55e4ce3fe726043070ecd7de5a74b2459ea8bed19ef2a36ce7884b2ab0863047

Analysis

max time kernel
1796s
max time network
1794s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
09-03-2024 13:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

AnyDesk.exe
Size

5.0MB
MD5

a21768190f3b9feae33aaef660cb7a83
SHA1

24780657328783ef50ae0964b23288e68841a421
SHA256

55e4ce3fe726043070ecd7de5a74b2459ea8bed19ef2a36ce7884b2ab0863047
SHA512

ca6da822072cb0d3797221e578780b19c8953e4207729a002a64a00ced134059c0ed21b02572c43924e4ba3930c0e88cd2cdb309259e3d0dcfb0c282f1832d62
SSDEEP

98304:NzTZ3cINQscs0m++LNkT6OpwDGUUH57yvZ/49Mr8EO3QhA9Kq:Nzt3cINQscNmvLCwDkHEvZ/4R79x

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AnyDesk.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	AnyDesk.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2536	AnyDesk.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
2700	AnyDesk.exe
2700	AnyDesk.exe
2700	AnyDesk.exe

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
2700	AnyDesk.exe
2700	AnyDesk.exe
2700	AnyDesk.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2924 wrote to memory of 2536	2924	AnyDesk.exe	28
PID 2924 wrote to memory of 2536	2924	AnyDesk.exe	28
PID 2924 wrote to memory of 2536	2924	AnyDesk.exe	28
PID 2924 wrote to memory of 2536	2924	AnyDesk.exe	28
PID 2924 wrote to memory of 2700	2924	AnyDesk.exe	29
PID 2924 wrote to memory of 2700	2924	AnyDesk.exe	29
PID 2924 wrote to memory of 2700	2924	AnyDesk.exe	29
PID 2924 wrote to memory of 2700	2924	AnyDesk.exe	29

C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
"C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe"
1⤵
- Checks processor information in registry
- Suspicious use of WriteProcessMemory
PID:2924
- C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
  "C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe" --local-service
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2536
- C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
  "C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe" --local-control
  2⤵
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:2700

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\gcapi.dll

Filesize
320KB

MD5
dba65c08aaedde2a0dc7d399d0448b06

SHA1
c7ca3f8630cf4cad769a927a3c43d83b012bbf8c

SHA256
5ca5ae1864f21c640c807225157ac04d390c7e917433d4809ca9f478dc6b0074

SHA512
27b9d241f83c926426d39e12402d694908b8be88cdb56f68f9267153cfa754f8bf75f4840c90370b65cdf1c54024116fe974c0c1f7b4a115290718992e878318

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace

Filesize
7KB

MD5
7714e65f33ac607b6ddd8d1ddd65e3c4

SHA1
22bfb59a12221edf86c2230df394c176497f6572

SHA256
0c3381422fd4f6217c505d68fde0a5acb6794485331aacc0e8591df674012801

SHA512
4812a7e9810ed1372e0600c6991761140466ab7fc19ee6dbc07aafa3f7e896bc7a26b4043d975225cbc712cbb7e9c661e95bb544ebd91417ec5b1cfb02323475

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\service.conf

Filesize
2KB

MD5
2b956e0dfba9fc096e3dc57b98e3c23b

SHA1
d99fe50d4fda026bef9453736aac121919b46ed1

SHA256
9fe254552956812c247c0835bcfa5b55f5cba2e4aa54f12e31fea5d9aa6ba0c2

SHA512
eba8f2b23f8ae0c929e2f63802be1a9477774fb9cff6691ec14e80b50fa1a6c5505d99b0384e045e0b02bfa96419997f4261623ca25641024a4a70e67e7831bb

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\service.conf

Filesize
2KB

MD5
414271dd9eef2fbf904ccc0878e000e0

SHA1
9b62036768f6eca0a30cc55a693ea481ed0ed195

SHA256
8c9854d76ca22cd6e82fca7a028c494dcffb3ea10f750de91d28b4938647b158

SHA512
734d03d01d09f626694f2e8c5504e8c5c48082f3d047c82809aa43e93e01491c5eb0f2523230a06ca470038f46d6bfe72070b2a65aca6564631f9c9eb40442bf

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
802B

MD5
3d243d18dab1a37476b07b8360175d8a

SHA1
fc3aaee831667ca5eecf070f5251ef2d7bcb5d61

SHA256
280902d87a6c0a05963676f0a4631555ffc50e05d7ab2b6cdc2e5fd10aa31301

SHA512
def19b92aa934a5c338291c8650163f1f2862226b7f20ac480f4747d60b9e8fe9acc0dad1e1ac012e5117ff17dfc8cca408cc79306372be43105d11654c1c1c9

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
802B

MD5
3884dc27995db7dcca1365b7019ecd18

SHA1
f44a88e55fba5a617fd60ca0a2a01b23c35013a7

SHA256
2f5976370360e8553b5163c0c6a2f3c6d8584028d0f1c245cf35718f1fcd7fa9

SHA512
c4a03df5a7d42ae6ad64f2befd9895f3ebf3352759f9668a011533a01e7a246074ebff377507a51f1461435991ada922c1793857ec9af44d89bc0c73a088baeb

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
424B

MD5
73437e32ca7bf3fb9c69c2c240a68b7e

SHA1
2303a714ffd67edde3808c2ee0049dfc197b1382

SHA256
63e9761bd725312b1b810d8f0a11fe06b19282f06d97ac4bb7e54c3bec279ced

SHA512
8c48438cfffd8d99702e7df71f5d644f1a2df7581a64bb2edcebd85e89515fdc81536f3b3f77eba943e3ccbca7731936a577175602e9262aa968d3e960159937

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
ed872231f934273e0dbdf297d21c9725

SHA1
80140d4c7a09d84a5f0992d8f3d3287fbeb5a52d

SHA256
f7b529a85770be7a4a04b0d458e0eab0ac911f902ea25297bd1834b359dd62ec

SHA512
7095a6400c28e3182f12688a4225a7376603662f91d2a357ff6c31957d775e62ae2839221f058c878bf39122cbb670cfdf5d24e8b31f519a8b5015bd1341d992

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
599fd46c3d83554b4d694fe178f351fa

SHA1
913ca83b66ba8b49321075c9992f562b47649def

SHA256
b659837f4bf44182a2d499a09f71581d4503b433e96cb0b985f91f9bbfe71bb0

SHA512
14ab957e9d853eb81a88bed2ffbcaaa38afdf930be7624c0dd4b85e6ac70bde7e802f4bfb00617961f781cb16946c70a91ff4befb8a1c3e60aa768aae32f2aed

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
47065cc4781d9a66aaf25e3752c8a222

SHA1
f6b6ba297849b02b5d960c6d4013c9a344a92f29

SHA256
bbe9fd7e33039af20445ed33ffef1e96d48dccc8a70812f3682cf28c62db09c1

SHA512
8e16e30466ef76d85b907c6812d8530695345246c9a32f1b6404b5e8cf4cb59fa99fcac78f263c48d8e172d10bb12c203debe3944c4317ffc312128d98338090

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
5KB

MD5
dab3316b0f72248293fde8327fa45178

SHA1
b4738120e098a77ed221894be86f124a4ca22699

SHA256
287060c862f5510dfcd72619a40cfad01ac0fcb3d79db9d92d4fe63e7c87b1fc

SHA512
768d31c01e4a3470705584aaa77f9c27599f19395f7942935d7f2353d160960e6ad62320e6f1905019323c3310a8934b9867f5cc7e1cd19f54e49ee9656b96f8

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
5KB

MD5
5566c77e6890ece3c98ef13df32a3140

SHA1
39b18ca21ba64ff98f6d801c2bb8702fd3f1d452

SHA256
7e7f859740cc8ba69d6473c58048f67ef1a5f1911b60c25a1afef7aa70b70075

SHA512
beba820973b9abf0731fba5e9ff4060130d66b9921d21b257887a491a9ba8a4cad8e754840599a78dee0ed8cf84c4fe6648d7c5a3c8a356571d347fe2c66ec80

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
5KB

MD5
3260489a24e22525ef5063c17cbd3c0d

SHA1
22c966fb24c63344af3aae05fd51ef38bd1a2e26

SHA256
bfc14cd557cb6afe3eb598bb73117cc572010ce2c40d178afbfa69b0bc51f7d2

SHA512
a1c1d11e6640c34b4272c4a47c4978b252e13878d910604e355c1efa38ff39b22e4e7aeda5148b8e337dee4d831a4e82655054a2bae80ef524c6fa18efbcb8ed

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
5KB

MD5
357b644892190ae0fa52d099d7384410

SHA1
dcd14d9d90b1a701e99d73734a1a6053a4e55deb

SHA256
6037035027ec00b23eedb9b442be640bc02803df13a65a0a651ecee986225ea1

SHA512
9abf3541a93fd1fa22e6378ed2f5366b0bbd9a7b6aa74271c703827263ba49e6f8e2c94035e369a640c877877aa52d527f2bbda41cb86b3ba3a31f211d3ae992

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
26cdad994073c3d6f5e978284a5c3f83

SHA1
c21d3d4ff5105163b7569dcc3118476080ecab5b

SHA256
0c155ccec3ac4f01bb9cefe0aa49e75f57d701523b504d27b7d9aa82ea27f3bd

SHA512
f840ea9b3dd97a3b400e62ce12188aa36d356fc7eb6f2d510f049d8f06edaea61e512e9f8f9e3a1ce5b71a49fe4584683cf5bfd06a45a730ab82159745033988

Download Submit
memory/2536-33-0x0000000000950000-0x0000000002087000-memory.dmp

Filesize
23.2MB

Download
memory/2536-59-0x00000000000C0000-0x00000000000C1000-memory.dmp

Filesize
4KB

Download
memory/2536-107-0x0000000000950000-0x0000000002087000-memory.dmp

Filesize
23.2MB

Download
memory/2536-63-0x0000000000950000-0x0000000002087000-memory.dmp

Filesize
23.2MB

Download
memory/2536-11-0x0000000000950000-0x0000000002087000-memory.dmp

Filesize
23.2MB

Download
memory/2536-234-0x0000000000950000-0x0000000002087000-memory.dmp

Filesize
23.2MB

Download
memory/2536-112-0x0000000000950000-0x0000000002087000-memory.dmp

Filesize
23.2MB

Download
memory/2700-28-0x00000000000C0000-0x00000000000C1000-memory.dmp

Filesize
4KB

Download
memory/2700-39-0x0000000000950000-0x0000000002087000-memory.dmp

Filesize
23.2MB

Download
memory/2700-235-0x0000000000950000-0x0000000002087000-memory.dmp

Filesize
23.2MB

Download
memory/2700-113-0x0000000000950000-0x0000000002087000-memory.dmp

Filesize
23.2MB

Download
memory/2700-12-0x0000000000950000-0x0000000002087000-memory.dmp

Filesize
23.2MB

Download
memory/2700-110-0x0000000000950000-0x0000000002087000-memory.dmp

Filesize
23.2MB

Download
memory/2700-86-0x0000000000950000-0x0000000002087000-memory.dmp

Filesize
23.2MB

Download
memory/2924-31-0x0000000000950000-0x0000000002087000-memory.dmp

Filesize
23.2MB

Download
memory/2924-176-0x0000000000950000-0x0000000002087000-memory.dmp

Filesize
23.2MB

Download
memory/2924-105-0x0000000005050000-0x0000000005051000-memory.dmp

Filesize
4KB

Download
memory/2924-0-0x0000000000950000-0x0000000002087000-memory.dmp

Filesize
23.2MB

Download
memory/2924-21-0x00000000037E0000-0x00000000037E1000-memory.dmp

Filesize
4KB

Download
memory/2924-114-0x00000000043A0000-0x00000000043A1000-memory.dmp

Filesize
4KB

Download
memory/2924-20-0x00000000037D0000-0x00000000037D1000-memory.dmp

Filesize
4KB

Download
memory/2924-4-0x0000000000180000-0x0000000000181000-memory.dmp

Filesize
4KB

Download
memory/2924-218-0x00000000046B0000-0x00000000046B1000-memory.dmp

Filesize
4KB

Download
memory/2924-1-0x0000000000950000-0x0000000002087000-memory.dmp

Filesize
23.2MB

Download
memory/2924-106-0x0000000000950000-0x0000000002087000-memory.dmp

Filesize
23.2MB

Download
memory/2924-236-0x0000000000950000-0x0000000002087000-memory.dmp

Filesize
23.2MB

Download