55e4ce3fe726043070ecd7de5a74b2459ea8bed19ef2a36ce7884b2ab0863047

Analysis

max time kernel
141s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20231222-en
resource tags

arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
submitted
15-02-2024 15:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

AnyDesk.exe
Size

5.0MB
MD5

a21768190f3b9feae33aaef660cb7a83
SHA1

24780657328783ef50ae0964b23288e68841a421
SHA256

55e4ce3fe726043070ecd7de5a74b2459ea8bed19ef2a36ce7884b2ab0863047
SHA512

ca6da822072cb0d3797221e578780b19c8953e4207729a002a64a00ced134059c0ed21b02572c43924e4ba3930c0e88cd2cdb309259e3d0dcfb0c282f1832d62
SSDEEP

98304:NzTZ3cINQscs0m++LNkT6OpwDGUUH57yvZ/49Mr8EO3QhA9Kq:Nzt3cINQscNmvLCwDkHEvZ/4R79x

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AnyDesk.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	AnyDesk.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1636	AnyDesk.exe
1636	AnyDesk.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
3620	AnyDesk.exe
3620	AnyDesk.exe
3620	AnyDesk.exe

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
3620	AnyDesk.exe
3620	AnyDesk.exe
3620	AnyDesk.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 3308 wrote to memory of 1636	3308	AnyDesk.exe	85
PID 3308 wrote to memory of 1636	3308	AnyDesk.exe	85
PID 3308 wrote to memory of 1636	3308	AnyDesk.exe	85
PID 3308 wrote to memory of 3620	3308	AnyDesk.exe	86
PID 3308 wrote to memory of 3620	3308	AnyDesk.exe	86
PID 3308 wrote to memory of 3620	3308	AnyDesk.exe	86

C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
"C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe"
1⤵
- Checks processor information in registry
- Suspicious use of WriteProcessMemory
PID:3308
- C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
  "C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe" --local-service
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1636
- C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
  "C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe" --local-control
  2⤵
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:3620

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\gcapi.dll

Filesize
385KB

MD5
1ce7d5a1566c8c449d0f6772a8c27900

SHA1
60854185f6338e1bfc7497fd41aa44c5c00d8f85

SHA256
73170761d6776c0debacfbbc61b6988cb8270a20174bf5c049768a264bb8ffaf

SHA512
7e3411be8614170ae91db1626c452997dc6db663d79130872a124af982ee1d457cefba00abd7f5269adce3052403be31238aecc3934c7379d224cb792d519753

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace

Filesize
9KB

MD5
a13b7e2c3c585d8c9bf2a53b266f1333

SHA1
96516e4fd3b4c469dde1615de9f655e31e7a3804

SHA256
71f58535b00f3ec92eb58032bd961b896138de8094dd8398d284fb490cde29cd

SHA512
9e1a80c9c404f0d293d8b29bc9164f573c21b6008bdf58488a5a1fa7f9d74bb2480ccc87108fd4670c00f3afe76c7d5fa3d08b9d4ab59b7bdd3734242b748d98

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\service.conf

Filesize
2KB

MD5
a747b56785010af8ba8313d13be8400b

SHA1
3ae08708abc801028c9f640157218eca2dcc40e3

SHA256
26c36e0bfba0dee0649e0bd5841de17a0169d577132cb813ca06007a729481c4

SHA512
2527dbb2bbf23d5f39cb55e40e4dc3a534630d4958c8f308b154b2b9b6340c318f0bee009a4ff5efe71cc2e979fd282fe7352e53c3020885b0e50422c53a13ad

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\service.conf

Filesize
2KB

MD5
c98e0cb3b881dd3217195678af71d925

SHA1
b0081ff73287cadc43577c65b4ccbd4f5eda4515

SHA256
4e236c1b24c65ab899b0c8a62e61175f0f1163fde891893b2ab23ef56e90c318

SHA512
64abb82c60bb0f40dc48976bd30f3de529b2cccec69dfae9096f9069431f67c121f605803e681b7257b75163dabd96e2234744f363bc0a904f490fa3ef8c9075

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
681B

MD5
7a9ef4f2fad25d7bc1c9e28016dd4710

SHA1
3dee2c2238f2123034be2a0bbf367c0601211529

SHA256
b4df9816f4450e00b15ef28ae5ae91aff9c5a47b6fdec6612f3709c99c8052b7

SHA512
d73461a54047861bc6235ef57038f0c880ff830f661cf9fd9f9f49b17df9f42e60edd172cbeb87afabb07cbd7e973db90adeb9c75550b4e162cdc214a2a5f31f

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
802B

MD5
d516987b6199d770344f34dc07204a35

SHA1
8e6461922989929cce83e173f47b3bee1e78be45

SHA256
cdd836dfcecf4f808116742eddcdd54dad203dbce7e95b519fee193ae7b063f2

SHA512
c8a3c9ad401ae0db9adad1874abc480a91f3775bd0fa82f0f0833f5d03b09da9bb0211e5398fd4a77d42b697fa47cce2fc0a2727a13f9bc29a22ab4ae74d8575

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
312B

MD5
0c04ad1083dc5c7c45e3ee2cd344ae38

SHA1
f1cf190f8ca93000e56d49732e9e827e2554c46f

SHA256
6452273c017db7cbe0ffc5b109bbf3f8d3282fb91bfa3c5eabc4fb8f1fc98cb0

SHA512
6c414b39bbc1f1f08446c6c6da6f6e1ceb9303bbf183ae279c872d91641ea8d67ec5e5c4e0824da3837eca73ec29fe70e92b72c09458c8ce50fa6f08791d1492

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
424B

MD5
fcae9d46a63ad34f1f523c7912f62184

SHA1
94ff1fc4b5b8679ad4eaab63a6b7edf60fdafa2c

SHA256
25cbe98b9ab8cc47d3837850ebe23dab8702c2f2086df8f31715a4d96d80c690

SHA512
c6d40fffabeb4ab6429d6ca5969f41b72c3c8df36bac420321d25fb472ca00065d83013b12884b94a42060a6c8a3bc98f03f554e3f4f545b6c60e6ecb81777eb

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
2KB

MD5
41faf2b1cfce28359dca4cad50e65b2b

SHA1
408bdd86be58a3f0893066bbaf851fc1f035cb00

SHA256
dec1e1ac784421c497b58d32f2ab1a0d5bccc59b9e4e36172b8156b08ccca777

SHA512
02c4724faf0ed25c8b7c1edcc14e5567da53f3f089e7c494f9cf806136e0cc5273f2173a95f0f06593e7c0488aafa42ca4c76da598c743960e15619a04f07477

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
2KB

MD5
05b9e5254e79099953169cb7088c7a52

SHA1
cc308700ffe4e14fb20b02d305359ba19294ef11

SHA256
f2c17b87a5ae6bfc9e47a6e89f6e3a6526fa8c26049a0af0e3360f0721fea552

SHA512
10b72b0960c64b4f7c3ce5a2b6ec7c5ce3c7447022b3091972d277f0565969c42f783dc8bd218df0b38e9d63b932f32dcbe42152250351529aad266e5dfc4f6a

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
3KB

MD5
02869d75f2af30a04156a984a6f9f583

SHA1
150448a2497082c5d7550af53dd43297b5cfbadd

SHA256
02c7bc980db1df874011d1e10b5a0f85a3f7e30e6c2b8d46c8925746033ec25c

SHA512
cfecfb4bf6ebc5e11299402fadb2a4c4bdc3502750b0f1f25f8e42508913478d0e7bdc9c698475facdc2aac8bfaccd1cf62d2c01a90c161ba6610cdef792e0fb

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
3KB

MD5
777006cd55e96d720f81d6cbe7b715a4

SHA1
c81243af78100140fa5cfd9ab56cf5bfd7576ee6

SHA256
91c9009e906d9f39a785acb2316cc89f52c3a6cca3fa4bb7105ccf76a3a56c82

SHA512
fb75922e0940c04666c0dc2d3f3285c23363d90dc55b63cf5e84ede0a0e23829a08aaefbf2f69179f4f2ad39096809bc64d4c9cb6277a53ee7478e2e7407429e

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
3KB

MD5
7e2268b3d40e5a6637ec00e09dccb1eb

SHA1
b26415aa1e7dbc1204d420e28cfa9fd662240eab

SHA256
31b543a5957fa39aa2f30147d211ad4c16d86986ab96eeca3fa04a895497175f

SHA512
f1b35d20186ef7349f5e2805b45136e4ce52e93b24008be5f6055cf30b17de892e9d0922e599afc74572d2f40d8d8e13cf081ec77331baad2c4b72ae79ee3e9d

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
6KB

MD5
d9f2ce185fbd1ca10bd7de9206e518e0

SHA1
cf282c3ab6c61223b9b2c696286bfc7655758e83

SHA256
54c6c0f0e4a8d78f6c633143abb8954153e26d96dbf46e3b41cf1768951bc412

SHA512
8eb162eda08a7bc9f6de2b82d50450fbd4097da55b576eb5859a5e22e7c6a78ac92f269ae3564cf0cce18eaa0b815e7bd07a44fca1951fa6430cab537062454e

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
6KB

MD5
fc783e9f3eea1d3499494dac70989506

SHA1
24a8717fc9f7873a0b06d5b06fec235fca180355

SHA256
f11a08acc66f24ae928fef260a47c8afd0b1c97392e268c3a9fe43d952c3cea4

SHA512
21ec25611c91402665d817b342febb882658c2cd39d2563ada68a063588f7c68805a1ea8def260b1ebc12491cbbfa452d53d631c57ab0b110972f3bc8da240db

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
81acc45dab2cdab404ee3dbe742c5329

SHA1
ca7da8c44ab3538a209202d2b65994e7aecfd3f9

SHA256
51da11d2779dd680f1d228beb3ef4a09111200efa431d276886ec434ee7f9cbf

SHA512
ad4796bd8ece06c350ceeb78f2079cc72e9dee1cdc22cfc0fa8640c0e63eb0482ebf83fee985c52faf1b03d4f30939fbd54826a8261ab5451f0e845687107d6f

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
6KB

MD5
ee422c1665ba399cf7a6c96599f29e0c

SHA1
40191e51d5b28d20e26456f3eb00d07e7b61e550

SHA256
f70df9e047e6cabd751cdc17def4f0669b12173e6556d753ff1e6c7f0e28dc1e

SHA512
f1fee5345a3a7b7c9349aa81f9249692d87454b9b86035cbbea94ad897f7640a399f35992d8058f7e8bccf6fe86781b45a6e57e84a4a0e1161a879d50574a052

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
d314274968c59323709ac877549ca5a0

SHA1
4e100795ca9522f6a24744e409e5441cc46ea22b

SHA256
51f2e0daa4d3b64b80e84589a792cab27425da3cdbfa39b7e771443f0a33f664

SHA512
46d47788c7c9f8a10c410b002f09a634ec9250b47a8d3835229e00f0b326be169b0502e161b4d22bdf4cf6edbfb8d09dd3ebb50028bd2a574d4e73e2923f0c8d

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
168b27c5401bef745c0f67a574570ffa

SHA1
07c188749a66526d46240fc8bbefe63eed98c356

SHA256
83d73db3b1622d38dde96c8b1795c8761f09da0f5592d4605475d0b93f9bf3c5

SHA512
61ebf97b84188a777d14789d35faadaeb6f55979fa09bfcc52b390dc957b0f0ef940f3261d7ddf98a68a9015b79357cd87fa5e42592e84cc1b08312c6b84aeb5

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
33cf9371ecc506b62a8d72aa7ce9df66

SHA1
facf0fcabfff7c0cd0c2c4f524aa7f1b3629012d

SHA256
1b7f53e1b8cf27f99531f26e53fec23198b410a339cffeaa1f4ed1c301277ce5

SHA512
35b64d90d1477bd24b5a3bb82e657ea38d7fd0c9fe5e55e7462568dd443fc952b1b52e0c6b5e6c55057a3b1df9ccdd39be72d31909145f371f6e937e4c129560

Download Submit
memory/1636-28-0x0000000003F70000-0x0000000003F71000-memory.dmp

Filesize
4KB

Download
memory/1636-239-0x0000000000730000-0x0000000001E67000-memory.dmp

Filesize
23.2MB

Download
memory/1636-13-0x0000000000730000-0x0000000001E67000-memory.dmp

Filesize
23.2MB

Download
memory/3308-228-0x00000000071D0000-0x00000000071D1000-memory.dmp

Filesize
4KB

Download
memory/3308-1-0x0000000000730000-0x0000000001E67000-memory.dmp

Filesize
23.2MB

Download
memory/3308-24-0x0000000005A30000-0x0000000005A31000-memory.dmp

Filesize
4KB

Download
memory/3308-22-0x0000000005A40000-0x0000000005A41000-memory.dmp

Filesize
4KB

Download
memory/3308-4-0x00000000006C0000-0x00000000006C1000-memory.dmp

Filesize
4KB

Download
memory/3308-88-0x00000000071C0000-0x00000000071C1000-memory.dmp

Filesize
4KB

Download
memory/3308-0-0x0000000000730000-0x0000000001E67000-memory.dmp

Filesize
23.2MB

Download
memory/3308-238-0x0000000000730000-0x0000000001E67000-memory.dmp

Filesize
23.2MB

Download
memory/3308-85-0x0000000008010000-0x0000000008011000-memory.dmp

Filesize
4KB

Download
memory/3620-32-0x0000000002620000-0x0000000002621000-memory.dmp

Filesize
4KB

Download
memory/3620-12-0x0000000000730000-0x0000000001E67000-memory.dmp

Filesize
23.2MB

Download
memory/3620-240-0x0000000000730000-0x0000000001E67000-memory.dmp

Filesize
23.2MB

Download