d663d60610877cf8a98796e696f01222d5cf56e4230c5475ff3f8f7e93c35088

Analysis

max time kernel
142s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
21/04/2024, 12:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

anydesk(2).exe
Size

5.1MB
MD5

863fa58aa1fe8a88626625b191d4722e
SHA1

e7fb4bf69be5ac4583c0c02e26a17bd3cdef4c02
SHA256

45126297c07c6ef56b51440cd0dc30acf7b3b938e2e9e656334886fe2f81f220
SHA512

ffd3bf831e8f0dc605706075a9763c68552f6560aa8660d7993e5156f64032fbc4ff6134fd333822e3090fb863cecff9e463316a8d9c3150152b73f8377aa2bd
SSDEEP

98304:m73/fXBy7vaQfw2Tx9ygyzn00+IQFikLo7ANSDkatVVoj9dU5UywL:AHXk7yQpxy0LEAADkahowULL

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	anydesk(2).exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	anydesk(2).exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1708	anydesk(2).exe
1708	anydesk(2).exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
2624	anydesk(2).exe
2624	anydesk(2).exe
2624	anydesk(2).exe

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
2624	anydesk(2).exe
2624	anydesk(2).exe
2624	anydesk(2).exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1300 wrote to memory of 1708	1300	anydesk(2).exe	87
PID 1300 wrote to memory of 1708	1300	anydesk(2).exe	87
PID 1300 wrote to memory of 1708	1300	anydesk(2).exe	87
PID 1300 wrote to memory of 2624	1300	anydesk(2).exe	88
PID 1300 wrote to memory of 2624	1300	anydesk(2).exe	88
PID 1300 wrote to memory of 2624	1300	anydesk(2).exe	88

C:\Users\Admin\AppData\Local\Temp\anydesk(2).exe
"C:\Users\Admin\AppData\Local\Temp\anydesk(2).exe"
1⤵
- Checks processor information in registry
- Suspicious use of WriteProcessMemory
PID:1300
- C:\Users\Admin\AppData\Local\Temp\anydesk(2).exe
  "C:\Users\Admin\AppData\Local\Temp\anydesk(2).exe" --local-service
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1708
- C:\Users\Admin\AppData\Local\Temp\anydesk(2).exe
  "C:\Users\Admin\AppData\Local\Temp\anydesk(2).exe" --local-control
  2⤵
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:2624

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\gcapi.dll

Filesize
385KB

MD5
1ce7d5a1566c8c449d0f6772a8c27900

SHA1
60854185f6338e1bfc7497fd41aa44c5c00d8f85

SHA256
73170761d6776c0debacfbbc61b6988cb8270a20174bf5c049768a264bb8ffaf

SHA512
7e3411be8614170ae91db1626c452997dc6db663d79130872a124af982ee1d457cefba00abd7f5269adce3052403be31238aecc3934c7379d224cb792d519753

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace

Filesize
9KB

MD5
c3846f05258b53272b6f70ebcce7a54a

SHA1
ff913da831cca3f7d791663d5f0d86c2ab713d54

SHA256
362369ce6ac1d9c1a1875976b07ad42f0b1db4e2ac92fe807d2ee6cb2b9af2a4

SHA512
a5db612af7a14aa0d8f75a85d14a7de3c5a1561e41bc22b2ee48264b53af7f8c8e1e3d8d33ae92d224662847012cacf54d6853909a8b7e308072625d5bcec8f6

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace

Filesize
6KB

MD5
2b171e9e0cf158c77ee9b9bfacae0404

SHA1
a49e51fae09fad6cf82bd61c9477da8475f38ba6

SHA256
1c702ba2e65266ed210822ba97878fc58e87b38ce7b2a7bc95901b2c577e4e1e

SHA512
c36da564d29091db4dc650c4e2e599f11bd1403f5010c9444543b5cc8e540fa21c61b96ac33921f056ae72852b56bde42fb5effd0ec39ba61f18d3dcab844169

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\service.conf

Filesize
2KB

MD5
5afd38f08fc1e21e353dbb97be090905

SHA1
b296c370d681f4bec836a10f9ad9c3073401b54d

SHA256
e50c9b94ad0bf27b936951da9ee9bd89c487f84bb1d45d6589d1788391b39f05

SHA512
1bdb56afe545631515feb58592291eef2099b80d9535d3acad40bb6f73fdd00bd6e8c4c2434b14660c676345e15a94fc42934c2e5b5df63b9e8ba4adba176a92

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\service.conf

Filesize
2KB

MD5
168a69eefa2eeae5d40f254e266ed82f

SHA1
583b87de960cd8ed9f0d822cbefb66592c13f2b4

SHA256
f6a73ff0d58b72eeee4a65d9488deea60502137d26796ffbe62643f40d50cb58

SHA512
411396329542ebfeb0e54a5edef8d60a9450add54a0fb19f77d7a866bdf5298d43cda382b8336bb2604d5b16a68222d9bcf8874cb3e3f189e92e59a3a203d56c

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
680B

MD5
6eb59a30a9a7327ec548d39d1f81eed0

SHA1
7f1e7147a85a6e375d5deb638e6addd154de24ed

SHA256
1882a5242bff30bb7ab04ded77969f42b9d7dc1adf4723104b5c2492802f4cb7

SHA512
43e73e47c15c8cdf94883a9b14fece76888a3d5ce57de00edd7b1b1dd75ffe3436371ffc9795ee3560bd9ac6044f98cf7c69a2be7ceb69e442a5d3252ef3b6f7

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
801B

MD5
68641649aa59341dee48389e87bbc585

SHA1
bda07689059a74a6695f2afc6670b8e0c5f2c98a

SHA256
c46db313a728d09083392ab537a913ba6157de2afa818e02bae020d1737e956b

SHA512
66cf8948927188b3646ce5af7cd3cebbe86e52542416cf3dc1bdfa410694c026258644d32bd3570b2145474e4f866b59ff6078c0dffcc429cfaa55ae78fa7d1d

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
312B

MD5
0c04ad1083dc5c7c45e3ee2cd344ae38

SHA1
f1cf190f8ca93000e56d49732e9e827e2554c46f

SHA256
6452273c017db7cbe0ffc5b109bbf3f8d3282fb91bfa3c5eabc4fb8f1fc98cb0

SHA512
6c414b39bbc1f1f08446c6c6da6f6e1ceb9303bbf183ae279c872d91641ea8d67ec5e5c4e0824da3837eca73ec29fe70e92b72c09458c8ce50fa6f08791d1492

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
424B

MD5
761ccc5f8c74553388187842bd14ebc6

SHA1
8123d99994f8489e7c34bf3494527493f6209a0d

SHA256
69ae0a3368e6bbe21f12da3c9457617feac055ba4682da1bda8c4f91e13ef1a8

SHA512
5d2bac76e709e8183d3a7b93f427420fb91b34745d1ab2d1365082d86d7627719ec2c1f90d30c43782a944dc78b5eee49892fe709f068fe629c6d825cc945924

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
2KB

MD5
d0c4f97eb3d82c0c2e12bb0b29e16918

SHA1
3bd0daf02ea405e2004d7f7d1446a700eb554b23

SHA256
36466d0c3af92a937c3d629ff1bc4f59375898b9de31c5884a3bc5858bc6847e

SHA512
5ff601db94470fb577a3f707813d08a482eda8d84a7ff32551b14548998897c3bac6fce91410d6f2e33224af8117875ab6bd6b6e8c38cb816c8faee3d5ef7f8a

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
3KB

MD5
948f89944f4dcc412c7d2a699aa28d2f

SHA1
1707f26568939bcc374bbe11623e363e271f7876

SHA256
b111042f3e0241539da3bc7344efcf2aaec8123309cc1c139868a412dda6bb9b

SHA512
f3a88fa433c9b93b7f2abbca138bf3ec612cb85c2df728567f5c9520364cd7c71d75041e1d701dbab68c147b85c2ad8a7bcf1155e9da3d6c7eb9ae3f78f0a92f

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
3KB

MD5
763f5e1c5b8bfb74284443c066682e2b

SHA1
fca632dd869d7b82996945dabe18ad3fac1914cd

SHA256
5ec643425629fe5f20cfd86693aea82f11e6fc705a659106c3247a5d22e14cfd

SHA512
1c804ba603ed74fc8b416249b3b8f89159bfda8875f949d4d6a5667fbb839db3464310a4600e88b3757d5030009ad9c28137325451d1a40073c5e1684ea63b7c

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
3KB

MD5
5262fee1efefc99dc738b25d252c5484

SHA1
300513a2311af94ea7d9cd4265bebc7231238463

SHA256
c056679ab502df4f3fa104403a445070de8d3ca12350e1f9809e815eb91ec557

SHA512
83cc035c45c51b0d266fd437644652ee49b2a2ea855bdf80c57b400cbf9ce1d771da2c7784593ac4ca91151b251e7b7134e490e5e185bcc4680b78c4aaafd4e8

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
3KB

MD5
dfd26f304b518145610c2eebb35bfa20

SHA1
9b5e83c7c03245c15fe437b6e3e73d86618ac103

SHA256
9ad58b64ec98640a1007429be68d7ed97df560b0e9a9483afd03dae8c5ffdfb1

SHA512
cfe52e42f778719a244897103c77e200a463e0762229a2e0bd3d6d204b5b47b6d6a63bae5cf371b4acca02046816b9ace4b9848825ff22653200352cdd7267d7

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
6KB

MD5
9af3d46afbd82f6b16f6a70630162629

SHA1
ce470d3048ba9bf431ecea80e77a878f4a165a13

SHA256
dfd32dd6374fe1c3084eb7dc82a985f0a0699320d42357f769edbf9ae82fc4ea

SHA512
e50f17dde74d105f2388f7756e75690006f1b7e75fcbdefbcab0fa1c20ad4fd48c906de938682bdac877c91812d4820f021457a3a7736aac39dc91a5793a13b1

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
6KB

MD5
3b8bd4ea88efaa2cc0d59f91166c1238

SHA1
326f23e36b606dc5a7cde26f8ae9259f03b6ebf3

SHA256
a70d866da85f8ba79dceb206ed137300b454d4bbc47b785beb1642ab95f6d8e7

SHA512
89b21a7ec2b1b7d17a7f7ea126c70a6c85647f3c363dfab0cb258f60124c06697702fc1e6ffc1b02185856595e2ed57cfcbcbb69d805087e7330d7f714b59c4d

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
03f0f11a7db0a0b8c06577abc5f29366

SHA1
20bb0ce0f741d6e3aa9c515dc8e5f99691f6ca35

SHA256
e2fa9564a40a855d21665987781b3d6b69e1cc8b1f659f33b79e8b01e7573a46

SHA512
285e87ddafc534cc4950dbae9873426aeeac16f94963d586198722f54fff926c1fa80966a261886ef49c8a0b5af66cb27724a2d8b12e741e55446ee9492b27e5

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
dc42c840789eb3b38c2ff73c1eab1a10

SHA1
01a1dbbf09149dea76f5d24dd483b428f8c20e71

SHA256
f658ef4c44f2047a788fe4d9df1f242f8d7b39f8f82e92be959fd743c4e2debd

SHA512
616cfbb7c2fd71661fa55b7436b7b1ab587f9346b8a17786c02be50f94c2aa05f8d03de0d76c3d25a523767148f497b28244b2650e80cae5e28c0a387777bf5a

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
1eb009516e1013ee1713949c9214f4d6

SHA1
48f227ef8cb07a97b6e3adc2ffe66963f9cb53cb

SHA256
244bfcc3e41c8218890d900653d37a5e233323293f020aa7f746ed43cab97754

SHA512
2b2efa3060a168891fd105ea8350f4753bc81db20a43384f18ca4e1310202b036482fab63d0804ec0167d8246bb9cd8784860a7cc20f215129266490f08ea25d

Download Submit
memory/1300-29-0x0000000005D50000-0x0000000005D51000-memory.dmp

Filesize
4KB

Download
memory/1300-1-0x00000000005C0000-0x0000000001D05000-memory.dmp

Filesize
23.3MB

Download
memory/1300-90-0x00000000074D0000-0x00000000074D1000-memory.dmp

Filesize
4KB

Download
memory/1300-266-0x00000000005C0000-0x0000000001D05000-memory.dmp

Filesize
23.3MB

Download
memory/1300-255-0x00000000074E0000-0x00000000074E1000-memory.dmp

Filesize
4KB

Download
memory/1300-254-0x00000000005C0000-0x0000000001D05000-memory.dmp

Filesize
23.3MB

Download
memory/1300-85-0x0000000008320000-0x0000000008321000-memory.dmp

Filesize
4KB

Download
memory/1300-0-0x00000000005C0000-0x0000000001D05000-memory.dmp

Filesize
23.3MB

Download
memory/1300-30-0x0000000005D40000-0x0000000005D41000-memory.dmp

Filesize
4KB

Download
memory/1300-4-0x0000000002200000-0x0000000002201000-memory.dmp

Filesize
4KB

Download
memory/1708-10-0x00000000005C0000-0x0000000001D05000-memory.dmp

Filesize
23.3MB

Download
memory/1708-12-0x00000000005C0000-0x0000000001D05000-memory.dmp

Filesize
23.3MB

Download
memory/1708-25-0x0000000001FA0000-0x0000000001FA1000-memory.dmp

Filesize
4KB

Download
memory/1708-267-0x00000000005C0000-0x0000000001D05000-memory.dmp

Filesize
23.3MB

Download
memory/1708-269-0x00000000005C0000-0x0000000001D05000-memory.dmp

Filesize
23.3MB

Download
memory/2624-11-0x00000000005C0000-0x0000000001D05000-memory.dmp

Filesize
23.3MB

Download
memory/2624-28-0x0000000003D70000-0x0000000003D71000-memory.dmp

Filesize
4KB

Download
memory/2624-268-0x00000000005C0000-0x0000000001D05000-memory.dmp

Filesize
23.3MB

Download