55e4ce3fe726043070ecd7de5a74b2459ea8bed19ef2a36ce7884b2ab0863047

Analysis

max time kernel
1809s
max time network
1805s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
15-03-2024 20:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

AnyDesk.exe
Size

5.0MB
MD5

a21768190f3b9feae33aaef660cb7a83
SHA1

24780657328783ef50ae0964b23288e68841a421
SHA256

55e4ce3fe726043070ecd7de5a74b2459ea8bed19ef2a36ce7884b2ab0863047
SHA512

ca6da822072cb0d3797221e578780b19c8953e4207729a002a64a00ced134059c0ed21b02572c43924e4ba3930c0e88cd2cdb309259e3d0dcfb0c282f1832d62
SSDEEP

98304:NzTZ3cINQscs0m++LNkT6OpwDGUUH57yvZ/49Mr8EO3QhA9Kq:Nzt3cINQscNmvLCwDkHEvZ/4R79x

Score

7^/10

Malware Config

Signatures

Unexpected DNS network traffic destination 2 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

description	ioc
Destination IP	9.9.9.9
Destination IP	9.9.9.9

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AnyDesk.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	AnyDesk.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
376	AnyDesk.exe
376	AnyDesk.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
856	AnyDesk.exe
856	AnyDesk.exe
856	AnyDesk.exe

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
856	AnyDesk.exe
856	AnyDesk.exe
856	AnyDesk.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 3312 wrote to memory of 376	3312	AnyDesk.exe	91
PID 3312 wrote to memory of 376	3312	AnyDesk.exe	91
PID 3312 wrote to memory of 376	3312	AnyDesk.exe	91
PID 3312 wrote to memory of 856	3312	AnyDesk.exe	92
PID 3312 wrote to memory of 856	3312	AnyDesk.exe	92
PID 3312 wrote to memory of 856	3312	AnyDesk.exe	92

C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
"C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe"
1⤵
- Checks processor information in registry
- Suspicious use of WriteProcessMemory
PID:3312
- C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
  "C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe" --local-service
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:376
- C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
  "C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe" --local-control
  2⤵
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:856

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\gcapi.dll

Filesize
385KB

MD5
1ce7d5a1566c8c449d0f6772a8c27900

SHA1
60854185f6338e1bfc7497fd41aa44c5c00d8f85

SHA256
73170761d6776c0debacfbbc61b6988cb8270a20174bf5c049768a264bb8ffaf

SHA512
7e3411be8614170ae91db1626c452997dc6db663d79130872a124af982ee1d457cefba00abd7f5269adce3052403be31238aecc3934c7379d224cb792d519753

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace

Filesize
8KB

MD5
28e6e87763829731b005ff6eac4375ef

SHA1
aead7b84111ea2b0307a5e16358cf88e5a990f59

SHA256
9d661f4a7a656faeb4ad36b3c4c64b556a5d26855201514864128808a19abb4d

SHA512
7d8182e0d3c1b4ebd7925c69bd2d1f9132308a3b58b0b093be85f05def57eeab51a77eb8998a71d85013e0616348e50cd3f267b03ccbfeb39f3aea4480ea37e6

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\service.conf

Filesize
2KB

MD5
9a234ecb8d1ea394d6f9ebc84f5b65b3

SHA1
8789488d19815f7e1e8b0d08c60e477f69d074de

SHA256
3351178ff8c47842d027d505df14df2ab3dfde5cf860f44f7ab7a630ccfc0fb7

SHA512
8f844f6086bfab80627dcae473fabfb3201353c8fd8c460f8c21f832a08db99d7033c4ff423aa7e5b3022f0650a5b8fde4ae3a388821c3409f84e79207f3f2ea

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\service.conf

Filesize
2KB

MD5
a4b6c1b05a9aa3225a32fcbc7caa9834

SHA1
fde118df066b0a56e5a11cf21bee9092575b3f22

SHA256
b66c4415caf5a835eea63839a74298029da2ab3fcad12d74a6598417126a0a40

SHA512
c617dd880533d0c306cd55edf23ff478e6b898ce02a39bb34344b3d889c0da6eeb0a9aa1d92b7ef779ae358a2260ca4d927fd81c62fa9b7cd576c5611a397602

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
612B

MD5
9cc18ec2fdbf71c06faef4b4469f6e53

SHA1
94d7d25eb46bd382f32b6445994903250e8045d2

SHA256
15ec71c851a5a8c0646c5cb5cdaac0ea2b734d2452a653920b0a09e9c1dabaa4

SHA512
3e7d6d690fe6732b26a6015b852227fcb1ef403d43936039383ab9638aa2841646a3273d28c2efd7782c5c51e136969e3e85105fa3ad7f20e4861fc580dc8617

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
676B

MD5
4ece950c321217fd9545b3e93e5bdc2f

SHA1
4c56c575ba9fa316db7db74cd8452945daa13e90

SHA256
528eb74374fae001ed853d29bce180ef89f77ec121a028c11b5b2d82c59098cd

SHA512
505306835100bfd800c3ebede1efd77fbe47f3819e59572de565ae518a571e7240f20dfa5b851c0c024e29a9c183a7e9f5be8e16d960580ef5f49af03e6383d8

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
733B

MD5
f76f561d8ab788a399f3b5bcd540751f

SHA1
9b55a9a5d541d325d96230a5bcffe49378110bdd

SHA256
4678303771851823d5ea058f13df81fffc63ac4f78bbce900a3b815a13ad4c1d

SHA512
6d6f69b4d7b9bfb32cd66e2e4b719c67335da138f496cb4209a46a72aa570f324b1fc31fc6876c7ea0fb066c430b14a5cc77367d56bb9c98d7c91b83a99c84ea

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
802B

MD5
e8b40732415bbfb9b9270992d238dd50

SHA1
c806580127ed2f50564b3853ce8036738c47df43

SHA256
108ac85f19e9a15c2b49f3676d87652c6820765e50ccc7fff05b46b491f3bd76

SHA512
13ae273e4a64e492f14b921e6c302df30d3cf06394d5787a70b93eec96fa5dce37f5d14aed72a9ace605e6dbccad80789c4caa7adfe648aecf579935d8782ba2

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
312B

MD5
0c04ad1083dc5c7c45e3ee2cd344ae38

SHA1
f1cf190f8ca93000e56d49732e9e827e2554c46f

SHA256
6452273c017db7cbe0ffc5b109bbf3f8d3282fb91bfa3c5eabc4fb8f1fc98cb0

SHA512
6c414b39bbc1f1f08446c6c6da6f6e1ceb9303bbf183ae279c872d91641ea8d67ec5e5c4e0824da3837eca73ec29fe70e92b72c09458c8ce50fa6f08791d1492

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
424B

MD5
fec9fd225201b218ff781f3f95d01e78

SHA1
c648158e58b82ab2f83c0cd4f8b4778601da1ce8

SHA256
5514a5522dd1fc7642ef0d4988ae88972f144ba41071ea16903718c5b03ff170

SHA512
142c662381ca72c7663ce2a0cc697113145583baf21801135ca6e46bb95a9523cf120baec37fe3191d06e41d60d712b0ef56ad590205162b54dc86872f0ef3ec

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
424B

MD5
16f1d535be2f60d18de981d2e265ce60

SHA1
713bdbf8709c74d0999e6690aaf69550b9c831e2

SHA256
bb40c915af4a3b599ae0a2d80680101d9472af1df1c1f6551c5e67333333b668

SHA512
ed19c4c3c7f57f429d6a0f2aa44cb42640d117c8966abf9566f19918e25cb26c8f45b9801bdc862a93385d09b9430e7e9b6be946e3062fe3568084efc153f3b0

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
802B

MD5
3154cdc9a31c05840f56824450070451

SHA1
94ca1d144d2c02e7c69709ecc3accd61c2773da8

SHA256
50f620cfacea2aec995e6b95b7ed2f863ac3c87baee24eeedf0fdee4b14f28c8

SHA512
f02e884263f26d0404d66916ab98f0107d05200ca3f79026218d643dd64656b9e9a3f4897563c58f7f1704b7cd9b77aa1b6f19f0ef14e61826f6ad7460cbe8ca

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
802B

MD5
177bf0c6019d33188b1c001bb2704b60

SHA1
82bd81af579553500839736cfdcd4bb032f8152d

SHA256
81996c5161c24291907c164e1b14a6fc43d2ed73163907871a119cd3dd86b679

SHA512
c23e9ea11fe4effd9e0eadaadc8667d3409162138db4ab04af39e4949db80c2afd3c763e77a964d65f308886de474fb53eb00b803d8aa939714f9d560eba314c

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
802B

MD5
f5649c2469e16a5977109069cf0fafab

SHA1
950f394d7028d8347800c4d0174b6db430d1bb91

SHA256
a897604325f67cd11bbd67ea06c140f77a206a6b21e9e5ebf06d4ece1d752c14

SHA512
26648405812068caaf768386a2343ed958790127a6687316a992ee47acbba82c192b1199da0fc2a5343c20c7c29ae9dc9bf4768e4b796ee975ddacebde37f5fc

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
802B

MD5
2c4db265824dfc2e7b51417bf2023cac

SHA1
73727cb401096601079ce685bcc77cbaedb1f20f

SHA256
009ca5f391442d0c110b02497244f352a2742565fd8b96831de154281c325da0

SHA512
6ba2efff1acf0da6f0dd5c9e5f972d03fa461b0538968af88abf0941cc4a9fc9457b3e59df09f27707419bdc1192f67d8f11b32e2609e10c69a2084bf24e13bf

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
2KB

MD5
621a0262ab8acf7f8bd08c787d8dcfff

SHA1
d1ae1628e3d5dd9c93962f0b454ea9f88d5092c9

SHA256
01f5d6269547c6380c6f09385ed36f5d5f712820f0baa3436bf3c5b50f80f71b

SHA512
525ee610db2fb6519425bb1c31bb52b5667bb1975f04ec990956855163989e681f0a4bf118c70ebe76d2bbe188e85718b912a472c27a6da9ca9f68c89e2db869

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
6KB

MD5
d86fcdc80b34c197f57c8a0ee038527d

SHA1
08f0628a4571d2a8bfec71cd29249359e0fc7ef4

SHA256
71c406533b6bce29b54f4f39e190d06827e24db7b00bc9db817aff54de335249

SHA512
de737c16220fc05a931812157488876afaff8380cec29bbfe0bf3bbe9bffbc7471ac7b431b33f8355d5386a37a16c5806898bfaa0228e71e8ad3a6b17af0d1e9

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
892861883d5604d49422b8686b227420

SHA1
d74ca97b3c51e17d0e5666fa1de30c1ad6cc33fd

SHA256
10acf04be4f0844848e6295acad27097e47d1e01b5dbeb6a2709cf71bb4a10ce

SHA512
fe0debf82b6ece3a7e97d484816b76870e3d1fd6b52fa3627b3104e916a79d8f583e6c8e5086462f75b85d946ad596f6ab3859b36fefcb5da381400f60d6153e

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
6KB

MD5
3dbc8c5ef73f89b34be659c7aec73d5e

SHA1
7c7c7b74f4ce603744d29dd71683e2ed09647ebb

SHA256
355207054000a56449bf585ec93ad3c378705e6a8a23af45025b2044c1710d5c

SHA512
c1e1964a4c1431174720ed635f0f13ef5abcffd2fed937b6743ed81b0026aeef2c2b93123a05c09107ed2ad10decc58fead43a4db6855857ed0e1115b4730def

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
a766a9d032d1e6e8e8dc5a9025fc4cb2

SHA1
f7f39b21c9f1489dfa0487fa4384e1bf1dd06d82

SHA256
61d2b7f8b9641192cd97d4dafab8d02802ad1268d348a23964ae983ad5324918

SHA512
5ebca60accd47733f43352138c3343789f585ebf3ce322f9079dcb305a93489f5d9a0ede4e730044c4d61e74dbc003bc965d86552e5c11eb942bdc1ae6119bf7

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
f9db228d85c175e2713c68e236d67d2c

SHA1
9297eedd83d11500d16036a01b4c464358126e83

SHA256
9441a7edc336076afdeae98e612fb279994613804de9bf4896176123f0afd821

SHA512
fa362e75f595cffee952357159038a0720a36ddfc87f80bdfdb6ca738e13df09214b66fa8a1ca829915731e78dbe2fed4e04be30b283423fa927e159ba638002

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
076881035011b584323ab27a67009080

SHA1
88fabc8840b23015ff18f95ec11cd40c3b659c72

SHA256
66aafd4e699bd85c23625299dacac55162cc318f214928e85b12616236bfc018

SHA512
668ec31a0b6c8b303bf4212a4e475ab33e3a77d2bb7dfb1d75505d57730668c605f3d8529cbceb3116066c06ed33def8b46891674b49f4a0c826c7a267da6315

Download Submit
memory/376-12-0x0000000000450000-0x0000000001B87000-memory.dmp

Filesize
23.2MB

Download
memory/376-13-0x0000000000450000-0x0000000001B87000-memory.dmp

Filesize
23.2MB

Download
memory/376-211-0x0000000000450000-0x0000000001B87000-memory.dmp

Filesize
23.2MB

Download
memory/376-226-0x0000000000450000-0x0000000001B87000-memory.dmp

Filesize
23.2MB

Download
memory/376-31-0x0000000003D60000-0x0000000003D61000-memory.dmp

Filesize
4KB

Download
memory/856-222-0x0000000000450000-0x0000000001B87000-memory.dmp

Filesize
23.2MB

Download
memory/856-11-0x0000000000450000-0x0000000001B87000-memory.dmp

Filesize
23.2MB

Download
memory/856-32-0x0000000002440000-0x0000000002441000-memory.dmp

Filesize
4KB

Download
memory/3312-29-0x0000000005C80000-0x0000000005C81000-memory.dmp

Filesize
4KB

Download
memory/3312-90-0x0000000007410000-0x0000000007411000-memory.dmp

Filesize
4KB

Download
memory/3312-83-0x0000000005D80000-0x0000000005D81000-memory.dmp

Filesize
4KB

Download
memory/3312-223-0x0000000000450000-0x0000000001B87000-memory.dmp

Filesize
23.2MB

Download
memory/3312-224-0x0000000007420000-0x0000000007421000-memory.dmp

Filesize
4KB

Download
memory/3312-82-0x0000000000450000-0x0000000001B87000-memory.dmp

Filesize
23.2MB

Download
memory/3312-0-0x0000000000450000-0x0000000001B87000-memory.dmp

Filesize
23.2MB

Download
memory/3312-30-0x0000000005C90000-0x0000000005C91000-memory.dmp

Filesize
4KB

Download
memory/3312-3-0x0000000002140000-0x0000000002141000-memory.dmp

Filesize
4KB

Download
memory/3312-1-0x0000000000450000-0x0000000001B87000-memory.dmp

Filesize
23.2MB

Download