9e4329afbd18a6a1fb67331c4c63662bc6324713ead6fa1bae07b22283d39ce1

Analysis

max time kernel
145s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
21-04-2024 12:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

AnyDesk 8.0.7 + Portable.exe
Size

5.0MB
MD5

40483c4ac249b747060ac46cce13ab6f
SHA1

0b82b980eea1e8d2be9e70e01fe1421aa38abc7d
SHA256

1d0d0a6c3770c390744033232a8de0bf682716849ebc2866118c65c51cf5d4d9
SHA512

d589e46cacb338a8624b07dc43dc88d3a4af736373e5023021b7c9cfc54dc957cb40850a800054800ca24aad856be49279a713b02134157ae57cf3b028fa01ff
SSDEEP

98304:BUBtTfLX1LNmue0GQwiGPzWpXH7VfiDmsDXEc9bl4ziMvEZWj:BUfZL009wzzopfiDmsDx95ItEYj

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AnyDesk 8.0.7 + Portable.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	AnyDesk 8.0.7 + Portable.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4632	AnyDesk 8.0.7 + Portable.exe
4632	AnyDesk 8.0.7 + Portable.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
3892	AnyDesk 8.0.7 + Portable.exe
3892	AnyDesk 8.0.7 + Portable.exe
3892	AnyDesk 8.0.7 + Portable.exe

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
3892	AnyDesk 8.0.7 + Portable.exe
3892	AnyDesk 8.0.7 + Portable.exe
3892	AnyDesk 8.0.7 + Portable.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4376 wrote to memory of 4632	4376	AnyDesk 8.0.7 + Portable.exe	88
PID 4376 wrote to memory of 4632	4376	AnyDesk 8.0.7 + Portable.exe	88
PID 4376 wrote to memory of 4632	4376	AnyDesk 8.0.7 + Portable.exe	88
PID 4376 wrote to memory of 3892	4376	AnyDesk 8.0.7 + Portable.exe	89
PID 4376 wrote to memory of 3892	4376	AnyDesk 8.0.7 + Portable.exe	89
PID 4376 wrote to memory of 3892	4376	AnyDesk 8.0.7 + Portable.exe	89

C:\Users\Admin\AppData\Local\Temp\AnyDesk 8.0.7 + Portable.exe
"C:\Users\Admin\AppData\Local\Temp\AnyDesk 8.0.7 + Portable.exe"
1⤵
- Checks processor information in registry
- Suspicious use of WriteProcessMemory
PID:4376
- C:\Users\Admin\AppData\Local\Temp\AnyDesk 8.0.7 + Portable.exe
  "C:\Users\Admin\AppData\Local\Temp\AnyDesk 8.0.7 + Portable.exe" --local-service
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4632
- C:\Users\Admin\AppData\Local\Temp\AnyDesk 8.0.7 + Portable.exe
  "C:\Users\Admin\AppData\Local\Temp\AnyDesk 8.0.7 + Portable.exe" --local-control
  2⤵
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:3892

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\gcapi.dll

Filesize
385KB

MD5
1ce7d5a1566c8c449d0f6772a8c27900

SHA1
60854185f6338e1bfc7497fd41aa44c5c00d8f85

SHA256
73170761d6776c0debacfbbc61b6988cb8270a20174bf5c049768a264bb8ffaf

SHA512
7e3411be8614170ae91db1626c452997dc6db663d79130872a124af982ee1d457cefba00abd7f5269adce3052403be31238aecc3934c7379d224cb792d519753

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace

Filesize
9KB

MD5
3ba303637ec6fe901d97df7589bf4b1a

SHA1
ed5fcc595bc6c3b3d444aa95fb05305739e1a3e0

SHA256
7687c4dbbc8dadb7d5c4c68871c48888f6c3b6d9a2d4ce1c71c356f6b0d84601

SHA512
7478e478cd19b4a59c5930033843a836d6de68b1fb07c857a481b894d7778da5c18b706ef0a1f784c4fc092b1512513a6516e55c3895c5dc34e88abee6882d81

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\service.conf

Filesize
2KB

MD5
a41de357e2cd1bf0bed4e40df97a5cac

SHA1
5e6ec68606ab3ee9a528f48de6ec0355bac4c9ff

SHA256
48dd76628af767f8aa679856056b1e57a2d0455b8288fa4d1e404c625c5fad23

SHA512
021ea222d7d6996453fa946d3f088cbf21220dd0b32a577e0534453277bfc3902655e578bb9689f5de965862d58dbd25d6f9e4ff8d810241d30bd56b02666014

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\service.conf

Filesize
2KB

MD5
a2fde4398083db1eb0b48753b8910d5b

SHA1
2849c7b61b1fbb77b9c9a2f513d25b257319c74e

SHA256
55a0a9cd4124e9dc5c09be9d1d2ece7a234e572fda7fd59ed866b6765b519eb6

SHA512
569653ef94f3545848350654a9f52b69d96dedcfa3b9a7bb45651eba7ff923f959e240fbbdd97b1fd43ca07e101693813f7db91f83e98ee1df9ef793cec99167

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
681B

MD5
dbe6867565ec136accdab31b6d8d792a

SHA1
74afb75e93391a45f4c01f67e8152e257f217acb

SHA256
5fa776fffd84c8e4d9eeec08194393b3bd644b891bb7ce9aee2795c98e4a26c6

SHA512
76b48ab9aa476c8405697e0ada89ef7419052faecfcef1c7ad09b9c918b7b645a13dabaf750c1d67666be1c421d74c5af83f4fcf1af2e16d440c1f55144c78b3

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
802B

MD5
a19c5fa997926f4861a4ae52a8f08e0a

SHA1
d8f6506355cd560116149de9facd802aac5c58b2

SHA256
5bd6bffd2f74bc1fdc94479afdf80278bea1b5d986a28bac36bc140922053e9d

SHA512
5d8db5a67fc5d1650fe42f49bf9efc988a76cc26513e847270595de57c32943717f89c05a614cd20f9ef17fb68ac49796fe304d514b2d2329175aac9517d7613

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
312B

MD5
0c04ad1083dc5c7c45e3ee2cd344ae38

SHA1
f1cf190f8ca93000e56d49732e9e827e2554c46f

SHA256
6452273c017db7cbe0ffc5b109bbf3f8d3282fb91bfa3c5eabc4fb8f1fc98cb0

SHA512
6c414b39bbc1f1f08446c6c6da6f6e1ceb9303bbf183ae279c872d91641ea8d67ec5e5c4e0824da3837eca73ec29fe70e92b72c09458c8ce50fa6f08791d1492

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
424B

MD5
46ea772200d4131d531ad3a44fadeb9c

SHA1
61a1ab49a7c071f516b4161045fb5025567a88dd

SHA256
0e2ba0b2b7fec59a2f74a11f6945e831d212e16938900c8f1939c96562c682e4

SHA512
ec14f8d063f738c289acc9d6aa8b1e2fe1bf783faa6600bc5a1abbee6fcd50c38a28cedeb282a31a483afedc86cc5812379f844614c7d913a59981586e56ab1f

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
2KB

MD5
5ab0ab1003aa86aa7bc2315be5fe2d60

SHA1
9b2380215131c92893189917e9ad7587a39ba8d0

SHA256
a7d4ca7db33bf1c510949650d5e8763652a547984ad841b7ac325f5a1c974c2a

SHA512
ca93f7e2196a48ef45df2770db354017342f427c8a32cba598701e5c71c13dde050b1d7e8e6e529ecb0053d009ebb45605427de5e10c40b8ea337ee35285ddbc

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
2KB

MD5
64ab6a9154ef08a64d357f3b5d3622cb

SHA1
fe9d2932f02f5f5847515038a520280d8ec1570f

SHA256
8ed2b23f58658191897700a3005c331e2592fff070970793d42bdf26f0c8a145

SHA512
335fcc6fef8cba06b49b792d861514bf45583ccdcd93281763b492db12eba63d2a90fb4ed47dcd5bb85071cf5ae5c4352d67a18100c56af9e07ec3c38b6e5b10

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
3KB

MD5
a116b210370e5c310b53bb15d7e89187

SHA1
8f4a70b9b30cb431e8a28d4d0c85bf75781a2b98

SHA256
aa92e8ee7461dfe31491ea6964c9352c833d8a58035bf35ca5c985de46647975

SHA512
3437dc43d2ccf6f50accf5c18b73d8e1f77855fcbdb8a43bd2944e4b721d074258bf5d6ac6e2b113ae86c5d5b37dac0102c73b655366682655b331f702e5e642

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
3KB

MD5
4729cb21872bb3d504be8949d08b5349

SHA1
7c203c1b0625ae09edd2edc292b5a2af8d30ceba

SHA256
1b35e82014a17d151ee5e901237811762a0cc9dac877308af7389ea74521b561

SHA512
07df196d240806bbb6e38e2e3e5c33a498acc186f61a4b72679e640aa2d54137ee8a4cf9d16343b0cc1479d281238293f61da8a08262f0fb76f50cd0b349102b

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
6KB

MD5
5a00f1de07b63d68f06a50776488e61d

SHA1
9a1baddc2e1074e591e5084b2e2b5d3514a4a8b4

SHA256
d58f5722a5e890fb9ca4bab00a27b2662e72306d39893509b50027b53f17fdf5

SHA512
c0cae468d78c91b6f00a1171c1ad0bfa41c2dd3b5fd5deeec410594015aa72a37e226e11df1d279a7086b03ebadd569ebb05e57177aed5d86de3954f1bf9c883

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
6KB

MD5
d4bbdc823c85b0b85e246f5f5525fefc

SHA1
310b44e127cb3b0cc6e353a93f915b62475e252f

SHA256
189bd040b5dac631f6726b429505de3e0580355db7cdb7f4508f2cce4b6c8d2f

SHA512
8aef5dcc9d1c5bc5566ff069d1c8dd07d7aafe4802baec9af005615642e228aeb3c34fe4c439c285aa975cd2b9a01f7efd32220c6b7cab9037e074b052ea6016

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
68577df93a72751e17b251ecc264aaa6

SHA1
4a30757f778d82b6894e434ebf50c5e380643fc3

SHA256
a9bdbf06577c16e033367018dff368a282322ba711f4c737615019536ca8dfb1

SHA512
f7e4260b986ec310de51652a8b47fb8aed3093240f7f3a466739e5010f6f9eb64e04b8826b0afe55b91222cfd19e94c0e2c3e431d8975bc980897b7fdb32b0fc

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
1c19d373237061a2cc5e6edb7248cf38

SHA1
b989cb1cbee0acf9e0c33eaed8ddfe17c5939d85

SHA256
50a508125967c35e5fccd78b24cbb6e379629b63a178ec2ce59e69189aa07321

SHA512
a520a81995aada35e6aabf24a831e8569f9621abfcfcb41463d03fdfdeeb50f4b7b9b8dc1aa009a0dd1dbce8c524f073dd189afa83d97170a69e1e33316ea49d

Download Submit
memory/3892-11-0x0000000000010000-0x000000000173B000-memory.dmp

Filesize
23.2MB

Download
memory/3892-244-0x0000000000010000-0x000000000173B000-memory.dmp

Filesize
23.2MB

Download
memory/3892-35-0x0000000001D00000-0x0000000001D01000-memory.dmp

Filesize
4KB

Download
memory/3892-30-0x0000000000010000-0x000000000173B000-memory.dmp

Filesize
23.2MB

Download
memory/4376-32-0x0000000005830000-0x0000000005831000-memory.dmp

Filesize
4KB

Download
memory/4376-1-0x0000000000010000-0x000000000173B000-memory.dmp

Filesize
23.2MB

Download
memory/4376-92-0x0000000006FC0000-0x0000000006FC1000-memory.dmp

Filesize
4KB

Download
memory/4376-4-0x00000000037A0000-0x00000000037A1000-memory.dmp

Filesize
4KB

Download
memory/4376-33-0x0000000005840000-0x0000000005841000-memory.dmp

Filesize
4KB

Download
memory/4376-89-0x0000000005930000-0x0000000005931000-memory.dmp

Filesize
4KB

Download
memory/4376-231-0x0000000006FD0000-0x0000000006FD1000-memory.dmp

Filesize
4KB

Download
memory/4376-0-0x0000000000010000-0x000000000173B000-memory.dmp

Filesize
23.2MB

Download
memory/4376-242-0x0000000000010000-0x000000000173B000-memory.dmp

Filesize
23.2MB

Download
memory/4632-12-0x0000000000010000-0x000000000173B000-memory.dmp

Filesize
23.2MB

Download
memory/4632-14-0x0000000000010000-0x000000000173B000-memory.dmp

Filesize
23.2MB

Download
memory/4632-243-0x0000000000010000-0x000000000173B000-memory.dmp

Filesize
23.2MB

Download
memory/4632-34-0x0000000003840000-0x0000000003841000-memory.dmp

Filesize
4KB

Download