55e4ce3fe726043070ecd7de5a74b2459ea8bed19ef2a36ce7884b2ab0863047

Resubmissions

17-03-2024 17:54

240317-wg2h1abh27 3

17-03-2024 17:48

240317-wdj5jsbf94 3

Analysis

max time kernel
181s
max time network
185s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
17-03-2024 17:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

AnyDesk.exe
Size

5.0MB
MD5

a21768190f3b9feae33aaef660cb7a83
SHA1

24780657328783ef50ae0964b23288e68841a421
SHA256

55e4ce3fe726043070ecd7de5a74b2459ea8bed19ef2a36ce7884b2ab0863047
SHA512

ca6da822072cb0d3797221e578780b19c8953e4207729a002a64a00ced134059c0ed21b02572c43924e4ba3930c0e88cd2cdb309259e3d0dcfb0c282f1832d62
SSDEEP

98304:NzTZ3cINQscs0m++LNkT6OpwDGUUH57yvZ/49Mr8EO3QhA9Kq:Nzt3cINQscNmvLCwDkHEvZ/4R79x

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AnyDesk.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	AnyDesk.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3804	AnyDesk.exe
3804	AnyDesk.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
1484	AnyDesk.exe
1484	AnyDesk.exe
1484	AnyDesk.exe

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
1484	AnyDesk.exe
1484	AnyDesk.exe
1484	AnyDesk.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4736 wrote to memory of 3804	4736	AnyDesk.exe	94
PID 4736 wrote to memory of 3804	4736	AnyDesk.exe	94
PID 4736 wrote to memory of 3804	4736	AnyDesk.exe	94
PID 4736 wrote to memory of 1484	4736	AnyDesk.exe	95
PID 4736 wrote to memory of 1484	4736	AnyDesk.exe	95
PID 4736 wrote to memory of 1484	4736	AnyDesk.exe	95

C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
"C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe"
1⤵
- Checks processor information in registry
- Suspicious use of WriteProcessMemory
PID:4736
- C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
  "C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe" --local-service
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3804
- C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
  "C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe" --local-control
  2⤵
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:1484

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\gcapi.dll

Filesize
385KB

MD5
1ce7d5a1566c8c449d0f6772a8c27900

SHA1
60854185f6338e1bfc7497fd41aa44c5c00d8f85

SHA256
73170761d6776c0debacfbbc61b6988cb8270a20174bf5c049768a264bb8ffaf

SHA512
7e3411be8614170ae91db1626c452997dc6db663d79130872a124af982ee1d457cefba00abd7f5269adce3052403be31238aecc3934c7379d224cb792d519753

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace

Filesize
7KB

MD5
e9fb7deb4ba573af81c09f6b45e6f43c

SHA1
887b422ea7a6b9f083343e8f1f677c7e081d588b

SHA256
c2aff1c2fb059f5de5599054fde3f00c31ed95e33d9937b8e8587cb45590ae2a

SHA512
2d6ac1039b056d8cd8edc4b18ad7acf46b7f8117ddb0385b9df2b09abeb6524fa6077a1ad686bbc19bdb96bf57c2fc276b35cd309058dc19244cf90ce2a97b92

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace

Filesize
9KB

MD5
f7afe50235ab28f37770bad07b09fc7f

SHA1
50925eb8bb4ff5f598a173b54c83620046efdb6e

SHA256
006cf50fad493926461515075049a632a8c16792b705a1b872a2a654cbda10ee

SHA512
683c47d3159359001c1bef89c5498ae8caff98fb4145d274cb0193a7702460b759bffcc3eebff29fa331fa50a87723e52afe1c214688d023dab923dc54732a29

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\service.conf

Filesize
2KB

MD5
fac1558bd136c89cc092ea8cb6cfeb66

SHA1
4d420d3ac34e9813846a764254de33a5667fea09

SHA256
4b5be616c97bbb6bbcf51d48cfcd047085324e7d8cf6ad4a36e742146aaf1d14

SHA512
3a77d15a6cddf429167d0a63a48a071ee0befb2ff04909c3e68232eec59f3a11990b966b0b07dc72693ea7e109af76ae2d5978a9e1de889ee15525dc08d631b3

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\service.conf

Filesize
2KB

MD5
10ab4b4add1a57f794e7d1b55f1593db

SHA1
49f84fb384afc761477309d964a215fa329395d0

SHA256
f19ed7be32a8f8066b1b5bc8f940fd8ebccbea40197d470911de1a2f4d3bdc1d

SHA512
1c024e37ad6003ec9c585d6c0741558163ff4537bfe53dc1d5c62a04c9addd11b720aab893d59a1164bd3046244841cfc865e5cc821fafbb1e16ba06d975ce79

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
681B

MD5
912a67aedf771830f912a5bcbd33dc2c

SHA1
34913329c1705a2b6b51ba68b14a789736cb368d

SHA256
22836086c9fb885ca0c7d3507635768cb1a625b422924b6e90b46f5b1c1e692d

SHA512
dffe6f1b143498736fd02863da185363f4d68ee9d9f668fa4a19d949ce7b147af505e524883bb8275a5bfb0dc8fe86e32b44190255a0ba17dd225b28a6d9c0c9

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
802B

MD5
4805813ad2b6c341051fca8039738d50

SHA1
23eb3c1a2f9012be0b53f5002fec002091ab5b2f

SHA256
47ca2417c4b8de06ff514562ee2687480da410e329d9e01c56ac5f4077e8b62e

SHA512
0d7fb7da4176f18be4aaf26089b396fc39227cce843e4a92ca85cf0ffe716f99940aabe9c460371271235bb8a8640ae47be1c0473617fcfe7f5c2a56e4fb7ebf

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
312B

MD5
0c04ad1083dc5c7c45e3ee2cd344ae38

SHA1
f1cf190f8ca93000e56d49732e9e827e2554c46f

SHA256
6452273c017db7cbe0ffc5b109bbf3f8d3282fb91bfa3c5eabc4fb8f1fc98cb0

SHA512
6c414b39bbc1f1f08446c6c6da6f6e1ceb9303bbf183ae279c872d91641ea8d67ec5e5c4e0824da3837eca73ec29fe70e92b72c09458c8ce50fa6f08791d1492

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
424B

MD5
d19dddbf52a9a552c8c281662e8c8c29

SHA1
5ca02b2ba45438b723d39647f9e77041dfb0a0d3

SHA256
9b0c052b39d5d5dde56c5a9ac02883b537db69cc7cfe4dd3dc3f8005925c6187

SHA512
b050fc07ba7ccbbe3c4d2bc3ecbd8b3b6f45989d7665593434d79010008f6602b38fa267ade744f80a4283bb89126f89b7191b4a97d1c569cc63fa0189062cb0

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
2KB

MD5
573c1b55db166df6193c901880b22f81

SHA1
11ad93903e16eefbdf48d05a3cb71ca2c21385df

SHA256
8bbe075d11d7bb9048d3c5a89412d4ef5fd8945be58034562c17595088e236ce

SHA512
c894825ead2800f605b5894b65276b2e9639bd20ef9808c5491afab7ad06362bb51215789f704fece5aaa537a11a929d069c6e69caed6e6f6b71a3f2a26163c3

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
3KB

MD5
752023f864217d55139adb02d62d32b8

SHA1
a825c9716972bae169dec0c53655ec84fe67fd65

SHA256
3a5edb8b2e546757bb6fffe10a7e4929de0ebe508e48674fe82f435cf30fd492

SHA512
f54249f734dfe836a132b2f7cd46631c3a625d5f6f57291a7f76af02b60ecf5e0e7a41e7e5040b487652cf1c32bd392c05e069b9a926d1628336f29219695dc9

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
3KB

MD5
f968a5f030ebd9525a6144da21f6131b

SHA1
938c48dc9a00127ecd82ed969f61519b7a86b1e9

SHA256
99dd776d6440849ee529bc3b3a5a0a2845a14277c739b7d41c7ff313e4e3d31f

SHA512
6fbaafadf81d2b2e016f5caa2146af94dd74ae26b2402f99620d971901f59a1ba2adbc60adf1ab4ef7f0c2a8df6668b3d076a764c8fd0ee96b76a2b421a53d8c

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
3KB

MD5
f1e576457a6aad25acf7b0e66bb77a65

SHA1
e03475e54a16ba94b6637314374c252e27917c05

SHA256
e83fe7aa192b3ecc8da975a2f3d554a343b47b67b948afe1a42e78008c8f2a18

SHA512
b76d9519ee36382f9dde6cb422080b3ed5d54d286951d3311aae4619261aacdcb62fa9adac26326ee2eb5867530b6ecd9f5480628445dac07edc06716b1d5b9b

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
3KB

MD5
8c01929fd830a4c15daef3273afc98f5

SHA1
1c20c0dae5ec14660808b36ba921b2296b047ac4

SHA256
141aefd161ae8ba027c5ecbd7aac061dd33e8a08a9f3955f81ede787833c0a1d

SHA512
db626e61901b6ab83088e4b9e76e925db7267ded16da834aca8d9f8504b1aba0ae49b6647e1bd7d330ecb8b805ed7ea0e60ecd8499bc3f93236bbb7e3ebdf0ec

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
82fa5f7206ae83d64a715bf51f761502

SHA1
1fc01b7eca536a90dde6f0c64fa0d99938841d24

SHA256
79d87ee61fa2021a7bf493daeda9c3fb81811d32ccf654c61fc7af3b926db51e

SHA512
fc13c9ef39d3679668bd5d6da71fbe3b40c7bd7050f002075b4261b17760de472539c7f0fb18828f9cb1e3b0ca5e898657daad628c0731ccd87053ad02decb3d

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
6KB

MD5
fc5780e877159b4bc5602903f90ac9e8

SHA1
dca4a941b9507cf18d1c2920055a31e2b713d8f6

SHA256
de9e8ef9acaa2d38fd7469302f2b99c5ff5ceefda58a5f8d26e8265e818af7f3

SHA512
cf2c847169fe98bc15a010de4022c55bc1486c56cf9f6fe9b49c81d3cd3ac9274cff7f628769394fc4301d01b1cc8e8f2428c670682b307958fcbafb6dd22df6

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
6KB

MD5
a6c9765a295587e6b8ae8730788fa8fe

SHA1
9261370791a63c4c16ad94940aeb3f0ee9b777b0

SHA256
0161e7de59e39a07f501e76a64eb5f50e91ac3386748084d65845eb16705679a

SHA512
769d421a867c55af1dd0d52949692daffc14dda6876a848a1693e35535200bfdb929a470641b064513698ea696732c23fead901df328f3c1ffcfd135c452a74b

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
6KB

MD5
066acb7e0071de848d45f6f192bf52c6

SHA1
168408d3759e3399e90411fd5c9a97ecb93039f3

SHA256
28e8e5450e0a5527748a8ec63c74615996401fb1bf384e657e905cd6800032f6

SHA512
edcd5f9134f2267fd14f6bea09de82a454a258c942c2c55be35ea8d5012475313d3b9f9397d982e4c8da90f67c614b65e1fa6cb2cbafdd0f085d9ca6f76ea9e3

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
0d1f235ed70ecb81bb582aace56602b5

SHA1
86c4de9a8cb9a858ba690b0574b15dafd8e7ac20

SHA256
59247af7f8cf71672c6c7675f51ce633ddfd0893069af22c0ea9ccf0394f6dce

SHA512
88e6f2407185f4353b550f33e547a4037dacb3dde33ca7a358bc74ce2a0f12fee919e5992322cb921a7c24497a0476ae503eb9e739cc34018cfa2ed80609abb6

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
aa432279393cb707ba2a496aeff6fe71

SHA1
bd86fd09659c77088be9fd1c51984d8ad8202ce7

SHA256
a1d1dbe2c0075f7f40c3d7a6ab25f6bc98e26a2ba24729290d3742af58abeb9b

SHA512
bf45e27d6f8abee72bcef8f678270892beaf9352fb9f1f93827de5475bfb45fe664449bb84ad7e2d93d4917fcd4f8ae597afa17edac274ce1be4676c1205ba76

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
cba0a15fcfeda0b600e0659f82d08bcf

SHA1
7d3468905f7d588a6ba5d812b6631723210c19e2

SHA256
1ffa249b2e5994ac61a1335ba9111826fe9b6fd7b24d1e97f38c74d3f1f94aa3

SHA512
fdb8490a29c03f5ed84e3e14f0a79ae5c08490e14b0e83f2398cd0c50d4c1de22a471cfd7ffd21757fa6f80edc5a2e084e486bc4c1d1643c279e5fcde2704d2f

Download Submit
memory/1484-12-0x0000000000B90000-0x00000000022C7000-memory.dmp

Filesize
23.2MB

Download
memory/1484-32-0x0000000000830000-0x0000000000831000-memory.dmp

Filesize
4KB

Download
memory/1484-265-0x0000000000B90000-0x00000000022C7000-memory.dmp

Filesize
23.2MB

Download
memory/3804-28-0x0000000002CB0000-0x0000000002CB1000-memory.dmp

Filesize
4KB

Download
memory/3804-13-0x0000000000B90000-0x00000000022C7000-memory.dmp

Filesize
23.2MB

Download
memory/3804-264-0x0000000000B90000-0x00000000022C7000-memory.dmp

Filesize
23.2MB

Download
memory/4736-1-0x0000000000B90000-0x00000000022C7000-memory.dmp

Filesize
23.2MB

Download
memory/4736-4-0x0000000000A00000-0x0000000000A01000-memory.dmp

Filesize
4KB

Download
memory/4736-22-0x0000000005BC0000-0x0000000005BC1000-memory.dmp

Filesize
4KB

Download
memory/4736-99-0x0000000007350000-0x0000000007351000-memory.dmp

Filesize
4KB

Download
memory/4736-79-0x0000000005CC0000-0x0000000005CC1000-memory.dmp

Filesize
4KB

Download
memory/4736-251-0x0000000007360000-0x0000000007361000-memory.dmp

Filesize
4KB

Download
memory/4736-0-0x0000000000B90000-0x00000000022C7000-memory.dmp

Filesize
23.2MB

Download
memory/4736-262-0x0000000000B90000-0x00000000022C7000-memory.dmp

Filesize
23.2MB

Download
memory/4736-23-0x0000000005BD0000-0x0000000005BD1000-memory.dmp

Filesize
4KB

Download