55e4ce3fe726043070ecd7de5a74b2459ea8bed19ef2a36ce7884b2ab0863047

Analysis

max time kernel
294s
max time network
295s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
28-05-2024 06:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

AnyDesk.exe
Size

5.0MB
MD5

a21768190f3b9feae33aaef660cb7a83
SHA1

24780657328783ef50ae0964b23288e68841a421
SHA256

55e4ce3fe726043070ecd7de5a74b2459ea8bed19ef2a36ce7884b2ab0863047
SHA512

ca6da822072cb0d3797221e578780b19c8953e4207729a002a64a00ced134059c0ed21b02572c43924e4ba3930c0e88cd2cdb309259e3d0dcfb0c282f1832d62
SSDEEP

98304:NzTZ3cINQscs0m++LNkT6OpwDGUUH57yvZ/49Mr8EO3QhA9Kq:Nzt3cINQscNmvLCwDkHEvZ/4R79x

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	AnyDesk.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AnyDesk.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2560	AnyDesk.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
2564	AnyDesk.exe
2564	AnyDesk.exe
2564	AnyDesk.exe

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
2564	AnyDesk.exe
2564	AnyDesk.exe
2564	AnyDesk.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1664 wrote to memory of 2560	1664	AnyDesk.exe	28
PID 1664 wrote to memory of 2560	1664	AnyDesk.exe	28
PID 1664 wrote to memory of 2560	1664	AnyDesk.exe	28
PID 1664 wrote to memory of 2560	1664	AnyDesk.exe	28
PID 1664 wrote to memory of 2564	1664	AnyDesk.exe	29
PID 1664 wrote to memory of 2564	1664	AnyDesk.exe	29
PID 1664 wrote to memory of 2564	1664	AnyDesk.exe	29
PID 1664 wrote to memory of 2564	1664	AnyDesk.exe	29

C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
"C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe"
1⤵
- Checks processor information in registry
- Suspicious use of WriteProcessMemory
PID:1664
- C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
  "C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe" --local-service
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2560
- C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
  "C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe" --local-control
  2⤵
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:2564

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\gcapi.dll

Filesize
385KB

MD5
1ce7d5a1566c8c449d0f6772a8c27900

SHA1
60854185f6338e1bfc7497fd41aa44c5c00d8f85

SHA256
73170761d6776c0debacfbbc61b6988cb8270a20174bf5c049768a264bb8ffaf

SHA512
7e3411be8614170ae91db1626c452997dc6db663d79130872a124af982ee1d457cefba00abd7f5269adce3052403be31238aecc3934c7379d224cb792d519753

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace

Filesize
8KB

MD5
aec1d7ee92482e80d2b12c2a9991d4fd

SHA1
1cd202ca7df20080d3f8c1370779d901c7f27e28

SHA256
26dd7b1271b0144f8c7b0db62bd7a0166892e803f3634ae7573ab9d21e5f75c2

SHA512
dc5b2319c7b57442bc6803aa3d8988d837d2c5f0cd1f0d0d7f532f669f2db2622be6204549e92bc59049f7921088ade87e4aa84dfebde8c7cd0965711f31d3c8

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace

Filesize
10KB

MD5
2d8c5e486eb898e3732e9f1ead46b0fe

SHA1
d96128dae2d8e1528cafe14b1798473fa84f4dd1

SHA256
2d52efc4ef5aab72800a586004f34e7499fb9016fd2d42c1ca68bb9645c2a4f0

SHA512
7fc3b970625dae5648dd69481228741e775acd0ce800bcb7849927e89b62a015f580fb122cbe5e3270545540b96d468598575eadc72be18653c32c5c1c5d9aeb

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\service.conf

Filesize
2KB

MD5
866d68db1c4ac903a396e14cd188ba23

SHA1
35b77b2ae7465955f18735e37bdd7524d718cbb4

SHA256
6f7c16c028a81fac4f6e7113e7eb20528ff16a073f6ba03d52a0991898984e27

SHA512
5b38c716d8b2749a89b80717aaa18b3b60590d2693f7e57db57e42ba997cc5201537a2f2e25524ee82f4cab51c244236b587b6b8ec46aa185a8b26707cd541f5

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\service.conf

Filesize
2KB

MD5
a2c9d3e8b72dbaa098ef4d733d360e9f

SHA1
10821f7fae9f70ab78a1c72f2e91808cd19fd738

SHA256
342b84ef540c936ceee3073e7c40769b040ba5ceb969b5eabb9c0ccf4d00c209

SHA512
8a20fd0933c24d7a2c714f799f06062e56474d9fc72718caaf55ad45f2fbb936f1733ba20e2f0be3d48f8fa7ce47a20192e9bcefce93cebfc7068a97ed46f6b3

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
681B

MD5
9d331d8d271134446380243344b574da

SHA1
88819f330d4b43d634507bb24506f29261bdd3c8

SHA256
de4ad2c52e2e2c5655678986f96a767e11d1f890202813a8ab854907466904ee

SHA512
223b88e341ac4b2643e96535730091afcd64e0503e585df5820634aec9f51f9068b03f334b11bc5ff683350970177260b43e68a5939e42697275ecf6cdb70aff

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
802B

MD5
740ac06aa9c34f5fddad9595decaada1

SHA1
882a61724e4fe14a1cc8e2da272af0932ed40d7e

SHA256
894453ae4732f6cc64f4ade3402577dcc14f9dea7b6850fb90cefe509f85200e

SHA512
e2ec60c78dc65f2a5e492f227476b8fa6e807564a33cce1f1d4a7afa0924882d681d783610f5fdfe64c6912e51060b64f4f580521eadc03b20cb4ec38b9a5974

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
312B

MD5
0c04ad1083dc5c7c45e3ee2cd344ae38

SHA1
f1cf190f8ca93000e56d49732e9e827e2554c46f

SHA256
6452273c017db7cbe0ffc5b109bbf3f8d3282fb91bfa3c5eabc4fb8f1fc98cb0

SHA512
6c414b39bbc1f1f08446c6c6da6f6e1ceb9303bbf183ae279c872d91641ea8d67ec5e5c4e0824da3837eca73ec29fe70e92b72c09458c8ce50fa6f08791d1492

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
424B

MD5
242de4e41179135fa0287e6b6aa8e861

SHA1
cde878248426f670c88e70c62c8ad72b21df377f

SHA256
de34086862e0c00ea4c083f01e1901c5658162cfbbbf108d84747577f5728a8f

SHA512
ed0724a935c3b4ffcdc30c018594a1f2e01c0f14239fd8bb5e00ea454b7f1304ad88943cb26e19b31a6f2cebe509767b0f2c48bb2ff9f9c42e965bd1109a8bb6

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
424B

MD5
e7e4afe821c99d8fa364c74bc2c8bd95

SHA1
82d5897af4dd541a599e7ad24ed3679d3006a40b

SHA256
6f164540743b47f427536fbb66573e33db0d3243618a1151594ee8a601804320

SHA512
db87e49926454fb59791d74e46f31015213a55c2515ebce4157552be95a9c33c89e5973e3ae9d6660f71029dcf69ad9fe09aac9a80e6befcf3fb67e2a10c20ed

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
dfff84f3a52ebc4f20511a9442b53d8d

SHA1
ac61c7285ba6eda26cb3132bb7dc4ad1a5521707

SHA256
b2cab922f5ce6e7ff109ffe0f15eb0083b27a54ba317fbb8c22ded2c2ad90473

SHA512
c2c11a6bfa5d5f16b4af75e76f9234387562f95b3cb0d1af9bb7a265f50415feb5da1ddde2f00c36687b535d43f050c9c19efe738f02ca60fe18d2afa6ed26a1

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
2KB

MD5
e9a9dc468fe4a88f5d55e7873f11f75b

SHA1
c7fab48365a977f3eeef250a6d585151401ef4a6

SHA256
34b6a065ccff5dfb7ca8f5e2bdc7319747a0c39fa09f0cdced18cb36fb5bd199

SHA512
5d473dd706ed74638d401978bb1780cd1177b3f52a22cf2bde04442f8e9b3cae6ccc3fc1e34dc39b03e78e1909b523204b06b9b0325f48c93bceb18659f58976

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
627646fb4203b9eb5dbd784220899949

SHA1
8dca42e2853fe9870dbf546c7112c17603206908

SHA256
4a22787cd3c03976f86b95cc6492f70642142114d291128b26f42f5aed04b2a3

SHA512
b4353908b95e2cc9294d7abe93d938e345248d0e16760eaf6083f5ff1c1268044b9fb3d93461e6a5276458db0c582da5acbeb728ebca5f997507fd7248584041

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
3KB

MD5
84c4bdea39910367644646a0b45b745d

SHA1
c42f80133ec3a23a324669793c974507b2bc67fa

SHA256
6a52383e36558995d74438b2e508a1991ea93c6d4d34ea4db3cc236e0bfd4d41

SHA512
a151d4f5d66c8b5ecba9e1047b79aedb3bea458012c7b99b2fa1567c17a9ae50e03547a51d91e08a0227fa2caf8555950f172ad27db6f3a607b2e40398f683e8

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
6KB

MD5
01f38e13b3d7c64f66a97d1ee41e1aef

SHA1
29fd9dc191f22351fd34963a38dfc230210dce49

SHA256
5d49d2161f9cf2c439ad6e5834187510b05456931e3b11074ef43b5633a6d95d

SHA512
901674e285a86414d87681a2efd385eae9a9788d14f696ee31d2a3f73ae02fb2ccf547a2e7ea67bdc91e0da05d5116ac58402fa0988aa966c00577e6f773422f

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
6KB

MD5
031a9f360cc33f011e234217a7af070b

SHA1
5be42c44ec04f009200d78e7c7304966c05eb216

SHA256
9473791e4ee9bce94f79d011e9f75071741508a3a5deb826a0617c9dd9a4b743

SHA512
2fb5ed7941c09aa22ccef20fc27b96527834948126e416b7edf2eacc0258132b4d3c7bc7d6ba818e098b627a1dc2c6273a6db6b5a556af617098844b1d789a40

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
6KB

MD5
2463da66367ed0c16740e112b867ec3b

SHA1
13d5b925ddc723d494d05ee3fc307b35070ae63a

SHA256
5313bf79406f21c159455f6e69281760cc3b2395acaa3f4f1ead82787d36bf65

SHA512
f9d811a2bab157f85fbad7583945b50f40bee78cd62e9b2f81342a096be1feb9b010915a7f5e9a7308a672d781e221d165c8448d531f4a16eddf731ccab48640

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
6KB

MD5
facd75c8486dfaee549667cbba4642ce

SHA1
f89c67270a6d36597675e5cf28c8e9149195f17a

SHA256
3b1cb6f0bfe52d93d85c7ea2145c2b7cd48c6811196de9d01c506c01630bb89b

SHA512
7e31064b18554a38b2b46d7813d6bc963948b177d102d52d9b5de2f51cf12ae354ae4e6fd58bda3714fb8d61eee0d2c80abe0e74d96cd68b441c97d586726b92

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
08a1135bff790e8d68e53313c762ef9a

SHA1
e1aafe06d3d66de12c04938ad6f6f2b4b8b1697b

SHA256
e013b3d82a728e33c0c95683832c4bbe7940227d5d4ccdc0ea2b55ffa49b6df3

SHA512
50a64fa27d32fdbf578b810b4d3aef8e85cb19b79b517fca550caa5eef1f8e8638ef940e74a7180657d2455ce4c27ea8d6c42fb509946372ab5e31afa6c47d80

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
cacc3e4f8b8ef263ccf63d0b789ca9b1

SHA1
8075df944dcd2aa37e00c51ac341a71eb334d31d

SHA256
7101224badcf2eb997f903e02cc4f4104b2242f653f6f740d60db554d771c5c1

SHA512
d43b9055d34dd60807756124ec7f3755501cb0f68a39ce66d06547466638a8c7b926f96b5ec8deae155251771606f8942c30576fd8a47447f1aa3921d3a1bf97

Download Submit
memory/1664-4-0x0000000000B40000-0x0000000002277000-memory.dmp

Filesize
23.2MB

Download
memory/1664-2-0x0000000000B44000-0x0000000001D83000-memory.dmp

Filesize
18.2MB

Download
memory/1664-0-0x0000000000B40000-0x0000000002277000-memory.dmp

Filesize
23.2MB

Download
memory/1664-249-0x0000000000B40000-0x0000000002277000-memory.dmp

Filesize
23.2MB

Download
memory/1664-255-0x0000000000B44000-0x0000000001D83000-memory.dmp

Filesize
18.2MB

Download
memory/2560-11-0x0000000000B40000-0x0000000002277000-memory.dmp

Filesize
23.2MB

Download
memory/2560-250-0x0000000000B40000-0x0000000002277000-memory.dmp

Filesize
23.2MB

Download
memory/2564-19-0x0000000000B40000-0x0000000002277000-memory.dmp

Filesize
23.2MB

Download
memory/2564-251-0x0000000000B40000-0x0000000002277000-memory.dmp

Filesize
23.2MB

Download