55e4ce3fe726043070ecd7de5a74b2459ea8bed19ef2a36ce7884b2ab0863047

Analysis

max time kernel
114s
max time network
121s
platform
windows11-21h2_x64
resource
win11-20240221-en
resource tags

arch:x64arch:x86image:win11-20240221-enlocale:en-usos:windows11-21h2-x64system
submitted
22-02-2024 14:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

AnyDesk.exe
Size

5.0MB
MD5

a21768190f3b9feae33aaef660cb7a83
SHA1

24780657328783ef50ae0964b23288e68841a421
SHA256

55e4ce3fe726043070ecd7de5a74b2459ea8bed19ef2a36ce7884b2ab0863047
SHA512

ca6da822072cb0d3797221e578780b19c8953e4207729a002a64a00ced134059c0ed21b02572c43924e4ba3930c0e88cd2cdb309259e3d0dcfb0c282f1832d62
SSDEEP

98304:NzTZ3cINQscs0m++LNkT6OpwDGUUH57yvZ/49Mr8EO3QhA9Kq:Nzt3cINQscNmvLCwDkHEvZ/4R79x

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AnyDesk.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	AnyDesk.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4544	AnyDesk.exe
4544	AnyDesk.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
4508	AnyDesk.exe
4508	AnyDesk.exe
4508	AnyDesk.exe

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
4508	AnyDesk.exe
4508	AnyDesk.exe
4508	AnyDesk.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2844 wrote to memory of 4544	2844	AnyDesk.exe	78
PID 2844 wrote to memory of 4544	2844	AnyDesk.exe	78
PID 2844 wrote to memory of 4544	2844	AnyDesk.exe	78
PID 2844 wrote to memory of 4508	2844	AnyDesk.exe	79
PID 2844 wrote to memory of 4508	2844	AnyDesk.exe	79
PID 2844 wrote to memory of 4508	2844	AnyDesk.exe	79

C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
"C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe"
1⤵
- Checks processor information in registry
- Suspicious use of WriteProcessMemory
PID:2844
- C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
  "C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe" --local-service
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4544
- C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
  "C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe" --local-control
  2⤵
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:4508

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\gcapi.dll

Filesize
385KB

MD5
1ce7d5a1566c8c449d0f6772a8c27900

SHA1
60854185f6338e1bfc7497fd41aa44c5c00d8f85

SHA256
73170761d6776c0debacfbbc61b6988cb8270a20174bf5c049768a264bb8ffaf

SHA512
7e3411be8614170ae91db1626c452997dc6db663d79130872a124af982ee1d457cefba00abd7f5269adce3052403be31238aecc3934c7379d224cb792d519753

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace

Filesize
7KB

MD5
0fa8360386d31db027a4e5b5cf31f277

SHA1
e6578f3f94ac64187a9ab58df6482bc5e0affa3d

SHA256
a4ccbbd4e26c2c6a74b8bb1507464c6904053aecc69bb27adc9ec22b5f85a0d8

SHA512
af0a0e2cd3d487133182f1e74e510e91eec0869ec0754c1c3488b36860ba802d358168ff34d729fbdb10be14c74f4d68b639c72e3901eb17a19cc00dbb35f9aa

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace

Filesize
10KB

MD5
7c508257287e624f4f85c0ca78cfc4dc

SHA1
133181505e1b59f44974c8770624134fee80dd02

SHA256
97c89fd429c0f1960c4c21864b192d3835bda0df3137701b053d6d01f4cd5414

SHA512
8e83aa9147c9d1a31f847d241be50f11dbd6b216afc014b0dd20595ff805c320852416c3706c2c470b67913ad835c5ed8e5eb9ac53de40535705d733434fd356

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\service.conf

Filesize
2KB

MD5
912bc2fbbd0126af339e1d20c44f8a41

SHA1
c0a9058d17dd1e99d114f1bde0d5abd813f3adf4

SHA256
a6ef7938322543f2ddbe666406feba4916d4ddc4533453a0c1945840f2221341

SHA512
7a2077cd0f56cfca98d36aaf29a05eb8c68a37bde3920a5dff24441eb40744b6dd8694290ce6e8ba15123f96f4324f5bbc702c0c1f87f8504e0a9227c6ca663d

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\service.conf

Filesize
2KB

MD5
2e81480526d506b51a154bd96a20f337

SHA1
3eb5b91734cc51330982ece8436d337f316876d8

SHA256
c4466025142b15078aaf9ed63f06cac29abc124f36155c73a16b1a7b2aa309b5

SHA512
a03cdf98c021b6229a0b4db52e83f22fa35c9627550ff8a241fa3a11b7052b1bb01dae4be80b9ff84c8419f64c709d1435e951faad26052924aa4e6fa9ad2088

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
612B

MD5
4c1ec64e264721d449e7ca290cdff06c

SHA1
9a7e754ddbb5c7d2cc4a924b36efab18923b7ee0

SHA256
3c7ab5916cfaf50a48409deb8ae64f8854a14835a53a1e54fec818b528557e13

SHA512
c89b04542a6e5faa8211a823c54447b289d99b6eb47f22ab12eeffa81357f58b36faa8aa8accc6591e2e14aeaeaacc9549ed6ee2a9ba1652d3c019b80ca49c6e

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
733B

MD5
41efde659734e9dc2bff6f7ae37175a2

SHA1
06c6dfe3b591bc2c1905874e2ec949e9d4aa56a5

SHA256
d3d8196f2c076e47683e1a559887fab7c8687ec3126a8c391c715c193814d619

SHA512
470923bcacfd75c3c440e21f4a78636560dfb5fff434c1dfdd265ed9b6330417bfaacfb49b6e9778fe5445729c29d6c7fa8e07751e39233c5d8be68cb17ea036

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
802B

MD5
7cdb599e60accafde1b791ec40e8a2d8

SHA1
fbb151481ac2362c129001c50e29b64437633e47

SHA256
0ec84763a3e19df626d2470e7f49a5bb01b59bf841b8b860f40a64538eb79eb6

SHA512
a345772a90f821d5ea9eb49ac96d54259ebec6f6440278d3e466f659742d90f85d45ad0f6643d12c2fa4d1ed411bdd2b175c82a28bbc65ffc5d21f135233251f

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
312B

MD5
0c04ad1083dc5c7c45e3ee2cd344ae38

SHA1
f1cf190f8ca93000e56d49732e9e827e2554c46f

SHA256
6452273c017db7cbe0ffc5b109bbf3f8d3282fb91bfa3c5eabc4fb8f1fc98cb0

SHA512
6c414b39bbc1f1f08446c6c6da6f6e1ceb9303bbf183ae279c872d91641ea8d67ec5e5c4e0824da3837eca73ec29fe70e92b72c09458c8ce50fa6f08791d1492

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
424B

MD5
c0d35a05e6e2f1d09e7bb4a152d6a463

SHA1
0b338faa22008ebadbd8bdb22abff3966c8ed9d2

SHA256
afd0b4c044db68345f5205d98cc4718ab55c1b69ab97e163f12267c9fafc0c47

SHA512
83999c48c8761f409bde9cf7be41f8bc226e7ac1227cb2a4dc169c4abd3d38760263a3699d96c6941ca5662ed2032bee7387b66d477889f50aed8977f334603f

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
2KB

MD5
2d559f2b416f87b979558c096a434510

SHA1
ef388e44198eae0287524ea2a517b83ce1830232

SHA256
fab13341dc97a91b1c907f671694c189ec33fa6afcbdc9839d79220aa3c6d77e

SHA512
22d93dd038cfa90d092c81a7bb70b8cfbd87d81655cb1e4b6a2b236643d6c1058200135fe079e78f82f1c12ed5ae1518945fbe01671dbb87885fed6eb2801cb0

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
e809b0e19f5ed5b3a1c3a8abd2d5ad0a

SHA1
898f928f2a77a0ba8d584e9af802e3caedb06990

SHA256
4651c93dc6acc1f5670e5d0c5959143bc2c8da23e72370d15859a81d873a0411

SHA512
9b5119611d8c85ae31a919dc40dbc9ef71a6162215edb8eaa95993541e87e29e882fecea1752f61f20d2f0d6f3c835f2af455c68ff6d742d0f6eaf5a3daae603

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
6KB

MD5
e882bf6e06a8cc9b53e6b4c1300551ea

SHA1
c2583fbee58696f145e642028b95c023e893e380

SHA256
014504ba604b5ccb5bb698608c923823fcaecdf7c1d3d45f5fd2bc94dbcd7473

SHA512
34b3b8d4e1d6fb79b908c37d08182551c167d5240558ed276665fddd2d574df159a46422ef37d0eaa56a7ae71982dd52bc71f87e72872a1fc3675c2906df2c67

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
6KB

MD5
29cd4186f7aa396b814262144fe3ea7a

SHA1
5845c6670ac9ff15d6727d0e66927025e160f8d1

SHA256
43f93fb9878f63fbb849217e1f2d2b81bd39d1127b4485fceb7529f6a3bdbedf

SHA512
93d6a33078f44dd64ff1e0bdda8e8212d5bb12c0b4161441012a98ca2bedafcb780f65f456d7374c997a6b95d15dbb1c4e9de41a90fe05bb6745286379c345fb

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
d24cfd9cbfe4638ba73a52875f66594a

SHA1
c5a3154c15b8cf697fb2d262a997718f4ac716dd

SHA256
7b3dfd5407185474a05fcc5afa7db8f5e89809d2263335c6d09aacc68a9ed1bd

SHA512
a22f5fe533477e7757ae45fb802e4d160cd50700ff1dd5b88765279e1dcc936b9d23144ebe6e0108353c5aa1d05850b899c377b5f91f83a056bd9ac93edc1b7d

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
df149b3dfc71afb9a8a61df80492173e

SHA1
79f176f33fab1053c18b8dd437e16f7fe1b4f612

SHA256
ac14cc8f5703dd8c403053f7a970c0c1964e0b4a4e3dc995c5b87388d562b611

SHA512
815ad60c9669418a8fe6d343cecd4fd3ee96c451566a0a59422842df08bee4003d8e129fb2d7d9c343a9b0a50cdb7c7b255abc76596c8d19aad1fea69b1837ca

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
0ab0450981f03857c3af067653c9b07e

SHA1
9a4c0b4532d26ee400eafba684b84ee5274a9185

SHA256
2101581ab42badff4ca6d28173adc631287ec5585d89e176c79fc1ac78fcce3e

SHA512
1b072288129a0594affe2169067a89cc4a42cfed6d7fe938fc59ed97464702b970e5f17215dd918260950bd287de6732e113b5a0925e51777c8b070435d45022

Download Submit
memory/2844-4-0x0000000002A80000-0x0000000002A81000-memory.dmp

Filesize
4KB

Download
memory/2844-224-0x0000000007A70000-0x0000000007A71000-memory.dmp

Filesize
4KB

Download
memory/2844-23-0x00000000063A0000-0x00000000063A1000-memory.dmp

Filesize
4KB

Download
memory/2844-106-0x0000000007A60000-0x0000000007A61000-memory.dmp

Filesize
4KB

Download
memory/2844-22-0x0000000006390000-0x0000000006391000-memory.dmp

Filesize
4KB

Download
memory/2844-227-0x0000000000A50000-0x0000000002187000-memory.dmp

Filesize
23.2MB

Download
memory/2844-1-0x0000000000A50000-0x0000000002187000-memory.dmp

Filesize
23.2MB

Download
memory/2844-0-0x0000000000A50000-0x0000000002187000-memory.dmp

Filesize
23.2MB

Download
memory/2844-82-0x0000000000A50000-0x0000000002187000-memory.dmp

Filesize
23.2MB

Download
memory/2844-103-0x00000000081A0000-0x00000000081A1000-memory.dmp

Filesize
4KB

Download
memory/4508-30-0x00000000009B0000-0x00000000009B1000-memory.dmp

Filesize
4KB

Download
memory/4508-18-0x0000000000A50000-0x0000000002187000-memory.dmp

Filesize
23.2MB

Download
memory/4508-226-0x0000000000A50000-0x0000000002187000-memory.dmp

Filesize
23.2MB

Download
memory/4544-11-0x0000000000A50000-0x0000000002187000-memory.dmp

Filesize
23.2MB

Download
memory/4544-26-0x0000000002AB0000-0x0000000002AB1000-memory.dmp

Filesize
4KB

Download
memory/4544-225-0x0000000000A50000-0x0000000002187000-memory.dmp

Filesize
23.2MB

Download
memory/4544-20-0x0000000000A50000-0x0000000002187000-memory.dmp

Filesize
23.2MB

Download