55e4ce3fe726043070ecd7de5a74b2459ea8bed19ef2a36ce7884b2ab0863047

Analysis

max time kernel
147s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20240221-en
resource tags

arch:x64arch:x86image:win10v2004-20240221-enlocale:en-usos:windows10-2004-x64system
submitted
25-02-2024 16:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

AnyDesk.exe
Size

5.0MB
MD5

a21768190f3b9feae33aaef660cb7a83
SHA1

24780657328783ef50ae0964b23288e68841a421
SHA256

55e4ce3fe726043070ecd7de5a74b2459ea8bed19ef2a36ce7884b2ab0863047
SHA512

ca6da822072cb0d3797221e578780b19c8953e4207729a002a64a00ced134059c0ed21b02572c43924e4ba3930c0e88cd2cdb309259e3d0dcfb0c282f1832d62
SSDEEP

98304:NzTZ3cINQscs0m++LNkT6OpwDGUUH57yvZ/49Mr8EO3QhA9Kq:Nzt3cINQscNmvLCwDkHEvZ/4R79x

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AnyDesk.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	AnyDesk.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1632	AnyDesk.exe
1632	AnyDesk.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
4556	AnyDesk.exe
4556	AnyDesk.exe
4556	AnyDesk.exe

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
4556	AnyDesk.exe
4556	AnyDesk.exe
4556	AnyDesk.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 3176 wrote to memory of 1632	3176	AnyDesk.exe	91
PID 3176 wrote to memory of 1632	3176	AnyDesk.exe	91
PID 3176 wrote to memory of 1632	3176	AnyDesk.exe	91
PID 3176 wrote to memory of 4556	3176	AnyDesk.exe	92
PID 3176 wrote to memory of 4556	3176	AnyDesk.exe	92
PID 3176 wrote to memory of 4556	3176	AnyDesk.exe	92

C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
"C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe"
1⤵
- Checks processor information in registry
- Suspicious use of WriteProcessMemory
PID:3176
- C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
  "C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe" --local-service
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1632
- C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
  "C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe" --local-control
  2⤵
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:4556

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\gcapi.dll

Filesize
385KB

MD5
1ce7d5a1566c8c449d0f6772a8c27900

SHA1
60854185f6338e1bfc7497fd41aa44c5c00d8f85

SHA256
73170761d6776c0debacfbbc61b6988cb8270a20174bf5c049768a264bb8ffaf

SHA512
7e3411be8614170ae91db1626c452997dc6db663d79130872a124af982ee1d457cefba00abd7f5269adce3052403be31238aecc3934c7379d224cb792d519753

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace

Filesize
7KB

MD5
a1f40d6c7331c0e3c61a90afe1d04d6a

SHA1
8ba9cd594477826ea7c4a75b1afaeae4675833d4

SHA256
a9fb2fd18fc2d57f5f3e6154c3a2a5afb300d180c30d63704607ec76a4d33be5

SHA512
b0cac9ccf48eac9715fd370c820c1b27b0ede162235eb71d30b8db2fe243c468818c1ae1e5ff09283c69528e58f8dca86f852664d8706c5d4d7b0f4e4be1097d

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace

Filesize
10KB

MD5
e388d294dc020a84b5e4d63741b48fb6

SHA1
2c011ce92340b9bcd75a9af878564d570b47a750

SHA256
881115bfa90c55644454445b253d7e9a879a5afd42d10f106715aa54abc22734

SHA512
e5bac3b67ae5811dca6db30b92b8bda8c62491ff80952f0774cad76118f13066d7905633dcfcf8965fbd212574c5e00a65b059a6df33b8dec5e9f9dd6e8340f6

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\service.conf

Filesize
2KB

MD5
e2d8c23ddd4b2fe10a1d65d211b890ad

SHA1
5afeffda8714b96c226c771799463a895bf7fa1f

SHA256
39f28377d1c71187db9a7a02323502fc2bb121bb6d4b2045f433b806d52b1f1d

SHA512
7f2743486f273dd4d5ca37a62278144cff679546504b45c38f2696747a3b96a9adc91168d8e50303cf179a8cad1a954d5fd81c138352b198bbc9176941ebb35e

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\service.conf

Filesize
2KB

MD5
ace456c3af368dd437082d4c6ef982db

SHA1
1ab0d805b26fd69393c4ebc0f8065c25d5019b7f

SHA256
94ca84b40c00c25f9431acd6aca0a0eb82a25cb33ac13ba6430fb004eabab165

SHA512
e0e3be9db686cdbf24105a18215f5cdb67c97e99950f8a52da7b26fa16cf54121434498739e781588066e0c9b8ebdd7a9ceb960b8c7cbb5d6da52bafbef0ef74

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
612B

MD5
5f1cd9e42cec8865131c445e0337a6a4

SHA1
c0168c00060232f860c44fa18f5493dcf9ecb701

SHA256
528c86f4f900de28d28535956cd1af2f812b822fb2c1fcb303d524299284c5d0

SHA512
c4a75b4b0eb86577774e76bddfaa79ee7d4d37102989336f152e06d9189fd0606ffc3cd36a6462caf27c8f3fa953f6153e624b4d40ef8f23230ebc2622fd54bc

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
676B

MD5
9dd8ead3a27b856252826b9fa3d06c38

SHA1
2ad2f5b5491fb678b549bf4b2879da5685e2e33e

SHA256
3a7dacc29377c9dca29d1815ff139f3d798f545414e2f51d9516ed15bd3037d7

SHA512
de1b30bcc3ca5b39f28f6f011a45f247756f0b834cbb1ae7d0c551e4efc8262892b2ad3a8a881f6cd6b17cc20a5e45e9e1812da9b6becb8a9196508ee3227018

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
733B

MD5
af4b9847115b71e637be00b2fddaec80

SHA1
7bf8388fc32ba5ecf759a7cc14e51f984f928a13

SHA256
f2532e0da0e0588b3e355353df3ffc32485921e778025d66918ac3fd4389b70e

SHA512
378e483d8464cb6016340af82fd8473703278ed8454ee11c7cb5244157304d84c8fdeb22df39cb29ba2ffcc49c2bbb83a2a3927b2c3fd4a373278d6ebe465765

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
802B

MD5
b89c1a6bdceeaffc086374f42dea14bf

SHA1
0c304e570776b3b9f7d68dcf54e62373097e74f4

SHA256
b76fb99bcf1bced9781b16721f4daa701174e2780502dca2ae46c07bb6b9c93c

SHA512
2e6b0059787eae0cb369bdacb92e8f313a80282a50f6f69267eeda3b74c594bf18425a715333f383dbfb678f2849db6a9ce84fed920ec829ac0bb4e1e2296edd

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
312B

MD5
0c04ad1083dc5c7c45e3ee2cd344ae38

SHA1
f1cf190f8ca93000e56d49732e9e827e2554c46f

SHA256
6452273c017db7cbe0ffc5b109bbf3f8d3282fb91bfa3c5eabc4fb8f1fc98cb0

SHA512
6c414b39bbc1f1f08446c6c6da6f6e1ceb9303bbf183ae279c872d91641ea8d67ec5e5c4e0824da3837eca73ec29fe70e92b72c09458c8ce50fa6f08791d1492

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
424B

MD5
af1a315a8264bcb3c1b9adcd5a40a10d

SHA1
c70429d9d0b5d87dad5d0923d83b2349912d8f34

SHA256
daf9234b40210bf771b639fb5b3bdb9718663b17ddde139b107bb51e78bdfb65

SHA512
64f3d0839e3d5861363990d4b0d300b80837df4fd4c208c1a3073fdaff3cea9e605a6573e9ed2a71135f5c47a7a9acd6776d3ba101a95f20826fb87c8c8579cf

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
2KB

MD5
ec6d9a72d589457283f7f112041440fc

SHA1
e1d1c2d247ab196d14f7b33c042b5c44979ec64d

SHA256
c1ce1a08e0ef5f963a4ac491481657fa2a07291a6e67957131dcfe1f5236b84f

SHA512
e15498a1993972c083abd35fbf01f041ce1a06b20c9fa78839c0b29ded5463b37b9fffc4136d300bb8f04de4f191c9fa0454afd0487115ddd60d9b5a0dd650fe

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
3KB

MD5
5931219062098e7541cdbe18052ed1f5

SHA1
b18b7c554a9603503101d5b553d45e879243cb0a

SHA256
3cc3ed6906533e0da31af1e0a4b51b3fa5bd2360ac26b6f4c09f48cac1efc96f

SHA512
6c0e1379890219c75faf2e15ce6fdeb93f866b01ade6bc00bdccdae38f0ff30ec9e1bb827fd57f3b6916c8f446be815ae94c9045b334f8771780a3b0919a767b

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
6KB

MD5
c573d47f49d32bcd88def9279cc95b0f

SHA1
c615af68fbf4d02bc2acdcd9bcb899069a492f67

SHA256
6116ae9b8469d33442f8f70fb1476d36378e8349dea954e350612fa869ccbf71

SHA512
190b9badb5cbcdab878cc9efd2297850df4d85b51f99b6cc6a6d7e411e735ee75017121f95028c6c42e758f860695acc3f1d6acedd245e748c0a1d661dea2219

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
3c9ffd5cf5c278cdc647918d9689919b

SHA1
65fbede2aae21ec5bb5dfdc65b1495027de48853

SHA256
ec0e2f79b8de900064c39c5ba73d779ccd08a568745feca07bcbbbed03c6f22a

SHA512
447d172520a7c888826f1160e24deccf9b42566e5c5dc85629e4877781de997ab3222fdb0a6b4db8a2f3ede15ee085bfc7b7fb33c54fc2622d10ee70243a890f

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
6KB

MD5
8a59442fa8e89cf170b5bc9460f27d16

SHA1
05349eca91baf9b5ed46565c8a227349c7316d6e

SHA256
ffeed7abd15ca83b342fd58af1423197580570994f907d94d71b4e0da6c6b804

SHA512
a42bb6dc8d3fb65413619b525e7070d38b8d89db8b491238554d3cfdd21e169829ec9aebbd6cb2bd4dc4c0e8c910b41b105515167027d3363d53c103cfa79412

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
6KB

MD5
5e458721964ab730232ac6f4e5cb7584

SHA1
5619916592109d116e038319269cfdf9d0cbbf6b

SHA256
634adf4f8de21bed641b630dde76e58eebb5fc05a34684ed1751841398f3b6c2

SHA512
15fadf1e34cd4a88196f3ce01e687c0e079e9ad4322ae3d6651b83ba76a432bf9f1cde74a6a7dd5743d9426b4a273fe7d8fa8452da5d6bfa5fcf0ffceb1f3ddc

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
87fe00e4ebbd35ab77c9e612cd843407

SHA1
2976649e132aeba1b63d68f404f9e5227cd49b19

SHA256
2642c4fd31e755cbe0d89d55d06200982ede7f84e09ee3561a677fdc438e0763

SHA512
627513cb6158eaa61fbe950b100b11527ae8a05b4e9efbb91479cbf8f5ac3125d19a33f2b4dbcaab41768cb2116f61e387f4215f45a3c49af9f5fab493bb327e

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
0b82acc181e2d79d405751632584eb9c

SHA1
99e95d2b5cd30ee6b6741b6eec9e79979179505d

SHA256
c296fa2511533feef32400e785a42dae66ee2a6e40d7227135f3d1afa7f180d1

SHA512
ec371b41b9b3f68450e1ac84f0b35917152ab99e3b04d75f53431336bde78b4d437a0bad56fc6d5d1ef06d8719ec5871993d671552754bdf41600b3f299fb481

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
31800bc9e1b00e2238439c0dac727f53

SHA1
ab8581a4b3b32cb23fa4e7dbeba4f2cdd8212f87

SHA256
b33c0e3515adb7a55c1ef41182d6f3c17fc89725d60c184d4fcefe41a2d3660e

SHA512
e89a2d91c7b20287ea9d4b51c3ce4d5d86b6659cf445ee8aca7ac6954fe006fdca2755421cd12160751bc70cbd8e9538d90536cc20de1dc0097d1f9b2eb763dd

Download Submit
memory/1632-12-0x00000000009C0000-0x00000000020F7000-memory.dmp

Filesize
23.2MB

Download
memory/1632-245-0x00000000009C0000-0x00000000020F7000-memory.dmp

Filesize
23.2MB

Download
memory/1632-29-0x0000000003BA0000-0x0000000003BA1000-memory.dmp

Filesize
4KB

Download
memory/3176-3-0x00000000023D0000-0x00000000023D1000-memory.dmp

Filesize
4KB

Download
memory/3176-88-0x00000000009C0000-0x00000000020F7000-memory.dmp

Filesize
23.2MB

Download
memory/3176-22-0x0000000005A90000-0x0000000005A91000-memory.dmp

Filesize
4KB

Download
memory/3176-1-0x00000000009C0000-0x00000000020F7000-memory.dmp

Filesize
23.2MB

Download
memory/3176-20-0x0000000005A80000-0x0000000005A81000-memory.dmp

Filesize
4KB

Download
memory/3176-108-0x0000000007210000-0x0000000007211000-memory.dmp

Filesize
4KB

Download
memory/3176-107-0x0000000005B80000-0x0000000005B81000-memory.dmp

Filesize
4KB

Download
memory/3176-247-0x00000000009C0000-0x00000000020F7000-memory.dmp

Filesize
23.2MB

Download
memory/3176-0-0x00000000009C0000-0x00000000020F7000-memory.dmp

Filesize
23.2MB

Download
memory/3176-234-0x0000000007220000-0x0000000007221000-memory.dmp

Filesize
4KB

Download
memory/4556-13-0x00000000009C0000-0x00000000020F7000-memory.dmp

Filesize
23.2MB

Download
memory/4556-32-0x0000000002340000-0x0000000002341000-memory.dmp

Filesize
4KB

Download
memory/4556-246-0x00000000009C0000-0x00000000020F7000-memory.dmp

Filesize
23.2MB

Download
memory/4556-11-0x00000000009C0000-0x00000000020F7000-memory.dmp

Filesize
23.2MB

Download