55e4ce3fe726043070ecd7de5a74b2459ea8bed19ef2a36ce7884b2ab0863047

Analysis

max time kernel
143s
max time network
150s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
19-04-2024 23:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

AnyDesk.exe
Size

5.0MB
MD5

a21768190f3b9feae33aaef660cb7a83
SHA1

24780657328783ef50ae0964b23288e68841a421
SHA256

55e4ce3fe726043070ecd7de5a74b2459ea8bed19ef2a36ce7884b2ab0863047
SHA512

ca6da822072cb0d3797221e578780b19c8953e4207729a002a64a00ced134059c0ed21b02572c43924e4ba3930c0e88cd2cdb309259e3d0dcfb0c282f1832d62
SSDEEP

98304:NzTZ3cINQscs0m++LNkT6OpwDGUUH57yvZ/49Mr8EO3QhA9Kq:Nzt3cINQscNmvLCwDkHEvZ/4R79x

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	AnyDesk.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AnyDesk.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2704	AnyDesk.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
2816	AnyDesk.exe
2816	AnyDesk.exe
2816	AnyDesk.exe

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
2816	AnyDesk.exe
2816	AnyDesk.exe
2816	AnyDesk.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2968 wrote to memory of 2704	2968	AnyDesk.exe	28
PID 2968 wrote to memory of 2704	2968	AnyDesk.exe	28
PID 2968 wrote to memory of 2704	2968	AnyDesk.exe	28
PID 2968 wrote to memory of 2704	2968	AnyDesk.exe	28
PID 2968 wrote to memory of 2816	2968	AnyDesk.exe	29
PID 2968 wrote to memory of 2816	2968	AnyDesk.exe	29
PID 2968 wrote to memory of 2816	2968	AnyDesk.exe	29
PID 2968 wrote to memory of 2816	2968	AnyDesk.exe	29

C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
"C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe"
1⤵
- Checks processor information in registry
- Suspicious use of WriteProcessMemory
PID:2968
- C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
  "C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe" --local-service
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2704
- C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
  "C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe" --local-control
  2⤵
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:2816

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\gcapi.dll

Filesize
385KB

MD5
1ce7d5a1566c8c449d0f6772a8c27900

SHA1
60854185f6338e1bfc7497fd41aa44c5c00d8f85

SHA256
73170761d6776c0debacfbbc61b6988cb8270a20174bf5c049768a264bb8ffaf

SHA512
7e3411be8614170ae91db1626c452997dc6db663d79130872a124af982ee1d457cefba00abd7f5269adce3052403be31238aecc3934c7379d224cb792d519753

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace

Filesize
6KB

MD5
92d653c14796f37a54d746ff8a8c5c62

SHA1
f6c5b9e947368812e1a7b497031b65e142857848

SHA256
4ae6fa6a1db6d12cddb8b8f07041ba26cbfa96b67903ed4b2bcc580bb0997b24

SHA512
e250b2c8145d3225ac04dba8fd4622e112b38244b8fbb420b31776758e9a0f38ab31497bd55b3d468211c1ded2e543fd21c10c67ea51ada0207f0af3a093c2be

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\service.conf

Filesize
2KB

MD5
47e82705495a07501905e55e10ac2f09

SHA1
8b400454efa8a3a2bc6db01714d121469b90865e

SHA256
33619c05e8bac2933c3282d58b08278474a4997aaf7fb049b1e297a61b42e0e0

SHA512
d8ffc6bcd76d62d96f8cb02d93ad678a407a5f8467065407603cc44d5dda78728413f1848e1f5ef233cba3300f64d41e6ec4f121748e519a23fdf96f14218f41

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\service.conf

Filesize
2KB

MD5
2b16d4859af4084526997e4e77146c8a

SHA1
3c443757bb3d6c4e7d05e99175f8deb2c1f23740

SHA256
5f6d102b9f5554b633bd34999f14611a8ba37b21ddc0342a50cdcb5beeed9cf1

SHA512
180daf187bf2a4935fbc97924b6ff138c3514a9f94e02fa0757d20b28ebf5722e21fc488321dc9ba8b6fc0c6d6955157d61686df3fc95b588ae4e1a23f94f974

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
681B

MD5
363969262895154f3bc7cb49770673a6

SHA1
691fe61a7071aad7d8816359cea5e3985debe45b

SHA256
b587b18aaeed086769fa6a79ad87e593bdd8b1d1c1eaad9961e285fbddd4093a

SHA512
6ff9b5c69c66a22e3864a53dcc8cf9b1926fc90c05b710f59f6c3d0781c1d3fcf2ce077cc7ef7d5a2161deba3162ceb95f2887d259b22401896fd0fe2b2a09b8

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
745B

MD5
c4e74bbf789823e886ee9dd93764e34e

SHA1
4b867e76d528aa29e7d053d606553e4046d17d5f

SHA256
9aef2f906d33af594e0a19853ea6990861269128bd61293ce4d291aaa9194273

SHA512
c05d355272208b3d81c51aafa5da13a37a2365463afc938ae187121a4ed8e0b87f9a7e5d541926a7baf30ef6640243b1d1768c0aa1347d05d84f3827d7509202

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
802B

MD5
26232d3441abb7a32a43b3913932fad7

SHA1
73c11f1b965f73ec4ef740b8d3f1817f9d138f5b

SHA256
a42dd4d3558ed2f0ff88a68bc22391e3eb4d077027f9c3c2de76582a4c51ab63

SHA512
ef7a13b90fb83a59b18206813ea48f276ee91a9f07678263857a29642173671a16513672cffc024450faaf51578db8e757676d0a288bf41a587137d15057273f

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
367B

MD5
d663403f26a39c72cd3a76e540daf9d7

SHA1
7004aa4de96a75d3023fbb57bb599998e1de2539

SHA256
8db03157a85e6b42c38619f50fb3c2d3d0896cd461a066750e079795d0257763

SHA512
ee2b7bf1a8f2e857a53c62edd3329c8f1465ea8262f90a92a0350e50b365d03fcd85498d977ff23af6bf4fa64078c5d98aa2a6f50a37549440a5a489f57f55e6

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
424B

MD5
0ade9cfa88132822e551819e5b5b05b3

SHA1
8ae3abad4227ffdaea4e4ae80806f922dfe512d2

SHA256
a5458ab91ed4fcbd72c5a75e899e342794a88e227ef57be31c4e7b362dc10076

SHA512
a3e9d91a7c20f9450fc59aed08cb700be370bd1b144a31b53011dc04022cef96b36c1defab233da964053db853153a1b9caacf6b1dc3a536b5f67f2f9d040ce7

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
49ceefdcaeec4b8e724541518de80000

SHA1
27b6a79e22e3fa48fce4ac9c4d863a546237768a

SHA256
2fba49fc1b311cfd98625fdaa3c3fcd1bcb26ae2563b24ea176c412a02377329

SHA512
23123269738b114ac9b30ac896f315e6b5d40da6f2cbb150b158d67799a8f5749d73e287c13ede7478577c4ccec12e2651b9cd5ab77e1958c0739ab29978610f

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
2KB

MD5
fe68315fb7e56f05464056e28cfdf7fb

SHA1
91bec379d577407d196c664d55ad1c2ebb293cbc

SHA256
9650259ba8c8df0bbb28466d099cce909ddb486e7aaa041d434c8691c4741eb0

SHA512
e3e88fcfd8cbc24ec7b4ac6e5a3264428a268438f5949ba83dd3439ea5ad1bf173fc959d1ccd0dd8dee58e093d21d5482ed75005729d333e21dff38144ce719b

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
71c3d619bf18f7c3148b3279daa4f5f2

SHA1
f303c3ea69cfb22b59d4f0169b03320206f638b7

SHA256
95310bcce3cfaed4989f168fe688ca0da027431a184c0e6ae51e9d0daa8edba7

SHA512
71eae0f1ecb022c2cd198df52c29c9ce343100934a865da85e235fce3bbbb58bd6fe056a578a9c54e0dacf1973339d803784d71f59414c14c9873ed6d1b4047e

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
2KB

MD5
54504b72ca3c8539fa54c705fbbfcc96

SHA1
a6f225d46df3caffc04ee984d3693f31db6c4ae5

SHA256
41066e019d80511a68083553d9915abee4cf02ebbccbbae1a488df7fa5e4dc20

SHA512
e4da2f04a9aaf3a411ffe6b97b03e4deffd13534a7db4655bec4c7e8a2a295cc93cd752a0b301727ef80c2c783ab41184900a10b7958336c952f122aec23ca0a

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
2KB

MD5
233ff959e48961a363017dfdf1348ff7

SHA1
88cbd174d51feecb54b0c86372e2835e79f272d2

SHA256
b1ab886600127d3327c5b7002d3b71ba25520f0ba402953357321a5906be67c7

SHA512
f59937bf0aa3753c1e05ecd3cc9503d1e26d8e961d008a31a0911f72e79f1482502b9d3fe1ab824450844faee3fd828cbd99ddfb75064466622bb6522ad5ff52

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
6KB

MD5
230f811a36e7e1ae432156b1682b28b1

SHA1
69d77c5abf79fb85dbc9230003972bdf0fb996d1

SHA256
a6cc8ba5576120518fe682583f3ecf06b9cd7ee4a25ebdb916b3c0fd033eeeb5

SHA512
5cb5ee88ecf2c1593b02f40a353bdc2dcb00ba2511d52f1a232972533241a04210725cff72bacd527e9e5e6e916c255275d10db7065c501992dbda70f0b4de96

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
5KB

MD5
04c1e4cdc9f4f10d00f863bfd3c7eabe

SHA1
6785618add892c31240598cc98ec072dc3c18b02

SHA256
6d194be4a8629a1f654673a9f13b51e23ed54da85ddbdc7000117bfdb423b207

SHA512
9749fc03d3bd410f419e1aca358ff96ccc661f1ce0919e16ddfaeb9ba55c73ea8644b0ca56fb55ca6f3955a7c337a7456e863a8820bdd4b2b2da03af931daf6c

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
5KB

MD5
bdb4b025e991385c243902de0d8060ea

SHA1
9315e9e51f53dac6c73028a66681897da2306a20

SHA256
e3d218f23662b90f6bf49f5f758b28c523e2e3c9db7caa0ef5ef4ae4dadfe49f

SHA512
8de955f8fdbdf56fe957d9309c128ab5e62bfd0bb2d1c1170c5408b1068f96f73ffcb71afaf2ed44433ea95178b7035e072661d7dd340e354f314e5bc8162ea5

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
fed37f56bc3dac559ac6c6676d247de2

SHA1
0a923c255c3da935f9eb9e4f208ccf680abee36c

SHA256
2061637f34ccb331e743048c45548921a01cb8b29189e131dbbaa702d076e58f

SHA512
0c431c6e051c07734c0eab3bf1ac25f61e6fcc51059721de2eba005c0c923fb7539017040141e7df4aa59cf2fa8fba0c64f18d2300fbcda10341e3b0ef2ac68d

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
2969d689fc80518bdecd461e835524bb

SHA1
8a4a68861387d3c5d9c821e233a54e0690e0082b

SHA256
077b0e9c7e2768caae39d14cd0648f2a3fe23d1a9d7d255d43e3d37619182fca

SHA512
4bbe45ad8cf28641f5bd668c5e9ebd9d60b7572b8a72765fab972569633577beaff5ce394d94c08db0badf2aa1091fbba01c9f93d7081ba587cac7a58df45a53

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
3c8069f9d18670df0ddc8a2628037517

SHA1
6002ed1eada6f0bcfde619254926e26350952c79

SHA256
8c8c6c624c0c7356293a29fc0739fde7e74eb1b0b23e0c016f3f0e92def9da45

SHA512
177be1737c73fea50ca3dde119ff0cacddabbfbeb6770161f112c0e6bef1247fcc19db707965a319cc99892aa112f85ccad294c41d3af32129394d7f7707bb9e

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
efcc1fd3d19e69b8ce5cff3aa884df57

SHA1
4c020cbd328fc4bf02414f8c36d6f49dfb150893

SHA256
cd0d4b1e1b87646182e8014c53c56737df68b3d9c5dc12be94c021e5516b8ca7

SHA512
2886d7e09b6666f9cfa7e4bda4818d45bb21210509654fb82997dad1353f2e7bddec276accebbf6fdd7f7af745c0920b3a8c15330a055f12fe2498d9adb744b7

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
f70ce0caac70278a2f0edda008243822

SHA1
d0b98fc8269fd4af7a681e521d8c45141f00186a

SHA256
9f34edc6a43a92236509ec2b2fd73a3beca3e4209490a72793362099a3717eef

SHA512
80751ec7281ebd7c199589f553887d5c8c2c68edaca69b09e8d3848becb3d0f6954c79ce888372fa4465b7dfd193e29a80b4a94961521e20675877ebf9ada12b

Download Submit
memory/2704-298-0x00000000011F0000-0x0000000002927000-memory.dmp

Filesize
23.2MB

Download
memory/2704-151-0x00000000011F0000-0x0000000002927000-memory.dmp

Filesize
23.2MB

Download
memory/2704-13-0x00000000011F0000-0x0000000002927000-memory.dmp

Filesize
23.2MB

Download
memory/2704-35-0x0000000000170000-0x0000000000171000-memory.dmp

Filesize
4KB

Download
memory/2704-14-0x00000000011F0000-0x0000000002927000-memory.dmp

Filesize
23.2MB

Download
memory/2816-11-0x00000000011F0000-0x0000000002927000-memory.dmp

Filesize
23.2MB

Download
memory/2816-153-0x00000000011F0000-0x0000000002927000-memory.dmp

Filesize
23.2MB

Download
memory/2816-299-0x00000000011F0000-0x0000000002927000-memory.dmp

Filesize
23.2MB

Download
memory/2816-29-0x0000000000130000-0x0000000000131000-memory.dmp

Filesize
4KB

Download
memory/2816-243-0x00000000011F0000-0x0000000002927000-memory.dmp

Filesize
23.2MB

Download
memory/2968-92-0x0000000004840000-0x0000000004841000-memory.dmp

Filesize
4KB

Download
memory/2968-22-0x00000000010A0000-0x00000000010A1000-memory.dmp

Filesize
4KB

Download
memory/2968-244-0x0000000004850000-0x0000000004851000-memory.dmp

Filesize
4KB

Download
memory/2968-23-0x00000000010B0000-0x00000000010B1000-memory.dmp

Filesize
4KB

Download
memory/2968-150-0x00000000011F0000-0x0000000002927000-memory.dmp

Filesize
23.2MB

Download
memory/2968-4-0x00000000000C0000-0x00000000000C1000-memory.dmp

Filesize
4KB

Download
memory/2968-1-0x00000000011F0000-0x0000000002927000-memory.dmp

Filesize
23.2MB

Download
memory/2968-297-0x00000000011F0000-0x0000000002927000-memory.dmp

Filesize
23.2MB

Download
memory/2968-91-0x00000000051F0000-0x00000000051F1000-memory.dmp

Filesize
4KB

Download
memory/2968-0-0x00000000011F0000-0x0000000002927000-memory.dmp

Filesize
23.2MB

Download