55e4ce3fe726043070ecd7de5a74b2459ea8bed19ef2a36ce7884b2ab0863047

Analysis

max time kernel
1795s
max time network
1804s
platform
windows10-2004_x64
resource
win10v2004-20240221-en
resource tags

arch:x64arch:x86image:win10v2004-20240221-enlocale:en-usos:windows10-2004-x64system
submitted
23-02-2024 21:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

AnyDesk.exe
Size

5.0MB
MD5

a21768190f3b9feae33aaef660cb7a83
SHA1

24780657328783ef50ae0964b23288e68841a421
SHA256

55e4ce3fe726043070ecd7de5a74b2459ea8bed19ef2a36ce7884b2ab0863047
SHA512

ca6da822072cb0d3797221e578780b19c8953e4207729a002a64a00ced134059c0ed21b02572c43924e4ba3930c0e88cd2cdb309259e3d0dcfb0c282f1832d62
SSDEEP

98304:NzTZ3cINQscs0m++LNkT6OpwDGUUH57yvZ/49Mr8EO3QhA9Kq:Nzt3cINQscNmvLCwDkHEvZ/4R79x

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AnyDesk.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	AnyDesk.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2240	AnyDesk.exe
2240	AnyDesk.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
536	AnyDesk.exe
536	AnyDesk.exe
536	AnyDesk.exe

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
536	AnyDesk.exe
536	AnyDesk.exe
536	AnyDesk.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 3524 wrote to memory of 2240	3524	AnyDesk.exe	90
PID 3524 wrote to memory of 2240	3524	AnyDesk.exe	90
PID 3524 wrote to memory of 2240	3524	AnyDesk.exe	90
PID 3524 wrote to memory of 536	3524	AnyDesk.exe	89
PID 3524 wrote to memory of 536	3524	AnyDesk.exe	89
PID 3524 wrote to memory of 536	3524	AnyDesk.exe	89

C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
"C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe"
1⤵
- Checks processor information in registry
- Suspicious use of WriteProcessMemory
PID:3524
- C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
  "C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe" --local-control
  2⤵
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:536
- C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
  "C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe" --local-service
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2240

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\gcapi.dll

Filesize
385KB

MD5
1ce7d5a1566c8c449d0f6772a8c27900

SHA1
60854185f6338e1bfc7497fd41aa44c5c00d8f85

SHA256
73170761d6776c0debacfbbc61b6988cb8270a20174bf5c049768a264bb8ffaf

SHA512
7e3411be8614170ae91db1626c452997dc6db663d79130872a124af982ee1d457cefba00abd7f5269adce3052403be31238aecc3934c7379d224cb792d519753

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace

Filesize
6KB

MD5
8f43200eb549ccccc4d27e9040f227bb

SHA1
e198dc24dc9d4438b76526495432c45e6c063314

SHA256
bd98a56df4ca646ee3941d066e5d1759c4fb29d23ebe46dcdf18555bd024e43b

SHA512
377c541181349943ad4176673765e8dedf90effef8d02465a8fd8c894e2c1b25c69beb7465978a04f196c49d09daca1d4a9d220f1465f73ecd720a5e7bcc36dc

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace

Filesize
7KB

MD5
f86d648d6adb24dc6a16d81089eebc8a

SHA1
4d4961905f7bee43332a427745ed549030f4ef64

SHA256
73bb0203bdaa208cec8d0522a45b37773fc613058f8dc2e0beb0b5379d4f4d6e

SHA512
c06c8060ded55447f5b9875199a83f3e1660bf2f15e0b219edd479257f06a63fbd758db57bc8dfb9c26ed8b5ac648fae52f8e969af48cb49edfb57a1c19b259a

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\service.conf

Filesize
2KB

MD5
28b4b98c9816b964f72142f35a957f55

SHA1
a8c8b613028a6ac5d050c1e968708c1e88b5e172

SHA256
2684e0866964ca899e1c7c98126cd426689f494f7a19f4d65005bc27dc5ca285

SHA512
16bf2c4f67d9a976c9f64348f75efa30470277b589b61e748583d0ef8d536ec0d231a8298709530eefc0bb69b85b034793f66d2a6c7b8722228c626f4bd0758e

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\service.conf

Filesize
2KB

MD5
61a7aae977e2d1128a00cc12b623658c

SHA1
9b5cf54aaca493415372cfebf7b33e9c34eee986

SHA256
71147ebf1052cea9e44d3798c146fe4f03db6f315e23563fa819b65b708d5ead

SHA512
1c61a1a5f74248a641f057a14d14b11f238267c77932df602bd291c8f70b996b4ff005d1a0c041857eb929ea669458b6eaa0899414e2899fe5df485dd63a430f

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
611B

MD5
8bd813c220526ff552e8ab6a6598e9e9

SHA1
07964a16788d292d418e97317c8372f5ac5ee0aa

SHA256
52b99905b76cc56db956b49c765698a381c401c0b89fa5fe90c31005ffc1fc30

SHA512
af82383d946bd85969c4dfe74f781ad98e0e7c7065704f01a3cac02f1bba1d4d061dc7499694f361908a90f8411734e5790dc1e4f8b6ddc4e2953a3c2b0ac978

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
732B

MD5
c0ae8567af23b2c8ccc0f9695deb0be5

SHA1
df4952bf7c1d6f5354b9353cf9ca2aa24c1edfa7

SHA256
d45b007db1ec339754cc51f76b9f04949e0e00cbda68ac9a05b59a876548bedf

SHA512
648e4752b6d10b338ac5da30ca3e3073201be48927311c04c8aead20be1259fb04e2abcca4955d3a76a67486dc3ec700d3c697895cbe6f1634bae09059b07b15

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
801B

MD5
a0cbd77ad2eb003cc31157e0eafe902c

SHA1
dc7076abc3b41e86a4727a7e174ba4030f78e533

SHA256
7506413a33093b21a3bcbb88d6da647be072d10bcb58ed4a9da570e1ad6f062e

SHA512
8b5477ad04973046cc7b70ddfeaafbee26e5a421ce0d130073b2254c77c28581dc48b4c144463d16f22648bfb61dec8762663ebf522688e1133bcf4cb8a1b22e

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
312B

MD5
0c04ad1083dc5c7c45e3ee2cd344ae38

SHA1
f1cf190f8ca93000e56d49732e9e827e2554c46f

SHA256
6452273c017db7cbe0ffc5b109bbf3f8d3282fb91bfa3c5eabc4fb8f1fc98cb0

SHA512
6c414b39bbc1f1f08446c6c6da6f6e1ceb9303bbf183ae279c872d91641ea8d67ec5e5c4e0824da3837eca73ec29fe70e92b72c09458c8ce50fa6f08791d1492

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
424B

MD5
d2e853c60753c935cecef13ac4ae6ac8

SHA1
1d9414459ef99cda9a806962fe04dfe58e78af38

SHA256
b4ab7d91bb7e24f7485f4e72b63747bf56c952dfff008d1b220841b85185cdcd

SHA512
9fb82449d7a52bd7b3bb8e075135f8d6f72cf05d46f4ebf5503e6d446d7151d80e04f471eda7c6e3a1c84585eaf05d55a61db0bbb9ce3a5b1da62b5da96f0fca

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
2KB

MD5
d3eeebc79fe57ccb19e70262ca862bef

SHA1
430ccc1dfd16c8529ca93950936dc886c798347e

SHA256
abf4e6cf9576416159afb9d50a7629e1a05020bbd61b527cd4a40a94fa722a28

SHA512
cf221e7032b5c37f6bfd11b06f019bac44ee17c9cde0c35283d6dd56ae7cc8f538f0ce7df2377fc13c4af91376eb7620b25eda0b768a891d4ddf26e4c1f54f79

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
6KB

MD5
12fbb94cd0a367adeb54f30c4bec99ed

SHA1
a9a9ef1733ec6538a02b65ea53910866ef463a07

SHA256
7e5d84c31bc73d4eae48a2baf3adf72105b6952f3944947a9139390501ddb8c0

SHA512
40e02cfe3263945260f14e993ddcb792ffb7f7da02e2b02cd035e5dac7514f777da39e177d56c126068395e89ee43abf2677c47908c3a37df3b6bb79bdf3082d

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
6KB

MD5
0d5054849922b9a4849d4d9f6d1cc05e

SHA1
74a2229ebcff0896035c52a31412930ab44df6f0

SHA256
14fdd06264fe231d8f53c1a9263ff46f7566a134511b8baad007c6a96a16720b

SHA512
a9615dbfb114eee3121351d22bdbb8bd4e7fa7b30d0b6412e6b3601d092d3ebf79cc33de39a19f59936a3e4d055669ad62f3596664c55f111a6fedb17106c5de

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
0584003d4ac754fb1fc93aeb534dc55d

SHA1
0c416c20c4820820679abcb5eba1517473f58ab9

SHA256
a831aa00e90cf11a954411b399e098f7ef7467f094c0c2d85f804ec80777b0fb

SHA512
0923588eced57623bef5f2318b8a112326e1d716e001388fc6c6613183d89d957fe5464aebc5cad4d0c5c8d9128bdfcda87e4d04d394fc3b1219c06ba30ae109

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
25e8acffdcdfa4da3a0b099e58959354

SHA1
3ad3393f22796797713f594dc548cad1bc7ce899

SHA256
136a14057b82fd4c785eeb0951b14f3d85041c16ddcd03499fd2372fa42bcbba

SHA512
9b3eb99ed118943c4c856dc4355c7c5fc0c4f40ac96c7b717a61e1cc318e87ccc26a099141028b0448d153524ed1d536e9b8b52267d76f3109e70af9baec2490

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
d0b57ad8d18c6bd32e9f6dd3ac358af8

SHA1
3e106e9bebb3cd839b5407a844cdadfee9f9e94a

SHA256
5c8fae170aebdd61eaa16cb44e92eacc8f09469b7b0cb6f32181579f16a32368

SHA512
4c7e1c01b20a32c9965630f597f3fe321e68f0a2c47c158f3edcd2a65d7559c02735818abe3e0d9c3c7cdb14613a48411008fd71ed4996d67d22c35deca1f2ef

Download Submit
memory/536-33-0x0000000001DA0000-0x0000000001DA1000-memory.dmp

Filesize
4KB

Download
memory/536-199-0x0000000000190000-0x00000000018C7000-memory.dmp

Filesize
23.2MB

Download
memory/536-23-0x0000000000190000-0x00000000018C7000-memory.dmp

Filesize
23.2MB

Download
memory/536-11-0x0000000000190000-0x00000000018C7000-memory.dmp

Filesize
23.2MB

Download
memory/2240-12-0x0000000000190000-0x00000000018C7000-memory.dmp

Filesize
23.2MB

Download
memory/2240-198-0x0000000000190000-0x00000000018C7000-memory.dmp

Filesize
23.2MB

Download
memory/2240-34-0x00000000020A0000-0x00000000020A1000-memory.dmp

Filesize
4KB

Download
memory/2240-15-0x0000000000190000-0x00000000018C7000-memory.dmp

Filesize
23.2MB

Download
memory/3524-1-0x0000000000190000-0x00000000018C7000-memory.dmp

Filesize
23.2MB

Download
memory/3524-29-0x00000000059D0000-0x00000000059D1000-memory.dmp

Filesize
4KB

Download
memory/3524-3-0x0000000002090000-0x0000000002091000-memory.dmp

Filesize
4KB

Download
memory/3524-32-0x00000000059C0000-0x00000000059C1000-memory.dmp

Filesize
4KB

Download
memory/3524-0-0x0000000000190000-0x00000000018C7000-memory.dmp

Filesize
23.2MB

Download
memory/3524-196-0x0000000007160000-0x0000000007161000-memory.dmp

Filesize
4KB

Download
memory/3524-197-0x0000000000190000-0x00000000018C7000-memory.dmp

Filesize
23.2MB

Download
memory/3524-93-0x0000000007150000-0x0000000007151000-memory.dmp

Filesize
4KB

Download
memory/3524-90-0x0000000005AC0000-0x0000000005AC1000-memory.dmp

Filesize
4KB

Download