55e4ce3fe726043070ecd7de5a74b2459ea8bed19ef2a36ce7884b2ab0863047

Analysis

max time kernel
1793s
max time network
1797s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
15-03-2024 20:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

AnyDesk.exe
Size

5.0MB
MD5

a21768190f3b9feae33aaef660cb7a83
SHA1

24780657328783ef50ae0964b23288e68841a421
SHA256

55e4ce3fe726043070ecd7de5a74b2459ea8bed19ef2a36ce7884b2ab0863047
SHA512

ca6da822072cb0d3797221e578780b19c8953e4207729a002a64a00ced134059c0ed21b02572c43924e4ba3930c0e88cd2cdb309259e3d0dcfb0c282f1832d62
SSDEEP

98304:NzTZ3cINQscs0m++LNkT6OpwDGUUH57yvZ/49Mr8EO3QhA9Kq:Nzt3cINQscNmvLCwDkHEvZ/4R79x

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AnyDesk.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	AnyDesk.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1892	AnyDesk.exe
1892	AnyDesk.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
3648	AnyDesk.exe
3648	AnyDesk.exe
3648	AnyDesk.exe

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
3648	AnyDesk.exe
3648	AnyDesk.exe
3648	AnyDesk.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4580 wrote to memory of 1892	4580	AnyDesk.exe	92
PID 4580 wrote to memory of 1892	4580	AnyDesk.exe	92
PID 4580 wrote to memory of 1892	4580	AnyDesk.exe	92
PID 4580 wrote to memory of 3648	4580	AnyDesk.exe	93
PID 4580 wrote to memory of 3648	4580	AnyDesk.exe	93
PID 4580 wrote to memory of 3648	4580	AnyDesk.exe	93

C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
"C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe"
1⤵
- Checks processor information in registry
- Suspicious use of WriteProcessMemory
PID:4580
- C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
  "C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe" --local-service
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1892
- C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
  "C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe" --local-control
  2⤵
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:3648

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\gcapi.dll

Filesize
385KB

MD5
1ce7d5a1566c8c449d0f6772a8c27900

SHA1
60854185f6338e1bfc7497fd41aa44c5c00d8f85

SHA256
73170761d6776c0debacfbbc61b6988cb8270a20174bf5c049768a264bb8ffaf

SHA512
7e3411be8614170ae91db1626c452997dc6db663d79130872a124af982ee1d457cefba00abd7f5269adce3052403be31238aecc3934c7379d224cb792d519753

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace

Filesize
5KB

MD5
1babc7e7cff1f2f897ce07f463b9f69a

SHA1
2552efde23fe2734db15999e794ffb0abc9251ea

SHA256
13de2b252748821c2d4bc7bbb5215b40d208adfadb824c7db7ae3bbaa9cc4070

SHA512
d239923dbc9b4760e0d321b12b5e531715dee37b173d3123dc6a5f9256916fa0ae9a4cbedfb460d32f73d6768618039774735dc631fbed97f118e52b509414b0

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace

Filesize
9KB

MD5
786ceeb1e9d85eeb6a27c9899049e0e8

SHA1
d739c784bee1fbfc8266a30f4dac5137e19f16cf

SHA256
5b42e844ae0a6f9869986529a02868e3c979a313ea4d44737a6eaa007e25c83b

SHA512
14133f107e5cb182dfd5bbe2884f626e8ed810203365d69ddb3a85a87abb2849d9ae3cf3ba1ab0cb72d813cfbca4c3178987712f00de515f4533f30246c9fffb

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\service.conf

Filesize
2KB

MD5
a641f9d3f5d9ccbab97372f973f2e4a8

SHA1
08d080c7715f05540e458749edab9e67609d774a

SHA256
cb09ecd1f4895086f3247049f06f391bec38ba73a449a647d658c23b1e24624a

SHA512
efcd202861d7e84be3f9c2458ec73f8c82082b7cdef40dbda526e2173fd76235b30f64267ac2b1de8202c16803da8cdfe73cba19d170efc5fe79e6d8ddcbb19b

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\service.conf

Filesize
2KB

MD5
3a1662525f967dbd1e2616199a4e2f29

SHA1
657d322affcb0e404b58f43120f44ff1d5518160

SHA256
007ac186d105a73537205717190f7bdb1e64cbe8fa6c489e160d84c410854bef

SHA512
26fb81dec1a0a5186a8901786f940162cbf4a8d87c4d17e31f5ce9206b88e59312ac97d90ad7daad1349f276ac9c89337f93da788b8036747b77ca251ceccdac

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
681B

MD5
8dbb9cbae0a33e0214c2ad364e302f66

SHA1
34880b272fbd545a854d13a20fc7efeeb27ef78a

SHA256
d6f4a3d403f555346448623d248a0755f4b28be151c61da39be2dbaae55c9ffd

SHA512
6899920eeda2b119e2b8f6953c1ad0998d8fc009b12bdcd96df72159925ca0308f894fe0c6b06d3ca11a34bec9c63510e5918f7ce91b739086adb9996f398acd

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
802B

MD5
61554df1b12ceec347cbea0386b544d8

SHA1
51c425eed515f215d24d4970d63787deff24bc92

SHA256
00a9384d350e9ad6d0e9daaa547c3cc45ef581a8682b5608b88f19e0da3fcf43

SHA512
815d86f14b9aa98db7e4559b4006628bc1dd06b0cb922a0daf3e7c8b4db14422958b50fb91b691a1616e851acf505df51e7141a6e3df528219cf02152317e615

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
312B

MD5
0c04ad1083dc5c7c45e3ee2cd344ae38

SHA1
f1cf190f8ca93000e56d49732e9e827e2554c46f

SHA256
6452273c017db7cbe0ffc5b109bbf3f8d3282fb91bfa3c5eabc4fb8f1fc98cb0

SHA512
6c414b39bbc1f1f08446c6c6da6f6e1ceb9303bbf183ae279c872d91641ea8d67ec5e5c4e0824da3837eca73ec29fe70e92b72c09458c8ce50fa6f08791d1492

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
802B

MD5
4428bc48f3a828ded36cadea1a87d32d

SHA1
03f169c88652058cbe6cd0324da9b382fbedc6d3

SHA256
929677d5f1fc37bc98a057118883c35b728bdec3d6e7cc5f67fec7abcedb6450

SHA512
23993a433839d336a54fe17f87772b062bd0c2c474590f0c9500afa6da064f31f4a8acdb36198cffe19fbe2fc6c161cc870d59d037e8be0c6637221ed418ef1b

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
802B

MD5
74dbf3f295ce3851ce5e9705df844824

SHA1
bb85dafbc0d31051147edc32c6a1aed1af24204c

SHA256
57c95a4c265eecda6c807908737367be10606ddfba5a9a30311693c677a09507

SHA512
bea05f7f2d92f68e275e92286d5e94dbfe8c818627be450edbf1c8e4922cef7823a4e2f1d9afe4199fa02722a340786830f87ae6788354957e4f0f0a9f13975c

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
424B

MD5
8b0b5f3a18b2255f90f08e441d16e290

SHA1
846f93b1a1d54615aadb3fda8fff7b1fd592ec01

SHA256
305f370a7523e606d1e5837b3a459113cf76a6cb1f6f860cd9d57a8d79e9043e

SHA512
0c4f036421cfa30e08b0bf4d84e0da84544b2509a46b07cd6cd5509ff903a114e9086e9015f7a37fb22af697237c2067a42f3bc68d1e1d09d0f45e514eb28454

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
802B

MD5
870f84cb3acab87c861ed7393c97abaf

SHA1
242d0f493e80da0ee18ea36d2f42435339ecda05

SHA256
21e8754a0f0ccf9ab8eeb406e14f8c5fef8595690b1f7d14ab4b345accfba7fd

SHA512
8f39d8cec2be6221268d51d0a8657733f4e71264889b636de58f6fd87cd87e9a9235ba92bf7c9f1515bc8e71468970cdda54ef150fe42cbe42a34f85b0edbffa

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
802B

MD5
2ff543f8995c833e1b59684a8b0d10fb

SHA1
0dc9dfc61d69512827e46e88898d21ee7c10c491

SHA256
94186eac85fe265709b8a8dec62c81023e33d74f64f88253f5c10a378f2c27e3

SHA512
52a7e4b680ccb63b610d6a5a4b13196a2969b9c838526e2961696f8dea41cfeca8d3c5c99f05bddd9030de64df02166ccb29a7ec3af5fc40d75994eeffec3497

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
3KB

MD5
ac9237620ab3ece7d885dc1fdb6d68e8

SHA1
8bdf408b02d5214cf6e10d98f5c6eea7df50053a

SHA256
7108bed8ebb230034fd0aa4ed7244e016c18b9c5eaca3bb69e402686c1bb9320

SHA512
3361d404fad0d4842a735f40057ff619bea69d89e3e38e258a942ba0a77ccd3ecbed41a216004f183458a7c53498a3f0a5a67ef54a64d392eb92da131e2f4cdc

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
6KB

MD5
506eb40ab13bb3090783563a5f3cb6e2

SHA1
d1c808f202bba403bd15d2f67c4b8eff17eeeff4

SHA256
174720e251b2d9942fb4535fb795c6c39e7e9c45f4958c7d0594d1a36a5d608c

SHA512
e6dc7744ee6c1e045963720540e2e26f6f164336a34af1a975d04c1e70be1290970226ee78c1565b0a76f9f6b28e7a6a55c454ad5b8a7ce501689aba7b1df14d

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
cb716a9c5b41cdafaa38db668d8b5c97

SHA1
e88efe637055922f69d86d380dc7815817bf9909

SHA256
bfdb07bd7fc1d1ed5c1ff29bacdb83cd96202515bface8ad47cc65f5a38af2d2

SHA512
d6dc0252074242652e266c49c85b8e18390c91f6dee436d79a589745a6611a25bba807f2e93fe40ea27ab3077fe198d4c391903ab6cc97ef9424e4e8e9fed631

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
6KB

MD5
2b2f0084e49a15e56f9cdbd3e68aa358

SHA1
ff408e7e9d5dbc6a674d51d4ba7fbd23cd237627

SHA256
e7b0f24dc64ef986f3f8d62c9cb38ba41613d73ea5fc61ae97f600137e1695ad

SHA512
b98de4ac8fb4c2ce8fb222819e2c4f380e06f1d68b88cdeedec32cc3f1d754d74c8c13fba0a300b558422b79690db702cdbefcf5ed1a8be9af4e710f9ffadf29

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
57e9591fd3672bdec364788ae3007ed4

SHA1
151c0fa9ab1b50581e3bc61e18e8cca2bdca2547

SHA256
4381cacfce0216d3045d77b10eee64aac34f31b0edd0bd0dec2ec818f16e8ba2

SHA512
f2e4a8862127acfb554cc10d6ee84e723bafb546515d0ff5f7c120347073876d3cc05e78fd71ebf949760f81cc40d908841ec9d56f9960ad415e36f335098d56

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
29d665d4ded7929bbb885382854b5bf6

SHA1
664e63f833beab3b9e9ef1d7b92f2bf306f94137

SHA256
5699c263fcaabd0132d76508f2844e5296a05926daeed9f839db63e7ae7e675b

SHA512
43f17f716a277996b11beaeb382ea76cf0a0ee721151b9740169342691136b8883212607884d0bbff882895cd1c0103b34c4afe5baed7b1abab786940c88ee50

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
00d902de033e441be9077cd0d440491b

SHA1
8316e032b77891fbd7fb433cd01361576d604b9a

SHA256
a97a41e939796bb266f680147469d63ea74a65e58b68d09deb72a1b9c762fba0

SHA512
32a06f9fde5a490e82a071fa5c4baa8808f0ea87613894cb15a45f85091e4b645a23a0e7684bfa944d6ea624bcc4f494edf5fb460bf19e482053322ad4a874f1

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
c7ee3d2a00b3e15630ef3f96b196994c

SHA1
c94ebc6acf384d4174e0ece9629b9e58cd916de3

SHA256
c6aaf9d61242569da4c728e96741243d3c1ec6e0b455512e4c2e8106001e0bc0

SHA512
e42f1505acb4baef5a35590b4d26aba333dfe0e69c0a88ec1b207440f7688ba7aee922741a8ec2782cdf34d83f789a9b369a1ac0efd7c294c7961930694ead3d

Download Submit
memory/1892-248-0x0000000000440000-0x0000000001B77000-memory.dmp

Filesize
23.2MB

Download
memory/1892-244-0x0000000000440000-0x0000000001B77000-memory.dmp

Filesize
23.2MB

Download
memory/1892-12-0x0000000000440000-0x0000000001B77000-memory.dmp

Filesize
23.2MB

Download
memory/1892-27-0x0000000002450000-0x0000000002451000-memory.dmp

Filesize
4KB

Download
memory/3648-33-0x0000000002040000-0x0000000002041000-memory.dmp

Filesize
4KB

Download
memory/3648-21-0x0000000000440000-0x0000000001B77000-memory.dmp

Filesize
23.2MB

Download
memory/3648-249-0x0000000000440000-0x0000000001B77000-memory.dmp

Filesize
23.2MB

Download
memory/4580-24-0x0000000005C70000-0x0000000005C71000-memory.dmp

Filesize
4KB

Download
memory/4580-0-0x0000000000440000-0x0000000001B77000-memory.dmp

Filesize
23.2MB

Download
memory/4580-245-0x0000000007410000-0x0000000007411000-memory.dmp

Filesize
4KB

Download
memory/4580-246-0x0000000000440000-0x0000000001B77000-memory.dmp

Filesize
23.2MB

Download
memory/4580-89-0x0000000007400000-0x0000000007401000-memory.dmp

Filesize
4KB

Download
memory/4580-23-0x0000000005C80000-0x0000000005C81000-memory.dmp

Filesize
4KB

Download
memory/4580-86-0x0000000008250000-0x0000000008251000-memory.dmp

Filesize
4KB

Download
memory/4580-3-0x0000000003BE0000-0x0000000003BE1000-memory.dmp

Filesize
4KB

Download
memory/4580-1-0x0000000000440000-0x0000000001B77000-memory.dmp

Filesize
23.2MB

Download