55e4ce3fe726043070ecd7de5a74b2459ea8bed19ef2a36ce7884b2ab0863047

Analysis

max time kernel
148s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
18-02-2024 16:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

AnyDesk.exe
Size

5.0MB
MD5

a21768190f3b9feae33aaef660cb7a83
SHA1

24780657328783ef50ae0964b23288e68841a421
SHA256

55e4ce3fe726043070ecd7de5a74b2459ea8bed19ef2a36ce7884b2ab0863047
SHA512

ca6da822072cb0d3797221e578780b19c8953e4207729a002a64a00ced134059c0ed21b02572c43924e4ba3930c0e88cd2cdb309259e3d0dcfb0c282f1832d62
SSDEEP

98304:NzTZ3cINQscs0m++LNkT6OpwDGUUH57yvZ/49Mr8EO3QhA9Kq:Nzt3cINQscNmvLCwDkHEvZ/4R79x

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AnyDesk.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	AnyDesk.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4996	AnyDesk.exe
4996	AnyDesk.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
3536	AnyDesk.exe
3536	AnyDesk.exe
3536	AnyDesk.exe

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
3536	AnyDesk.exe
3536	AnyDesk.exe
3536	AnyDesk.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2140 wrote to memory of 4996	2140	AnyDesk.exe	84
PID 2140 wrote to memory of 4996	2140	AnyDesk.exe	84
PID 2140 wrote to memory of 4996	2140	AnyDesk.exe	84
PID 2140 wrote to memory of 3536	2140	AnyDesk.exe	85
PID 2140 wrote to memory of 3536	2140	AnyDesk.exe	85
PID 2140 wrote to memory of 3536	2140	AnyDesk.exe	85

C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
"C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe"
1⤵
- Checks processor information in registry
- Suspicious use of WriteProcessMemory
PID:2140
- C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
  "C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe" --local-service
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4996
- C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
  "C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe" --local-control
  2⤵
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:3536

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\gcapi.dll

Filesize
385KB

MD5
1ce7d5a1566c8c449d0f6772a8c27900

SHA1
60854185f6338e1bfc7497fd41aa44c5c00d8f85

SHA256
73170761d6776c0debacfbbc61b6988cb8270a20174bf5c049768a264bb8ffaf

SHA512
7e3411be8614170ae91db1626c452997dc6db663d79130872a124af982ee1d457cefba00abd7f5269adce3052403be31238aecc3934c7379d224cb792d519753

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace

Filesize
10KB

MD5
d9d9db0a0281e327a84715f1588a50f4

SHA1
6da095eafdc3375380881f13252c0f45478a1944

SHA256
0a8f5ee2f9a3fbe879284a68a0c6e4108dd9579ef4e821c435214c8dc3decbb3

SHA512
ac4c085343f58177cbdde53e7a1cfa7b8398a83ad2bb90d241e4182cb8a6fd8586542df6d19cd5d8a23b4ef790107eb99ff5966423b03389d724fa5fbbce7d24

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\service.conf

Filesize
2KB

MD5
27a7f22b4da1f5113be3e976ab0c4b5b

SHA1
aff21f1f078edb77795087683cfb4edba80a9674

SHA256
5e249dd7ee224db0e7a9de449deb315a3a7cab213a31ccc524c92a8cb3060031

SHA512
7966040017712e91eb28d683c194fed9a96be2b16d3d678f2549c930d0c486e82ca05d413c82e49295ba9633be33dbd11cce56bc1bdf097a33c30e4d309b3ab1

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\service.conf

Filesize
2KB

MD5
a6de8c157c81a91d63cf1ba966d08003

SHA1
401e4a0dd74c8f5c195b5db7f0c6b86053f43316

SHA256
8cb6d22bf6e0755078403c46cd09681be81309295c5cf3b7a1799337efff0554

SHA512
112cafc16971504e74eaf8f0edd463217bc2c9c5834c2987c11ff6f8a7990870354cc35aa9f12e215440468e30d45af4177755433047b02dbb708ebbd0939d3f

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
612B

MD5
6b3573858b7c474fa2cf367e5af4174d

SHA1
dbac15bfc15ef2ea818557df0a87cf6ae8a7980a

SHA256
aebe6d0e515dd1534d113490b168827c56a7aa7539c96bf33abd6437897f2e69

SHA512
e9b346942dd56c4db7e222b57e4ac7819eb820abd4b445893ca79ef14a10835f0e8b86914fff398198ad62f818ea74ede22fdb79d9d53e303a2a143ae802ed5a

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
733B

MD5
98c8d5136eb7d3d62822c64967bb9285

SHA1
b048a1c5652608ff5bf2c64c4574cdea0e89b95e

SHA256
b130a1175e0b98d9d299fa877bda261f496a011bd539fd99f79e45e52763bfa6

SHA512
27b208755434ad84f3b494336ab00d2fd54988c7a44492609cb6305caa7692d3d18f633ec0ca981758efae42ccafbeb6e968afb7ddd0ce9f7160b3d91dd7cad6

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
802B

MD5
46fca33c883fb0dc9c2c330e5893c13c

SHA1
5e90e94d617dc918e87797249233a3c03a576242

SHA256
9d43a45c516a97c3cbc88f1e8a908cd32a0fd6b9ba93c04cb1f1dc3f4def70dd

SHA512
2e9a032a2e1c87321436f7a8696b54a4bf54db39a398d6cc3c4afaf6e1036224a075a8cb0dfbc08edf0df97f61cd4eced836609b1a591d465c2bba9ee57c6149

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
312B

MD5
0c04ad1083dc5c7c45e3ee2cd344ae38

SHA1
f1cf190f8ca93000e56d49732e9e827e2554c46f

SHA256
6452273c017db7cbe0ffc5b109bbf3f8d3282fb91bfa3c5eabc4fb8f1fc98cb0

SHA512
6c414b39bbc1f1f08446c6c6da6f6e1ceb9303bbf183ae279c872d91641ea8d67ec5e5c4e0824da3837eca73ec29fe70e92b72c09458c8ce50fa6f08791d1492

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
424B

MD5
7deff54b16499743fa96c98cd8e476d1

SHA1
594edb391921a297deacf9443506e74a646594da

SHA256
e5a51efe12f0071cd0f8424039a997c6a06ed69dfae2de9d4893c3b5240377f5

SHA512
26a01186b7d797a3c6c7c748286d274c66a5afa219c7dac5855df4db5d624070d26a56d756c66710b69044cb7d8e5f8c6a3e2b964ed9a39be3376733ba5df202

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
424B

MD5
b2414f797ab47d32d2d820dd92969ba4

SHA1
fd662cce1893cbeba0fd0a35ac4e53d00fca7589

SHA256
488213672b66260fc7c5c4eb77ae18994918346b167f1f99740f8d78706399c6

SHA512
3a163cabbfc332861cca77bd62d0443e7676373df3cbf4fbe74523bb1cf34aa60480939682bbdf46a27cf187209eaa3d8a01ef23455d24f6a1511f1ba5f6884f

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
3KB

MD5
432b3b0dd4ab3cdef83e58c86cb81517

SHA1
4a5b15e9f2f7f97bd8ca7327183d151e6de48fcd

SHA256
62423bc1b80ceb68ad8495772d6475a6aae8560f4d26a8844538f2d0b31a9ae3

SHA512
7bc0dcf74562c73ee9b3a25b1c7ef3e880d62b49593d18c75c18423d2cbb8d6ddff6daee8482f722521adf1757db486c1fc62b868d383dea2f933c944f9f6385

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
3KB

MD5
a1b51e6777a27faf1785ce6cf0079b36

SHA1
4fc7a1f407a48befc8cd1702587387dc0ed551b4

SHA256
fb4759fcbfed07e143cc34aae41cb1449059f12577a38ad28c308f1fcebd66f7

SHA512
ad7971f60c4a4996fdd05db263a687c5e24d9592506cedfbf22578895820acc129df2a648688fcfdd4cd4129628dbae88d85e3ca47f1a1146998f29607d31c4f

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
3KB

MD5
6bb21af564a588d8b5ccbabef21757fc

SHA1
a4dc83b7bdebe2a7b575180b3c005335852bc5ee

SHA256
2ed13ebbb1027ad85c7a45ccb2e1a301c020b781d690be5de59616a132406e6d

SHA512
2ba44c9a1a59b3c66c5087f24869334db80a2cf2930a5d3c10e859de395e1c3084562b1bc06db809ba647e33874d9133fe9a268de2249faf4af83bc103eab18b

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
93625f2e829e518bd98e9122978fa98a

SHA1
90807d5471abc16bea05d06ac3e7940647d374c4

SHA256
13ff5bedf841fd4bd3127db2e856e8d5cda13c5ae98054f2c06ce638306199eb

SHA512
8c5799f543b69638ab526f65263042b9d797b9a2740aca15c032b8cd4910a14aaca35e3c9959963931e54b71b094bb5230fe5062feb8119a17d9df4fca725f92

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
6KB

MD5
b6f4eab64f82df72ebdb740bf481ff40

SHA1
0b455a0b050fdefe2c7784555f446d32d4b6e404

SHA256
914ab8b1e32785bc3f7e83557b8be65145a5809d496f186ce44f05b3cf58f221

SHA512
5359cad5b72e40ee0d97a691e69acbc8111f436df6371c72988c2b6e43fb43f61f60045b885961f506b9b1f60d56a192a2ad147b69a0212cf147e3171d46f829

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
6KB

MD5
7cec55e0d8dbeb73275aa97a379461b3

SHA1
9c2c65d04a2aa6d542aeb5fb3a0d9e8344ec78a2

SHA256
a1fe7852c9d7e842d34b728ab271c18b637abc25d5b5e00479ae8c5bc8ee1252

SHA512
c43d7c84f9241492080260bed0bf2448bf66cfd7dff072df0a2e69a7af2a9fa0552c9321e6e5490f9ef25f5296bf52d134cc5a7164c16e41c89647ea7e873c0d

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
f44678f9169976718744339259b8bf16

SHA1
032d44ca5494531100b5982659f0665709a0caff

SHA256
28e2bb7bc6f60a7302dbe672985daa410abcdd7b8090eaa183d2dc79a3c93c3b

SHA512
7bae884ab37268a3431f21dc0157618bf254efb607f35236d331389acf6eea54c75eb00530a30f075856368eaf2275116e982a428a256a81d101209bb8af4cb9

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
36e9b0155ddee1fb11e8dcf35cb71346

SHA1
a0d83c1dda8742464e6e9b052823e1ae6f07bb64

SHA256
19e9e44abc89c8911c05a0c2cf4a9f2d523e14de1c5e6e387c4fae26f3b3d48b

SHA512
35b7cc129f03a991846829209acb824c632a3d45559c24db7fe33f484264c187a1fd7bfed92e6ed8c649de41efd7f8ba4197e68187649872cc51619c9b902548

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
43de62db843e0e5de7e9a87186c7c1fa

SHA1
287574d7ea66f590d205c2dded270bd2a9ae82a9

SHA256
04b3fcbd50c57abf5758e5cd1749e492802feca7b5768719592ac7a4ae01abea

SHA512
8440b48eab295bd1f678c8328f1f3c1c3fc08ed183b63d4c7ba272f1e34556f681876f878065248ef789b4201e486bb56d51d3378ab12070e6ac278d7bf9a323

Download Submit
memory/2140-28-0x0000000005A70000-0x0000000005A71000-memory.dmp

Filesize
4KB

Download
memory/2140-115-0x0000000007200000-0x0000000007201000-memory.dmp

Filesize
4KB

Download
memory/2140-83-0x00000000007C0000-0x0000000001EF7000-memory.dmp

Filesize
23.2MB

Download
memory/2140-0-0x00000000007C0000-0x0000000001EF7000-memory.dmp

Filesize
23.2MB

Download
memory/2140-114-0x0000000008050000-0x0000000008051000-memory.dmp

Filesize
4KB

Download
memory/2140-1-0x00000000007C0000-0x0000000001EF7000-memory.dmp

Filesize
23.2MB

Download
memory/2140-22-0x0000000005A80000-0x0000000005A81000-memory.dmp

Filesize
4KB

Download
memory/2140-264-0x00000000007C0000-0x0000000001EF7000-memory.dmp

Filesize
23.2MB

Download
memory/2140-3-0x0000000001F40000-0x0000000001F41000-memory.dmp

Filesize
4KB

Download
memory/2140-218-0x0000000007210000-0x0000000007211000-memory.dmp

Filesize
4KB

Download
memory/3536-29-0x00000000024B0000-0x00000000024B1000-memory.dmp

Filesize
4KB

Download
memory/3536-263-0x00000000007C0000-0x0000000001EF7000-memory.dmp

Filesize
23.2MB

Download
memory/3536-11-0x00000000007C0000-0x0000000001EF7000-memory.dmp

Filesize
23.2MB

Download
memory/4996-32-0x00000000023B0000-0x00000000023B1000-memory.dmp

Filesize
4KB

Download
memory/4996-262-0x00000000007C0000-0x0000000001EF7000-memory.dmp

Filesize
23.2MB

Download
memory/4996-13-0x00000000007C0000-0x0000000001EF7000-memory.dmp

Filesize
23.2MB

Download
memory/4996-12-0x00000000007C0000-0x0000000001EF7000-memory.dmp

Filesize
23.2MB

Download