55e4ce3fe726043070ecd7de5a74b2459ea8bed19ef2a36ce7884b2ab0863047

Analysis

max time kernel
122s
max time network
125s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
25/02/2024, 16:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

AnyDesk.exe
Size

5.0MB
MD5

a21768190f3b9feae33aaef660cb7a83
SHA1

24780657328783ef50ae0964b23288e68841a421
SHA256

55e4ce3fe726043070ecd7de5a74b2459ea8bed19ef2a36ce7884b2ab0863047
SHA512

ca6da822072cb0d3797221e578780b19c8953e4207729a002a64a00ced134059c0ed21b02572c43924e4ba3930c0e88cd2cdb309259e3d0dcfb0c282f1832d62
SSDEEP

98304:NzTZ3cINQscs0m++LNkT6OpwDGUUH57yvZ/49Mr8EO3QhA9Kq:Nzt3cINQscNmvLCwDkHEvZ/4R79x

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	AnyDesk.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AnyDesk.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
2060	AnyDesk.exe
1252	AnyDesk.exe
2884	AnyDesk.exe

Suspicious use of FindShellTrayWindow 5 IoCs

pid	Process
2884	AnyDesk.exe
2884	AnyDesk.exe
2884	AnyDesk.exe
2884	AnyDesk.exe
2884	AnyDesk.exe

Suspicious use of SendNotifyMessage 5 IoCs

pid	Process
2884	AnyDesk.exe
2884	AnyDesk.exe
2884	AnyDesk.exe
2884	AnyDesk.exe
2884	AnyDesk.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1252 wrote to memory of 2060	1252	AnyDesk.exe	28
PID 1252 wrote to memory of 2060	1252	AnyDesk.exe	28
PID 1252 wrote to memory of 2060	1252	AnyDesk.exe	28
PID 1252 wrote to memory of 2060	1252	AnyDesk.exe	28
PID 1252 wrote to memory of 2884	1252	AnyDesk.exe	29
PID 1252 wrote to memory of 2884	1252	AnyDesk.exe	29
PID 1252 wrote to memory of 2884	1252	AnyDesk.exe	29
PID 1252 wrote to memory of 2884	1252	AnyDesk.exe	29

C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
"C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe"
1⤵
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1252
- C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
  "C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe" --local-service
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2060
- C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
  "C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe" --local-control
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:2884

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace

Filesize
5KB

MD5
6575ed409e89261313b55303030c79f3

SHA1
a1d2205680b83d0d689162464ab8e206335aa65b

SHA256
ad95b41c397eabdebbdd6162357b8f83283981c876615c942921959f79ebc4fe

SHA512
f33dbdccd622e7e1d0c99ecb1fd2d854e9233226282d7e39d192f9d037a9564ca1df3104fc4fe995130b4b2571b07d35eb852a0579e5d8c443dde9aa85f39db0

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace

Filesize
11KB

MD5
d32d5830fb234e0ed64cea21b536046d

SHA1
7ca65e0f07693a8c19d8236d89ad289b4ff03119

SHA256
8efceacd2b502f6f1e21751c70a9d65bbb363c86cd98b6ad670ef8c095fd4632

SHA512
b6a5ca56824d47b550f7754a70fb7981a7433bad0b29fb82e60e268ed5fb2b49ba0bea418cbc9b66525eb9d0df495339a411458770514bd5f1782ec4fad59bb6

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\service.conf

Filesize
2KB

MD5
45918bae3a0078a7fbc28c3c0b238e14

SHA1
b7d65f501ab1b9b20a2146d08f998b3162f2364b

SHA256
275ded6bda251b572370a00aecec0ea125b7a5a984be7f0afcf94d6df8485f58

SHA512
d560975994d1d1ad6ef0937b7f4a4551eb38a59de173f7a93907137f5cdf35d778bd6613ae3b29913d566ccfc8fa21c537c938bbc39295e6a139b567febf420c

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\service.conf

Filesize
2KB

MD5
12768cb65aa0c7189552c4cbf5f47d6a

SHA1
f4b447a45dec5fa4c09cbc4a437ec86e1443cd1c

SHA256
01966f9cbd12c0cf55a3ea4e326786e025ed44d64fb9aad3a3528081040c5a0d

SHA512
ef32f61a53863b31a1a316f954dcba44b537450de76f01f097484ed8e62f8ceb7d7076c39cfe4b69cc50130217592748cc66ff496a2d02b4e2c133adb9b48afd

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
676B

MD5
712bdae79500baee188640607d8838a0

SHA1
bcecc5fb362e328f0c8abdaba58444e5c1a173d3

SHA256
b7bf7c21f34410d1605a4df3c609427c60fb10a2200527d82f9570d6c911e14a

SHA512
0b7d55007bccd2e371f2fbe886c685b4841ae70815252ed29d467aac250570493a5c367e9515dd359cb91883439500c9322876bb7e78b71bba059e6e01f2eefd

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
745B

MD5
545e59aaac56c5c3c6bc8fcc30df7f01

SHA1
8b72a470b37f45ab37ed9fec8c7cd13b6bfc5893

SHA256
347f468526526746390495d1cef667507439033c39e09ec414ab6734a546b9c4

SHA512
40131fc0392fcffe7c05fd98f950bd327f65be2ba4f6c8ad090b8583a5f78082ff8fba4037d37d8d07f4a15144d3e04cf0f8a1d3a9fc20c40a15ff11d9722507

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
424B

MD5
5078a18a75b4c4417cf216d7341c01c7

SHA1
5a152b68d00edf2656df2c4961344171bde37edd

SHA256
51ee4c79beb923195adff689b55738638286a8eacd0a58805321626de14c45e3

SHA512
56ad3f6ab2864417bf4cec41fb6c1ce14eeb6896a3f66bfef91de2eaeb7b1ddb0efce9078aaa12d9399d2fc0530e713e8e38c54015dd67d664e2dbbb5135c9b5

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
2f01aae06fc2eece166c0fb0c3e5c94c

SHA1
721f9150050191ea5c30476317ee9abbe67232ac

SHA256
628967785d285e248467a4ca439a286e5253288bbfaae8e611e70124a431c3ee

SHA512
2c638286af433f8c0f9635e1dcb7f62c3e896e344ac4acbbafb8b3c813bec2ef96aa0fa28ce001e8d7b23892189d3512046accc7e4f7085be0e6fe3497f4dfcd

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
89fcbba3e311aec87c1202b05a31f005

SHA1
299f66b617eedf96bd1d24fa10c9c99ab9d18dc5

SHA256
0efc3270a872648ed65cc565a6ed7b59c5eb5005d21de9badcaaf2649c14b713

SHA512
277a9464bd6a0b6632558db1005392adc694f8a86ee1f4ad0dc541815a67cf56d72172158a61af137536e1d981df0da430e9aad9a57b99b5de2a68fd631b7cd8

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
2KB

MD5
4a147ed6ff47482a10373c105069897c

SHA1
cef23e254d81f5abe1f6a7db0d06c617ce5da678

SHA256
3d55c45b3c169a28b3aebbb8171fc81c47b8a793c282a5a8b0f056b4865d785e

SHA512
d5f52f19369660fb59df187bf489701fabfa7e754685b87e9019f648d3e393c869dded4943f8bf32a47295f369f39394a57987d758251fb3b339f7d4c25ed48c

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
6KB

MD5
65117baefefc5c37f4099ab25833f50f

SHA1
375a7e35c82fec9e8d0881ebaad855a4bca21a87

SHA256
b87071fd55211683af86f00b3faadd59a1eda78b0526d0c9cb9ed6ae9bcad0c3

SHA512
ab4a0e5550b5e12e7430f73cbf6cb0804f42bcdea286240dc51be0e9d34969b79ba821f7bc142d7b0daedb8aaa1d148433eafeaeacfeafd3bbfedc16370ed259

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
7KB

MD5
82c2dd409c78a3a1350cda5a0c240b2c

SHA1
10262312fddca48bf75a94beaa930875d20deeb2

SHA256
7a3a8da1c911f223334b80942232462c9bbc5c5af22f487c1ca7195f7cc3bcb5

SHA512
fba245bc45f19ce5286e3ac0f8990be37461a6fbdca448e338f1f4a9b6a4649ea95c67336c7b77e0c43cef05ba9f34f2c2afc48ee19a002df70f52859a0f8861

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
7KB

MD5
b639fa5da519f2d3dae7213205fef5bf

SHA1
b73bf289306ec3bcf1a0e3f02940be8439635b50

SHA256
d2a7f484c9b28657a7fa88fd24ec4f49818c6d408fd6b0d43a27f98b83c9be9b

SHA512
1110fda425b1c77520f4237e95a50db6b20b1ab2fda403ea191a5b9711ce6c2e41cd38ef08c2aa9ba10c744278d7edaeba4cba46963c868f6c44938221c0f62e

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
31f728702eb9642a7e893dd227bb3085

SHA1
4715d9ec1bab3ccfb8a4648530813414a027e8b2

SHA256
414cbbbf2692f20d6bdcf309d4d2b723647c061a1744e0a60c1c164a1dc36a53

SHA512
3dd2fa542edf9908f269a9c7bb5a9ed876f687489c5065a359c398d08cee5d10149c3eba421797073a0a8999f4645e73043ba52ea5b9e8dc5eb2a091dd89d3e2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\75fdacd8330bac18.customDestinations-ms

Filesize
3KB

MD5
00866941c00e0025f568ba47151ed49c

SHA1
1f8521a305a3ddc06e07874bc38a8b7da55e1075

SHA256
5de3c7ba4cc92050ace7cae4caad2c9bc42ea405260c9f16812afd266367b2bc

SHA512
5b2b5a3410d05d17e59400ab8a064fc07a404227d21155000c6530868b4deaf162673b119e0562f63431bcb6c7176c655356f9c2bd1c7369cd54d0cdd4276dfe

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\75fdacd8330bac18.customDestinations-ms~RFf76e8aa.TMP

Filesize
3KB

MD5
5db7c0547ddf877d2d1cb7736cd61f49

SHA1
9de60e0f5220ba18dc61d676c540d9df8060ecb3

SHA256
504af0ef50949919ebc092f61b31aa2e1cc413cdad42a0c4e55dfacc9c1f0e2b

SHA512
e67c964ef336acd1f3af80cae0b116651709d52827894a236cb0a2c7dd0e24be58fb37956b456d5bd5ac7f2851f56a06f03e1ea3882ffe33b348b614e4fa5f05

Download Submit
memory/1252-0-0x0000000000FB0000-0x00000000026E7000-memory.dmp

Filesize
23.2MB

Download
memory/1252-17-0x0000000000CE0000-0x0000000000CE1000-memory.dmp

Filesize
4KB

Download
memory/1252-3-0x0000000000260000-0x0000000000261000-memory.dmp

Filesize
4KB

Download
memory/1252-261-0x0000000000FB0000-0x00000000026E7000-memory.dmp

Filesize
23.2MB

Download
memory/1252-2-0x0000000000FB0000-0x00000000026E7000-memory.dmp

Filesize
23.2MB

Download
memory/2060-18-0x0000000000FB0000-0x00000000026E7000-memory.dmp

Filesize
23.2MB

Download
memory/2060-266-0x0000000000FB0000-0x00000000026E7000-memory.dmp

Filesize
23.2MB

Download
memory/2884-19-0x0000000000FB0000-0x00000000026E7000-memory.dmp

Filesize
23.2MB

Download
memory/2884-271-0x0000000000FB0000-0x00000000026E7000-memory.dmp

Filesize
23.2MB

Download