55e4ce3fe726043070ecd7de5a74b2459ea8bed19ef2a36ce7884b2ab0863047

Analysis

max time kernel
1792s
max time network
1801s
platform
windows11-21h2_x64
resource
win11-20240221-en
resource tags

arch:x64arch:x86image:win11-20240221-enlocale:en-usos:windows11-21h2-x64system
submitted
24-02-2024 13:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

AnyDesk.exe
Size

5.0MB
MD5

a21768190f3b9feae33aaef660cb7a83
SHA1

24780657328783ef50ae0964b23288e68841a421
SHA256

55e4ce3fe726043070ecd7de5a74b2459ea8bed19ef2a36ce7884b2ab0863047
SHA512

ca6da822072cb0d3797221e578780b19c8953e4207729a002a64a00ced134059c0ed21b02572c43924e4ba3930c0e88cd2cdb309259e3d0dcfb0c282f1832d62
SSDEEP

98304:NzTZ3cINQscs0m++LNkT6OpwDGUUH57yvZ/49Mr8EO3QhA9Kq:Nzt3cINQscNmvLCwDkHEvZ/4R79x

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AnyDesk.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	AnyDesk.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
5044	AnyDesk.exe
5044	AnyDesk.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
2596	AnyDesk.exe
2596	AnyDesk.exe
2596	AnyDesk.exe

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
2596	AnyDesk.exe
2596	AnyDesk.exe
2596	AnyDesk.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2236 wrote to memory of 5044	2236	AnyDesk.exe	79
PID 2236 wrote to memory of 5044	2236	AnyDesk.exe	79
PID 2236 wrote to memory of 5044	2236	AnyDesk.exe	79
PID 2236 wrote to memory of 2596	2236	AnyDesk.exe	78
PID 2236 wrote to memory of 2596	2236	AnyDesk.exe	78
PID 2236 wrote to memory of 2596	2236	AnyDesk.exe	78

C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
"C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe"
1⤵
- Checks processor information in registry
- Suspicious use of WriteProcessMemory
PID:2236
- C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
  "C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe" --local-control
  2⤵
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:2596
- C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
  "C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe" --local-service
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5044

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\gcapi.dll

Filesize
385KB

MD5
1ce7d5a1566c8c449d0f6772a8c27900

SHA1
60854185f6338e1bfc7497fd41aa44c5c00d8f85

SHA256
73170761d6776c0debacfbbc61b6988cb8270a20174bf5c049768a264bb8ffaf

SHA512
7e3411be8614170ae91db1626c452997dc6db663d79130872a124af982ee1d457cefba00abd7f5269adce3052403be31238aecc3934c7379d224cb792d519753

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace

Filesize
9KB

MD5
fd08b682d16f853c97b4c7542b7c2d4e

SHA1
834e53ae71c31eaa37ee00784e9744f9b592f1fb

SHA256
d15a4ac2e80d00f2d3428b8ed98c811faff899ef72b33d7751c5aa78a84e2025

SHA512
fc6125e2cc1ff5a21014e5cbf7412a6378ffd76ae58fc92c27b0bcf7fe8d65300b87ca61e1560aeb60c15659ce1bb9c813452dcc9601f3d626cac116be271265

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\service.conf

Filesize
2KB

MD5
a788bbfe845565a9aad6c40bb6e668c8

SHA1
bf9eea2021e488e89e7be79f5b563a89b767caaf

SHA256
f9e1f0597ec640fb8cbf9e61f9da934c62cc96e7be82d7fbf8968bd254bb9da3

SHA512
d64a2b969a605a04ff6e1543b6d7ffabe1b8ad96b17689797d8ac237f1d465e8029002595d82d2bf54ecdd6d77fbc33d6224bf074472cb6e3c695c23f7305372

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\service.conf

Filesize
2KB

MD5
28fc8b257fa9f541d3fdfafd4968effe

SHA1
0655549ff4801fdf1be1d3f038f63e6457a98590

SHA256
8bd86b5e607d9a2a6ee1e2fd73a58a0b04e7de02326c172dcc18547217021939

SHA512
ad63ca8120b84223ef640f9b423cbdae0ef218cf00db23db7ac1b15bf58856426da5e2537a6cd21b7720942838863b734cf3fa77e57ab64f1625224268216616

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
680B

MD5
1e0eba9f21ac48dc617b41c1376b4423

SHA1
10efa266aff479860182a5616a89e04ba76ddc5f

SHA256
7795ddbbf4492230015cd33d13de9e824e0f0daebc114488f54b116daedc5585

SHA512
3d233a0573eeb51a3d0e240678a03e10b4a3e880fe4fa05c76f14f71bacebda5d59c17a6b7bb9d1819c7f37bafee388fca5dd69cb3733cffb325ee51f5a12e16

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
801B

MD5
901800d6b3d94bfa6de1aa91786f4e6a

SHA1
1a79765edd240cfd49486269df3df05914f7930e

SHA256
4916e918f64a5fea6e561396b6a27568b957b8e40feeb673e16e905ae23b3a3a

SHA512
f92b77e827adf687697cc2a589861e1710448158e35598c69c27ff47776a9d7faf88a5cca6f937e7d6e6446ce2f090e4510c9364e8290be52901da74c8b86bf5

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
312B

MD5
0c04ad1083dc5c7c45e3ee2cd344ae38

SHA1
f1cf190f8ca93000e56d49732e9e827e2554c46f

SHA256
6452273c017db7cbe0ffc5b109bbf3f8d3282fb91bfa3c5eabc4fb8f1fc98cb0

SHA512
6c414b39bbc1f1f08446c6c6da6f6e1ceb9303bbf183ae279c872d91641ea8d67ec5e5c4e0824da3837eca73ec29fe70e92b72c09458c8ce50fa6f08791d1492

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
424B

MD5
21864b5c5e77f7310b5d492661efea27

SHA1
095fd994659247a5a6caaf8852690a6b03bdb595

SHA256
3f0717b551d4aa59d1e4a1bc80d0bb1eafc141624a22b5211cb928b3422dcad7

SHA512
815784a83884649070be88911b1db8aa0420d0ae01ba55d61f897fd6092c066153c9d69e8e04580dee95e30c310a8e51f73a3e684ca088dc927426590ed110fb

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
2KB

MD5
6ded5a1324a26a3aeb0553042a7f4c42

SHA1
780642521962d2ed6a397d12f1641ab9b4d65d26

SHA256
ad37935ccb6cce63403883d9abf74494af2681039be120f8b0f05b17ba5b5a92

SHA512
8b56ca782e14793bad08a61a26e04ed4286d48bdb34e293b81d6a094ff7528fd98aefac29fa37ed1688cabdadb5c0ad8ea677f8cd9f72bedb6a982aed3952218

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
3KB

MD5
e022670bde7e4fd3d4eb8560b0f8c3b2

SHA1
87e244c926b4662b9065d71fafb8333e135329e2

SHA256
f852f8780dd69313e675783a019f49991799a8f53283419c89a0f7ebae25ef8e

SHA512
61896e109211ddd31f2ca2b1d36f6c450cb319f15f1c0842728c9d27e3dca16bfe2b962135d285f60da517d2260b7a92fcf23abfc13aa651f1784a8596e07bdd

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
3KB

MD5
03690718aec6eb37d1ee67c11ddc8d16

SHA1
122d57697b7149635b9d92a32ec186ed2cceafd9

SHA256
3629f90e069739393b19864daba4aed097a0c8ef8b210c920d4c901e1a09c430

SHA512
8dfd4a87b1c4b181c6e8d2ff1f0b4a777ceb96a2399f99cd21fe14daff65d15981e4403e516fdf97bf5900f221c50fdcf70614d450d4708530d225afe8baac09

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
9d81509671f8dc7a41ba732100955333

SHA1
a961ada1edc95dde62a0db8f60c86ca12030c1c1

SHA256
1f12b2438eca6009dd42c63cf547bb7ea1484cfb11d3c5a95516bf9c0034c72d

SHA512
569c7776b47f1c28ae439e740cd1ce2d45fc7137ed3b0f954c3243437c1ce3b42b5e8b5e703be4cbfad30508f94229798c86997c4f3f14fed048b146ad31df74

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
6KB

MD5
7bc7a1ba46ff588c473d1ef470e1e7e1

SHA1
d3e8c8d4fefbc77b66de21022220dce07c418aa9

SHA256
cb83d50b96cde4bfca726210f2df6912d559c8284a1a602542dbecec84290ff2

SHA512
de1b36cf1261325998b719787847154cf147327acc68876619c4d4843f890012e5e7325824656b31add0cca2f2a414076f3631d10ad95a2f5b3897128598e79e

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
6KB

MD5
7ea7ce54b5318a5e3f0c1b26323ff2b0

SHA1
4b84ece99ee88331dafbecab45a48ff371cf84ad

SHA256
2b980e04617475db0ead0423976e2f682db1007fbb53b4b7f4c24d890b5dda5a

SHA512
e81616b6b49ea612e412333420f63dd37d0d9b13f6af0cad4842ce68a70b843a0553f4f1912ed54bfb957f889972a4d2a0173dbeb8a7cb707f8f99030581ec40

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
6KB

MD5
09449ef2fb5baa00b957ba02ab63c96b

SHA1
7055fe40b770836a217eb5188b87c9541f7e7af9

SHA256
785dd963fddeff4417d720b36851e42703a69cda2ecb5235c52796bb9dd3707b

SHA512
756c09aa71d5cfaa89a97c0cdab0d2e7f726ab7348b3206e85242bd43ce2a5818d07006ab45de1108ab16fe13f6c3b1e7ea72d0ef6aefb7f2a8189a8ddc28949

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
86a2125e7525cdd5e5e0c45bbb9e090f

SHA1
f991042dc27510c430c4207b345c8cd86a989c3c

SHA256
d294f96d1c76cf607a569057163e88816ccb6c02dd9f3791de2f72fb6cdfec42

SHA512
79fef3cdaeeb0c2b099c5b9c8d97dc6d9f13d74fff9957f2e96c7707a7b59fb8758ec3e911f4522649c47a1571869731268ba45b5c54af20c29c82c3e2389d8a

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
92d8bb74835d3ce348075939785c9a01

SHA1
44668af0b229d43db0ede565ddb1b497f3c20880

SHA256
5195078bb29d6a53bff609f7d9bd1135c2f9b1de2a943d2dc2b727fd09c4abb0

SHA512
3830fa391d805c34880d789cfb658bc2e9010a6046e0e7af3eb52360b1df54aca564d320fe2cbc8ac95c4a1092e69b34d486fd9db9df90bf22881275f365c916

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
88e75212092745cb6de1b0462c87fada

SHA1
ea2ed5182b8a02316c7889089ed1d55b843472d4

SHA256
9918500ac9941d662072b2c2dbe5a7f1a98cf593336c70e70fd243a74e80c280

SHA512
7c3320df55876c903af16e966de6b0d8e35f73d1c841d1836bfd3c50158bc6d5b401b09b28c82db19653fb546d9f0f6e325d27f0410cfbf4766e4118f499349c

Download Submit
memory/2236-84-0x0000000007A10000-0x0000000007A11000-memory.dmp

Filesize
4KB

Download
memory/2236-393-0x0000000007B50000-0x0000000007B51000-memory.dmp

Filesize
4KB

Download
memory/2236-394-0x0000000007B40000-0x0000000007B41000-memory.dmp

Filesize
4KB

Download
memory/2236-22-0x0000000006340000-0x0000000006341000-memory.dmp

Filesize
4KB

Download
memory/2236-230-0x0000000000FB0000-0x00000000026E7000-memory.dmp

Filesize
23.2MB

Download
memory/2236-20-0x0000000006350000-0x0000000006351000-memory.dmp

Filesize
4KB

Download
memory/2236-0-0x0000000000FB0000-0x00000000026E7000-memory.dmp

Filesize
23.2MB

Download
memory/2236-4-0x0000000002830000-0x0000000002831000-memory.dmp

Filesize
4KB

Download
memory/2236-1-0x0000000000FB0000-0x00000000026E7000-memory.dmp

Filesize
23.2MB

Download
memory/2236-81-0x0000000008150000-0x0000000008151000-memory.dmp

Filesize
4KB

Download
memory/2236-220-0x0000000007A20000-0x0000000007A21000-memory.dmp

Filesize
4KB

Download
memory/2596-11-0x0000000000FB0000-0x00000000026E7000-memory.dmp

Filesize
23.2MB

Download
memory/2596-233-0x0000000000FB0000-0x00000000026E7000-memory.dmp

Filesize
23.2MB

Download
memory/2596-32-0x0000000000A80000-0x0000000000A81000-memory.dmp

Filesize
4KB

Download
memory/5044-18-0x0000000000FB0000-0x00000000026E7000-memory.dmp

Filesize
23.2MB

Download
memory/5044-232-0x0000000000FB0000-0x00000000026E7000-memory.dmp

Filesize
23.2MB

Download
memory/5044-31-0x0000000002C60000-0x0000000002C61000-memory.dmp

Filesize
4KB

Download