55e4ce3fe726043070ecd7de5a74b2459ea8bed19ef2a36ce7884b2ab0863047

Analysis

max time kernel
65s
max time network
98s
platform
windows10-2004_x64
resource
win10v2004-20231222-en
resource tags

arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
submitted
18/02/2024, 02:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

AnyDesk.exe
Size

5.0MB
MD5

a21768190f3b9feae33aaef660cb7a83
SHA1

24780657328783ef50ae0964b23288e68841a421
SHA256

55e4ce3fe726043070ecd7de5a74b2459ea8bed19ef2a36ce7884b2ab0863047
SHA512

ca6da822072cb0d3797221e578780b19c8953e4207729a002a64a00ced134059c0ed21b02572c43924e4ba3930c0e88cd2cdb309259e3d0dcfb0c282f1832d62
SSDEEP

98304:NzTZ3cINQscs0m++LNkT6OpwDGUUH57yvZ/49Mr8EO3QhA9Kq:Nzt3cINQscNmvLCwDkHEvZ/4R79x

Score

5^/10

Malware Config

Signatures

Drops file in System32 directory 15 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_96.db	AnyDesk.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_sr.db	AnyDesk.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_custom_stream.db	AnyDesk.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_idx.db	AnyDesk.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_16.db	AnyDesk.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_256.db	AnyDesk.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_1280.db	AnyDesk.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_exif.db	AnyDesk.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_32.db	AnyDesk.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_48.db	AnyDesk.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_768.db	AnyDesk.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_1920.db	AnyDesk.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_2560.db	AnyDesk.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_wide_alternate.db	AnyDesk.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_wide.db	AnyDesk.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AnyDesk.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	AnyDesk.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2708	AnyDesk.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
1044	AnyDesk.exe
1044	AnyDesk.exe
1044	AnyDesk.exe
1044	AnyDesk.exe
1044	AnyDesk.exe
1044	AnyDesk.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	1044	AnyDesk.exe
Token: 33	3652	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	3652	AUDIODG.EXE

Suspicious use of FindShellTrayWindow 6 IoCs

pid	Process
2708	AnyDesk.exe
2708	AnyDesk.exe
2708	AnyDesk.exe
2708	AnyDesk.exe
2708	AnyDesk.exe
2708	AnyDesk.exe

Suspicious use of SendNotifyMessage 6 IoCs

pid	Process
2708	AnyDesk.exe
2708	AnyDesk.exe
2708	AnyDesk.exe
2708	AnyDesk.exe
2708	AnyDesk.exe
2708	AnyDesk.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
3404	AnyDesk.exe
3404	AnyDesk.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2396 wrote to memory of 1044	2396	AnyDesk.exe	85
PID 2396 wrote to memory of 1044	2396	AnyDesk.exe	85
PID 2396 wrote to memory of 1044	2396	AnyDesk.exe	85
PID 2396 wrote to memory of 2708	2396	AnyDesk.exe	86
PID 2396 wrote to memory of 2708	2396	AnyDesk.exe	86
PID 2396 wrote to memory of 2708	2396	AnyDesk.exe	86

C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
"C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe"
1⤵
- Checks processor information in registry
- Suspicious use of WriteProcessMemory
PID:2396
- C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
  "C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe" --local-service
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1044
- - C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
    "C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe" --backend
    3⤵
    - Drops file in System32 directory
    - Suspicious use of SetWindowsHookEx
    PID:3404
- C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
  "C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe" --local-control
  2⤵
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:2708

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x49c 0x410
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3652

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\gcapi.dll

Filesize
385KB

MD5
1ce7d5a1566c8c449d0f6772a8c27900

SHA1
60854185f6338e1bfc7497fd41aa44c5c00d8f85

SHA256
73170761d6776c0debacfbbc61b6988cb8270a20174bf5c049768a264bb8ffaf

SHA512
7e3411be8614170ae91db1626c452997dc6db663d79130872a124af982ee1d457cefba00abd7f5269adce3052403be31238aecc3934c7379d224cb792d519753

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace

Filesize
5KB

MD5
af827540dbabfbb62b689af7b302ebef

SHA1
bc3218d0994259ae80a18911042a498a5275fe36

SHA256
892a7bf525030b3470457556c924fc21fc921a8889c27506f621efddc8855365

SHA512
4e0121e9fd9f8edc7074d43551bfd1467406eb98255f6d8282a6f82401ca4ce58f1d2091e6a8773423681d0ea2c619a6f117fd14d8e46f595aea4359dc22fe38

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace

Filesize
6KB

MD5
e0ed60176eef16f1fef114023842ac61

SHA1
c36c2aa07efbdb1f5bee757fd0fbc0db9faf4ee8

SHA256
b76549e4e23a40d9bc384441509e7699c43c54620df0f1ea1309e993da51e453

SHA512
e17be1ebc68f82718789d4348fa594014bfeaef44b1ef5930357d918bc68bc2717b86225b6b72420225c777a171b15882c71d528f3410771751324a39e328eb9

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace

Filesize
36KB

MD5
e85470429316f43aa96931589b7dcfd2

SHA1
bbdde7c67476a4a9a21327258ef45f29954df1d9

SHA256
9219b7362634ebe3ab115b64821361e3c7d844397297ccb431bc1ae9dfb383fd

SHA512
c69d3fa6d08751ac640da6bb47da1b9f944e84da68d5ebc1c0d69209bb5d83e0a2e36173a4760336ebe459b45d97e8e75e345f3d11c2f40544dd899d22977073

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\service.conf

Filesize
2KB

MD5
eadd011a632683a189e4a277e074e183

SHA1
070b725ceadd167633c02d7661dd015b4f83b607

SHA256
30a6ccad031f68566a0eb2a6f49906228ee09f08d75ff4e32d3038a83208c0c7

SHA512
0a673f5298317b4c6e2a4fd5de01f851b1dfccf80bd5334a4f832116844cfaf71724805d9ee519f2ad4f0e6cdc24cb4a0451f377e1fe67aa27a56ea54c9f6924

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\service.conf

Filesize
2KB

MD5
85d08010a3b3ac29d7b87ed58f21dc96

SHA1
6e86e4b6b2ce65db43bd9bdc48111aeeb8c32e05

SHA256
d2a1f2e1d219a9e16858019dc44153c8da28301a8813ed50018a842fae1f4aa3

SHA512
fe3072d93bacbd2e04f9173f19c5e918f8a555c0b9ddb6f0297ba120d0b069d0534cdbb9ff0991cd3773018cbe698e96f1ee96eace5e17399926a28e092ea66d

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
681B

MD5
667f3dbc61c9dae5b443e55885d10b3e

SHA1
adec31050983deea7ac38b61f309fff59552c776

SHA256
811a1cd95149180fdcfe1e4b087e20f6b26fcd01e07670e1363238ba194a1e1d

SHA512
85c8d183c76baf9b7c2aa967278b787f7ebc6122c2589dfea8558e4be730e8c337c2a7488df740084476c5a9c8ce068ea51abfec9e282efa6090626090b41e58

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
802B

MD5
4db4ce01ae71308ca8a13b36f2d253b1

SHA1
17c7bbb5664280189e1bc6ac47be9d0a47b16316

SHA256
77c6d5a3bdac41437ddbb011d13c83e293e1a0e4484c10e11aefce9ad87b163c

SHA512
55c6940742f0131ad17ea21551879b160dcadd42cce20ffb5bc850575b61796544ffcff5ebd65a91398fde9db2680a907257fb6c688f41429b9209aa90b334e6

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
312B

MD5
0c04ad1083dc5c7c45e3ee2cd344ae38

SHA1
f1cf190f8ca93000e56d49732e9e827e2554c46f

SHA256
6452273c017db7cbe0ffc5b109bbf3f8d3282fb91bfa3c5eabc4fb8f1fc98cb0

SHA512
6c414b39bbc1f1f08446c6c6da6f6e1ceb9303bbf183ae279c872d91641ea8d67ec5e5c4e0824da3837eca73ec29fe70e92b72c09458c8ce50fa6f08791d1492

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
424B

MD5
1ced7eade835f1c5c32460043ec06958

SHA1
214f1f2602cd1f79f307015868ac14f94160e2b5

SHA256
485859e306fd6a5850a020868fd3c7271188dd4344251aa21d8d31bbecef588e

SHA512
f61521b5f626cddabdf73ce5ab23a8ddaa925e27a25b632d8f3cc6a69003c1000d5c64c0986fb61a0365bb074ed200d67cab08c48747f6a90874e570cae4cd30

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
2KB

MD5
99246dcc03148c538dcd311eb6152e38

SHA1
bea19f8da5ba8de824aba677bb7e3fdd0a21a18c

SHA256
ac5253561bffb2a61fe32d03f7af0af4b3784312a987dee24f3b7cfca90b6a26

SHA512
785ae7c4d1731cd0103510ecee0498f18d97d6a45aa4ec144b8cfab9055a942f6fb514adc1ded8bca8d7e445ca5e4f5a75afc6b75472a3dbc128a9ae7acae96c

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
3KB

MD5
0914af239c2e78ddec53fbaf8751be9d

SHA1
4486f8b152de3b1e6e2d5845a600e6923ed0f106

SHA256
c5816ddb9cc16987486d2454a4f424226405bced45ea7ec5887a2306e87d8f3f

SHA512
b371b9b98c551c08bdb623d797b8371ac57a99114b4c7ff082bc220e4573b1e9f6f656770036ddd8e97770d0be822f7ecd65cb1b3110c02961e438eee2a0eee3

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
3KB

MD5
53776cead97d791a34fe21d25e232e89

SHA1
29857e4e356eb83f4b4279ab1e8d356622e87b71

SHA256
339513260f9196494c841291f5230a356ffb77e6d7b21697fb83dd6926a86526

SHA512
c27005262f672622cec0049a3cc4ba3d72463b9ea4b907a44834a246914046e2117cbf9e6a7a68e5e20314e0c196acb04cf8183c6aaf119825d481a9fc1bc4ef

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
dd1a83bfa342459acc19e89ce335900e

SHA1
bfc3a04248186dcb2dba99e23e197a53f9f1fc47

SHA256
92c568fa3f5f7d507f86d4091fb30ff20fc258354b8ee3eefe071bb9f9fc7cc1

SHA512
e9ac57c6bb1c50874136a23c3216d5e992e6fa956b8526070a77b8cff5035ec79a8c23bdcf271be22b4cd152858f39b90b8af0b32420054213aabe3715937441

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
3KB

MD5
42657dd76ced924441c71e0eeb1f7f7f

SHA1
be383a391d6de98a21ff6cab990c8637a2b55ecf

SHA256
8be841d0031fa8e4288b5fe00666c573b135580c9cee71dcaf8bade5be0fb0c3

SHA512
b611c6936032fcf5eee312fe23f3838016ecd54b78c934c7f362d3a889f458a6435dd730f355528bcdc9fbdc38773c4e7e254415f690ee315fc1def79454d361

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
6KB

MD5
a9aeea12566dde0d12be49006e17a655

SHA1
c77a9ac4cd397df096eeb6a95fbd6fbf03750749

SHA256
1679a9ec7eae6cf6b51e0eff73fc41ab9fd90cb18f3a2b18a284a9a5789089f0

SHA512
fa0bba3001ff4189745cf8a0ee785d2fc62cbaa84d8d32a8cfcb149fb2bb048a6f855193f6397b8b5169fb6c80ac8f5a5c56eea82f8998274e19ffb42dc8924a

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
6KB

MD5
78c852d474168ef91be9f71ab28b3997

SHA1
e70247675c299b2b5bbae71d999252ba09d87423

SHA256
0fbce0686dc7ce37293fa4dfb09e197fcec380e1c8b5ab6b4296613345f5812f

SHA512
46ba8437dc51c440348388b201666410afa0322a210d60242e7bee1cef2c1d265bc5363fffb7875dedf9e0e0c2f6a334f4c6165e98e9391ca2cd513adf8ccdb0

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
7KB

MD5
3cd4a8bafa227481237d2f31ce0505b4

SHA1
27f80e0b7560d0c55a5f7693863aa9a004256649

SHA256
61ba1ceaa5cac3e585a9b4be28e599b79fc52af927f16683afe9abf84dc50ffe

SHA512
db7e89448969c6dd937696d56b815b3438065be39b2df3d18542e29d77209042bfabd6919b318497bc96ed7864eda2cb5b6dee20dadaa95feae789648647cef5

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
e21d03313dfe04cd94db7aba7ac9001a

SHA1
b34366bd174a048e988b193e3ea4e2386763491e

SHA256
45187a695abf7655117b53221a8e51ad690672450d940929cd219e3ffb3132cc

SHA512
763a0273c2e0e2fdce7f974098b85eb5cd577792ef460e9b148af177aa8bea01a266769c00737122bf3e95f0ab9c868b27f58bc4711ab902cd0a4e4ee5ec29aa

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
dae47a897780ddb1f8e2d75d42c98d07

SHA1
1615ff1dc7584e3de261bc8f0d717577c46e0046

SHA256
234d25f09b57b8c1ca1c91275a842c5908cec9ee51a45faa540a2593f9df7500

SHA512
b4266b21a611ab1326a630a2d0ddd9fb93dc897e7e8aed99af65cd121b8016989a0f6c12848fef7df2915c18d3e920b7f23b02ab246d02c356871fe9406ab711

Download Submit
memory/1044-12-0x0000000000920000-0x0000000002057000-memory.dmp

Filesize
23.2MB

Download
memory/1044-257-0x0000000000920000-0x0000000002057000-memory.dmp

Filesize
23.2MB

Download
memory/1044-231-0x0000000000920000-0x0000000002057000-memory.dmp

Filesize
23.2MB

Download
memory/1044-31-0x00000000020F0000-0x00000000020F1000-memory.dmp

Filesize
4KB

Download
memory/2396-230-0x0000000000920000-0x0000000002057000-memory.dmp

Filesize
23.2MB

Download
memory/2396-1-0x0000000000920000-0x0000000002057000-memory.dmp

Filesize
23.2MB

Download
memory/2396-83-0x0000000008870000-0x0000000008871000-memory.dmp

Filesize
4KB

Download
memory/2396-33-0x0000000006150000-0x0000000006151000-memory.dmp

Filesize
4KB

Download
memory/2396-32-0x0000000006160000-0x0000000006161000-memory.dmp

Filesize
4KB

Download
memory/2396-227-0x0000000000920000-0x0000000002057000-memory.dmp

Filesize
23.2MB

Download
memory/2396-228-0x00000000078F0000-0x00000000078F1000-memory.dmp

Filesize
4KB

Download
memory/2396-86-0x00000000078E0000-0x00000000078E1000-memory.dmp

Filesize
4KB

Download
memory/2396-0-0x0000000000920000-0x0000000002057000-memory.dmp

Filesize
23.2MB

Download
memory/2396-4-0x0000000002810000-0x0000000002811000-memory.dmp

Filesize
4KB

Download
memory/2708-19-0x0000000002630000-0x0000000002631000-memory.dmp

Filesize
4KB

Download
memory/2708-11-0x0000000000920000-0x0000000002057000-memory.dmp

Filesize
23.2MB

Download
memory/2708-13-0x0000000000920000-0x0000000002057000-memory.dmp

Filesize
23.2MB

Download
memory/2708-229-0x0000000000920000-0x0000000002057000-memory.dmp

Filesize
23.2MB

Download
memory/3404-263-0x0000000006030000-0x0000000006031000-memory.dmp

Filesize
4KB

Download
memory/3404-271-0x00000000060D0000-0x00000000060D1000-memory.dmp

Filesize
4KB

Download
memory/3404-260-0x0000000005E70000-0x0000000005E71000-memory.dmp

Filesize
4KB

Download
memory/3404-261-0x0000000005E90000-0x0000000005E91000-memory.dmp

Filesize
4KB

Download
memory/3404-262-0x0000000006020000-0x0000000006021000-memory.dmp

Filesize
4KB

Download
memory/3404-251-0x0000000002460000-0x0000000002461000-memory.dmp

Filesize
4KB

Download
memory/3404-264-0x0000000006050000-0x0000000006051000-memory.dmp

Filesize
4KB

Download
memory/3404-265-0x0000000006060000-0x0000000006061000-memory.dmp

Filesize
4KB

Download
memory/3404-266-0x0000000006070000-0x0000000006071000-memory.dmp

Filesize
4KB

Download
memory/3404-267-0x0000000006090000-0x0000000006091000-memory.dmp

Filesize
4KB

Download
memory/3404-268-0x00000000060A0000-0x00000000060A1000-memory.dmp

Filesize
4KB

Download
memory/3404-269-0x00000000060B0000-0x00000000060B1000-memory.dmp

Filesize
4KB

Download
memory/3404-270-0x00000000060C0000-0x00000000060C1000-memory.dmp

Filesize
4KB

Download
memory/3404-259-0x0000000005E50000-0x0000000005E51000-memory.dmp

Filesize
4KB

Download
memory/3404-272-0x00000000060E0000-0x00000000060E1000-memory.dmp

Filesize
4KB

Download
memory/3404-273-0x00000000060F0000-0x00000000060F1000-memory.dmp

Filesize
4KB

Download
memory/3404-274-0x0000000006100000-0x0000000006101000-memory.dmp

Filesize
4KB

Download
memory/3404-276-0x0000000006120000-0x0000000006121000-memory.dmp

Filesize
4KB

Download
memory/3404-275-0x0000000006110000-0x0000000006111000-memory.dmp

Filesize
4KB

Download
memory/3404-280-0x0000000006160000-0x0000000006161000-memory.dmp

Filesize
4KB

Download
memory/3404-279-0x0000000006150000-0x0000000006151000-memory.dmp

Filesize
4KB

Download
memory/3404-278-0x0000000006140000-0x0000000006141000-memory.dmp

Filesize
4KB

Download
memory/3404-277-0x0000000006130000-0x0000000006131000-memory.dmp

Filesize
4KB

Download
memory/3404-281-0x0000000006170000-0x0000000006171000-memory.dmp

Filesize
4KB

Download
memory/3404-282-0x0000000006180000-0x0000000006181000-memory.dmp

Filesize
4KB

Download
memory/3404-246-0x0000000000920000-0x0000000002057000-memory.dmp

Filesize
23.2MB

Download