55e4ce3fe726043070ecd7de5a74b2459ea8bed19ef2a36ce7884b2ab0863047

Analysis

max time kernel
119s
max time network
122s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
15-04-2024 11:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

AnyDesk.exe
Size

5.0MB
MD5

a21768190f3b9feae33aaef660cb7a83
SHA1

24780657328783ef50ae0964b23288e68841a421
SHA256

55e4ce3fe726043070ecd7de5a74b2459ea8bed19ef2a36ce7884b2ab0863047
SHA512

ca6da822072cb0d3797221e578780b19c8953e4207729a002a64a00ced134059c0ed21b02572c43924e4ba3930c0e88cd2cdb309259e3d0dcfb0c282f1832d62
SSDEEP

98304:NzTZ3cINQscs0m++LNkT6OpwDGUUH57yvZ/49Mr8EO3QhA9Kq:Nzt3cINQscNmvLCwDkHEvZ/4R79x

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	AnyDesk.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AnyDesk.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
2968	AnyDesk.exe
848	AnyDesk.exe
1264	AnyDesk.exe

Suspicious use of FindShellTrayWindow 5 IoCs

pid	Process
1264	AnyDesk.exe
1264	AnyDesk.exe
1264	AnyDesk.exe
1264	AnyDesk.exe
1264	AnyDesk.exe

Suspicious use of SendNotifyMessage 5 IoCs

pid	Process
1264	AnyDesk.exe
1264	AnyDesk.exe
1264	AnyDesk.exe
1264	AnyDesk.exe
1264	AnyDesk.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 848 wrote to memory of 2968	848	AnyDesk.exe	28
PID 848 wrote to memory of 2968	848	AnyDesk.exe	28
PID 848 wrote to memory of 2968	848	AnyDesk.exe	28
PID 848 wrote to memory of 2968	848	AnyDesk.exe	28
PID 848 wrote to memory of 1264	848	AnyDesk.exe	29
PID 848 wrote to memory of 1264	848	AnyDesk.exe	29
PID 848 wrote to memory of 1264	848	AnyDesk.exe	29
PID 848 wrote to memory of 1264	848	AnyDesk.exe	29

C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
"C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe"
1⤵
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:848
- C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
  "C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe" --local-service
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2968
- C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
  "C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe" --local-control
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:1264

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\gcapi.dll

Filesize
385KB

MD5
1ce7d5a1566c8c449d0f6772a8c27900

SHA1
60854185f6338e1bfc7497fd41aa44c5c00d8f85

SHA256
73170761d6776c0debacfbbc61b6988cb8270a20174bf5c049768a264bb8ffaf

SHA512
7e3411be8614170ae91db1626c452997dc6db663d79130872a124af982ee1d457cefba00abd7f5269adce3052403be31238aecc3934c7379d224cb792d519753

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace

Filesize
6KB

MD5
31ee7a47b7545b7ed8820af6d4ee5ea7

SHA1
2cda0dd98f9ab866d4c11864d7ae81d835922687

SHA256
e40b577001b0dfe904ba18b55224ce4716504e04733a600a867d339d89bce28c

SHA512
974ce5489a62acd32fb9329bb45abb47ed2c78cb65e2f5192b045619713bf6f3c9d7092c1f04989ffbdda68e70a2bc710fd03607f1031c6e6046fbefabc2a91b

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\service.conf

Filesize
2KB

MD5
dafac899ffc89048c30b49dade77f86d

SHA1
ef06708c865219c76835a4b984c611d847575b49

SHA256
39afae85f1dd6b39d4152649140fb0f90bd67b69299426ca13aafee574ab1090

SHA512
a66a1998e2b523cb8468632e543920d73f67423f421452794ebc62fedca4b6b88a5a22fa0f2aa41f6aff590358e52088eeedf2d668bf076ec6db6381074133e6

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\service.conf

Filesize
2KB

MD5
827b525504d87ecf74dbb25c0f89eb6a

SHA1
d7ef25e955a1482fb53f7e6b6458c0d3df49f502

SHA256
143f0abf98d8e0052e1db6b49ea4d20442e555d89d2edfc4939c1ce2dd55baaf

SHA512
9abdc6db44abeb6468f2e1469c3fbf465f315570532abe64f5c27340669dbccbb166f6f08167d11e74efbd2f64a5bc5adbbd702beeca4053d080f6b49fae933f

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
611B

MD5
7e3520576a1e66890c20d82e2171fba8

SHA1
3933937828a2231b5718ed8b8f1ea2cf1bdec67f

SHA256
6bf2a9e595c8770f53895dd2131e3baa2d21af563dcb51229fcb31dd66f68fcd

SHA512
ef95ab74badd9dd794b8a5b3880a93bdaff220b45824ca8826d4a2393742ed94cf7326c0d264adc805a9705c360efe1cd919a710983f9e566dfc210847b85fae

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
675B

MD5
314469b82be79e2fa812eff987761dd5

SHA1
7cb1ed31ae2d17f07e7b7a30f69e3e4d0b52bf4a

SHA256
e1928364834a17d83e9f8aed16cf0b201e7199a0956385e78d82ac04b254db84

SHA512
c41fa73e10c3bbcb9cb7a099606637170248e2b489d06abdbfcc266346a57d20d346d124084cc18392a37d904eca8ffba7b18b4e68ef4c50e61b7eb22b0d40d5

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
744B

MD5
66b2ca9ce67090eda7c068e4438ed72e

SHA1
477e617750cca11e143fd1707adc75ae0d5da6ac

SHA256
366d844fc60674b7c5716d44f63675c3634135516863772d807ba9169bf905ba

SHA512
beebd25b8b19f3e6622cb4f77b2fa80374a8bdec7143ffd2a8f3e29ac61086d5a0435e11ecf7d0e23d31936b524d32ca029840d2da100c1bccf9cde7e938bde5

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
424B

MD5
6f3a83d428296967e59d51cecba6a1cf

SHA1
1aa2d79019aa7747a521d9d5a99aacb72c264f13

SHA256
2dbe685db1f1251f83a80d0413e058d7ea9ae850a3e1f5e146a97e6a95b577c1

SHA512
3d9decd46e0297d788073eab5c5f723dc16c51a21032af7dfadf26e3684dba6d00916be323ede82af998d57b7cd7580a3966368131a24bd0827ecde89b461511

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
de490f899701e69feeb3e171887ce519

SHA1
834f5d727d6d60c2c28c51d66069563dbd1eccec

SHA256
7682ede6a918a0be1bc1b573da5557202d7d868eb7633f5b13a22b4d936850bf

SHA512
378f22fdd47359a706106c1f201ca220f17606ec4179e75fbcf7963860863be82d260c0e7ef9cbfae37e004f8b11b12bd1cc55d3dafee5de54fae666c2330315

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
6dba4229d89d34f0a2fc3c8563ce08ab

SHA1
6f291049e55d6a6ecb27b7f3de937dacbeae9813

SHA256
fd60c0fdd42664cb14e5ba041b2a590520393283b74097797321e96653a8f44a

SHA512
3bda16b07badfce8b5fe647e61b6111b9465d6c91fa556b05a0d1b27e59048b1a60535dde86ed1b25decedfa69e9866dff280f74f256cb36692c8fcfccc24e8c

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
2KB

MD5
912c84982e94a3949244029f61818d34

SHA1
b5bb80da7259a959754976172688e93d5f4e458a

SHA256
edd3d6cddc6ef3d723f8f82499415f30a47ba1429852c69f27c8c4ac5600045c

SHA512
7c78ff9d540dcba90a1144ed737792f6f20a6a18ee0db9b31e3f01566a69f9a53fe59dc6221027f6b3d9b59b087d927e7403e476bf2cd920499486769e9ad0bd

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
6KB

MD5
517fef4c7cd7cb8e78ed89838796c907

SHA1
840c361d995569bcfe38c5e762693bc38d184042

SHA256
4fc3ea26891092bacb2a32c25765a9214fb2be3db991041142d2b540eaccbd6d

SHA512
27461ebe705426485f39b9bfb4a82e9a882a5ed89ad76a0335ce891193db25d97df9e61d30c7a3382b751134c03de2989d35ecd9ba5da7b1587f968ab0e8cc2c

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
6KB

MD5
45cf07b7e98102c1bdff48e0b628ce82

SHA1
38b114fc0d131a1d03148f9333180a1795a7c63e

SHA256
d23dffe58a3294a32b534c796f7901fd207092dc7c99ab55e189beb15c3bdec0

SHA512
3880cd96b84e00cc310a7c119edf6515689cffe73f404ee6512d64f87df6163c1509f0b9937834193ee72e7573da5514ddad0214321e03e1bdde1d18730dd9ac

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
6KB

MD5
27ceeb18fefca21c36f11f450ee4cd48

SHA1
6015813908e82ccd457242a7ee4180fc1716c254

SHA256
004238037a2900f09d3914dd3d87026cc34013012db435fd2acdef143e1a1c15

SHA512
1f64058d1ebfa13a54be6689386cc86ade8de0c0b7d25d1029d2fb2b8d64989f857fd9dcdc322f89b652195204a1914b6290d16c91096081f5816d46f6f9ef1c

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
6KB

MD5
6fee10c39da447d257601ab7cf2f2bfe

SHA1
47169c6916a8adb0dec8301e55a72ec6c646d2e5

SHA256
ae4b5711be30d2d1e65b53c9626a643e3bcd2f2b6b0072ca85cebe603076daa2

SHA512
a47fe8c4f2b0cf7cf88189a26a653fe3b9b97b0ac17cd39270fcf23f4aaa7be6cf0f1056524a38a4311993529b06bc9584cf5206e4adf9e5e8473cc73fc109ad

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
6KB

MD5
9c73e742384dccdd5b6e9cabc687a93f

SHA1
fdd2a54d8e1c6eec7d8a3544452961312f2d409d

SHA256
ebe3ce0979c55c0978c25cf668f6a9e9a606f6a401ae2ac5e1cb2c0155ed0c2f

SHA512
acc157a2d1ec0c4266bb1daac570e2b0ee75c2240ddf2892cafb437fa40c2e998d412a4b2808d4339e7dad3a8ff581b154538c5b2f3e7e2532d2cf409b62ce59

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
933b1514a76f224fe8adbaca147d735f

SHA1
f6c47994a564a8ba489d461f1887595354e92978

SHA256
bf998d07ae98659827fb5ae1ca294a9d0e5346deaa14b230df43974bc478db38

SHA512
ff4d609019b92955e5561dc937ed4363f69d3b4fe459f47af2a727a94750c99653393a4216672fd1a69f61a8b9a1e9874476f9998f4181ccd1273058b64aee47

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
830b463a5b65a1390ffb63224ee63785

SHA1
06efa785c66d75895e2b1976fcea8b05c1483f5c

SHA256
cc61c59a0341c90f49dd80d3659741e139f0c6f88262214127c97ccfcfb75ba2

SHA512
2d0c365b739a23b95c991db2733236224dc0fdabe1c804c8379a62b490754a0c4f90f28db9c53a59a59f53eee4ec082098a21f6a0017cbec27f6a32b325cced1

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
8233f2fabdf1c0d609bb5abd86fe2268

SHA1
c6d40b8b5acd16e6bfe401f0e1c1e2cfd34224a6

SHA256
3f6aafa88953ec3ad67a49c88097a8d8671d9d929cbc353c8d536e6785847e38

SHA512
a8c7a92583a10ac8ff5241316262bf78afc1c5003f0761e2fc3a8e401d86780eda5491b8e3dd785ec63199070a844892454f6180527d5858e2fbb9543bd1dd27

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\75fdacd8330bac18.customDestinations-ms

Filesize
3KB

MD5
a630a78a6415e240801b7a52980bf007

SHA1
babab11fe9affd468cd4ebf67925ba0917482f81

SHA256
d0419535999cf01be78b19c8cf3a24f393c1e85630eee63907c0024843f0d587

SHA512
26d808d6a3fc6c2ddaf008b634f6a40bff4dd7618dfd4213295cf53fd210c516be7ce909f0a629cd35bec4cea8f442bbd14a8a3f6370f64df85de18541ffdd16

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\75fdacd8330bac18.customDestinations-ms~RFf76e734.TMP

Filesize
3KB

MD5
a692c9a4b66c073598a8223b2c85b147

SHA1
61199ba186669daa78d280a57174e53fdb7d31c8

SHA256
61b870caa7a609280d672f1ac8b8791b45b24eb11ae1a9649c6c3e8d6bb5fa35

SHA512
4d2984cc7c80bc3eaa0fb8249dcb698aeb250e702028e36ffc886a72870cd8f0191d7ed0471e97e2faefdb89747640751aecdcef935c2299cafaf2920c58e4d8

Download Submit
memory/848-306-0x0000000000CF0000-0x0000000002427000-memory.dmp

Filesize
23.2MB

Download
memory/848-4-0x00000000001A0000-0x00000000001A1000-memory.dmp

Filesize
4KB

Download
memory/848-1-0x0000000000CF0000-0x0000000002427000-memory.dmp

Filesize
23.2MB

Download
memory/1264-11-0x0000000000CF0000-0x0000000002427000-memory.dmp

Filesize
23.2MB

Download
memory/1264-26-0x0000000000160000-0x0000000000161000-memory.dmp

Filesize
4KB

Download
memory/1264-314-0x0000000000CF0000-0x0000000002427000-memory.dmp

Filesize
23.2MB

Download
memory/2968-21-0x00000000001F0000-0x00000000001F1000-memory.dmp

Filesize
4KB

Download
memory/2968-309-0x0000000000CF0000-0x0000000002427000-memory.dmp

Filesize
23.2MB

Download
memory/2968-12-0x0000000000CF0000-0x0000000002427000-memory.dmp

Filesize
23.2MB

Download