55e4ce3fe726043070ecd7de5a74b2459ea8bed19ef2a36ce7884b2ab0863047

Analysis

max time kernel
1791s
max time network
1797s
platform
windows11-21h2_x64
resource
win11-20240221-en
resource tags

arch:x64arch:x86image:win11-20240221-enlocale:en-usos:windows11-21h2-x64system
submitted
18-03-2024 16:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

AnyDesk.exe
Size

5.0MB
MD5

a21768190f3b9feae33aaef660cb7a83
SHA1

24780657328783ef50ae0964b23288e68841a421
SHA256

55e4ce3fe726043070ecd7de5a74b2459ea8bed19ef2a36ce7884b2ab0863047
SHA512

ca6da822072cb0d3797221e578780b19c8953e4207729a002a64a00ced134059c0ed21b02572c43924e4ba3930c0e88cd2cdb309259e3d0dcfb0c282f1832d62
SSDEEP

98304:NzTZ3cINQscs0m++LNkT6OpwDGUUH57yvZ/49Mr8EO3QhA9Kq:Nzt3cINQscNmvLCwDkHEvZ/4R79x

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AnyDesk.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	AnyDesk.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1880	AnyDesk.exe
1880	AnyDesk.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
4896	AnyDesk.exe
4896	AnyDesk.exe
4896	AnyDesk.exe

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
4896	AnyDesk.exe
4896	AnyDesk.exe
4896	AnyDesk.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2080 wrote to memory of 1880	2080	AnyDesk.exe	81
PID 2080 wrote to memory of 1880	2080	AnyDesk.exe	81
PID 2080 wrote to memory of 1880	2080	AnyDesk.exe	81
PID 2080 wrote to memory of 4896	2080	AnyDesk.exe	82
PID 2080 wrote to memory of 4896	2080	AnyDesk.exe	82
PID 2080 wrote to memory of 4896	2080	AnyDesk.exe	82

C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
"C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe"
1⤵
- Checks processor information in registry
- Suspicious use of WriteProcessMemory
PID:2080
- C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
  "C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe" --local-service
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1880
- C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
  "C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe" --local-control
  2⤵
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:4896

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\gcapi.dll

Filesize
385KB

MD5
1ce7d5a1566c8c449d0f6772a8c27900

SHA1
60854185f6338e1bfc7497fd41aa44c5c00d8f85

SHA256
73170761d6776c0debacfbbc61b6988cb8270a20174bf5c049768a264bb8ffaf

SHA512
7e3411be8614170ae91db1626c452997dc6db663d79130872a124af982ee1d457cefba00abd7f5269adce3052403be31238aecc3934c7379d224cb792d519753

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace

Filesize
4KB

MD5
054918c41d19d13f5c1640890757c63b

SHA1
27c11eace34c338520bd6cfea80c330bc303d07b

SHA256
72223f88fffbc528be6e5be59310b30deb27180d4529c165bbcb6e590fa54053

SHA512
30153fabc7909ba7428b35840629d2093c00b4661b71f520d97fffa460b3c1ef8bbbba3178b140130f023a28a950974978560a6be269a2958721c57c9bd56a11

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace

Filesize
6KB

MD5
dfd0d1634ac3a318686fa52831c682f8

SHA1
f11f67ad2a8949dec069d407eed7bfdb64e4f3f6

SHA256
7d8a846909628a35e352aa6f2eb1264009402fa0258aa6e5fc7775ffa14eacd6

SHA512
c2dde04c442d106a1a2e12afa362744039dcaa1853236c5dd6f86cb8a5fec1ab4ef712775edd121b7f6e2e52752b8cd780371c2e338fd26f445765be73bc004d

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\service.conf

Filesize
2KB

MD5
9c9c06cc5682d8601bdc08557a0b9053

SHA1
7b3e9e34c5481562e2feea6ba43ab1ce89790112

SHA256
b8db19ffcff81ae026c4391664e2ca3bc7009e6bdbfd7916548796a98aef1fd8

SHA512
588df4bb1428df22fd00f3d23539581482b5b4306a635c6e979d91a96fe3cf4db48f75b756ef8d3a481ca2cc033b010f6398448e3643e42fa39cf027413392e2

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\service.conf

Filesize
2KB

MD5
fa7c862a554788e5eeeb5ab004a62c05

SHA1
5079f73dc30d1f28734e12adbda8a7a1f7db63a9

SHA256
ef404c9d345b7bf274f616fd41ccf79b70f7a52f0eae514b841e7f47190eff82

SHA512
ce07b6f940615063854db185dde7cb7f5e18a8f1b364a51d74fed7257a76a0bd732831c96c635b14197b01f0028c74393e3a6fb1b86ba2422c173e0f46a98560

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
681B

MD5
4b459bdf757fbf452dd65f506be97b48

SHA1
e9177bade3fdd916714530b74954726d0726ea3d

SHA256
077e4ca22608ca4134b12df3cfb4041e40e681836541cbe9d11a0acb7a15f072

SHA512
bbdda7277fa25920935248d10e8811a00cdd2d835a157cfe76443e62e43ae25c2371f9b2c2f0b8e82947cb1e99be2236d64640cf0a149247b3821848a35dbd24

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
802B

MD5
a19fa2ebc6b03c04cd3aa8049f2939e8

SHA1
f030cbb709f73e420f6a2f22c329262797ec4e3d

SHA256
82cd472b8df1f8cbde127129e5ed6520402016f883b6edd45b64906142e2be81

SHA512
0a68da4a90e2e32d6cecc208f96c41d720df362f923925d7122f851ebae898de6de45ea0fde511843c057a0e29ac1eb3bad228ae6a33e1b8e3f6892c9333a421

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
424B

MD5
331659c763e377b6c19e6470d88f9a85

SHA1
99727e6a24c0a67f64de97a6cc01d9e91da07aa5

SHA256
99b7dbb9f2e1ad90ed8103fe01903f62771547eaff8fe6e40ca75c8aecccd84a

SHA512
6d136e9beccd475f27773e2fce1b2ccf08b5b6bdfb682b14cebe1b9de57f83c8a8394da0effae8b5894ec2508c50f470d0f8c45ddf9ee2bfceb68b3a7a7715d0

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
2KB

MD5
483a65cad21d65b67bf47466d58d5a36

SHA1
f86a9d82c03f45789f5d1362ece437248ee196c1

SHA256
9948b13b792da5e7cf6d728e5554b2c63ca23950a41bb196f3148e0319ce1a74

SHA512
0ef0533a30c523599cc4e5792b78362e1296176e75d158f2f1c43120e6133ea76bd15909a3edb2fb320dac70cfbb42759e8760f84b2aa7f07baa819aae04bce9

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
2KB

MD5
a24f16ddd37b9dc341480a9025be6aa1

SHA1
41a6ff28c261143b1146bde28665b1098a7c4318

SHA256
9a0c0e054bdfdefcae8634c1fe9776df99ff261ac52b9fc474056eb70ea588fe

SHA512
f851c3ad9eb2589285a4ffd165ea4ac0f6412e2d5cf8d8672aed09997b92c273ce74b69e79a9edeaaf33d874649ac55150dfd3df18a66a7ba54dba48f6b8fbcf

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
3KB

MD5
f978603bea555433717b3ab4a7f73b25

SHA1
5f972a89bf5f1338797356e024cc3a88174b7d57

SHA256
70d146209b7521affab98b4cee6eaa57af5ff7665b542a2f4ebacfa4b84aeff2

SHA512
fc35ccd710677feff21479324b5abcb22509685d922bc8235fa555b64056a681cc6f789f8e2d4285ef281d2ba79fd650b8529b7aadd2473c26e4668115211876

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
3KB

MD5
1138246c61c025b02a3ae777a320a271

SHA1
1009c28918203b6aaebcfeb86acb92d80a5b15e5

SHA256
4a586660d0b3611ff17f8a338f09e70d78a2003a476fe9517bb3116947bc03fb

SHA512
39698304b9a1e0c14b139d6ea2b6376d774b6385acaaf965956cb4ad24f05ff698d6f1cd63cfa06de5a709428201b7eaba9dc0e2292a27442b4386b799641569

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
3KB

MD5
6a74a9b456f07ba8c2fd6cf277ecd9b9

SHA1
c229e654dfbf8d383935b4254e531088ad778213

SHA256
909b352d7ab16293cb3ea0aaf4120525fe5f4a576677ed0c201f2514c60171c3

SHA512
5588551561b34390d2e64a7740c2a3290672d108a830e2150119306ccf0dde3ea91c9aad614ee416802686ddc536a421a2ced67be6c09dfa42b075233fae1c21

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
6KB

MD5
01f70505c93a8aad1e2ef9056217a1ce

SHA1
63daa844519583faae50c46ce9b3b1ca2a509e09

SHA256
8699ce0acaad039081988abd8ded4e8363d2609e44fdb19a1a7734da5f1a34f7

SHA512
47fe820361ee4bccd45a133b30fb53398fcb7305ad0bf41d457d51ebadaf444b9da2599d014fbe553532cdfd2be66aa263f01480b3e57ac55d59c896702afbd2

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
6KB

MD5
7d875358cd4da05f2b5ecf52c650a259

SHA1
4369e8abf1237b617ec2513d6d1e419732657953

SHA256
aefd748ac1d0a3e9b35e36b4acdc67c72b0b5d8f292733aa7964cc01d894d26a

SHA512
393afbd0937415c6f9c710fb858b5b457920d71a6a3073d2ce6854a0b8903bcf3ec27d90266cf62ac1c2cbc966ff2f05d01df09516fbcb8013c997df5ea4195a

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
bd831a96d7d135f4d43dce812157cadd

SHA1
4e04970d22699315d767f5f4ad8fc0dc59a7d1e9

SHA256
8f40025cf125a99023b3e281f99dc5501524e590da0a3badf6b487d427784597

SHA512
03c7b71946cf895bd0368fee809809bf7c72d24fe964898b0a49991740a37dc334fbec8356a25bfe49754b9be3616597d6946175894583b094416d23cf023d28

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
4e393e604e42f41247c98af7d3dd5fdc

SHA1
4fc8104e8925649045f14ba50db83076eda5e91b

SHA256
3fe3ea10f700fa95a6ca71dc43b677638b037f0884314ac3f4c42e637e200384

SHA512
3ae87750f744bb70ea504d3304e3152bf8c0405ffaa2d0e98c9eeab19c1f04f237c2616a615592f8f01f84b7226fb6bdfd2c055c751d64ccc9ed8897d72faa60

Download Submit
memory/1880-13-0x0000000000A40000-0x0000000002177000-memory.dmp

Filesize
23.2MB

Download
memory/1880-33-0x0000000004360000-0x0000000004361000-memory.dmp

Filesize
4KB

Download
memory/1880-12-0x0000000000A40000-0x0000000002177000-memory.dmp

Filesize
23.2MB

Download
memory/1880-255-0x0000000000A40000-0x0000000002177000-memory.dmp

Filesize
23.2MB

Download
memory/2080-31-0x0000000005DB0000-0x0000000005DB1000-memory.dmp

Filesize
4KB

Download
memory/2080-90-0x0000000007480000-0x0000000007481000-memory.dmp

Filesize
4KB

Download
memory/2080-87-0x0000000007BC0000-0x0000000007BC1000-memory.dmp

Filesize
4KB

Download
memory/2080-32-0x0000000005DC0000-0x0000000005DC1000-memory.dmp

Filesize
4KB

Download
memory/2080-1-0x0000000000A40000-0x0000000002177000-memory.dmp

Filesize
23.2MB

Download
memory/2080-194-0x0000000007490000-0x0000000007491000-memory.dmp

Filesize
4KB

Download
memory/2080-243-0x0000000000A40000-0x0000000002177000-memory.dmp

Filesize
23.2MB

Download
memory/2080-4-0x0000000003E50000-0x0000000003E51000-memory.dmp

Filesize
4KB

Download
memory/2080-0-0x0000000000A40000-0x0000000002177000-memory.dmp

Filesize
23.2MB

Download
memory/4896-34-0x0000000002A20000-0x0000000002A21000-memory.dmp

Filesize
4KB

Download
memory/4896-11-0x0000000000A40000-0x0000000002177000-memory.dmp

Filesize
23.2MB

Download
memory/4896-256-0x0000000000A40000-0x0000000002177000-memory.dmp

Filesize
23.2MB

Download