55e4ce3fe726043070ecd7de5a74b2459ea8bed19ef2a36ce7884b2ab0863047

Analysis

max time kernel
21s
max time network
17s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
22-02-2024 08:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

AnyDesk.exe
Size

5.0MB
MD5

a21768190f3b9feae33aaef660cb7a83
SHA1

24780657328783ef50ae0964b23288e68841a421
SHA256

55e4ce3fe726043070ecd7de5a74b2459ea8bed19ef2a36ce7884b2ab0863047
SHA512

ca6da822072cb0d3797221e578780b19c8953e4207729a002a64a00ced134059c0ed21b02572c43924e4ba3930c0e88cd2cdb309259e3d0dcfb0c282f1832d62
SSDEEP

98304:NzTZ3cINQscs0m++LNkT6OpwDGUUH57yvZ/49Mr8EO3QhA9Kq:Nzt3cINQscNmvLCwDkHEvZ/4R79x

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AnyDesk.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	AnyDesk.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2548	AnyDesk.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
1296	AnyDesk.exe
1296	AnyDesk.exe
1296	AnyDesk.exe

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
1296	AnyDesk.exe
1296	AnyDesk.exe
1296	AnyDesk.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2868 wrote to memory of 2548	2868	AnyDesk.exe	28
PID 2868 wrote to memory of 2548	2868	AnyDesk.exe	28
PID 2868 wrote to memory of 2548	2868	AnyDesk.exe	28
PID 2868 wrote to memory of 2548	2868	AnyDesk.exe	28
PID 2868 wrote to memory of 1296	2868	AnyDesk.exe	29
PID 2868 wrote to memory of 1296	2868	AnyDesk.exe	29
PID 2868 wrote to memory of 1296	2868	AnyDesk.exe	29
PID 2868 wrote to memory of 1296	2868	AnyDesk.exe	29

C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
"C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe"
1⤵
- Checks processor information in registry
- Suspicious use of WriteProcessMemory
PID:2868
- C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
  "C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe" --local-service
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2548
- C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
  "C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe" --local-control
  2⤵
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:1296

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\gcapi.dll

Filesize
385KB

MD5
1ce7d5a1566c8c449d0f6772a8c27900

SHA1
60854185f6338e1bfc7497fd41aa44c5c00d8f85

SHA256
73170761d6776c0debacfbbc61b6988cb8270a20174bf5c049768a264bb8ffaf

SHA512
7e3411be8614170ae91db1626c452997dc6db663d79130872a124af982ee1d457cefba00abd7f5269adce3052403be31238aecc3934c7379d224cb792d519753

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace

Filesize
6KB

MD5
a1918615e8d2c86dbce1a1df2e65d799

SHA1
a80131063e6501041e7fb9a78c5f854460384423

SHA256
ac79c2ba62e000b19d9b6fd4e200eda21ff8e8550be49b769bdbd44e13967e42

SHA512
9183410898b3a6962dd10cfe25b24e4bfca063c421279c1d7cf6715002aeb6b93011b45dacea44144d67c90420339ff8264a8a45c7b9ad601be083bf4395aec9

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace

Filesize
6KB

MD5
839bcc56418830062a641f16f43e322f

SHA1
f264e533cc61c17fa514f9d225ca4707d9084206

SHA256
303e2ebccdef163b30ea9966a7a1ba6ec20a7adbfe675c37f5eb7cc84e964bd3

SHA512
ca1c9c2f46b390571558c86267c64618a04993716ec2bc260859c4bce6e5e08eb5e28a72861e5afc30c60ac77d273b07476517603f3082823f23900e62b924ea

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\service.conf

Filesize
2KB

MD5
976eeda5d0fe8b74ca625a55ead99f02

SHA1
0c1b6fd98018c247f71bcae106013640984c8ff2

SHA256
16bf34a68d8c5a380f70bb73a041ac3aa738b959bf647329373cb4bc78a9fc8e

SHA512
57e8cd9a1590fdb80c4b4d6e71d67cafd60b623e0432c4d9cc77a4ec33ac1faced08fc48eeb171257a3cae38617391917821b063ee4a58c05cf1e7512435f311

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\service.conf

Filesize
2KB

MD5
cdd80c169e8a0f7fae81fc1c7fff082b

SHA1
565573e0b9d4896ff61e81a73c5f467489a0d58a

SHA256
f76a482fa67a8d59e184ff5562bd97d978c852e6776523c69374ff661695db58

SHA512
4d17401e588dff95ad655ec207c058f09b0323710f8f6af0daa721c790bb3a3a3f94a74bef349cecfa2ea3f845c23c37bdc0bff0089ce1accaae80ce6e2dec47

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
681B

MD5
16b54d8c7f149af4d677290e89c32955

SHA1
701eef0fbb196a752c7979af23664670b5c95f69

SHA256
a6ed104699db61b32ce6df79dfd538b775b1dd749a4787897ce91208531f3433

SHA512
504142fa5a69efab0f8f6cdf2ed53b888252da57a458606b6e884c77c9923fd4757c787261be26c6be4e6135acaece8dc8378f5b46c8b95fa8487a2396765747

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
802B

MD5
b72f1fafd1a179771e6b5c88f721dd95

SHA1
26a58d1d094bce4babb67b8c2c03bb62d33e28b2

SHA256
be71a32f89d856ce6984020a98e1a0f89f448f69c457adb0d027aa8033e5ef6a

SHA512
b6274e4177217d015a9e2ef2d87fee3469b06345c2be06e220d65cbadd79aa5daa99d58c82a0414b3bfe180ff018f09b45cc843f084611864009cd459741e27d

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
312B

MD5
0c04ad1083dc5c7c45e3ee2cd344ae38

SHA1
f1cf190f8ca93000e56d49732e9e827e2554c46f

SHA256
6452273c017db7cbe0ffc5b109bbf3f8d3282fb91bfa3c5eabc4fb8f1fc98cb0

SHA512
6c414b39bbc1f1f08446c6c6da6f6e1ceb9303bbf183ae279c872d91641ea8d67ec5e5c4e0824da3837eca73ec29fe70e92b72c09458c8ce50fa6f08791d1492

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
424B

MD5
8cecb0270429c52eec003d1e32f6e835

SHA1
a369d238d5952ba9a75a46252e66f3d79309820f

SHA256
5cdbf679fad1c83641748db92b08da5a4de7ffe4b694c2e90da45b8b0b8a12fe

SHA512
afe23f8b14d37164fbe224655bebdfdecdc54b4fd608191d65f3beb33ca26b44903818b0d99b7610fefae5c735dc9d2d38404cfe7ebe68a16c1809469a975935

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
424B

MD5
c410e361c0fdf2920f8af472e11a957e

SHA1
336e277108955b213a74564ac7d502240910c64a

SHA256
eab2bf5d668125bf0463ccf8d586f93853dd75db6fc349a84800760d60c7c4d9

SHA512
702c8b6b4737902a2703a51004c2b5acb32f28bfe39cd537166bfb673479a5b9b9e9a0eeb81935c3262688c7274267a01d576bf8e46d3cb86f4bd88a8bab1692

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
8f3a442515ac248dcbe70e35b0e45a7a

SHA1
681f699d2698ba75c7e70ea9522a93ee60920281

SHA256
a771e2b4fd390a2a827aebaea1588d92b7f20b98cb102fc50900b0faffd7fe44

SHA512
35ffeac3f61f1d264e14ec56c43daa26c7708dcd1dc7f2c96b12134bfaed16cf5028dac3b677567ab28180aa007988c6ec6cb08fd37ad1708192d9bfcae91d12

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
2KB

MD5
e437422e0974846cf3592577ae2edf74

SHA1
ed25fda4e869aa1c4cd423b4aab2e01fe0146864

SHA256
c79f1060d1bfcf1daf632e8af0e92385cefa1bfc83f079b453be02716e4739a3

SHA512
113225cdfcf93544800c756828fdb2804595009036ae9afd47f8d19e7b2076d0bdcfdf25a85b8172c62d3e50b5e202edd3cdac3cd7c334f3dab08859a2430e97

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
2KB

MD5
f2fa30e00c254efae40e621392ffb830

SHA1
8250ba4d9bd6badacbd5b99f6e0206c9b7e38932

SHA256
387ff391fd503d66a6b2f32eca9077888525c078f2f0d3e92d10fc0e26e0047c

SHA512
a07c3e01fe5de5b8e5838cbded1866b197cb4ea8a4fe80985fa63ad3a4c50251b640958f188a923475e7bc1e8b6d9c95828235f4c09d5019f82de0fd75fefa61

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
2KB

MD5
6f4fce71ea96ea2698e70de2ca89d5e3

SHA1
8fb14e4bfc920d6dccf0a6c771dfdfcb87f841da

SHA256
94c5319f6da4ae82223bc2845a78af7ff56350d192c75d0ab49c6ed77fb288d7

SHA512
5683028e80d2b98c829238c4851ba6416c2fa467c7249a6979ef3304071437be00951b08dbf2ad66e9c459dba6aaf4201fd916dbc24358c9dfcd57d529d6c8f2

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
3KB

MD5
4eae622b1ca38180a3189a436ef9a186

SHA1
f40968427925c0efec0d3da95d96a3e116265cde

SHA256
5550e9cfbf8fba75ca0a0a6ed199061dedcd802ed945e88d74565b11568a7b83

SHA512
64f86a503feba3645669fc6fb904fc645d07dd9f4a1c4ba8e4ee4fb70d5e9b363169b1cc33291bfa891fe8ba76affea3be21d36578ad00f7ae7db35cdac6f29e

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
6KB

MD5
0ff3f5143a03d03d36f4ed3ded5984cc

SHA1
2872a5f2176696ab8796437d6942659664dd4da6

SHA256
ce7917518b80ec09f1674f44cafd05f785747ebc3f3097400af035b059f9b6be

SHA512
eb1d0c5aeed1be6ae0b9c8d4b99626be5241bc88198d1cc9906e0a2bc4a10dba13b30678ed111de5ba892ea7f343782eb3a1e0e1e6e237e133c49266ff31b5d1

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
6KB

MD5
6d1b173cf54562bc6e5b161dbdc4ddf6

SHA1
52393efc7ddf7956a68e6b99615ec0b36324b0ae

SHA256
e0d0d418748e6273305f43f56d9440581f4058f51ed4d445cbf0c9a96f689878

SHA512
28bf0e8c200074c27530ad80603387076f7fc0e6021959f7b7d383ff4aef9abac62c8404608dbc2c01acc61fb926d921ed3ab5ccfbbce30d2d44b9b00fde5e4c

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
6KB

MD5
a1bd299bdeba68d3cc591f511c5a0c75

SHA1
64995df219a08f3747f731b413b2456e5ed4b10f

SHA256
a2cd318d18e5e1c71fc234ce5231b62caebf9e459329e45e93f216ed555463db

SHA512
4fef48167a8fa78c749e77fc6f2201bf494b6663ad6d86b303a341b9e7d2e323ea8785d38dbd5ae2e56ea7ee943e1960c2577fdde91ac676ed4483c091f527ae

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
6KB

MD5
e0b85216ba21993ad58f3bdccfde911b

SHA1
fc15efd2725c7dcad0607fa323f4042ac8e06450

SHA256
4be8e4a421794f945553473d4ac9f8fa9d320a35605eb26fea72aef3d2e3fde3

SHA512
9e7639f4723c6c694ccbff02036c2c80cf62c422bdbcbbbfabeaf96bfddc6f58bdc9cb8445e781aefbb43bfc7e493d3c05ac4f403cc80ae4548053c1090ad7f0

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
ea6bf661e92b794ae66d5b5b5101ef59

SHA1
d435bcff320b17e5d7d4fcecee7a0aaebb8fd318

SHA256
3fcbab8eb0d90dd5605fefc5a38d93b3bc7e6c0fcf74f20d6df9da3ce5280851

SHA512
11c526fcc41ee38ebce780ed9f7709c12e857c56869c5b0947453c85194fa34e62b329b3a648c2c2e8ecc69560a247995d70365164e7785d4386297fc3bf4b70

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
91fb48504095958427911788a963c7b3

SHA1
f791b71cee15f0c88849e9922610f75b74b423f6

SHA256
d5b2b4cea4e43a403a83a8e965e522f3f3c47e459a76e67b17267356a10b21a1

SHA512
e5343541586f87e5e0220667bcaa166f364a55e5293346f41c7b4d76cc1b5f91bce008ef057a7db11873e2abe9febc1a97bd0ad0e5b9ce35ed96f2fcc38f62f1

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
651fc994dd2a4ff47f310db740b2af86

SHA1
091cab13298ff5a2617bb29d6bbdb88d1be21611

SHA256
37321a056a870ac23dcd60d58092806237be65cb778ba66154b0348a0664db02

SHA512
eb144e7176af845ae356f3dbd5d8836caa9217b15f699e5966000ec0235925dd3413df65c12bc873044f00f5c6b22ff4f481d8a22a535339b2e14d0db762e36d

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
32a4baa4c80be41cae8854b75eebc943

SHA1
8665bacb211aa80dd00e7712ce59773554e3e794

SHA256
0dab8924cb9fd264d6905fcccdc51f57904cedb898b662bc25b25396ef4e0093

SHA512
51efe986745492a954a3768dfe30ea7ac87ced2f7b36fd611075cc0def9d4876ed065a437aab049dbb53d87d3a407a1542c1be14aef8081ec8e5d5e60d4e7f6b

Download Submit
memory/1296-11-0x0000000000AB0000-0x00000000021E7000-memory.dmp

Filesize
23.2MB

Download
memory/1296-33-0x0000000000130000-0x0000000000131000-memory.dmp

Filesize
4KB

Download
memory/1296-275-0x0000000000AB0000-0x00000000021E7000-memory.dmp

Filesize
23.2MB

Download
memory/2548-21-0x0000000000130000-0x0000000000131000-memory.dmp

Filesize
4KB

Download
memory/2548-12-0x0000000000AB0000-0x00000000021E7000-memory.dmp

Filesize
23.2MB

Download
memory/2548-13-0x0000000000AB0000-0x00000000021E7000-memory.dmp

Filesize
23.2MB

Download
memory/2548-274-0x0000000000AB0000-0x00000000021E7000-memory.dmp

Filesize
23.2MB

Download
memory/2868-1-0x0000000000AB0000-0x00000000021E7000-memory.dmp

Filesize
23.2MB

Download
memory/2868-4-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download
memory/2868-107-0x0000000004C80000-0x0000000004C81000-memory.dmp

Filesize
4KB

Download
memory/2868-106-0x0000000005600000-0x0000000005601000-memory.dmp

Filesize
4KB

Download
memory/2868-39-0x0000000003B10000-0x0000000003B11000-memory.dmp

Filesize
4KB

Download
memory/2868-263-0x0000000004C90000-0x0000000004C91000-memory.dmp

Filesize
4KB

Download
memory/2868-0-0x0000000000AB0000-0x00000000021E7000-memory.dmp

Filesize
23.2MB

Download
memory/2868-273-0x0000000000AB0000-0x00000000021E7000-memory.dmp

Filesize
23.2MB

Download
memory/2868-34-0x0000000004240000-0x0000000004241000-memory.dmp

Filesize
4KB

Download