5a8a76a01446c6a7f89d3bfcb7e97a1e3f559251912c7faeab16ca5b1cf119ae

Analysis

max time kernel
1793s
max time network
1801s
platform
windows10-1703_x64
resource
win10-20240404-uk
resource tags

arch:x64arch:x86image:win10-20240404-uklocale:uk-uaos:windows10-1703-x64systemwindows
submitted
23-05-2024 11:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

AnyDesk 8.0.3 (2023) PC/data/AnyDeskportable.exe
Size

5.2MB
MD5

37e172be64b12f3207300d11b74656b8
SHA1

1895d7c4f785f92e48b5191fd812822593cbc73f
SHA256

bc747e3bf7b6e02c09f3d18bdd0e64eef62b940b2f16c9c72e647eec85cf0138
SHA512

98cf7a591beb4af2066ddd9d17caee69b3cbb42343cb4dc0d517fb99983159ae8e960c315030487b3ea22b2512359f108a6cfe15ec3b725c040ac06b877c88ff
SSDEEP

98304:pgBOLscYr9NrQO6lSdAd7qvlyBhbUhrZsTY3ycd8izlxGhzAqK3:KOoc+dQO6+Ad7qdriTYlfzlIhMt

Score

5^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

AnyDeskportable.exeAnyDeskportable.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000\Control Panel\International\Geo\Nation	AnyDeskportable.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000\Control Panel\International\Geo\Nation	AnyDeskportable.exe

Loads dropped DLL 2 IoCs

Processes:

AnyDeskportable.exeAnyDeskportable.exe

pid process

4708 AnyDeskportable.exe
308 AnyDeskportable.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
4708	AnyDeskportable.exe
308	AnyDeskportable.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

AnyDeskportable.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AnyDeskportable.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	AnyDeskportable.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

AnyDeskportable.exe

pid process

308 AnyDeskportable.exe
308 AnyDeskportable.exe
Suspicious use of FindShellTrayWindow 3 IoCs

Processes:

AnyDeskportable.exe

pid process

4708 AnyDeskportable.exe
4708 AnyDeskportable.exe
4708 AnyDeskportable.exe
Suspicious use of SendNotifyMessage 3 IoCs

Processes:

AnyDeskportable.exe

pid process

4708 AnyDeskportable.exe
4708 AnyDeskportable.exe
4708 AnyDeskportable.exe

pid	process
308	AnyDeskportable.exe
308	AnyDeskportable.exe

pid	process
4708	AnyDeskportable.exe
4708	AnyDeskportable.exe
4708	AnyDeskportable.exe

pid	process
4708	AnyDeskportable.exe
4708	AnyDeskportable.exe
4708	AnyDeskportable.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

AnyDeskportable.exe

description	pid	process	target process
PID 3780 wrote to memory of 308	3780	AnyDeskportable.exe	AnyDeskportable.exe
PID 3780 wrote to memory of 308	3780	AnyDeskportable.exe	AnyDeskportable.exe
PID 3780 wrote to memory of 308	3780	AnyDeskportable.exe	AnyDeskportable.exe
PID 3780 wrote to memory of 4708	3780	AnyDeskportable.exe	AnyDeskportable.exe
PID 3780 wrote to memory of 4708	3780	AnyDeskportable.exe	AnyDeskportable.exe
PID 3780 wrote to memory of 4708	3780	AnyDeskportable.exe	AnyDeskportable.exe

C:\Users\Admin\AppData\Local\Temp\AnyDesk 8.0.3 (2023) PC\data\AnyDeskportable.exe
"C:\Users\Admin\AppData\Local\Temp\AnyDesk 8.0.3 (2023) PC\data\AnyDeskportable.exe"
1⤵
- Checks processor information in registry
- Suspicious use of WriteProcessMemory
PID:3780

C:\Users\Admin\AppData\Local\Temp\AnyDesk 8.0.3 (2023) PC\data\AnyDeskportable.exe
"C:\Users\Admin\AppData\Local\Temp\AnyDesk 8.0.3 (2023) PC\data\AnyDeskportable.exe" --local-service
2⤵
- Checks computer location settings
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:308

C:\Users\Admin\AppData\Local\Temp\AnyDesk 8.0.3 (2023) PC\data\AnyDeskportable.exe
"C:\Users\Admin\AppData\Local\Temp\AnyDesk 8.0.3 (2023) PC\data\AnyDeskportable.exe" --local-control
2⤵
- Checks computer location settings
- Loads dropped DLL
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4708

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\AnyDesk 8.0.3 (2023) PC\data\gcapi.dll
Filesize
385KB

MD5
1ce7d5a1566c8c449d0f6772a8c27900

SHA1
60854185f6338e1bfc7497fd41aa44c5c00d8f85

SHA256
73170761d6776c0debacfbbc61b6988cb8270a20174bf5c049768a264bb8ffaf

SHA512
7e3411be8614170ae91db1626c452997dc6db663d79130872a124af982ee1d457cefba00abd7f5269adce3052403be31238aecc3934c7379d224cb792d519753

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace
Filesize
9KB

MD5
28bcad4c90b248cd80db23ef7ee34197

SHA1
67c31708fa542d47b0b6d023610cc029c5b486b4

SHA256
4f79e288f04ba095b4d87dffcf36afc289506ae92517ffbd2b72b5db31c4d6ff

SHA512
168fe1aa43bddde6bb1f7afe0cb4874a7001e909453259b6073d0645c910c157ca91c3b9a11157b77c60898fc553948930a614211f3ad27130a3af3d542c6244

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\service.conf
Filesize
2KB

MD5
17931118ef07645e8ead8fb29b5bea9e

SHA1
0240ed78347a14a4f9ae32c033fdf0efde958f93

SHA256
bbc8f39d4515b7b0b29eb33546fed9fb61affd1201baa9aef6680ee7d6d25780

SHA512
87d2ea51c4cdfc8d647fafedc1bfc4f09cf7b759904eac9b488e1cc370b4af0f202c1ee84cb2f42a1c108d9820cd49eefe5723e43ed2386db1bdf75d1003d314

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\service.conf
Filesize
2KB

MD5
991ffb2c8d0012a45381c414024ce6e1

SHA1
9899ab2324e55cad5c3d053084739c20e0c2cc34

SHA256
62b0f274c82baa7ab2539c2dab178cb27300354518892a8e9d9ec3f3f54dcccd

SHA512
a566e3ffa0a52b17eaab116d352ea4b0a68a7497ae379c061cea37c13d96cc73bd5b089be64258a0e1ca9573762dde4fe01021c7c377e58726010b384a7056bd

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf
Filesize
681B

MD5
141d031bb00a80eafbdbf9ddd6a3da46

SHA1
a46022df9efc67bd499aa24ab4002bee06deaa85

SHA256
0c18d55c000359144a7ac513ced4dd3263744918918545999db0fffa6d871a8a

SHA512
575c726d4d5d8c02a868c78279d9ab991b150f58872690d9cee0f22ed054f070e31ff1318d46fff40286aa2cc88dcabde0d2df0bd94689d7fea091e33e1ecaa8

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf
Filesize
802B

MD5
cf7d35fab535ebbd8f10aa13285e223d

SHA1
4db140d66acfafa6fa6a42cc79223d36dab65c31

SHA256
1e84044e1c4f6a3f87e13bcfed0bad6a8ec83eca6ff79ae88d62ae728522aca1

SHA512
3b8b79f8a4940b11daf2bd13981f693d0482207b7e59d755919cfa54051146d3245a69290f3cb69ad2ab2a80d035ff511ba382dcd92152a918e8fd6d46bddaa5

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf
Filesize
312B

MD5
0c04ad1083dc5c7c45e3ee2cd344ae38

SHA1
f1cf190f8ca93000e56d49732e9e827e2554c46f

SHA256
6452273c017db7cbe0ffc5b109bbf3f8d3282fb91bfa3c5eabc4fb8f1fc98cb0

SHA512
6c414b39bbc1f1f08446c6c6da6f6e1ceb9303bbf183ae279c872d91641ea8d67ec5e5c4e0824da3837eca73ec29fe70e92b72c09458c8ce50fa6f08791d1492

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf
Filesize
424B

MD5
c0836077a449fcc82b24a2761f844490

SHA1
59d02a7aac7985efaafbd20aa62919cc209546d8

SHA256
832f6255aa185f3189075c4912b9e99040c16758d120d3299197f300ae1903db

SHA512
401ecade1981c1a2a3789bf5eb90f84c21cf675165aa480d4c3ae4127ec39ad89e280684b38f733039f870724c10d16622990bfec9c370d4bfb719d78c412205

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf
Filesize
2KB

MD5
3fdac754db188c31fa957bed0b672091

SHA1
ce74d86236b36780ad325415a47140cc4feeb692

SHA256
023907f32fa07fbc2e66e0c4e3ff1fdcd570d34e43cf25a69d47c404899fac30

SHA512
2ad772d7ec279f492429af8cd495cfb742ce1797d5ac3b46174d575f25210dc2301744bfa865e4b7a5c92494afb0e21b99e2958740043ee1e857eff0caecdb9c

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf
Filesize
2KB

MD5
a938b358fe8def0f0b39582c8af34a04

SHA1
a500f4053e25b274c5bc718b2ada68639ea3692b

SHA256
b4ec91dce8f8f5d615305e7e9370d75203c7a3db6975600200c21d133ec922ef

SHA512
f868fb49c0132539d63826392dc4d3d60dc5131822202ac6f1ff56c56609ec7613ea4c214f59df78e756dd9af5bedfd63dcfe08d89ae0f5a6b80e917aa7a90a7

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf
Filesize
6KB

MD5
9996a117537c0a3ac7189d90ed3572e0

SHA1
706740adafbb8d395c9cef4e32293c4cc43f80d5

SHA256
52a60c69d1876b87426a9e911de5208b7279efc2aa86161da763f46258bbf9b1

SHA512
39e665deeeca1e33e5e7cc6af29ad34920645db38558b948974aa15c7a35645c40af9ec5d2d958daba29dc5630afad66dfccfc897d120727c8a0c507ec7d6739

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf
Filesize
6KB

MD5
d3fe1b6093d981018d85457da3a9cc00

SHA1
25c44cdef43228f80530d8ae7f7f86b4b45b707f

SHA256
8d9b09738e3d4d59a9c0f86219f15eb1a21ed7e6b1cb17673575d50ad2028dea

SHA512
1f01904acd52502316d4363aaf2c8d9a2780e2adcff65e53fac2b04b3f585fe56e9d99a1207b2bd4643aed1cf3c99226d0c1edd0ee8c225b3c15dc6c4e08a54a

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf
Filesize
6KB

MD5
b322c577f613ab75d9e04c451bdd232c

SHA1
83944f155bb620ed0611a0d1d8829513437c85dc

SHA256
ee98f90b4811aabba64564700aa5f8e78e25238d3cd429510842a1f6c5b42112

SHA512
4d7d8ec1b8559303bc6075e4c3bcd2f9551ff208d3100a5fae90a5856496c3dbb1a515b3d2a5675c7f6bcc4cedf3480823134636205d744ab16b797e25372e39

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf
Filesize
1KB

MD5
9c076ea78d902f877c7c1961101a4a9b

SHA1
a1c99d50570b555d8670327835b5dc05818ab9cf

SHA256
e20c2209f464938e504097b475e94b272cdd48f17078170d04930e5427fd5fb6

SHA512
f87f565ebb44ec225f88ce441fd223722b152a8b56877aef87e48529540bd247400d0d0b13081f6862d8540f16b765d24424de9c8a1cb80ae090bb1e37955705

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf
Filesize
1KB

MD5
0e04d27c256bec62912ca514b047a725

SHA1
f04f42d9c3a363be63dee81d620e71df0d34c13e

SHA256
da57a9e2f5007167cdf33e5a93b8a2f89902ae1455827b2151a7bd7049a32251

SHA512
c69e3b6cf105501de537e56a35fbc48840cae979906f0d6c5b744aa61ddc03ded9d00b30ce57c8dc78e249d67f2b44355196249058496ae562aa9dc0148ceaab

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf
Filesize
1KB

MD5
482f2d675a93064cdf3c0874cbb7a921

SHA1
d788c73ae50562ebecfe9f48ec3afa26b1032f66

SHA256
da9e33029199bc357b0620fb94c7aafb6298e08305fafe440f44a2c446780392

SHA512
612983bdf4fdca84687ab62379a72ba997c7dcbf097db00a6937f4931f803eebedf467da6681d537aacb03e0d63602366aab0e665b2b9a3fb9918f403d8dd6fa

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf
Filesize
1KB

MD5
06ab8e66fb6c4cf97a9627f4cbff822d

SHA1
6c67c4a68458118aef7d07ce7e820a78eb1a704f

SHA256
f9e9a06f7d7f7a91f6a4fa408c9deb77c51e241d8c0befaca127ffeaf908d9f0

SHA512
8d348a87162d5988007e80a66822129965fd24f35d1f6f9772c4976c447380428b28296b79b316a27650289bf81e20b5e1ed9b381f65df7cf233847eadc48dde

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf
Filesize
1KB

MD5
47ef488a5a41a90ec80626c3f38e88f8

SHA1
ec6784edaf48bb0306165aecdb0d78830bca54ef

SHA256
134f8a36464b0e89501cf91eb01cd6dc51dcf28bfc09774219764d2bcec8038a

SHA512
9b10029c12f40124335360e060232ce102486517a21bcf55a9eaf61acedf00168b02b020e4dff22cbf5d883c35888df3f7d18052e053c2cefc4c28a3e6298e83

Download Submit
memory/308-13-0x0000000001260000-0x00000000029FA000-memory.dmp

Filesize
23.6MB

Download
memory/308-204-0x0000000001260000-0x00000000029FA000-memory.dmp

Filesize
23.6MB

Download
memory/3780-6-0x0000000001260000-0x00000000029FA000-memory.dmp

Filesize
23.6MB

Download
memory/3780-2-0x0000000001264000-0x00000000024C3000-memory.dmp

Filesize
18.4MB

Download
memory/3780-0-0x0000000001260000-0x00000000029FA000-memory.dmp

Filesize
23.6MB

Download
memory/3780-203-0x0000000001260000-0x00000000029FA000-memory.dmp

Filesize
23.6MB

Download
memory/3780-209-0x0000000001264000-0x00000000024C3000-memory.dmp

Filesize
18.4MB

Download
memory/4708-11-0x0000000001260000-0x00000000029FA000-memory.dmp

Filesize
23.6MB

Download
memory/4708-205-0x0000000001260000-0x00000000029FA000-memory.dmp

Filesize
23.6MB

Download