55e4ce3fe726043070ecd7de5a74b2459ea8bed19ef2a36ce7884b2ab0863047

Analysis

max time kernel
112s
max time network
119s
platform
windows10-2004_x64
resource
win10v2004-20240221-en
resource tags

arch:x64arch:x86image:win10v2004-20240221-enlocale:en-usos:windows10-2004-x64system
submitted
22-02-2024 14:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

AnyDesk.exe
Size

5.0MB
MD5

a21768190f3b9feae33aaef660cb7a83
SHA1

24780657328783ef50ae0964b23288e68841a421
SHA256

55e4ce3fe726043070ecd7de5a74b2459ea8bed19ef2a36ce7884b2ab0863047
SHA512

ca6da822072cb0d3797221e578780b19c8953e4207729a002a64a00ced134059c0ed21b02572c43924e4ba3930c0e88cd2cdb309259e3d0dcfb0c282f1832d62
SSDEEP

98304:NzTZ3cINQscs0m++LNkT6OpwDGUUH57yvZ/49Mr8EO3QhA9Kq:Nzt3cINQscNmvLCwDkHEvZ/4R79x

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	AnyDesk.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AnyDesk.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3612	AnyDesk.exe
3612	AnyDesk.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
2996	AnyDesk.exe
2996	AnyDesk.exe
2996	AnyDesk.exe

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
2996	AnyDesk.exe
2996	AnyDesk.exe
2996	AnyDesk.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2336 wrote to memory of 3612	2336	AnyDesk.exe	89
PID 2336 wrote to memory of 3612	2336	AnyDesk.exe	89
PID 2336 wrote to memory of 3612	2336	AnyDesk.exe	89
PID 2336 wrote to memory of 2996	2336	AnyDesk.exe	88
PID 2336 wrote to memory of 2996	2336	AnyDesk.exe	88
PID 2336 wrote to memory of 2996	2336	AnyDesk.exe	88

C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
"C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe"
1⤵
- Checks processor information in registry
- Suspicious use of WriteProcessMemory
PID:2336
- C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
  "C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe" --local-control
  2⤵
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:2996
- C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
  "C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe" --local-service
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3612

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\gcapi.dll

Filesize
385KB

MD5
1ce7d5a1566c8c449d0f6772a8c27900

SHA1
60854185f6338e1bfc7497fd41aa44c5c00d8f85

SHA256
73170761d6776c0debacfbbc61b6988cb8270a20174bf5c049768a264bb8ffaf

SHA512
7e3411be8614170ae91db1626c452997dc6db663d79130872a124af982ee1d457cefba00abd7f5269adce3052403be31238aecc3934c7379d224cb792d519753

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace

Filesize
7KB

MD5
646042869c61528193854e69f5070b04

SHA1
3024e1cbad3001119e286c1d4afc3733308dd3b6

SHA256
80d49404425c8c717b3b7b68433768e3bb832d5e6f6e6badb47881b0ed2e5235

SHA512
76ab03e73544bac1dc703fbe5313d7c750445c596f4bf6c4d406ff3432bfb2266d431d4d513add2cfcf7c9b6916b29bb145d4fcf75714321484df8a45910ae5d

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace

Filesize
9KB

MD5
f72af1a6d3226ab20a5b6706e1fa7bd4

SHA1
0a8d1d7558e9a1fdd6c3569ccd168b97cb5ff603

SHA256
cb8f8266ab83ff85891ce602e91c082e9a92b51f26795ae013384634ccc52b25

SHA512
ce03f2921f06036e721de36d44470a7ce6d36593a1e182edd83f20907847c836a507b63987d1c4491be3b265e2bf327bd9c0b74563b73a6050ff7b2b74ec5545

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\service.conf

Filesize
2KB

MD5
5912c054423e03e3d997cabc8fc0858b

SHA1
8cb7a267f810d6269515ef4f9dd1dd7ffb1cdabc

SHA256
371c3ee4f2994a40d1102276594192bcad694ac555e2c89c15b188b043168cf0

SHA512
edf92fb7820d9538d7d1669efbd311d478e9a12f54352df2ae2902aa386ef9e1c0af22f1328dc37dcd74474e86f512099b1980a1e2ca8e6386f5d96557e969e6

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\service.conf

Filesize
2KB

MD5
f3674ecb9f093c57dd96bf1a096cb8d9

SHA1
c23d24fce96c83acc7f093f090daf22d614859c4

SHA256
e08cc3b13a5a6816d846713aa92acad642c9282c41da73ac580de25263c5d88f

SHA512
eb3c217fac45a5cd2df198c155b912ad2614eee36240d0941ea5734dafe0670b0e47f5d983037d626d1ae064cd8c7c1952116bef4ede5826cc5907e346cf2962

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
612B

MD5
47cf809a65395bfe0a5398d5b9a0b2bf

SHA1
ce11dd117f37fdcb505d61a934c4a891fe6bf36c

SHA256
e6c3da772e948767c02b8af8a8bb42c3341e7e84d6c633f222cc173ef83c645a

SHA512
7dbba11b4d49ff9f5c19d7ad8157febab2c80b94d3d60f2fd5ae8a063bcf9abd706e7cd5c34d36a190ebd41760190dbaecac05f6b2682ffdb5417aae5d885e08

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
681B

MD5
8aab2a98695ddea6370f137d045b298a

SHA1
cad726017227bd718715da87f9f5d5200df42be6

SHA256
e3c9188d760d75b23ea5de7ae6e8f1ba8f4e0aaa275d3ac6d0f47eaccd6f35e5

SHA512
c632791fcfeb61eb78f37d3d48db186beaf1969e18b4793b8b1a92f0edaaa982915d39c90ef173ac2d9a7c45812b1e62da52b601e5a498c09eea3bb948efe88d

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
802B

MD5
46645b5002358792d5588bf66626495e

SHA1
5c62665a02c8e4c2de9a377e05669fa247be2823

SHA256
9c6fe990c3368b53c3882493873b1324c10d21235a10b090518f5a0cc9bde124

SHA512
6fdd877851053a9e6781f8da0136aa3a8de275ef986fbc238f049c00d1809148fa97a25268dd6df5e6e4caed396170f2ba2bf1b4b470bbc4283e80f64d5fe2f5

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
424B

MD5
c7daac8a593943b9a199b4a2cfbd2197

SHA1
32c994489575d579b9845a32de8d07aab1165703

SHA256
261086c575f1a12c02b3c1d59872cc279b8a70e984c9d7520ce9c545cb3ca3cf

SHA512
0eaadefde9ac43df2fdae8157cc07d24ab6b94335e0ae58cf2d0becde5e774affe20ff8df00ffad7fb91a65ed19b24dba710735c06596b2ae0c1f39897066e55

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
2KB

MD5
8aacf9732b534216d755e910d02719bd

SHA1
ec483dd5f3f860332a8a1db9f8e88b134546d0d0

SHA256
9f22403eb7182e6104b4db7c63206f34f6348f814e01edac8d691e27c75feddc

SHA512
704bd425da12d0c39556f307fc7f81b2b668feb1378bd2f63f026e917a43e5bd11a9dbc241078c377d183b935d16f2802ac1b88b0553bccaa35e5435fdcff08e

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
3KB

MD5
dbe38ed5dc17f75b23340e1462b31e31

SHA1
b7cfad60d896ea9ac4cc86804d42674411f07054

SHA256
eebfd13c3f7223d03ef5634ca0796bb20efc54d0a81c28eab52ba526916a6cb8

SHA512
442690b2d004b23fdf4e423a68d7e8c6558c246e93d7b87398053a29af73f5de191f8a2968565847317e0b0521bba6b300acdd514df84b9bf1b073bfdf5ebc29

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
e9949f8e842fdf677ffe18f6f2181bb9

SHA1
61684da8b90dbf7402797569291fb12bd51cdfb4

SHA256
df5e82b0a440ca98f18d3b25f4947a0ad9b5f9e6a69f741edd6283c22715d287

SHA512
e1177f05e3f3245c0723bb2ced7ab77bb3785fd33b9981934327e75c11482e4582743ee8193f636772fd7c77ad12c23ada90d1f9bd7479d7fddebae5a0c7b7b6

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
6KB

MD5
b8ceb3484778de7a6bef4eeaa948c983

SHA1
4d8e64127133c80678e745550a1de8946155684e

SHA256
f7e2525678a059bc658dc2544de3eda94405d056996d3bd4d9ee1b0e31387f0d

SHA512
e7cdf0cdadd9524fdb108b741f1124ed659750b712934add77ad53e63d0406613482a89200c37de185525aac88e41dcba27638420106553e78c1393d5492fe8c

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
3KB

MD5
0c4e24816966cb613c4549abeccca332

SHA1
33a633e73a9a944e5c4d930fd24605d33c6cabd8

SHA256
55e7f727004cfd566c04c688bb78af366aad7f31c14b5a222fe3e62316c01d71

SHA512
96061026891a7727e3ff0a16841705aebc476d72de2f491ed27ffb6b5244217ff7b504611cdc0972cd19928d0121b2c492a5185e071e59fe266b29639b2e48df

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
6KB

MD5
58294fde6e7e4db458509b718e38a9fc

SHA1
454b55828b37098c54386dbc500ae2b1ccc038ae

SHA256
5bc377166d6d8d2d8a5a72a34da81b7f1b4b93aadf82d5e1dcbd76583229caf0

SHA512
add6ef0433d5c2dc2f3badaa6c95e08f5da9f4f77182b6098617a06d0ee44dfdee781139c2844f1e14a8f0f7fdd0710a149cb24963a4ed9e95e6528606d8024b

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
d6b3ab993d53327ee62ff76a7ad66d1c

SHA1
50d28f3b5614322bb4875a72ac9153ad8aaa6a48

SHA256
e7a73f4bfff2b24b966ed6ea4ff19725f9795ca3fffe06476d799d18d1809445

SHA512
f7d5d2d294a96aa579f66b2edfe38b15b50aa66db089588e3cb515f99b44d39735ac084f523dac7d6b05bf97e83326d96999cb790af8a8bf2abee9b6c34bccd1

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
b4b0bc0541b691ceed134329b83f8748

SHA1
d7dfd995720e5b9caa96e2c1f3fff2c5354061e3

SHA256
96be92162a56aa1b34f8ca091ce4c68ed978668e5adfdfa2c67a0f19b5e96739

SHA512
84793938aaa3f72c45a6a526bfae1611641fc2ee9f57a18d28118757c7306b053dc65286dd58e9b5e75e11f45b9674f103f3b3f74e8e8d0cae2780ddf459c2fb

Download Submit
memory/2336-185-0x0000000007D60000-0x0000000007D61000-memory.dmp

Filesize
4KB

Download
memory/2336-0-0x0000000000E60000-0x0000000002597000-memory.dmp

Filesize
23.2MB

Download
memory/2336-79-0x0000000008BA0000-0x0000000008BA1000-memory.dmp

Filesize
4KB

Download
memory/2336-97-0x0000000007D50000-0x0000000007D51000-memory.dmp

Filesize
4KB

Download
memory/2336-240-0x0000000000E60000-0x0000000002597000-memory.dmp

Filesize
23.2MB

Download
memory/2336-24-0x00000000065C0000-0x00000000065C1000-memory.dmp

Filesize
4KB

Download
memory/2336-1-0x0000000000E60000-0x0000000002597000-memory.dmp

Filesize
23.2MB

Download
memory/2336-20-0x00000000065D0000-0x00000000065D1000-memory.dmp

Filesize
4KB

Download
memory/2336-3-0x0000000004530000-0x0000000004531000-memory.dmp

Filesize
4KB

Download
memory/2996-29-0x0000000002B60000-0x0000000002B61000-memory.dmp

Filesize
4KB

Download
memory/2996-19-0x0000000000E60000-0x0000000002597000-memory.dmp

Filesize
23.2MB

Download
memory/2996-242-0x0000000000E60000-0x0000000002597000-memory.dmp

Filesize
23.2MB

Download
memory/3612-11-0x0000000000E60000-0x0000000002597000-memory.dmp

Filesize
23.2MB

Download
memory/3612-25-0x0000000000E30000-0x0000000000E31000-memory.dmp

Filesize
4KB

Download
memory/3612-241-0x0000000000E60000-0x0000000002597000-memory.dmp

Filesize
23.2MB

Download