55e4ce3fe726043070ecd7de5a74b2459ea8bed19ef2a36ce7884b2ab0863047

Resubmissions

17-03-2024 17:54

240317-wg2h1abh27 3

17-03-2024 17:48

240317-wdj5jsbf94 3

Analysis

max time kernel
192s
max time network
202s
platform
windows10-1703_x64
resource
win10-20240221-en
resource tags

arch:x64arch:x86image:win10-20240221-enlocale:en-usos:windows10-1703-x64system
submitted
17-03-2024 17:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

AnyDesk.exe
Size

5.0MB
MD5

a21768190f3b9feae33aaef660cb7a83
SHA1

24780657328783ef50ae0964b23288e68841a421
SHA256

55e4ce3fe726043070ecd7de5a74b2459ea8bed19ef2a36ce7884b2ab0863047
SHA512

ca6da822072cb0d3797221e578780b19c8953e4207729a002a64a00ced134059c0ed21b02572c43924e4ba3930c0e88cd2cdb309259e3d0dcfb0c282f1832d62
SSDEEP

98304:NzTZ3cINQscs0m++LNkT6OpwDGUUH57yvZ/49Mr8EO3QhA9Kq:Nzt3cINQscNmvLCwDkHEvZ/4R79x

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AnyDesk.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	AnyDesk.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1900	AnyDesk.exe
1900	AnyDesk.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
2756	AnyDesk.exe
2756	AnyDesk.exe
2756	AnyDesk.exe

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
2756	AnyDesk.exe
2756	AnyDesk.exe
2756	AnyDesk.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4612 wrote to memory of 1900	4612	AnyDesk.exe	72
PID 4612 wrote to memory of 1900	4612	AnyDesk.exe	72
PID 4612 wrote to memory of 1900	4612	AnyDesk.exe	72
PID 4612 wrote to memory of 2756	4612	AnyDesk.exe	73
PID 4612 wrote to memory of 2756	4612	AnyDesk.exe	73
PID 4612 wrote to memory of 2756	4612	AnyDesk.exe	73

C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
"C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe"
1⤵
- Checks processor information in registry
- Suspicious use of WriteProcessMemory
PID:4612
- C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
  "C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe" --local-service
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1900
- C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
  "C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe" --local-control
  2⤵
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:2756

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\gcapi.dll

Filesize
385KB

MD5
1ce7d5a1566c8c449d0f6772a8c27900

SHA1
60854185f6338e1bfc7497fd41aa44c5c00d8f85

SHA256
73170761d6776c0debacfbbc61b6988cb8270a20174bf5c049768a264bb8ffaf

SHA512
7e3411be8614170ae91db1626c452997dc6db663d79130872a124af982ee1d457cefba00abd7f5269adce3052403be31238aecc3934c7379d224cb792d519753

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace

Filesize
10KB

MD5
db69276058741f2ae1c1176dc0aedfab

SHA1
5cca41c7c5715dc7729def485fc4102634e66a5b

SHA256
e07ee5d7b6c112d7510e2b6e58fcdf02a3fa834764d63e13fc656a523a1c5fe9

SHA512
26c04f9ec6e0fed568c48514218f9c76cd97ef80821c17430de40debd695c2098d294e6950021a141d177f5a4f4673240e9ed7e746d0a255f8925024372806b8

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\service.conf

Filesize
2KB

MD5
d03b68fe29a188b011f282dab56f4610

SHA1
e669df970d8d1459ce6f9f3d5eaf29849bf19a12

SHA256
5794b8d4084c4aecc9893142ec0650f8507f68282cd5b6524edc684a2f2b25c1

SHA512
794069bbb79cf39011fbae0536c080342181cfc51ffc6e367e6412d1681e4a8d402c18646155eb82f51a3603c61e97e41732ce15605ad42d2ee27653494808f9

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\service.conf

Filesize
2KB

MD5
27f930a312216ecd54f5313ea97e9585

SHA1
dfae007c1aa012dc6f37b55160d89d2a8f900692

SHA256
a964eea8bc2be1d833833b2baf50c14a6064ad256c0533240539c3b4b4172b96

SHA512
c332fcfc6757050553512ca4ce6234bd4b470e24195e25b6c77975f5ada5bde97644e9c90087293fdc1f9016ae3e44444197750318c294cb63ba79be359cf7a3

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
681B

MD5
bf7d4814b93956a5c6e80049ec46d195

SHA1
633ffac0d6aa9b77f89a0e707b64cab54ff35715

SHA256
08f65a6de30b2f12ce16375d9dccac647282fd1b911d073b542c8ec321d7bc2b

SHA512
15a579b7e825d75a895c37b63c4c2c0ff5e66d4c7261b5ef7487a9051d75a3e48b0a3c9699d98daed131619bd4b119058fe03fe1c137852867e4bf5cd6610b2d

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
802B

MD5
e4e1dc58a5b06776888cba83d07a8aec

SHA1
e02607e21a051da1b1ea086c8ee8195ad4823eea

SHA256
5e8d51e9e567e96e1e30406def9921f2d9f3f554a909c6d229b529f3189be4f9

SHA512
1a9600d1ad5a150ae9915058f5d0ff78c94f63576c0eeccc60d7660d5383252b4f9462e29cc790043bb915c8feccd50649867e2ece5e8a9bd82785c6c3943e55

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
312B

MD5
0c04ad1083dc5c7c45e3ee2cd344ae38

SHA1
f1cf190f8ca93000e56d49732e9e827e2554c46f

SHA256
6452273c017db7cbe0ffc5b109bbf3f8d3282fb91bfa3c5eabc4fb8f1fc98cb0

SHA512
6c414b39bbc1f1f08446c6c6da6f6e1ceb9303bbf183ae279c872d91641ea8d67ec5e5c4e0824da3837eca73ec29fe70e92b72c09458c8ce50fa6f08791d1492

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
424B

MD5
e6e380bc142162117ce4101261b8c4ef

SHA1
e994e09f9cb56e32e5b2f611c98fbefbc4ae47e9

SHA256
6fd852a2baf6fbfe58aff444d9ef60628c866c433fc4df03e257d907ddf7435a

SHA512
9dcbb410c71bce4a4ad91c43887f63503cfe36c5a8bee1c33f429f3de02643a5d5467f47083d2265179bc9c77ac9f9b8968f5b7e0a55394480dbe1b1c62f1904

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
2KB

MD5
036e7530cdfdc8cb089d7d051b877edb

SHA1
2ed507e76b01ac537a0d0407be324e354cf8a6cf

SHA256
e1252494ab33dfb93121f3c88db105ad4cec8afa0d87ef1a20a063d7d8c1dff2

SHA512
2b1d9156fe1e6365b4bb0fa3a603918ef5e0bc9fe2d697eece50c904ba38b5bcb159d350353d9f26f8796f5ceee7fa24228a3ab643336edf064b5f250d0a9d71

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
d9890361d9a97bb911ec3e4c0522d6df

SHA1
f482976b623fc66b08ac553bf3cd462602f7cad2

SHA256
6e551972fb65e8dd19c241f89dffdf8dd28e8ad0023ef0fb89d4d314ac654b33

SHA512
2b5b823b337571eab1c41a6265502f0bd469a18d27bd803724967c035a1f75004899b082ccd43b49d76d3589e1e8e04746ed456a778c99c08809ed57c61e7447

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
6KB

MD5
318b037a9374e87e95ba7afb64ffc35d

SHA1
a755269965fe07fe3a1d8cda291eca981d7d7d78

SHA256
9bacc1c31eafb4d2edcf48854cda748a3d4e6ae985cd0138a110addcc788fb0d

SHA512
ed574f7560cd92c76455fd2bda3aae3382955dc94ddadaad6512259e1319b6d107cd7bb5e01105d24f82a382ba1e6194720e5bcff7ddd34cf4dfd2f5b5143e03

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
6KB

MD5
bb077afd5172280524a356318de4f26d

SHA1
d5456723832a3f575b1beac07fbe4f8c2618553c

SHA256
b3f28ef37752db0e9751159f3eee313f8892da774d9b8ef48c876a0336aad092

SHA512
598b4b780267cd9761fb46cadc6a7c44c1c3f8f49ad8b6314ef3a4bcb265fc1b4f6041ccd182b48c55fe8617562cced0b795bb6ad462a65718bc00f9044c37bd

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
d7de103001787b97cb8e7d03ca934b23

SHA1
3a39345d91b99801ffb2e805f6c2fddd6d66753d

SHA256
e7c6d7777abaf0651f62b5600f02ce00c84fb983367bcc4dd915e34bd2702d70

SHA512
cc3ffc13149b946e06958a929bac931927067c433a2900b60dfd243f2f01cf63afb44e8c361916e3a368a53cf9aee113703e0b9403e45a3eb3d7783bd31964a0

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
c45581fa6e9c47d94e1661dda6dee66e

SHA1
09121c64402c00eeaacfc6c795b9fb5c3885201b

SHA256
4ba1c573e214cb41b2f39e955b4cea6bc1c629fcacd7e927a69c2e7980f43a82

SHA512
bd2ee1b0a29abdb25088eac513d045f5b434b9cc1b848b71c2b11461db8792e9eb2f0c5d694ddbb64ef8531b9950e31df95959191db499e948ce8208561af65a

Download Submit
memory/1900-242-0x0000000000DD0000-0x0000000002507000-memory.dmp

Filesize
23.2MB

Download
memory/1900-32-0x0000000000BE0000-0x0000000000BE1000-memory.dmp

Filesize
4KB

Download
memory/1900-18-0x0000000000DD0000-0x0000000002507000-memory.dmp

Filesize
23.2MB

Download
memory/1900-229-0x0000000000DD0000-0x0000000002507000-memory.dmp

Filesize
23.2MB

Download
memory/2756-20-0x0000000000DD0000-0x0000000002507000-memory.dmp

Filesize
23.2MB

Download
memory/2756-230-0x0000000000DD0000-0x0000000002507000-memory.dmp

Filesize
23.2MB

Download
memory/2756-31-0x0000000002530000-0x0000000002531000-memory.dmp

Filesize
4KB

Download
memory/4612-17-0x0000000003DE0000-0x0000000003DE1000-memory.dmp

Filesize
4KB

Download
memory/4612-1-0x0000000000DD0000-0x0000000002507000-memory.dmp

Filesize
23.2MB

Download
memory/4612-4-0x0000000000510000-0x0000000000511000-memory.dmp

Filesize
4KB

Download
memory/4612-19-0x0000000005890000-0x0000000005891000-memory.dmp

Filesize
4KB

Download
memory/4612-86-0x0000000007D40000-0x0000000007D41000-memory.dmp

Filesize
4KB

Download
memory/4612-197-0x0000000000DD0000-0x0000000002507000-memory.dmp

Filesize
23.2MB

Download
memory/4612-198-0x0000000006F00000-0x0000000006F01000-memory.dmp

Filesize
4KB

Download
memory/4612-87-0x0000000006EF0000-0x0000000006EF1000-memory.dmp

Filesize
4KB

Download
memory/4612-0-0x0000000000DD0000-0x0000000002507000-memory.dmp

Filesize
23.2MB

Download