5b70972c72bf8af098350f8a53ec830ddbd5c2c7809c71649c93f32a8a3f1371

Analysis

max time kernel
1799s
max time network
1796s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
19-02-2024 14:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

AnyDesk (3).exe
Size

3.9MB
MD5

d9f15227fefb98ba69d98542fbe7e568
SHA1

248795453ceb95e39db633285651f7204813ea3a
SHA256

5b70972c72bf8af098350f8a53ec830ddbd5c2c7809c71649c93f32a8a3f1371
SHA512

76f8fb624bdf303f7ce7db234775b30385146734aa5e94830efc0601aa7a056d30f37d59c6f86a6ed0ab59da3134bd3a2a07402d08474e4e34a2000e6eea27aa
SSDEEP

98304:4FuXMFkEMXhX1cjJZWp51o1xCw3YnoBWr+/vf8A:4FuXMFkdXZMJu5ujb3YnosSXf8A

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AnyDesk (3).exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	AnyDesk (3).exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2940	AnyDesk (3).exe
2940	AnyDesk (3).exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
4404	AnyDesk (3).exe
4404	AnyDesk (3).exe
4404	AnyDesk (3).exe

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
4404	AnyDesk (3).exe
4404	AnyDesk (3).exe
4404	AnyDesk (3).exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 548 wrote to memory of 2940	548	AnyDesk (3).exe	84
PID 548 wrote to memory of 2940	548	AnyDesk (3).exe	84
PID 548 wrote to memory of 2940	548	AnyDesk (3).exe	84
PID 548 wrote to memory of 4404	548	AnyDesk (3).exe	85
PID 548 wrote to memory of 4404	548	AnyDesk (3).exe	85
PID 548 wrote to memory of 4404	548	AnyDesk (3).exe	85

C:\Users\Admin\AppData\Local\Temp\AnyDesk (3).exe
"C:\Users\Admin\AppData\Local\Temp\AnyDesk (3).exe"
1⤵
- Checks processor information in registry
- Suspicious use of WriteProcessMemory
PID:548
- C:\Users\Admin\AppData\Local\Temp\AnyDesk (3).exe
  "C:\Users\Admin\AppData\Local\Temp\AnyDesk (3).exe" --local-service
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2940
- C:\Users\Admin\AppData\Local\Temp\AnyDesk (3).exe
  "C:\Users\Admin\AppData\Local\Temp\AnyDesk (3).exe" --local-control
  2⤵
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:4404

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\gcapi.dll

Filesize
385KB

MD5
1ce7d5a1566c8c449d0f6772a8c27900

SHA1
60854185f6338e1bfc7497fd41aa44c5c00d8f85

SHA256
73170761d6776c0debacfbbc61b6988cb8270a20174bf5c049768a264bb8ffaf

SHA512
7e3411be8614170ae91db1626c452997dc6db663d79130872a124af982ee1d457cefba00abd7f5269adce3052403be31238aecc3934c7379d224cb792d519753

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace

Filesize
10KB

MD5
ea343ddc319bc412cb20411c98dd5b8c

SHA1
300ca03356e4b5a53998dad7454e043d46d48796

SHA256
c926d1aa40754ca273d9e6574efc78e2616c5430de2bdde891417275d5059404

SHA512
701990e806955def5d15d5881c5e740e3ba6e2583821c565a457e5552301416eff76d4c6415311cd03d99c1921f863216bf951958ea76dc1da22e66aee865d1d

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace

Filesize
7KB

MD5
2970434a326abeed395d671f317a4271

SHA1
4decc32273cf674cc28899012312a998e21dfcfd

SHA256
c6fd55b74ea29b1c3af058739dc3d0d9854c00990e4f12954a0830867d2e3b44

SHA512
4549f8ea3cda449e2b510310215c81185910c69fb21876f5f1cc27c63b00b07089a724fbb227414d65d42a437156b66b7b864593feeb82c8561d04610e83a38f

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\service.conf

Filesize
2KB

MD5
45d50a9a468f76d3ed97e7051a06961a

SHA1
88d8c582e22725f67e92ef8ef3f7c6bf57d8538b

SHA256
a8d974bd60352970fbd654b29fd350da865f1781a7ee59ffb1ee91c6cff46a98

SHA512
de06a37ab44865bf47ddbed9d4f20d2851ceeb04cd0d8f7a7b8f1f956cef171910bf17ed0b7016064ee5c0d55515ef212f4ffd5fa604a3cbea3cf772f043d780

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\service.conf

Filesize
2KB

MD5
2a10d4f909646def48b497920f884c3d

SHA1
5175a1004e1e7954ae2233108c0aae8619641f88

SHA256
7ad03f1001c79c93e38a501037b25f8ba7cd43be02edc40cc46a5aa8830e0b90

SHA512
e01f95405e2256049215f05f4b5bdee2ba2a67d485390161e689f1a82125319fe40e322ec34170ee717d4cd300b21c2c79686498cdf2e518668b08aa51227a9e

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
612B

MD5
075f405e3fa67ea5a3ce605011c26281

SHA1
15ea49cfac7886e61511274b97d8a99c66aa604a

SHA256
1ba69476264fe72fd8aef2b30b0ba8c2e0563ae8b5b74f268a908f62ca9d9f5e

SHA512
a0348529c7c02cc27f0e52dfd3efe46fab7a402c50e8367a233cb63027a17e1d87622fae2a9dae072b5e80fb76cca76120cf594bbce3afc1ed87d16896f3f088

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
780B

MD5
96e208c86f8986396f6b71eae2fc400f

SHA1
52db293c229ba668a7ffc7201cb5322eb347e203

SHA256
f2048019b351464823ecbd3f679b5117636fd90ec17f1b4d0ff06e3b2fbbda81

SHA512
dd7ee61f805a78e00a73dbf4165968bb7d186e68c31c858a6afe1ff7f5870aa97384d29edce4e6e144c55261d7bf0be35e28b2df19b7fc03e43ff05ad0b74a85

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
849B

MD5
ec2e38a1c71b61ede353d68164fc00fa

SHA1
3aa1681172a75637aff5419ef4bcff8f36a6ddd0

SHA256
50899e65f09df7c3f46a853a118d8adbc818951d73e239432f017d971df730a5

SHA512
5aaf76c2f66ae3725340e992426cca4976107f279a945365fbb4c0ae99cb28166b153dee094292863eb036afcc09168faf74bd0711c953c306f1386f40798735

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
312B

MD5
0c04ad1083dc5c7c45e3ee2cd344ae38

SHA1
f1cf190f8ca93000e56d49732e9e827e2554c46f

SHA256
6452273c017db7cbe0ffc5b109bbf3f8d3282fb91bfa3c5eabc4fb8f1fc98cb0

SHA512
6c414b39bbc1f1f08446c6c6da6f6e1ceb9303bbf183ae279c872d91641ea8d67ec5e5c4e0824da3837eca73ec29fe70e92b72c09458c8ce50fa6f08791d1492

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
424B

MD5
777226945ca86a6bc9e383914f1f65a0

SHA1
170c6960dbbb0ea100e4f3d7ca3d37caa1ac9239

SHA256
4e875ec24d4da7cca288d2b8e2b35a1217b813055c04ff63a4e82cdc5781e355

SHA512
da385b74a339b405de0ee519a9553061984025546f1c129c948c03c7972a220fa80b3cbd3dfb302aef5c0144e39a0bf3bed49f87c07ed39ef722f529977f0fa8

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
424B

MD5
bfe45952220721070a4b053a9fc467c7

SHA1
8228d1041509fc16ff75c29cc1b2e5c89c1b054b

SHA256
b128f9db2e7587b3fc2085843b4e620e164104c0b87513beff645c3c958e3278

SHA512
504556b3ecdc8ea9493fcef5305282474acb49763ddd61e30040ddf23d29def2364d4b144869a6270a2491a43eb91a6712b9c0e8b8f42e1dae2aaad7786afb8f

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
6KB

MD5
c1569dbae38f7c606a8435838e5e9a03

SHA1
a887a5eb855fe40cb00780a671e3696004e8921f

SHA256
2c00c47341d6a06864fa7dff8ef6482fdfa0b17b53112e25fb39f90ef96628a1

SHA512
266a77dddd81644c0fd747345f0a659eb6611dc28c0128393bcb8f8d90add1c50c0b5a85ce49c2550d4161877d932a50d75351bdbcd1f869e191b6965df37400

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
61052acc3a1938f62292e5e239cb0829

SHA1
e8281e87b2619e5dab7d626581689654fa309d10

SHA256
84e821e06235c560e02d7bee8e4ac6b063ac266eda7bbd2404757aea3b6b52f6

SHA512
3483df84a8c4eb9331260b9b015966ecc5ce31291b3e8b7b1d1a0e6b3252cfc6e5c8f1257bac7dd6ce06b16b6d53c25df43170d4ee6d00a6e544a620d30dd764

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
6KB

MD5
d5418fe5cbe5025cf62d1298356315e1

SHA1
c7f8851a40b53559ef39df5abf91f16d6a034a0e

SHA256
23dc4e9f8f32f16e884a85dc0e298721adf8d4d530ec6484b382e5548ea8af5a

SHA512
c0bf28ab0afa83e5003d52dfbae0b910827971dadd2b8756bd110e45528f33a15063841aa4b84aef0f70a4d11ad9c45498476b92db691e38e8a7865915206275

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
480cdea48ade12facaa51d7741592776

SHA1
d31dae67a57d169c0f3f908016df9369ab1ee83b

SHA256
aa5c184daf2cee474333ab2361e4c331ff1809aafcf9d6ca1e37726f8d537124

SHA512
5fe006a8959474798135d89c6ad9440b2656273f92151074ef45a229db937bd6b4b9749c69253d17aea9115f974a5e8c324fc9d0f001f0ee708450b1e95e1a50

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
574de321a25eae8b47d3bb23f4cc0ae9

SHA1
1bcc839ae9e9fc978e1d0bd3d850b599d3c4a51a

SHA256
bbd0645565f7089c09363b8da18ce639a4e83f39aebc751a4d1bd28e723ba8ee

SHA512
9c28f53fdffe583431a669a4f5a03d7de63049587aa42bacd47c334c409e9609e6c48794bd35a63c59593739e0ecaf3dd49ad2b94eeb26c65d131d649c8c9729

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
fabedcf79bbdf726c1eacdd1a3453549

SHA1
73301a1134f8215dc5f3a250a65bf2d3e3695a45

SHA256
24da377d7585e37be3c34863cf449771c130abde13680bd66e9207b23713f709

SHA512
75d3a2a9ab04c61c7e57da0123a912cc9383487b48e252818fc357b4edbbdb329618e01660c46a635d95be6650c91c181bd7d93313e4f482d0f13d98540707d3

Download Submit
memory/548-3-0x00000000019D0000-0x00000000019D1000-memory.dmp

Filesize
4KB

Download
memory/548-0-0x00000000007D0000-0x0000000001854000-memory.dmp

Filesize
16.5MB

Download
memory/548-93-0x0000000007E60000-0x0000000007E61000-memory.dmp

Filesize
4KB

Download
memory/548-24-0x0000000005720000-0x0000000005721000-memory.dmp

Filesize
4KB

Download
memory/548-27-0x0000000005710000-0x0000000005711000-memory.dmp

Filesize
4KB

Download
memory/548-1-0x00000000007D0000-0x0000000001854000-memory.dmp

Filesize
16.5MB

Download
memory/548-209-0x00000000007D0000-0x0000000001854000-memory.dmp

Filesize
16.5MB

Download
memory/2940-11-0x00000000007D0000-0x0000000001854000-memory.dmp

Filesize
16.5MB

Download
memory/2940-10-0x00000000007D0000-0x0000000001854000-memory.dmp

Filesize
16.5MB

Download
memory/2940-210-0x00000000007D0000-0x0000000001854000-memory.dmp

Filesize
16.5MB

Download
memory/4404-29-0x00000000007A0000-0x00000000007A1000-memory.dmp

Filesize
4KB

Download
memory/4404-9-0x00000000007D0000-0x0000000001854000-memory.dmp

Filesize
16.5MB

Download
memory/4404-211-0x00000000007D0000-0x0000000001854000-memory.dmp

Filesize
16.5MB

Download