55e4ce3fe726043070ecd7de5a74b2459ea8bed19ef2a36ce7884b2ab0863047

Analysis

max time kernel
1793s
max time network
1795s
platform
windows10-2004_x64
resource
win10v2004-20240221-en
resource tags

arch:x64arch:x86image:win10v2004-20240221-enlocale:en-usos:windows10-2004-x64system
submitted
23-02-2024 21:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

AnyDesk.exe
Size

5.0MB
MD5

a21768190f3b9feae33aaef660cb7a83
SHA1

24780657328783ef50ae0964b23288e68841a421
SHA256

55e4ce3fe726043070ecd7de5a74b2459ea8bed19ef2a36ce7884b2ab0863047
SHA512

ca6da822072cb0d3797221e578780b19c8953e4207729a002a64a00ced134059c0ed21b02572c43924e4ba3930c0e88cd2cdb309259e3d0dcfb0c282f1832d62
SSDEEP

98304:NzTZ3cINQscs0m++LNkT6OpwDGUUH57yvZ/49Mr8EO3QhA9Kq:Nzt3cINQscNmvLCwDkHEvZ/4R79x

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AnyDesk.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	AnyDesk.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3836	AnyDesk.exe
3836	AnyDesk.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
3008	AnyDesk.exe
3008	AnyDesk.exe
3008	AnyDesk.exe

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
3008	AnyDesk.exe
3008	AnyDesk.exe
3008	AnyDesk.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4260 wrote to memory of 3836	4260	AnyDesk.exe	87
PID 4260 wrote to memory of 3836	4260	AnyDesk.exe	87
PID 4260 wrote to memory of 3836	4260	AnyDesk.exe	87
PID 4260 wrote to memory of 3008	4260	AnyDesk.exe	88
PID 4260 wrote to memory of 3008	4260	AnyDesk.exe	88
PID 4260 wrote to memory of 3008	4260	AnyDesk.exe	88

C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
"C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe"
1⤵
- Checks processor information in registry
- Suspicious use of WriteProcessMemory
PID:4260
- C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
  "C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe" --local-service
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3836
- C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
  "C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe" --local-control
  2⤵
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:3008

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\gcapi.dll

Filesize
385KB

MD5
1ce7d5a1566c8c449d0f6772a8c27900

SHA1
60854185f6338e1bfc7497fd41aa44c5c00d8f85

SHA256
73170761d6776c0debacfbbc61b6988cb8270a20174bf5c049768a264bb8ffaf

SHA512
7e3411be8614170ae91db1626c452997dc6db663d79130872a124af982ee1d457cefba00abd7f5269adce3052403be31238aecc3934c7379d224cb792d519753

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace

Filesize
9KB

MD5
7d15c5b4ee8f616a8301e0d5585b2610

SHA1
4d8624ab347c913da7f896f96acd6abf1f6a17ae

SHA256
3e8077515dc4b2e192e0d1ed40bc96b5a467d07cf89ce1cff8c2c45b990ccb2f

SHA512
2b3e7c61d1838621dd8e8f76e5be62806e03ed793f684b02539b484f89c16cc8c1662d899bf3f4af1ae36736c70cee87c64bc2680bb6f22c95c6dc4ad1bb81b5

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace

Filesize
10KB

MD5
6b11f1a1596f930d9409eedaaa272d2c

SHA1
c75d86db229147352359ab7cfc94557bac503643

SHA256
e3736306e14c6b70cc9a1566b5dcff3be2f5629f3fe10fa48cd53c39e0fac517

SHA512
cb7b2b4c8f3ac74d77d7fca4939202ac5121de9fbb6689736ad7cf2cf462d9f535a34dc23475c99464b49c74d016bb73ec1c3f30a1ab4f780dd9628465a70596

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\service.conf

Filesize
2KB

MD5
a1886f5d157c3e6d0223a76628ac0b8a

SHA1
295cb18e7c5886129bfb22f0637b4b10a00f91e5

SHA256
182ed9853bddcd2c30fa66139196e4c5f111aa5aa3ae0d8bb622331dfdacf09b

SHA512
1eeb8a3b2b31ab96ade4407dc6206d343b97e73d8c865ff9f802a0f8f84d4ac8133f21fb984d5149e30846610ad638c4492e3f6c9d1ba3f7db99d0a83233b0b2

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\service.conf

Filesize
2KB

MD5
a7807d073aad2fe7afc92eaddef9774a

SHA1
3c5b279660fcb3de05b579693cecb7780a82bb4c

SHA256
6712cad57948b3b8891f33e0665f4672cec6df162e3b34134b29f5d4c384c08b

SHA512
b8aa07775f49d04f208858ed1190e5033d84f84b9e5ae6a7cf17aa325505b8018c55a135cbfd42215f03e77b2a255cd92cdd66dd688f36e5a3c5730a2e19bdb4

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
681B

MD5
5e48ae6925755dd5d93ae3fc863da4ab

SHA1
5e6aad412c60a794a08f3aba781bb27f862565ba

SHA256
1f279f68d1e1ab96368233dc5aa886ec38934e06971c7ba996d33e91b35fb752

SHA512
68123acf58a27506b2002a884984599b97735b97f24c919befada5a4f8bbed35a0ab80dd0bc2f796119cfe68635092ab6eff34cdee162ed3d014084df42325da

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
802B

MD5
1e9f283c9e04af18848cb3f50931a533

SHA1
0ae2804e1d9fc18df326324fdf1623474086ec43

SHA256
87896cdcd93fe1e97e14d536d3c252f69a5b5d615c486dbe275c6db652d9cc7b

SHA512
6b5e797865da597c50f319ac0ce45740cdd78b46ac8c673db2a0e7f4ec3115a2242803509be541acf2a32fd4a0a53a8080382c8e901a950a0b69bf1b302784b0

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
312B

MD5
0c04ad1083dc5c7c45e3ee2cd344ae38

SHA1
f1cf190f8ca93000e56d49732e9e827e2554c46f

SHA256
6452273c017db7cbe0ffc5b109bbf3f8d3282fb91bfa3c5eabc4fb8f1fc98cb0

SHA512
6c414b39bbc1f1f08446c6c6da6f6e1ceb9303bbf183ae279c872d91641ea8d67ec5e5c4e0824da3837eca73ec29fe70e92b72c09458c8ce50fa6f08791d1492

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
424B

MD5
7116a84dc155867868fe645f38c9e897

SHA1
bd7f092041ae91972ec6aca324f12e376d24a383

SHA256
51b356ac247ee259485b09b4385aa5ef88118abd3b40609c443a63fa2148d3f8

SHA512
ce307a55b64c4623b9f41364bd4cac98135b870c4d47a29ed431e1ea80d2ae017b84f3f8f4c018eb831ad4c7bb71f5121118c3ea68a577bb5b8a8c8fde0ca6ed

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
424B

MD5
7a554983d18d8abf68b264ca05fee8ba

SHA1
c4ff08fcbc1147cc824ac0089c0321ea59e12437

SHA256
43936e16bf6cc54593188abc1f0a7250e6fc3c00e791a055437e1fed37eae064

SHA512
11389d2a8df712b9cfba8d81252f12aca29a6768a9f9c231ead04e43c63989e35444c8daca1afaa0799704e1132a1f4a5e4502985b3ddf2e03564df80159d679

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
2KB

MD5
6273b20ea4993a279fcc6d541ee87fb3

SHA1
ef02a20088165a31ed6f46d3d51bf552bcc8ae1f

SHA256
eb27ab4b8daf48b10dd9824b495521b2797561964115a854f2496077c0bbcb03

SHA512
7b432d10aecffa1d081d371d7db296dcec3c756d1face4d969730fac06f7d68f520e3bb3c98990328d776acce7f28a36a2dc57ef18f28e34e3708093f9300db1

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
3KB

MD5
f4c4ed998c4c7a26fc7d1718acd7d7b5

SHA1
28a7f3055ac6abd8e169b94928f044b7226ed4f3

SHA256
df8d5090114d665ffc3bb1396b73e178b2d2ee9717de345e528b0cd09dded9ba

SHA512
ba0485ddf3226bd0741ba4f4d252e76663880e3c26b41a9df73cab186c7be6628b1a51a54ae28ea64c1a431149b35a4e6331fee19ad3b38061c939f4769555e7

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
af6d9ef628ac0b431b2df3d66a40e453

SHA1
5871a023bc7dccafe7e6480e76dd9af3eca8cdb8

SHA256
cdfa99114793fda1742449dbe0c9612fa79209051e02a7cdfc62f49b8a353b08

SHA512
0bafc219f046ec7f0fc2be405d55c52561680b870416d1e36b3cf093720cd6053360a54033f78cbb64df03d6d4f579aaaeed45cf860337189ed4222c98755602

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
3KB

MD5
1ec068a24cc2dffe6ad22c0c29c539f1

SHA1
2b4d5426ab23f20f045064a6580d68b3ed9f3425

SHA256
0c935cd9022b4b64cc4ce7fb559108f21617f1eeaa923f52665b374d3db39b7a

SHA512
e77da9a79a6b08efb00c7e60a2d76c39c8f71ce066de709245e9d415bec4f41ba75cb9baeb189b73a2729578de57839d8f62362df2b7319a245e45c7b9bf8682

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
6KB

MD5
c9d530f7392cebd523f581d8f46eca5e

SHA1
fdbd9fe81287b8695a286fadf5c698a9c5d1e21d

SHA256
dd7df171a143eae94c1fd5a0e50b20eb69d73ecfd1700b7d1ed393e39cc4f083

SHA512
a68e71674f8eca806104c649d45955e35abd24e2898e29ef309b97bbe80a4f29c56c5020d482d9daf302830299da20dd778604f0325b7b9f13cb8fa4a073d451

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
6KB

MD5
6323459e12cb22dfd109a9a7b6dc66dd

SHA1
727e1a3173073603b319217a73205301e5064bf7

SHA256
581a9066123843e9a3843717c9ffe16707b3ccdbbdb30467ac0aab65c57a1043

SHA512
c43fa78dc19a7836386e43fbbe9a66f60049cb69a3021931436f8a9c0e763b736163da915b19b7b4329aff42d1ffa62dd9de934dc9d39ff9a001224b30e7845e

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
6KB

MD5
06b04591eb8f6a8f29f267879808f307

SHA1
e090f59b7d56717bc5877308d5897711cd79eeac

SHA256
bdf8dae6246f47ab0907e84088a3be18e3de4c3094ec6a57a4f36a2e4c4b5ba8

SHA512
04780b96bed20d0b52ec28679094c1d0d56a69481ef43088c672e29d3214fdd990f8a3188a56371f4c1f428009159edcf56436e5fa3620b0ff7a7a04095b95b3

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
6KB

MD5
95b878f389f7252f8c464f5465b6f156

SHA1
2b14e8303bae79e25655af089caf63f166c18800

SHA256
6c2e5d8f764d045d9c84d03dd2f174a599d75f0a731b864ca6fd3a75af9250b9

SHA512
e03bcf10a2de71d4785ce0343239f074536f6099a724ce458c8d0a7f9ba13213db9af60f8f02d577dcbcfe3413c5bf5c90c7c3d22cbfdc9aadf21660b12a7be4

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
2de5de4e4cec4cce535f4b679ee34e84

SHA1
192ed8363684c5c6840b97ba3bc75e65e20c4e63

SHA256
5511d6a898e7754cb1a973b00aa52667b522c1fe3ac242eab2efa58a545ca0f6

SHA512
97be7b60f0498984d317adc50682ab0eaf64896a0cac0b10938c9c34dc29dee84870673bba7b18f6ca210183de338f83147b7257baff210a676d1e8343f45cdf

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
f34b4669fb0599ba70f612f8181770f3

SHA1
8294762b070b2579b41d60f0eef087e488d0b00e

SHA256
a043db2bf2507da1c9a5d3b30b3f8b1ff5592a7252be3889d787862017dbb9c1

SHA512
dfffa415d17bdab10c1f5b29c45ef000d1764cfccbb0019d1801603207a7b50d00cbd4f1fdd4ac577a4ff0edfba871dffdafd78e800e98f9a839c5aa9a4ec5e2

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
10231084af1a71c22c8c04ffff63492d

SHA1
13f4808a75d7c53a309c2b7007004f3296823d64

SHA256
8554f5fb2b557c87134b67f2ca9f8656a96a043a7f755173b94e9beb4e7215a9

SHA512
c567c323613710a5ac83cf9e8f4baa65f488ed56da79059c5d2250d0886f59af5d38ef0cf425cd97018d6e69c2358bbc16efbf765512bdf6191c3c2fd3af230e

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
cb493227fe12d941b04f12b2e7504f35

SHA1
0a134f5d29fc636cb37218610d860be875838255

SHA256
4fb0141a850b9b373e35b3fd6553c0eb0656f97b9e927e89b1617e4f0ee9ec06

SHA512
e35e85f5473c9d243797d955df6b139ec47fe3053edf0853d64e86fcd151fc904943408eb1227999dbd6418e7c7c971608344c98fa907ef470d521710889f333

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
748cd1d06a16d04ecbaf8fa9de479337

SHA1
5f759a145de3100b2a495a6a403d2497af26ff00

SHA256
2020e862c91fbecab791feeae891dea2431a368941684aba3799fad417155f5e

SHA512
c28d73242bb0370c33d101386c329fb593c9e6a37990511a9d5feaea330fd19bacda8a8ab5893dd3d1e01c3ece9442973aaa10383894ab8f8a02f6121b53e808

Download Submit
memory/3008-33-0x0000000002590000-0x0000000002591000-memory.dmp

Filesize
4KB

Download
memory/3008-20-0x0000000000790000-0x0000000001EC7000-memory.dmp

Filesize
23.2MB

Download
memory/3008-252-0x0000000000790000-0x0000000001EC7000-memory.dmp

Filesize
23.2MB

Download
memory/3836-29-0x00000000044B0000-0x00000000044B1000-memory.dmp

Filesize
4KB

Download
memory/3836-251-0x0000000000790000-0x0000000001EC7000-memory.dmp

Filesize
23.2MB

Download
memory/3836-19-0x0000000000790000-0x0000000001EC7000-memory.dmp

Filesize
23.2MB

Download
memory/3836-21-0x0000000000790000-0x0000000001EC7000-memory.dmp

Filesize
23.2MB

Download
memory/4260-89-0x0000000007750000-0x0000000007751000-memory.dmp

Filesize
4KB

Download
memory/4260-1-0x0000000000790000-0x0000000001EC7000-memory.dmp

Filesize
23.2MB

Download
memory/4260-4-0x0000000003F30000-0x0000000003F31000-memory.dmp

Filesize
4KB

Download
memory/4260-17-0x0000000005FC0000-0x0000000005FC1000-memory.dmp

Filesize
4KB

Download
memory/4260-239-0x0000000007760000-0x0000000007761000-memory.dmp

Filesize
4KB

Download
memory/4260-0-0x0000000000790000-0x0000000001EC7000-memory.dmp

Filesize
23.2MB

Download
memory/4260-250-0x0000000000790000-0x0000000001EC7000-memory.dmp

Filesize
23.2MB

Download
memory/4260-84-0x00000000060C0000-0x00000000060C1000-memory.dmp

Filesize
4KB

Download
memory/4260-18-0x0000000005FD0000-0x0000000005FD1000-memory.dmp

Filesize
4KB

Download