55e4ce3fe726043070ecd7de5a74b2459ea8bed19ef2a36ce7884b2ab0863047

Analysis

max time kernel
145s
max time network
153s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
05-03-2024 12:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

AnyDesk.exe
Size

5.0MB
MD5

a21768190f3b9feae33aaef660cb7a83
SHA1

24780657328783ef50ae0964b23288e68841a421
SHA256

55e4ce3fe726043070ecd7de5a74b2459ea8bed19ef2a36ce7884b2ab0863047
SHA512

ca6da822072cb0d3797221e578780b19c8953e4207729a002a64a00ced134059c0ed21b02572c43924e4ba3930c0e88cd2cdb309259e3d0dcfb0c282f1832d62
SSDEEP

98304:NzTZ3cINQscs0m++LNkT6OpwDGUUH57yvZ/49Mr8EO3QhA9Kq:Nzt3cINQscNmvLCwDkHEvZ/4R79x

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AnyDesk.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	AnyDesk.exe

Modifies data under HKEY_USERS 8 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{2916C86E-86A6-43FE-8112-43ABE6BF8DCC} {0C6C4200-C589-11D0-999A-00C04FD655E1} 0xFFFF = 0100000000000000b0bef268f96eda01	AnyDesk.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{08244EE6-92F0-47F2-9FC9-929BAA2E7235} {0C6C4200-C589-11D0-999A-00C04FD655E1} 0xFFFF = 0100000000000000b0bef268f96eda01	AnyDesk.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	AnyDesk.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{D9144DCD-E998-4ECA-AB6A-DCD83CCBA16D} {0C6C4200-C589-11D0-999A-00C04FD655E1} 0xFFFF = 0100000000000000505df068f96eda01	AnyDesk.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{99FD978C-D287-4F50-827F-B2C658EDA8E7} {0C6C4200-C589-11D0-999A-00C04FD655E1} 0xFFFF = 0100000000000000505df068f96eda01	AnyDesk.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AB5C5600-7E6E-4B06-9197-9ECEF74D31CC} {0C6C4200-C589-11D0-999A-00C04FD655E1} 0xFFFF = 0100000000000000b0bef268f96eda01	AnyDesk.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{920E6DB1-9907-4370-B3A0-BAFC03D81399} {0C6C4200-C589-11D0-999A-00C04FD655E1} 0xFFFF = 0100000000000000b0bef268f96eda01	AnyDesk.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{16F3DD56-1AF5-4347-846D-7C10C4192619} {0C6C4200-C589-11D0-999A-00C04FD655E1} 0xFFFF = 0100000000000000b0bef268f96eda01	AnyDesk.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2788	AnyDesk.exe
2788	AnyDesk.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeDebugPrivilege	2788	AnyDesk.exe
Token: 33	2348	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	2348	AUDIODG.EXE
Token: 33	2348	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	2348	AUDIODG.EXE

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
2584	AnyDesk.exe
2584	AnyDesk.exe
2584	AnyDesk.exe

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
2584	AnyDesk.exe
2584	AnyDesk.exe
2584	AnyDesk.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2628 wrote to memory of 2788	2628	AnyDesk.exe	28
PID 2628 wrote to memory of 2788	2628	AnyDesk.exe	28
PID 2628 wrote to memory of 2788	2628	AnyDesk.exe	28
PID 2628 wrote to memory of 2788	2628	AnyDesk.exe	28
PID 2628 wrote to memory of 2584	2628	AnyDesk.exe	29
PID 2628 wrote to memory of 2584	2628	AnyDesk.exe	29
PID 2628 wrote to memory of 2584	2628	AnyDesk.exe	29
PID 2628 wrote to memory of 2584	2628	AnyDesk.exe	29

C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
"C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe"
1⤵
- Checks processor information in registry
- Suspicious use of WriteProcessMemory
PID:2628
- C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
  "C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe" --local-service
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2788
- - C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
    "C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe" --backend
    3⤵
    - Modifies data under HKEY_USERS
    PID:2868
- C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
  "C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe" --local-control
  2⤵
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:2584

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x488
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2348

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\gcapi.dll

Filesize
385KB

MD5
1ce7d5a1566c8c449d0f6772a8c27900

SHA1
60854185f6338e1bfc7497fd41aa44c5c00d8f85

SHA256
73170761d6776c0debacfbbc61b6988cb8270a20174bf5c049768a264bb8ffaf

SHA512
7e3411be8614170ae91db1626c452997dc6db663d79130872a124af982ee1d457cefba00abd7f5269adce3052403be31238aecc3934c7379d224cb792d519753

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace

Filesize
5KB

MD5
87de66057aa186a5e108e4222e547655

SHA1
0cf8505210e3482997e806b9c31181fa1fb9eb74

SHA256
30c8181e84c85ecf4464d80397ae836a1d7025be82d9939d13cb774f11954cb4

SHA512
84cf3aa9589e4dac2cc2bc986f7d994cdcb055f3c4676445acafd7f42da8ed80f6f33dec3425f7894daafa6f3f5c9df0cdf368ae43082c541e6e382d7e2bf254

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace

Filesize
7KB

MD5
16d0039578a09f5ec7b3b3b8db617626

SHA1
412f7db3b33809878899cd65bf90b2d6233b0cbd

SHA256
da605ef7e115e9f87d8b5ceca20d599e01c03ca93471fa41d4c71defc77e4cbe

SHA512
fcbf48a7d2891ca61d0d5bd1bcb0b0bb8b4a828c829e85161a1554af8937a581cec9e7a075918b1ab899114beb8011eddaab5e468b459fc92546795b86bf8fc4

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace

Filesize
40KB

MD5
23169efb49790f9dab5836e864d78223

SHA1
a809e8ad55bc8c8fa9b9964b48f902fa300dce02

SHA256
369890bbe6bcc386280ddfafdded40b537c170ad5f2ce501c0bdf99e7852e0c4

SHA512
a3d535ea4177b984084ccc7152addf16680f3c7fe6ba1ccbb463a76077daa6892505e8715a954c68c9438d3cbdd249db5cfd2e4f83e86020f16eedf22a267993

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\service.conf

Filesize
2KB

MD5
a7a750c443d6ff53443a1975232f2086

SHA1
a151036279c8b5dd1cafe559d392971baaed03c0

SHA256
0eb5d08d6cd02da244fd33052843b90e835ed1b6fd9bc21f52e6fa309a78282e

SHA512
a4b4d890c2fc156bd62dd77ed85ef9b2c2af4a0a43239b1aced4fd3b196edf7ba700987c912ac6850a4a998eb431639c29e868b8ceda731c1522572bc9794a33

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\service.conf

Filesize
2KB

MD5
05e44f3218fe40e1c997b5ea32e23611

SHA1
98857bb827a1d4ffec86f640d5b0300fd8bbc130

SHA256
548ff5bba3e9898d31be798ef1c1f791ec0eb1a700af6c8e24315367b7502d13

SHA512
6d8f539944f48d82374bb7d32d484cfc51479cf80ba2f01f24065f1d6dec1cbcf23faa3cb57ffa6713824f0cb01b2ab00bbd50189484239cb50e748b30d4b6ec

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
681B

MD5
1571796b90d63c859e79812d1ccc4313

SHA1
e66a2c17d768bbddeb93b9c657d20ea809964cc3

SHA256
8a36f8d91c88d10e2b2eb278492ba69182ad7183242654cce641214b1875f1c1

SHA512
369c547e2c1b65e758ebdfe6940fa8a3bb79ce3179f42070b1cdd2d8916f89edfeaed69f66f5c033c5789c1f26d5eedce16df67a2f9ad9eb4294c65fc338899d

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
745B

MD5
818e566d3de924f8c6ea42d221d5f0bf

SHA1
0f8b8292b1342fafdac58d92610f4390b401aac7

SHA256
5519783544ccbd9225b0c5f7e9a179bbaf287d756c14fbe39fe93c9496b09b55

SHA512
3fdb5ce514746df8fe2fba98fed7ab620176aca55de641815af574a45f0f7764c335a4cd465fad621f4d3759ac71d4bc4ddc3a3f1cf1a3bf3e38492614e73f2a

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
424B

MD5
9ec29da049d99be74b778c1f7f6cbf47

SHA1
cea2dcc07650665cdf1f1b3612e390cdae08f75c

SHA256
0cd59b75e959d862a035b6d0d30c62a85c93b0978ed836ed1a74bb861ea13782

SHA512
7d68835c00255d55175a861edfa9a0f8fe395d5369a213cae06d62300a61e1b8b1df8091124a368819e71b1c97459c1642d287e7c6aea430f279ecb749958c9b

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
b4ac31330cd2ecaa7b5a1e398f54bf43

SHA1
c8cad1cb9960a7c216444da6df5e0c95cbcf7b96

SHA256
7a1a4c04c2edaecc600691eb5329a704fa9665b0eba4c230257ab34604a4a04c

SHA512
6aa52582c8d4ba6ec0351a7b26ddc1ac88b652a9146154896c6dc5083b93823073f59308e01a304eaf0dd2b72f7874a670396caba10a2c555bdfceb4b5eeb8b6

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
fcecd84c61b2c59c069342a404802963

SHA1
1c04aedd12c954c4fd540c7ba475ab473947a895

SHA256
9c1d56aefcf958e1bdb88498963b8380c1843f22bb472d50f7b2b612cf2151c9

SHA512
0e7c795ebc1254aa2d04be486ef11d617c169405279f33b0ccf1ce21fe10288a7fdd0055a53987cc9090367b49ef541856d1a82495412c9f05337afc7779eca6

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
2KB

MD5
468f75c4013e174876808726147c8dcc

SHA1
914dabb59a4238e2c9dd12e585f5f26dfe978b61

SHA256
d5b3878d197b1425bf3802d08b85bd243f06d8f3fb19b61e674d41c89de66ae6

SHA512
1cb802fac979f9a1f1063a921d2cc41f4af0df434d67223464ee885134873306e41375a6866e92619958da495e2a2f3abec2d264341b7ba625f6e1c7603a4ae3

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
2KB

MD5
d63e7583a0d22a7715eadf9413da7f31

SHA1
9fc164c82ef1b405aea4f6d5b5b944c89724ec12

SHA256
85836974b100c113500d22a55e28d8e07e36dc12f4966d7e3d03825d6643e546

SHA512
10f2ff96e569bdf94237e61aaa127abff73ac172b17aa3465fd5643bb0098d7468f1a022cb49e2da0ee7b7bd40264eb0ddd202fd60c373d1c0f1cd7a09d5f4bf

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
2KB

MD5
ab90b79df607010b9ee62df49d919773

SHA1
120b2501a9029231ccf89e805b3991579a82569e

SHA256
36bba161725ad015f9755feb4953a1d510be9b0da23665cafbd2efb7a4289716

SHA512
d95868af6e8acb5bf8c706ec83b6edd7f51dd54c584b148e4c3d7c8fce737d95d7001b52d4ce7bf0a7475a922e01714746641e3da4c5fa9d45a212a7113bb1da

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
5KB

MD5
45519e5c15c34417694796d815778490

SHA1
d0558f5bbbcd8d1698cd5bf35849ea4826bc5d2e

SHA256
4ffcfc093727686a9b4359f537e79375b936dc6c45bb50c96b071a625ea60f39

SHA512
e90f7607ef1bd3937d6e936326f2e8f5d4122dc42034bfe1b604343e0b899d3e3236345e13c4fa637b28d65d4c125f79da550818fa0e8414b684b1d14291040e

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
6KB

MD5
2d3a3274672d5ced5c655ec3d6189c48

SHA1
7af6dc469d63e3014a8515e130d6ff8d35ce65bd

SHA256
6fdf853475c374e71e49d129865e340d298c6d90c0add31483ee7ea4b10dd40f

SHA512
9f0319d23da3f1e98af73d200441cc719c517a5cb06a20230a5d84cdaef2ebdc155dcc6baca5479aeab5618056383a280f039d29799d333cb4565f055dfbc314

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
081237488150fb7bfb19ee6cfd9ecb34

SHA1
fbdacf8538f34d28999de4615c39f1ead1e752b2

SHA256
9272c6878529a7fcc37a43e443875d293758d6c2c5ae865fe1b7ddc4e57e2cc9

SHA512
d10ae950461be96720d69df32cfb7061f3db0b419aed4dd848d6bbb6dbc569b49f86153708035566ae51c7b1e1b14a27e53902e10ef9f08252a63f24102abc4c

Download Submit
memory/2584-120-0x0000000000260000-0x0000000000261000-memory.dmp

Filesize
4KB

Download
memory/2584-96-0x0000000001270000-0x00000000029A7000-memory.dmp

Filesize
23.2MB

Download
memory/2584-60-0x0000000001270000-0x00000000029A7000-memory.dmp

Filesize
23.2MB

Download
memory/2584-313-0x0000000001270000-0x00000000029A7000-memory.dmp

Filesize
23.2MB

Download
memory/2584-19-0x0000000001270000-0x00000000029A7000-memory.dmp

Filesize
23.2MB

Download
memory/2628-68-0x0000000001270000-0x00000000029A7000-memory.dmp

Filesize
23.2MB

Download
memory/2628-23-0x0000000001250000-0x0000000001251000-memory.dmp

Filesize
4KB

Download
memory/2628-0-0x0000000001270000-0x00000000029A7000-memory.dmp

Filesize
23.2MB

Download
memory/2628-144-0x0000000001270000-0x00000000029A7000-memory.dmp

Filesize
23.2MB

Download
memory/2628-4-0x0000000000120000-0x0000000000121000-memory.dmp

Filesize
4KB

Download
memory/2628-310-0x0000000001270000-0x00000000029A7000-memory.dmp

Filesize
23.2MB

Download
memory/2628-98-0x0000000001270000-0x00000000029A7000-memory.dmp

Filesize
23.2MB

Download
memory/2628-97-0x00000000050C0000-0x00000000050C1000-memory.dmp

Filesize
4KB

Download
memory/2628-22-0x0000000001260000-0x0000000001261000-memory.dmp

Filesize
4KB

Download
memory/2628-1-0x0000000001270000-0x00000000029A7000-memory.dmp

Filesize
23.2MB

Download
memory/2628-299-0x0000000004870000-0x0000000004871000-memory.dmp

Filesize
4KB

Download
memory/2628-30-0x0000000001270000-0x00000000029A7000-memory.dmp

Filesize
23.2MB

Download
memory/2628-119-0x0000000004820000-0x0000000004821000-memory.dmp

Filesize
4KB

Download
memory/2788-27-0x00000000000F0000-0x00000000000F1000-memory.dmp

Filesize
4KB

Download
memory/2788-298-0x0000000001270000-0x00000000029A7000-memory.dmp

Filesize
23.2MB

Download
memory/2788-39-0x0000000001270000-0x00000000029A7000-memory.dmp

Filesize
23.2MB

Download
memory/2788-95-0x0000000001270000-0x00000000029A7000-memory.dmp

Filesize
23.2MB

Download
memory/2788-163-0x0000000001270000-0x00000000029A7000-memory.dmp

Filesize
23.2MB

Download
memory/2788-312-0x0000000001270000-0x00000000029A7000-memory.dmp

Filesize
23.2MB

Download
memory/2788-12-0x0000000001270000-0x00000000029A7000-memory.dmp

Filesize
23.2MB

Download
memory/2788-331-0x0000000001270000-0x00000000029A7000-memory.dmp

Filesize
23.2MB

Download
memory/2788-385-0x0000000001270000-0x00000000029A7000-memory.dmp

Filesize
23.2MB

Download
memory/2788-340-0x0000000001270000-0x00000000029A7000-memory.dmp

Filesize
23.2MB

Download
memory/2788-154-0x0000000001270000-0x00000000029A7000-memory.dmp

Filesize
23.2MB

Download
memory/2788-117-0x0000000001270000-0x00000000029A7000-memory.dmp

Filesize
23.2MB

Download
memory/2868-347-0x0000000001270000-0x00000000029A7000-memory.dmp

Filesize
23.2MB

Download
memory/2868-373-0x0000000004350000-0x0000000004351000-memory.dmp

Filesize
4KB

Download
memory/2868-362-0x0000000003FC0000-0x0000000003FC1000-memory.dmp

Filesize
4KB

Download
memory/2868-363-0x0000000004080000-0x0000000004081000-memory.dmp

Filesize
4KB

Download
memory/2868-364-0x0000000004090000-0x0000000004091000-memory.dmp

Filesize
4KB

Download
memory/2868-365-0x00000000040A0000-0x00000000040A1000-memory.dmp

Filesize
4KB

Download
memory/2868-366-0x00000000041D0000-0x00000000041D1000-memory.dmp

Filesize
4KB

Download
memory/2868-367-0x0000000004220000-0x0000000004221000-memory.dmp

Filesize
4KB

Download
memory/2868-368-0x0000000004230000-0x0000000004231000-memory.dmp

Filesize
4KB

Download
memory/2868-369-0x0000000004290000-0x0000000004291000-memory.dmp

Filesize
4KB

Download
memory/2868-370-0x00000000042A0000-0x00000000042A1000-memory.dmp

Filesize
4KB

Download
memory/2868-371-0x00000000042B0000-0x00000000042B1000-memory.dmp

Filesize
4KB

Download
memory/2868-372-0x0000000004300000-0x0000000004301000-memory.dmp

Filesize
4KB

Download
memory/2868-360-0x00000000000B0000-0x00000000000B1000-memory.dmp

Filesize
4KB

Download
memory/2868-374-0x0000000004360000-0x0000000004361000-memory.dmp

Filesize
4KB

Download
memory/2868-375-0x0000000004370000-0x0000000004371000-memory.dmp

Filesize
4KB

Download
memory/2868-376-0x0000000004A90000-0x0000000004A91000-memory.dmp

Filesize
4KB

Download
memory/2868-377-0x0000000004AA0000-0x0000000004AA1000-memory.dmp

Filesize
4KB

Download
memory/2868-378-0x0000000004AF0000-0x0000000004AF1000-memory.dmp

Filesize
4KB

Download
memory/2868-379-0x0000000004B00000-0x0000000004B01000-memory.dmp

Filesize
4KB

Download
memory/2868-380-0x0000000004B10000-0x0000000004B11000-memory.dmp

Filesize
4KB

Download
memory/2868-381-0x0000000004B20000-0x0000000004B21000-memory.dmp

Filesize
4KB

Download
memory/2868-382-0x0000000004B30000-0x0000000004B31000-memory.dmp

Filesize
4KB

Download
memory/2868-383-0x0000000004BC0000-0x0000000004BC1000-memory.dmp

Filesize
4KB

Download
memory/2868-384-0x0000000003FE0000-0x0000000003FE1000-memory.dmp

Filesize
4KB

Download
memory/2868-339-0x0000000001270000-0x00000000029A7000-memory.dmp

Filesize
23.2MB

Download
memory/2868-387-0x0000000001270000-0x00000000029A7000-memory.dmp

Filesize
23.2MB

Download