55e4ce3fe726043070ecd7de5a74b2459ea8bed19ef2a36ce7884b2ab0863047

Analysis

max time kernel
112s
max time network
108s
platform
windows10-1703_x64
resource
win10-20240221-en
resource tags

arch:x64arch:x86image:win10-20240221-enlocale:en-usos:windows10-1703-x64system
submitted
22-02-2024 14:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

AnyDesk.exe
Size

5.0MB
MD5

a21768190f3b9feae33aaef660cb7a83
SHA1

24780657328783ef50ae0964b23288e68841a421
SHA256

55e4ce3fe726043070ecd7de5a74b2459ea8bed19ef2a36ce7884b2ab0863047
SHA512

ca6da822072cb0d3797221e578780b19c8953e4207729a002a64a00ced134059c0ed21b02572c43924e4ba3930c0e88cd2cdb309259e3d0dcfb0c282f1832d62
SSDEEP

98304:NzTZ3cINQscs0m++LNkT6OpwDGUUH57yvZ/49Mr8EO3QhA9Kq:Nzt3cINQscNmvLCwDkHEvZ/4R79x

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AnyDesk.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	AnyDesk.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3536	AnyDesk.exe
3536	AnyDesk.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
4592	AnyDesk.exe
4592	AnyDesk.exe
4592	AnyDesk.exe

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
4592	AnyDesk.exe
4592	AnyDesk.exe
4592	AnyDesk.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4364 wrote to memory of 3536	4364	AnyDesk.exe	76
PID 4364 wrote to memory of 3536	4364	AnyDesk.exe	76
PID 4364 wrote to memory of 3536	4364	AnyDesk.exe	76
PID 4364 wrote to memory of 4592	4364	AnyDesk.exe	75
PID 4364 wrote to memory of 4592	4364	AnyDesk.exe	75
PID 4364 wrote to memory of 4592	4364	AnyDesk.exe	75

C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
"C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe"
1⤵
- Checks processor information in registry
- Suspicious use of WriteProcessMemory
PID:4364
- C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
  "C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe" --local-control
  2⤵
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:4592
- C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
  "C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe" --local-service
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3536

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\gcapi.dll

Filesize
385KB

MD5
1ce7d5a1566c8c449d0f6772a8c27900

SHA1
60854185f6338e1bfc7497fd41aa44c5c00d8f85

SHA256
73170761d6776c0debacfbbc61b6988cb8270a20174bf5c049768a264bb8ffaf

SHA512
7e3411be8614170ae91db1626c452997dc6db663d79130872a124af982ee1d457cefba00abd7f5269adce3052403be31238aecc3934c7379d224cb792d519753

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace

Filesize
9KB

MD5
b2e5a64f8f205b2ee590cd5ac8b6e196

SHA1
680c1aac32d452a6c1f17e75bf21ce9d08372c3b

SHA256
f7ad4205b40eb8be5d0aab39717b78763de8a04d69deae7ee880458cc84067dd

SHA512
c88be5449600b3d901021eba8aca54393bb7b55a9d6b2db18f01be065baa0705375bc868f81bd31b3060b57cf8822a379fd04748f0cb2e43dd715c4088026997

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\service.conf

Filesize
2KB

MD5
057ba0653841717f648247bb4ad9ce7b

SHA1
1833f195a1a5f2e8670cf1fc726444c18e4b34fb

SHA256
c6cf76a866ba7258f4072ad586f58e0929aa6d5d9413c2002b5da96f66abdb45

SHA512
ec422f463c4077fa05dfa95d7640c9e90d7ec5ebfca6b4548f31c9e48d235c52e9f7f76da665c1b58559654ad6b07af6f295c5aa22a39f8a2de9e0ee27305792

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\service.conf

Filesize
2KB

MD5
f370f1507cef8c5b0b8de5099f15bbc6

SHA1
78ebc076cfde847e4e4ed5092af23b37653cc283

SHA256
2d7cfd0d85132e1db6b5161856c0492da622cfb8aaa4b47aa3b612757bfa39e8

SHA512
ebcc33c730c4373d0e58eb0552dbe61ec1b75c4e08cded351c4df010575fd905cbd2a863f864bcd79367065e469b58465da392b0335e58676be6bf0d19dd36c5

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
681B

MD5
8925751c05bd80078718f121cea2cd1a

SHA1
18e793b39601c292deaa48579e96b667740c08f1

SHA256
8950c34726c20640de15ab3ee8877eacdb57512527bbe4722d8484d004a90ddf

SHA512
9767dc32b3de1634ac52ef7486e1d598bce42d913f8e1f31042146abfdf54c642bffc30a8d62e500487b213a97ac46fc7d65d261fe3b3e83422ca5ee88756032

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
745B

MD5
edc748d536379bc423c6e651f9444abf

SHA1
d2a22d075955006ba5656085798239cb0c004e3d

SHA256
92473c769104b568aaa6906687e8f43f0b6f50109423fb056475759eb9a01e18

SHA512
23067b18daf003b1ec45384eb2edf4fbfc09c6b83fd7ebfbb85f1ee24030c2470998146eb1828b423a0abcaccd257bd699b50dfa6d44789bb459d7d0f99f5898

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
312B

MD5
0c04ad1083dc5c7c45e3ee2cd344ae38

SHA1
f1cf190f8ca93000e56d49732e9e827e2554c46f

SHA256
6452273c017db7cbe0ffc5b109bbf3f8d3282fb91bfa3c5eabc4fb8f1fc98cb0

SHA512
6c414b39bbc1f1f08446c6c6da6f6e1ceb9303bbf183ae279c872d91641ea8d67ec5e5c4e0824da3837eca73ec29fe70e92b72c09458c8ce50fa6f08791d1492

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
424B

MD5
dfb66a222316cd8f5721c36d1ce34278

SHA1
26014c6ef184b720e14466110f3db43c9ac4cb87

SHA256
b69620a0d50e551549a531de4b8254a5f7ce18a42fc336c488a53a8478828930

SHA512
da4bd7a1506a2f4ce361164964db0d36b507250f6f286cdc85f2f0bfe74ca727a522be5e7c7a111d76ced3a9240dee8e0fb14e586b5a63347afdef39115be368

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
424B

MD5
ce67dc976c896ee646615177459eeca5

SHA1
594dc99530c3033aedfb23ff11e28b67857f9ab1

SHA256
bd1b73796e8f1917d98ab059a0b233e412532f31e558fabbd39ebf3e1696d5ee

SHA512
881cb52f7db8b41014228d977d280649c97580f24d0fde4462c8bb9e0510ef4d767806ad5888480d15c635d54292cc4530448ab7e4973590201e8969c3228f45

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
206aecb052dd0df605abf6f60d522f8e

SHA1
5dbcebbe068ef50e470c03ce262944b2a25c1084

SHA256
6ee92a7e234b2273bb6ff6a57b1440cf6f6a654fe164116b7a2223d7b235ebf0

SHA512
2722518c78287270c12f287147fc736e34a46408d0f957cb9482ffa9dd6c47346ac943d254c3c4ec411f35c6f57c292081f33e27388289bd705c061da49aa77a

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
2KB

MD5
b789c806f9d42aa17d1c5414ea5697d7

SHA1
14f9d2b1ab666fb6e20fd53c1f00bbb8c1032735

SHA256
920233d8391a64bf63c86e8c60c294aa00d8aba1b67c78c4f98ddaab93533924

SHA512
f8af066da1b029af0c19659b5e38e2a6900d9ff64c801b4c076da69ee55197bda279bec722a5ee06b9cea43c38a24ae915457b0f0368ece2ca20a1707098647b

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
2KB

MD5
feb49a16e857afa885fbda4684d447b6

SHA1
38167dd6d45a839e17edecedbdc4f2b61f46684f

SHA256
6c67f6c542a7f072d71001259affd9477134f4515175f1ec563dc9508129496a

SHA512
29de7a605e838a9543310385ef6f251a8e847ca2219f2bf1c39c8f94f33c6bee53d9d6faa88062fd16e3ef79ea8f6402bda623660a9c987208cd78aef4eaed65

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
2KB

MD5
61a38409bd7f029aed1209b919b490a1

SHA1
9e5a5cbf7ab22f47394a5635354c79cf55da79f2

SHA256
7edcc5134f3c99bea6ed15d3e82200c85217d21a2a7f4fb67ffff447f3412469

SHA512
f480ee6888d9b5444b3d2643a052b71e01b72b825938aa082cfa5c6852929f66c882d84a36e1ec870f2639b8c0d8d4135e533b7cb859cf383d3fb5a808bd9306

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
6KB

MD5
a141e77c5caa2393a0b7bb5edc267571

SHA1
d2dc23716624f8aaa25f5cbaa46e076cf3b88328

SHA256
3093affbb7ab63259a5576fcc67602d89e65ccd9d78ae2ad9966f34fb2402788

SHA512
822b9506c020c3be0883cc9b9ef3009236f849375644ffd60a0ffcc9ca01c9a371f8372adb6aaea73442f1214eb4697abf1a710be7f772a74ff9c9ac90e21247

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
6539e36b07c8380f7f656994bcf5e804

SHA1
856671aa6ee1c5ebaaa71ac9f1197902d44ae177

SHA256
9beab7979f5d905f69da2594eadfda1c93154aca4356739680c1313755261971

SHA512
c9bca53776b213d93bebc0ebf010595a742630ba0bf38f15304a66e17a249caae9aef4f46ecb76398d448045ba060b1daa7f261e05b1f0df87e11afb98679432

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
bf1fd10b584e22a46a830c433caba939

SHA1
7b3c7a40d2b716bf23a50d0aca62b19cc8fd10a6

SHA256
5e9e74edac164f4df628309c4a092165a6caff33d4b180e745788c5aee4fe77c

SHA512
9dbb658d95b2ef5214a2ece4c295031307db03daf90021a3c0bff5f8d2ee5c9ce1e38737db1351700f829d2a731768a0a3cd2058374ea6ecd12ffe2710301674

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
b138ede3443e1483b5fadb25515cca7e

SHA1
ab330ed413750c0cec0827dfc23b623b1cec0ca0

SHA256
9fa13516fddb068cfad5a82b3be27565fbbb5b1fc12cd515a991ca2605b2bf2e

SHA512
63ef4d06819b4f708a4396c23b7676c9e8ac2440e64ff5a80bf7c41e80e210e01dfa52a4aa229cd3bc048b34f53a46e4109ac78790be5e0073dd3c77b0ada40f

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
2567859294f71d5c7a8e58a76d2befa2

SHA1
ada35b8e37191354cf69cd49863bf16932bfc60c

SHA256
59d94ef3945061332d3601600b79423fc32cd770dc9a36b141a90ae49a457379

SHA512
e2efec92624a6523d3a9259e964792df23aabdc1caa29d2070bfdcbce0ac5723000742eda71b69b5c3cac6de7d2774d139f3ca8976d431654a9b1613254f5f83

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
0ec35b3588687e81e1982101994f08ed

SHA1
59a6b68d50d58d932df2acfa36ca1b5f7f411bc8

SHA256
d09102094e9981f7c2d14fc0cdb87e9c9c4987a4b54b05623e76a673a467a94e

SHA512
a89610b66cd0095f21d2e277045bc20eb3292e41fa91403ca8fd9e5639b168173dc52b90d8ad9d1453fde743b35d77e40453483515468d8b383ddf4cb79623a6

Download Submit
memory/3536-30-0x0000000000600000-0x0000000000601000-memory.dmp

Filesize
4KB

Download
memory/3536-12-0x0000000001180000-0x00000000028B7000-memory.dmp

Filesize
23.2MB

Download
memory/3536-255-0x0000000001180000-0x00000000028B7000-memory.dmp

Filesize
23.2MB

Download
memory/3536-244-0x0000000001180000-0x00000000028B7000-memory.dmp

Filesize
23.2MB

Download
memory/3536-123-0x0000000001180000-0x00000000028B7000-memory.dmp

Filesize
23.2MB

Download
memory/4364-4-0x0000000000B60000-0x0000000000B61000-memory.dmp

Filesize
4KB

Download
memory/4364-122-0x0000000001180000-0x00000000028B7000-memory.dmp

Filesize
23.2MB

Download
memory/4364-33-0x0000000005870000-0x0000000005871000-memory.dmp

Filesize
4KB

Download
memory/4364-0-0x0000000001180000-0x00000000028B7000-memory.dmp

Filesize
23.2MB

Download
memory/4364-27-0x0000000005880000-0x0000000005881000-memory.dmp

Filesize
4KB

Download
memory/4364-86-0x0000000007D30000-0x0000000007D31000-memory.dmp

Filesize
4KB

Download
memory/4364-254-0x0000000001180000-0x00000000028B7000-memory.dmp

Filesize
23.2MB

Download
memory/4364-1-0x0000000001180000-0x00000000028B7000-memory.dmp

Filesize
23.2MB

Download
memory/4364-89-0x0000000006EE0000-0x0000000006EE1000-memory.dmp

Filesize
4KB

Download
memory/4364-200-0x0000000006EF0000-0x0000000006EF1000-memory.dmp

Filesize
4KB

Download
memory/4592-31-0x0000000000370000-0x0000000000371000-memory.dmp

Filesize
4KB

Download
memory/4592-13-0x0000000001180000-0x00000000028B7000-memory.dmp

Filesize
23.2MB

Download
memory/4592-11-0x0000000001180000-0x00000000028B7000-memory.dmp

Filesize
23.2MB

Download
memory/4592-124-0x0000000001180000-0x00000000028B7000-memory.dmp

Filesize
23.2MB

Download
memory/4592-256-0x0000000001180000-0x00000000028B7000-memory.dmp

Filesize
23.2MB

Download