55e4ce3fe726043070ecd7de5a74b2459ea8bed19ef2a36ce7884b2ab0863047

Analysis

max time kernel
142s
max time network
143s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
10-03-2024 19:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

AnyDesk.exe
Size

5.0MB
MD5

a21768190f3b9feae33aaef660cb7a83
SHA1

24780657328783ef50ae0964b23288e68841a421
SHA256

55e4ce3fe726043070ecd7de5a74b2459ea8bed19ef2a36ce7884b2ab0863047
SHA512

ca6da822072cb0d3797221e578780b19c8953e4207729a002a64a00ced134059c0ed21b02572c43924e4ba3930c0e88cd2cdb309259e3d0dcfb0c282f1832d62
SSDEEP

98304:NzTZ3cINQscs0m++LNkT6OpwDGUUH57yvZ/49Mr8EO3QhA9Kq:Nzt3cINQscNmvLCwDkHEvZ/4R79x

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AnyDesk.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	AnyDesk.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4536	AnyDesk.exe
4536	AnyDesk.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
4160	AnyDesk.exe
4160	AnyDesk.exe
4160	AnyDesk.exe

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
4160	AnyDesk.exe
4160	AnyDesk.exe
4160	AnyDesk.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2824 wrote to memory of 4536	2824	AnyDesk.exe	91
PID 2824 wrote to memory of 4536	2824	AnyDesk.exe	91
PID 2824 wrote to memory of 4536	2824	AnyDesk.exe	91
PID 2824 wrote to memory of 4160	2824	AnyDesk.exe	92
PID 2824 wrote to memory of 4160	2824	AnyDesk.exe	92
PID 2824 wrote to memory of 4160	2824	AnyDesk.exe	92

C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
"C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe"
1⤵
- Checks processor information in registry
- Suspicious use of WriteProcessMemory
PID:2824
- C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
  "C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe" --local-service
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4536
- C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
  "C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe" --local-control
  2⤵
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:4160

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\gcapi.dll

Filesize
385KB

MD5
1ce7d5a1566c8c449d0f6772a8c27900

SHA1
60854185f6338e1bfc7497fd41aa44c5c00d8f85

SHA256
73170761d6776c0debacfbbc61b6988cb8270a20174bf5c049768a264bb8ffaf

SHA512
7e3411be8614170ae91db1626c452997dc6db663d79130872a124af982ee1d457cefba00abd7f5269adce3052403be31238aecc3934c7379d224cb792d519753

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace

Filesize
8KB

MD5
e66ef2991655a6408df33edebc4ae833

SHA1
f59340f53cd9b2804d69a6f5a8933e9d7540714b

SHA256
7d76bc56d54718b313ac5272df083654cc10c030874c78e1d8f2558b1b7a5fef

SHA512
75f6555efd0878e60cc8961bd0e5c24dc600eb5eaa033202b29a85782b20514eb72bb2e2d74462eba80a749ae8ce25ec1aa91638012bce21ce4b3972eb39270a

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace

Filesize
9KB

MD5
7e0f04f5c9f69e9032f731014d9c3bcf

SHA1
6abfbc0e0dc148fb3852486c18d5dcae3c711b19

SHA256
644120876594b0ae6ffe7e4409bac494b56fe9875902ed1dc99b38b60481df63

SHA512
14102e7878c9e5d024e3f46787e82fab646afc9fead56fbad57e828a866b97080503510238b035d77cbb561893901040d34a93ff58c2a1adaa7bd272ce2112a5

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\service.conf

Filesize
2KB

MD5
3d07999fe6eb87bedc8b205b9a9ee6c7

SHA1
64170450eacc78a1f47eadd28deaebb9f49b8fbe

SHA256
a9f66e011b84d54923d99119575cc97f9df3bc6f0f6946c004a11139d6d5e989

SHA512
c5141b36f648b98794e01bfe468595aea80987a0dcb19ffa468d5c92be444a4183590a55ba008845a89cb36c6b3a602ba2bb1d27465b7027b7e81345e344f0c0

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\service.conf

Filesize
2KB

MD5
bd25b12a6ec855b46ddf9d1bcac8d1c0

SHA1
d1ddffc6ee71b919f671f534ecd2e80ac4cfc13a

SHA256
a96425c04ccc05d362ff15899c8ef1b0a70abe87bf8dc1ec20cd5fb865b55fe9

SHA512
743cb46dd46f8fe0b348fd6c9b1ba06a35bfa370c4faf3945f9c6b61a51ce5956a3fc6251b2639ff7dc290448dbfa7e6db993111f3e659e5225a61dfd05cd62f

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
681B

MD5
9ff937c29183389de0dbf665d9e8e778

SHA1
7fd14c5f04fd08537703e9cda2091b0c68943b4b

SHA256
e2d9fa8430ad391bbc3e83214486dde223f189564b5828cdfe5c8871f15d5081

SHA512
200b74471a2caf7e77dd95768fd6610d5260f37c6bf3c67931bfceabd3dd1cc003a6060d50c899c339ee41d5dd6d074567007daccede4bb9946c7b8294623b2c

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
745B

MD5
c9337c9207061eb483e68232b18ece70

SHA1
b79b291fd76f2a323b5bfb24032f4a16f6de1245

SHA256
72affc5e3a5b62e3b54d37f1621801ec0b01c5ba07bcaa7ffba50bbaa356cddf

SHA512
03d8535a5fdc61dcb74772e94cd278057c4ccc8df8364d1caea925e8f9df3487556435195e0fdecd73ae9f87f7c3ae1e33d74defd1fbd303f5e106fcd942862e

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
802B

MD5
e66d85cb2a32b6a7b8aacc5a2aa56917

SHA1
fc2385304850332cfc5f7e4217355c11c5ad655f

SHA256
fd95fef02b65e8b91937279d00536464a0aece5980c39ea838dcece2e0d55622

SHA512
d24de248d86923e25e6ff6c499aa688924055e22e9fb62db7b797e2314eac7fdf2c1db3dbee65dd333340720213b6bd0e8d32fd13c28a7985bd420fef2a25c70

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
312B

MD5
0c04ad1083dc5c7c45e3ee2cd344ae38

SHA1
f1cf190f8ca93000e56d49732e9e827e2554c46f

SHA256
6452273c017db7cbe0ffc5b109bbf3f8d3282fb91bfa3c5eabc4fb8f1fc98cb0

SHA512
6c414b39bbc1f1f08446c6c6da6f6e1ceb9303bbf183ae279c872d91641ea8d67ec5e5c4e0824da3837eca73ec29fe70e92b72c09458c8ce50fa6f08791d1492

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
424B

MD5
97c0ff4e400cb9cf3ddaaca0c8e75853

SHA1
de5417ea249042f2ca14487ec25496078ee3a8bb

SHA256
b595724dffb244809db4260493635c3eb7dd68908259b175607be32f26e42d3e

SHA512
f31678f22c04e83b7ad32f60f185e16d3917d2ea0ee2e38fc6188908bc85472e3114578a4c039566f689d142c3bdac33dd2a2a99df6753f2cc022acf07583ed0

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
424B

MD5
a2c684ab2d29a56f4479da315cbd7e7a

SHA1
329eaee8cf729160383d4d612c9bdb472683bd91

SHA256
26713289aaa1a1c77fc5a5f1f1a1d766e77a1e51f64e595f5da3ed9455f3a083

SHA512
b90882183d81677ee427373d4aed959db9d437bfa31f6e095aa222173b66964f047fd9eed45eb8a161dd99e9b74665bdde5bdef7b6963ff85a50b71c178edf8b

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
2KB

MD5
972dec77a3434eb3de179f91c5b73782

SHA1
20195f8a5bf8de819d9130c47efe619d17c2f824

SHA256
9c069014c2b3929022e44b09275ae41d7a29e917bcef342afe3b94e86a98cd42

SHA512
7d29858332aade37c6ff7e08f225e82cd561ef5a772fb940b4a51b46d0cf207187babccfcc5cf3e4aa56c6d491f18e0adacf9d82f3ba30ef5e49eb0ddaaef4c6

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
2KB

MD5
3204e4bf84976871d86d7efc16e25a9e

SHA1
7ca1f2c7741241a9f862d2914af37164001aaa46

SHA256
45324d3faf3abddb12cc672633af82f36bd758a6c275512e55b724e27b82e35b

SHA512
0747e99f2430773a33846ed95090e2e3233d15808f9811fac5ba90fbb4e1b5811d1ec891409b9f220fe1e08e3cd915f3b51e81d3f3fc53a657b07c367f11fe25

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
2KB

MD5
1b3718c5f4f9ef53f1aae1ddacccb798

SHA1
146140c535b313ec6301584d75b9c39c5c371811

SHA256
61d1860b3f53d380ef434dfc49ac4ceb7cf5abad24a5c05c9908cc7a763e1a1a

SHA512
da0c9b49710d48329f7fae8f160ee645d0b18fd87e3490c3573d23fc1ca28ec1f8fa1274dfd90c540aba72edaa6fc831a2e5afe47a44e46264ea83e387edb5cd

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
6KB

MD5
cb1f9cca9beba2a088f6c046a48fee33

SHA1
e5b289112baa2a46cd407da99a4bab03d9f8b0ee

SHA256
6968d036d718e46f5289a37ce4a075f13f535df77eda46b472704e8ca247d736

SHA512
9e31d83f22626b8d693d686329e9a0f82601d2be6a693801fb7cdcb64253c61d3136c43615537c04a0359dac190009669eb046733fabc666819ded8fc0e228b5

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
636e6047fb3347a82b2fa497dd423371

SHA1
a5d3f3a8aa89470076ac622031096d28a89b6bd1

SHA256
40b92b80a04c334b9aaa57ba75a54f0593d18435d06b97a423f15508fddfa11f

SHA512
c5cca6c06d6edd2580b337acf76c9c8acbb1e171af9254eaaf7482235f81c6ba5708250fdba97350a268ef460b1ed6ac7958916f4fc14008c3a41183cb02a91d

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
6KB

MD5
426ff6b40ad1d09c3da22ecddf73910e

SHA1
af94ddc09a3ab82a831b456e8fd0932af673d34c

SHA256
d4944cbec968fa9d595c89c9d2623912644e6bfdff120b3a3071747a86a465a6

SHA512
83f5b7920bc7781815e1a8a576493d758ea4415c7b7f69d1849897b5a2702194623d5be1886f736f8d68d024e610aaeb2c9d2f25e79bf6635604f6d3ee4db41f

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
9f046b01957a18fc6ce8e09dbf4182d9

SHA1
d67ae5b66cf92d44b4c92ab18726c2e7669a8717

SHA256
ef8f72b5c0c596096840adb8c5c5380bfafe0f03d2e99646c5df082c43f3c3e9

SHA512
5ea91ba5663116c23a1ac82856eb5ddd55e9b28568fb251a6ca608fe72981a057070e7285c292992a964060d40b1c15af87fe3f18d114ba54a991f535f3bbe1e

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
63c1648a83797b36710be5ea12348042

SHA1
c00a15fc26d592ef639ac5b3f7b2e7fd5859bdb9

SHA256
7387bd6332f5299065d8fa3a60879103a5241e58f7109ec64b070a1d1538378b

SHA512
ec34cb82baec13c012e15e7a7b503a55fbbbd06a8012f030dc5a5957d86c091799fbe25157aab05990c1108bafa93afeffafa470d910b6c004eadd04d33b47d4

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
e55197a3db096586d3a3199b97ffe0b1

SHA1
c89c4b07be8b42b5f6819799302a951f858bc15b

SHA256
b43e32604ba58e56f46ad0a1ef7ac06362c21a74f8d9820e4877359200d3fc82

SHA512
4ae3d73ef7aa85f8fdb214461d90c06a8a83152b915147ec38751ef73973595a0c170c3af354b3f2120076d67b149bb0f14bb38f26df24a61d37a63bdeccbb5d

Download Submit
memory/2824-32-0x0000000005E70000-0x0000000005E71000-memory.dmp

Filesize
4KB

Download
memory/2824-220-0x0000000007610000-0x0000000007611000-memory.dmp

Filesize
4KB

Download
memory/2824-83-0x0000000008590000-0x0000000008591000-memory.dmp

Filesize
4KB

Download
memory/2824-0-0x0000000000640000-0x0000000001D77000-memory.dmp

Filesize
23.2MB

Download
memory/2824-231-0x0000000000640000-0x0000000001D77000-memory.dmp

Filesize
23.2MB

Download
memory/2824-1-0x0000000000640000-0x0000000001D77000-memory.dmp

Filesize
23.2MB

Download
memory/2824-88-0x0000000007600000-0x0000000007601000-memory.dmp

Filesize
4KB

Download
memory/2824-4-0x0000000002630000-0x0000000002631000-memory.dmp

Filesize
4KB

Download
memory/2824-27-0x0000000005E80000-0x0000000005E81000-memory.dmp

Filesize
4KB

Download
memory/4160-12-0x0000000000640000-0x0000000001D77000-memory.dmp

Filesize
23.2MB

Download
memory/4160-31-0x00000000022D0000-0x00000000022D1000-memory.dmp

Filesize
4KB

Download
memory/4160-233-0x0000000000640000-0x0000000001D77000-memory.dmp

Filesize
23.2MB

Download
memory/4536-14-0x0000000000640000-0x0000000001D77000-memory.dmp

Filesize
23.2MB

Download
memory/4536-30-0x0000000003E70000-0x0000000003E71000-memory.dmp

Filesize
4KB

Download
memory/4536-232-0x0000000000640000-0x0000000001D77000-memory.dmp

Filesize
23.2MB

Download