55e4ce3fe726043070ecd7de5a74b2459ea8bed19ef2a36ce7884b2ab0863047

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
07-04-2024 18:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

AnyDesk.exe
Size

5.0MB
MD5

a21768190f3b9feae33aaef660cb7a83
SHA1

24780657328783ef50ae0964b23288e68841a421
SHA256

55e4ce3fe726043070ecd7de5a74b2459ea8bed19ef2a36ce7884b2ab0863047
SHA512

ca6da822072cb0d3797221e578780b19c8953e4207729a002a64a00ced134059c0ed21b02572c43924e4ba3930c0e88cd2cdb309259e3d0dcfb0c282f1832d62
SSDEEP

98304:NzTZ3cINQscs0m++LNkT6OpwDGUUH57yvZ/49Mr8EO3QhA9Kq:Nzt3cINQscNmvLCwDkHEvZ/4R79x

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AnyDesk.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	AnyDesk.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
2276	AnyDesk.exe
2276	AnyDesk.exe
4804	AnyDesk.exe
4804	AnyDesk.exe
4744	AnyDesk.exe
4744	AnyDesk.exe

Suspicious use of FindShellTrayWindow 5 IoCs

pid	Process
4744	AnyDesk.exe
4744	AnyDesk.exe
4744	AnyDesk.exe
4744	AnyDesk.exe
4744	AnyDesk.exe

Suspicious use of SendNotifyMessage 5 IoCs

pid	Process
4744	AnyDesk.exe
4744	AnyDesk.exe
4744	AnyDesk.exe
4744	AnyDesk.exe
4744	AnyDesk.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4804 wrote to memory of 2276	4804	AnyDesk.exe	89
PID 4804 wrote to memory of 2276	4804	AnyDesk.exe	89
PID 4804 wrote to memory of 2276	4804	AnyDesk.exe	89
PID 4804 wrote to memory of 4744	4804	AnyDesk.exe	90
PID 4804 wrote to memory of 4744	4804	AnyDesk.exe	90
PID 4804 wrote to memory of 4744	4804	AnyDesk.exe	90

C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
"C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe"
1⤵
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4804
- C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
  "C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe" --local-service
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2276
- C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
  "C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe" --local-control
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:4744

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\gcapi.dll

Filesize
385KB

MD5
1ce7d5a1566c8c449d0f6772a8c27900

SHA1
60854185f6338e1bfc7497fd41aa44c5c00d8f85

SHA256
73170761d6776c0debacfbbc61b6988cb8270a20174bf5c049768a264bb8ffaf

SHA512
7e3411be8614170ae91db1626c452997dc6db663d79130872a124af982ee1d457cefba00abd7f5269adce3052403be31238aecc3934c7379d224cb792d519753

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace

Filesize
5KB

MD5
00b424312ffd6d37833cdfb661c9ebbc

SHA1
d22f734cb2722e65a9775283bb2559bec4e0db1e

SHA256
90bfe3dde097166dd73b5d662ca2afce11a75ca6bcb3f17ccfe4cb24fc3ac04a

SHA512
da0fc281fd9c554a7c616b37c46c89a032a77b8e996c6654111e4a5f32acd87c9331f1e71ea3c47cd9919af11058f95e250937732f117bbfe9e5518dd5684115

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace

Filesize
9KB

MD5
0ac81e86b5c85f9032d36a364d4fbdc0

SHA1
8284259e00a867390245da32dee0f9183f8ba242

SHA256
bfc6309e1df61619d252208414065e778d88e79c4acec7dc8d8d848d88c17683

SHA512
b4dab523dc3aab903962c498a17674bd3a3b7c4716110021578f88a8712df1fd74da743efb388109af0ad12611fb2d85d2b1f5e30c8ccc6ec341932dd0a57afb

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\service.conf

Filesize
2KB

MD5
bf11f0d1cb49de598b18000f89cb02d2

SHA1
0f636ae2dbdcfeed49024f49da599e048ad85c64

SHA256
73e03c59a2c2973ee22b40d58dd3a622f7edf9ac42c2e5196cff77519b0765a8

SHA512
1e1e609f6f246e894149c2e81af28bb8ac56117df0320f214ff26e3806f82b30683163ec92bd69d2be206363c36ad2119a74a9d31f2095cc77af1fdfa83a423c

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\service.conf

Filesize
2KB

MD5
6a45160a8e44bb5d15ecdd0ffc6a12bb

SHA1
7bddd6bcc8a4fd2069e14907e41632b56b703267

SHA256
c3293854e59ace77930b50091ee189566f8e4f51c5bc09eaa1cdd9c1c6b2de71

SHA512
01eebf49f12657e381744f1e96006d1d1b8d5c8e8e7af3db09dde2c9bceed47775015e65de9eb552c6579420abfbe93fcd415b70004683d38fc4893e7c4977f2

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
680B

MD5
1902fc6e7749a27188656d2efdee6927

SHA1
c64b39f9c3f80a183dca7f44d8b8bb86a0e2fe4d

SHA256
2c48be187d5ca26b4f3133c68df5ece930e88a2afd7995819cfbd8a601b656bd

SHA512
0894365e70726fcdc91597128706acf3d11dba2dc22bc09b75b22a3af007be3bb94579b010d26499a0a55de42a48d857c6fd8de9f995831b3510d78612c58769

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
744B

MD5
7b4ae50dbab305b4c3c6a013778f3b6e

SHA1
0304602dbedbd81430b4aa3fa0388d7b0ba053fd

SHA256
2edc3fdd3f78aaf0de36f92431c84e8a08d6a337f9a94f6c012399259b5f90f4

SHA512
9c8987fbd07aed673a43b2463bad4e45d8c125786d9002e12e39c85d43640ba9b3b28f1e8f7289330456870960087677afd76851c51f94e4a632707590307128

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
801B

MD5
424668a5f779d7f10d9697b8507d30de

SHA1
4b6ef270d3ec66e16dc431fcfa018a66ec8ee49c

SHA256
f98f45af2c5d86a4dc870632b64fcad33eb1bc6531ea6a20270308128bec74f6

SHA512
73307d03faaf05b86672a18dbabcb442f55c26e69e5bd2c1af0a86b0023005968ddba8461373d951b698c85cd3d2a9e653cf6da4de47cce1f279228ef02e4b24

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
312B

MD5
0c04ad1083dc5c7c45e3ee2cd344ae38

SHA1
f1cf190f8ca93000e56d49732e9e827e2554c46f

SHA256
6452273c017db7cbe0ffc5b109bbf3f8d3282fb91bfa3c5eabc4fb8f1fc98cb0

SHA512
6c414b39bbc1f1f08446c6c6da6f6e1ceb9303bbf183ae279c872d91641ea8d67ec5e5c4e0824da3837eca73ec29fe70e92b72c09458c8ce50fa6f08791d1492

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
424B

MD5
d9a8333d353cd10ae4d3db06e4706e61

SHA1
eca5d8ba519db473ee8306b166bfd3787303fbcb

SHA256
59d5f07a76ee79da093e5bcad27bd9831ba27377b175112d6621dc70156b6719

SHA512
2ff9f3daaa1033aa82b9136ddf223baec37f7bf8af4ceca2544e6ede26068ac51a3497d16d368087d1f7006a16801c6ac18bf00ddcc86659f4617a44e6153ab3

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
3KB

MD5
0fd2f35718602fd2ef81a257ee98d8ed

SHA1
94f8ab5b89fccd7fc874a94690cfea95539ac75c

SHA256
7a1c093f5f8a2ded3b2e34f1b7062996165f0d094a76697de20a6b12f5052ba4

SHA512
8ddfbc18c0b5c61afda9dfd30d37ccef5823921990ffeb25b1377ae323753970113674305cd5f6b13b771b0923c16fda3a8ce8a66097eeaa6c941f0e6bb93bbb

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
3KB

MD5
c77ef3c679f81f9d3f3119ab82071943

SHA1
cf56cfee08092756ba9f946f23df260cfe7635e9

SHA256
7317bb197c15c501a748de6f3f37094bb1fcd6fd387a06d7a2818d0ebb2118bc

SHA512
f135b2966ac543a6c067eefc55e0d9ff3c859bc9d07f4ff6fcb3e45193d6327369fcac0a615897c91eec4eda320942486ca7541bf1284da5e9a30fa31ede5ed2

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
6KB

MD5
c851c4a0ec405bd32746cc99929a87cb

SHA1
f5e324d0f8deb8b396fe837cbbb865756588033f

SHA256
adf5011f0150ca5cc93e74d02eedfd6b55d1cb53b3fc6b599e7051345cf9df1c

SHA512
0fcb5edb5b407a0c89d553c5b68405190c2d1896cbd13de59904ca78f27b69bc6f7c6bc8f24d8f0336a6ce72f0300e8944ed830aa09ad1bd28d9f2fc3991194d

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
6KB

MD5
33fb0d60e355dd6284dc25bebfb2f811

SHA1
f67d28635e005271b4de0e45a64274612cec6b61

SHA256
8a13f4a937b10e4d942b94524d295ab706f25654a93a090e8f291b4b80998498

SHA512
839a814a75a2763dbdddf94a0c9c2efc36835aa887a5f0bbbbf7c8d4b9825ba0c7c0b27eb46883ad758a39d655b7e469b1be4b4ddd6b19ebc6d3aa3cec36e12b

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
963f2fb876f600b3fc4eb2fb1de7fd58

SHA1
99b87a137ff209d810e36308cb93ae3ac0fbfca9

SHA256
93717bf0a47e089e267d42afaf1dad16bcee11a401535df2fc5def134a9e7958

SHA512
f3ff95cf53515732ba8d2d5a79aea036c658364030176107860a8554300731b78d5da816fe6b401f6b10fd4a8eba00696aff10a7ce346eda1409ac00cb55ae5f

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
6KB

MD5
b3c46bc95a40b41b14560cb257fcd0be

SHA1
7a279a852d67e008757af2eaffeb0962a298608a

SHA256
02c0c383450892febf502876b8c740088fa6eb91e2ca341968c0ce36eeed8fd3

SHA512
975dd8980371f426f12f6f29f9178a8534980a9bc867165adc7bfbaa1b42a2f8a070d8fdfb97f7d78ee1d7a689c244f0c354b96a5c1ca2e77fed21241cd1a255

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
cca4ecc4a5008f1edddb1acebb81a226

SHA1
f4c4a4ebf432d887544433cffb1fd9ab000c20bd

SHA256
ca060e491d1b3e45dceec25a4bfbec7a138a58e0de9cc7846b1b728d9452cfe3

SHA512
fd645234d3783f333830cabb760d208ca4bcfb0d33da1f3bb2e47fdd27937e79c9cdc8252b0b7a76e44d3ae3b7c4a18a1ee2dd301f52f02f36e5d5f229b89d68

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
6KB

MD5
f1c5e72dc3bbb09e7d6b20ae79b02dde

SHA1
9aef16dfc3cf4d7e027eee7e06e94c77964b0666

SHA256
2bf8bacc49d1855aab9e7f43961365e5473ba2b84609edf485f696b2c1d7272c

SHA512
733673d5418380508c06b80918a859c13f326c7c1430cc6633371b909da18fe2768be782599a00a5b10cddc9f0aa9e0e9ea458d331112ee021e66f7e0cf220bf

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
38153219dd38fc5bfe9ebbc44eb2d396

SHA1
e8257fadf4c619d1adf4fb103a2755d5e8908f9f

SHA256
3a403ffdbd9f438ca7d17e434c0816872eabfcc18265bfb26483928f049896eb

SHA512
604b247690b5ae16be09e1f0f65a154c66e56ed2b7a317a5dd5b2c77749eb9e6e9f0a0950a579d95ffc4cbc95ed4e3b9da464313d2dc93f16ee93391c75fd24f

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
822c073a88aeb02ad494b45af0a6d14c

SHA1
c4c3ccce82f81bec2e34cc38a565835c7be6ab01

SHA256
d84decb5f24455157e220d163c68e782195ecb0ccb075f871e2b2b0f1b13a11a

SHA512
417d48c3fade4c0bd54b5c0e000fe1e9b1e6bea1469468f5aa0465ed925ca67ad55c490ba34ef5f67e86c62e005911b5d33a54ad4fa019dc690e0ae1629a8744

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\75fdacd8330bac18.customDestinations-ms

Filesize
3KB

MD5
95392c7cd20c7a8599c46f736f6b76b3

SHA1
1999deb7c39a263a67663a4a356dd0419c8de6c6

SHA256
701c8be240da695e55586f344d1d896cec1f4eaf7e7d7b45b4aae99eb2a0faa9

SHA512
0b62b4ca3f48a36d0a9303d75b9dd278b2a99d7fca3181257ff8ce0780fb75200765cf829d2d25420dc2105afacd9dbf838565d5f3ac328d45bc95cdb6c8fdd2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\75fdacd8330bac18.customDestinations-ms

Filesize
3KB

MD5
22825a70e95e8f664fcf1cb6368438b2

SHA1
0ab9d64f77744f02f88f5761d59a4beb75110405

SHA256
c314a10ee53d7056086108c81c84d0a0009be11f94766bdd0200a416aaaf1cb7

SHA512
57628c9703f16efc22767e1b6b2d4cabe82fb804ac87359c396f1998b38044ca30cb02aac42944b8f38a4945e54d16008fd6e6c8d3395ebe1fbcab0814860da1

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\75fdacd8330bac18.customDestinations-ms~RFe5940d8.TMP

Filesize
3KB

MD5
66769b8a646428d24b89e132ed69041c

SHA1
43ac0b67b3bb4b8656a61efe2698606cdb8d9cfd

SHA256
d9bf5fd132fb5a4667ce734bdc4ad34a47021ee7fc642e83c782615d01d9090e

SHA512
733b5f16bfe618df8505be28cab149b1091c5cc16bce873524374ec5c93b767860c2a7d340fbbf51449bf4e8dc50460f3db17686d2aa124f8ad3f21765d2abf7

Download Submit
memory/2276-236-0x0000000000E10000-0x0000000002547000-memory.dmp

Filesize
23.2MB

Download
memory/2276-324-0x0000000000E10000-0x0000000002547000-memory.dmp

Filesize
23.2MB

Download
memory/2276-320-0x0000000000E10000-0x0000000002547000-memory.dmp

Filesize
23.2MB

Download
memory/2276-30-0x00000000025D0000-0x00000000025D1000-memory.dmp

Filesize
4KB

Download
memory/2276-12-0x0000000000E10000-0x0000000002547000-memory.dmp

Filesize
23.2MB

Download
memory/4744-239-0x0000000000E10000-0x0000000002547000-memory.dmp

Filesize
23.2MB

Download
memory/4744-16-0x0000000000E10000-0x0000000002547000-memory.dmp

Filesize
23.2MB

Download
memory/4744-329-0x0000000000E10000-0x0000000002547000-memory.dmp

Filesize
23.2MB

Download
memory/4744-33-0x0000000002920000-0x0000000002921000-memory.dmp

Filesize
4KB

Download
memory/4804-282-0x0000000000DC0000-0x0000000000DC1000-memory.dmp

Filesize
4KB

Download
memory/4804-284-0x0000000000E10000-0x0000000002547000-memory.dmp

Filesize
23.2MB

Download
memory/4804-276-0x0000000007B70000-0x0000000007B71000-memory.dmp

Filesize
4KB

Download
memory/4804-277-0x0000000007B60000-0x0000000007B61000-memory.dmp

Filesize
4KB

Download
memory/4804-1-0x0000000000E10000-0x0000000002547000-memory.dmp

Filesize
23.2MB

Download
memory/4804-280-0x0000000000D80000-0x0000000000D81000-memory.dmp

Filesize
4KB

Download
memory/4804-281-0x0000000000D00000-0x0000000000D01000-memory.dmp

Filesize
4KB

Download
memory/4804-235-0x0000000007A40000-0x0000000007A41000-memory.dmp

Filesize
4KB

Download
memory/4804-283-0x0000000000DA0000-0x0000000000DA1000-memory.dmp

Filesize
4KB

Download
memory/4804-90-0x0000000008880000-0x0000000008881000-memory.dmp

Filesize
4KB

Download
memory/4804-23-0x00000000062B0000-0x00000000062B1000-memory.dmp

Filesize
4KB

Download
memory/4804-237-0x0000000000E10000-0x0000000002547000-memory.dmp

Filesize
23.2MB

Download
memory/4804-24-0x00000000062A0000-0x00000000062A1000-memory.dmp

Filesize
4KB

Download
memory/4804-4-0x0000000004210000-0x0000000004211000-memory.dmp

Filesize
4KB

Download
memory/4804-319-0x0000000000E10000-0x0000000002547000-memory.dmp

Filesize
23.2MB

Download
memory/4804-0-0x0000000000E10000-0x0000000002547000-memory.dmp

Filesize
23.2MB

Download
memory/4804-93-0x0000000007A30000-0x0000000007A31000-memory.dmp

Filesize
4KB

Download
memory/4804-234-0x0000000000E10000-0x0000000002547000-memory.dmp

Filesize
23.2MB

Download