55e4ce3fe726043070ecd7de5a74b2459ea8bed19ef2a36ce7884b2ab0863047

Analysis

max time kernel
150s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
05-03-2024 12:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

AnyDesk.exe
Size

5.0MB
MD5

a21768190f3b9feae33aaef660cb7a83
SHA1

24780657328783ef50ae0964b23288e68841a421
SHA256

55e4ce3fe726043070ecd7de5a74b2459ea8bed19ef2a36ce7884b2ab0863047
SHA512

ca6da822072cb0d3797221e578780b19c8953e4207729a002a64a00ced134059c0ed21b02572c43924e4ba3930c0e88cd2cdb309259e3d0dcfb0c282f1832d62
SSDEEP

98304:NzTZ3cINQscs0m++LNkT6OpwDGUUH57yvZ/49Mr8EO3QhA9Kq:Nzt3cINQscNmvLCwDkHEvZ/4R79x

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	AnyDesk.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AnyDesk.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1372	AnyDesk.exe
1372	AnyDesk.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
1412	AnyDesk.exe
1412	AnyDesk.exe
1412	AnyDesk.exe

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
1412	AnyDesk.exe
1412	AnyDesk.exe
1412	AnyDesk.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4696 wrote to memory of 1372	4696	AnyDesk.exe	91
PID 4696 wrote to memory of 1372	4696	AnyDesk.exe	91
PID 4696 wrote to memory of 1372	4696	AnyDesk.exe	91
PID 4696 wrote to memory of 1412	4696	AnyDesk.exe	92
PID 4696 wrote to memory of 1412	4696	AnyDesk.exe	92
PID 4696 wrote to memory of 1412	4696	AnyDesk.exe	92

C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
"C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe"
1⤵
- Checks processor information in registry
- Suspicious use of WriteProcessMemory
PID:4696
- C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
  "C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe" --local-service
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1372
- C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
  "C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe" --local-control
  2⤵
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:1412

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\gcapi.dll

Filesize
385KB

MD5
1ce7d5a1566c8c449d0f6772a8c27900

SHA1
60854185f6338e1bfc7497fd41aa44c5c00d8f85

SHA256
73170761d6776c0debacfbbc61b6988cb8270a20174bf5c049768a264bb8ffaf

SHA512
7e3411be8614170ae91db1626c452997dc6db663d79130872a124af982ee1d457cefba00abd7f5269adce3052403be31238aecc3934c7379d224cb792d519753

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace

Filesize
5KB

MD5
050c312945dc3b1d31b16a7e0b75a778

SHA1
57f15bd6a189686cdff1aff7d05010ca5f63032d

SHA256
df4863c8d34f82aef8f84a8362123dbc63f5b371fe58288e6ccbee0b068fb83a

SHA512
526f926b431b5c8b5c541d50baf70ee24a5cc52196cfb9ab2f1682cde306c50c96d82526616cdd1156a15f5b15387c2f8117a6addf6e28716efd9fbbcf6344ba

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace

Filesize
10KB

MD5
e9b12e448500b61ca7b68dd4660d527a

SHA1
4afc23296298367c44737474c25c712af25f072a

SHA256
f43c58d6ffd5139b8e33621fbf7e004d594774fd9a70b157d028f56f1252f982

SHA512
5a0e6d2b0e2b4ebb4ece8b564f73a6c8425800501fd5bacedf0f55088e8fd5e36505890ce9829e1e3413271c7145ebf9ef0631d28413e7210d1ca882b5af5f71

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\service.conf

Filesize
2KB

MD5
257b2b82889dc6a4c854bb7c5e58a9b5

SHA1
0fcf86cc30bc685d8351f490142209f445eae3e0

SHA256
a47a6f1ec7e435b7b4eecb51fdd488514b52c271937d2bef3f7d9c803c72063b

SHA512
bf97211622f56eace5049b80bb98215a1e56dfd6a0f9a3b31cf53c77814f7aa87451f17e2b23560119dd4045bd68ab571807520c8b85d25e48c02ef6e21a1078

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\service.conf

Filesize
2KB

MD5
83984eccaea800c5da71df5aa0603a2d

SHA1
08fa87d463489f11cc5d3e094601c48ede8c655e

SHA256
8696d40a8dbc2d597c02016de50053b1e9dac9c4f3cc53531115004271967319

SHA512
93cfd40665d5d3b5130010146bdd617aa41ae012fc1da25ef23d1cc497089579e46486d5f61d469a3b24bfdfa1738f371ff7bbbf7ebc57ed7e8d1de2f2d034f6

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
681B

MD5
fbaced9d1a51d497767ef97143a527e9

SHA1
7e96db65c6177ce2fc21d70d3d698f8aabadbd5c

SHA256
4f9f959582d82abcc7d36b37a47c52d05817de72bf752e3829c225001071c733

SHA512
94631db1c4b72b79a198ce1041582bde6917b024a45b5b738e55873135031400e3110f742dec65cf4c4b8b910f2a3066daa00597cf28ae705f2263876b21deaf

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
802B

MD5
28bda4afd133941eea4e0f79b5bdbce6

SHA1
3b4a9d1e0094c905c34e5010ce8d7f19fa8c2b44

SHA256
64592778bc65abd91af1ce0c805bf8557e4875d4c23a9e6b074e4258384b78f5

SHA512
044f853eefdd1f724af5e7b27f345d77a008bcf5cd9ce9e888a25ade03b1cb72a44873d33e14889d578dc2c89536a1f1a50406fcbe76764ba512287b64e1a6c8

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
312B

MD5
0c04ad1083dc5c7c45e3ee2cd344ae38

SHA1
f1cf190f8ca93000e56d49732e9e827e2554c46f

SHA256
6452273c017db7cbe0ffc5b109bbf3f8d3282fb91bfa3c5eabc4fb8f1fc98cb0

SHA512
6c414b39bbc1f1f08446c6c6da6f6e1ceb9303bbf183ae279c872d91641ea8d67ec5e5c4e0824da3837eca73ec29fe70e92b72c09458c8ce50fa6f08791d1492

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
424B

MD5
819d9c8d6dc0f2712564ebcab3065174

SHA1
17b21f62c459fba80ff9819b712a8f9019e7ef1a

SHA256
9695147105d88ebe7ad0da4eda8fcc1c6f947fb0698a6a038af6fcdc0a320ed5

SHA512
948035752af8ea2e712782fc847a2aa3cbcfcf4ff7255005374b303bd30072f4be37e5804300d2ff621341db880f3addc73e8249f4cab371ca1db21e6a3143f6

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
dd5ebbd0132ff772c855999ad402ccd0

SHA1
7860f7edb4d3745a31db0e2fa65ca5af26b6a208

SHA256
cbf2cae8b666921dcec6b90f166c28429e0a9bc38f422e9d012db3f710082979

SHA512
a80f6818e34a733e58271f7f90d81f8c9f8f89e19289f5fa2d25268829aa526ac7f4292eb7d9829753850c4fa8f72b3f5084ead2dabb70bbc3506d29090e6fb8

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
2KB

MD5
d3c5ea7d264b816fcb5f2abe9eb46301

SHA1
d467ffcc2d06616099f78a5b64334cfaed6df83a

SHA256
4d8c2518a6c9921fa6b2e06945f16445fd043b37c03ecd13c967ba8f00c563b2

SHA512
4f4522783f96ef8a413521e8437499c3fa5c811f4e22b1afef606c7846a63a895764d658640b621767baf7fb9ad29863f9c9509e0c6a9e0af14987194e5f7ca4

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
c792daf49ef142c71dc2e4627b2c7c86

SHA1
3df6fe1da96762a3431ef74b47cb2120000c730f

SHA256
d28e26d992f6ca663589090c752b6c2c2fa79df9b6b51ea989fa177b9ee55564

SHA512
2cbe6317a3c31c7724cef5f5839d9e94b68656f8b165039601c6fdaf827f88e6ce9f787791e4fa85509e9ab8bef8cd761baefe014322492231e8adf07dae678a

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
2KB

MD5
9b80b896f0dbb414f69d51654c4caca4

SHA1
98c36c633eed86602497d36149220086567d320e

SHA256
019cd47cfcbc77f0a5ef27a5331442185a12cbfc40015d602e156455d7123c89

SHA512
29a904607512b7b9286b666d4c3989ad3cac8eabee98bf55d20ce3439b93ee206d5460b9984f37f602e1cb23ad0a2d031dc96569268caaba1b6a260bce679d60

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
6KB

MD5
01d7ac36095ec85069bc142285860af9

SHA1
ac8708c80593fed4e7373cc1700f2e49171d54cb

SHA256
781be9d47a40c5968ecad1f0cbaa9c5b227fd46c9d7255bc1d1892570836d47f

SHA512
275e2d5e7f0706d99b9a8d8c294f4af8b18317ef5e8b7eaacf2aed4424554579584ab34ad4fda25184a930054715346621821bdb529b5a0b48bfa37a10dc0ae0

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
5KB

MD5
e86c978aecf9d52a8c3b3092edcc8774

SHA1
42d719a7bb8aa259fb8e879825eb4895dc6fb708

SHA256
7b4bcf8965e982385e6199a210397ac7bed3881d5d045b9624c86587ce415f9b

SHA512
2cdb2add2ff09d26e7ed45a19f6596380346cf5a16e6fe3541e9cb637346b7837c32af3315fae286cbcfaa1781b0dc31df095edebae9cd33560355c994d5b98d

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
5KB

MD5
2ad8a2e45e6c06bcf22fe5ee7e523e83

SHA1
65b69b63f774c4cddb6092efce48d78c3356490e

SHA256
3cf64809eefdc9847b8a37dbed80805f1b7a3b1808086dacb59ff92c15c0cd3f

SHA512
439ec4d53435a45572e724948bd756f3a53f941c7820b086526c94dd6877e8638cfe8e22ea9a0bc3b0a42fd1a26fec204da42ffc26e5e3683753043a8b5df0d9

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
5KB

MD5
d74a5ee9174880d3428d00447a534317

SHA1
cb8908b4ef52f3fae719965f8dbb7654c2011850

SHA256
fc3ca2866c7b1e7198870eff5f27b226a08f4058abe9aa058c47597092353996

SHA512
4186301d6a90135e249353de7bd69f6283cca85d80318505d3101947a37ef30c5da800bfe49881ce20979bc1a753ca7837fd0862f528d57cd8e173608ecbec82

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
0231db763c57d77313807d59411c629d

SHA1
64227ce1766b3caf31cbe76f5f710e80f095a1a8

SHA256
39f8fa7033c4e36fd81c5f8d815dd5f184090d0a6440ba0f79712b4d44ec6715

SHA512
c8192daffe2887f7e5f3f7db74262cec5cf7d4f337ea9ccdae5e7e62a4b768465ab8311e07f36e08a4bc74614f464110dd0c8e7c05c8a5d788a7ebb4cb41bcb8

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
4586bb94b9dc56fabaf964c2eacf855f

SHA1
debd396dd51943202d3839403f7e6569f57e5660

SHA256
806abe621847344fcf9e4c4f8d05995bcfc9ef7b8b240f6d274cce7d83ce053e

SHA512
5893e0fc60c6b85cf2d95160af63c359e49a49ea5031faa82de8466c0872d7b91f18e5825f199f870e3ec1ec1b9280b4e1d1e2dd411505a4808193bac21c7b54

Download Submit
memory/1372-33-0x0000000002A30000-0x0000000002A31000-memory.dmp

Filesize
4KB

Download
memory/1372-20-0x0000000000AE0000-0x0000000002217000-memory.dmp

Filesize
23.2MB

Download
memory/1372-241-0x0000000000AE0000-0x0000000002217000-memory.dmp

Filesize
23.2MB

Download
memory/1372-255-0x0000000000AE0000-0x0000000002217000-memory.dmp

Filesize
23.2MB

Download
memory/1412-27-0x00000000023C0000-0x00000000023C1000-memory.dmp

Filesize
4KB

Download
memory/1412-18-0x0000000000AE0000-0x0000000002217000-memory.dmp

Filesize
23.2MB

Download
memory/1412-242-0x0000000000AE0000-0x0000000002217000-memory.dmp

Filesize
23.2MB

Download
memory/4696-106-0x0000000000AE0000-0x0000000002217000-memory.dmp

Filesize
23.2MB

Download
memory/4696-85-0x0000000007AA0000-0x0000000007AA1000-memory.dmp

Filesize
4KB

Download
memory/4696-84-0x00000000088F0000-0x00000000088F1000-memory.dmp

Filesize
4KB

Download
memory/4696-0-0x0000000000AE0000-0x0000000002217000-memory.dmp

Filesize
23.2MB

Download
memory/4696-25-0x0000000006310000-0x0000000006311000-memory.dmp

Filesize
4KB

Download
memory/4696-21-0x0000000006320000-0x0000000006321000-memory.dmp

Filesize
4KB

Download
memory/4696-243-0x0000000007AB0000-0x0000000007AB1000-memory.dmp

Filesize
4KB

Download
memory/4696-3-0x00000000027D0000-0x00000000027D1000-memory.dmp

Filesize
4KB

Download
memory/4696-254-0x0000000000AE0000-0x0000000002217000-memory.dmp

Filesize
23.2MB

Download
memory/4696-1-0x0000000000AE0000-0x0000000002217000-memory.dmp

Filesize
23.2MB

Download