55e4ce3fe726043070ecd7de5a74b2459ea8bed19ef2a36ce7884b2ab0863047

Analysis

max time kernel
145s
max time network
148s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
17-02-2024 00:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

AnyDesk.exe
Size

5.0MB
MD5

a21768190f3b9feae33aaef660cb7a83
SHA1

24780657328783ef50ae0964b23288e68841a421
SHA256

55e4ce3fe726043070ecd7de5a74b2459ea8bed19ef2a36ce7884b2ab0863047
SHA512

ca6da822072cb0d3797221e578780b19c8953e4207729a002a64a00ced134059c0ed21b02572c43924e4ba3930c0e88cd2cdb309259e3d0dcfb0c282f1832d62
SSDEEP

98304:NzTZ3cINQscs0m++LNkT6OpwDGUUH57yvZ/49Mr8EO3QhA9Kq:Nzt3cINQscNmvLCwDkHEvZ/4R79x

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AnyDesk.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	AnyDesk.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2648	AnyDesk.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
2332	AnyDesk.exe
2332	AnyDesk.exe
2332	AnyDesk.exe

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
2332	AnyDesk.exe
2332	AnyDesk.exe
2332	AnyDesk.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2916 wrote to memory of 2648	2916	AnyDesk.exe	28
PID 2916 wrote to memory of 2648	2916	AnyDesk.exe	28
PID 2916 wrote to memory of 2648	2916	AnyDesk.exe	28
PID 2916 wrote to memory of 2648	2916	AnyDesk.exe	28
PID 2916 wrote to memory of 2332	2916	AnyDesk.exe	29
PID 2916 wrote to memory of 2332	2916	AnyDesk.exe	29
PID 2916 wrote to memory of 2332	2916	AnyDesk.exe	29
PID 2916 wrote to memory of 2332	2916	AnyDesk.exe	29

C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
"C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe"
1⤵
- Checks processor information in registry
- Suspicious use of WriteProcessMemory
PID:2916
- C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
  "C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe" --local-service
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2648
- C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
  "C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe" --local-control
  2⤵
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:2332

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\gcapi.dll

Filesize
385KB

MD5
1ce7d5a1566c8c449d0f6772a8c27900

SHA1
60854185f6338e1bfc7497fd41aa44c5c00d8f85

SHA256
73170761d6776c0debacfbbc61b6988cb8270a20174bf5c049768a264bb8ffaf

SHA512
7e3411be8614170ae91db1626c452997dc6db663d79130872a124af982ee1d457cefba00abd7f5269adce3052403be31238aecc3934c7379d224cb792d519753

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace

Filesize
6KB

MD5
ef9aa23aeaa118d48aa67092a9a140fd

SHA1
6ce06befe6c8f9c9f00c28add22e5fc6c9b6caa6

SHA256
471a0b7ba1cf68c3cdb9e4248a7b9f35be3be3b9a0a4d8ceeddbd69dd5905ce9

SHA512
2177953ca9d2d1e101f5e3386263a6a97fd49007f613d2707067ece0f5246022569225ca709b2751c58dc8d26ff06882b700b97ebae12ea32e090a065747f527

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\service.conf

Filesize
2KB

MD5
f4ed3eed96268fd302564314f62fc360

SHA1
f97817e4de7929df01a93720f68ec6021a6961ae

SHA256
f245c2ee82f74dd8ee2ca914958b40f165ffb4fad33ee6d28907e245b2bdbd6a

SHA512
2ef94734f2dfd9f2c791dbd30d99491968a72d6b4ceb06f407aaaf7f6ccf3a67aafb81789c238515bec18b7d029826ef3195e361097af63eb1b3cf1765fea462

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\service.conf

Filesize
2KB

MD5
ec657da228ba426e7efa57f4125cb987

SHA1
7483024ac0fc3ff968edba4a5a66602d8d1a4a18

SHA256
1623a0da155c28cfe680ab92c9fe41aa1b92f6249673d03c8b9a0908484be2b8

SHA512
cbed807b12a7c7ae18ff32600358247d417775ac8be8f524bf4b6f2710623f6a492bae2ed1694e2a9dffdc79571eee615495d6558342d86a686bf37eb6f266d0

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
612B

MD5
730162a7fa33411f55985288913aef2f

SHA1
3da04eae711adc60067d221677fdec2107521270

SHA256
2c1aca4eef5d829a6a5254b749a26106291199cf84dbb5c2432fe9d8c22097dd

SHA512
803093667f5b9226adc7894c017078a4f63cf6b235bff6c72396e0ed0653e6ca5ce36224d3ab753701816193bbac8120825d6d5917138928e3e4036add5d136c

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
733B

MD5
b395782d4c5c3a8633c6776480d3942f

SHA1
24d5abcb606277fe6b12f089810ac321ba404dea

SHA256
f3d9713a9dcfe93bbb6acb8c1b995aaedc85589c449f8bfc3beefbd2eff2810b

SHA512
915ca87c4db2e3905f55a3fc34fbe7ceba4b61ad0ded476824414547f021a79cfc2209da01718856e4b77701ebde1b0fa82999bb51527d83ce7778bf54d08b6e

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
802B

MD5
ed32e3df203f788cc1d1cb9f21bc42ed

SHA1
a90529997a667e04a50c17bda3024632348c6ec8

SHA256
c5e080ad3a4aed2fa9817d8bf6a068d1d5b1653c599497a4b726fb3af23dcaaa

SHA512
5d00ac2f9c8da320ef36596986bb19c78c1cb3e44d2d0853b013673ad274b64ac5b3b8aa590122c6550ed13cb42c9a10f41ed4cf646c08dc687d6b57d4c2876b

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
424B

MD5
8a9052e1d6ba443317ad2baaeb796dce

SHA1
11ef3bb58f7af78f692996497df2ff70db404a74

SHA256
1c04cf5bcb64566c17b40d9f97b836639ec6522068f93e9cfbb10ee419f49f47

SHA512
cb2164098cbdd9bf43a692d65e16c94fdc9d29b5f448cffdd7f22c58892d4b24a922a888e9cbd1b57d1042228851ab8176634d9d544c810bf5efe4b29c0e0741

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
ffcc20bec125b6ea69538cfbfb829f2d

SHA1
7b7cdac550cd4bfa44b1cc5ecd47d4b5da0702ef

SHA256
e4f00d1b31ce7f8e01b84ef3f90d2d74d46d65d56d92dde0e7ce172a21a3a2bb

SHA512
cdc34f6d686f16b7b1708df969e7b172a6ba9c0cd289b994c9a699dcf4998c92c79da7a7654ff76b7a524e686c40db23cb433174a4c90ec916d6343268fcd3e9

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
f6760cf9fe56ef2d95b7013c42bace8d

SHA1
9a163c7e0ad87a1e4716a9e180c9d4c5c7405af3

SHA256
ab02eb719075e5a34f28b78481627ee5d4abf3c8dfe038f86b69569782d76456

SHA512
6818bb9041a1a0b6903b3574652427f74269318b45d5949387e8e63c175bf86a70c62fd6e561702107d379c2dda4c46e2e057c896a583fe106d6e536a0df9796

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
6KB

MD5
d7d4365cf39023f861682afdd63433fe

SHA1
03b27104a7465ec79d9ba3090d9d771c27428010

SHA256
22cf41a274a1585379867352e837d71b97d4f04efa2bdcc20a3fdbfd000a2179

SHA512
e36de2b58066bdb33c3c3f0381e1f58e6a519e36a3409c9c3ccb71a4efed34776a0e1dcef38392f710fb1503d55acc44c49d40bf20bdf79423cccb354944fb09

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
6KB

MD5
53762d729a2612f930300bbcadcb9f77

SHA1
3a873479e6e95c41efd84521a5c00998edd9ae1c

SHA256
2266a2f4323a8428e861d4e8fc2ae2558f6da7c2b2f9bdf403c99baab6bf8d94

SHA512
550879747936979eb19085e427183b43108fb08bc85fa2a266190007fbd956945c97a5b9a5191a3feca24748b8dc420eb0e169b621aba37f7c041633c85477f9

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
9f3009df12a30e36816334167adb8e89

SHA1
6838637ecf365127667d16cc684ab6fe1f6702c7

SHA256
d1afc1c72d80c12aa6fcda405e561458a084d6973e04758b0497658ce42d38f3

SHA512
50dca660466a421791566a0ba2074a402cbef49fd96c17a37e0d34990a9a5c7acda69aac21223be27d9ca40b8ee5d594633be44e678fe0c0f85f2f57c202a7cf

Download Submit
memory/2332-27-0x0000000000260000-0x0000000000261000-memory.dmp

Filesize
4KB

Download
memory/2332-122-0x0000000001200000-0x0000000002937000-memory.dmp

Filesize
23.2MB

Download
memory/2332-41-0x0000000001200000-0x0000000002937000-memory.dmp

Filesize
23.2MB

Download
memory/2332-250-0x0000000001200000-0x0000000002937000-memory.dmp

Filesize
23.2MB

Download
memory/2332-19-0x0000000001200000-0x0000000002937000-memory.dmp

Filesize
23.2MB

Download
memory/2332-269-0x0000000001200000-0x0000000002937000-memory.dmp

Filesize
23.2MB

Download
memory/2648-249-0x0000000001200000-0x0000000002937000-memory.dmp

Filesize
23.2MB

Download
memory/2648-18-0x0000000001200000-0x0000000002937000-memory.dmp

Filesize
23.2MB

Download
memory/2648-268-0x0000000001200000-0x0000000002937000-memory.dmp

Filesize
23.2MB

Download
memory/2648-40-0x0000000001200000-0x0000000002937000-memory.dmp

Filesize
23.2MB

Download
memory/2648-108-0x0000000001200000-0x0000000002937000-memory.dmp

Filesize
23.2MB

Download
memory/2648-31-0x0000000000180000-0x0000000000181000-memory.dmp

Filesize
4KB

Download
memory/2916-23-0x0000000000D00000-0x0000000000D01000-memory.dmp

Filesize
4KB

Download
memory/2916-144-0x0000000001200000-0x0000000002937000-memory.dmp

Filesize
23.2MB

Download
memory/2916-0-0x0000000001200000-0x0000000002937000-memory.dmp

Filesize
23.2MB

Download
memory/2916-33-0x0000000001200000-0x0000000002937000-memory.dmp

Filesize
23.2MB

Download
memory/2916-251-0x0000000004C80000-0x0000000004C81000-memory.dmp

Filesize
4KB

Download
memory/2916-252-0x00000000042E0000-0x00000000042E1000-memory.dmp

Filesize
4KB

Download
memory/2916-253-0x00000000042F0000-0x00000000042F1000-memory.dmp

Filesize
4KB

Download
memory/2916-21-0x0000000000D10000-0x0000000000D11000-memory.dmp

Filesize
4KB

Download
memory/2916-4-0x0000000000120000-0x0000000000121000-memory.dmp

Filesize
4KB

Download
memory/2916-102-0x0000000001200000-0x0000000002937000-memory.dmp

Filesize
23.2MB

Download
memory/2916-1-0x0000000001200000-0x0000000002937000-memory.dmp

Filesize
23.2MB

Download
memory/2916-270-0x0000000001200000-0x0000000002937000-memory.dmp

Filesize
23.2MB

Download