55e4ce3fe726043070ecd7de5a74b2459ea8bed19ef2a36ce7884b2ab0863047

Analysis

max time kernel
150s
max time network
158s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
19/02/2024, 19:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

AnyDesk.exe
Size

5.0MB
MD5

a21768190f3b9feae33aaef660cb7a83
SHA1

24780657328783ef50ae0964b23288e68841a421
SHA256

55e4ce3fe726043070ecd7de5a74b2459ea8bed19ef2a36ce7884b2ab0863047
SHA512

ca6da822072cb0d3797221e578780b19c8953e4207729a002a64a00ced134059c0ed21b02572c43924e4ba3930c0e88cd2cdb309259e3d0dcfb0c282f1832d62
SSDEEP

98304:NzTZ3cINQscs0m++LNkT6OpwDGUUH57yvZ/49Mr8EO3QhA9Kq:Nzt3cINQscNmvLCwDkHEvZ/4R79x

Score

5^/10

Malware Config

Signatures

Drops file in System32 directory 15 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_32.db	AnyDesk.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_768.db	AnyDesk.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_1280.db	AnyDesk.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_wide.db	AnyDesk.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_wide_alternate.db	AnyDesk.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_48.db	AnyDesk.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_1920.db	AnyDesk.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_2560.db	AnyDesk.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_idx.db	AnyDesk.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_16.db	AnyDesk.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_96.db	AnyDesk.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_256.db	AnyDesk.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_sr.db	AnyDesk.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_exif.db	AnyDesk.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_custom_stream.db	AnyDesk.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	AnyDesk.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AnyDesk.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
3336	AnyDesk.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
4856	AnyDesk.exe
4856	AnyDesk.exe
4856	AnyDesk.exe
4856	AnyDesk.exe
4856	AnyDesk.exe
4856	AnyDesk.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	4856	AnyDesk.exe
Token: 33	2124	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	2124	AUDIODG.EXE

Suspicious use of FindShellTrayWindow 7 IoCs

pid	Process
3336	AnyDesk.exe
3336	AnyDesk.exe
3336	AnyDesk.exe
4672	AnyDesk.exe
3336	AnyDesk.exe
3336	AnyDesk.exe
3336	AnyDesk.exe

Suspicious use of SendNotifyMessage 6 IoCs

pid	Process
3336	AnyDesk.exe
3336	AnyDesk.exe
3336	AnyDesk.exe
3336	AnyDesk.exe
3336	AnyDesk.exe
3336	AnyDesk.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
5008	AnyDesk.exe
5008	AnyDesk.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4672 wrote to memory of 4856	4672	AnyDesk.exe	83
PID 4672 wrote to memory of 4856	4672	AnyDesk.exe	83
PID 4672 wrote to memory of 4856	4672	AnyDesk.exe	83
PID 4672 wrote to memory of 3336	4672	AnyDesk.exe	84
PID 4672 wrote to memory of 3336	4672	AnyDesk.exe	84
PID 4672 wrote to memory of 3336	4672	AnyDesk.exe	84

C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
"C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe"
1⤵
- Checks processor information in registry
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:4672
- C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
  "C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe" --local-service
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4856
- - C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
    "C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe" --backend
    3⤵
    - Drops file in System32 directory
    - Suspicious use of SetWindowsHookEx
    PID:5008
- C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
  "C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe" --local-control
  2⤵
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:3336

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x320 0x518
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2124

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\gcapi.dll

Filesize
192KB

MD5
1077fac63a246cfc5efbde46dab16f78

SHA1
ce1fb969d7f17640a5e3aa483a58ae32af644ac4

SHA256
7bc1c25ff3c29801251e465f2bae31f342217ddc36dc8cb275e7a80b51b816bc

SHA512
dc392f32bf05cdf2a47344971943e2339cdaa0c81605a158f6976604f15425739e5c22b304140459821b3fc92308c4321a05c794fc785225d40626ffc942923a

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace

Filesize
9KB

MD5
7eaa6da01db8108a9e4f61542c0b06ce

SHA1
6d945fea6a6ebf3f3ed665dc074de5f333576f54

SHA256
9343fbb6745fe96b0d034196d93548be400b888fac40f4972af0bf370b09cca0

SHA512
7ee11b2ada6d9f4540d68896ac68d4d82553e9856aea55ea236921c53d786646dd839b2123093fe42971779e6d85d431c6dfb9f9a503f71ebf43989a96508b6e

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace

Filesize
36KB

MD5
7a351d89e7ade2575cce0e9ec55d00d0

SHA1
953d8439c62c8a8ec93ca8c72d9fc23e0f9b23f6

SHA256
f04e33089408ea13c9dbdd8159bdf63c51eae33ba49cefe9b17cf66349eabaa7

SHA512
56510b8feff9b5005f380079342e98f4057cfbd8c75411c491dcf05b1ff217ad8a32c8b5145f19bd88023fbbe52583dcbbc4238fdc38021197600d8a3a6ab55e

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace

Filesize
9KB

MD5
121451c8f49286638c3f42f25bdac074

SHA1
07612a4b9491afa7bbefc3d036cb50e550c1c85d

SHA256
2dcb95783b90a7a915a80589e14b629dc8fdc769b42a870fd835889ccb297f03

SHA512
9ec9888abfe25644659fce284f5d2f1768cb5c66e8bac05963e61ef9e7aa6f170e8213052b48e966d72235f88385ffc8f8359ed3d383fddb75f4b2bae715c1a4

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\service.conf

Filesize
2KB

MD5
409bf40a6b850e67d8db90d25b25c49c

SHA1
b8546b3d4700b83b627b9987479f69ee345b87ee

SHA256
7205c58b0ce384778693055ea65ce0616a57d9f94c631fc0518978eda3796849

SHA512
ea3771f4ec222f27eb0b23a2aa4c145fec80dc3157eaa7616817e3f470fc4efbaee8c916666c4db444668a4c7bfa7a1d6d36b09452da522bec404a7962fd3e4d

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\service.conf

Filesize
2KB

MD5
2063188d342e637620efb24c04baa9ca

SHA1
ae4a6b99ca1f35ff9666f01717d9cec8cc883a99

SHA256
ec42d7d7f4d4ec25f05e56cc8a23882e7db68fe2fcce611355ee21609b2a99eb

SHA512
adf0c088a426589d3aeab21fde281c05163e1456fea94e41f7d54200114324e1bb27689bd1f39b689aac963b34beec528d0bec28c34b9d2736f7db7e1c3ec5a8

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
681B

MD5
fa31c2b216d4f494fd71d1c03954a0b8

SHA1
92907183276a560bf9104fc5d77391c635c5135d

SHA256
c26766c601ef6363de4ff9a26a03dfaedcd3d341a3e6192d13c882734c76f4fd

SHA512
913eb3780995cb1ceb2caf1df54152a2098e1375c81c432b4e6dafa51945c0fc9f00372eb7ca910416e7dda58c037b7e674ae554034c9275ae1e0b76eacc7bd4

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
802B

MD5
d841d714400d86672a194f6234c478a2

SHA1
88587f898a8f8988e584cde7e41af204090e767c

SHA256
71b6de78ff4a9e7a9c773ad24ab02f863ed86070da5be5e58c1a5dbcf85a2e42

SHA512
1ff3720a5e547bf4443b8fcbe797d9accb0355f0097f25ac9690d98d4a606cde4cbf87240e616f5b208fdbbe44c263a2af3ee1548245575e4c6e0f88595493cc

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
424B

MD5
69c076a2974d4054289f5c3a02027f7d

SHA1
2ab01381c7501dda7b45b3f932460f3c52b651f3

SHA256
f73b1fc06b994548a914cd22ada254f5378051717ed0727df2c04e9db189d088

SHA512
12bae8580b701fe6e11724d8659ae9e110c7419a0f5f50c6636d901260dcf39aaaefa1d43ee37ced46ec4b0250add7c603ad2f2d7223e4c939e88c899b022919

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
2KB

MD5
282dafd0718dd1fc17248b856f4e2a0f

SHA1
fb935718f704cf34e2e76db364e27c4062993009

SHA256
3b888741e60855e035fb73b3e9e3dcd7ea0cd7b454448f883af8f470cec9bd3e

SHA512
8e673fd7c403e833f8bc4c98e41d94fcba00642dfbe408d10ea6901019c984e4ff18ad28d6303362a54b5690fd00e1abafcf09efcae63271745220c472b0140c

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
6KB

MD5
14e24d28bec20a85f6a0ee7081010345

SHA1
09aa5038f793c759564c92be925a3d9fa5e045c8

SHA256
190940dd8197a8aaca337c4018be117427516c0d382dafc5f6f8f25fc48a52cb

SHA512
5d9b3dfdc51ac9a021d41f656ec6b242517ed1c281ca065b66b8957dd1681a3177e4055ad33a44625dfddd11bb8fafb70e405ca8e100b47f5e766d3a7b1e7148

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
f213dc9beb16bbeecbb73b9f76b59c30

SHA1
3171a6b08a9579d5dcdc4e23713e200542f9ced9

SHA256
3ff00912677dea5390c01bf5e546b0a60f65e00e32786179e25d0717291ff335

SHA512
cd94309eb88025bfdaf206cbf342ea180f2d546eb93c88ef87b353072ae5a92179298a13f1bb75e23686ae24c7ef44b703771419c5dcd1df380e21c27ab184f7

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
6KB

MD5
c3d1908294fd5106d5c58477b016193b

SHA1
add63aaed69ad43e3c861a35c0b3e2c561dce4cd

SHA256
49d5a8210a049aa5a33855291c7b34388533736e7877301c5a891fec9b0909c9

SHA512
a9963ef036522d837ca7bab4b145438e787b142f04d999e3ad073d3bfe3ecc7cca25ba87d960280c3d303043c8808795bec990d46ab0b19803ea89a666516879

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
6KB

MD5
90a579497c31656e64ff8e79810a1d81

SHA1
854d3d9bd20e0cabe6d26d7d1d9f49bec5da0a81

SHA256
20831b0ae0e761187882876154aabdc9bc7b1476262d87d3752b366a82982ffa

SHA512
169e3f25eeac35945420802cebf1489610186b905d1ba6d4c6a1a46cdcfc2f6084f91e088324ac6495b04171547c3009080442902ae648c56e1e8d261a2284e4

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
7KB

MD5
4ae990f8fb05f27e3060dc901b93a85e

SHA1
63137ce15d3f9532a03a4a8fcb967ab1563a457a

SHA256
969bb46a635895367bd36621dccffa929f326a19550fa97f626dbb83a3a9af55

SHA512
2fb213f053bd00a837e83edd2358848ee970abcd97075e7015c84ac7a2e96f5ca321ebf455c89c49e9c74f371ddbfb41b261a5a959020746584f3cf93fb4e30e

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
f0d54e7e24fab09b2edbbefb0f0157e5

SHA1
c02968cf54897a64b20e43cf17307817ab181d0d

SHA256
7a442d7f42e291c8e9bb84ec25804e148253d636f5636ef3e38ea581e4716fdf

SHA512
955f7d0ba512e0ae5199a2788097c000b97e00f9111910e1621a7e4065d936f4ecd5530854a7e5a8edf85df055d5c8c99c843e58eb753a609a28485231b5c9c2

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
77c84b4e4910c45778bbe9c5893d0ce5

SHA1
a485dda1f26ae370df5f4d9b3029abd6970c9706

SHA256
94051427a34a3e932a8eac59b302a8a84fa018bfc36f665d20eb0d30e912a7c4

SHA512
b7272f6e3c3afba4df5626f8fdb309858fe80b7bc9f4ce68aaf7995ef0b7c6db89bb369996a08e1ac1b5fc8a73bc691565664bf7c0b17f3253df9c729d73af93

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
fce8fec74105092c6d2790789187779b

SHA1
338e071d606f9a431edf545bb432701f422ea076

SHA256
8247825c6de7f24b6e6842659b6aab031c144b9f1d7b141fe92474ad6423ce74

SHA512
ab373f89df8e4e08e7840ecd69e50d19c229703883ad97e9d3eb944a65e40adb811f434dd470eb7b6de6e83176baeeb9cda9f15272a423d30503672623b53e65

Download Submit
memory/3336-20-0x0000000000D50000-0x0000000002487000-memory.dmp

Filesize
23.2MB

Download
memory/3336-301-0x0000000000D50000-0x0000000002487000-memory.dmp

Filesize
23.2MB

Download
memory/3336-232-0x0000000000D50000-0x0000000002487000-memory.dmp

Filesize
23.2MB

Download
memory/3336-30-0x00000000028B0000-0x00000000028B1000-memory.dmp

Filesize
4KB

Download
memory/4672-18-0x0000000006000000-0x0000000006001000-memory.dmp

Filesize
4KB

Download
memory/4672-96-0x00000000085D0000-0x00000000085D1000-memory.dmp

Filesize
4KB

Download
memory/4672-97-0x0000000007780000-0x0000000007781000-memory.dmp

Filesize
4KB

Download
memory/4672-17-0x0000000005FF0000-0x0000000005FF1000-memory.dmp

Filesize
4KB

Download
memory/4672-6-0x00000000025B0000-0x00000000025B1000-memory.dmp

Filesize
4KB

Download
memory/4672-1-0x0000000000D50000-0x0000000002487000-memory.dmp

Filesize
23.2MB

Download
memory/4672-229-0x0000000007790000-0x0000000007791000-memory.dmp

Filesize
4KB

Download
memory/4672-230-0x0000000000D50000-0x0000000002487000-memory.dmp

Filesize
23.2MB

Download
memory/4672-0-0x0000000000D50000-0x0000000002487000-memory.dmp

Filesize
23.2MB

Download
memory/4856-261-0x0000000000D50000-0x0000000002487000-memory.dmp

Filesize
23.2MB

Download
memory/4856-231-0x0000000000D50000-0x0000000002487000-memory.dmp

Filesize
23.2MB

Download
memory/4856-310-0x0000000000D50000-0x0000000002487000-memory.dmp

Filesize
23.2MB

Download
memory/4856-26-0x0000000002BF0000-0x0000000002BF1000-memory.dmp

Filesize
4KB

Download
memory/4856-304-0x0000000000D50000-0x0000000002487000-memory.dmp

Filesize
23.2MB

Download
memory/4856-19-0x0000000000D50000-0x0000000002487000-memory.dmp

Filesize
23.2MB

Download
memory/4856-300-0x0000000000D50000-0x0000000002487000-memory.dmp

Filesize
23.2MB

Download
memory/4856-22-0x0000000000D50000-0x0000000002487000-memory.dmp

Filesize
23.2MB

Download
memory/5008-286-0x0000000006390000-0x0000000006391000-memory.dmp

Filesize
4KB

Download
memory/5008-290-0x00000000063D0000-0x00000000063D1000-memory.dmp

Filesize
4KB

Download
memory/5008-275-0x00000000062F0000-0x00000000062F1000-memory.dmp

Filesize
4KB

Download
memory/5008-274-0x00000000062D0000-0x00000000062D1000-memory.dmp

Filesize
4KB

Download
memory/5008-273-0x00000000062C0000-0x00000000062C1000-memory.dmp

Filesize
4KB

Download
memory/5008-280-0x0000000006330000-0x0000000006331000-memory.dmp

Filesize
4KB

Download
memory/5008-281-0x0000000006340000-0x0000000006341000-memory.dmp

Filesize
4KB

Download
memory/5008-282-0x0000000006350000-0x0000000006351000-memory.dmp

Filesize
4KB

Download
memory/5008-284-0x0000000006370000-0x0000000006371000-memory.dmp

Filesize
4KB

Download
memory/5008-283-0x0000000006360000-0x0000000006361000-memory.dmp

Filesize
4KB

Download
memory/5008-285-0x0000000006380000-0x0000000006381000-memory.dmp

Filesize
4KB

Download
memory/5008-277-0x0000000006310000-0x0000000006311000-memory.dmp

Filesize
4KB

Download
memory/5008-288-0x00000000063B0000-0x00000000063B1000-memory.dmp

Filesize
4KB

Download
memory/5008-287-0x00000000063A0000-0x00000000063A1000-memory.dmp

Filesize
4KB

Download
memory/5008-289-0x00000000063C0000-0x00000000063C1000-memory.dmp

Filesize
4KB

Download
memory/5008-276-0x0000000006300000-0x0000000006301000-memory.dmp

Filesize
4KB

Download
memory/5008-291-0x00000000063E0000-0x00000000063E1000-memory.dmp

Filesize
4KB

Download
memory/5008-293-0x0000000006400000-0x0000000006401000-memory.dmp

Filesize
4KB

Download
memory/5008-292-0x00000000063F0000-0x00000000063F1000-memory.dmp

Filesize
4KB

Download
memory/5008-294-0x0000000006410000-0x0000000006411000-memory.dmp

Filesize
4KB

Download
memory/5008-295-0x0000000006420000-0x0000000006421000-memory.dmp

Filesize
4KB

Download
memory/5008-278-0x0000000006110000-0x0000000006111000-memory.dmp

Filesize
4KB

Download
memory/5008-279-0x0000000006130000-0x0000000006131000-memory.dmp

Filesize
4KB

Download
memory/5008-272-0x00000000060F0000-0x00000000060F1000-memory.dmp

Filesize
4KB

Download
memory/5008-302-0x0000000000D50000-0x0000000002487000-memory.dmp

Filesize
23.2MB

Download
memory/5008-266-0x0000000002720000-0x0000000002721000-memory.dmp

Filesize
4KB

Download
memory/5008-306-0x0000000000D50000-0x0000000002487000-memory.dmp

Filesize
23.2MB

Download
memory/5008-307-0x0000000006650000-0x0000000006651000-memory.dmp

Filesize
4KB

Download
memory/5008-308-0x0000000000D50000-0x0000000002487000-memory.dmp

Filesize
23.2MB

Download
memory/5008-262-0x0000000000D50000-0x0000000002487000-memory.dmp

Filesize
23.2MB

Download