55e4ce3fe726043070ecd7de5a74b2459ea8bed19ef2a36ce7884b2ab0863047

Analysis

max time kernel
120s
max time network
123s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
16/02/2024, 05:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

AnyDesk.exe
Size

5.0MB
MD5

a21768190f3b9feae33aaef660cb7a83
SHA1

24780657328783ef50ae0964b23288e68841a421
SHA256

55e4ce3fe726043070ecd7de5a74b2459ea8bed19ef2a36ce7884b2ab0863047
SHA512

ca6da822072cb0d3797221e578780b19c8953e4207729a002a64a00ced134059c0ed21b02572c43924e4ba3930c0e88cd2cdb309259e3d0dcfb0c282f1832d62
SSDEEP

98304:NzTZ3cINQscs0m++LNkT6OpwDGUUH57yvZ/49Mr8EO3QhA9Kq:Nzt3cINQscNmvLCwDkHEvZ/4R79x

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AnyDesk.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	AnyDesk.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
2716	AnyDesk.exe
1512	AnyDesk.exe
2908	AnyDesk.exe

Suspicious use of FindShellTrayWindow 5 IoCs

pid	Process
2908	AnyDesk.exe
2908	AnyDesk.exe
2908	AnyDesk.exe
2908	AnyDesk.exe
2908	AnyDesk.exe

Suspicious use of SendNotifyMessage 5 IoCs

pid	Process
2908	AnyDesk.exe
2908	AnyDesk.exe
2908	AnyDesk.exe
2908	AnyDesk.exe
2908	AnyDesk.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1512 wrote to memory of 2716	1512	AnyDesk.exe	28
PID 1512 wrote to memory of 2716	1512	AnyDesk.exe	28
PID 1512 wrote to memory of 2716	1512	AnyDesk.exe	28
PID 1512 wrote to memory of 2716	1512	AnyDesk.exe	28
PID 1512 wrote to memory of 2908	1512	AnyDesk.exe	29
PID 1512 wrote to memory of 2908	1512	AnyDesk.exe	29
PID 1512 wrote to memory of 2908	1512	AnyDesk.exe	29
PID 1512 wrote to memory of 2908	1512	AnyDesk.exe	29

C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
"C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe"
1⤵
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1512
- C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
  "C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe" --local-service
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2716
- C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
  "C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe" --local-control
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:2908

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\gcapi.dll

Filesize
385KB

MD5
1ce7d5a1566c8c449d0f6772a8c27900

SHA1
60854185f6338e1bfc7497fd41aa44c5c00d8f85

SHA256
73170761d6776c0debacfbbc61b6988cb8270a20174bf5c049768a264bb8ffaf

SHA512
7e3411be8614170ae91db1626c452997dc6db663d79130872a124af982ee1d457cefba00abd7f5269adce3052403be31238aecc3934c7379d224cb792d519753

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace

Filesize
5KB

MD5
0e68e35a464b6ea38ca8ef9dcedeedd5

SHA1
40c8720fbb7a1f3388c89c21078e2721c4a5b742

SHA256
185137928d41fa4c44c83723576fc9e53ff696708911096b03bc63fda86e040c

SHA512
54a254c695fe713bca211753808643835c3f4112d93576348c6489d2e548c3b9625b4fb5030f22fae39cc010cbe2232c9ce3c4fba69f0e81b15cfb5c50f1e266

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace

Filesize
9KB

MD5
39d923794e7a1eff6ab56375d0213e7f

SHA1
27ed3ce584d0cc516b8653b4c4f1e37bfca3b8d0

SHA256
cebef172a18c61b471eee94326453a7a544cd57c6484d14058523f15c7c442e3

SHA512
a2aaea5818b13dc2848450b276f94209d68c5e1626d58ea8274336839b7f9ca0e6c580a844974380984ae2ace8687063f18692b95ab4fdd2074d0b61cdb74b98

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\service.conf

Filesize
2KB

MD5
a00e3d67edf50a0be92e163b2efc2d01

SHA1
d60d652bcacb751c0117ea602c4fd825f2fe7607

SHA256
fde334cb12a5d15102c497fc2331734d19d6d87966452ae3111d7ed6c95ccf95

SHA512
b7f1de33d47167e62b067d86de064f566a55e2407b4a6b42c4c6def4bbcd450d9575cdea702249aebd6ebb5cc8a9bbd92fc1094200ba59ca547388c5e02a67b6

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\service.conf

Filesize
2KB

MD5
b1868d701c23ade1402171d3ea13037c

SHA1
31af2409ba10109a633e0b7010b2c3f9b1e42a8e

SHA256
a74c8da0cfae9c5fb15108b4a1be52f8c88457c4b0393eef309a70f919fce62f

SHA512
e5eb4790200a721dfb80196ccf443286053e191b4f84ec25f757159098f41d22a23d796649d72156118516b3432baf282a843f97f7b51814a1ade848c052da83

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
676B

MD5
4db2dff9863ec4e9c378293cff4147eb

SHA1
8e4324406d700905da4f630406ab6c6b0a89cad6

SHA256
93aa129535a094b3fbdc32d3f08fb9127e63a957ea47c5dc50cd0a5a0a0709e3

SHA512
c242161c3a34dbdd003556f1c77358a2d4cc260d76361b1dcce8f4ceb66c96fa226c0f72ef4e4c5339b59898fe32f402be3c46ed66869409415f6eb77e83c3b8

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
745B

MD5
b7d3a1f97811acaee8fc7fad408074fd

SHA1
ec5a3865b329916d9f68e1ec44604617cb86870d

SHA256
a68339c5833c115b5a0eadbd0129a416c0ced12e8e92a9d177265fbdfd81f840

SHA512
c86ad8b173ae791a6b5b030ab8406ef8c12e6973300a337325405f2fe5967b78c659f91efcd7c948a5ecce02222121781894adbdb9dd36b680257ccd156b336f

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
424B

MD5
75b6dced42920188712ed568c7f28497

SHA1
ba4febaf0ea66468437368dcb166becff0152c4e

SHA256
9383a2037d959bd6e1010bfdcc4047a39d867ba349ec8a9277e91b556fcf58aa

SHA512
eae10bddd484a1c47edb449392884d8d3a2d0fd8de60a33f46c612d59ccda5c463c2f8816f7b567643d8ca05db74ff6cf651fc6a75b0ef934e9d2b54a1be205b

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
2a24572d1786c64d9aee37e340998240

SHA1
c254623bb225fe5df055e25aac4c4702aaf13f75

SHA256
6c223161eedc5b4cc3ad61a6aac2020eddd1e5779170546869084a5f56493d3e

SHA512
39a793a8a886c064e536e750395d0e870b11a4a66dbc483a6ea4bfa42a326638352b3d596e0606bad2beaa5764b64c6b4578204a067e426dabf2e8ddb0590dae

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
c203d6bc0c3a3274b60e535b0b08178a

SHA1
76815a752364d30fd509685a364d36eaa73b6a9e

SHA256
49671b90df772ac69594f7e9e72b0d6c4d53ea7050b0ea31bc89ec9b22dfb399

SHA512
f29f0032632c75fe7025c2ab3f6433eedb887bd431b815da130bddb6847fe4eaf944322db540c6c594742c2b363e192aa4235660f881dc9ca587cb32b42209d7

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
7KB

MD5
0d7880d374239f6a6a9aba914258cbe0

SHA1
fe6a83039bc77413dcf8da9adb1a094a980eae10

SHA256
424757e264cd5ad16c4c9642eda7d5e99178e17b7a3ac64a0ad392e4533baa62

SHA512
064e8023ac784077462077f8ab08d8b65937a2dc9d4b91165135443da8499037c642a884a647d1e280e07083a543b6c93655efe6dd923fe76037068859db5d75

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
7KB

MD5
e55a03b3cfd3bea246a76bc2243ff7a3

SHA1
2654f131f4cd6f4ee7d2fa38ac98fe98dc0d4b04

SHA256
6803de40e3a2debd05571a4f9dc504eb7a5e4f3b70f074c9117b5ebe029687fd

SHA512
d7e3800a97b6325d0fdd3aa2091eb6cac4ce6ef8e33b93e8ee8ca05683575fff02de40a671e9c03d7e7f36c02b9ce7c352fc4950517d492912004cb79e707bd7

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
a1c6e8d88eae26c5dfc70a95e22aabcf

SHA1
6e48b58bf72f4b1492bcc42104d4ce9c82209beb

SHA256
2f3d0f4618d813952b04d393cae9b0750af001ee961404f1192c6505b8016ac9

SHA512
72642b28b34af2fdb52cb9c7be19783ec07632a07c57ede51fabf89ac764a374def83c52771a8ab7866645a4f8bc8e5375fd473178d8a0df5528d9bf7576f41c

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
e6ee6418f9780f5cf2b0b07c3710bca6

SHA1
8dd448906daf9f2918a5cf37e50dfa2d9aabd4b7

SHA256
81171edf72375fcae8ecf5de69e30d5ffec06d9265b0cb8f9b35352e000fb7f4

SHA512
f2e7fd204ce49eb0bea442faea4438498bafe4605940a9c2cf55f98ba7a12a43d81103380c27767af9239a402c1b64703df1be89dfca238fe4c79880e01b08a6

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\75fdacd8330bac18.customDestinations-ms

Filesize
3KB

MD5
ac7c1aa0b1c68ee908ba22be96792830

SHA1
e8b5f4ad8aa03195f12a36384b79ca105b26f81c

SHA256
e0b469d8c924ad2bd28ab048db619cbdaf192dfb84df5cd18aafdb4b826bb9ff

SHA512
9bc14a94ec468bbfb3744ee7766a6f045529fd850ce38c51ec570bd88ec743987a85a8d02f8214f0bbf19dc0ca9af289fdc3615853e8a75bdf12a3ee52b93ada

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\75fdacd8330bac18.customDestinations-ms~RFf76dce7.TMP

Filesize
3KB

MD5
c629d8fcfecf7e8293abfeb3dad427f6

SHA1
69625bd1da5f41c75151e7cfb74e96272d4ed6cd

SHA256
bbe72744f572a03de93abedcb3e50af2db746317c2cfa5f8549f6fd5ff347cad

SHA512
6c9dd08de4eebe5c74283c87d86143a131e87f4206b0c3ecb99a12ae388c4c6fdbf24eae64c97764104661dfd805bc01d26fff6aed670cdd55115c05d4d0fbd5

Download Submit
memory/1512-33-0x00000000008F0000-0x0000000002027000-memory.dmp

Filesize
23.2MB

Download
memory/1512-22-0x00000000039B0000-0x00000000039B1000-memory.dmp

Filesize
4KB

Download
memory/1512-64-0x0000000004510000-0x0000000004511000-memory.dmp

Filesize
4KB

Download
memory/1512-101-0x0000000006720000-0x0000000006721000-memory.dmp

Filesize
4KB

Download
memory/1512-0-0x00000000008F0000-0x0000000002027000-memory.dmp

Filesize
23.2MB

Download
memory/1512-256-0x00000000008F0000-0x0000000002027000-memory.dmp

Filesize
23.2MB

Download
memory/1512-1-0x00000000008F0000-0x0000000002027000-memory.dmp

Filesize
23.2MB

Download
memory/1512-103-0x00000000008F0000-0x0000000002027000-memory.dmp

Filesize
23.2MB

Download
memory/1512-4-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/1512-231-0x0000000006720000-0x0000000006721000-memory.dmp

Filesize
4KB

Download
memory/1512-23-0x00000000039C0000-0x00000000039C1000-memory.dmp

Filesize
4KB

Download
memory/1512-217-0x0000000006720000-0x0000000006721000-memory.dmp

Filesize
4KB

Download
memory/1512-218-0x00000000008F0000-0x0000000002027000-memory.dmp

Filesize
23.2MB

Download
memory/2716-139-0x00000000008F0000-0x0000000002027000-memory.dmp

Filesize
23.2MB

Download
memory/2716-18-0x00000000008F0000-0x0000000002027000-memory.dmp

Filesize
23.2MB

Download
memory/2716-261-0x00000000008F0000-0x0000000002027000-memory.dmp

Filesize
23.2MB

Download
memory/2716-229-0x00000000008F0000-0x0000000002027000-memory.dmp

Filesize
23.2MB

Download
memory/2716-27-0x0000000000320000-0x0000000000321000-memory.dmp

Filesize
4KB

Download
memory/2716-257-0x00000000008F0000-0x0000000002027000-memory.dmp

Filesize
23.2MB

Download
memory/2716-69-0x00000000008F0000-0x0000000002027000-memory.dmp

Filesize
23.2MB

Download
memory/2908-19-0x00000000008F0000-0x0000000002027000-memory.dmp

Filesize
23.2MB

Download
memory/2908-17-0x00000000008F0000-0x0000000002027000-memory.dmp

Filesize
23.2MB

Download
memory/2908-72-0x00000000008F0000-0x0000000002027000-memory.dmp

Filesize
23.2MB

Download
memory/2908-230-0x00000000008F0000-0x0000000002027000-memory.dmp

Filesize
23.2MB

Download
memory/2908-258-0x00000000008F0000-0x0000000002027000-memory.dmp

Filesize
23.2MB

Download
memory/2908-148-0x00000000008F0000-0x0000000002027000-memory.dmp

Filesize
23.2MB

Download
memory/2908-45-0x0000000000120000-0x0000000000121000-memory.dmp

Filesize
4KB

Download
memory/2908-266-0x00000000008F0000-0x0000000002027000-memory.dmp

Filesize
23.2MB

Download