1cdafbe519f60aaadb4a92e266fff709129f86f0c9ee595c45499c66092e0499

Analysis

max time kernel
1792s
max time network
1798s
platform
windows11-21h2_x64
resource
win11-20240426-en
resource tags

arch:x64arch:x86image:win11-20240426-enlocale:en-usos:windows11-21h2-x64system
submitted
23-05-2024 00:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

AnyDesk.exe
Size

5.1MB
MD5

aee6801792d67607f228be8cec8291f9
SHA1

bf6ba727ff14ca2fddf619f292d56db9d9088066
SHA256

1cdafbe519f60aaadb4a92e266fff709129f86f0c9ee595c45499c66092e0499
SHA512

09d9fc8702ab6fa4fc9323c37bc970b8a7dd180293b0dbf337de726476b0b9515a4f383fa294ba084eccf0698d1e3cb5a39d0ff9ea3ba40c8a56acafce3add4f
SSDEEP

98304:G5WW6KEdJxfpDVOMdq2668yIv1//nvkYCRThGXBJdicotUgwoAo5beyjF:y3vEbxfjf4Y8yofvktkLdurH5iyR

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

AnyDesk.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AnyDesk.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	AnyDesk.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

AnyDesk.exe

pid process

3724 AnyDesk.exe
3724 AnyDesk.exe
Suspicious use of FindShellTrayWindow 3 IoCs

Processes:

AnyDesk.exe

pid process

432 AnyDesk.exe
432 AnyDesk.exe
432 AnyDesk.exe
Suspicious use of SendNotifyMessage 3 IoCs

Processes:

AnyDesk.exe

pid process

432 AnyDesk.exe
432 AnyDesk.exe
432 AnyDesk.exe

pid	process
3724	AnyDesk.exe
3724	AnyDesk.exe

pid	process
432	AnyDesk.exe
432	AnyDesk.exe
432	AnyDesk.exe

pid	process
432	AnyDesk.exe
432	AnyDesk.exe
432	AnyDesk.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

AnyDesk.exe

description	pid	process	target process
PID 2912 wrote to memory of 3724	2912	AnyDesk.exe	AnyDesk.exe
PID 2912 wrote to memory of 3724	2912	AnyDesk.exe	AnyDesk.exe
PID 2912 wrote to memory of 3724	2912	AnyDesk.exe	AnyDesk.exe
PID 2912 wrote to memory of 432	2912	AnyDesk.exe	AnyDesk.exe
PID 2912 wrote to memory of 432	2912	AnyDesk.exe	AnyDesk.exe
PID 2912 wrote to memory of 432	2912	AnyDesk.exe	AnyDesk.exe

C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
"C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe"
1⤵
- Checks processor information in registry
- Suspicious use of WriteProcessMemory
PID:2912

C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
"C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe" --local-service
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:3724

C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
"C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe" --local-control
2⤵
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:432

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\gcapi.dll

Filesize
385KB

MD5
1ce7d5a1566c8c449d0f6772a8c27900

SHA1
60854185f6338e1bfc7497fd41aa44c5c00d8f85

SHA256
73170761d6776c0debacfbbc61b6988cb8270a20174bf5c049768a264bb8ffaf

SHA512
7e3411be8614170ae91db1626c452997dc6db663d79130872a124af982ee1d457cefba00abd7f5269adce3052403be31238aecc3934c7379d224cb792d519753

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace

Filesize
10KB

MD5
a1a4771b7ae2d82bf670422704eead27

SHA1
5674dc41f97f8c91e6e5837051eaca2601b7bcc4

SHA256
4ec2ff1442b581c5fe973b2909358bf0a9bec31cbab335aed5dfc7ed93ec08c2

SHA512
09ffe088171726035d43aa3717aa3048d43fbb1186a2790d1784059d131af95d1657866a2751fecb58d60d1beacc9e85c2d4a8ee52852ad1943616227cc854b1

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\service.conf

Filesize
2KB

MD5
e0333d3e793dd511e31d206c22327217

SHA1
4d136e9948d0e3989e26c044bd26cdb66a2cce16

SHA256
15c6e15b31e1237f5510fb87832ea242a21079eddb45b8809d162725f2b68ce0

SHA512
b8a8137e3dd2b1f0479955032dae8e3c7d6fe286797cecfdd4ba354c03266ea39cd20afd15c15d36cc89d0647ccc887b63913d4052028ce349a98ea0e8ce49ba

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\service.conf

Filesize
2KB

MD5
cc038df06c1658a576daa19a444dbdf7

SHA1
124dedeb837488396fdef4f657711a86923732a1

SHA256
996cd51750f205b16f707210f10efd04b82933b5f26664546421c72e13a19741

SHA512
11b5ec30deee5921b76a08accf7c66a1ec644f4d351167bf7d4f5f4832a28cd575d61feaa72931132840477985ae4724e8ecf15f7871209d89b23d5c388e7b87

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
701B

MD5
710fb2e0179b4c48b6815eb3ec7f5fe6

SHA1
7c9147b25b3ac49fdb9b691ad9dfbdfa9c361b73

SHA256
12712cca67583f332bbc20134714d3a7233df37a54e37e208d2d5717e8feb9ae

SHA512
d26ede75a2e8cb60894e21936eee6404ec26dc84554a622e47f8a30dfa67ecaa502b452a5d12805e8c918b850847c9fd2f328acaa18083ab4bab105b760b298b

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
822B

MD5
506ab8e61af3bbc3f5628dac2a196939

SHA1
d4f4c0e2b2bb3cbc71de12fc09901bc84f61ded2

SHA256
7f44474446b9b0f266b60002f91c4e6d1aa71fe302cc2a12fcb0f8eba78f2ed8

SHA512
12a3be5f06a52054281d5b3b6d29218f1019aa43689375cbc6ee94ec549a6f2318fd092d44c3912ee2c79a5db425699c24fc3e29c980ab8818f23986806f8362

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
312B

MD5
0c04ad1083dc5c7c45e3ee2cd344ae38

SHA1
f1cf190f8ca93000e56d49732e9e827e2554c46f

SHA256
6452273c017db7cbe0ffc5b109bbf3f8d3282fb91bfa3c5eabc4fb8f1fc98cb0

SHA512
6c414b39bbc1f1f08446c6c6da6f6e1ceb9303bbf183ae279c872d91641ea8d67ec5e5c4e0824da3837eca73ec29fe70e92b72c09458c8ce50fa6f08791d1492

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
424B

MD5
a623dde7df5031b0cdb0b4b3234e699d

SHA1
2e26000c55f02196aa190ec701fd929a64a7cb44

SHA256
369226518db29eaf5bbb17678dafb6d6c3d1fd715971a0737fbcf89767a90669

SHA512
6c82aea4e153991de31a9af32d5cba3f00543391a074098e5c70cb248baf690704816646461be8921bf2a8a63dce9c3cb2a499f1889e85be238f608966fad353

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
424B

MD5
7799bb510b0eddd2b9a4f4b2b1138fd2

SHA1
f60e16a07f42f0b49b1a400d59cc71eb7543c934

SHA256
81fce158aef8da161f3416cea1bc8d9d4e8ceaae3a7215221b332b413df2a5ee

SHA512
e6c33905a7a16a7d241c549bfc03a0905cfbef328ab0c49c002a80bb7781856e253ec3fb60a32f8a3848a0925b396de5e1cdbe858cead69830f28f421e2c488d

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
2KB

MD5
2b3f358736524df51bcd4ac2bc97d138

SHA1
917d3879393473c0919c455a653b61cc1f82e6ed

SHA256
bb75886b9c5af0eef4ab5137f5a10c51d9c9a345afed5ad72dfd4f458ff272a9

SHA512
b9b70041dd17543973b80b1124888a9a1109b9bdb24c8ada29ec69914dc66c979a48aa7a84dc656d420e6edef6c58489a569f79f4f7e4d48c172a11a14b23b7f

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
2KB

MD5
926b2d19d1f5195914c76e81abb1c523

SHA1
3f0fbf015ed56a782baabc7196d7d83cee9e0d58

SHA256
e637bed31691f422230a9aaf7bfa01f3b25a16b081da2d95100686ccfa67ae68

SHA512
253824526eebd78198444ceda857574c5d1f6340b4ee7909350ae5cf0ff61859eccda5ad5d42254459efbcc5dc0514ee645dd8ddd0367da98078f9688ac189f7

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
3KB

MD5
40ab9a5806e7c45221e13b947b55f23e

SHA1
34e4d2dac359bcd46f1e8363c80f95a49d492d32

SHA256
6b6c4af94c406900e5635f059e594250828ba02a5ce0594a0696b8d6dd5b3150

SHA512
44b2a7407be2ffa930b5018a988ec9b09f9a6d0d5b083ce40be487e42abeff9d89fdabe05148938faf56d0467e2b7420b29e950935c0a9e76dc6fa0ed8b69db0

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
3KB

MD5
3ee9e6bb7bd579f88d6b5be329e0fabb

SHA1
052f4e4a31ab503b5c6c1b841fb7188302c5e2c1

SHA256
146c89ff0d8048f6851cf46997d368a239be345d9c85fe153c74b0c1c5cc3321

SHA512
b3bdf0bc24d62a1e8354e0172d2dbb3000fb7b8e5168e7b8a5f3c2b2c6e3fe91314275de571692b2d710fa5cc575f1ad961ce4d887fc29944ad1fac2db7a718d

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
3KB

MD5
f924c081f62239711f1528cad8e68b66

SHA1
11bc470a00085060af3c925f25c19b145faef5e0

SHA256
3b3ee2cb9d29287b505abac6d1c7d976e32047bc93bc3ebf51f6e99705e6b986

SHA512
33ea574e758d70095747a6894f9126c27e95fff9c8adda8323e5343e7359e25aae4355a5f9837730573770a9f844fb7a65b09f90484c0b18d1ff94f1c0630603

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
6KB

MD5
8d322feaf62e0de1dd61d7d61d93b198

SHA1
da9f1379f9f8f3deb1159043c42aa79bf4136c9e

SHA256
25e82b38eabb0d9765ec82dde0a7e6fe7f3682e23b537992c333281aee02d902

SHA512
e65a785fc2000d84f33fdc86bd2468cdc015d33d16b0585171512ee054075e7408af1db82c318af070890dda1c23aacba33373096c9cd479a4245522747b74c0

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
57ebb5799ea54c158144e00acaac5cb1

SHA1
2e8792f482b92480f736621499ce2628e3516a6c

SHA256
bac75de7272f885722f4925ece589fcdbe074e6fd188185695e05a28cf98a622

SHA512
68beda93693ae4fd71a7cfc875f6d2fcd88173a9a5fade274790033fbaf6a39c6e6c777383020fa6ad4ef2df52a4d5059885706144cb7db9f27e8d2a5eba860c

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
100b9b5736cbe478b3c9cbb808de6b4b

SHA1
a86320fdaa4e6659abb003a45bb8f6da3eb82525

SHA256
0513d3cb06455d50cbab17643a39afa06842d0af0e8aa6399df528e7cac65bce

SHA512
ce968a1ca987ac91ae9e107c5fba36d3e80ac39ff18bc6b61112039a17c122e0f35d0308a041ebff5c00edef796339bba3edef9027d5c8d3fa1076b0e7e2ee06

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
52827cf573c8abdb1d7b6f02a415ff7a

SHA1
1f1aba486f60039ea5b467f50a53e39df4a1cf57

SHA256
774822f1fcfc123c2ae85c6e07714554c2ab6eaf42351549b1d06c47352d95f9

SHA512
a435fdcb93a705b251472c3aea73fc14e505ba300b767e707b0186f6ae201936e81357ad0559587a139757b9e5989274a797bd213a8cd0de1e914cc74b54dc37

Download Submit
memory/432-10-0x0000000000010000-0x0000000001759000-memory.dmp

Filesize
23.3MB

Download
memory/432-223-0x0000000000010000-0x0000000001759000-memory.dmp

Filesize
23.3MB

Download
memory/2912-0-0x0000000000010000-0x0000000001759000-memory.dmp

Filesize
23.3MB

Download
memory/2912-7-0x0000000000010000-0x0000000001759000-memory.dmp

Filesize
23.3MB

Download
memory/2912-2-0x0000000000014000-0x000000000124A000-memory.dmp

Filesize
18.2MB

Download
memory/2912-221-0x0000000000010000-0x0000000001759000-memory.dmp

Filesize
23.3MB

Download
memory/2912-227-0x0000000000014000-0x000000000124A000-memory.dmp

Filesize
18.2MB

Download
memory/3724-12-0x0000000000010000-0x0000000001759000-memory.dmp

Filesize
23.3MB

Download
memory/3724-222-0x0000000000010000-0x0000000001759000-memory.dmp

Filesize
23.3MB

Download