55e4ce3fe726043070ecd7de5a74b2459ea8bed19ef2a36ce7884b2ab0863047

Analysis

max time kernel
147s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
15-04-2024 11:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

AnyDesk.exe
Size

5.0MB
MD5

a21768190f3b9feae33aaef660cb7a83
SHA1

24780657328783ef50ae0964b23288e68841a421
SHA256

55e4ce3fe726043070ecd7de5a74b2459ea8bed19ef2a36ce7884b2ab0863047
SHA512

ca6da822072cb0d3797221e578780b19c8953e4207729a002a64a00ced134059c0ed21b02572c43924e4ba3930c0e88cd2cdb309259e3d0dcfb0c282f1832d62
SSDEEP

98304:NzTZ3cINQscs0m++LNkT6OpwDGUUH57yvZ/49Mr8EO3QhA9Kq:Nzt3cINQscNmvLCwDkHEvZ/4R79x

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AnyDesk.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	AnyDesk.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1100	AnyDesk.exe
1100	AnyDesk.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
4564	AnyDesk.exe
4564	AnyDesk.exe
4564	AnyDesk.exe

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
4564	AnyDesk.exe
4564	AnyDesk.exe
4564	AnyDesk.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 804 wrote to memory of 1100	804	AnyDesk.exe	95
PID 804 wrote to memory of 1100	804	AnyDesk.exe	95
PID 804 wrote to memory of 1100	804	AnyDesk.exe	95
PID 804 wrote to memory of 4564	804	AnyDesk.exe	96
PID 804 wrote to memory of 4564	804	AnyDesk.exe	96
PID 804 wrote to memory of 4564	804	AnyDesk.exe	96

C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
"C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe"
1⤵
- Checks processor information in registry
- Suspicious use of WriteProcessMemory
PID:804
- C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
  "C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe" --local-service
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1100
- C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
  "C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe" --local-control
  2⤵
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:4564

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=3872,i,6862816582779850255,3437582573780299282,262144 --variations-seed-version --mojo-platform-channel-handle=4084 /prefetch:8
1⤵
PID:3376

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\gcapi.dll

Filesize
385KB

MD5
1ce7d5a1566c8c449d0f6772a8c27900

SHA1
60854185f6338e1bfc7497fd41aa44c5c00d8f85

SHA256
73170761d6776c0debacfbbc61b6988cb8270a20174bf5c049768a264bb8ffaf

SHA512
7e3411be8614170ae91db1626c452997dc6db663d79130872a124af982ee1d457cefba00abd7f5269adce3052403be31238aecc3934c7379d224cb792d519753

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace

Filesize
5KB

MD5
1b5b9c62ae927eb4a030dcbb963a6859

SHA1
e6af648e76a1c70d6058d76e4715fcd27f7b57fc

SHA256
6d5b3d02e6eafcf4116737f7600e699c5fb8b40db26748db06bf4c1764a96086

SHA512
64b63ed3d55277ef232403f25ce263a3d62ed81683183081108c4ac2218aa59d1c96da47bcc6a5890fcdfeab924aca82af5c6adf93d35dc2d9982967f7b17de8

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace

Filesize
8KB

MD5
f173d6f7b3b9664b854253960920e766

SHA1
9dc0bb590aaf73791370b6c292568b1e4567362c

SHA256
fd74e83bdc3bc9f4b39c9a1f7b423737d02880a94cb7b1d827c014da832635dc

SHA512
44b670dc9739fffdf4ee10ea6a0c190e23a0caa35ad0b2e0bc280b60488b00bc137cae8f9922a6ebb81313590f383952b3f1d939903be376609da80d360869fa

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\service.conf

Filesize
2KB

MD5
13ade117a57fd521adc2cb4c84771ef5

SHA1
71eb99ff8f57485ff3347d798c8b8f0ffd2d52ae

SHA256
fb6e4ce68fc164352b6eb36b0b651cc490642f1fd7b617bd19307f69adaac259

SHA512
90b5b3d5194bc2c364e5e673ddfcb915a4373a4efd957d5b2ae6e995fc75f9c960e8073026ba7f119d3c2c910c38d2630dea64e475b6d018ded9f9554b96e7ca

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\service.conf

Filesize
2KB

MD5
cb1b8a447b6392d07bb8ffb372316073

SHA1
5caef520e35e68d9d57aff402ec10c4fdc637519

SHA256
0539e91931bec25d80934a5a562c978858886997d16ee2bfc4e90cba5c5bc458

SHA512
aa0217a729e2fed378269659d1be3baa4b6c75b081412532d7fd45c7e80af4cc3dfbb89f4bf22ef5cadc238661888d232c1eb2225f5ba47d00e53ea936b00a20

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
681B

MD5
e49eface9599d9f0dfc94d29bbb4f23d

SHA1
eed519883e5165f7b4932e29df088ad2d01c70d2

SHA256
65b67f0de3546f9cf15ebf7f69f060b63390b997a2e8618959401177b5f40e33

SHA512
e2bd181c6b3e080ca237f9e94b0ff0a41ba80463e507cd36328894a86aab1a05951e0932ecffc1bb6f121cd43e8261abeac215113724fd01e1547100ef65d106

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
802B

MD5
82548c7e9ee6726dcdf216056549e2d3

SHA1
f6d6c6578364eff6f88fcda84b9fff04cfb3a65d

SHA256
e829d7f8c61f13162d7e9157850aa7447e5ac5b5e3e6b78c8641eba62d0bb5d8

SHA512
f08db092f6c7a3cd27635c5cd6f555c0c2f08fe1182bfa7bd1e66fd04c0cc737974cbc41825c3f7c872ab38d84e60d0f9ec24a88d57ab1ab02e80f33d569afae

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
312B

MD5
0c04ad1083dc5c7c45e3ee2cd344ae38

SHA1
f1cf190f8ca93000e56d49732e9e827e2554c46f

SHA256
6452273c017db7cbe0ffc5b109bbf3f8d3282fb91bfa3c5eabc4fb8f1fc98cb0

SHA512
6c414b39bbc1f1f08446c6c6da6f6e1ceb9303bbf183ae279c872d91641ea8d67ec5e5c4e0824da3837eca73ec29fe70e92b72c09458c8ce50fa6f08791d1492

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
424B

MD5
010f619dbca264677e2609825cd5f030

SHA1
74f21d91b0c254d382ed8aeba10c48642ddd28de

SHA256
0881f2b9ffbbcec8ec0840e0ac92220f028c9ca2937b3dc635702cbc517f7022

SHA512
e0b1b9184842191999d851682483bd65e63ad81cc0cf57ebc401e6ee624ee4bd9258297fe7c020d687cbacfcf548fc914263e51c060dd7b716e764f4e1c6af6c

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
2KB

MD5
e64cda519c1df4e57891bccd5cd4293f

SHA1
5dbf53c61461780c5ad486890d6003d694e099e6

SHA256
edf6fb893abbe5de71760410e4e768bd63a1b5ef34c1d9d366be7298f4bb087f

SHA512
b5874ed96dc68c1b5beb15bf981c622f95e8e2703cc4bd19f8c575890231f5cc8cbf3846c8db2b953de1b6b7f7678f224fcb9cf88feeddc3e7df34de279956ca

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
3KB

MD5
2e863e9401bd923e4bc27b2fe05f520d

SHA1
5bcfaa322f3ce7aaf639699e5a319dbd6775f071

SHA256
e3612b950a8896f896b9e00db5dea40d6e36ec4871d27e260090d6ce5dba730b

SHA512
a6312026bf9a4fa4ddfe0314acacd043ac2f1cb89705dabb59f9cca7e1e95be9462aa63b60170159ba1cbf7431b01d307aae467aa472ec66b6fed7d64246fad3

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
3KB

MD5
b73314832c6079b37f1499229ac276a1

SHA1
38db42cdca558a1837fc52034a07b81ce64db184

SHA256
a4c15b5e251dd2392cc2d8af9c94107c9e4af387f94a18f854852bad76071b58

SHA512
4c0d83834018aa65e1bad053abcd806a4111451ec5d35290d65927ce21860fbedbc5b21ce85ecaa21a03e3a96d6d4265c0f3f9249c711dce6c79a6b50c4df70c

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
3KB

MD5
2097f654675b2beefc96c6ddd4b278b7

SHA1
e5a6a3a7f209e4123b3f37f9dd51b78b62682adb

SHA256
1d5187e862ff122936f77b47f9e5fb6724fffde80f86a8913f268a12e0cd70bc

SHA512
ca23e663ff081f3fd5540e90432e866869f5415e58a3d055f43e26c2e0dc31af2ce5faa9fd906f33222bbc72f36d23c75eb31cd283be54085fda92530d08ecc2

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
6d4d2175658a57f8b4256ea8abf8d4b4

SHA1
4475310350d0e3d8e210f9f04d27919f5cd55e27

SHA256
7ee57f6c67f5cfad9c418d20d082d1c3350e47cc1fca2da466c14e8914d377a7

SHA512
a87d78aaba8a4de7bc32edbdba81f82c6f939d9bff93b8872443c5b2c6a9fd3a7e9fc8fc00065c11f8c2a9ed67d8273ca452ac17466bcff2f5b7d8dc441b1825

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
3KB

MD5
da759fcd76eeda5559a714c7911e8355

SHA1
f405cd47952e647fc25ce73fdc7ea68c41436987

SHA256
ed26dc749835f817aaf7a69e467872cf664340155e3c0efc279f3a2b1a356293

SHA512
2e9e0cf7d38e8b88e8bfea3aa52db97fe1098d4f8249aba7e28ba50995c6d7d643135bfe4289023990ff5aa9273151544dc581ab6912395b18e82480589184c0

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
6KB

MD5
b17dcc682c949ca9b7ee16f4697caa52

SHA1
b17f8669d0d044d489212ee9c6ef786dac9c4af4

SHA256
9a103c70000e4df380b449f36a804bebb227af819b92bf070957954595268894

SHA512
cd58baaef40fd71351d1c5970218c570c9fd88ba4dcb939cf72c7c9c1f395ed929952cb83a467e257c6b0df1fa3b9968236eed2948bbcee12542535b4ca18239

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
6KB

MD5
710882f45c701810bc6d4b301aa0e9c5

SHA1
c8ba31d196d74265f101ac444a1a1ce3fd446dfb

SHA256
582db827c3dcd3afe991489d59eae2c933d474aff5112f7dfb374de178194160

SHA512
dfaf173be2671a14a10270f4a6e733b04a71fdb403e2fc8da16ff222270f12d76ed3984bb827aa7df9a1d37c7de516536b60810ee90157150838cfc5d56a9764

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
6KB

MD5
9245e2870cecfbffb89e03a12b0bf3e3

SHA1
ff4015c7112d2c1c7efe57028c02d1bef7998e8f

SHA256
68cf8da150d67f2fa92dce069a244f75e7e4e2062a54531a6893503092c527bb

SHA512
fa0f2357f222869c3bbeb0bb757a5a0cfab84c3384fa772b95c8e45b78bc425e0ed4bef20b1edba7a9b4aa9d9d785ff28da31553964a8e9c5c113d74ccea0276

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
7086f5c82a2348f503b3f75131a191d7

SHA1
a8e4ac10df941394e0258a44b1bfc75fd65d24b4

SHA256
79d4adcc50b885c36371d7d50297b31a5b8a9f1169828a93cec823c224be65c6

SHA512
2df63a9737198b9f450b95d5a11d35d43af21faca06a6c0f3e9cd1ecc3e5ebc84015c767658c3d444a40974f1b04047e4612556677cf5d0a0cb088ce28d1f0bf

Download Submit
memory/804-84-0x0000000007460000-0x0000000007461000-memory.dmp

Filesize
4KB

Download
memory/804-81-0x00000000082B0000-0x00000000082B1000-memory.dmp

Filesize
4KB

Download
memory/804-241-0x0000000007470000-0x0000000007471000-memory.dmp

Filesize
4KB

Download
memory/804-1-0x00000000004A0000-0x0000000001BD7000-memory.dmp

Filesize
23.2MB

Download
memory/804-23-0x0000000005CD0000-0x0000000005CD1000-memory.dmp

Filesize
4KB

Download
memory/804-22-0x0000000005CE0000-0x0000000005CE1000-memory.dmp

Filesize
4KB

Download
memory/804-182-0x00000000004A0000-0x0000000001BD7000-memory.dmp

Filesize
23.2MB

Download
memory/804-291-0x00000000004A0000-0x0000000001BD7000-memory.dmp

Filesize
23.2MB

Download
memory/804-4-0x0000000003C40000-0x0000000003C41000-memory.dmp

Filesize
4KB

Download
memory/804-0-0x00000000004A0000-0x0000000001BD7000-memory.dmp

Filesize
23.2MB

Download
memory/1100-26-0x0000000002450000-0x0000000002451000-memory.dmp

Filesize
4KB

Download
memory/1100-183-0x00000000004A0000-0x0000000001BD7000-memory.dmp

Filesize
23.2MB

Download
memory/1100-13-0x00000000004A0000-0x0000000001BD7000-memory.dmp

Filesize
23.2MB

Download
memory/1100-292-0x00000000004A0000-0x0000000001BD7000-memory.dmp

Filesize
23.2MB

Download
memory/4564-184-0x00000000004A0000-0x0000000001BD7000-memory.dmp

Filesize
23.2MB

Download
memory/4564-28-0x00000000021A0000-0x00000000021A1000-memory.dmp

Filesize
4KB

Download
memory/4564-12-0x00000000004A0000-0x0000000001BD7000-memory.dmp

Filesize
23.2MB

Download
memory/4564-293-0x00000000004A0000-0x0000000001BD7000-memory.dmp

Filesize
23.2MB

Download