
655942c15cdb684b3d7cee0fd5f31ebb

SHA1
57118c17c10f75268ece2d0583bdb8fca2a2facd

SHA256
5c891b7ff31c83d355aa40d71955e79726dec3928d3e7dd84420551d3a4bbc73

SHA512
9106dc49e37c6f1d0d293e2d3be41d85e75cd88792aa70d1f8ae41f1616d5774ec9f76f6623e26d4fcf8365a9aec19e5750b8bcf31298db036ee38240f885664

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
745B

MD5
8f8e657a95b90d010960ee69159c615d

SHA1
25a9d09cdd92feb790ba4f86a949f51a5c568f20

SHA256
053604d914b255fb943fbb8867330d1d087db33dc16829f8c2db0da309d4821f

SHA512
ca7e70274bcc9f27232540cfd91649d3bc902ef83823509b72c5870faa96017bfa7dc4467fd52f187c1c07d7d1d7153041d1289254c64f37c492d6dbd1e84c89

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
424B

MD5
3c2feed450f9628857ccac352ed2c8d5

SHA1
0a7dee7a799392b3f86e26374d18a638a8843e53

SHA256
86403fdcc31e0492bca596c93a8f1175870a338edd67bde93643f9c8d43ede4a

SHA512
b4d449bb82fe95df6d3698dcc51c8dc209d7fe095fabbc36593be45ba8a8970290ef4956223b617a3f755ed601998f360a983749b668d609a524f42143b04d64

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
581cfef64aee5a0166067d010028d60e

SHA1
37a204890e50c537898c30f0dc587fce28036a43

SHA256
0d4d3a075daa2ad45992044c49d053137fc74f4fd882c4d5118444b86ba1f36c

SHA512
00f7855b175e6bdafbd5d34c6d250029a9b7c77aaf165133d6bdf7dcbfab491e95fb56aeaabe8f1a030fdd7ea2066b086bb70aa2fb99baae3259bf485934db50

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
35ef9caad0bac65f6a73ee67c265ed06

SHA1
ca9d85c8ce00ffd60f6a6b9ee55f1468faac28ce

SHA256
259835459a7defbbeb96cb798669375d41a06e31c450a62e0935273265b1e927

SHA512
ffea7cd4b38222c166569937d12561362ffbc06ee150c3068a5885fe840358e088ac1ce120757c852f2aee3a92afd8de05198e0d569f54bf671d196821ab60ed

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
2KB

MD5
1a8cdbb0009c720612c334fca50b1811

SHA1
0a630941bacf981de4efbe4417a684dac51ef23e

SHA256
0e7b9a8581cef8f21e2c02098eb3c2dba8aeaded828e70d27f5c7d431c413477

SHA512
7c5caf9e7eb7c3926993c7ef36b8054068fae648c0f88209fdf625a4993b7e20abf2c2d397219de16e401970f71f1c724b30c4e9f46b13fd1ea42516d57e5673

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
2KB

MD5
82f99a9d3aff211bc92e1ae1089ab66d

SHA1
999976366cef3673b08d618d313adcd65ee0fedf

SHA256
cb96a551cb666a823bab7c3f48b2cb2f8f0f50208d522b510e0f92c75dd68c01

SHA512
aa4ff026af172da610e2fac669d26bbf5aaa9b94729134e06e22fca28e935368bb74921ad0c2e8d97c9bdbafd87927bd22ddfef3b1305f57e46430a25693ac86

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
2KB

MD5
60ff7411c935521edc6b158a94126f8a

SHA1
34408ee25412a0922a55c63db48da09c14d69e8c

SHA256
ccb188bd1a724f45a67488e7be72484cc4c1328543023e15edb4890580edd2e1

SHA512
b49f8acd3d7a719c9da13ebef81d49dc0e98ef1edc77626809c21e2ad0b406bfe9d5ca80b0db802313ca5f8542de369949004782dac93c1ff234929c95f96bd5

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
6KB

MD5
bf9dbbb6fad4993acb1657a1aa979b80

SHA1
5a1f4b37e65d508b5480f516227d52e09d591d13

SHA256
517b5c2612970b554ea0762e2ab192687c8d963786e363de87ec0c1c22139b78

SHA512
aa9215ac67b711e65407b68945dc76f5199b225e77c1a3cb640426e4599354920f41265b937f119ed06f69c69e6bd3de2ed0e52f67eb8bbc9c12640765943fa1

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
5KB

MD5
55cd2e7eaa60ac7bbc414a4449ba9bab

SHA1
f1b68efcba556ed613f5b82cf80e7160ab64c627

SHA256
501fcdf9947571bd3c7755fcf32bf89cab9b8f8c8aae63c957f93637ef19709a

SHA512
87b15cb2c3ee4c9aee14d4d0d345dc9683b1438074f9c4e2687d9bbab96a04394d7ad04fed83d141bfbc72a1493692df46519d35c5262859dd7b563f62dc3589

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
5KB

MD5
da29c39b5c19710829d3dc89b1084e47

SHA1
13eca95d340ee2840b4d5a947a69f899613b63c7

SHA256
8c7a82c5153f2aab8b3298e58e923e67c389edca48ac97c8852a59b2b826a394

SHA512
499233f478367b0e874188f67a26ec5e2fbe649b4fa0e7873c01731d7c4b7424356b0ac021688b56a4c4d30b40f0cd82cc0db1f99977ea4a9d9cc7ed77bf51ab

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
e794cd2b6c54aa2b27f4fed0d8e95c2f

SHA1
28402c643444307f8067623fc5e358cdfa3e2c23

SHA256
51cab3fdec298421a5cbc911ddeaa887df74715add8e108ce02a3150d4502e28

SHA512
c186fb8fc13af534cd576a468c8ea2a6eceabb32a17293070f785c36e3cd1613733aa1595b42fb60630536f84f749a28326179f83e2a8e762250dfed8716b1a7

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
5KB

MD5
27365c111446935299b6a4186ccadf56

SHA1
f581bc67416d435fdfa9ae8922a8c7b50444de2f

SHA256
f4820a241d6c96f4504a4ed79ebc7d5e7f01f72339428010adc430becf76cb37

SHA512
cae26348ed83e52dcaff6617892d545d20de9e39bdcc8509e1d65266dc645af02455d7b121ff034d9541bcf449a5dcf9a13003cc4fbc4d47e2c3a9524f67708e

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
5KB

MD5
d797b957997b74dfafc523a05d32d2f7

SHA1
03f40b6a3332d27e2de8e31b8af1def92e9173fd

SHA256
d23470d6ea5da523b85dd34b5a200004c2a7752c632fd2ad0b1b1a265a37d90b

SHA512
7f53835331fcf14ecf141762e9afbc6fb3e7f34cf5e521ad18719c8bd644f26169f08efcc94a7beac8c119aa9fb76f1af1788bddda321a94e4c26322eb4a977a

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
6KB

MD5
ff27a78a950c36475ca0227390109aa5

SHA1
ab46bee7d347f496ce0ad6a90cc6b3ed2202b9bb

SHA256
2126f7ede9ec9568b73bc0f833bc9eda2e196ea326f68d24ed4588d1bdcd10bd

SHA512
352fb258aef912d32ceaaaf607b91384ae9afc1ea03aa621933e464989d64ba72463cc229ab4043de3f6a928d27fc0f6723d0dfa186263faf15f92d4385d1e09

Download Submit
memory/2140-41-0x0000000003D90000-0x0000000003D91000-memory.dmp

Filesize
4KB

Download
memory/2140-31-0x0000000004340000-0x0000000004341000-memory.dmp

Filesize
4KB

Download
memory/2140-0-0x0000000000810000-0x0000000001F47000-memory.dmp

Filesize
23.2MB

Download
memory/2140-269-0x0000000004BD0000-0x0000000004BD1000-memory.dmp

Filesize
4KB

Download
memory/2140-150-0x0000000000810000-0x0000000001F47000-memory.dmp

Filesize
23.2MB

Download
memory/2140-102-0x0000000000810000-0x0000000001F47000-memory.dmp

Filesize
23.2MB

Download
memory/2140-99-0x0000000005620000-0x0000000005621000-memory.dmp

Filesize
4KB

Download
memory/2140-113-0x0000000004BC0000-0x0000000004BC1000-memory.dmp

Filesize
4KB

Download
memory/2140-265-0x0000000000810000-0x0000000001F47000-memory.dmp

Filesize
23.2MB

Download
memory/2140-4-0x0000000000280000-0x0000000000281000-memory.dmp

Filesize
4KB

Download
memory/2140-52-0x0000000000810000-0x0000000001F47000-memory.dmp

Filesize
23.2MB

Download
memory/2140-1-0x0000000000810000-0x0000000001F47000-memory.dmp

Filesize
23.2MB

Download
memory/2764-266-0x0000000000810000-0x0000000001F47000-memory.dmp

Filesize
23.2MB

Download
memory/2764-19-0x0000000000170000-0x0000000000171000-memory.dmp

Filesize
4KB

Download
memory/2764-11-0x0000000000810000-0x0000000001F47000-memory.dmp

Filesize
23.2MB

Download
memory/2764-13-0x0000000000810000-0x0000000001F47000-memory.dmp

Filesize
23.2MB

Download
memory/2764-58-0x0000000000810000-0x0000000001F47000-memory.dmp

Filesize
23.2MB

Download
memory/2764-103-0x0000000000810000-0x0000000001F47000-memory.dmp

Filesize
23.2MB

Download
memory/2764-268-0x0000000000810000-0x0000000001F47000-memory.dmp

Filesize
23.2MB

Download
memory/2764-281-0x0000000000810000-0x0000000001F47000-memory.dmp

Filesize
23.2MB

Download
memory/2784-12-0x0000000000810000-0x0000000001F47000-memory.dmp

Filesize
23.2MB

Download
memory/2784-59-0x0000000000810000-0x0000000001F47000-memory.dmp

Filesize
23.2MB

Download
memory/2784-61-0x0000000000340000-0x0000000000341000-memory.dmp

Filesize
4KB

Download
memory/2784-267-0x0000000000810000-0x0000000001F47000-memory.dmp

Filesize
23.2MB

Download
memory/2784-106-0x0000000000810000-0x0000000001F47000-memory.dmp

Filesize
23.2MB

Download