55e4ce3fe726043070ecd7de5a74b2459ea8bed19ef2a36ce7884b2ab0863047

Analysis

max time kernel
1192s
max time network
1199s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
13-02-2024 18:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

AnyDesk.exe
Size

5.0MB
MD5

a21768190f3b9feae33aaef660cb7a83
SHA1

24780657328783ef50ae0964b23288e68841a421
SHA256

55e4ce3fe726043070ecd7de5a74b2459ea8bed19ef2a36ce7884b2ab0863047
SHA512

ca6da822072cb0d3797221e578780b19c8953e4207729a002a64a00ced134059c0ed21b02572c43924e4ba3930c0e88cd2cdb309259e3d0dcfb0c282f1832d62
SSDEEP

98304:NzTZ3cINQscs0m++LNkT6OpwDGUUH57yvZ/49Mr8EO3QhA9Kq:Nzt3cINQscNmvLCwDkHEvZ/4R79x

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AnyDesk.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	AnyDesk.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4660	AnyDesk.exe
4660	AnyDesk.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
4496	AnyDesk.exe
4496	AnyDesk.exe
4496	AnyDesk.exe

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
4496	AnyDesk.exe
4496	AnyDesk.exe
4496	AnyDesk.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4976 wrote to memory of 4660	4976	AnyDesk.exe	84
PID 4976 wrote to memory of 4660	4976	AnyDesk.exe	84
PID 4976 wrote to memory of 4660	4976	AnyDesk.exe	84
PID 4976 wrote to memory of 4496	4976	AnyDesk.exe	85
PID 4976 wrote to memory of 4496	4976	AnyDesk.exe	85
PID 4976 wrote to memory of 4496	4976	AnyDesk.exe	85

C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
"C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe"
1⤵
- Checks processor information in registry
- Suspicious use of WriteProcessMemory
PID:4976
- C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
  "C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe" --local-service
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4660
- C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
  "C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe" --local-control
  2⤵
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:4496

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\gcapi.dll

Filesize
385KB

MD5
1ce7d5a1566c8c449d0f6772a8c27900

SHA1
60854185f6338e1bfc7497fd41aa44c5c00d8f85

SHA256
73170761d6776c0debacfbbc61b6988cb8270a20174bf5c049768a264bb8ffaf

SHA512
7e3411be8614170ae91db1626c452997dc6db663d79130872a124af982ee1d457cefba00abd7f5269adce3052403be31238aecc3934c7379d224cb792d519753

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace

Filesize
7KB

MD5
2a56485c0b6bbad59c3b3864a1bd37c6

SHA1
70131bb9010bf8d21949b04cfd2498c2ba8919e5

SHA256
83d474b7ccfcaddbe19bd1265b9f9a5211b0fe071121fad820fc2418d1171646

SHA512
97ef4ef40c707554c3b4995551c77e3a502f3f594c7a052bb2361d86894532dfdf197dacd02d8d6dda7ad06a8eed395e7516afc98576e99f8c5a084b19850647

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace

Filesize
9KB

MD5
3b075026d936d204badb6c98f3ce774f

SHA1
bdac99a4d436da74b4ca3195787bf08568924116

SHA256
92e383f6328b984015e78e532061c10317e31f4d1b338a1eb7bcaaa5d9860e4d

SHA512
07697e12a9121f16d7622ea859689a466cc58793a395846cdfabf843841729090f6fbf5d22a280f5523cee8b4cf7443d1ea5cd15b93edcbc10789c77517ef769

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\service.conf

Filesize
2KB

MD5
0cbd45770d90832e0a0aaf5013374b3e

SHA1
2245321ff631404b89fb2104d855da6c4e04fff6

SHA256
597296ae1f35c21fc13e89b7332b00e6f9c65596ca08e7803dad38707a526462

SHA512
bb7be42c9eedbb4d1fd91dd7b32f010da13564ecc95393dbf1ab8d88de77a6e38cac51be3c5a03d3a3fac9f4aad374baa1136adaab069492ee47316242ddc660

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\service.conf

Filesize
2KB

MD5
d9123300d6f418928446f310c4f7d13b

SHA1
6d20e98be6e46e213797e5b9c987af9437bdb5c1

SHA256
f92011913112fa4d2b4e8370bec42efbe8119b6e647a9550ea2b870931fd2ff0

SHA512
dd0af591712d5f622b7ec63e8ea8c172ee8ca4f244d88d219f555a75260c976ba89abe1475e8e1823a5574a2783f47017913e97f3cc1fcbc4f6e34782023f5e0

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
681B

MD5
9006d5bf8fbe4c18706aeed699f41d54

SHA1
59bf0c13c2644eb74ebccd5ae06355a02906172d

SHA256
627023ecc2d88a260b470246c2164815b29f16b53d227d38c5299a239c78d125

SHA512
4fc46cfb6810eec8804c80b0bbcb2e9fe2593cabbeb39cbb92cba0d91df4844aa23e88118e9bec0f7823091dd98c21a372ec57d181ae11856bcf7549263a212c

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
745B

MD5
5cee7038b3d244fc9151ea19a350d830

SHA1
635c74c0d3e9f74c03f45f242abdc5f4099735ec

SHA256
21c61d9f09b958962039ade3b973cfd1c0baeb291feebb4ad6f764a8bd7d6bdc

SHA512
ed31f274b169aa41acf409ace5fe2b11e8e09e5825687b40a13224fc1410ba46fe4c35951f32edabbaf078a5acbe81110b60c6ba90f7b44002fbcb16e94904a0

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
312B

MD5
0c04ad1083dc5c7c45e3ee2cd344ae38

SHA1
f1cf190f8ca93000e56d49732e9e827e2554c46f

SHA256
6452273c017db7cbe0ffc5b109bbf3f8d3282fb91bfa3c5eabc4fb8f1fc98cb0

SHA512
6c414b39bbc1f1f08446c6c6da6f6e1ceb9303bbf183ae279c872d91641ea8d67ec5e5c4e0824da3837eca73ec29fe70e92b72c09458c8ce50fa6f08791d1492

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
424B

MD5
9b3060b9bbec936c82df57e20d654030

SHA1
5912bbbcca538be3dca80da4080d00bd76ab1d28

SHA256
9030f29b348263dde8122ae6c3c8dc4e1e2dca69b5dcdcc5e3594cbd898eca7d

SHA512
a62021059dc9563e832be1f10c3f26f72e5c8c06814aad2bf6bc01aac04edb893e5c3106e3b757d058973beacf712d3c88b33a066f90b6a063a2d3cd1a63b759

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
5KB

MD5
5f0e83f4ed191f218fe5ea14b7c3cc2d

SHA1
1886117295d68c2535325c99da578fecc1685867

SHA256
9d97a62b6c94fd32720ea6a305bc56396f9cb2742e24669acc4b115fdd3c2693

SHA512
fc0a6b98c4fb5f058f648df0a75678a64aba15f137f751d7818a4d03ec08abde9aa101eff90a55c20c4517d710b12edb2065fcc83d77f5f9f9c8dd23abe1b031

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
92516d692a476c05ad9052df42960450

SHA1
cb6edb1d1663b77a3eca04c9af146dd22677c7c8

SHA256
b6bf01a161c4fbc7e3fd66a16741656ba5374011ce9ca42a32191ec3621e1668

SHA512
d94abd66fdfbef6b44570362f6d23c10584c5177271699babdabc7a94ebeb00c167e3fdf8a3a26aa9a6952c7e15bfda0b7dd94c9eade155ab1d09adbe4041411

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
5KB

MD5
667c8d51697ef1064fe33bcb08d86ff8

SHA1
3faf4ec5cc711f1d83801e3f2b7ec649960666f4

SHA256
9d97c77c742186a6c31a399b07cc0ff94150d5c14aa2606ead46d612d78af3da

SHA512
d541751fbc411722536fc360ead05d211fd9eab44316e6c2355827572d88c6fc99d80e98dcde1473b6b6e53a34bdca07952a95a0c196d07a9b65a0d8543a5a91

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
5KB

MD5
1566614cae162345e353904cead03c08

SHA1
73e9c597a5e92ad6b9a3bbde9163a0080663fadd

SHA256
e70c33598dcc43041461d32ce7fa52b84658e05c108c09c053eaa5fc82a7c7d1

SHA512
c297403f0034a9e75a1a7ddea8a49fb2f15fdf410291afd1b907a134d353aa88445d4ef059c5cc0b0d0b1fe5b4749e3dd968f697a8f52e2e11438b02f39ddaef

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
35d4a8608a8090645c415bf1dcb416ee

SHA1
4ed160efa1c69b4195f2986a5624f7d07637cfd8

SHA256
d9374946668ecca08f3ca911405812d37d5de78ff00d82d0417631705ab073f3

SHA512
68f89fbde2a8e2d483fee04e5a49eaadf8187cb0c246d65fc56368d971939283080b059356eb22cc0af2820daf4bc07cf8b668d6b74245d7ccff60f522f9c67d

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
a66dd21e1719654d87d1ca85142b6588

SHA1
177d5c2ef33739bd418bdcebd1888b17c67433ba

SHA256
afb675283bbd0fc256e0917b681cee01554a446663f57719850f221bd63c83a1

SHA512
0d3adee01621d55715ed3e13d8cb91ef8bf28b3936e14ab1ca3553e66052ed4fa343cf3f4854dc8755c164976f32ec1f299a664db028b1b923eabdbc58052c2d

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
d9d6fa8d344e01a77455d788ce0dd092

SHA1
c26483fe257d3abf1efbd1e9e7650dc8a3891c03

SHA256
57bc3174d2ac021cea43e51f13c7a5f6c819b3612658d4c171fd6c0aa64ab773

SHA512
b8e36399210f7e767af540a8aec81887d2dc04ce9edb1a9dba148fe6153601ce1c44719c365134962876502bf005f1fd30d8d3d1f3eac3707eaa95c780c07bea

Download Submit
memory/4496-219-0x0000000000720000-0x0000000001E57000-memory.dmp

Filesize
23.2MB

Download
memory/4496-34-0x0000000003EC0000-0x0000000003EC1000-memory.dmp

Filesize
4KB

Download
memory/4496-18-0x0000000000720000-0x0000000001E57000-memory.dmp

Filesize
23.2MB

Download
memory/4496-102-0x0000000000720000-0x0000000001E57000-memory.dmp

Filesize
23.2MB

Download
memory/4496-32-0x0000000000720000-0x0000000001E57000-memory.dmp

Filesize
23.2MB

Download
memory/4660-11-0x0000000000720000-0x0000000001E57000-memory.dmp

Filesize
23.2MB

Download
memory/4660-99-0x0000000000720000-0x0000000001E57000-memory.dmp

Filesize
23.2MB

Download
memory/4660-33-0x0000000003F60000-0x0000000003F61000-memory.dmp

Filesize
4KB

Download
memory/4660-218-0x0000000000720000-0x0000000001E57000-memory.dmp

Filesize
23.2MB

Download
memory/4660-20-0x0000000000720000-0x0000000001E57000-memory.dmp

Filesize
23.2MB

Download
memory/4976-87-0x0000000008530000-0x0000000008531000-memory.dmp

Filesize
4KB

Download
memory/4976-22-0x0000000000720000-0x0000000001E57000-memory.dmp

Filesize
23.2MB

Download
memory/4976-26-0x0000000005F60000-0x0000000005F61000-memory.dmp

Filesize
4KB

Download
memory/4976-23-0x0000000005F50000-0x0000000005F51000-memory.dmp

Filesize
4KB

Download
memory/4976-1-0x0000000000720000-0x0000000001E57000-memory.dmp

Filesize
23.2MB

Download
memory/4976-4-0x0000000002710000-0x0000000002711000-memory.dmp

Filesize
4KB

Download
memory/4976-206-0x00000000076F0000-0x00000000076F1000-memory.dmp

Filesize
4KB

Download
memory/4976-0-0x0000000000720000-0x0000000001E57000-memory.dmp

Filesize
23.2MB

Download
memory/4976-217-0x0000000000720000-0x0000000001E57000-memory.dmp

Filesize
23.2MB

Download
memory/4976-103-0x0000000000720000-0x0000000001E57000-memory.dmp

Filesize
23.2MB

Download
memory/4976-88-0x00000000076E0000-0x00000000076E1000-memory.dmp

Filesize
4KB

Download