55e4ce3fe726043070ecd7de5a74b2459ea8bed19ef2a36ce7884b2ab0863047

Analysis

max time kernel
291s
max time network
303s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
28-05-2024 06:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

AnyDesk.exe
Size

5.0MB
MD5

a21768190f3b9feae33aaef660cb7a83
SHA1

24780657328783ef50ae0964b23288e68841a421
SHA256

55e4ce3fe726043070ecd7de5a74b2459ea8bed19ef2a36ce7884b2ab0863047
SHA512

ca6da822072cb0d3797221e578780b19c8953e4207729a002a64a00ced134059c0ed21b02572c43924e4ba3930c0e88cd2cdb309259e3d0dcfb0c282f1832d62
SSDEEP

98304:NzTZ3cINQscs0m++LNkT6OpwDGUUH57yvZ/49Mr8EO3QhA9Kq:Nzt3cINQscNmvLCwDkHEvZ/4R79x

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AnyDesk.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	AnyDesk.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3656	AnyDesk.exe
3656	AnyDesk.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
1612	AnyDesk.exe
1612	AnyDesk.exe
1612	AnyDesk.exe

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
1612	AnyDesk.exe
1612	AnyDesk.exe
1612	AnyDesk.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2876 wrote to memory of 3656	2876	AnyDesk.exe	84
PID 2876 wrote to memory of 3656	2876	AnyDesk.exe	84
PID 2876 wrote to memory of 3656	2876	AnyDesk.exe	84
PID 2876 wrote to memory of 1612	2876	AnyDesk.exe	85
PID 2876 wrote to memory of 1612	2876	AnyDesk.exe	85
PID 2876 wrote to memory of 1612	2876	AnyDesk.exe	85

C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
"C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe"
1⤵
- Checks processor information in registry
- Suspicious use of WriteProcessMemory
PID:2876
- C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
  "C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe" --local-service
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3656
- C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
  "C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe" --local-control
  2⤵
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:1612

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\gcapi.dll

Filesize
385KB

MD5
1ce7d5a1566c8c449d0f6772a8c27900

SHA1
60854185f6338e1bfc7497fd41aa44c5c00d8f85

SHA256
73170761d6776c0debacfbbc61b6988cb8270a20174bf5c049768a264bb8ffaf

SHA512
7e3411be8614170ae91db1626c452997dc6db663d79130872a124af982ee1d457cefba00abd7f5269adce3052403be31238aecc3934c7379d224cb792d519753

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace

Filesize
4KB

MD5
ed3a1115e2d5178ada8c5141ba9b0656

SHA1
82e8ce06bc9b1b39c5162716ca610680215da327

SHA256
a14afc9cff24826306e3bacbf2829d1b11fa4033392cde85267763bd067b66b5

SHA512
1b31e29e39d0814a9a9e50325a8e157429cea45270c8c619b107ce0e00749dc602dc0684ec09ebb0eef94379c6a1964bc2210b7b9ddd27871c4301ba8807ea59

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace

Filesize
9KB

MD5
49474c30b03c595d5e058e54183130ed

SHA1
7de09c306460a85622df824b8273fe9f73c39d24

SHA256
6dc35a12a7396356311530d3faeb601cd7722cbef295394f8d8aca36afd9896c

SHA512
44ae8e4aefb82c34d8415a0b799937cfc564da5a851b54837e4e52d16c2afb30160079f7243c6b93428b65e89a5c8932b7a880f925711b9ad1497c38837121f0

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\service.conf

Filesize
2KB

MD5
ccb0a925dc7fbd2af6746062709747a2

SHA1
10bca0a698fc2ab22a69b3045b9ce8b03693a486

SHA256
dcc631817884813401f44d9f6751f52908b8135ef307d5e907d53def14ffba7c

SHA512
f76e0336a297a90ceecd301efee516f83d2165daf239383aff1d8a144a007994166515ec8915846ebfb9576f8ea7b0749230b994fd46fc7c36e05aa722e1032b

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\service.conf

Filesize
2KB

MD5
22d046c1641bb5f0f0c6204d5c5824d9

SHA1
076cedc13986eef311bb4ce1d37233fc2078fb25

SHA256
b0e041e130ad7e2f659b68afb03f764ff80403d660eb9e53379d41e767527106

SHA512
4f095ecc4cbd11b7db129549c1d316ba0e9b789a07a88c51d9960eba050d698c4b3f5dd2d1cd8afdd7b1f9a53dbc4023b8e4fe10c3b8480184cfd367a3731215

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
424B

MD5
bb4a810d3d58002df5099a29af2cbf8e

SHA1
765d271d6a374968a8c6c214c7597b9bf9e5a5d9

SHA256
e6ed390be9aa63dd34fc6153e97dc82f1301a6423317ad1f75c878710172ba78

SHA512
c704fbccfb0a24e95f5beb4382303cb098bb64b24c6b3f51b131ec27d3badcf83f7facdf4004d5d4691e8a75a9973eeff60699bb1a3afe21337c34199e39ec90

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
681B

MD5
c5e852f57093a761415a6f50e95e86fc

SHA1
0e677f7188edd0dade4ac4338658faaa4ab12a0e

SHA256
429d5d907bb6e706b77f66b7024dcb59ad6e0b352241bbdba2f8218c99b94649

SHA512
65adacf4f1ee78097992b1c03e63751d8657bd0d49c002a643f8c59319e933824a8f1aceaa6d2a911ac7241a46461db089aa9699ae544f1bd74ac82dd3173a61

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
745B

MD5
4704bc6c222831e5d9d48ae776a65cf7

SHA1
2f16131458e2d18132b7aa3a0b0235bb48436bb6

SHA256
51230ca7137a4b634670a45bb7950d1fd41dabb55b673f23a362ceedaeb1b541

SHA512
89a8182e12b9f62dfd57118ae439754731dd768100c4318153317af555fa66fb4c1f4312ef60933140c815854b0d41ff4ed966ef6764011b569b0caa3e197dc6

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
802B

MD5
ae6727bfc55ae0701b79c79ca3e2089b

SHA1
c7215b9d6ed172dae1a5f509e6356c72ebeffd4c

SHA256
1f108dfa3c2011b85bb721a66f21381ad29377f0d8bd88193becf4b6ead24daf

SHA512
eb6d9b76898a3e215f4940315d353f7c314d7474381d4443c40b7ef85923279246f244b5c4697c890ff9a7bc9169a2bd204014d744822a1636d83c43179ebeeb

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
312B

MD5
0c04ad1083dc5c7c45e3ee2cd344ae38

SHA1
f1cf190f8ca93000e56d49732e9e827e2554c46f

SHA256
6452273c017db7cbe0ffc5b109bbf3f8d3282fb91bfa3c5eabc4fb8f1fc98cb0

SHA512
6c414b39bbc1f1f08446c6c6da6f6e1ceb9303bbf183ae279c872d91641ea8d67ec5e5c4e0824da3837eca73ec29fe70e92b72c09458c8ce50fa6f08791d1492

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
424B

MD5
b87a07320e31b1e28cd34e388f8393df

SHA1
a3a5178b86bdd2c5cb0654f541b665faca6d4256

SHA256
85e00230011f65e7bf941632b6aff6028f0d28a3e8577eb72c2eeeacf3c25a7b

SHA512
a6ee4275b8457cfb54c85e6a8e136013edaed139d47ef0bc5d610080189fbe9667c0fbabbf4fd98ceb0e8ea71597d079e8a9e9f43741e53d3cbf8905aa193897

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
95c51e2e72533c5b7ca17c9085f060f9

SHA1
5c2f376cc36b6c7d7c08fb433c6a515a825766d9

SHA256
c81403939ee5209761b72b1f46427044fdea1d9865052582c528f764138b1b8e

SHA512
dbc573d20d69451458c7767765999726ce9435ecf5dcbe4808cf974cf31a3c76bef1a4281c59030ac79bab827804778163a9840c4d3bff7ad964c85907f58e92

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
2KB

MD5
9cb92dc26e109dd95aeb026c23895b32

SHA1
e7d4460db8bc9d0606904ca8d3ed173bfcd6dc56

SHA256
34edaf7da740022aa6dcd523df5db69b6e476a24987165caccc9103ec38fbc58

SHA512
9db2576ac04fd2add310cf53b24f4402a33185a7f5b762dd0ef96d5c6bcf9ea4b180cf536568b4f88fa5819bd623a902abb29d836d887dc4a7ae86e889f39e1f

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
6KB

MD5
dc7552b7dbea047a2b03b39e0c8a14dc

SHA1
a0f58bbf1e2b137d9e03ff07d1abb17db8cc3c6f

SHA256
7d759c40ea5d147016ed92b301c387408f097a744cf83efb3002fa15aa2e584a

SHA512
d2daabc3d285b9978b39d63ea480ef47d48c6812756dc06cb3c307581ea8f560b774802536d7b717e0bb12112e1a99704dee9144813c62b5db08d730e8b2c7b9

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
5KB

MD5
2a38d2ba264a2efa1c75c4cb5739eae1

SHA1
2d229be142252c0fd2016f2118eaca7bc6a95fbe

SHA256
d831e3acdf17203927fd3b38b0292ec50b7e8f2be1185482778105f6197e10dd

SHA512
309293fd0ee62bc084495530dacdd3930c2cd4b9bed808bde211706981de639c3deefcdc39c24b406694e70804ff9fd74842c254de4ee0838cff0dcaa75afe38

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
5KB

MD5
e5c83f1a7956086e9f2dee5c29ba0902

SHA1
6a6a7cfdd62a614c26ffbbf9999169edd51c0456

SHA256
18fea7a2df0e783b2a277ba3be0f15429f2762fe60c8909f3d2821d9a8901580

SHA512
1fa29382657fd9b47ec25c046b6064726213aa60524e3dc01fca580b58d09abda6d4ec926b71a235146ae4888e6a4332ca5c2db83e9e81ee3ccd153a2959bdca

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
e46ac58494a9c668d3aa525551fbd4cd

SHA1
29a852a6d723534a18668984b5c09185dfc088ee

SHA256
3e148161664574034e4f821b5733e4f4a792a5dabaa39388ff0d0d2c8397fa58

SHA512
e1700898a07b0ddd6c9bd1a21d24992e061621d7e60bc040f801e747b07c38dc044e3c2551d57e5bb1b08c9c18062c3cf57fbee1e32306ce20293474c4e83c28

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
9d1ca0ae26b930cbcb263162532c1b6c

SHA1
b806411adbf13f312b346b9ebd66370d24d9278a

SHA256
2dd757f3ccd424ee67535eb0f78057fa54f62ef777db2ab27c91a78e50c73884

SHA512
ac29a369d8216e27b4a0bd78603e0339206a923da8a4c89a6a4cf5e3888e57a158f2d31238f7c86d6d7230bf147271e5a5fdb93d702e133b3a499dc352ff67fb

Download Submit
memory/1612-276-0x0000000000600000-0x0000000001D37000-memory.dmp

Filesize
23.2MB

Download
memory/1612-13-0x0000000000600000-0x0000000001D37000-memory.dmp

Filesize
23.2MB

Download
memory/2876-0-0x0000000000600000-0x0000000001D37000-memory.dmp

Filesize
23.2MB

Download
memory/2876-8-0x0000000000600000-0x0000000001D37000-memory.dmp

Filesize
23.2MB

Download
memory/2876-2-0x0000000000604000-0x0000000001843000-memory.dmp

Filesize
18.2MB

Download
memory/2876-274-0x0000000000600000-0x0000000001D37000-memory.dmp

Filesize
23.2MB

Download
memory/2876-278-0x0000000000604000-0x0000000001843000-memory.dmp

Filesize
18.2MB

Download
memory/3656-11-0x0000000000600000-0x0000000001D37000-memory.dmp

Filesize
23.2MB

Download
memory/3656-275-0x0000000000600000-0x0000000001D37000-memory.dmp

Filesize
23.2MB

Download
memory/3656-15-0x0000000000600000-0x0000000001D37000-memory.dmp

Filesize
23.2MB

Download