55e4ce3fe726043070ecd7de5a74b2459ea8bed19ef2a36ce7884b2ab0863047

Analysis

max time kernel
96s
max time network
101s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
21/02/2024, 10:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

AnyDesk.exe
Size

5.0MB
MD5

a21768190f3b9feae33aaef660cb7a83
SHA1

24780657328783ef50ae0964b23288e68841a421
SHA256

55e4ce3fe726043070ecd7de5a74b2459ea8bed19ef2a36ce7884b2ab0863047
SHA512

ca6da822072cb0d3797221e578780b19c8953e4207729a002a64a00ced134059c0ed21b02572c43924e4ba3930c0e88cd2cdb309259e3d0dcfb0c282f1832d62
SSDEEP

98304:NzTZ3cINQscs0m++LNkT6OpwDGUUH57yvZ/49Mr8EO3QhA9Kq:Nzt3cINQscNmvLCwDkHEvZ/4R79x

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AnyDesk.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	AnyDesk.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2876	AnyDesk.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
2992	AnyDesk.exe
2992	AnyDesk.exe
2992	AnyDesk.exe

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
2992	AnyDesk.exe
2992	AnyDesk.exe
2992	AnyDesk.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2492 wrote to memory of 2876	2492	AnyDesk.exe	28
PID 2492 wrote to memory of 2876	2492	AnyDesk.exe	28
PID 2492 wrote to memory of 2876	2492	AnyDesk.exe	28
PID 2492 wrote to memory of 2876	2492	AnyDesk.exe	28
PID 2492 wrote to memory of 2992	2492	AnyDesk.exe	29
PID 2492 wrote to memory of 2992	2492	AnyDesk.exe	29
PID 2492 wrote to memory of 2992	2492	AnyDesk.exe	29
PID 2492 wrote to memory of 2992	2492	AnyDesk.exe	29

C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
"C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe"
1⤵
- Checks processor information in registry
- Suspicious use of WriteProcessMemory
PID:2492
- C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
  "C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe" --local-service
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2876
- C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
  "C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe" --local-control
  2⤵
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:2992

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\gcapi.dll

Filesize
385KB

MD5
1ce7d5a1566c8c449d0f6772a8c27900

SHA1
60854185f6338e1bfc7497fd41aa44c5c00d8f85

SHA256
73170761d6776c0debacfbbc61b6988cb8270a20174bf5c049768a264bb8ffaf

SHA512
7e3411be8614170ae91db1626c452997dc6db663d79130872a124af982ee1d457cefba00abd7f5269adce3052403be31238aecc3934c7379d224cb792d519753

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace

Filesize
7KB

MD5
4717d149bca3a08cfddab7f1f7394311

SHA1
026ebb8dd01c5aecdfb4b881955644b58a08a694

SHA256
481462f13d40eb1229026779256d40cd4d73e3e1a2ef9eaad0d3f60704740db8

SHA512
d4fc8a49c709ab54122700e690b0dd0dd02f5bb20f335e8bdb1e494a9bf8b39f78831c145bc6100c7ce11fbddb476e70e5b31a2373887c61c65c7813138b9eec

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\service.conf

Filesize
2KB

MD5
845eb922473f59eee152ca01c8f17a35

SHA1
63c43d4ad497ea25d1ab76a4e24c4c2e53b30f36

SHA256
91fe2e26cdc8d917b6d80492d9385f8a2e06d3f95564f325beaacbdca20fd0f7

SHA512
67442b04c345d74aefe370fc1edd737cd8051f838b103165ca7cb5dad6f85219ca3d5749160f62264f8f28ffff7e1757002fdaf21a33fbc84995298413dfbc0f

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\service.conf

Filesize
2KB

MD5
b3f1b0f92e834dfa0c7803c58714e1a6

SHA1
dd13947007971874385555d4d622d35289db3e86

SHA256
ea7e871012a4d579ec3977170805268ccab068f23e4a9629ec209fe16b3f7ab6

SHA512
1b7e2e79bd8388f0f855f5125c5b732ae1f69e3f39199b5805f40196ee66939e99033575449b44956d23b74091834012eca7f55d12274c8c7d3c409c1927bf99

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
612B

MD5
064b182a4ffac84fb326bc6713ec1a57

SHA1
c9f93336b75d197f92e6f721eee528b598b728ca

SHA256
4bb811a7b07e47591a7155ede9f0ad2252ecef6a1c5962937dc1bd4d823067d0

SHA512
29e44f68bbeac2ec0b3e254965dfdb28dd20b446e5c5670fc0e271ff0d66eae309ee0d3c5fb605cdb07ef3ebb9b97acc13adc16edf581cbd673dc2b752cdda05

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
733B

MD5
0b2630e61999b893cd8c38b82fd940a4

SHA1
a36b49109d012598680dceb660e164cba2866083

SHA256
1e5aef5532cc4ac125b4277fbd685941076c0c7bff4f2bc85bd6f449644326b0

SHA512
ac00a6db42491e0b6e4970e6cfd1286633cf74485a77b10d0cd6acd13cfff2dc4ec5c4fff76d17bd692b979e63a10e383e88112f2d0cc22a2eba6cada8979731

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
802B

MD5
4dfc48139b45faf1a790fbf0586c4d1e

SHA1
34ed339de5a768b945098f8ce6795c7c0c831fea

SHA256
bbf4ab9c8dcef57defb94404baf6d34eba4f70c9d4d9d718e8209bdccfd25b9f

SHA512
ab006f8aeb1db5997503b37802031fab019d79a8d6c34b91ad24a31c6765b4e56968e843b59ddea8cdd270f08a7bcd98bab98a2dd1730adf102a3dd821bf2501

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
424B

MD5
0294d6199e1d3f4ed8c19021d6f247fa

SHA1
59ff9ef1023616f30979a58f66a739dad9c1bec3

SHA256
ee10cb97b3d4e0067d3f34f879a130f459640a2401fede703b35912fd846c7b4

SHA512
9c6b1bffb83e4d9784e0cb603e196e7ee9f29bdae98b38f004e1fce87d90f5c49087663c5513b0e48b1214ad034049aeee81e35ff8aeeafd32329a1e89131c43

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
424B

MD5
76f50d8421a34b19584d432360605f06

SHA1
fd0c18ffb7ee9f71aa0da807a6ee663d8545fbf0

SHA256
775fdd0d38def10603bc50ae4e0aa79cf831609024bbaf38d6fcfcc4dfdd5820

SHA512
247c6733966e35dfd339b41db4d674e28d72956b4377849933508438c24ec2946bbdfd7b667077ba0e23f3d333378c4434a820bb3ee206326d0b38577b08620a

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
2KB

MD5
7599f0c709ffee46e800a6fe596b2ca3

SHA1
7b116dcfaf350e1625aee87c73581f843ccd59c0

SHA256
97abb9c81cd84855956f976f8a8b879439b8d872b523d0fb6795c690ea10dbc3

SHA512
ea92eb9bfcc806ae43dd2a78a27d4402bcd06be5b16f5dd6b86b3b5556e79e81c7cb979b678216dc481cdff3436f2ad3381a4246f65e89d276450bca2df1981f

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
3KB

MD5
23fc6d42e4fba0b72d1add9fc4059706

SHA1
d2df4d973e4bce38110ddfc3858fd6472a6880de

SHA256
df7cfe189fe56b49e3c8ae455169c03b74731b41437ab4bc8b4773a70dcca0d3

SHA512
c3e8a9fa0b12447481c8e3f0b5e7893de9567195abda93f37391a9ac7ec51fcd20f1ab4fc42347d40f8eb71b4e88561e8b0a61119d40c5b6d36ea5afd1159cd1

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
9749d6125a4abc71901481bfa3339cc3

SHA1
9a94212c1585ca18ef75c72a3b416cb4cfd540bb

SHA256
b9a5df7966bc7b42af3a5f2672f2870ff5b410916cffea7f330c75a88624d486

SHA512
7623a172c3f56603fc790cdefd168e4ad719560dfcbac2b2de90662fb2a08013bebc651eccf546fe544e67b037aee6ee48db2ee9c8762dae304c94a77572cf8e

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
6KB

MD5
2dd235faffdbb01d84481beefeacae83

SHA1
5753458b57c2afee417bcea86f1c6cc52697de50

SHA256
b93ba23b9b33c383ddfb466c464835e36cc7e28c3e34454ca19edef2c6614f02

SHA512
c5d3e6650286e447242ff2fe76be601741b0446356490cfed36491b669b76ecf8c4ae8b50a6491b33f2e53b365afe518d2b15b2f3cb950e5c4b1930b6dfa0c12

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
6KB

MD5
02d5d88bb652bb708461e4a3be7a4b8d

SHA1
dd61010bd2967e531cefdf91b0d2b9b516faa2a4

SHA256
ea3813fa102ad549ba1010561d1f5e9adab766edebe2615944b31f0af2437c66

SHA512
1127b373c4ca45963dcdb427dfe8500622d339f2e53831fff1ce840cb28f1bb1954fada53730bc47f930a33074dd8f1a63119d7bac348ffd5a54effd294ecaa5

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
6KB

MD5
f0132da864297850d25ea2ea3f68057f

SHA1
6b9aa4e6f9deafca2161b52ce258454be2b4d7e3

SHA256
e839b60f676d8219513ba61404053c5643367e262ec75e68c6d634085df4885a

SHA512
8de1af885b631dfb3650c593c72fe8bbfde819b2ec0443dd9c504a41e6a4aa9908d5e57341cfc3cfa506d5b0d59fd0fd8eacd75da6812637665115a487d8aef2

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
6KB

MD5
eb601a6964036ac860ffcfb95e7d8822

SHA1
3360b5d41722266596e45b7111e32366f7fe90f6

SHA256
3ed2e3c223fc063283f488acb371f0a7536ac991328ba44a7b4f8bc4bb9147f9

SHA512
45a7ae3d76406fd9151d7073d58dbcc823cca0ab522fdd42a0657c6c5a2abdf01801c2a22cbc3b446a971a75a078f5d0558eef29a8fa967882b225b80f2c07c0

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
6KB

MD5
7d176bdc5d65b50ddce89a1b5bcf7dc6

SHA1
1991672f2eae63e980a8493e14b15b41b2a834ff

SHA256
21e597d2f4d261dab0bd40303ec23dee6b1a3ab10b42c76c9c057c6cd859047c

SHA512
378d29a650f4f27667c995c542d39c603729d5f636665f40cdf67e4635b37f8ba5156772b8247b3bfae0d0b05fa69a83df606c748ac3e0baad00a16f42f7f7f0

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
6KB

MD5
0e9cd371f7e924506ba3d9998a1a66ec

SHA1
8f7c545109a491e693eaf9599f02379052ae6a6c

SHA256
78399932e151b3fdc98fc981981869a78c5dfb74b0b9f82a4faf62e2c19c1dbc

SHA512
1739074f751550ca91a6319e228a64b37a467481021118a6f9ebfc0be1d0323c6eb129eec31c494156cd17e615be513fcb1c93e7c3856fbd4c2980271315b8be

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
6KB

MD5
65815d260d18aa9ea8afad8891625906

SHA1
76c3f4f915061fb3d36340711526fa9b92023f3e

SHA256
3e8737d1fc44399021ba03ed67d66465f3471fc085e2d154087058eafabe4946

SHA512
e8b86911878ccb352dd4ffe24a65b6a214be21e010a375490b6727a9f35f095751f6b01ed16ef1755a60695d8990a5d2a0257b54414344bafa32d8fcc55f44f7

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
884ddc41f73bbc15621df017ae2cc407

SHA1
05671f14971fb5888b6eec19898ff7411139f71f

SHA256
9b69a09aff9ef9ed27869b274e2c5133722c665111bc697cdab033688c65a79b

SHA512
61f214ce4ecb083aa0c92f3939faf0b3dfcec1d06bb10641c867c223222ed041a101ffa303448677464742e1ed5d9908e0f049a6c6154e01b8c1fb26ca6c6f39

Download Submit
memory/2492-100-0x0000000004760000-0x0000000004761000-memory.dmp

Filesize
4KB

Download
memory/2492-0-0x0000000000BE0000-0x0000000002317000-memory.dmp

Filesize
23.2MB

Download
memory/2492-239-0x0000000000BE0000-0x0000000002317000-memory.dmp

Filesize
23.2MB

Download
memory/2492-99-0x0000000004FF0000-0x0000000004FF1000-memory.dmp

Filesize
4KB

Download
memory/2492-21-0x0000000003C00000-0x0000000003C01000-memory.dmp

Filesize
4KB

Download
memory/2492-4-0x0000000000280000-0x0000000000281000-memory.dmp

Filesize
4KB

Download
memory/2492-238-0x0000000004770000-0x0000000004771000-memory.dmp

Filesize
4KB

Download
memory/2492-55-0x0000000000BE0000-0x0000000002317000-memory.dmp

Filesize
23.2MB

Download
memory/2492-23-0x0000000003820000-0x0000000003821000-memory.dmp

Filesize
4KB

Download
memory/2492-1-0x0000000000BE0000-0x0000000002317000-memory.dmp

Filesize
23.2MB

Download
memory/2876-236-0x0000000000BE0000-0x0000000002317000-memory.dmp

Filesize
23.2MB

Download
memory/2876-19-0x0000000000BE0000-0x0000000002317000-memory.dmp

Filesize
23.2MB

Download
memory/2876-29-0x0000000000330000-0x0000000000331000-memory.dmp

Filesize
4KB

Download
memory/2992-36-0x0000000000120000-0x0000000000121000-memory.dmp

Filesize
4KB

Download
memory/2992-18-0x0000000000BE0000-0x0000000002317000-memory.dmp

Filesize
23.2MB

Download
memory/2992-237-0x0000000000BE0000-0x0000000002317000-memory.dmp

Filesize
23.2MB

Download
memory/2992-242-0x0000000000BE0000-0x0000000002317000-memory.dmp

Filesize
23.2MB

Download