55e4ce3fe726043070ecd7de5a74b2459ea8bed19ef2a36ce7884b2ab0863047

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
19-04-2024 23:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

AnyDesk.exe
Size

5.0MB
MD5

a21768190f3b9feae33aaef660cb7a83
SHA1

24780657328783ef50ae0964b23288e68841a421
SHA256

55e4ce3fe726043070ecd7de5a74b2459ea8bed19ef2a36ce7884b2ab0863047
SHA512

ca6da822072cb0d3797221e578780b19c8953e4207729a002a64a00ced134059c0ed21b02572c43924e4ba3930c0e88cd2cdb309259e3d0dcfb0c282f1832d62
SSDEEP

98304:NzTZ3cINQscs0m++LNkT6OpwDGUUH57yvZ/49Mr8EO3QhA9Kq:Nzt3cINQscNmvLCwDkHEvZ/4R79x

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AnyDesk.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	AnyDesk.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1884	AnyDesk.exe
1884	AnyDesk.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
1116	AnyDesk.exe
1116	AnyDesk.exe
1116	AnyDesk.exe

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
1116	AnyDesk.exe
1116	AnyDesk.exe
1116	AnyDesk.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4032 wrote to memory of 1884	4032	AnyDesk.exe	88
PID 4032 wrote to memory of 1884	4032	AnyDesk.exe	88
PID 4032 wrote to memory of 1884	4032	AnyDesk.exe	88
PID 4032 wrote to memory of 1116	4032	AnyDesk.exe	89
PID 4032 wrote to memory of 1116	4032	AnyDesk.exe	89
PID 4032 wrote to memory of 1116	4032	AnyDesk.exe	89

C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
"C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe"
1⤵
- Checks processor information in registry
- Suspicious use of WriteProcessMemory
PID:4032
- C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
  "C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe" --local-service
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1884
- C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
  "C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe" --local-control
  2⤵
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:1116

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\gcapi.dll

Filesize
385KB

MD5
1ce7d5a1566c8c449d0f6772a8c27900

SHA1
60854185f6338e1bfc7497fd41aa44c5c00d8f85

SHA256
73170761d6776c0debacfbbc61b6988cb8270a20174bf5c049768a264bb8ffaf

SHA512
7e3411be8614170ae91db1626c452997dc6db663d79130872a124af982ee1d457cefba00abd7f5269adce3052403be31238aecc3934c7379d224cb792d519753

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace

Filesize
4KB

MD5
43c036d862416416feb63c3ef85f287a

SHA1
cd6bf66711ccabffcda63fe268a14244cf1497ac

SHA256
49cd5bd7b9f5e7939d00775b2d00c23f5532b324125833738495991983f09a18

SHA512
03fe0e13f5ae9778e6adf9562e8c6539b19c2c523e6ae566f91ab356069d45dbbcbafe864dc573a581868202747d7eb9a4ee19d22ea4a779f0c5e13b388e7a62

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace

Filesize
9KB

MD5
bf8cf3a2bd7043ffbe3cccdf2863bace

SHA1
01f359f2a4f1d757b7cf38c1857d6fc4c7926693

SHA256
3050d4821878081265fca47adc442397e1841c23771ac44ec34f66a3695c2435

SHA512
47c5d6bdfd08c582b93bb615b4fa523b87ab31fd542fec929d537f9e0a36f8845e9cf37716890e96852c7a739b37ad1db8febb277f785399aa338a2eea68f243

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\service.conf

Filesize
2KB

MD5
6bf039061fd7ecbbb491eefe6f9086b8

SHA1
b89d800d5d5f0e2920b4deb0e8db88eba3dd46fd

SHA256
151a9d03503af1a2f9f0052428a33d20cbfeb4dd5a96c5499e4ef1195ec5ed64

SHA512
640c85c06d15f54281236d421f081e12efd2d4f77d9dee791b0bb7735abfce1a4256f70c6ed08f67514ec67bba920a42edf0564a823b70734ce5b6fb084cfacc

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\service.conf

Filesize
2KB

MD5
fd470b3e10cb45db598bb8d1d8f365f3

SHA1
55504467a06438a270a3f0377739f0b68a68a5ea

SHA256
86d37f081394ec9c73ef15e2642ff3826b5e3726061a970b7a2607074fe21d6a

SHA512
8b24c138f688b0126f53fd2a1aceb7c67e0098647576368b5755e9ddea290097f41d52f7727152814a4bfa8309c2cc7d204b4f4f1aaa8a99798bd60ad121ec1d

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
681B

MD5
9a151bd182309a67be18be7d22f6468e

SHA1
35eb4c0bbae4c98ae866060348d7db42b7607252

SHA256
86fab97018092148eba4d70e0ec3958ad78e41454a87da2fed3ef878f9de7391

SHA512
95b003749bf551a8dde11fde16278224b049841b2aa9bf50ad63e39fa71c6ce3aca1f4c6623bc9cbe00364964dcb28cbb74aa0554811167ba66bffc436ab2343

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
802B

MD5
52856c1fc5ceb93dcc3dbbc972bf51cc

SHA1
e50eeb1ceec72181b82b57ecd3690eeef89d5bf9

SHA256
44da7fd40e90b39cc5a338700c185bc0ed8013faf46368af1da726dfff120c77

SHA512
fc1d2b23c49c02f575609f9bb60d61dbc11766ec8bef5ffed77355e2195bea9bc17e8dea8008f13a8d94476daf0d31305f4ec1a881651562a4f511ba787fc560

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
312B

MD5
0c04ad1083dc5c7c45e3ee2cd344ae38

SHA1
f1cf190f8ca93000e56d49732e9e827e2554c46f

SHA256
6452273c017db7cbe0ffc5b109bbf3f8d3282fb91bfa3c5eabc4fb8f1fc98cb0

SHA512
6c414b39bbc1f1f08446c6c6da6f6e1ceb9303bbf183ae279c872d91641ea8d67ec5e5c4e0824da3837eca73ec29fe70e92b72c09458c8ce50fa6f08791d1492

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
424B

MD5
ffc5287d6f88d2dd4ee1c316e054e97a

SHA1
5007490e1e2976deecbd39cd35b6e7ca79125714

SHA256
5f1782db784080405f41c1fceafd35500392ab7fdd67ea299efb2d434e629acc

SHA512
74164375851b1ae2ce7a5a796cdbafddce6eb03a65f3109c9120df29de03bb4b20255b51ea99b6f700babd25d10b475885031bf2bf1cef754e61ed31d2b8011c

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
2KB

MD5
796c9ed7fa0f2331a93cd3d24ee4edf1

SHA1
8fdb264b1a8c3c949ae86942f670534b3580b20a

SHA256
55e813ed583e4b22c5b780c5053a08a9a791d95ad58725d73ebf447b717f3038

SHA512
5185a6516c96443ffd625c4dbe38dbfca039c08502d091e53de00a2ee0b373ef07d1f174bb7a9e06fde3c59f9e038a80855cf9133101cdd88d9c4d10c6a62309

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
2KB

MD5
435c5c62c4ec320851a5cc9ca9d348ec

SHA1
52d50404cafcc6a7e2fefcfa83aa032439318c1b

SHA256
7f17e7bd97aae342ca13a11a9067907e5369c08ef70b9cbaed84186296499826

SHA512
d39298f63fa38cb9e41d33cc1b2425cefad901bf88f0323d53e4ad21f012d40c41f7ad6f984b54804e43b64ba14b6f621e9487f1eb8a15e808911c5656e38453

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
3KB

MD5
0116943fc5a5936926f052a62dfda0de

SHA1
03885173af9cf72483043d44c78ae632523704b3

SHA256
a5a8521d891322c5dc602b3f879684b63a70ebce92294d2906d9aadb8623d4e6

SHA512
5cecc81746b15a174a2e4e86ee3e32c866655721d23c8ab7e04e50a97d58031180a13f0e6cb69595266a8e69c35e75fd3ee73db09f33237a4551f60dc4542b3c

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
3KB

MD5
aa50e2e43cc69d2cb66372a6ec22ae17

SHA1
034b88159be91e8e977bf4fe97be7141385c700d

SHA256
6d689c7205e8a0b272de3915a29a98066c1b3576c29c2982892dc6b8ec84b6bd

SHA512
39d8618f0aee71e71e463dac14bb6b2fdb46c9d10fa55c0cf6daf1873ad22539831a714b7eaaf7df2b2b675c16b82243741f10d95bd73328ed5b099f19d1cf97

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
3KB

MD5
5c42e84c5bcc4fcbbac6517fe9bb8b22

SHA1
f1696cb98326f5a35f4660e2ca5043c1194609e2

SHA256
c2e3ea36c43982c8ceeb0e2270123dc91987286e22feeacb835b8c10843c7882

SHA512
a11ec4bd1974e076172f74096050c847b416fa18a45dce5f8ec747f12ae7d21f44a0a899588a0e5e60d76ae5887dfb57b88e2a37f82da2a0c3b941cca7a70a9f

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
9e38e674ac367e109e0e4d0d86ac0444

SHA1
0849a17a8dba4e444730040377f1f6f4ae51ee7d

SHA256
100a4616caa5e2a54775dc48a9988a067e6769225e668fbeeb9780689c4c0a56

SHA512
d768d1bb04664e720e9388b9dadbe6ac72cbb58f88d9de0cc6d07f45a4ee406d9b1763a89dfa299b1e55f9e09c446b60ae49d2cf99b66d14397ab2e02123c715

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
3KB

MD5
8000e282cb8809a11691b40bc61f4a27

SHA1
de293a8bd57875e8caeac322a382ecf1964ebb01

SHA256
d05c5a971790ddda7a112f4480e859613f1bf9dd0dd42422f94ba0a2c7be13c5

SHA512
9eec9104295e6cfc949d378bc99727286a4239e465d8f83ea2619ce91936ca8bed667f3fc23bb6bb7120a53005e24aa60bad136e0b5a7c0b4eb9251e23348d44

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
6KB

MD5
07336c75e8c79304bd32346263feb775

SHA1
4d76d8c697c4cd630e3ecd6c720654b2f7beca3a

SHA256
43a02b4ac50be34da917f3e691943f5b5256bc8bbb87b609b0ba1e4cfc62099a

SHA512
64fbf63fe1654627cf0eb6d128a85e70364849580809282819d299c8eef35eaa6449f24fce0e2091901eb7aa5840c69bcc7c000fd1d4115a2e9c627fb658f369

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
6KB

MD5
0d3224cde66fd79a2c42fe7199f155ef

SHA1
96b8b04830bdda4faf959c302157d62f8d6dba83

SHA256
0292daa1920005c3fe26c269e6d67bcf8a7aa02e5fafedb618e4eda9034098c8

SHA512
96a0ea2ff2732146b18ed37dc1b54c55b2c089b7177266ac4d23bc69105eb7d4a027315f91f8803a6574eb7d3f57632e1622baee17625f9cb9695574ecdbf6ff

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
6KB

MD5
d0af98b7582f1c11c9e7b62af877afe1

SHA1
4e65107156ec3f49ce131a298f4b1b3f405f92ba

SHA256
e6238f921ed6ea9cc8a8b10c5a1aee19d83f686e1b475f15d5acd2b956ead91f

SHA512
bc00e47eed03b635c4743150b8aeec69ccd68adde29b86b5fe8f299457ea96ee8f3d8555cb62a9022316e1097f2495c66852e11d243a02d2a75e2bab7d8d2348

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
08ef6b578a1d9211fd7db56dad006d39

SHA1
f7f241ba36b2ce2685009a97b2e7186ee2c8b6bf

SHA256
8e8c72da1ac545e96d4ad6c022ec2ff573c01fa7347d69f7e85a75163d8cda8f

SHA512
2eed248f9bad84bb71517228186f5fbe433f0cc805d52e7ecbe0035ef03d023776031ef9827b9e01c276c61375b2568fde9bf4857976aae6b2e6850edb7c4a87

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
31171e4aa303271bff65d6657ec3148d

SHA1
41b9b05788c9ac9f77f753c516d3c9f6bab7a9ff

SHA256
98a3113787fec9bb73330043c9ab0e7482fbf79cba1b57f401a2d801647c2d6c

SHA512
a1b8d3d411579796dae5a6f402b4324c92aeb0f00ebc4ecc4da74fb08b6fda9fcace9a5de07daf106b5603937c7a4f3854bd81e73bd0d49eeff45db1863ba689

Download Submit
memory/1116-20-0x0000000002170000-0x0000000002171000-memory.dmp

Filesize
4KB

Download
memory/1116-244-0x0000000000280000-0x00000000019B7000-memory.dmp

Filesize
23.2MB

Download
memory/1116-12-0x0000000000280000-0x00000000019B7000-memory.dmp

Filesize
23.2MB

Download
memory/1884-243-0x0000000000280000-0x00000000019B7000-memory.dmp

Filesize
23.2MB

Download
memory/1884-14-0x0000000000280000-0x00000000019B7000-memory.dmp

Filesize
23.2MB

Download
memory/1884-32-0x0000000003FC0000-0x0000000003FC1000-memory.dmp

Filesize
4KB

Download
memory/4032-33-0x0000000005A80000-0x0000000005A81000-memory.dmp

Filesize
4KB

Download
memory/4032-1-0x0000000000280000-0x00000000019B7000-memory.dmp

Filesize
23.2MB

Download
memory/4032-86-0x0000000007210000-0x0000000007211000-memory.dmp

Filesize
4KB

Download
memory/4032-3-0x0000000001F40000-0x0000000001F41000-memory.dmp

Filesize
4KB

Download
memory/4032-230-0x0000000007220000-0x0000000007221000-memory.dmp

Filesize
4KB

Download
memory/4032-0-0x0000000000280000-0x00000000019B7000-memory.dmp

Filesize
23.2MB

Download
memory/4032-241-0x0000000000280000-0x00000000019B7000-memory.dmp

Filesize
23.2MB

Download
memory/4032-45-0x0000000005A90000-0x0000000005A91000-memory.dmp

Filesize
4KB

Download
memory/4032-81-0x00000000081A0000-0x00000000081A1000-memory.dmp

Filesize
4KB

Download