55e4ce3fe726043070ecd7de5a74b2459ea8bed19ef2a36ce7884b2ab0863047

Analysis

max time kernel
146s
max time network
152s
platform
windows11-21h2_x64
resource
win11-20240221-en
resource tags

arch:x64arch:x86image:win11-20240221-enlocale:en-usos:windows11-21h2-x64system
submitted
12-03-2024 06:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

AnyDesk.exe
Size

5.0MB
MD5

a21768190f3b9feae33aaef660cb7a83
SHA1

24780657328783ef50ae0964b23288e68841a421
SHA256

55e4ce3fe726043070ecd7de5a74b2459ea8bed19ef2a36ce7884b2ab0863047
SHA512

ca6da822072cb0d3797221e578780b19c8953e4207729a002a64a00ced134059c0ed21b02572c43924e4ba3930c0e88cd2cdb309259e3d0dcfb0c282f1832d62
SSDEEP

98304:NzTZ3cINQscs0m++LNkT6OpwDGUUH57yvZ/49Mr8EO3QhA9Kq:Nzt3cINQscNmvLCwDkHEvZ/4R79x

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AnyDesk.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	AnyDesk.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4524	AnyDesk.exe
4524	AnyDesk.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
2112	AnyDesk.exe
2112	AnyDesk.exe
2112	AnyDesk.exe

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
2112	AnyDesk.exe
2112	AnyDesk.exe
2112	AnyDesk.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2468 wrote to memory of 4524	2468	AnyDesk.exe	80
PID 2468 wrote to memory of 4524	2468	AnyDesk.exe	80
PID 2468 wrote to memory of 4524	2468	AnyDesk.exe	80
PID 2468 wrote to memory of 2112	2468	AnyDesk.exe	81
PID 2468 wrote to memory of 2112	2468	AnyDesk.exe	81
PID 2468 wrote to memory of 2112	2468	AnyDesk.exe	81

C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
"C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe"
1⤵
- Checks processor information in registry
- Suspicious use of WriteProcessMemory
PID:2468
- C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
  "C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe" --local-service
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4524
- C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
  "C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe" --local-control
  2⤵
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:2112

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\gcapi.dll

Filesize
385KB

MD5
1ce7d5a1566c8c449d0f6772a8c27900

SHA1
60854185f6338e1bfc7497fd41aa44c5c00d8f85

SHA256
73170761d6776c0debacfbbc61b6988cb8270a20174bf5c049768a264bb8ffaf

SHA512
7e3411be8614170ae91db1626c452997dc6db663d79130872a124af982ee1d457cefba00abd7f5269adce3052403be31238aecc3934c7379d224cb792d519753

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace

Filesize
9KB

MD5
5c1dd7d3a59193f5ec55c885e6a89028

SHA1
331f5c903415bf79f7e2e2025274fc92f01e49e7

SHA256
3aec9c41954b388ed434de6d4e6a5f23885c2eb6acb7223a196cddfaf3ed974a

SHA512
37c16b7d13c066aa4589425cb9bab36af22eea70648c8b58ab909e34d765ffd0a6a1dc3391302250aa69a86335917b3704a2b29559cb7256dae9c72f10afa801

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\service.conf

Filesize
2KB

MD5
4ae1cea57940b6a51910b1316c335620

SHA1
13d1ecf50e0277dd1f08d844ce5aaa57ec9a74b7

SHA256
5e3cd1f3d3d2537a40637fd738832d56b7d86c592f9c6d003bc859ae70bf8f65

SHA512
5e57ab5a17256af717d237e8ce67314f758882f3b082af53325266ae495ff3f8fea7db67d45e7c3ddee45f69fc318d54b1cb94e10116dc025510bafe28a6985e

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\service.conf

Filesize
2KB

MD5
e84d7af57b097f4da7fa9230100771f4

SHA1
8ba52b6838460f798481696baa62a3b656ed0107

SHA256
263a04ec6c95c8bd70ab3150a159721f6ea6097bfb4990cd10b1877326f7bd52

SHA512
0682c9ab6b3e4ac42a1e084eeb6546ebac10b4e56b39aa788c238387e8ac36d65562308a6d9a7de5a975c5581d8b18a1be5fc0ba061c4412c487254cad8b86b5

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
681B

MD5
bdd559faf64606f0b3930e566ab51795

SHA1
bd1decd42d154bfe1c3fc8f726f25dd1a8074775

SHA256
3451b03469b1486690d215994b0da3e4f10183f75668ef1d0726c16371f8cb10

SHA512
7c99d8f1fe604c45d6383944a68c7966c3d06ac08e61b1dc4f2e56baba8de3a7a3140fc4d7be3f2215bdc52c8f37063a7344b147d0b43170d01ac9942e04eb8f

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
802B

MD5
620b16210a1dac826214453efff18fad

SHA1
6d0fa0963f923c2103621c21888d7d84da8f7dfe

SHA256
2c529b267ea00251651835c38759e5ebbb64ae3bf77a7e37da4f48008cbd82ca

SHA512
adfcbf39819c8b15f926a43011f13c035228bc8cb4c5dbf1438e368b9013dff7517ef9b8c0e8b5eabb295a5201a9dbc6b4e86065c6718c3fd8e8069478938cbb

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
312B

MD5
0c04ad1083dc5c7c45e3ee2cd344ae38

SHA1
f1cf190f8ca93000e56d49732e9e827e2554c46f

SHA256
6452273c017db7cbe0ffc5b109bbf3f8d3282fb91bfa3c5eabc4fb8f1fc98cb0

SHA512
6c414b39bbc1f1f08446c6c6da6f6e1ceb9303bbf183ae279c872d91641ea8d67ec5e5c4e0824da3837eca73ec29fe70e92b72c09458c8ce50fa6f08791d1492

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
424B

MD5
30db292dd589f2beb0d550f4fd2fb84d

SHA1
cd9fea7f3b61c660852f6f23b14e00c1043ef1a5

SHA256
17daefb22dba83ee74761d643bc4994b54c6e254a14e46a622fa5054f68fbcac

SHA512
dcd1b17d9ac4cd9389132b90dffe674fc73db173a3dad2b916bf62729b0dfe02077dbce29b8ac18d2a88d9bdf8a54236e3bfa30f002450fb06b3835225598eed

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
424B

MD5
3ce55a3281c9c128e791ac8beea12241

SHA1
68d2e802d9e892d4232e49fc46c68ff6446037a9

SHA256
3b9b6b0554d78db0fe556f91d7a6fed32496151c551d914a83d65eac620c57a1

SHA512
e1836be3164b5f2f4a716f4886d35eccbaabf5a97b33fd25bd9915346d12ccd80ab189c5c43fb4d6f4276708f344195466414fdc0df801c247fb07d7474ab37b

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
2KB

MD5
0ab47c64f64f6e30e184196b8794dfb4

SHA1
6c4e743e0f069dcb9b0d02684498b98a2e241711

SHA256
d4471240b5f8a27ce021b643b2dc4056a98d2dbfeea0de9f493a8b8ae51e680d

SHA512
29d8c2c5bca57fa914fc174da7b94b025baefa9d5661a977208a697d237220e8630d2faf361bfd14b42a2f3856f04e2953276c35b0bc381e36525d82a078f8ab

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
3KB

MD5
4592a936511fb160937845d167847e20

SHA1
c73df9c8a70212505dd50ebfbb521bd9ebc7eaa0

SHA256
3877c1357edf40f571a6b5e9fae0d09652983a0b9f2ef4293fddef9a7d3b1c01

SHA512
69b2738faccd47a40bbac03798f0617cea6c8315c1697c3a99cbc06e6645360791fc502bf6fcd4ad59a5c12a24e6f37d506452ccc3fbe45684d6fbd69380f1a1

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
3KB

MD5
4d8aa22d8657d743e31e57996ef0a765

SHA1
0d072c8ac88581c7fddbdead4a26fba6e5eab187

SHA256
bf28eae32c97088fc0ade1bfaa24b2e07670ca1ec8c0c6d2e4771d88c220ab2c

SHA512
a7de7224d1de3b6a466bcba5ff692e2cd29fe81194dccff5df7c270de4222aff320f9d0f02a681e5b1defe636ddf69ac01ebfb7035a9b0eff67c10545e34e7bb

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
75e6d3b6b39a4dba5a77b9970f7fc92d

SHA1
a3bc4bdd901551e8dbe4ab542464386a6b9d94a8

SHA256
aa23ff0abb792860df3069a849cbddfc378fe06c31ff61a2051927edeadad92a

SHA512
71b0c2ae61feaa7c5ec234db20f8729d3b66d46fa179647d8bec63077e62ca06bbe61504d3677a32da7272210346df3742d012394c2ffbefd3e4ebdf5c826a7a

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
3KB

MD5
c219e698f789d1319ce53e5015eaae2d

SHA1
3516aef7cb131e572567c062f07355b912ad873c

SHA256
0d10d30553c18c1493b97652032c65657397b3502642db3a3e7a1f2d9a79398e

SHA512
ddad4bf23c7e2b738cc85c99f2cd4e073237f6a21d488101bc96737ea478ce0e21d9f3e7cf025057c0a9653bcea54fd05ba7049f972467da027ede69cb390241

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
984ee42da91d2130d7dd460504e0c557

SHA1
d76800da8f52f56493f33b0a51837e591717161b

SHA256
8bf943a6b9ba3c128c41867b51ca1eb09f1f7a0ede2d6f15e00a37d7a281e5a8

SHA512
74e614d930661f3317a64513c1aa5ad16f71650ae134df41d2dfc0b66b981e0e637c4a5a1e072ed31c67c183957c42c9b61c2849fed1d33ca8bf041c41e81e1d

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
3KB

MD5
09e4306f7f4354615ed417bc86df9df4

SHA1
03de31f986865033b50e6a4911de1b90bd2261bc

SHA256
09ad108eec7347a03ff52fd28cd604dd0d4c4ed9d556a8cb13efeaaff71bfb53

SHA512
7f8581bf9f484215eab8d74de73e41def62780a679ea9feeeed721c606019e6da58847cc2db6f966c5df60da95fa04e78b5b21eccf089fd51b038f32c5dd4270

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
6KB

MD5
4bb8b9322b2648c2a7615dd93d3773f7

SHA1
baea01876c0625c9e56372178ad995b1a3a9956c

SHA256
f5ac11927215d25811fdad88a53cc07d236d7bf133a71f61033f623394e53e3b

SHA512
717b59643456dc7fabde4b29e280552d2ebed1fbcc518c2b9cdf877f2e3ee3841303fad0d20ef6f3e1aa0b8a9d48442376dd60ff46a6ad763f8d6bdfbbe46c06

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
6KB

MD5
aeafbcdfb7656e353f8f369c6bbbbfba

SHA1
9cb0a5139c5ba477dcf01db6bf448b2e6e4dd91f

SHA256
28b2dd7d60e8bb010350409a3690ed30f67c4768fda80ecc739b331aea6156ca

SHA512
cb02a848dd35c47bfade401766a905ad966a4f6e6b5dd7eec9e712dbe6752ebf780e824bb538cf6bb0bf8d6458893a0202d2204d52d61376e8cdceb661967220

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
6KB

MD5
e000aff452a6eb7c0e54ce6cfc720068

SHA1
3b8acd06e0ce11f67b3d99780f26f52e594ab541

SHA256
f915abec4761ee020754e70e7cd6d675939933ed1d7831ee648eec45aa7f0fae

SHA512
8f44e003aa888234d6c2fb5e3b194707ce2bf7099d31ba0998eb9285dc2c50d86944db60b6c21dc6899e8071c799a9229d40cdf505f8e4b78a992738a57efa37

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
f93844d5d58bdc8503d4bbebd2611fff

SHA1
453435ea90cd1669cd68d75ddbfee362f4cd4202

SHA256
2a355d55c9443667dfbd56bbfce5282c79ee4c403b83f20b78a411153e8c751f

SHA512
c9fbacc70b33493cf8c09cbf039beb3ec65dc56bb30ad17915baf882272376db7b9383ff4baf7c1353075e5a72b4d511a7a255a8b73e3c01cbdd3d1d9d8ba9f7

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
81d975fbd7dfa24d33301847cc0f4587

SHA1
63a73017a1031816990665553220aa014a30844d

SHA256
5f2d9dc949f34c6b200a565ca6713afac6b570b83409ff97c284d1acc8eda638

SHA512
8f1a434cef7ec7104e580dbc13f5563ac9af6d7a375ed918446d37e6ffc067094a86536f00117a5f1ff556b49498be7b6cd456e5e2dc9a583eef0f098021a9a5

Download Submit
memory/2112-34-0x0000000002190000-0x0000000002191000-memory.dmp

Filesize
4KB

Download
memory/2112-31-0x00000000001A0000-0x00000000018D7000-memory.dmp

Filesize
23.2MB

Download
memory/2112-202-0x00000000001A0000-0x00000000018D7000-memory.dmp

Filesize
23.2MB

Download
memory/2112-12-0x00000000001A0000-0x00000000018D7000-memory.dmp

Filesize
23.2MB

Download
memory/2112-315-0x00000000001A0000-0x00000000018D7000-memory.dmp

Filesize
23.2MB

Download
memory/2468-84-0x00000000078E0000-0x00000000078E1000-memory.dmp

Filesize
4KB

Download
memory/2468-261-0x00000000071B0000-0x00000000071B1000-memory.dmp

Filesize
4KB

Download
memory/2468-200-0x00000000001A0000-0x00000000018D7000-memory.dmp

Filesize
23.2MB

Download
memory/2468-1-0x00000000001A0000-0x00000000018D7000-memory.dmp

Filesize
23.2MB

Download
memory/2468-0-0x00000000001A0000-0x00000000018D7000-memory.dmp

Filesize
23.2MB

Download
memory/2468-313-0x00000000001A0000-0x00000000018D7000-memory.dmp

Filesize
23.2MB

Download
memory/2468-22-0x0000000005AD0000-0x0000000005AD1000-memory.dmp

Filesize
4KB

Download
memory/2468-87-0x00000000071A0000-0x00000000071A1000-memory.dmp

Filesize
4KB

Download
memory/2468-23-0x0000000005AE0000-0x0000000005AE1000-memory.dmp

Filesize
4KB

Download
memory/2468-3-0x0000000003B80000-0x0000000003B81000-memory.dmp

Filesize
4KB

Download
memory/4524-11-0x00000000001A0000-0x00000000018D7000-memory.dmp

Filesize
23.2MB

Download
memory/4524-20-0x00000000001A0000-0x00000000018D7000-memory.dmp

Filesize
23.2MB

Download
memory/4524-33-0x00000000021A0000-0x00000000021A1000-memory.dmp

Filesize
4KB

Download
memory/4524-314-0x00000000001A0000-0x00000000018D7000-memory.dmp

Filesize
23.2MB

Download
memory/4524-201-0x00000000001A0000-0x00000000018D7000-memory.dmp

Filesize
23.2MB

Download