55e4ce3fe726043070ecd7de5a74b2459ea8bed19ef2a36ce7884b2ab0863047

Analysis

max time kernel
1794s
max time network
1792s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
09-03-2024 13:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

AnyDesk.exe
Size

5.0MB
MD5

a21768190f3b9feae33aaef660cb7a83
SHA1

24780657328783ef50ae0964b23288e68841a421
SHA256

55e4ce3fe726043070ecd7de5a74b2459ea8bed19ef2a36ce7884b2ab0863047
SHA512

ca6da822072cb0d3797221e578780b19c8953e4207729a002a64a00ced134059c0ed21b02572c43924e4ba3930c0e88cd2cdb309259e3d0dcfb0c282f1832d62
SSDEEP

98304:NzTZ3cINQscs0m++LNkT6OpwDGUUH57yvZ/49Mr8EO3QhA9Kq:Nzt3cINQscNmvLCwDkHEvZ/4R79x

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AnyDesk.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	AnyDesk.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
5116	AnyDesk.exe
5116	AnyDesk.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
4656	AnyDesk.exe
4656	AnyDesk.exe
4656	AnyDesk.exe

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
4656	AnyDesk.exe
4656	AnyDesk.exe
4656	AnyDesk.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 440 wrote to memory of 5116	440	AnyDesk.exe	92
PID 440 wrote to memory of 5116	440	AnyDesk.exe	92
PID 440 wrote to memory of 5116	440	AnyDesk.exe	92
PID 440 wrote to memory of 4656	440	AnyDesk.exe	93
PID 440 wrote to memory of 4656	440	AnyDesk.exe	93
PID 440 wrote to memory of 4656	440	AnyDesk.exe	93

C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
"C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe"
1⤵
- Checks processor information in registry
- Suspicious use of WriteProcessMemory
PID:440
- C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
  "C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe" --local-service
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5116
- C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
  "C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe" --local-control
  2⤵
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:4656

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\gcapi.dll

Filesize
385KB

MD5
1ce7d5a1566c8c449d0f6772a8c27900

SHA1
60854185f6338e1bfc7497fd41aa44c5c00d8f85

SHA256
73170761d6776c0debacfbbc61b6988cb8270a20174bf5c049768a264bb8ffaf

SHA512
7e3411be8614170ae91db1626c452997dc6db663d79130872a124af982ee1d457cefba00abd7f5269adce3052403be31238aecc3934c7379d224cb792d519753

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace

Filesize
9KB

MD5
30311d021f3cc4675f422d6e20297e8a

SHA1
08cc802f9efedb7d656669c484ba4446579876ca

SHA256
3b4b0b8a9f9de3242bc96f7fb889a1222afefd6a672e5b45b0d8105930b32e67

SHA512
40749dbd4fdca7c49186c037318c0f2a850d8b08311cf6a476844ffc2fba37065d56c1a826d46c812abcc9df023d5d48a2b99bde0d94375e36b171c6ecf22327

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\service.conf

Filesize
2KB

MD5
6b7a5fc513676ef3c3f5068f61500a48

SHA1
9e7ffb4ab7e715a72f5bf55e06c29a4939198c35

SHA256
63d37483c17140d9ef4fe5e504db920c4b94c0fcb294e9c898d554ec110624a8

SHA512
5004a0431622f9f524d88bffde3cfeb0d9509afe0ca343dc8c9bfc5213ad675c85eb24fea36c8be91c9904448d4938772219d8a097d27324109d0ad77bc4fa07

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\service.conf

Filesize
2KB

MD5
8753247bcabfe4ab50527ed650e75675

SHA1
ded06ccacf12783326ae02a4a9910591a6837063

SHA256
53c6f1086caaafe292c96a71be19573935664afb0e0e40147cce4f58d36ff7c3

SHA512
d4b29a5e6dd7990873af0f9f84d23d6790eb60d9e6604235d2855950965dde097e25ccc386e74c74606b8dda3aa89c246af727aa53e2f57c28d2af929fa6bb86

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
681B

MD5
cdfffcf73ec1721681dd20dbe7f140ee

SHA1
864f3dc946f25dd9c9a654636c1808e867ea4a62

SHA256
4a015bce2241f50b99d3152ddc3ad00ae41f4ac6f3d488030108ae7cd544e871

SHA512
912f40bc97872c46e59eed641e72634f6172e7e20ef72eea2da5bce13cad4618c0dba578709f8c9a4c79a017feaff4e1ed9609099ceae4f9d4e57860f98f2ad2

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
802B

MD5
983d6a135922a5be3e010aaa2b8dde19

SHA1
43aaa2ce868341c6579aa8586416cf0fba177e94

SHA256
661b18a0716d886607582db88f84f99a6e9d576e02ec20788b6e59c0570abc16

SHA512
bfe9f5e03b0d6f85a5290fb13b254cf6d8a7d8cffedef18573b81b4f6d6e7295ea1f5b650db916c9173e4ae39ec148879ae8f91bc9cf21b57e49abfd753935f3

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
312B

MD5
0c04ad1083dc5c7c45e3ee2cd344ae38

SHA1
f1cf190f8ca93000e56d49732e9e827e2554c46f

SHA256
6452273c017db7cbe0ffc5b109bbf3f8d3282fb91bfa3c5eabc4fb8f1fc98cb0

SHA512
6c414b39bbc1f1f08446c6c6da6f6e1ceb9303bbf183ae279c872d91641ea8d67ec5e5c4e0824da3837eca73ec29fe70e92b72c09458c8ce50fa6f08791d1492

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
424B

MD5
549514272af8d36b3e2657c762d3dfed

SHA1
fe1b7eae8a1e0d3ef8276bb7716d795f4fa2213b

SHA256
4f53a522a34d312d4f900f527485fce1d74a6bb5ed9fdeebff0d8f5605095319

SHA512
815874c728c2e1240ea8dda73c9336fd0e8ba0cedb3a7a914f6928226e6082c45d73bf7e5fdd6ae950b2655af2b10d1a9f1cb0f74eaf5c2f3f7151fa525d962d

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
679d7b7d6449db2256bc94de543f3d93

SHA1
0d34ae78f39ff2ee55ad971b0f07f2b489271210

SHA256
4417885ecb3331d36e6d52333484782a2c0c06e303e8761576d34505b50385d4

SHA512
0160140bb9c688bd3841a27e6ac7cc272b0e0bbbfcc4fb75654708d79f6e54cfc333986a55726b92a70c8f0b85ec6000a9eb99b4758f8ee6e0ebc3050bcb084a

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
2KB

MD5
cdbb0da5cd899700194492d51fc7d6f0

SHA1
a34aa8edd919ff55c9683717d7612cff83c2eb8b

SHA256
a04280b91949776c0f8126a016eec57f06949ce6f13fdef518ab3bcefcb703a7

SHA512
f23a97f6865dc3bf76ad5c78a3b410a66d1d6be0a0cd988e9dc188c21908694f6f180c2d9b30ee044d26d4bd479738b1e937fc01bebe3c66f779dd5e5918f4d6

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
3KB

MD5
850af2834e290061d9b7d01cb69acb1e

SHA1
2e1f0ce0784cad363658ade0054d606d75babd6e

SHA256
de44214d15946370ac5aa1eb01223e7a9b430e3f2b6fe886eefa7f6b57c4c1af

SHA512
e7151531e3cf7cfb3d880b2fc8182d055ca8e633d62297431e2834916ab67cdc4c94a42d75a65bde0f244dfb9f41c6fed537b2004c447b2ee9976073d0fac405

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
3KB

MD5
4482ea64d4aedad4a40b3d8308b4a0e9

SHA1
1f67ab10b9b3fb6af247c078ba6917ccc9f57a75

SHA256
b2a6a9723dc1c2f1db7a011731c47696caca97e728058130df9e41fdbd883b5b

SHA512
7e6028280caf08a9d1a51dfc189705002dfcea6f99d0ad7de78973d48cf25fc7f94536d56d70bdac5a41de4a10ae9da802d3176e827b84a74adb0ef415c560c4

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
6KB

MD5
3d06119834773cb474ba8930248acc06

SHA1
c96e88bfb12a24c93947043f827c105ae9aa3d58

SHA256
6a10f56ba0b39a94d27f87a4ba370bacc6b56dd887abe6237d8eea7d50b602a8

SHA512
49eb9acb15d2d73fbe9617e4afb4ff0fa6948f84ceb5843bc6a309ac480febcedf0ef4296fa82f5edb7b51592da9428e1327a61dc24e23f386e7067206c036b0

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
6KB

MD5
2a7ae1b3029cece035fc545e47702849

SHA1
3da1fa32db9b0b6a6ddf956564ff6f190fdf8c02

SHA256
8c8f877918ee3990e9e86227eb624a63ba87c3f40390b734f686e440254f7c13

SHA512
6cc1ec2d937aba3b2afd78b9a124219fbf1f90c02dc4e8d2e3aca04066adba3de09e27f4e6dcba18cb2096f32bc579e2cd4d386efcf88acaeb0a7c569d991564

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
ffb082ba92e89322011b688e6801cf62

SHA1
6b57ef6b067c3be30e4e478dc276c3d7b66ce34f

SHA256
cef4eaeb8aeca865388d28f8c0f92a97c1441a404b98b8fcc8702cc5c048607b

SHA512
6cd1a11395896cd03f99de9b627a6f6d4d00014ee75f695a99576125068aed5238dcf2a651751b3ccb96aef2dccb564a282231eb77b3fa6c5b5c69bd9cc7bcba

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
6KB

MD5
5827226aa0356b02beb5fb5dbffe5170

SHA1
bdc88cf99b8258507b4c1b1958d3d60ce90b9d3c

SHA256
ec99faff1c22a4a851edf0978b1c80ea185766d2c2098aba9ba1bf3242d433fb

SHA512
2cec070825486893a4bcf1f567e685048d8f19ef9065369bc9f2d4a472c04c07a045e687954c9610630d155b3e3b5c4395c95d26662d610632e5858052ac6084

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
b2faae17050cef76b04426fbae7cac4e

SHA1
f66fb07baf459e877c6fc4f59d4251a0691cc792

SHA256
0420356012d7144d64314889db1f9582c7956bf9a6f29121f7fb3fe3e61fc41f

SHA512
1f72f57a8d076e1ef2c83a8701316107ee46a1a6a1b309e679b30a6b207b72609600f48905531f2d9995009a46b349b70e80f6a38505ec2924c8db6e1c3f3733

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
fa1f6fa5302e2228f337aee5205b1384

SHA1
c450a1c5079f018c5cde02c304d4d44aab97c688

SHA256
91d130983136bfb76fcf820c58d7fea3e6664213ffb2486643304be53f433579

SHA512
9a6ea7c09d759c31c1a86a7a4f135d26128276bafc8534861f172b7ed0fe9e3eec044993e63b875e8e75615802efdd3d04299cd22ac233049ff350fb4801dfe6

Download Submit
memory/440-88-0x00000000080D0000-0x00000000080D1000-memory.dmp

Filesize
4KB

Download
memory/440-3-0x0000000003A70000-0x0000000003A71000-memory.dmp

Filesize
4KB

Download
memory/440-1-0x00000000002C0000-0x00000000019F7000-memory.dmp

Filesize
23.2MB

Download
memory/440-32-0x0000000005AF0000-0x0000000005AF1000-memory.dmp

Filesize
4KB

Download
memory/440-237-0x00000000002C0000-0x00000000019F7000-memory.dmp

Filesize
23.2MB

Download
memory/440-0-0x00000000002C0000-0x00000000019F7000-memory.dmp

Filesize
23.2MB

Download
memory/440-27-0x0000000005B00000-0x0000000005B01000-memory.dmp

Filesize
4KB

Download
memory/440-93-0x0000000007280000-0x0000000007281000-memory.dmp

Filesize
4KB

Download
memory/440-226-0x0000000007290000-0x0000000007291000-memory.dmp

Filesize
4KB

Download
memory/4656-14-0x00000000002C0000-0x00000000019F7000-memory.dmp

Filesize
23.2MB

Download
memory/4656-12-0x00000000002C0000-0x00000000019F7000-memory.dmp

Filesize
23.2MB

Download
memory/4656-30-0x00000000020B0000-0x00000000020B1000-memory.dmp

Filesize
4KB

Download
memory/4656-239-0x00000000002C0000-0x00000000019F7000-memory.dmp

Filesize
23.2MB

Download
memory/5116-11-0x00000000002C0000-0x00000000019F7000-memory.dmp

Filesize
23.2MB

Download
memory/5116-31-0x0000000003AE0000-0x0000000003AE1000-memory.dmp

Filesize
4KB

Download
memory/5116-238-0x00000000002C0000-0x00000000019F7000-memory.dmp

Filesize
23.2MB

Download