55e4ce3fe726043070ecd7de5a74b2459ea8bed19ef2a36ce7884b2ab0863047

Analysis

max time kernel
11s
max time network
12s
platform
windows10-1703_x64
resource
win10-20231220-en
resource tags

arch:x64arch:x86image:win10-20231220-enlocale:en-usos:windows10-1703-x64system
submitted
14-02-2024 13:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

AnyDesk (1).exe
Size

5.0MB
MD5

a21768190f3b9feae33aaef660cb7a83
SHA1

24780657328783ef50ae0964b23288e68841a421
SHA256

55e4ce3fe726043070ecd7de5a74b2459ea8bed19ef2a36ce7884b2ab0863047
SHA512

ca6da822072cb0d3797221e578780b19c8953e4207729a002a64a00ced134059c0ed21b02572c43924e4ba3930c0e88cd2cdb309259e3d0dcfb0c282f1832d62
SSDEEP

98304:NzTZ3cINQscs0m++LNkT6OpwDGUUH57yvZ/49Mr8EO3QhA9Kq:Nzt3cINQscNmvLCwDkHEvZ/4R79x

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	AnyDesk (1).exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AnyDesk (1).exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
668	AnyDesk (1).exe
668	AnyDesk (1).exe

Suspicious use of FindShellTrayWindow 4 IoCs

pid	Process
2836	AnyDesk (1).exe
2836	AnyDesk (1).exe
2836	AnyDesk (1).exe
628	AnyDesk (1).exe

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
2836	AnyDesk (1).exe
2836	AnyDesk (1).exe
2836	AnyDesk (1).exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 628 wrote to memory of 668	628	AnyDesk (1).exe	74
PID 628 wrote to memory of 668	628	AnyDesk (1).exe	74
PID 628 wrote to memory of 668	628	AnyDesk (1).exe	74
PID 628 wrote to memory of 2836	628	AnyDesk (1).exe	75
PID 628 wrote to memory of 2836	628	AnyDesk (1).exe	75
PID 628 wrote to memory of 2836	628	AnyDesk (1).exe	75

C:\Users\Admin\AppData\Local\Temp\AnyDesk (1).exe
"C:\Users\Admin\AppData\Local\Temp\AnyDesk (1).exe"
1⤵
- Checks processor information in registry
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:628
- C:\Users\Admin\AppData\Local\Temp\AnyDesk (1).exe
  "C:\Users\Admin\AppData\Local\Temp\AnyDesk (1).exe" --local-service
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:668
- C:\Users\Admin\AppData\Local\Temp\AnyDesk (1).exe
  "C:\Users\Admin\AppData\Local\Temp\AnyDesk (1).exe" --local-control
  2⤵
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:2836

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\gcapi.dll

Filesize
385KB

MD5
1ce7d5a1566c8c449d0f6772a8c27900

SHA1
60854185f6338e1bfc7497fd41aa44c5c00d8f85

SHA256
73170761d6776c0debacfbbc61b6988cb8270a20174bf5c049768a264bb8ffaf

SHA512
7e3411be8614170ae91db1626c452997dc6db663d79130872a124af982ee1d457cefba00abd7f5269adce3052403be31238aecc3934c7379d224cb792d519753

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace

Filesize
9KB

MD5
96d3af4bb26162d14684f36c45b3276f

SHA1
ba2cb158eea650f51308c2a70a42836d50bf39a2

SHA256
8f8630c33735abfe19bd382d1b0e0ed76038ee0f29150afba94d9c7336210b70

SHA512
dc2fc25a01f456cd167dc6eac712e315d105bbd58d30eff4748168f4b33f8f15262e492e62a3cd53892ed80b5235f1ede9eb295b34f8a7a0758b8e8c0bd1ec7f

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\service.conf

Filesize
2KB

MD5
31a2388848baa49ed8f7e4c413835265

SHA1
4322dd2874cb5e7ba791ab246714c15f282a5790

SHA256
d079ce92192463af11d0c32b67f6916dfae7ab9d841fd17d2185143451e22a35

SHA512
87a9176c43d2600a431d62a877f9d4c2fa1ac66ad8016633d494c06c211b02552463d5f129549c755e690f4cf6f5fa1105667bb19d46beb15843fe43e82e82f0

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\service.conf

Filesize
2KB

MD5
86746b592832097eb9728ad905c1315d

SHA1
a6b26d46fd14596c842816a545765745056823e9

SHA256
07814c134e8010de86af18f655340fa2cfc507c009231b44aade209d13505102

SHA512
0f81434509707d58c245b4c3c405bdb2e5323f00e18ac99f602d9a3d4d106093ba9e9c082c9aad33bff0f8b4fd738961ef020a3e8cb4b45e22a9f4a7b38e4921

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
681B

MD5
695f1db3f89d54b5bab0be0d92205683

SHA1
373f0e303348181c3bbb0d34f1df70464083a1ff

SHA256
7e39441a6b805962aab1eb485e027fe60e374e3f887e08693ad3872653e69325

SHA512
aa7dffbc0f1c476f5633dfe6dda284999a3b7bcf8af4f307d7cc8be0cf1a5bba287cfcb37e589c93e40d9f819aa35f81fd46cb4ce801334a45d2e8aea24ade4a

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
745B

MD5
4fd146f24902e9906e010108abda2b5e

SHA1
0d2ed72a4bfe077fb6c35d7c50367fc469d5fb26

SHA256
41c36636fb7eef844d6595ca94be70540e9033723f64b8dc2b9e52fb16fd16e8

SHA512
b22e597961f2c12f459d6bc6e7dbc246892c201d8895d53710c0699fdfc7f6fe924b3da03e6d778143b2bbd235cec4425eaff97165b81a1e6eda8768ac206231

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
802B

MD5
389233dde848e3bd089f49c270304f3a

SHA1
2942eb9401ffe2fcbf8a8e12a4dd76f11682fe27

SHA256
8c61eb829978e2767bb4722c25c1595df33b1f92c6502f41d1831349d5f4d43a

SHA512
d4aca31855be6f7c790e9066769e25eed47734de687f9e98371fe88e7dc6d6f0d8691f74d7b197c0756ed80d881b5803a70f27861ad670a3c494f68b7cded6ed

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
312B

MD5
0c04ad1083dc5c7c45e3ee2cd344ae38

SHA1
f1cf190f8ca93000e56d49732e9e827e2554c46f

SHA256
6452273c017db7cbe0ffc5b109bbf3f8d3282fb91bfa3c5eabc4fb8f1fc98cb0

SHA512
6c414b39bbc1f1f08446c6c6da6f6e1ceb9303bbf183ae279c872d91641ea8d67ec5e5c4e0824da3837eca73ec29fe70e92b72c09458c8ce50fa6f08791d1492

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
424B

MD5
2a1c17e0dd4eef799ff6c706ce2e794d

SHA1
42dea5da22bb59a535a9498c5aa4ba4572f53a1a

SHA256
9e5507730ae63f3e587860d95abe376cf6b9fc5d3a124dd4f69bbb89a191e7ee

SHA512
ba6eb543e05066db17448fbeca5ee862aafb5f5c810a06425f95836224cdb7d2b61849843fd3ac891e106ead51934a3f77a433eb027d0dcbc14af9c95a9947c5

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
424B

MD5
1a3f1dac96497424c8e70f0960d2053e

SHA1
726cc23f06fd151bee943c2cb7616a0675ed8dfc

SHA256
b35cad2a03a60b5bf9aa5e2c8b7b181bfc770e5f498b592deabd6ec960a1fc68

SHA512
b16e692df0dd65d4b415da209be27063cdfe40b590b6531ed565a2b972766f26e76cb46b80c3c122774fccfcc8bc8fd089ca894408985b2890c90ac042585900

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
2KB

MD5
b49b6576a40671f18602f89c98805b3a

SHA1
af38b83499db9d75ac0d47eb7c61a2125551c394

SHA256
5ee879d148c6677a81f5e4fdc3860582ff8809c05d4604209c7d8b68986e9e85

SHA512
5c11d3e170c2d8bdb6a55a7a8fba1987ced6df9a18126b7596daa7ab6834030b3bbe644b01b634072367e34fb9742bbcb42de9ccb7209ffeeaa01d389218e7a5

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
3KB

MD5
d7288bfeb89fb6c3626e1d5628063043

SHA1
5d85350b059efa10584dddd6346611f6db433c61

SHA256
541f91776b13367ac7009dc91c2408912bfdffe4bc7580cc5674e56f7657f0ab

SHA512
40b9c1215762b168cbc2e6f89e00fb00953ce388a96b41c86303b896e2be5f06b105ba30d2d6e18dc358fed106caa239f901d1e795b97b99058e8204959f38e8

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
3KB

MD5
a0118dc1daaf00226bdcf58a63a97d9c

SHA1
98fa76fe9dde2e044a7a9b641ab6cad560790a8a

SHA256
4a5ce8c9ea8c5f9ddb98d84db2d411f9e1d12d2cb22b8c48f34e0db7a3633a51

SHA512
1fba811f13c66b259efa082ddc120ed2072f9017d3911d6682b848129a3279295e01611ace93144d5e88594193ff38d0bd1e4f22eb8c5d027aa650d0c6ca5a9e

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
3KB

MD5
059f75bd17697839c45b8e384a1247d2

SHA1
356a9c8ed24bd71c96a84d1cf100e2215b010b9c

SHA256
6756fe1d36fdb8922fb7fbeb16aee5a2440454353fa7e128c4582f26f0c7b8bc

SHA512
b6aeda6b80431ebfc9bb3c4ee39f3be4bbd5988ee15d8d4123381e46c98bb4fcf777641fe7ad36f8db7d385cbd4c61c79e9a5009b87e19e7a9bc6ad1258397ac

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
3KB

MD5
34db529aca2e760d947ef73589e9dd2e

SHA1
9df6add054205df43f3dc5438d0cbdae110ea94b

SHA256
85faf43557536847997751c66a7e7c477ee25a72f7bbf955df67374cbaf3b7c7

SHA512
1800a7bd0e17518258746c63229f1880961d231db19ddc1b98ab02b392f58f98ae9db4a8423844ceb60f19796e69df7cffefa1cd3f1ea2fff39daae3af7931a9

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
6KB

MD5
f7c6a6ee1026428446b7311b02dafb14

SHA1
1b57625f05abe0274423a989358898ac8a42ff18

SHA256
7622bce3f0ef27b60150d654e3aecf66acad2ad56a6d80ea34b8bbbd39541119

SHA512
0b593b609fdd3c1398916976690ceac251a40c8967f496248be02b10e5ddcb857400c2138ae5cd4b666bd34c98683d1db26a9ab1faa999b4e232c3ba2a5cfb65

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
6KB

MD5
37f82436c7c9b296156a98b3be089c2b

SHA1
20160e4658ee2b27d6eff43735cc96beb9898bca

SHA256
8a53204c9d865d3db5985a0dada61e48534324142bdcdea537005c6162e8b4c0

SHA512
8f513f9cb5b972144f8f683a923454333fa2bbaf52aac080814662d31b0ed391e0e3d4170a219f6ccf761f78f77feebe4f34d96dc5f201780a491d754956c806

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
662a32904d640c0fc160b077c271690a

SHA1
574f392ce3ed73379e4264e5764cc2f48c037104

SHA256
4804ddb862438afb81fc5f0293a1527683fb43e381ba6c9f4c1641959cc77431

SHA512
6a0f9b1e17978c4418314c38dca51df4c1476421289e6ea7e1cdd894180491266a224d5dd143d4474cc4ca0ea7736b47f55931529303abd4ae4c6adc0dfb033d

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
6KB

MD5
142d2fc7cab290833fb809e2f464e7a3

SHA1
2c12d6efdb14006073a6096f2f89427eff64f8ab

SHA256
5602f978e0f2d43762db5c34e7a829b5038e14868475b708e92dab501a34bc98

SHA512
b331053c010e51c6f3f5e932099371843058fe1aa3e2dff328ffaafb0cdef696e5d8ee5a155cbb962c395d944cc5d08f73fa65102593287a08b0c5c8b9b2d0e8

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
6KB

MD5
82148c778a2ec69c102251198c11a511

SHA1
0d73a18bcb5b635132038921ed1a6b7e27b94509

SHA256
b4aa9977168d7da4bf928d49d200e594704901da9e50ad57920b0e270ee7fda7

SHA512
21a88a2e6d523dff4703d9cac5a8a0aa3e7a15afe279275665c9a0cd8e4c611b33a71dace8fcbcdeade787c4b5cdc8e8c152f2739977bb4f940514b3c05c42eb

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
fc40e3f10595e7182859a5d7516e5ef4

SHA1
a965aec193ba15ad8d1e39914dc1b82ba028833c

SHA256
a1841672628785fc55fdb27c77ed0f7b64c6b3cc1cf12d6bdce7555693205202

SHA512
6afe141a697005be43a9618e557954d58189e4b8ff56c3910b32ae0825c3b51941a14e6e5f990efa59511e07dd593ba8db787844471846646d4c3f8402e96625

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
38603ebc8f3b460cbc049899dc372158

SHA1
edad0a793c5e8a1bf073448d086ab73909895274

SHA256
fc5509c2e4c5e8b6f848710e96f5336609badc41dcfbdd9f76107ea4774d3bf9

SHA512
5bc8665a6ce9df0fc635cb42703b8d8ac68f370701f927f8c0e1705d167aaf118bc56b58fb996165b8b1255d8c0b0264b534ad413cbcd05441c00b983273766c

Download Submit
memory/628-86-0x0000000008640000-0x0000000008641000-memory.dmp

Filesize
4KB

Download
memory/628-4-0x0000000002A20000-0x0000000002A21000-memory.dmp

Filesize
4KB

Download
memory/628-0-0x0000000000960000-0x0000000002097000-memory.dmp

Filesize
23.2MB

Download
memory/628-33-0x0000000006180000-0x0000000006181000-memory.dmp

Filesize
4KB

Download
memory/628-87-0x00000000077F0000-0x00000000077F1000-memory.dmp

Filesize
4KB

Download
memory/628-30-0x0000000006190000-0x0000000006191000-memory.dmp

Filesize
4KB

Download
memory/628-242-0x0000000000960000-0x0000000002097000-memory.dmp

Filesize
23.2MB

Download
memory/628-2-0x0000000000960000-0x0000000002097000-memory.dmp

Filesize
23.2MB

Download
memory/628-231-0x0000000007800000-0x0000000007801000-memory.dmp

Filesize
4KB

Download
memory/668-32-0x0000000002390000-0x0000000002391000-memory.dmp

Filesize
4KB

Download
memory/668-12-0x0000000000960000-0x0000000002097000-memory.dmp

Filesize
23.2MB

Download
memory/668-243-0x0000000000960000-0x0000000002097000-memory.dmp

Filesize
23.2MB

Download
memory/2836-11-0x0000000000960000-0x0000000002097000-memory.dmp

Filesize
23.2MB

Download
memory/2836-13-0x0000000000960000-0x0000000002097000-memory.dmp

Filesize
23.2MB

Download
memory/2836-31-0x0000000004020000-0x0000000004021000-memory.dmp

Filesize
4KB

Download
memory/2836-244-0x0000000000960000-0x0000000002097000-memory.dmp

Filesize
23.2MB

Download