55e4ce3fe726043070ecd7de5a74b2459ea8bed19ef2a36ce7884b2ab0863047

Analysis

max time kernel
155s
max time network
157s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
16-03-2024 22:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

AnyDesk.exe
Size

5.0MB
MD5

a21768190f3b9feae33aaef660cb7a83
SHA1

24780657328783ef50ae0964b23288e68841a421
SHA256

55e4ce3fe726043070ecd7de5a74b2459ea8bed19ef2a36ce7884b2ab0863047
SHA512

ca6da822072cb0d3797221e578780b19c8953e4207729a002a64a00ced134059c0ed21b02572c43924e4ba3930c0e88cd2cdb309259e3d0dcfb0c282f1832d62
SSDEEP

98304:NzTZ3cINQscs0m++LNkT6OpwDGUUH57yvZ/49Mr8EO3QhA9Kq:Nzt3cINQscNmvLCwDkHEvZ/4R79x

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AnyDesk.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	AnyDesk.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2136	AnyDesk.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
2964	AnyDesk.exe
2964	AnyDesk.exe
2964	AnyDesk.exe

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
2964	AnyDesk.exe
2964	AnyDesk.exe
2964	AnyDesk.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2180 wrote to memory of 2136	2180	AnyDesk.exe	27
PID 2180 wrote to memory of 2136	2180	AnyDesk.exe	27
PID 2180 wrote to memory of 2136	2180	AnyDesk.exe	27
PID 2180 wrote to memory of 2136	2180	AnyDesk.exe	27
PID 2180 wrote to memory of 2964	2180	AnyDesk.exe	28
PID 2180 wrote to memory of 2964	2180	AnyDesk.exe	28
PID 2180 wrote to memory of 2964	2180	AnyDesk.exe	28
PID 2180 wrote to memory of 2964	2180	AnyDesk.exe	28

C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
"C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe"
1⤵
- Checks processor information in registry
- Suspicious use of WriteProcessMemory
PID:2180
- C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
  "C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe" --local-service
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2136
- C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
  "C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe" --local-control
  2⤵
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:2964

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\gcapi.dll

Filesize
385KB

MD5
1ce7d5a1566c8c449d0f6772a8c27900

SHA1
60854185f6338e1bfc7497fd41aa44c5c00d8f85

SHA256
73170761d6776c0debacfbbc61b6988cb8270a20174bf5c049768a264bb8ffaf

SHA512
7e3411be8614170ae91db1626c452997dc6db663d79130872a124af982ee1d457cefba00abd7f5269adce3052403be31238aecc3934c7379d224cb792d519753

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace

Filesize
7KB

MD5
ed6b266e496128d9827b4ecd83965c8c

SHA1
8a42863408d5d53f0764f40e0585b196c2418ca8

SHA256
b4120e2083fca93be9afaae2ffff623fc783ef96ca96aa87d12afa30977e9af3

SHA512
b1d449e224d53f1b6bb41e9a4d4d5e8c19023f5567d21d87f32da576bbc2a149be69cfe1e8275abdef2b7d79cdf444864735de9737693849ab9580d747f53027

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\service.conf

Filesize
2KB

MD5
393ad9522e0a35d6222abe1817f23a67

SHA1
2a8b8e0cc57e8c9e75546ed3c2bb7ff94cba2371

SHA256
4f89ecd5a82c076be2e995dac39b9ed0370468f2e534f9eb4bbcc6eceb0619a6

SHA512
516778d61d8e90513dff8598f6f1579785144d7ef574ad123ea5d94c8ec3ec96cfc601e2a8fe46aa87a1498221e047b46ffc99bb9f4b3f2fa5b95e33dee35f99

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\service.conf

Filesize
2KB

MD5
eb2c7ece58c0d1d5520db863b7cab647

SHA1
dc5225964a4e29ca34f8fdb5ed818ebc5c4b2270

SHA256
db011b55959b3b2417956d9aedff511fab17456a6aac348f876fa3d8e98e4cee

SHA512
e712249f22d21d4be108e79a62346024220984c8cfe7a44d4df6c06549670c3dc7066ec2cb9d30c43e1560b46302e7a354172ede8e65a04608e239c023eabe38

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
612B

MD5
def7921340f600935611ec9e82e9f5f1

SHA1
7f032e4b9bcc0990ffcb3652bde7c00cf011175b

SHA256
6073904ff447bce8f3a6bf9a314ee8ffcef6f858e7103ae00e42881b56e5326b

SHA512
a0fcb09dd97fd1f5d35dd23d39957a6f14c100e57056c636c9b798113ffdf26573b09578288f1fb88ae31a717500b198e4d4efc0b8c7ed35a9b925c27b941252

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
733B

MD5
432dcfda257d78921c80e3e0d5fce549

SHA1
c3b454e71882e1356a1057f49e081801a80301e5

SHA256
fcee284d37f28e80607d0fd832a786041aabde6d6dca824bffc0a90b1d69f4f8

SHA512
8d07fd068855390cfa215015c0836caa3744e0501aa35ac65326a449868f4bb2fcc20b5b14277024b11e453ec9408ce456abbe8cd58b1234a041d09fa34a13bb

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
802B

MD5
2d2b68e9c82946af7299572b109ee61a

SHA1
e44ac75c356883cd312e85c885119917bc231ecf

SHA256
d672eb67e94a60a0f575df9559cfa85bba8825d7e745af761faf35a64b110c34

SHA512
ccc6a875a8b79c1792ba2ad815568faa4c0593309c6cacd938b4bd33c579ac75907b01709353b7bfff4bfbb63213de9c8231d03353fa1967dbf61ed8e1f4696e

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
312B

MD5
0c04ad1083dc5c7c45e3ee2cd344ae38

SHA1
f1cf190f8ca93000e56d49732e9e827e2554c46f

SHA256
6452273c017db7cbe0ffc5b109bbf3f8d3282fb91bfa3c5eabc4fb8f1fc98cb0

SHA512
6c414b39bbc1f1f08446c6c6da6f6e1ceb9303bbf183ae279c872d91641ea8d67ec5e5c4e0824da3837eca73ec29fe70e92b72c09458c8ce50fa6f08791d1492

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
424B

MD5
127b72a81b5cd8f4bae0fb5912e611c1

SHA1
8aed8bef034cc039ce81d00d578f39e0e3f52d61

SHA256
36b8aef4bbb297fdc72f12e70a9568e569a1b09bb7300c074f264361a8743e6d

SHA512
ea5a8f8f66ceed6725c03af4f769fb02a0b7c4e64e7367d7e07829e6fc975772cefa5e3f25337dafab7bf0c08eab5b85ae920a64c66acc9b063dcb05a8d0a334

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
bf4097557a3d419b46f89ac76631e3da

SHA1
66ae4b2bb846d2383560f83a0743eae537e09046

SHA256
543bb0e49dfab8c0e68d8eecb52bc29cb0dc01db11a3da0ac5b732e61c694623

SHA512
0423b91fdc00e91aea56dfbdf08d43409c2b9e27ea63683d38021a3f0994094f9ce5c6f61e20dcb532d631ed37ffce3888bf20dd83ed34f85c651e77ccea7a84

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
b77ba905a7ccfdd341c45cca8642fcbc

SHA1
0dce3686ecad32b87a1b93638e959733912d408d

SHA256
ea076879b308c08ba2789fe07ac0cf03d89a77928f578a1bb4328881c07e5582

SHA512
ff3edd0896c452f7677c2ea79afc45b44807e816caec4ff0e1d596e0ec917e61edba829ac8eff3fcce3f34c0d510598efa3f88c3c3ade765e5cff9a5f315d6a4

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
2KB

MD5
4c306cf89150bbac1cf89efd52e05176

SHA1
0774a6088f4e40c36efc2e3523c447caae9ebeed

SHA256
36d2f785f0f9d7a3f3d98ccef6e287952a876a0d0ccc82187c65956c0dff8778

SHA512
b5dfe03cc11478cf13000a6043ae8d30a329b140b76062849774c1f362afcc05091093482638ea7caaeb0bf886abd92ef9b27b351f00df574849474148a75e0c

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
5KB

MD5
240d164b192eaea6ffbe48987587f94c

SHA1
b5f1e6acdb24b890425b69bed02219eea1498368

SHA256
ebdaf5540efbacea1f2aeebcacba899906e87a88a2bd557af0a2950fa0c9d115

SHA512
18c12ae6e7977b92266a5347363abb5c7eca99cbf208e07115ea9e951d291da5a916c5ed1ccef2f05fb6aaad0e03454ff0381b4041c1ef2396dfaa02e78ef411

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
2b1fd5c0d8df7a33360a00afd15397a9

SHA1
40e7fc7e53eac389840d068adb7a732a56d31db1

SHA256
5c947d0144f930cd1de406ba3a537d141f1b5b03596e8866f45a750fa6710d1a

SHA512
9423e84524cd4dade035c87c134d66032367ca2eee2c94814a54a1a51cd3916ef56d853465fa5276dec7fd52586fa50e42a45ae3a0909589f84602f4cfd63ebd

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
5KB

MD5
c9cdb84f0b04d63dc40ac559c7f41f05

SHA1
ed9c3b96332fc51a084bd015b02027892ee2b5e8

SHA256
c61b06babea3b810537b784d316dcd940b4926833843b884af01f18647562590

SHA512
7e3fe3ed439c79ee17098de022394e5f9a762536d65f709694fa8acb5ecd65f88055e58500a78a3c937f9f53a762fe465a913b70aa36a84f2160fa763fe886b2

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
6KB

MD5
feb710c5c71dcd393d8690b980881190

SHA1
ca649c563bab6a9d498f34d803ac0051599642d7

SHA256
6dcebffb6581f78f3abbe12917b426fb865c0172148a76bbcb4a50d1f5244846

SHA512
01031372c88e437158d65ebf022569f1b7444e551a90fb670d92eb2b67fe11dae6913240dfb78f2c459eed1998c838a4dec74c69eb13bb978739ef0ab2c38872

Download Submit
memory/2136-118-0x0000000000B10000-0x0000000002247000-memory.dmp

Filesize
23.2MB

Download
memory/2136-153-0x0000000000B10000-0x0000000002247000-memory.dmp

Filesize
23.2MB

Download
memory/2136-18-0x0000000000B10000-0x0000000002247000-memory.dmp

Filesize
23.2MB

Download
memory/2136-39-0x0000000000B10000-0x0000000002247000-memory.dmp

Filesize
23.2MB

Download
memory/2136-299-0x0000000000B10000-0x0000000002247000-memory.dmp

Filesize
23.2MB

Download
memory/2136-285-0x0000000000B10000-0x0000000002247000-memory.dmp

Filesize
23.2MB

Download
memory/2136-31-0x0000000000150000-0x0000000000151000-memory.dmp

Filesize
4KB

Download
memory/2180-1-0x0000000000B10000-0x0000000002247000-memory.dmp

Filesize
23.2MB

Download
memory/2180-4-0x00000000001C0000-0x00000000001C1000-memory.dmp

Filesize
4KB

Download
memory/2180-32-0x0000000000B10000-0x0000000002247000-memory.dmp

Filesize
23.2MB

Download
memory/2180-49-0x0000000000AE0000-0x0000000000AE1000-memory.dmp

Filesize
4KB

Download
memory/2180-227-0x0000000004FF0000-0x0000000004FF1000-memory.dmp

Filesize
4KB

Download
memory/2180-22-0x0000000000AF0000-0x0000000000AF1000-memory.dmp

Filesize
4KB

Download
memory/2180-0-0x0000000000B10000-0x0000000002247000-memory.dmp

Filesize
23.2MB

Download
memory/2180-228-0x00000000047E0000-0x00000000047E1000-memory.dmp

Filesize
4KB

Download
memory/2180-279-0x00000000047F0000-0x00000000047F1000-memory.dmp

Filesize
4KB

Download
memory/2180-117-0x0000000000B10000-0x0000000002247000-memory.dmp

Filesize
23.2MB

Download
memory/2180-284-0x0000000000B10000-0x0000000002247000-memory.dmp

Filesize
23.2MB

Download
memory/2964-19-0x0000000000B10000-0x0000000002247000-memory.dmp

Filesize
23.2MB

Download
memory/2964-286-0x0000000000B10000-0x0000000002247000-memory.dmp

Filesize
23.2MB

Download
memory/2964-42-0x0000000000B10000-0x0000000002247000-memory.dmp

Filesize
23.2MB

Download
memory/2964-50-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download
memory/2964-298-0x0000000000B10000-0x0000000002247000-memory.dmp

Filesize
23.2MB

Download
memory/2964-128-0x0000000000B10000-0x0000000002247000-memory.dmp

Filesize
23.2MB

Download
memory/2964-300-0x0000000000B10000-0x0000000002247000-memory.dmp

Filesize
23.2MB

Download