55e4ce3fe726043070ecd7de5a74b2459ea8bed19ef2a36ce7884b2ab0863047

Analysis

max time kernel
16s
max time network
23s
platform
windows10-2004_x64
resource
win10v2004-20240221-en
resource tags

arch:x64arch:x86image:win10v2004-20240221-enlocale:en-usos:windows10-2004-x64system
submitted
22-02-2024 08:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

AnyDesk.exe
Size

5.0MB
MD5

a21768190f3b9feae33aaef660cb7a83
SHA1

24780657328783ef50ae0964b23288e68841a421
SHA256

55e4ce3fe726043070ecd7de5a74b2459ea8bed19ef2a36ce7884b2ab0863047
SHA512

ca6da822072cb0d3797221e578780b19c8953e4207729a002a64a00ced134059c0ed21b02572c43924e4ba3930c0e88cd2cdb309259e3d0dcfb0c282f1832d62
SSDEEP

98304:NzTZ3cINQscs0m++LNkT6OpwDGUUH57yvZ/49Mr8EO3QhA9Kq:Nzt3cINQscNmvLCwDkHEvZ/4R79x

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4708	AnyDesk.exe
4708	AnyDesk.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
4012	AnyDesk.exe
4012	AnyDesk.exe
4012	AnyDesk.exe

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
4012	AnyDesk.exe
4012	AnyDesk.exe
4012	AnyDesk.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2104 wrote to memory of 4708	2104	AnyDesk.exe	89
PID 2104 wrote to memory of 4708	2104	AnyDesk.exe	89
PID 2104 wrote to memory of 4708	2104	AnyDesk.exe	89
PID 2104 wrote to memory of 4012	2104	AnyDesk.exe	90
PID 2104 wrote to memory of 4012	2104	AnyDesk.exe	90
PID 2104 wrote to memory of 4012	2104	AnyDesk.exe	90

C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
"C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2104
- C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
  "C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe" --local-service
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4708
- C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
  "C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe" --local-control
  2⤵
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:4012

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\gcapi.dll

Filesize
385KB

MD5
1ce7d5a1566c8c449d0f6772a8c27900

SHA1
60854185f6338e1bfc7497fd41aa44c5c00d8f85

SHA256
73170761d6776c0debacfbbc61b6988cb8270a20174bf5c049768a264bb8ffaf

SHA512
7e3411be8614170ae91db1626c452997dc6db663d79130872a124af982ee1d457cefba00abd7f5269adce3052403be31238aecc3934c7379d224cb792d519753

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace

Filesize
6KB

MD5
54852f7a8f166d24bbd9f8a96e5c7c2d

SHA1
f110dbb4154bdb0125ea8881bb21b799375a17f6

SHA256
8918ee10f1b5b045acbf765371d999e81b77dec2fe0479c90d9eb47bcd1519ed

SHA512
a89b85ba4f3ba94baf78dd1cfbfbd28d67d7d89e4c37572ac6b38c4e4b832ff41af19ad53eb92aa2298aa9854f0527c5c62316e774cd3f938869245049e2108b

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace

Filesize
10KB

MD5
d29922b7bb3de1ecd9b32ae5e749d9d0

SHA1
f4bf2ba0a2980d9b23ecf3e010f2b1426bfe0e59

SHA256
c701836ac1d94c9bbaea2700956fcb904cb17002038302b3ac5041449d44fb02

SHA512
500b2e8aa0f57493b9edeab9e62c2bbdd2cedac4a895949eb9529ecc34a1c22a98cce3f5d2059c9d17c07ee79414d3ac2979b4b90a2252b581c71758c9580409

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\service.conf

Filesize
2KB

MD5
b71bfce7fbafd9d8ea9b17630074e73b

SHA1
187cc315623123278b366150522bf82208d25bc9

SHA256
12dea5a63c18569f90d23f2af0ab3f6dfa8379c82c6b7d46b6007e12ac2f6004

SHA512
649ef715ae9039bba0f36677eba49005c65ef4de2bcc057882fbed162f5f2a75f6e844bb12887d0d595a6a60665df5fddf4204a3629e7c69e420fbd41acdbd51

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\service.conf

Filesize
2KB

MD5
0949c0a4955750f539e2353861249b8f

SHA1
f1deb6810739bc88509e0e116e84e853293f5a3c

SHA256
0eb176518471610127c3dd9d3b4c0e6c3c630a0075dd22eccaee6c14ada2d281

SHA512
f734b901005523dafeee138f64f4eb8c597a7482c0d7b5539d87f671f131bea711f9b1e47677600ae48a61dc40c329cdb5d4ffc171a37e80cbf6b300f927dfbc

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
612B

MD5
ad7b03e2beb91086b6791626de84f68a

SHA1
047df72a17cc8825e306aa8ed0886005088f7e28

SHA256
31d031b156b1786e78faf83ca356dc858b539b22eaf4a00f933c8cdb7a3ebe59

SHA512
4057e8c8f04e9f71c725e2069f92f64f66058e6bfca281a4695e139972d79a524f581c78a5ada9bb724f1afd2762a7b9193ca485060c970a45671cae22ba23f0

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
676B

MD5
0857d21bfc3ba98b83ef5bb5179f70fc

SHA1
d0d1ed31af6f798c4835945fab900d775df5be31

SHA256
88aa86f0035822b2e0941f9c4be34b91e04c6b18e2b6c7fb6a709d9757686ec9

SHA512
63ff5c2b8fbed092b8d29b2b9579b64655207318015f1438962b71fcd14c28a54b707f02e6bd7b736e13dfaab5bb85e9461abe4eb3f76995db9ca8d05966e629

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
733B

MD5
33997f314188010ac7ec47db0682ba7c

SHA1
c2f3b38608de5f5a234f88e914da5d15ef2af2dc

SHA256
5508ad19bc7fe1616c864999684cf0ae3c7cb919cfa261c969e0e341eac47f64

SHA512
66cf4eafde97734e5b4af3ccdb7b1a9fa42ec0df0cc604cc3962e375a758795726235ed2e20c3a6e2009321119777e1bbff4f5876bd9186980ecf860feec07da

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
802B

MD5
6f3bbbd93ac42fcc23cbd2a74674157a

SHA1
dcdb6bf36a0e75810c07e68e24f62c942e93f947

SHA256
ee7d58399576d2efb3fe4655ecdc8dd03a355998b1df161f1502280464a29f09

SHA512
7192919b38bbb2721b54bcf2fa5fc428989b0fc7fb2f31a8eeef7a82b9ecc89b940c0f9e5ccc479c53e156b8d3b45bfbd2f9634a3419c28b5a2ff7c79e614845

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
424B

MD5
4479f111eb317c96ef8004153b311b14

SHA1
a7162404ba73ef9ce5f3d105a50d0b34c281d805

SHA256
c720cd3945cc0257bc77a32a2744f2fcdefd3841c03dbb0d1e8da0a27882430a

SHA512
5ce9fa5f176730935cbec0da805b2962cd2ab8bfd3778f29ff84bc841b311e4d89e1b5b882a348a6bd370d27e17d5af60495c3006e1afcb213fb2229b2888dfd

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
2KB

MD5
bd1660b431d4e2178ecb38fe0f08dc5a

SHA1
229a6c5b16a4a01477bfc66c6f506310a46da59c

SHA256
1162e710cf7b6f128acbae0cf8cf1f12e9567f32193ada8c46c50af5a8274f8e

SHA512
ab5098b679da764756b00ef191a5afe7f5ec3400f04b47523bd5bbe12d3f29b08f255f45293fdb09ed0de70b4207ebe7700f9722818bdcb31fc7b225688b68cd

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
6KB

MD5
96e8920946bc5db96a4465e3bc10a2cd

SHA1
389f0e2faa719b68f8d7991eea8e01946c6634c4

SHA256
d8c3ddb66cc71ffac22a3bdabe0a00b89e745edaf128838b3c40539944d9ad56

SHA512
250fe4add6167d1aadb13737614cd5f021c553a20afae822b886ff4f600db27c62261ae8d436c7d1c43e15261aae1ff9c19b2b51601cace0652c1692c7329e75

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
6KB

MD5
b9559b6cb3f4100055fb4658f1ae4e59

SHA1
8cf05ce04fe5346405575c7325e37256ff6e549f

SHA256
356830cc5051eb18e3d43af42220510c8636a723641dbdc5e715cbf072d0a032

SHA512
953d29ee9c3f581185167d4ca04282940b4cca49e1e3687fec7e8c28a002bc02ca873ce7d1c7a4bf01f4cb3493eb492c630fbe30a52f7944d878f329bffd0f8d

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
adb84708998fc7c9cb18db8ba71c0e23

SHA1
5d997a60d4f6134609b263dc695d5a11847ba24d

SHA256
513434056369aaa31899670c05655e93ccad523293b9279c4779f87d3e838dde

SHA512
0a4cf2ea016c4b6f3d18d6792aeae672302ba5b6288150ab16d27c79bb1dc824db4bb181aa28e9741f121dea61f86c45734a0266e689d3463ac0134e271b5cd9

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
6KB

MD5
fb5a5038e73bc86d1dc3dd631b6ded4d

SHA1
3b08274ff3724ce39970a8d4c53934d83d6adadf

SHA256
04d561565110f64abe2feb284c3495a594f165337787030a9f5f961cc14b622c

SHA512
a15193c151ef834d33ed6e718b1ccc41064fcd732df7759ec7935d0308559eb04ee81da8c29cefb4a4fb6bf84cea87204d49865f487ab229305b50294c7be2b9

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
c1130b5acb59deb6bca4df4fdb662a0d

SHA1
60f53561bcfa310415705dc1f7e419f9dd3438cc

SHA256
717f5ecad4f9fd9f57fd0b7dc599999ef6dc2de5260e67c2e204b4442e257413

SHA512
b4440a82d02e5bee64546f91d82c38f6f9dfc85a530f9513cdc38d508b0438648373014af3912c5f61206b1a91abf93325070cdc2ebc38abdd11d26c0508dbb0

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
052ab1e5925f428c41a40c0b95f1d80f

SHA1
d5aa3f86901de7a9d2f1153aed47a8db3ec3e46d

SHA256
58578750a51a889b8d10793a0150a3e503e17c53d1434bf2b23ee3ca6bc0ee9d

SHA512
adafe7be53c6013ca66a88a4b52c70f6605aa2b7d35c900c0e3134bd69ba60a66e9d615df972d5ad676211c23c81a6f679fc51d7cc69a6b1784390a09b1a59ca

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
33a96a2261371cf10593a026bb6dcc7f

SHA1
30089164d127ffad441f74e1983b5ee31ab84497

SHA256
0b4106cef56baa284ab495889d02e85a868d5f2ffd9655b87737a44dc1140936

SHA512
61ea359014cdb3a4ad6480c69a9950d94de4d427bbc8e669e419c6520b669b100f90bd23143a3139df91cdee03ae144dd4d17cc337e05db46f24c45f6644758b

Download Submit
memory/2104-4-0x0000000000780000-0x0000000000781000-memory.dmp

Filesize
4KB

Download
memory/2104-23-0x0000000005C20000-0x0000000005C21000-memory.dmp

Filesize
4KB

Download
memory/2104-0-0x0000000000880000-0x0000000001FB7000-memory.dmp

Filesize
23.2MB

Download
memory/2104-1-0x0000000000880000-0x0000000001FB7000-memory.dmp

Filesize
23.2MB

Download
memory/2104-30-0x0000000000880000-0x0000000001FB7000-memory.dmp

Filesize
23.2MB

Download
memory/2104-86-0x0000000008200000-0x0000000008201000-memory.dmp

Filesize
4KB

Download
memory/2104-101-0x00000000073B0000-0x00000000073B1000-memory.dmp

Filesize
4KB

Download
memory/2104-21-0x0000000005C30000-0x0000000005C31000-memory.dmp

Filesize
4KB

Download
memory/4012-12-0x0000000000880000-0x0000000001FB7000-memory.dmp

Filesize
23.2MB

Download
memory/4012-27-0x0000000004020000-0x0000000004021000-memory.dmp

Filesize
4KB

Download
memory/4012-220-0x0000000000880000-0x0000000001FB7000-memory.dmp

Filesize
23.2MB

Download
memory/4708-11-0x0000000000880000-0x0000000001FB7000-memory.dmp

Filesize
23.2MB

Download
memory/4708-19-0x0000000000880000-0x0000000001FB7000-memory.dmp

Filesize
23.2MB

Download
memory/4708-33-0x00000000020A0000-0x00000000020A1000-memory.dmp

Filesize
4KB

Download
memory/4708-219-0x0000000000880000-0x0000000001FB7000-memory.dmp

Filesize
23.2MB

Download