55e4ce3fe726043070ecd7de5a74b2459ea8bed19ef2a36ce7884b2ab0863047

Resubmissions

17-03-2024 17:54

240317-wg2h1abh27 3

17-03-2024 17:48

240317-wdj5jsbf94 3

Analysis

max time kernel
133s
max time network
134s
platform
windows11-21h2_x64
resource
win11-20240221-en
resource tags

arch:x64arch:x86image:win11-20240221-enlocale:en-usos:windows11-21h2-x64system
submitted
17-03-2024 17:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

AnyDesk.exe
Size

5.0MB
MD5

a21768190f3b9feae33aaef660cb7a83
SHA1

24780657328783ef50ae0964b23288e68841a421
SHA256

55e4ce3fe726043070ecd7de5a74b2459ea8bed19ef2a36ce7884b2ab0863047
SHA512

ca6da822072cb0d3797221e578780b19c8953e4207729a002a64a00ced134059c0ed21b02572c43924e4ba3930c0e88cd2cdb309259e3d0dcfb0c282f1832d62
SSDEEP

98304:NzTZ3cINQscs0m++LNkT6OpwDGUUH57yvZ/49Mr8EO3QhA9Kq:Nzt3cINQscNmvLCwDkHEvZ/4R79x

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AnyDesk.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	AnyDesk.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2716	AnyDesk.exe
2716	AnyDesk.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
5060	AnyDesk.exe
5060	AnyDesk.exe
5060	AnyDesk.exe

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
5060	AnyDesk.exe
5060	AnyDesk.exe
5060	AnyDesk.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1984 wrote to memory of 2716	1984	AnyDesk.exe	79
PID 1984 wrote to memory of 2716	1984	AnyDesk.exe	79
PID 1984 wrote to memory of 2716	1984	AnyDesk.exe	79
PID 1984 wrote to memory of 5060	1984	AnyDesk.exe	80
PID 1984 wrote to memory of 5060	1984	AnyDesk.exe	80
PID 1984 wrote to memory of 5060	1984	AnyDesk.exe	80

C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
"C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe"
1⤵
- Checks processor information in registry
- Suspicious use of WriteProcessMemory
PID:1984
- C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
  "C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe" --local-service
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2716
- C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
  "C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe" --local-control
  2⤵
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:5060

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\gcapi.dll

Filesize
385KB

MD5
1ce7d5a1566c8c449d0f6772a8c27900

SHA1
60854185f6338e1bfc7497fd41aa44c5c00d8f85

SHA256
73170761d6776c0debacfbbc61b6988cb8270a20174bf5c049768a264bb8ffaf

SHA512
7e3411be8614170ae91db1626c452997dc6db663d79130872a124af982ee1d457cefba00abd7f5269adce3052403be31238aecc3934c7379d224cb792d519753

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace

Filesize
9KB

MD5
15acde3abd1f18a7dfce56f28f85f376

SHA1
4552260f32f287e7e74035f0693921acbd3897ea

SHA256
6758f75a3a4809d65f82baac1b8d81d1368e2c10353478718a113ccd5e8b2652

SHA512
9572545c9444e60ab80ac485519a257f06629659c1c69e8834a0e36690f659d237051615d343034bfd233bb6a3a677e197749c06e641498a202bc8f8ca6ab7a3

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\service.conf

Filesize
2KB

MD5
d97d93200739ff12132263df7f1079f2

SHA1
9b2ed98210fa90fba21a4e0da27a6774949109a6

SHA256
97dafe9c903e962dae9e5b27af14afa1bd43c3957e77da2af8df652c2bd9c2e5

SHA512
6182533d09ee4adc4ac86defea623ae52415cb3da99fdf813b2498cc16384c9ae7a92775f69dd30f9da25955270f0fe49fd505fec3c2b3a3e6a3604331ffc11d

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\service.conf

Filesize
2KB

MD5
8661a2b9cf03ebce6db27db098576a38

SHA1
569b826c72118eea02ba4690314bc3bf73d36bd4

SHA256
59800b4dbd7009a8881cbc0b3dac425c420580bf4ee87d8d17f61fb5a6d43651

SHA512
c27012e369a073fc96fb8438b828338dbf5bb7ee28497f08756e8b77202fa8bb8fc3862a0a9e645c8253e567200e3c7f4849bb7bc993d928fcc706a11ee70a55

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
681B

MD5
8e224ccda40ef547e93f6cede5f54f8c

SHA1
7debc8c7d3928472d12b18e93a982c944460d209

SHA256
330d753fd5e4d177896ac3562854e463995674ee74821c889c25731601a2e73c

SHA512
1270aed3b7e8bf62cb01203f216846bce37e793479cdf2544defc9615aba7c63b42e28df80be1a0a56963b6b73a959616f4f37a3e88a4269128ed2f3228414fb

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
745B

MD5
2768917d30bc0af3bba99b18da1b4d9d

SHA1
23ef962e9d8437565b42cca34f59eecf33ac2276

SHA256
40627341638145ee95576cc4de811ac3db67f218a747998cb190c4efc061622c

SHA512
cfffe16d92af9d8f49f0d9a440e7ff111394aa0f56106bcd2f6c27edf50a4eb291a5136a3e44a180ee1bd2844257a56cfcb6f41ab289497a1bf2b877bbfd5fbb

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
802B

MD5
4b9e8cae0270852c44f0518a14a8bcbb

SHA1
653c99a1a98c97c36d4de7bae62f7f85d2905e97

SHA256
5f76cf060f4abec02fd5ea6769d9fab0b13e3d0adc6df1db27934e7601902529

SHA512
8871a0d53ed8e0f2f52d7a1e7930d6892a60670cb5a03a50a7adef814360505b7c1247025b47e811cc2289bc8fd5cfec5e104ac67629172e9e95054f839f9ddb

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
312B

MD5
0c04ad1083dc5c7c45e3ee2cd344ae38

SHA1
f1cf190f8ca93000e56d49732e9e827e2554c46f

SHA256
6452273c017db7cbe0ffc5b109bbf3f8d3282fb91bfa3c5eabc4fb8f1fc98cb0

SHA512
6c414b39bbc1f1f08446c6c6da6f6e1ceb9303bbf183ae279c872d91641ea8d67ec5e5c4e0824da3837eca73ec29fe70e92b72c09458c8ce50fa6f08791d1492

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
424B

MD5
d93bcd30c03f4a8d61d91b7f6e08f554

SHA1
b12efb2fb9b6c4d1811cb8bd1f76f566fca519cc

SHA256
6d59e6b2c1d37f5f9ddc7e6f6507e14f2e70f7ce043aa826781f82fa1d01ded2

SHA512
7ad30cced1b4eb7015dd28164ae8c156e090608c5ff7e8b93908700b9ddc4dc031c08f2736fb9b23cfe776771302ea94aee1de8d5450a3198c97ef8dc3977594

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
424B

MD5
7e73000c8bbaa2fa52625b7ee1b502da

SHA1
c3d77b6744163b09bbe41ace66ce9e16a69ec535

SHA256
36b35d26db17de4fe08ab9992bf599ed6df1d8b870f04fbc715009e911b48ea4

SHA512
366b7f9df2186702a2b5f1f70c29ef44fe59129f7b5afc61a3bf1b6da53e6bbbfd614c2f88be899759c7ab2cfd44e4647b2e3094e295f11d6683b84871faa83c

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
2KB

MD5
4a30d54072bc54bd1163a940ba55ae6f

SHA1
0947809444d0beffa63a2f7a7e206aa1903827eb

SHA256
73a7aa8d62057274506e83680dc5ff39945630391574e3e5ad0eddd67e1dd396

SHA512
1c87dd35c9d5a15b45decad5bfe0dc80f7d8e4c7083c6d599154e00702fc62163affa20d28887ae8590c88a4bb39e4560a52d3b9de807852f7dfbe87edb28259

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
3KB

MD5
2524bc31f0c2890826eddb3593cf3dca

SHA1
f146273666ca51d3e2af00a3c7a1eca3e933f25d

SHA256
e0e9f5c0b09d951c315aaee39b1b2ebad7d240afeb4f78b4a6af7720a4129079

SHA512
0e2cdee6d4dabeb6f520218cb109b3c3d8342a868d3951609bc02408667ac15c54434f7d231faa98000dabf2ab406d3e979acfafe7ff5f65e984c208bd035339

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
3KB

MD5
eac846854ac62f55a047b971054a0ea2

SHA1
dbe68bfbd24a7f07305fb8cb688884b0837b5dff

SHA256
531314927e2495aaea32fbe8e3476aa0d24138c129ca03a2058930ccb2b20a20

SHA512
cf394ef3781c2d3b9ca3c26d01224d6f6cfd581802c5d5d648c5b0966400ea6f2e10af42da9100884e8dfc904428770e4be5e352f3ec2646d91d099355849a40

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
6KB

MD5
3403d0c83c3f9834c706922fc32525c1

SHA1
236606a21150db9812f402fa6b4b246b1087f8fe

SHA256
17878863558f992b809c01e2b8441f40ae922e8b4f4a73d826d696b0bfc67345

SHA512
907552b91770908f3540b062f31f263031b75f65fd7a5cd751e8b9fd480348e572381c9d1791cce35bd3863d8f9ebaabd1fcf31fa9ffa7366a15cecbb0a737b9

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
6KB

MD5
a322a46a9bc95cc5bb9dab3e50570693

SHA1
96aa34cf96ec4649e92b09093a485a89f5d9440c

SHA256
de6a6cdf79d50031790c0cca1c2b3fbae313ff362d1515f3b2a488a3379daaac

SHA512
ae9d890daa9856a048b11d7b1487b3331f71f5b294e3f6f8ac80e03bbde144b1c210c2dcca6edcc484260e97d80c8ec194412560ad9c033b9efa320726b25963

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
6KB

MD5
0b07a4f22625d27993fc695f7d433dee

SHA1
7c7d9ead5031c138c26f93122364c74a1ebd8d77

SHA256
b04f4cbe51a8ea437fdd5567962e9fd48863b44e6d07dbac736c97cb9b0ee270

SHA512
39fffb85ed77290d0595e46441b4017efde7c62e51afc0bb5b28732e993f95593aeab9b161b2ba07ca94bb2106d2cedf9482d0d797282e49b04235cd7146f5fd

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
0b9324abff989129803f9fce3887928d

SHA1
392204dedc6ac5f7bc99d034ebc348eedd4e9efc

SHA256
f779ea63f1b2cbc14b82975c5f319fbf93a33b02e2935135f7345bad80f20d4c

SHA512
45b8168e8ae00e57d186d59db67c041ed4381054d7fa78f87152ff921beae6ac43f674a5201bd18974a93a4b83d780743047615dede3062712703076340b602c

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
7f72ce32cacbdf56608344aee6f22981

SHA1
090b61e18876a1ef8675edd61fa48481ded92f44

SHA256
a15e8a38d906dd9dff5c063c12d8676f0c9bddc29669289176ce2cd306c1d384

SHA512
706d0bf8ebb11d22850208de2e0fa76e91d25450d318f957ef8359bebb5a25762e59f6b23a79ec123ee64c95d90e69d66f964c40b92ac0e2a825af39d051de0d

Download Submit
memory/1984-28-0x0000000006340000-0x0000000006341000-memory.dmp

Filesize
4KB

Download
memory/1984-4-0x0000000002B30000-0x0000000002B31000-memory.dmp

Filesize
4KB

Download
memory/1984-80-0x0000000008140000-0x0000000008141000-memory.dmp

Filesize
4KB

Download
memory/1984-244-0x0000000000A00000-0x0000000002137000-memory.dmp

Filesize
23.2MB

Download
memory/1984-83-0x0000000007A00000-0x0000000007A01000-memory.dmp

Filesize
4KB

Download
memory/1984-1-0x0000000000A00000-0x0000000002137000-memory.dmp

Filesize
23.2MB

Download
memory/1984-24-0x0000000006330000-0x0000000006331000-memory.dmp

Filesize
4KB

Download
memory/1984-0-0x0000000000A00000-0x0000000002137000-memory.dmp

Filesize
23.2MB

Download
memory/1984-189-0x0000000007A10000-0x0000000007A11000-memory.dmp

Filesize
4KB

Download
memory/2716-31-0x0000000002380000-0x0000000002381000-memory.dmp

Filesize
4KB

Download
memory/2716-13-0x0000000000A00000-0x0000000002137000-memory.dmp

Filesize
23.2MB

Download
memory/2716-245-0x0000000000A00000-0x0000000002137000-memory.dmp

Filesize
23.2MB

Download
memory/5060-12-0x0000000000A00000-0x0000000002137000-memory.dmp

Filesize
23.2MB

Download
memory/5060-32-0x0000000002240000-0x0000000002241000-memory.dmp

Filesize
4KB

Download
memory/5060-246-0x0000000000A00000-0x0000000002137000-memory.dmp

Filesize
23.2MB

Download