55e4ce3fe726043070ecd7de5a74b2459ea8bed19ef2a36ce7884b2ab0863047

Analysis

max time kernel
1559s
max time network
1564s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
10-03-2024 17:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

AnyDesk.exe
Size

5.0MB
MD5

a21768190f3b9feae33aaef660cb7a83
SHA1

24780657328783ef50ae0964b23288e68841a421
SHA256

55e4ce3fe726043070ecd7de5a74b2459ea8bed19ef2a36ce7884b2ab0863047
SHA512

ca6da822072cb0d3797221e578780b19c8953e4207729a002a64a00ced134059c0ed21b02572c43924e4ba3930c0e88cd2cdb309259e3d0dcfb0c282f1832d62
SSDEEP

98304:NzTZ3cINQscs0m++LNkT6OpwDGUUH57yvZ/49Mr8EO3QhA9Kq:Nzt3cINQscNmvLCwDkHEvZ/4R79x

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AnyDesk.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	AnyDesk.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
2640	AnyDesk.exe
2744	AnyDesk.exe
2648	AnyDesk.exe

Suspicious use of FindShellTrayWindow 5 IoCs

pid	Process
2648	AnyDesk.exe
2648	AnyDesk.exe
2648	AnyDesk.exe
2648	AnyDesk.exe
2648	AnyDesk.exe

Suspicious use of SendNotifyMessage 5 IoCs

pid	Process
2648	AnyDesk.exe
2648	AnyDesk.exe
2648	AnyDesk.exe
2648	AnyDesk.exe
2648	AnyDesk.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2744 wrote to memory of 2640	2744	AnyDesk.exe	28
PID 2744 wrote to memory of 2640	2744	AnyDesk.exe	28
PID 2744 wrote to memory of 2640	2744	AnyDesk.exe	28
PID 2744 wrote to memory of 2640	2744	AnyDesk.exe	28
PID 2744 wrote to memory of 2648	2744	AnyDesk.exe	29
PID 2744 wrote to memory of 2648	2744	AnyDesk.exe	29
PID 2744 wrote to memory of 2648	2744	AnyDesk.exe	29
PID 2744 wrote to memory of 2648	2744	AnyDesk.exe	29

C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
"C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe"
1⤵
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2744
- C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
  "C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe" --local-service
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2640
- C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
  "C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe" --local-control
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:2648

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\gcapi.dll

Filesize
385KB

MD5
1ce7d5a1566c8c449d0f6772a8c27900

SHA1
60854185f6338e1bfc7497fd41aa44c5c00d8f85

SHA256
73170761d6776c0debacfbbc61b6988cb8270a20174bf5c049768a264bb8ffaf

SHA512
7e3411be8614170ae91db1626c452997dc6db663d79130872a124af982ee1d457cefba00abd7f5269adce3052403be31238aecc3934c7379d224cb792d519753

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace

Filesize
6KB

MD5
82d098ee354a3ac6bfd9009d44027076

SHA1
800b338b2fe9061f72a594ee748bd997e1fecf4e

SHA256
9be318444ba01099fb3678d11db7aa7f2fe003d6726500baa554cb6cf68f3f41

SHA512
163ebfc9dbc7ca58208a3b65d62e727d5cc0e50ccd4922dbe79dc95d4500a309eb8f6f0c711aa754a0df2267384a14e7374ecffb51b6e3da4112f9963b47be75

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace

Filesize
6KB

MD5
517ceed5e9c4729b5292560488fb718d

SHA1
7617e7446024d0fc67636dc913828385e91c2a54

SHA256
6520a2133088392c2cca5795dfe1a5d1edfaad9f8757061910cc2ab8feded728

SHA512
dd42919240273fba63e8017f40a656767fbf17708d925e12b4e332d7cc26354df5b6985ba1dc09eb2204ceb74712a924dc8bf4f6cbf0c3410ab9c31e5fac1998

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\service.conf

Filesize
2KB

MD5
8db0563c949dc0a609b7c8774af840f8

SHA1
e07028611b5d3f92f49a9a3b5260536f768a784e

SHA256
c67e78270b17c0c3a44522c2ea4e602ff80e90b8a73f32a9e2455860f62572ab

SHA512
6651dc75c38bbe4f9e932f83ad33969234bc69be7d63affa769f86dc315a254073f1b1be61b7e23b59bb3d0ff24fdaa98a6749a3e7820e003a113f06d9c3f5c9

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\service.conf

Filesize
2KB

MD5
c6f0f96a07409c902e61c780ab91e493

SHA1
574764048c0e807694915cb8b933fd5789fdbf52

SHA256
f4c2ebda4b7671127bdb24e7daac813aff70f5d3c551acaea15573710bc75362

SHA512
47cac996b60527ea76ac84c0a00c82d42942d2b590df9b66623c1f94f0461fbd91c18ac302154656404002a106563b989801c908ab78724cc0c6ccc101ddca25

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
612B

MD5
5d1c02ed64b5f4395ca7baf7005c1785

SHA1
e0618c51e9041db4785844b151169053720ff094

SHA256
b1d6135f98f077b08af1676732e20a338310e264fb88a0fb8b1ff11192e0403e

SHA512
86674346b209ff4dbd2295ff1dad5a6b810e7fcbefce523e093209d3765562bbcfad6bd8ca75898bc73856534a046f6e6e838c3dc5e154917e8efd38d9daf492

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
733B

MD5
68f431aa90320865a4ad58f19b04bbeb

SHA1
8cc2c22a6b1b77eeacad70b1752ea986449f3140

SHA256
b666476fa0cbdac9660053cdfdf902074f9ad2ddf458276138d8c08628af36ca

SHA512
aa29017539a5833cf1d34a48c18030d4c8a67dbf50cc804a55b9020e9fe543b077653d0fab35736af413192dbbda5f3bda98e4d7c8009bb889098c1ef9b03488

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
802B

MD5
bd74fced86b8c742f72bba58b107b27a

SHA1
8c41191e201e47f136e496bd5bc22ac6c88a5e43

SHA256
026eb188031b6d047e3f834154a22484f8e34ae4489b984e1034b5dc3acdad86

SHA512
523c218dc5e93e459cb9c0a80cf5913ec480db1def927317348521696fe1886ae1e418c4399c0dce7c3f6f4478389cb705a23faf78afa996212d73d1b1b45d53

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
424B

MD5
1d02fe08ff0bb7bd231da4f37a86f92c

SHA1
03a384fe4ea0473662fb0a5ba33106f628d8c1e5

SHA256
40e36eda88c538c07d1524aaa22d6ca395d4d010582b2fd39568e52125a265a6

SHA512
9881b8affdb157eabe996eb767f28d6bfcdc8c9bcfaa088c534f02f487274ef82edf304b60fb2aad076313c35d017edc05013a80c5c55dd00a3d17a1cc089da2

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
c2a3582ee408854c206a37d342658626

SHA1
230dda038d019a49c3cefa1d26e66de6e5bbe01a

SHA256
0b44b7554afb1d49e0fc9bdee8b882320f66e21c0a0a00f939922f4c6387db41

SHA512
a42a32cceef0b4dd8cfce8ed7fd7d22bdaa5e993a2795af76764048c19790023b8e30a998913fe4ef2244de66af120097164d9b1c3dc3ca997469ff401a0dd33

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
6KB

MD5
dc57c38d30481026faf9c956cbba751f

SHA1
bdf559125e68464953fb9efa1cf96aa9f8b987aa

SHA256
19fbfb2f817b3485fa0694aa25e3c98435d55c7a7ada6aa8179ae9c870c02810

SHA512
27b73c944e443797d3ddf38c2a7ae91269440a9fa51c10797ab0c277bd947402767ec8a09eaa41e16303d7163bf619e0d1f009beff534a01c8562dc659d745cc

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
6KB

MD5
ae5b656f6c01cd988705d80ff2906eae

SHA1
8697555c842c19cb702c97b3bd36c4e605bb3d68

SHA256
f2c5fb7314139dda1b8946a30f4debe28d2493ecd340d7743aa0e2fc211fc6da

SHA512
4f3cfabbc7eda9a35c6455955256923bc37d8dec1c2bce3f2b8af2605bb0476d99aa4f6a0e4f97fbee9e5cd241b306c6d617f5d74ef18958b9764e64743384f4

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
6KB

MD5
49c2dfafc9a1e46b9752ce49046bd9aa

SHA1
0e0ea6addc764b25235b80f95468d2ad48693b8c

SHA256
a974d6931dabc91f3579a3f1d076187adcf3b485cbed2a9dcf8547d48468a70f

SHA512
1816a9f24969006663695ec0d129b0b239fc030b910a528ee92a56d827403401ef7dd4f0e7e5187baa97a9cb8ba7b236a987493ca0f58771958a438a1170ee69

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
6KB

MD5
7e302bb06932f126a1d8aed9536a88f5

SHA1
8c9ccd72ad9511b37c8f20f0aeb53e484247acd4

SHA256
3884334e679d97e50b1f9e89972790872743caf21a2d2ae4fd7a4354ea84474e

SHA512
1b14059cb7879912584192a8be09f42a4d01448fb5a157c6286eed0e5f44f2b7a7d72d0af5a24cf58a449167d045932455861b4b21651d055b783f3c7c290ea1

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
6KB

MD5
35b2d1472f8343150e5712e880a63daa

SHA1
e21927564bb976ac3d7538255558891a76e9c440

SHA256
eb83766f3da1370938e5c0c37a157344f0a51db468496c4c0c972e04c911cb91

SHA512
c9f528c93114add1d6f583b9a82c8f877cb66f6ef78e109a1951e07aacd70dacadd2edc8ef98cd200b9916e76bad83bdfff384fc0d585308da9393a7c660c30f

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
798ebb134021c5b1e7b745f49ceb7afa

SHA1
50f0e3f1aead03d13928fefd71d16a95d2bd7a6a

SHA256
172bfef01c981393aac73317ee2c8be3f81d6e8a7414b1d07bddefac838b0f47

SHA512
71040481c59468ca322a5d124302fcc8aed9bdaab027a64e1dc10328885e916f04bad56395159c722a3361bd6262ba5c2d46d7260514ac74a5b272e2c0c4bb40

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
421abf8bbf1d4123d46def52f5ac73d5

SHA1
8c8b3d2d23e00e2a2353c156ef1cf9d5595fedcb

SHA256
d257d60263267e85f69735201313ac02f5f596d40fb1673e57a97260dea284a9

SHA512
2c01afbbb6e4b4f93522d6bb11ff025d27355a9f61574ff58a1e93f8017f1136902809877e410f63d07019f16c030ba5a720c274975d2dedf5fc6692f3d146bc

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\75fdacd8330bac18.customDestinations-ms

Filesize
3KB

MD5
8ff6f199fc1853906f787144ee59d63a

SHA1
3609359a480af6bda4f84e8db0d67468aca38697

SHA256
936e7665bd764331753d7c86bb3bae5079f02f237a499ed121b689965dc295da

SHA512
0d24390de2f2379a28b8739f52331d7fdf8ede28e33d9e83fcc9bc6fc17d54ae12d0527260be0c6ba1b5f66bc9fbdc4ffd88ad65d1be9ee471d630a1e4257be0

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\75fdacd8330bac18.customDestinations-ms~RFf774b81.TMP

Filesize
3KB

MD5
8a78317a43448927f493f82f735f6275

SHA1
c929dc2f659323a6db294338094893ec788c3950

SHA256
f6d6dda031bece7f2ca130ac0caf087b19d97a97daa7b26b255a2b7c91c90ad9

SHA512
9aa0275d6552a134ff4ac8c4d55328c027dd1f62b3b7cb42e3699d7056798fba6139999d7c0da670772ec860000528f5faa3b709d361687c19d6fb7fc107af9c

Download Submit
memory/2640-19-0x0000000000D50000-0x0000000002487000-memory.dmp

Filesize
23.2MB

Download
memory/2640-312-0x0000000000D50000-0x0000000002487000-memory.dmp

Filesize
23.2MB

Download
memory/2640-275-0x0000000000D50000-0x0000000002487000-memory.dmp

Filesize
23.2MB

Download
memory/2640-127-0x0000000000D50000-0x0000000002487000-memory.dmp

Filesize
23.2MB

Download
memory/2640-31-0x0000000000D50000-0x0000000002487000-memory.dmp

Filesize
23.2MB

Download
memory/2640-264-0x0000000000D50000-0x0000000002487000-memory.dmp

Filesize
23.2MB

Download
memory/2640-27-0x0000000000120000-0x0000000000121000-memory.dmp

Filesize
4KB

Download
memory/2640-307-0x0000000000D50000-0x0000000002487000-memory.dmp

Filesize
23.2MB

Download
memory/2640-100-0x0000000000D50000-0x0000000002487000-memory.dmp

Filesize
23.2MB

Download
memory/2648-176-0x0000000000D50000-0x0000000002487000-memory.dmp

Filesize
23.2MB

Download
memory/2648-317-0x0000000000D50000-0x0000000002487000-memory.dmp

Filesize
23.2MB

Download
memory/2648-101-0x0000000000D50000-0x0000000002487000-memory.dmp

Filesize
23.2MB

Download
memory/2648-11-0x0000000000D50000-0x0000000002487000-memory.dmp

Filesize
23.2MB

Download
memory/2648-265-0x0000000000D50000-0x0000000002487000-memory.dmp

Filesize
23.2MB

Download
memory/2648-267-0x0000000000710000-0x0000000000711000-memory.dmp

Filesize
4KB

Download
memory/2648-58-0x0000000000D50000-0x0000000002487000-memory.dmp

Filesize
23.2MB

Download
memory/2744-1-0x0000000000D50000-0x0000000002487000-memory.dmp

Filesize
23.2MB

Download
memory/2744-0-0x0000000000D50000-0x0000000002487000-memory.dmp

Filesize
23.2MB

Download
memory/2744-268-0x00000000042E0000-0x00000000042E1000-memory.dmp

Filesize
4KB

Download
memory/2744-274-0x0000000000D50000-0x0000000002487000-memory.dmp

Filesize
23.2MB

Download
memory/2744-266-0x0000000000CE0000-0x0000000000CE1000-memory.dmp

Filesize
4KB

Download
memory/2744-263-0x00000000042F0000-0x00000000042F1000-memory.dmp

Filesize
4KB

Download
memory/2744-262-0x0000000000D50000-0x0000000002487000-memory.dmp

Filesize
23.2MB

Download
memory/2744-4-0x0000000000100000-0x0000000000101000-memory.dmp

Filesize
4KB

Download
memory/2744-306-0x0000000000D50000-0x0000000002487000-memory.dmp

Filesize
23.2MB

Download
memory/2744-102-0x0000000004E70000-0x0000000004E71000-memory.dmp

Filesize
4KB

Download
memory/2744-97-0x0000000000D50000-0x0000000002487000-memory.dmp

Filesize
23.2MB

Download
memory/2744-20-0x0000000000CF0000-0x0000000000CF1000-memory.dmp

Filesize
4KB

Download
memory/2744-29-0x0000000000D50000-0x0000000002487000-memory.dmp

Filesize
23.2MB

Download