55e4ce3fe726043070ecd7de5a74b2459ea8bed19ef2a36ce7884b2ab0863047

Analysis

max time kernel
102s
max time network
99s
platform
windows10-2004_x64
resource
win10v2004-20240220-en
resource tags

arch:x64arch:x86image:win10v2004-20240220-enlocale:en-usos:windows10-2004-x64system
submitted
21-02-2024 10:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

AnyDesk.exe
Size

5.0MB
MD5

a21768190f3b9feae33aaef660cb7a83
SHA1

24780657328783ef50ae0964b23288e68841a421
SHA256

55e4ce3fe726043070ecd7de5a74b2459ea8bed19ef2a36ce7884b2ab0863047
SHA512

ca6da822072cb0d3797221e578780b19c8953e4207729a002a64a00ced134059c0ed21b02572c43924e4ba3930c0e88cd2cdb309259e3d0dcfb0c282f1832d62
SSDEEP

98304:NzTZ3cINQscs0m++LNkT6OpwDGUUH57yvZ/49Mr8EO3QhA9Kq:Nzt3cINQscNmvLCwDkHEvZ/4R79x

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AnyDesk.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	AnyDesk.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4808	AnyDesk.exe
4808	AnyDesk.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
1004	AnyDesk.exe
1004	AnyDesk.exe
1004	AnyDesk.exe

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
1004	AnyDesk.exe
1004	AnyDesk.exe
1004	AnyDesk.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 3640 wrote to memory of 4808	3640	AnyDesk.exe	86
PID 3640 wrote to memory of 4808	3640	AnyDesk.exe	86
PID 3640 wrote to memory of 4808	3640	AnyDesk.exe	86
PID 3640 wrote to memory of 1004	3640	AnyDesk.exe	87
PID 3640 wrote to memory of 1004	3640	AnyDesk.exe	87
PID 3640 wrote to memory of 1004	3640	AnyDesk.exe	87

C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
"C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe"
1⤵
- Checks processor information in registry
- Suspicious use of WriteProcessMemory
PID:3640
- C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
  "C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe" --local-service
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4808
- C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
  "C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe" --local-control
  2⤵
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:1004

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\gcapi.dll

Filesize
385KB

MD5
1ce7d5a1566c8c449d0f6772a8c27900

SHA1
60854185f6338e1bfc7497fd41aa44c5c00d8f85

SHA256
73170761d6776c0debacfbbc61b6988cb8270a20174bf5c049768a264bb8ffaf

SHA512
7e3411be8614170ae91db1626c452997dc6db663d79130872a124af982ee1d457cefba00abd7f5269adce3052403be31238aecc3934c7379d224cb792d519753

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace

Filesize
10KB

MD5
a4b06f5a5566ba611488c8d652bb1866

SHA1
28b712bc45a163cad1f711a380298d58bd07fd92

SHA256
d2c5aff464759c1f7480641260321f16cf1c4b1776bb9b600c4d2e3a964a660d

SHA512
9cb1efbf247aafa1bfe55943933e8f046f15ce72d2e3c697068b3388984d6f59fd3e55a89f7357bbef5f3386e25103716eb5b828bd4554eaf66b3cabb2b883fc

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\service.conf

Filesize
2KB

MD5
22d854f9a68b7b46c517ba6bbb57d326

SHA1
5ce32c6536bd7d3d0013bcc29652d526b92fe0db

SHA256
a13e948a1176f890af8ae32c168ba006cbd4ebf16f0afe452d7197679fc5aeb9

SHA512
1ccffa469ae56f7dbe96be867183efa847e8da7014d5dee79ae0314a5e6b4c3db0c779bbae0b81b4a4663dee6cf2579582594000c3fcc42c8f21ebde023a10ad

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\service.conf

Filesize
2KB

MD5
8f8eb5d69458e46f6d5f47ddef3853d4

SHA1
5b5d9cf04f34540d671b6c237badfa4cffb86fe5

SHA256
57f86f340152f5ca3f4deb0abc130111eb0d22cf0a7f2c9503b9a64d282323e2

SHA512
11c834fccc8db92025e7e3e62c1032d539544151387629df1399207fb020709c3989f8dcd845bed662e4977f9eae5fb3d0b5340def285a304591bd885bca69a5

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
680B

MD5
235230ad3a77b9c9e56b16cd65981e07

SHA1
df0c98c3e6a0217af0a25627fd7b3fa922df8571

SHA256
ea9c496b93172e68ea8e442dfec9ffd889e5483f03a48aca6dc630a9a296bcbc

SHA512
ae8b63fad97754dd8aef6f69dd3ea8f6d94ea057018332452469b3aaaa3f4024074eb89cfa7a4adb137e891d8803a551b253ed2cc8768e517e49a35e056c5a6e

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
801B

MD5
90ae88f327ac7a213a8333bca6f4d14a

SHA1
09abbe4380bb1f2eb7779ba15590e505952359e9

SHA256
f5f3609907ac89c38435ee53a2a4e1c335ea8e47f23f593668be1c115346099f

SHA512
b478492845dd28f100a11acbfe0bdbe43a8097c2255fc3632a99ca9c960e949fc373db58cfa522fdd3772f0f39c7cb05b47b06a715adb88c129354a69059e967

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
312B

MD5
0c04ad1083dc5c7c45e3ee2cd344ae38

SHA1
f1cf190f8ca93000e56d49732e9e827e2554c46f

SHA256
6452273c017db7cbe0ffc5b109bbf3f8d3282fb91bfa3c5eabc4fb8f1fc98cb0

SHA512
6c414b39bbc1f1f08446c6c6da6f6e1ceb9303bbf183ae279c872d91641ea8d67ec5e5c4e0824da3837eca73ec29fe70e92b72c09458c8ce50fa6f08791d1492

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
424B

MD5
b066145e4b87495f30cf577a5dc15572

SHA1
d0818c73eca41bffa5c9ae37679ba1ae02a8e9e4

SHA256
98abc2326453874435c78dc42b4225ce34ab8db88bd916f51ee866aae0e78638

SHA512
a85f2fb65d18529ddb17818e821895b8d5bf51b759f079d7cd439ea5c32be1cddab137b38f74e9781e3017432e366c716b5d4a37b1a2a15d692cd0efce91f7e4

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
424B

MD5
a99df81d48d76accb897f44dbf0a17af

SHA1
d9bfea70f7dbd41e43f2db2272487773de7b7b3e

SHA256
6c637e8965707069e9d03d1721122e8a42f3ae8927b12634dd6b5bdcab01ff4b

SHA512
7b3282e2d5401ed86f11f19ee312d06a02b50798101852a38f116d7c4af2ad35606cd8f776088d8671d96f5ff59f8d1676523238c51dcd8d50f4ff0c5066b1b0

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
2KB

MD5
264399717ae1b05c653ec3a098c7b024

SHA1
3c4c26a3fb6b438b3ed431d790af862f4d9c9127

SHA256
52e7fdcce82e8ad1b31fdad5bfefc7d11b8cd25a817d1a2de8ffd01ab3ddbfa3

SHA512
ba87639f6a206cbc8513f5a5996aa4a6ab9acddc60c1acba5df87d74dabdf89942617dfe435535a4b1809bddb1907b36c4a3f9af14855fed0558532d477ca21b

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
2KB

MD5
e03e6e7bd56bedc7ef40b938c1a711b2

SHA1
33af9e4d6cbdeb9a3bbaad78b364b95bc17b9750

SHA256
7c67e8e1f296040e8cdda2e6814451813364660c768501c39f5ad8d517a12ad9

SHA512
06966f212bef096feb45533e22d6794ba1b3cd1bc7b9b4b0b7a78ce1f48f3378e1e1c9247a6d4ff96393aa61813b46a2807207d3f4be07192c9900b8b5cefcfd

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
4a5d5c8df35f22f197c6029c50b157ba

SHA1
68f377a5752651a6bb4ee22070be05938d49b80b

SHA256
afb06888331d5db48a6da7c3aeac13edee8ab1f6ab52c1fd1bc87723dfbef965

SHA512
a99ab014ff7cd5a111e3c60798b6a5a73b44a2f11ce15cd569d5b345f088a2ab1141a204ba6e2046fb49431764be593a0d5fb5573ca0ffb26dfdddd96a941385

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
3KB

MD5
4b2686dab79fdd81ff1a2efc66825897

SHA1
d61e520ead7911f4b3a8dadaead97fb6209e2cea

SHA256
73affae073bd94e49d9264755b6719fafb6b1487b13a2547cd7ab29f4ce285b9

SHA512
0c6073b501ea2467763dae66c00a112495fdf208ef8582873f662881269f555a552b335b5b982741eef5e64e7ddc1acc55ad760b018ff991d2cd4076bd9a008e

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
3KB

MD5
c8b5cb6bbc6d0a51e99803a1dc47a203

SHA1
dbf43a13da80d5d2c8d024062a0b0d820e6471e9

SHA256
8321533c0887f4e0d1db7bff0def0923dca0b8f14b94eec9f84a738bd8c8afbc

SHA512
934d38a1c66446249f1e985afc8c058534ccfe915a30ec40091210b8817aaf6e5b3f7505efc541a8a25a5f7ceb8ec84dd33717a2fa40e9d3e583b9cbc8207001

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
6KB

MD5
be4b50dcd9560509c793c6aacf4d7756

SHA1
1196d0ff25ad71eada2c145539f0a6eaa99d2030

SHA256
023c835e77190026319e7e1ff0992f670f33b5277ea13483d28ecb060fa6b536

SHA512
c533f57256fdfbb8a66ac1e196502c1914cc519f791712eade012df2405b9fb9c9975936e2b87db1fa5aa53185a569ee739673823e4dd27c08aad4cfff4d2e3c

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
6KB

MD5
7e9e0bf07c3eb8c27de673e4d76daf57

SHA1
5fd5218586cc161be09d0326d0acaa4c4b258598

SHA256
c8fcce347bf0038b12a24e8f676023241210117093eb480373b210619aae2a0d

SHA512
27095ba276c4a001e78b24e8c90eeebfb0441b2e196eb87e5394d6ecdfe144215e054ce73fd85007a7e5e1f07bea823bbaeaaa5e0389ebc26654011b6371dfaf

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
8003ffdddd464a0d3404aa7b82c9692b

SHA1
38b6f7e6f2e046120b2049c0471e1a9de6309334

SHA256
9b1504319d352001031f2b548e0d3e5ad98be3ab911ceccc205febe5e793641c

SHA512
1ba4f698a74a213a93dc74c5d88e6a00fbf666cae0b51206c16ab33cf3af81038570f37d25f7b71d90c3288824914fc8273d7a29a13a9ac11be2163a99223377

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
81453a0fe7fbeed52eaf8f4728755af9

SHA1
e361865f2db22382c541a67c2688aa4a053d573f

SHA256
866b00e1b7d461980b00868bdb60d59e7b2b117a1ca3f7fc7489d4882b6ff597

SHA512
6f96511323cdad0e0467a66ce34753e630976b99b0060dde63aae67e3f0d065b3e77c8166241c2ad729c82fe9e3af70a24c653a155d55efe8db809fadea02497

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
bea5efd04d9252865f9b7120e7770444

SHA1
a6c96c12c7f68d90da27cb1ebcb58497eb763966

SHA256
b58214c9718f248e9283e9073d12cb4a8acb85749f655eacc360cbbecb33e4de

SHA512
4efc65bc60cbadce2f4fad0fb5d7bbdd815741e153b2b4b5f40130fb9c7ad1298538c217a886db2b3d00a196c3c8205f771e419fbde394e7660e3f2d85ec4adc

Download Submit
memory/1004-20-0x0000000000680000-0x0000000001DB7000-memory.dmp

Filesize
23.2MB

Download
memory/1004-259-0x0000000000680000-0x0000000001DB7000-memory.dmp

Filesize
23.2MB

Download
memory/1004-30-0x0000000002450000-0x0000000002451000-memory.dmp

Filesize
4KB

Download
memory/3640-17-0x0000000005FE0000-0x0000000005FE1000-memory.dmp

Filesize
4KB

Download
memory/3640-18-0x0000000005FF0000-0x0000000005FF1000-memory.dmp

Filesize
4KB

Download
memory/3640-0-0x0000000000680000-0x0000000001DB7000-memory.dmp

Filesize
23.2MB

Download
memory/3640-3-0x0000000003E10000-0x0000000003E11000-memory.dmp

Filesize
4KB

Download
memory/3640-200-0x0000000007780000-0x0000000007781000-memory.dmp

Filesize
4KB

Download
memory/3640-90-0x0000000007770000-0x0000000007771000-memory.dmp

Filesize
4KB

Download
memory/3640-1-0x0000000000680000-0x0000000001DB7000-memory.dmp

Filesize
23.2MB

Download
memory/3640-256-0x0000000000680000-0x0000000001DB7000-memory.dmp

Filesize
23.2MB

Download
memory/3640-85-0x00000000060E0000-0x00000000060E1000-memory.dmp

Filesize
4KB

Download
memory/4808-21-0x0000000000680000-0x0000000001DB7000-memory.dmp

Filesize
23.2MB

Download
memory/4808-33-0x0000000002380000-0x0000000002381000-memory.dmp

Filesize
4KB

Download
memory/4808-258-0x0000000000680000-0x0000000001DB7000-memory.dmp

Filesize
23.2MB

Download