55e4ce3fe726043070ecd7de5a74b2459ea8bed19ef2a36ce7884b2ab0863047

Analysis

max time kernel
143s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
05-03-2024 12:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

AnyDesk.exe
Size

5.0MB
MD5

a21768190f3b9feae33aaef660cb7a83
SHA1

24780657328783ef50ae0964b23288e68841a421
SHA256

55e4ce3fe726043070ecd7de5a74b2459ea8bed19ef2a36ce7884b2ab0863047
SHA512

ca6da822072cb0d3797221e578780b19c8953e4207729a002a64a00ced134059c0ed21b02572c43924e4ba3930c0e88cd2cdb309259e3d0dcfb0c282f1832d62
SSDEEP

98304:NzTZ3cINQscs0m++LNkT6OpwDGUUH57yvZ/49Mr8EO3QhA9Kq:Nzt3cINQscNmvLCwDkHEvZ/4R79x

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AnyDesk.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	AnyDesk.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3740	AnyDesk.exe
3740	AnyDesk.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
3764	AnyDesk.exe
3764	AnyDesk.exe
3764	AnyDesk.exe

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
3764	AnyDesk.exe
3764	AnyDesk.exe
3764	AnyDesk.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2500 wrote to memory of 3740	2500	AnyDesk.exe	94
PID 2500 wrote to memory of 3740	2500	AnyDesk.exe	94
PID 2500 wrote to memory of 3740	2500	AnyDesk.exe	94
PID 2500 wrote to memory of 3764	2500	AnyDesk.exe	95
PID 2500 wrote to memory of 3764	2500	AnyDesk.exe	95
PID 2500 wrote to memory of 3764	2500	AnyDesk.exe	95

C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
"C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe"
1⤵
- Checks processor information in registry
- Suspicious use of WriteProcessMemory
PID:2500
- C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
  "C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe" --local-service
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3740
- C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
  "C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe" --local-control
  2⤵
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:3764

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\gcapi.dll

Filesize
385KB

MD5
1ce7d5a1566c8c449d0f6772a8c27900

SHA1
60854185f6338e1bfc7497fd41aa44c5c00d8f85

SHA256
73170761d6776c0debacfbbc61b6988cb8270a20174bf5c049768a264bb8ffaf

SHA512
7e3411be8614170ae91db1626c452997dc6db663d79130872a124af982ee1d457cefba00abd7f5269adce3052403be31238aecc3934c7379d224cb792d519753

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace

Filesize
9KB

MD5
b956180d97cde88f3823099dceb0c577

SHA1
b018e4e9b7e5d26429ea6e8c77aa2e6b74514c16

SHA256
23d5693e5b7925b08e7b7ac92053538cee8b6b7474ef1e7a317924de314081a5

SHA512
d303c90bfdf6a43061c094f0030620997ec572ecc9aebe1c57e6c04adbb670d4e74c0e26ae9ddbf09fb0bf1f78b0461212b63dcad73fbf684f221222184f9f61

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace

Filesize
10KB

MD5
8484f5341e2958a52ba7dcd1292cc1c5

SHA1
e1c1eaa2832fec00a467cdb1a19d173108d1e3d6

SHA256
dce65ff02836aa4214b63ae07cb9da020de2e95356d4573565a44ce789e93957

SHA512
481cd0f41f339145bd5ce61a6d1adce42b9c1f52a244166635b731c13341e39c12120943d31c51adc9b4988e77235f908c5ef9d101df8be310431c68d98490e8

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\service.conf

Filesize
2KB

MD5
e24eedec67dd2ac4fc73975c2316dfe4

SHA1
ab521d44d4bbb071dac8f3316ef29e3293985741

SHA256
8773bb8067422ee05d7a41f2bd141db7c53a49e2395ee38dcc8cfa8367d91df9

SHA512
4d59c9741b9c2ff159e2a1bd3441755134fca08646f99fe6105075c29d8e21817814a946224fd842e318d414512f521f5203fc19ce9501312de188759d35b936

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\service.conf

Filesize
2KB

MD5
f18e4d7d96cd8424c4dabbd899e1aed9

SHA1
b4d599e9a4d9c457a3bd29aa4f4ea1711fafe9de

SHA256
a49e28d8a77bf70bfe5e106d3165b8c7776e15adda456f157a2dbf1b54f5b050

SHA512
dcabee7c15e9c987cebb12735d9a7d45c8f271e7740053d3371c9e8f3006257f6289e0fed5a8e8c29b622144826c4cc5e5aa5174132aeb79134951d70145197e

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
681B

MD5
17ce47aa01bd94809fc118f5eae6c5dc

SHA1
6f17ad913eab4735f115720401c3f405de943f13

SHA256
aa46d2212ef213ebe2a7ebd7383c627416f4ee686469effc95681752919b1570

SHA512
2645d424e1f8f4dc9436c221004517e9b187551b899b951d877268c4734744f97a38c64e9e516cae4ff329a836e51824b4c4fbdb23f04db04073fe2b3052fb03

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
802B

MD5
fba193b1e942078cadb84c56676c9862

SHA1
14d704d786c3745c8da2ed51882bbbee579c8311

SHA256
569d788cef38010c86c1abf990fedb0e039a9437b3fb63c1afd4959ed1d2231a

SHA512
b7166a66de42b8a6676768bd22b40671c89a1f34d5e78ad370ca2f7d0ccb613451efb0fd8d95c603f6f23ab5c8cc1b0a03f3fbe06fafc72db640bd83a3c5ef73

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
312B

MD5
0c04ad1083dc5c7c45e3ee2cd344ae38

SHA1
f1cf190f8ca93000e56d49732e9e827e2554c46f

SHA256
6452273c017db7cbe0ffc5b109bbf3f8d3282fb91bfa3c5eabc4fb8f1fc98cb0

SHA512
6c414b39bbc1f1f08446c6c6da6f6e1ceb9303bbf183ae279c872d91641ea8d67ec5e5c4e0824da3837eca73ec29fe70e92b72c09458c8ce50fa6f08791d1492

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
424B

MD5
e3695d2467092b16b3f88644e1d28c62

SHA1
d7f36c0911d708994b131b9488057d6e38512565

SHA256
ec14e79e1ba3e6ec4c67d7ecd01f45cb6b26768b48082f901171feb984ed719f

SHA512
d2b3d298808799395a0dc30d14a982206d27087fc5839a8d19be098f7e5bec2470d73ad83dcfb81907b22b83864af7e80d8da3700eb6e62108318ea8d96424fb

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
2KB

MD5
ef5d20212af6b2c115c7cf967d11abb2

SHA1
89593b4bbfe9bc9dd06f77357f456b4268f9d10c

SHA256
73619bb4ef1f17ccb41e5304efbbd5aafb6c64ac3a4ac67eb11e0266fb20a1ed

SHA512
d6486cabbaa1a4921157df0615b90d223016f7d320d9489a8ff75d979abcfd15ffb827119432dd9fa3864ac5980d3e4b97ed1aa24359b42c7804c39561929f61

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
3KB

MD5
9c2c64edeb366e1ca2673a34ec2d658c

SHA1
543018d67e970741d6b7316c1fb94fc4cbf137d1

SHA256
f6df3d01da7a3ebae2b990247ea954d5a18bc3e0ca439b49e0f1255c4d78ef8f

SHA512
20d923512035c87cf97cd332538fa8d6858f475c18d6924a18228b25fd5db9e019756cb584f3a52a2371fc7f1de015048a08ae971b71bc7c26bf89d61d79a200

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
941ebd30c66368bd2af024777ef966ed

SHA1
98cc9cd9a0bddd009a998227471f3747f77296a3

SHA256
3bfb30547ab7f0df5e01ce7e8974b5767b2f84b6ae2ea0b79f379fc3539a79d5

SHA512
517481288c756752ddcfbc47b53cf50282383fee1a5184d818b76da11fbdc33eb1bc95d2fc89baaa566e11a0e96b92479e37adc874e168ef869453bdd4f0fa9f

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
6KB

MD5
8635b1622360d30b52e4a0645ee831f7

SHA1
0993d0d2634ff271da6cdb3e042a26f0d4b5f30b

SHA256
317264622cac721fc8aa9d4f3c5560e78b6b46cea391d9205ed6e8d36fc9957f

SHA512
db8d16e8f8e0ae414b7e3186bbc61d4815f12baca5537e7430562fbcd41f864be3810d28d89f5da099bb70f9430996e2717979f1d68da0e22c6464ee5f0c3ba1

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
6KB

MD5
824fb455a0c9312cff4c882b01dfdaf4

SHA1
07a84d3ec46485ce7b97fa1cc8fc7de9f46f53a6

SHA256
00732a891943bf0edad476695dc0b05a21d46afe159f6b01e953dacfc39349f6

SHA512
480ba274d5aee136dca79ff8e94f7ffc685b7e48735163ae465cf3a5934c29a8ed1dd9dd9a8b0495469e2b6b30167f10f427661b0aaba735be78bc1262b8a125

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
88eefffddb6750ca34e8d9c8f75fe3fe

SHA1
28ed67bc1874c52311df84514ae33e8bc51ba8fb

SHA256
5210bc20854cddad6d0904576874f17b4a8f1d7ab8e9a10e7ca952e1d0e22106

SHA512
5ee944074ac240606087802530d3c8f4d10286403f945e6f8d411a69c8718f05801ffcb218891ad51da5e61f523346f93f5b4a224efb1ffc78b0d0751c932db8

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
c47839ae7d214bd6d624af7e7b306429

SHA1
f68aad74a5267414153294fcb9d0ceb6b5ac03c2

SHA256
3b1a5ecce0f608f0b3185f20e2811454a5cc8f8b001202895f61fc97dea8b2dd

SHA512
a37301913fd1b9e158632fe007e816be080973a34ff8acbae3e680a1c576d5b62fd07b4096b82c116624eac9c2b4774f222f9a751f257177879b4c0e8a21f846

Download Submit
memory/2500-3-0x00000000022E0000-0x00000000022E1000-memory.dmp

Filesize
4KB

Download
memory/2500-84-0x00000000074F0000-0x00000000074F1000-memory.dmp

Filesize
4KB

Download
memory/2500-1-0x00000000008C0000-0x0000000001FF7000-memory.dmp

Filesize
23.2MB

Download
memory/2500-81-0x0000000008340000-0x0000000008341000-memory.dmp

Filesize
4KB

Download
memory/2500-28-0x0000000005D60000-0x0000000005D61000-memory.dmp

Filesize
4KB

Download
memory/2500-239-0x00000000008C0000-0x0000000001FF7000-memory.dmp

Filesize
23.2MB

Download
memory/2500-0-0x00000000008C0000-0x0000000001FF7000-memory.dmp

Filesize
23.2MB

Download
memory/2500-22-0x0000000005D70000-0x0000000005D71000-memory.dmp

Filesize
4KB

Download
memory/2500-228-0x0000000007500000-0x0000000007501000-memory.dmp

Filesize
4KB

Download
memory/3740-33-0x0000000003E20000-0x0000000003E21000-memory.dmp

Filesize
4KB

Download
memory/3740-20-0x00000000008C0000-0x0000000001FF7000-memory.dmp

Filesize
23.2MB

Download
memory/3740-242-0x00000000008C0000-0x0000000001FF7000-memory.dmp

Filesize
23.2MB

Download
memory/3764-11-0x00000000008C0000-0x0000000001FF7000-memory.dmp

Filesize
23.2MB

Download
memory/3764-29-0x0000000002780000-0x0000000002781000-memory.dmp

Filesize
4KB

Download
memory/3764-241-0x00000000008C0000-0x0000000001FF7000-memory.dmp

Filesize
23.2MB

Download