55e4ce3fe726043070ecd7de5a74b2459ea8bed19ef2a36ce7884b2ab0863047

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
16-02-2024 05:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

AnyDesk.exe
Size

5.0MB
MD5

a21768190f3b9feae33aaef660cb7a83
SHA1

24780657328783ef50ae0964b23288e68841a421
SHA256

55e4ce3fe726043070ecd7de5a74b2459ea8bed19ef2a36ce7884b2ab0863047
SHA512

ca6da822072cb0d3797221e578780b19c8953e4207729a002a64a00ced134059c0ed21b02572c43924e4ba3930c0e88cd2cdb309259e3d0dcfb0c282f1832d62
SSDEEP

98304:NzTZ3cINQscs0m++LNkT6OpwDGUUH57yvZ/49Mr8EO3QhA9Kq:Nzt3cINQscNmvLCwDkHEvZ/4R79x

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AnyDesk.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	AnyDesk.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3884	AnyDesk.exe
3884	AnyDesk.exe

Suspicious use of FindShellTrayWindow 4 IoCs

pid	Process
4672	AnyDesk.exe
4672	AnyDesk.exe
4672	AnyDesk.exe
3192	AnyDesk.exe

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
4672	AnyDesk.exe
4672	AnyDesk.exe
4672	AnyDesk.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 3192 wrote to memory of 3884	3192	AnyDesk.exe	86
PID 3192 wrote to memory of 3884	3192	AnyDesk.exe	86
PID 3192 wrote to memory of 3884	3192	AnyDesk.exe	86
PID 3192 wrote to memory of 4672	3192	AnyDesk.exe	87
PID 3192 wrote to memory of 4672	3192	AnyDesk.exe	87
PID 3192 wrote to memory of 4672	3192	AnyDesk.exe	87

C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
"C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe"
1⤵
- Checks processor information in registry
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:3192
- C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
  "C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe" --local-service
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3884
- C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
  "C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe" --local-control
  2⤵
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:4672

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\gcapi.dll

Filesize
385KB

MD5
1ce7d5a1566c8c449d0f6772a8c27900

SHA1
60854185f6338e1bfc7497fd41aa44c5c00d8f85

SHA256
73170761d6776c0debacfbbc61b6988cb8270a20174bf5c049768a264bb8ffaf

SHA512
7e3411be8614170ae91db1626c452997dc6db663d79130872a124af982ee1d457cefba00abd7f5269adce3052403be31238aecc3934c7379d224cb792d519753

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace

Filesize
5KB

MD5
ab3b1a0f1c5ed6b16f85dfb8f621f88e

SHA1
a3869b0f472f2b952bd2de5b7c13fe3ee5f1c635

SHA256
0b5f709415e5fecca19a579560c577b180a5a0e7ad4c0ffa740ae56a2b2c13cb

SHA512
05c975dfb03a4abdf3d4f3676b4a56288021535251e2f71dba37452412e219d0aa2f522c7fce0bb4206260062aac0341089937fa9543c695e8dea3cc38e31276

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace

Filesize
9KB

MD5
8b468c3f5168d51fa3706ef20deefcf7

SHA1
d812e16f3bb602f969476b480835139e8e55b538

SHA256
14f784950152dc18a8161f0fd035a7fe42b2a9c535d8c37fce13b27c0cd131cc

SHA512
88a6afd43e4fc1dc0d22e4c67c00ae3c9f7fabf42a2c3d0595a1000b1f0839c371dd0834226b15af32daef3965faa0bc3dc9910389fbb28b89d3d56adafac4a6

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\service.conf

Filesize
2KB

MD5
4b060697ef344596f89c78043bd51234

SHA1
2dd14bab0d08c9ca38b64d4f7fb89e566b17a66f

SHA256
cf08187b7d005fe27637a4d0497f4cbcb364e73041d6a13dbdd763c0ef56b7a8

SHA512
6abaa609178e2a9a361be35f3f80198382c231f3d84c4a2042b9731fc74f44f7e534515987b49a58c7951907acbc91e3e5f648be367c026974b2f5e610afd5e7

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\service.conf

Filesize
2KB

MD5
712af10653f796a801d7ef753a15bb68

SHA1
38763a9b7e0aa0c7f2e92ff9a74b91581c38d0b4

SHA256
21bd8f854096dec55775ca7c6d302b5283aae4b7add26f47174b69ebadd424a4

SHA512
7c32477d71690ac10f6acd6b61eaffd62786872ef285891b43fbd3a8a21295d225be0494fd1d761649a73de5c1f0a7870ecbd4998dc06ebb86de6bb8d89802af

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
612B

MD5
3bd508c4c767be2191602c4778e3538d

SHA1
6bb7079c83516021ff2718b511db13dab2bbded9

SHA256
0511a9d60958cf0dd230c049bd09e8f27ea6d21607005b66759be67eb689e373

SHA512
9a673639589691c028a4a790440213d17800395a1ef98507c90ff8b9a3c99084ff9dc14de6113d116ada25bf36497cd43405bd80c40ae19b43331bb764dfbad4

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
733B

MD5
59edf24bc709b9673fef5c06fedb6f62

SHA1
b3f737e8a38a59c9c18d025f74f59cadb5f03bda

SHA256
8fdfa8a2c41a512c7c87903470646aeb1e2966dcd805787bcdb425cbca4c5c6c

SHA512
29d678a77392eb5860cc130f7785fbec36b7909145aa122b20beb2241ae393dc556255512847afd466a26b063461884a70b28469d807de95d62c15765397541d

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
802B

MD5
a646e445750add5b930828aa90f6089a

SHA1
59a4494bbb5c6fe6ddec7ae25b9fa0fc18d82bce

SHA256
f4a207ac7a9f1d962ec5c7168e494a1bdb95228cee71be8ec3ef976fed47a774

SHA512
4d89cefd426d1c06d9600ba294bce442a78e79e46729d29cb524563eca3d2838c643854913ebc152125647e10706c98a4934038a1e75939dc4f7a02adac12719

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
312B

MD5
0c04ad1083dc5c7c45e3ee2cd344ae38

SHA1
f1cf190f8ca93000e56d49732e9e827e2554c46f

SHA256
6452273c017db7cbe0ffc5b109bbf3f8d3282fb91bfa3c5eabc4fb8f1fc98cb0

SHA512
6c414b39bbc1f1f08446c6c6da6f6e1ceb9303bbf183ae279c872d91641ea8d67ec5e5c4e0824da3837eca73ec29fe70e92b72c09458c8ce50fa6f08791d1492

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
424B

MD5
9e26bef765509c123cdf93e06b57ff26

SHA1
d6d6e16d1629d012ebc0aa13d26753144732c1bf

SHA256
53cc7aea94d73a192d101a4e6b5741ec0e294f0ee04ff292bb23fc6c578ad086

SHA512
6be99bb8e6a8cbc128fe0bdb011d96f0b3d2505bf7b5be50a507a897af95c351b5c57949d8748bc4f6931b7675406a5c51998881bc5f5f53411a73b7b13223c5

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
424B

MD5
a11e06b01edf3ab433b5844b473f837f

SHA1
6b2de19ea347aae85fc032255a92d52485152770

SHA256
15cbd260b03b29620cbcef43938309112a37a2c4c116dc7bd7942899b1d4735e

SHA512
6ea0bfc70411f9d335c879f190d124c56974dfbae1987bb9f8f19a717a1e96fd81476b9dfb3c6d628482a3a78335c4ae32c0968d6d84c7ad82e2bd934e5772af

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
3KB

MD5
dd60f4ffdc05cd9233a91dce64c8de44

SHA1
772f77e3daf31d2df4c7d5972a6983d8da41698a

SHA256
c30bf039b0ce4cd8de0eadbbeea6673c69913311c6f7ab6a66eb9788feb19cd1

SHA512
4d243223daf95d7d31e4ff8fe58d4b5430363f918e937100de1382e5f48035d4fc107bc7f969298875c26861c7cd9088efe45df4a01ed2a469a5e820a8d35d34

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
dcd4f1b013b51a2d5d07408420a3651c

SHA1
2225982d97ab5835098df2aad4090ffdca8df562

SHA256
beb86e05e99eca2e70cc16998cb27b3c93da20bf03cd7258c14838f6cf7f3e3b

SHA512
1e2114866be04d175e14e38d40451f9f08dfc5b2dfc2ee042ef75f845de27723b58d42eff58f9eb8ac9bf56898548ad4ca12b83410c28c6745e5870a19d74a76

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
6KB

MD5
7cb3cfba96b3d48f99c668faa9ca0d80

SHA1
83d1302aa3b776130a14d76037ebf9bf49563ed6

SHA256
8d5fb5ff01ce6b7bd5b5219a6e313a09d5aa8a92798f4e1e37c975bc6e6a45b1

SHA512
b9c8e8a2fc328ee1010c160b7f09a2ed006b05a5d04132902ca73eecaa1c98d2aca428f71e13890e860ec7ee0658d3c6e2856c95af603e171fab4838ef9e346b

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
6KB

MD5
619424a58666d8b40342472181f02cf8

SHA1
d0b316c924927ccf6c8b423f8607878c99d98f49

SHA256
28c95c5b643ac0a0e0a136acd864524c722487685e04b006b150b9004ab0e166

SHA512
d87e1138c044e1b86f7b1ad4b7dfeaff976fc5e687669b0fd37357969355e3dc711e0e48cb2cd11d7c7b441b6bcf50885d1ce697bd5e23f024c7c235ac556e5b

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
6774b6e87c8d86b4639f6802d5cdc917

SHA1
4d5041c499506ac462d638b667d992703f3d4291

SHA256
f9ad78ae78ff0ba1a56ba8366bc08a4c46c51926e4bfcf9428fc76ef2de05b5e

SHA512
6dd892e0e33c90e43c1a276efd5038ec0783d92cfe71fa3249a167d684e3d1a1fb371b6f57803a711146f391e127bc98fec45683056f7b4e1a4c0c7bc74a6c78

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
6a5d7147402e154570aa63e61934eb57

SHA1
79af4e1d1b8df8e176e2ea529ee7d3d41bbeeb19

SHA256
9c792b0653c1b463788599efce2500483622a2ade0ab7881fadc5df705061dea

SHA512
768689f81d86944db2cca4c99e8fe6c83e3a679b12ad6e128141faf0d5e68bc49c5d69b87e21c7740497bcb9f8d6569909ae65a552757fe7e5b555d943c8b0b8

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
277bdb9d794fee194a4c3cd9201e16c4

SHA1
2498bfb0095a5ff7771d68159f3a161a45882425

SHA256
4143cda667d8275652ed5d20ff5427bf969440f4b790a63ffa750f08fb951cb8

SHA512
a6d9c3baca1c54d9f6fe03af8880ba1505a7f09b8bb4722cd65a9370d94a330e83f08df17ce47d27759b7240aeb751d4d36971522631596b17b54e35d46e6397

Download Submit
memory/3192-0-0x0000000000C90000-0x00000000023C7000-memory.dmp

Filesize
23.2MB

Download
memory/3192-3-0x00000000028A0000-0x00000000028A1000-memory.dmp

Filesize
4KB

Download
memory/3192-117-0x0000000007970000-0x0000000007971000-memory.dmp

Filesize
4KB

Download
memory/3192-253-0x0000000000C90000-0x00000000023C7000-memory.dmp

Filesize
23.2MB

Download
memory/3192-249-0x0000000007AB0000-0x0000000007AB1000-memory.dmp

Filesize
4KB

Download
memory/3192-22-0x00000000061F0000-0x00000000061F1000-memory.dmp

Filesize
4KB

Download
memory/3192-250-0x0000000007AA0000-0x0000000007AA1000-memory.dmp

Filesize
4KB

Download
memory/3192-248-0x0000000000C90000-0x00000000023C7000-memory.dmp

Filesize
23.2MB

Download
memory/3192-1-0x0000000000C90000-0x00000000023C7000-memory.dmp

Filesize
23.2MB

Download
memory/3192-102-0x0000000007FC0000-0x0000000007FC1000-memory.dmp

Filesize
4KB

Download
memory/3192-244-0x0000000007980000-0x0000000007981000-memory.dmp

Filesize
4KB

Download
memory/3192-25-0x00000000061E0000-0x00000000061E1000-memory.dmp

Filesize
4KB

Download
memory/3884-17-0x0000000000C90000-0x00000000023C7000-memory.dmp

Filesize
23.2MB

Download
memory/3884-28-0x0000000000C70000-0x0000000000C71000-memory.dmp

Filesize
4KB

Download
memory/3884-251-0x0000000000C90000-0x00000000023C7000-memory.dmp

Filesize
23.2MB

Download
memory/4672-18-0x0000000000C90000-0x00000000023C7000-memory.dmp

Filesize
23.2MB

Download
memory/4672-252-0x0000000000C90000-0x00000000023C7000-memory.dmp

Filesize
23.2MB

Download
memory/4672-31-0x0000000000770000-0x0000000000771000-memory.dmp

Filesize
4KB

Download