55e4ce3fe726043070ecd7de5a74b2459ea8bed19ef2a36ce7884b2ab0863047

Analysis

max time kernel
145s
max time network
146s
platform
windows10-2004_x64
resource
win10v2004-20231222-en
resource tags

arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
submitted
15-02-2024 15:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

AnyDesk (1).exe
Size

5.0MB
MD5

a21768190f3b9feae33aaef660cb7a83
SHA1

24780657328783ef50ae0964b23288e68841a421
SHA256

55e4ce3fe726043070ecd7de5a74b2459ea8bed19ef2a36ce7884b2ab0863047
SHA512

ca6da822072cb0d3797221e578780b19c8953e4207729a002a64a00ced134059c0ed21b02572c43924e4ba3930c0e88cd2cdb309259e3d0dcfb0c282f1832d62
SSDEEP

98304:NzTZ3cINQscs0m++LNkT6OpwDGUUH57yvZ/49Mr8EO3QhA9Kq:Nzt3cINQscNmvLCwDkHEvZ/4R79x

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AnyDesk (1).exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	AnyDesk (1).exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
2400	AnyDesk (1).exe
2400	AnyDesk (1).exe
4220	AnyDesk (1).exe
4220	AnyDesk (1).exe
3660	AnyDesk (1).exe
3660	AnyDesk (1).exe

Suspicious use of FindShellTrayWindow 5 IoCs

pid	Process
3660	AnyDesk (1).exe
3660	AnyDesk (1).exe
3660	AnyDesk (1).exe
3660	AnyDesk (1).exe
3660	AnyDesk (1).exe

Suspicious use of SendNotifyMessage 5 IoCs

pid	Process
3660	AnyDesk (1).exe
3660	AnyDesk (1).exe
3660	AnyDesk (1).exe
3660	AnyDesk (1).exe
3660	AnyDesk (1).exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4220 wrote to memory of 2400	4220	AnyDesk (1).exe	84
PID 4220 wrote to memory of 2400	4220	AnyDesk (1).exe	84
PID 4220 wrote to memory of 2400	4220	AnyDesk (1).exe	84
PID 4220 wrote to memory of 3660	4220	AnyDesk (1).exe	85
PID 4220 wrote to memory of 3660	4220	AnyDesk (1).exe	85
PID 4220 wrote to memory of 3660	4220	AnyDesk (1).exe	85

C:\Users\Admin\AppData\Local\Temp\AnyDesk (1).exe
"C:\Users\Admin\AppData\Local\Temp\AnyDesk (1).exe"
1⤵
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4220
- C:\Users\Admin\AppData\Local\Temp\AnyDesk (1).exe
  "C:\Users\Admin\AppData\Local\Temp\AnyDesk (1).exe" --local-service
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2400
- C:\Users\Admin\AppData\Local\Temp\AnyDesk (1).exe
  "C:\Users\Admin\AppData\Local\Temp\AnyDesk (1).exe" --local-control
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:3660

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\gcapi.dll

Filesize
385KB

MD5
1ce7d5a1566c8c449d0f6772a8c27900

SHA1
60854185f6338e1bfc7497fd41aa44c5c00d8f85

SHA256
73170761d6776c0debacfbbc61b6988cb8270a20174bf5c049768a264bb8ffaf

SHA512
7e3411be8614170ae91db1626c452997dc6db663d79130872a124af982ee1d457cefba00abd7f5269adce3052403be31238aecc3934c7379d224cb792d519753

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace

Filesize
6KB

MD5
85422366d251630710bf7cf8f9e8fb5f

SHA1
8439090f592a1d12740b56743405074cf908033d

SHA256
ac8e2dde74d3143601c07af26322af503e8ab3fa3cceae7adfa0cb57746bbf10

SHA512
5778ac4d9972b5316de3dd81cf10de36656fbba0a03a4700044a7c73f91e610f3f5355bf8ed401d137aa92b8ff0e0d1411d757bbeb9352dbb683a9d22934fedc

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace

Filesize
10KB

MD5
6aca9c35a5d68e5d22c7dc09e994724c

SHA1
2e4819eea05fb321979f80f4503c23818c5f58de

SHA256
97da3899a09783ff64b2ca459f2d47bf97d1631ee8d9d4e523905b806134c5ca

SHA512
e47a76462b65c9e9748dd166526854f24bd56f617a5894f07a269194e5e0b1315f1dd0cb8995eb3b79cddbed000ca6855e87edabdfe2dd12349cfd31a9b44293

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\service.conf

Filesize
2KB

MD5
8c67b4ab98f29394ddb1c85720ebe9ff

SHA1
d4ed6936de5c9404a15c2ab365f882ef0fd75bff

SHA256
037d30c236f64f8acd3c7e9f4f9bf61132443ae5e224ddff44da9e6b7824baaf

SHA512
e1e8cece809fe0a9351a1808c85f4eeae2115e8407645edf848b1a88938c3d1fb5ec9fc69b8ddf42cc631f43c486de20953441a36edb9bb38628fe7eb1e5ced9

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\service.conf

Filesize
2KB

MD5
35218aa244bb1eeb390f866d2c416e36

SHA1
f1a281c21698b40b6e8e24975d9a1c33354efdfb

SHA256
51f2d2bcbf0f597acd427e1704440ae08aa55fcea0bd8f22b69d352586d0ef29

SHA512
6828d7ab1a88e3d149a39d755b5413bb51d1901a616c38782a47798a390ef853bb79fe85caf7c58bc27811f6e2131a48791b662afe21f6a5b831993f6d82b111

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
681B

MD5
4b23cfb29902d77582f845fd1da9547f

SHA1
173f1ceab4d42b75dfdd97d4395bf8f0dec88217

SHA256
bb818958e0063bbd2e82477b44a671d25956319bea207c4df981f2d5afff417b

SHA512
fe8b796d36af8523636a33c2c07790982cc4745b666886102a74f4d0f5ade11b26cac0b2234f987a5331687a241830d49f10d8fc01f3f130292d601aaf94b5d0

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
802B

MD5
a9d5cabdb4468daffea3ac5fb45499f4

SHA1
80fba829e8584bc0cae3eece23f2a9c3bb8cebf7

SHA256
a3384006d95e44c56a16d1b00dff304bf2a6da43616e9493220ebdb20dfcca7c

SHA512
67c387170ae6cf52c9ab392b17b849bf57b356801687a3ebd1967c31d3f8f661ecbfdc186dad9e838c3a2d9b4f3bf5c70ce60d8b18adaa30e762755973412a8c

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
424B

MD5
a2898e62ed91edaa92ad932e157cb8f3

SHA1
bcf9123d327c262fc5f74797f01788548e67b380

SHA256
551bd1780704508b0bacde387a8dd89b902107f191073b29788cbc6a8a65ee77

SHA512
1227624027dc873ac99f4a7c700fd874c808d3c5b5ea4a0fb99132f3d5026006befe1d7573c4158037cc5c1216bf17abf2948c2bef3b01c210e925764ab222ac

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
424B

MD5
8794415f3f04e73ce2e28c87ce6068c3

SHA1
d143662a5300276ab7f5be859f4b1241c01e0888

SHA256
3b700c0b58c3667fcf494030400d074b98e892eb93c5e0f4814c19ec84bb0c0e

SHA512
e97674ce20ec49738a637ad992eef457c3f4c2fd0c3d80302b075971faa481e607d44905e654d4c1d9966b96f28cc255da32b572172b0754af529d93da4c8e12

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
2KB

MD5
72a5a2f0058e25ff33afb24e834a81e8

SHA1
d44ff4ccae4b53f5143c2a84b7701ba4dc20a3f6

SHA256
123502dbd903f72c6bf31ab472d7294019adf96fce1992c4b0fc4074a7713481

SHA512
8ed7b3130cfbd35e7d00e17199e2bef42ccc8ac65af54840566bb2f522b8cb44bde0309f8d485850f77abb837fc47262cae212f6092ec512a4da44acf48f2285

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
2KB

MD5
8b2748a44c6c7321def85df3076fa079

SHA1
40e0f67d4e153154bdb151ee5530490d6e7d7205

SHA256
93f908328ee97e21782c6a0203e6f606bdce373e871fd55e223df49c479cdc2e

SHA512
212dbf99b192ded84e55601a357b96dc36d38f7f858ca8d836f61eeeef11cb2b8e8c6ea443b82eb8fc55232678a808014a14f282dd29df591e47d74ebf486a3e

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
3KB

MD5
8a6583c9605782d75407f3f6e7535ec4

SHA1
109004fbcfa66d513875338af1d62989bbd6b187

SHA256
3f33a56cd81164507fd5665f68b3428b57670195c34e75cc5a0b917f4f7ff0e5

SHA512
cf1a612833fbb8c4c273562959275a65dc402e6d59c76f4bd11573ad13de742c0a3084047ae0b2ca3d35edc6e16dd6e74bb76573624ca485c88de60e2c0c1c96

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
3KB

MD5
eba1b88c456ae29ffdf0db30b8eb5810

SHA1
fe76b213a9a5aecb02379c511a6bba0722eec505

SHA256
9c508b7db6f7ac217e9047f77375e6797976188599c357d6c703b0adc3b8ecc1

SHA512
81b84954e2d2515fb03abc15848a51b0982ec652badbf0e3401524bb43d5920830ed7bbf9991c3397e88ba17829cfbd38bb0ce58481bbd484491cb718f15dbd6

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
3KB

MD5
30bf288a74ba169f5fe17789bcc77d0f

SHA1
1c2e11957adabd4a48b6bc8c9ac1bae214c950b8

SHA256
bffa0df1c2988db9611d45a72313d7fd3b6df70ccdf57ee75b90980a72c08275

SHA512
cc228e4e28687cce24e9ad96ce6a9d45a7cdd2585d2dede86fa997610b400efe7720f27dbff2b33ec46f0f606d94e846064f26ba4f82c59628847c7ad79d8f73

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
6KB

MD5
f6b56f6154b8222fb2e24e468c9d5996

SHA1
66b4c23a21af63b25cd01dca4dffbc6b214bb63d

SHA256
aa4ee79a282b0d05c87025238fcbd031fbcb76f061f75f618131b307edb93010

SHA512
2a972d4c75ea803a46236cc81b918318cf8c4e6f3442c0997df0d20d76b8c290af93e7bf6b516201ea59ef1a92aac2ea5822faf32c86ca8058532b39f6869d73

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
6KB

MD5
bcd77b53236471cb55995787eaa67337

SHA1
723d63ce3587000a228074b220f81e76fe25c881

SHA256
e978e833cc9de21dbbaa7666ed7a07aa3608a44d13f769cf3f086f14aa3561ae

SHA512
a1ad868d25c661777e80ad21c6e394fa609984a5393855fccf04cb43841e10c77713847236207379ea6bf5d3aa34e9443129713cdeca03d90a0414a8d1befa3d

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
9a8d41975edd55eb854502a145892485

SHA1
6f97c8b235c0525504fcf3211ba71d1232bff3eb

SHA256
877faaef32fb33dad0436d79b7bedbc4a02aaa83e6d9f26e91e398b263a0f6c5

SHA512
0f5fe5cc516e7ca58f8fb0e3e5928c4741abfbcc22a7c674dcef09a84f6ffc3a6e3852f959ec1dbc281046c81777add4c57b8625853221d6cf3c5be9dad7d5fd

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
6KB

MD5
41e8030899445e7964f490ad49c65cce

SHA1
94a5037aa9a17f238babf0903e77d5d18cb81a04

SHA256
9ba33c62b4ec092ce3a27aa10d8de8a3806e5e34e29aac6d0373439016e6a197

SHA512
380e529ce69ee462e108720b7184b298440ee5c57906c7450b6f5b2221a4541cf566e609452ff4c8db11082be61a29c3beceff7b30b07ab5e0864f0691a21664

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
7KB

MD5
ef538a3a45c07d252a5b4105deaf60ce

SHA1
bfb9e58afac3d63b4339a039c28e7c2edc38958b

SHA256
fc80cdced768274e5ee74d786161479eeb606d55964513b3fc7f771824fbd5d9

SHA512
789531bb9ebf059f0cfe9fedb3f44d3b26e171be696449487a1114c719caa234f4d6a3f18481836933efef3480a022b5c5eb9cd5111216003b5ba239b8171d23

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
7KB

MD5
a6e641e6b114fbbc64d649a975215252

SHA1
a76b8972d21a75f13499913518fc58d601a78555

SHA256
aad44582e101d7c1118ddbe80a1e9632453af13af99afe216e73dd8f41e4ee6c

SHA512
33699ba0cfefb89b3713ea8333e5a9eba36251d369d73314e70acba049ba47be52d1b6123e15acb724b046361dcfb3dc7c6c58f058e7d8486c659e13c5a7b3ed

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
b3701c6d27aefc6a197c269ce40818f1

SHA1
7eff966d5217e0a4dd59074ff31c98b67e7a3cc3

SHA256
d201b50dfbbb93e605cd6b6002b1f1d75c386fd0cd29e09dc0ef414f00e61410

SHA512
6984c278d0f87f9252497cfb9fd635f8d2f4a7d2e888954eb65c58e9cccbc620d4ca6ec0d93c6c1baaff1c4e725131fcdebf638281dc0d915a152a4266bea317

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\75fdacd8330bac18.customDestinations-ms

Filesize
3KB

MD5
f3db18678c8b90d52e4e1c3882ea4753

SHA1
afa4488f975f477b80bccf2dd7ed29782f23d405

SHA256
e132b1fbc79cf2310dbb3111b5d5ee7baf6b0664571a1addbe6dec0ff13cb86f

SHA512
e4a00aa7899525801944c0bd3741eeb6e747f2d6f074ab4cde1642546b2fb6d3dd3e887773d032716dbec9d4bbf857d96b9aa9ef603dcdfe01d263eb9b39a717

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\75fdacd8330bac18.customDestinations-ms

Filesize
3KB

MD5
0fa1cad4292a3b3d7ca5040669464071

SHA1
2334670b67b87cdac8eebbe6d29e3568b082a0e8

SHA256
7e368ce557a74e0c4acf2a61a170a6c2b5910204ae775bc1ad0392392203b07c

SHA512
a6de95624f11c5116fb28295efc0b60bd6a55c553a01aa1e58532bc4be860333d95af5e96ce30625ca8d15e290d662f5973e3a047b5bebedded416dcb70f311f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\75fdacd8330bac18.customDestinations-ms

Filesize
3KB

MD5
bb907f787c8c9742146f2c9116ae4c8b

SHA1
00ce328e4ba2ef10fad22dd4944f85f14c7810de

SHA256
8120e4685a642a2167bcb3718854925efef187b8ec531866a335429caf838afc

SHA512
c82748f20af1180abe9a80c5eb420b7f1d4b1695c26193f17297aac8e9af883338d50ba5349eaab1124f6372af9716bd8a81d4320430f69239112894534a8aba

Download Submit
memory/2400-285-0x0000000000E30000-0x0000000002567000-memory.dmp

Filesize
23.2MB

Download
memory/2400-14-0x0000000000E30000-0x0000000002567000-memory.dmp

Filesize
23.2MB

Download
memory/2400-15-0x0000000000E30000-0x0000000002567000-memory.dmp

Filesize
23.2MB

Download
memory/2400-281-0x0000000000E30000-0x0000000002567000-memory.dmp

Filesize
23.2MB

Download
memory/2400-240-0x0000000000E30000-0x0000000002567000-memory.dmp

Filesize
23.2MB

Download
memory/2400-33-0x0000000002CA0000-0x0000000002CA1000-memory.dmp

Filesize
4KB

Download
memory/3660-12-0x0000000000E30000-0x0000000002567000-memory.dmp

Filesize
23.2MB

Download
memory/3660-29-0x00000000045D0000-0x00000000045D1000-memory.dmp

Filesize
4KB

Download
memory/3660-290-0x0000000000E30000-0x0000000002567000-memory.dmp

Filesize
23.2MB

Download
memory/3660-235-0x0000000000E30000-0x0000000002567000-memory.dmp

Filesize
23.2MB

Download
memory/4220-0-0x0000000000E30000-0x0000000002567000-memory.dmp

Filesize
23.2MB

Download
memory/4220-237-0x0000000009030000-0x0000000009031000-memory.dmp

Filesize
4KB

Download
memory/4220-238-0x00000000090A0000-0x00000000090A1000-memory.dmp

Filesize
4KB

Download
memory/4220-239-0x0000000009090000-0x0000000009091000-memory.dmp

Filesize
4KB

Download
memory/4220-236-0x0000000009070000-0x0000000009071000-memory.dmp

Filesize
4KB

Download
memory/4220-241-0x0000000000E30000-0x0000000002567000-memory.dmp

Filesize
23.2MB

Download
memory/4220-232-0x0000000000E30000-0x0000000002567000-memory.dmp

Filesize
23.2MB

Download
memory/4220-222-0x0000000007BC0000-0x0000000007BC1000-memory.dmp

Filesize
4KB

Download
memory/4220-4-0x00000000043A0000-0x00000000043A1000-memory.dmp

Filesize
4KB

Download
memory/4220-1-0x0000000000E30000-0x0000000002567000-memory.dmp

Filesize
23.2MB

Download
memory/4220-280-0x0000000000E30000-0x0000000002567000-memory.dmp

Filesize
23.2MB

Download
memory/4220-28-0x0000000006430000-0x0000000006431000-memory.dmp

Filesize
4KB

Download
memory/4220-83-0x0000000007BB0000-0x0000000007BB1000-memory.dmp

Filesize
4KB

Download
memory/4220-80-0x0000000008B40000-0x0000000008B41000-memory.dmp

Filesize
4KB

Download
memory/4220-22-0x0000000006420000-0x0000000006421000-memory.dmp

Filesize
4KB

Download