55e4ce3fe726043070ecd7de5a74b2459ea8bed19ef2a36ce7884b2ab0863047

Analysis

max time kernel
1795s
max time network
1801s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
10-03-2024 17:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

AnyDesk.exe
Size

5.0MB
MD5

a21768190f3b9feae33aaef660cb7a83
SHA1

24780657328783ef50ae0964b23288e68841a421
SHA256

55e4ce3fe726043070ecd7de5a74b2459ea8bed19ef2a36ce7884b2ab0863047
SHA512

ca6da822072cb0d3797221e578780b19c8953e4207729a002a64a00ced134059c0ed21b02572c43924e4ba3930c0e88cd2cdb309259e3d0dcfb0c282f1832d62
SSDEEP

98304:NzTZ3cINQscs0m++LNkT6OpwDGUUH57yvZ/49Mr8EO3QhA9Kq:Nzt3cINQscNmvLCwDkHEvZ/4R79x

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	AnyDesk.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AnyDesk.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4508	AnyDesk.exe
4508	AnyDesk.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
4756	AnyDesk.exe
4756	AnyDesk.exe
4756	AnyDesk.exe

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
4756	AnyDesk.exe
4756	AnyDesk.exe
4756	AnyDesk.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1628 wrote to memory of 4508	1628	AnyDesk.exe	90
PID 1628 wrote to memory of 4508	1628	AnyDesk.exe	90
PID 1628 wrote to memory of 4508	1628	AnyDesk.exe	90
PID 1628 wrote to memory of 4756	1628	AnyDesk.exe	91
PID 1628 wrote to memory of 4756	1628	AnyDesk.exe	91
PID 1628 wrote to memory of 4756	1628	AnyDesk.exe	91

C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
"C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe"
1⤵
- Checks processor information in registry
- Suspicious use of WriteProcessMemory
PID:1628
- C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
  "C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe" --local-service
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4508
- C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
  "C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe" --local-control
  2⤵
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:4756

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\gcapi.dll

Filesize
385KB

MD5
1ce7d5a1566c8c449d0f6772a8c27900

SHA1
60854185f6338e1bfc7497fd41aa44c5c00d8f85

SHA256
73170761d6776c0debacfbbc61b6988cb8270a20174bf5c049768a264bb8ffaf

SHA512
7e3411be8614170ae91db1626c452997dc6db663d79130872a124af982ee1d457cefba00abd7f5269adce3052403be31238aecc3934c7379d224cb792d519753

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace

Filesize
5KB

MD5
34f6939fb8baa129ab38e30a591e073d

SHA1
4ef14c1d32f83ade6037935d5d5e7f518d6da5a2

SHA256
b4aff31d4e19650271c3d6b538a82444dea33f529eed4191c45405757c651262

SHA512
39f2610d4e31a072e471365cd56add684cd886ca2ed6fbc811b004785946b5729d7e48af6f1f9db77c30aba3e231f6672266249d7bd029be12495ae8aa47a98a

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace

Filesize
9KB

MD5
98cb43ae2ab981f5113144066f2969ae

SHA1
42a73dd7f8c291a0e73c626ea1e1188d55bd95da

SHA256
3ca58ca86c8f32f7b862ba40b96c8119532cfadf0e69804c9ef3a5e4d695c621

SHA512
bc471a1fc09535492867ab9cdea12cc33d2567f6ba5c2cc297fb48112b389f3fb7edfd4c092e338284097c9aa4912c71eeb05118cff8d269be5157c39453dc14

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\service.conf

Filesize
2KB

MD5
2b9947ef40b54ebb95a6bf3c11b1667b

SHA1
c0739d83e8cf5d79736f230c9dff6c46d58540b4

SHA256
58b05ffcb69c55ee14bdc4a0db7f1b219102c3e9f1a468619d9ac37d6155e85d

SHA512
391690d6441dc0b918a8efc35bcc6b5a028fd338f3e2ea63a9b6c565de4f9ad82978feb7e9d4c78f1d8eadbb60135cdfdb42f43ae073b20c2347cc30827c4692

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\service.conf

Filesize
2KB

MD5
bc4d034b3c4f656ab5a14e956b3bc9d3

SHA1
af6d4c39960101964fbf3eb014e993229cfd33c6

SHA256
5d3bea19b6ef4c378798618921d2001791645c7f86ae3f50d200ef78cfa454e2

SHA512
1794b08a2b590948aa359eaaf9a3bd591b84c0f0cd938132298b1789e8a621506357db7b9ec3337cfd97cfaaedbd616a3962a7867e42482bc61ef6e5888420ca

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
681B

MD5
b7dcb206506929a192fef69e0ba4559b

SHA1
3bcd4875c06193ed25fc4729756f283ce9af4864

SHA256
0135c40ffcfc8755e602c8cd1ccbf7cde8988be8974076f8f3d8de0675bda81f

SHA512
55f7dc1d03053db8cda32ec66e70cf53689c519560d50b88dce0965280be4833d2a6ea595757ad7f16fe48895124d05392f4a22caa99f9501e1ce20dc9848885

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
745B

MD5
efaee8d300c4d8b7180f5cd991da27ad

SHA1
008d602f79d62035cc3705d0964b20479acbd03f

SHA256
6c9163f295955dd088b87759b91359a5c271b60e44094685595fd21061b4abc8

SHA512
4acc88bc76f28452151b43302cd05922446cf99429296a4df4dcb90db2502f2659f3a77f11681eed514711dd1d8fca92b0dbe6b0f1f3483bfd9c5c1b1b83683b

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
802B

MD5
dbf35607bda86dec6f72389380c29b27

SHA1
5be29cf7258119ddf4299e5bb515c23df48af275

SHA256
2cdcd6d79b191e4d554daecad0b4d6ce6a4b364decb1e2195c1966580bcb03c1

SHA512
5eee6b0ddeb747fe0b8dda66922ec53f9a10d74630aa11513b36f47710ac1a74570ace9e4a7f67f76cb32a73e1bea6f17bda67dd2d1da73d2c29481674a6605f

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
312B

MD5
0c04ad1083dc5c7c45e3ee2cd344ae38

SHA1
f1cf190f8ca93000e56d49732e9e827e2554c46f

SHA256
6452273c017db7cbe0ffc5b109bbf3f8d3282fb91bfa3c5eabc4fb8f1fc98cb0

SHA512
6c414b39bbc1f1f08446c6c6da6f6e1ceb9303bbf183ae279c872d91641ea8d67ec5e5c4e0824da3837eca73ec29fe70e92b72c09458c8ce50fa6f08791d1492

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
424B

MD5
e24b021ed08d795072ca0823656065fd

SHA1
ba18aa9800d3c802ba540b0423ca6c92fec22def

SHA256
99fc75bcfebf3e78d265549887b31246e2ab92b73fc23f511d1753604979f1b0

SHA512
f5c46f62c177ea76269fe73a68d9a0fa1fab653012eb42b3d40868fe19cebc783124427d09f1ac3d20113966bec65d5abe4bf7888c86a77dbabb67ea6887e5d5

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
2KB

MD5
6c8267dd48583ae1395bafc880b9339d

SHA1
eaf9821928af40a54e5be01a1cb14d3f01d9677d

SHA256
91a9ee5895deaec45495a1019fa6bf3a0c2619afa653863e49e8a44502142653

SHA512
d9ee7387e182ed14cda5a827ad9e385c1e758dbc0aea8386227942d754a3c5e5286baa0d9ded66dc59aa07a0268a8bc01f2fca4e5d766be45ea8788ed3629500

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
3KB

MD5
b86a4229c4b46df9dd4fb4feb9cf1f03

SHA1
7ab2cae83a0984d5b065e5e90e497da58b8a8ca3

SHA256
bec15db1da9e943b93336b713f489ca34ed9668b9d5b1c5760f34610906914fc

SHA512
638acd1e699eb839df70a837de9e02f7196020677328b24a64379111874b30bc132c1ac8634c217d9ba011a052dbd5e57b5881cb53bdd72f23cf2b2f68562f3e

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
c7d3582baceb9fe0058ba8223e4a1a94

SHA1
89c921341388aba74c68b052f15ad37c292c6309

SHA256
9a7386ea83d5854ab5887a2ee60c43298a41accfb96aed27c70820f1f8733280

SHA512
cbebd2745decc08d9a5b6962c4111373f2bb09f8ea0aaae5b8db242821edf3e929c92fa400d332f400471d7d427073f2843d0b4df4727ec3102a5d23924e3b30

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
6KB

MD5
d805aa196aea774ecd3e0a8cc2363e49

SHA1
3594b7da34392033ead8561b3838c3c517783cea

SHA256
737c936f07f04dd3c3b6050093c68b04f99a83eb026bc480549fcf2581b98dfd

SHA512
af0dcc6f5d367ed8e93a10a4dcbf12adee0438391b298d19d5e3f73f4b192f2507edd9db3af1546e59b0424c779da16536564e65ee57f3e8cb43a4b6e35b27e5

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
6KB

MD5
4345011e46d1dd9120e0d62d2ec8e3dc

SHA1
a704937adcaa2ac0cff740372b7ca0032fffcf66

SHA256
d422d0630f3bad55bfc624bb66b2e7d1bf674198dcd99e60e79c627c7d2fc571

SHA512
63b83d47dd186c0876caca16111104debd1c7df852c99c8a33b8c6d7866ab6dbd889f8be12efb20502c07eaa0f6a944cf30e959ce87fb5153eb34a8c92fe9d3a

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
85e82b829f646e3571762e7a511d94e0

SHA1
37586dd42b781b6017d5591f8a1605cdb8b0ce6c

SHA256
4669ec228bfb38da39426101e4782acf24fba507dbfbda0758c7b57a7f0ce184

SHA512
5d2f2aafa21004f52feb5009da4fbaf6546af903df9260a4c850b35660dfaef2faafaeed230c33baf7a0ed36b630a4f86f2a56118be84673c46262b180ef5397

Download Submit
memory/1628-81-0x0000000005AE0000-0x0000000005AE1000-memory.dmp

Filesize
4KB

Download
memory/1628-18-0x00000000059F0000-0x00000000059F1000-memory.dmp

Filesize
4KB

Download
memory/1628-232-0x00000000005C0000-0x0000000001CF7000-memory.dmp

Filesize
23.2MB

Download
memory/1628-3-0x0000000001DE0000-0x0000000001DE1000-memory.dmp

Filesize
4KB

Download
memory/1628-17-0x00000000059E0000-0x00000000059E1000-memory.dmp

Filesize
4KB

Download
memory/1628-0-0x00000000005C0000-0x0000000001CF7000-memory.dmp

Filesize
23.2MB

Download
memory/1628-88-0x0000000007170000-0x0000000007171000-memory.dmp

Filesize
4KB

Download
memory/1628-221-0x00000000005C0000-0x0000000001CF7000-memory.dmp

Filesize
23.2MB

Download
memory/1628-1-0x00000000005C0000-0x0000000001CF7000-memory.dmp

Filesize
23.2MB

Download
memory/1628-231-0x0000000007180000-0x0000000007181000-memory.dmp

Filesize
4KB

Download
memory/4508-233-0x00000000005C0000-0x0000000001CF7000-memory.dmp

Filesize
23.2MB

Download
memory/4508-28-0x0000000002700000-0x0000000002701000-memory.dmp

Filesize
4KB

Download
memory/4508-21-0x00000000005C0000-0x0000000001CF7000-memory.dmp

Filesize
23.2MB

Download
memory/4756-30-0x0000000003D60000-0x0000000003D61000-memory.dmp

Filesize
4KB

Download
memory/4756-20-0x00000000005C0000-0x0000000001CF7000-memory.dmp

Filesize
23.2MB

Download
memory/4756-234-0x00000000005C0000-0x0000000001CF7000-memory.dmp

Filesize
23.2MB

Download