55e4ce3fe726043070ecd7de5a74b2459ea8bed19ef2a36ce7884b2ab0863047

Analysis

max time kernel
1797s
max time network
1797s
platform
windows10-1703_x64
resource
win10-20240221-en
resource tags

arch:x64arch:x86image:win10-20240221-enlocale:en-usos:windows10-1703-x64system
submitted
12-03-2024 06:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

AnyDesk.exe
Size

5.0MB
MD5

a21768190f3b9feae33aaef660cb7a83
SHA1

24780657328783ef50ae0964b23288e68841a421
SHA256

55e4ce3fe726043070ecd7de5a74b2459ea8bed19ef2a36ce7884b2ab0863047
SHA512

ca6da822072cb0d3797221e578780b19c8953e4207729a002a64a00ced134059c0ed21b02572c43924e4ba3930c0e88cd2cdb309259e3d0dcfb0c282f1832d62
SSDEEP

98304:NzTZ3cINQscs0m++LNkT6OpwDGUUH57yvZ/49Mr8EO3QhA9Kq:Nzt3cINQscNmvLCwDkHEvZ/4R79x

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AnyDesk.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	AnyDesk.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1048	AnyDesk.exe
1048	AnyDesk.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
4904	AnyDesk.exe
4904	AnyDesk.exe
4904	AnyDesk.exe

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
4904	AnyDesk.exe
4904	AnyDesk.exe
4904	AnyDesk.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1156 wrote to memory of 1048	1156	AnyDesk.exe	74
PID 1156 wrote to memory of 1048	1156	AnyDesk.exe	74
PID 1156 wrote to memory of 1048	1156	AnyDesk.exe	74
PID 1156 wrote to memory of 4904	1156	AnyDesk.exe	75
PID 1156 wrote to memory of 4904	1156	AnyDesk.exe	75
PID 1156 wrote to memory of 4904	1156	AnyDesk.exe	75

C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
"C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe"
1⤵
- Checks processor information in registry
- Suspicious use of WriteProcessMemory
PID:1156
- C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
  "C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe" --local-service
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1048
- C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
  "C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe" --local-control
  2⤵
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:4904

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\gcapi.dll

Filesize
385KB

MD5
1ce7d5a1566c8c449d0f6772a8c27900

SHA1
60854185f6338e1bfc7497fd41aa44c5c00d8f85

SHA256
73170761d6776c0debacfbbc61b6988cb8270a20174bf5c049768a264bb8ffaf

SHA512
7e3411be8614170ae91db1626c452997dc6db663d79130872a124af982ee1d457cefba00abd7f5269adce3052403be31238aecc3934c7379d224cb792d519753

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace

Filesize
5KB

MD5
a47d8f113c566e38370da2a92be4e8e0

SHA1
fe56ac69e72b3b7ed5d0dd74debcdce3d4aad511

SHA256
1f797bdec557c581ca05ca0c489c41627694d8a00f4e48405313982a356509df

SHA512
25f6f2a8b3eacf207515a5140afdac5191ce26d4f48e124e6f313971f38a3b0706c4216ebb4454aaf52e509db3d4d0d4e21d62842bdf2407c9d0ef7767adf8cd

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace

Filesize
9KB

MD5
1e165cda9040cd52dd7f20e1f2215756

SHA1
8e5d18bc4ddf3355924fc0ff70122c53cbffce5e

SHA256
96e393fc2e2cdac19cafdfc586772856ec1f35f17ac76c641c6be83f831d3444

SHA512
3ef4e233bc36f14236d9a32f1c8ba6d876fb593962c0e5c9c4254ec1bce2817bd68c60f001b49bd7bc6b1d9c44574d19128f1e51f6150babc458b4a26ac12c81

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\service.conf

Filesize
2KB

MD5
3c08967547cbd4698fd591d541526750

SHA1
44918305f60ee7f17423d085845b6e9e1bd8370b

SHA256
dd8b4a758f9a0add7fb1edda0dc6905d70aae72cb6ec7faa1487767596e9d825

SHA512
add29a5e072c425acc1d61c2aa8f88fd2cad61083c7f9c0d275ec3cc9f9cc5ee8d1b385612ff305097c3c33f9e71ebc8209115ed8e87251c7ef360d83f16b5c5

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\service.conf

Filesize
2KB

MD5
6629ca6c3f41db7cb71a37de84237f8d

SHA1
47f4fbffc9c54d1454a340a96ccad3e6148d3732

SHA256
0821ed9d8ae1c9e9e95d049bbca1b2b3ab067e64af27b445b29585441b175bf7

SHA512
5d586227c1fe1a340e7ee37d8e0deb7eea6022e170a8984fa4644ee18aae8ae13ab3f40a207ce4bd2494f0104c5a91f94b8c5327cb70428ac0dd4f556654579b

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
611B

MD5
a0ea9f6e2ce22e0f522cbabf4dde52f2

SHA1
7b7e891dd23c10b49a05f7724507202e35b8a8d9

SHA256
64d17371f5687bb901f447846227b5a5fcd22f6c348c945f8e38c72620db2706

SHA512
b6fb99cee1e2c63c3160d265a42a635c907b840e2525d671ee53c761209e72609e66c96f650e793126b3d342e0483c3728178a3134c134c97b398fbbd4055f75

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
732B

MD5
0dc54563cbe4c806a912350194fd640e

SHA1
78e9f549c0d0f98cf38aaf199c2d38183ff60f10

SHA256
010dc7a5fced58bed2be877306dc3df7fb3d75faf92cfd1ab47cd1b8d9984198

SHA512
644ab8f0c752d698550d0f6b77b33185f886e46a2669356a774b7047f7f68d29dca08a6ba62f9d8b1f47e15de0a646da0af27287b7f0efff00826bce75b9ec24

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
801B

MD5
e873f6906a304c8829bc1c71625c10ce

SHA1
1110a41dd280e20b5ce3770c02f9a85a819c9538

SHA256
96ab15ab8325acfe6480959fa7cc932df30221f501215578bf9d814959364cde

SHA512
2cf92debb24aad31a0b125b5ed4753a08ac71784e14ff2fa3a2863abacb86f30857bf5e9ba3e4eef4c8b9475470e13c49464044f1f71ae0d3cd5a2dbab9e5ff2

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
312B

MD5
0c04ad1083dc5c7c45e3ee2cd344ae38

SHA1
f1cf190f8ca93000e56d49732e9e827e2554c46f

SHA256
6452273c017db7cbe0ffc5b109bbf3f8d3282fb91bfa3c5eabc4fb8f1fc98cb0

SHA512
6c414b39bbc1f1f08446c6c6da6f6e1ceb9303bbf183ae279c872d91641ea8d67ec5e5c4e0824da3837eca73ec29fe70e92b72c09458c8ce50fa6f08791d1492

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
424B

MD5
e4f3c8d574f09e483af4336656616a26

SHA1
de3275bb0253b76926c4a4002cc64b016ae3d4d5

SHA256
92747f9b8a90f70c3cb5ccf4f33108a780ada29b8fc4c6f102b5d5e77f9afc0f

SHA512
b298ed7c0c607c885d4b51a3a3a567a900f97bbf1b167b3bd71031933060bef52dd11f8637e8d5ee548c73695e8639f1f5fad1d5a6cbc263497c2b0bdf2cf024

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
3KB

MD5
223cdc800f8898b652de710ad112f742

SHA1
a6c744a65430adf616a1e6a24d93e3ce62179f85

SHA256
5f3ab6da32eba01e859c70e6ced04987ddbdb3ea2a66474e5fe52091a7538fbc

SHA512
c0748971b5695a30f9b861ddd4ec92534e4360d5a309efe885813b03324e9adb951557c8ecaa1d9b5225aa5a115916af9135a0539ae642ddc276ed2d36a6cc19

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
e2c7c92748dd2462c61b4bb464c27e25

SHA1
1bd0cf1c2562a2ce4b869e61fe916353c7383ea2

SHA256
8a6dcc074f56b28a7eb6f7b3751f2086d8975eb93da712edeff3262a6c595de6

SHA512
8b69af2a7dfdea37fc9040ff9e5482f89c38f2b906b0f27f18f915fb61eafe8169bfd426d947276933ee67620f3c1fe2b32fd9e9fa628ca3fc77cfac83cbaa0b

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
3KB

MD5
3ea44b6f573d29bc0c3972812b8ba84b

SHA1
418da0150f08532794355702de6e71f6d4454b9e

SHA256
365df36a5fb69e9fc151b1e753c3f950166531174462242348c951a8542db743

SHA512
39921e332e86bbbf94bbbf3871078905ef8d54e22862d5cef091fad525435c0ad309ccc59af68f43f17444f6e16a12dcb66a24c53d8ebe5ee9cbf432b0b91c1c

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
6KB

MD5
878ec86d0faecb239f11d0f56a9ea213

SHA1
c029df88810de0853bf158a5676e2fcaf1864644

SHA256
012c1ca889b30c975f112674a50be13d9fa1984492769c0e609018c89d34dc4c

SHA512
095c0ae967fe709a88dc41f334e2931f199aa631a73677a0b40b2ed7ffe4109c17a37e76266f5f18ea2bb07bf337dca6cf67f4d7f253be8547daa3843c53e3e5

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
6KB

MD5
a986f813e9ce56821a5ec6ea757f34e2

SHA1
63cb41a3e4819c7805c0602900a1cf27acb5fbb9

SHA256
a649d7f04207f715a12308d5136c6ebea6c768f19640e8cde414e4301bb5f1aa

SHA512
68172a8f1517829afba6c6991d56bbc668e9526ab89d0f9aec36be50bc1450da8a17f5e93354deece63436b38947b0dff821cb4fbc4ccda2af3413f88960916c

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
6KB

MD5
c0e101a7c793daf045b6f94ab3fb4f99

SHA1
5f004f916c3c479a6fbd76ad1236e4b2220c6f3d

SHA256
0432b9936fb7317e42383ad5d6006501a0ac58bac4fe36034456d8ea5d6489e6

SHA512
32f1847ac93b215b72ffe42534281941d5f9244fbd9bdefab5f4d0ec82587d67a025a16bc5a05a18b4e5c30824ec06a95186831e8e73408d7d3d9a01f7bdf556

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
74539d5327d0724191d92e5164adb4ad

SHA1
fa02dc486345858205f41ff722665934f2d469b2

SHA256
a383650e78338a7b72f2019707d2c15d666ef6d486993595a628b077aefb0de5

SHA512
e0255d3fe78d07be63d6b147541c7dd62b73d03c498ed74605e726fa3bef14f8c3855cc40c06e30bfafd14255983e8345132e4aa04a00737582738afe2f56b56

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
3f6a682584d88785d00457482adf6b1e

SHA1
bc314b3143d1add85bddd719645adbf04b1db4c3

SHA256
5ddc4296fab1f5133f6f62b54eb138746573f9c37f99f78e419191e2dba89001

SHA512
6be747177362ef95e4bb9bbd7bcae51894a1e4e9f5f9c621104d96402becdfacfcc77a0a95e646ba7945c6c55b5a875eb31b65eddebeffddbb6f4ed75e1044a7

Download Submit
memory/1048-20-0x0000000000F00000-0x0000000002637000-memory.dmp

Filesize
23.2MB

Download
memory/1048-33-0x0000000004100000-0x0000000004101000-memory.dmp

Filesize
4KB

Download
memory/1048-244-0x0000000000F00000-0x0000000002637000-memory.dmp

Filesize
23.2MB

Download
memory/1156-104-0x0000000007F20000-0x0000000007F21000-memory.dmp

Filesize
4KB

Download
memory/1156-103-0x0000000008D70000-0x0000000008D71000-memory.dmp

Filesize
4KB

Download
memory/1156-243-0x0000000000F00000-0x0000000002637000-memory.dmp

Filesize
23.2MB

Download
memory/1156-18-0x00000000068C0000-0x00000000068C1000-memory.dmp

Filesize
4KB

Download
memory/1156-17-0x00000000068B0000-0x00000000068B1000-memory.dmp

Filesize
4KB

Download
memory/1156-0-0x0000000000F00000-0x0000000002637000-memory.dmp

Filesize
23.2MB

Download
memory/1156-4-0x0000000003000000-0x0000000003001000-memory.dmp

Filesize
4KB

Download
memory/1156-1-0x0000000000F00000-0x0000000002637000-memory.dmp

Filesize
23.2MB

Download
memory/1156-82-0x0000000000F00000-0x0000000002637000-memory.dmp

Filesize
23.2MB

Download
memory/1156-232-0x0000000007F30000-0x0000000007F31000-memory.dmp

Filesize
4KB

Download
memory/4904-21-0x0000000000F00000-0x0000000002637000-memory.dmp

Filesize
23.2MB

Download
memory/4904-19-0x0000000000F00000-0x0000000002637000-memory.dmp

Filesize
23.2MB

Download
memory/4904-29-0x00000000009E0000-0x00000000009E1000-memory.dmp

Filesize
4KB

Download
memory/4904-245-0x0000000000F00000-0x0000000002637000-memory.dmp

Filesize
23.2MB

Download