55e4ce3fe726043070ecd7de5a74b2459ea8bed19ef2a36ce7884b2ab0863047

Analysis

max time kernel
1556s
max time network
1799s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
17-03-2024 17:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

AnyDesk.exe
Size

5.0MB
MD5

a21768190f3b9feae33aaef660cb7a83
SHA1

24780657328783ef50ae0964b23288e68841a421
SHA256

55e4ce3fe726043070ecd7de5a74b2459ea8bed19ef2a36ce7884b2ab0863047
SHA512

ca6da822072cb0d3797221e578780b19c8953e4207729a002a64a00ced134059c0ed21b02572c43924e4ba3930c0e88cd2cdb309259e3d0dcfb0c282f1832d62
SSDEEP

98304:NzTZ3cINQscs0m++LNkT6OpwDGUUH57yvZ/49Mr8EO3QhA9Kq:Nzt3cINQscNmvLCwDkHEvZ/4R79x

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AnyDesk.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	AnyDesk.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2680	AnyDesk.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
2596	AnyDesk.exe
2596	AnyDesk.exe
2596	AnyDesk.exe

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
2596	AnyDesk.exe
2596	AnyDesk.exe
2596	AnyDesk.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 3012 wrote to memory of 2680	3012	AnyDesk.exe	28
PID 3012 wrote to memory of 2680	3012	AnyDesk.exe	28
PID 3012 wrote to memory of 2680	3012	AnyDesk.exe	28
PID 3012 wrote to memory of 2680	3012	AnyDesk.exe	28
PID 3012 wrote to memory of 2596	3012	AnyDesk.exe	29
PID 3012 wrote to memory of 2596	3012	AnyDesk.exe	29
PID 3012 wrote to memory of 2596	3012	AnyDesk.exe	29
PID 3012 wrote to memory of 2596	3012	AnyDesk.exe	29

C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
"C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe"
1⤵
- Checks processor information in registry
- Suspicious use of WriteProcessMemory
PID:3012
- C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
  "C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe" --local-service
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2680
- C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
  "C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe" --local-control
  2⤵
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:2596

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\gcapi.dll

Filesize
385KB

MD5
1ce7d5a1566c8c449d0f6772a8c27900

SHA1
60854185f6338e1bfc7497fd41aa44c5c00d8f85

SHA256
73170761d6776c0debacfbbc61b6988cb8270a20174bf5c049768a264bb8ffaf

SHA512
7e3411be8614170ae91db1626c452997dc6db663d79130872a124af982ee1d457cefba00abd7f5269adce3052403be31238aecc3934c7379d224cb792d519753

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace

Filesize
6KB

MD5
5e11af47c89d6bcd50944f0430112ed9

SHA1
9cab3b1b26b8fcf8e315e3ea6c25ab234df1fbcd

SHA256
937fac2b65467d4bf5445dbea134c231d252a62ea0d5e7012f0fc1ba80801fe7

SHA512
50d578eca9da498993db10467aa366b94fa02bf5cb7e772433fb7f167c3dd61a48e06800b3e53063fcadb21418f4fba52fec5c16ad626a2fddb51b37d87fcc61

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace

Filesize
6KB

MD5
328a0de6a5591136d99c84311242c58f

SHA1
20a7c8d434f7c114926d78dea019e0add1c6b1fa

SHA256
1894db561ee3bd33e4f6eb736f16b237f55143ac79aa14c65051729b7919f7c8

SHA512
e35e01370d5d9ae0da7cf20637163a411dc294faf9a92356ae7d7b230bdc79f2044bc79defde473c0973cd0b3f148885a257e4df336f728d882ece2c9c6f895a

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\service.conf

Filesize
2KB

MD5
2360e218b737ec0b5d805febaf4a1a00

SHA1
44c3d8c5684e0fc134b9558045c62f7255d7a3ca

SHA256
80023458e7dd3b83c83e0763dfea38964ad37d647c0607ea47f6f73817c2ea5d

SHA512
541cf549c4d24bee600fa604fc3d4a1cbc9c35ab596a9b729eb2e356264a8a26628aa7d68bdc0e81cc1c0ac1ad73330dfedf2c9a5e2d755b461b5dae7422acb8

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\service.conf

Filesize
2KB

MD5
e3a22f185d9a6ade55b9cd731759feb0

SHA1
4a42220b4edaad517404e6d9eebacb5f543f495d

SHA256
eb3aded04290254ea6ed317e4e9ce9567f8e6e5f9db87265f6aeca2596871dd8

SHA512
e4eed732ccd5bc77c59e937049d23ea3e1d6e22171868ef91908385e6133b93e76cbb1bcaac14f6840a9fbb831ac0f4d9654b573daef270fb27898c5da3f831b

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
612B

MD5
b2ce0adbee3e1b997c42abcb7052249b

SHA1
b050cd899958187da40ca57d2f4d102a8b6c2d8f

SHA256
3bccc4e051e515471f32863f76639c077c406a1bac8e7e6cbe4e26a47da96ac5

SHA512
b1b30b258130717d94c7f076be668a61d93e8251d06cdc05cd84fdf1c66befed0a7c4f2dfaf6783ef6fa7ef6163111f39fcd57dc15901a0d10e145e94b87444d

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
676B

MD5
d1b93250892e97db5d28c6552fb4c1ba

SHA1
26773dd7589ce145b86069793476e6bf69e3bc00

SHA256
fc93b0a888e2df99e5062476e6010f7fecf327c50a1f10023335448e493ce29a

SHA512
72719068159746613bce7e81c322b325b81e2cf5872df3ff1f13b1e1a518c559f8285ae41ead1550434d03b78d5bf91be9cf40b197fd7fcac974e4c3a3a294ce

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
745B

MD5
9f2c03c10e5526e1daa976c5c6378b2e

SHA1
418085e2a60941913fd7abf510bd398df2d3615a

SHA256
a3c1540f97c087b1da4a193e0571b053012858f7271ec5ab24cbd56998c48ad0

SHA512
02befc7727022c955cb4ed575af40fd7d6bec7c10cb4f95133d04f34bad25a1af9e980ed4cfd8e0725cef3f752c63d295b6aa1f767c775510541d49218cfe254

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
424B

MD5
c598d1bb4d804dcf16d94bb774e502fc

SHA1
c9223e136f275e3734ad1501e70e805f161ec046

SHA256
4a74f7b77287a2b39127edb2b4a5cfbb31f8db101ef02d9419b28d61fcb49996

SHA512
7ac15ae459521a6d06fa8aac64794f337084b66ca2af84d8f2a19ff13e773460b4133dfd5e0c443a2712ea651bed861ac75b9b6f831723936e6411bb0392d3b1

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
424B

MD5
ce93358b1ce22b79f5a0ae045888e9bf

SHA1
d25b3c9e9a981d6b6bd9d913d3a08fce39e4d4e7

SHA256
8cb461785a25c7e1f11b612e188224f762e0cd3e9c20623c99a3f51b9b7e2ff9

SHA512
7157a40fdac98d910ac4f1f579420abc2027352cf1fff110f338eaf35ac2303cc79e8e4d2419d0f3b02bacd447a3531a563eb869b0d750d29dbdf7a05780a7c6

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
5d8cb653a0d57b519b2edba1fed6a449

SHA1
53f9e44ea4ed7866959bf7fecedef3af9f11e759

SHA256
8e480cb6c06c94967ce9bdad996435bcc114fdb8cf7876a7b443efad2ba31661

SHA512
400df89bc38d105fc5fbac10e61f646d4e420b661995564b0edbe61c71d84f94682b465633f6f0de895731c40fc54529c23beb31d605bfe3ca6aac53612fff76

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
967b0bd5756d84d638cf0e81be30f4b5

SHA1
fcf2845ab7fe334f9cafa0ccc32ec7ebfcaecfd0

SHA256
36297ae19d38eb42c2feff497e030e872efc65c5e9850684754cb951e9e8fb1e

SHA512
091f051f40fb7fe2d62ff1233936a7c92a81e092a8f999ea79f4c440bef1ae9baf26f027ab8f02b88d5797838a93c42632d3040f7b66d9c9b8c256fcbaf31ea8

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
eb4300874d4f6403ee58aca075b61b11

SHA1
b4dad9e58abad547d8ee091807336b94f8288d00

SHA256
a116f5988b8310390901adaeb865a23883963d5d0943c18ce483aea458fc0e1f

SHA512
38535e55e0e78183759f0d11543b8254dc210bd0260b964b74b6c9ac936833f3b3efdf01841fd07c50f294a52bb69771bc3110f9fbd67f0877af3c2b69c5fd54

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
5KB

MD5
d59baf03dded2d1c4ab7eea96c0936fd

SHA1
f7092be502ff1c62b563e9d09f7846b09cf3a86a

SHA256
1dea51133e0284cd94696efbc960660338275be2b1e24f758a3ab8a7fbf1e4ba

SHA512
93caabedc7ac574aeb8b07b39c5db885ec4984c587c02147b8de4faf0e7ec5b9c231a549c89088f8273ff867d867cd32f398050c432500305de9ac33f52c5f5c

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
5KB

MD5
a87fa11dd531a8b1e42625856eeecd4c

SHA1
82c317708331e78f9a23e90a5efd037af0aaed92

SHA256
c471534329dd00ff3f74ad3c248fdd6cf12a14bac3182d23fc6abdee08741035

SHA512
6ca0e29a874dff16cd44f9709473b6dda2a25efccbc172d312be9f27e583f39ba3d438d33aa1f9bccbd4e5cd750611db11c0a1fc66fdb36ba563b61059af4cf0

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
5KB

MD5
e9e3070355025e8a01edfda6e48c64cd

SHA1
cbb9b25efcb22350f5ba9de15c27816cbdc4e113

SHA256
aedf3bbafb20decf9eab3a8bce741f93b6eab7163057b6ef75f5852d2860c6d6

SHA512
525f4ca46ab226f6c235542bea0fc828d96c57f33610a3bfddd19aaf025ddc9aef52ad71326864501abd11cc8c313e522670d198d788cb88d22a27af53ca4332

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
0a1cb1ba80c883f245487f3f20153bf7

SHA1
39e27aa4f81337947cd52ec48386c3d9bf7ed095

SHA256
eecf778424dc240fe1f7c2b92a1adf5e2b9c2372342b4185a5fa6f22d872daa6

SHA512
54f030715e8f9a57167e221ea6497acb3c11ac6110541318c8a97ce408305f54e3cfd0dc7b661006f4992bd5cc76f7aac16217a6ed80a5308e5f8944da75c740

Download Submit
memory/2596-58-0x0000000001060000-0x0000000002797000-memory.dmp

Filesize
23.2MB

Download
memory/2596-110-0x0000000001060000-0x0000000002797000-memory.dmp

Filesize
23.2MB

Download
memory/2596-19-0x0000000001060000-0x0000000002797000-memory.dmp

Filesize
23.2MB

Download
memory/2680-38-0x0000000001060000-0x0000000002797000-memory.dmp

Filesize
23.2MB

Download
memory/2680-104-0x0000000001060000-0x0000000002797000-memory.dmp

Filesize
23.2MB

Download
memory/2680-57-0x0000000074080000-0x0000000074091000-memory.dmp

Filesize
68KB

Download
memory/2680-18-0x0000000001060000-0x0000000002797000-memory.dmp

Filesize
23.2MB

Download
memory/2680-28-0x0000000000150000-0x0000000000151000-memory.dmp

Filesize
4KB

Download
memory/3012-129-0x00000000050F0000-0x00000000050F1000-memory.dmp

Filesize
4KB

Download
memory/3012-0-0x0000000001060000-0x0000000002797000-memory.dmp

Filesize
23.2MB

Download
memory/3012-103-0x0000000001060000-0x0000000002797000-memory.dmp

Filesize
23.2MB

Download
memory/3012-4-0x0000000000160000-0x0000000000161000-memory.dmp

Filesize
4KB

Download
memory/3012-30-0x0000000001060000-0x0000000002797000-memory.dmp

Filesize
23.2MB

Download
memory/3012-1-0x0000000001060000-0x0000000002797000-memory.dmp

Filesize
23.2MB

Download
memory/3012-21-0x0000000000D70000-0x0000000000D71000-memory.dmp

Filesize
4KB

Download