1cdafbe519f60aaadb4a92e266fff709129f86f0c9ee595c45499c66092e0499

Analysis

max time kernel
1793s
max time network
1795s
platform
windows11-21h2_x64
resource
win11-20240508-en
resource tags

arch:x64arch:x86image:win11-20240508-enlocale:en-usos:windows11-21h2-x64system
submitted
02/06/2024, 01:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

AnyDesk.exe
Size

5.1MB
MD5

aee6801792d67607f228be8cec8291f9
SHA1

bf6ba727ff14ca2fddf619f292d56db9d9088066
SHA256

1cdafbe519f60aaadb4a92e266fff709129f86f0c9ee595c45499c66092e0499
SHA512

09d9fc8702ab6fa4fc9323c37bc970b8a7dd180293b0dbf337de726476b0b9515a4f383fa294ba084eccf0698d1e3cb5a39d0ff9ea3ba40c8a56acafce3add4f
SSDEEP

98304:G5WW6KEdJxfpDVOMdq2668yIv1//nvkYCRThGXBJdicotUgwoAo5beyjF:y3vEbxfjf4Y8yofvktkLdurH5iyR

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AnyDesk.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	AnyDesk.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2480	AnyDesk.exe
2480	AnyDesk.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
1144	AnyDesk.exe
1144	AnyDesk.exe
1144	AnyDesk.exe

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
1144	AnyDesk.exe
1144	AnyDesk.exe
1144	AnyDesk.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 3404 wrote to memory of 2480	3404	AnyDesk.exe	81
PID 3404 wrote to memory of 2480	3404	AnyDesk.exe	81
PID 3404 wrote to memory of 2480	3404	AnyDesk.exe	81
PID 3404 wrote to memory of 1144	3404	AnyDesk.exe	82
PID 3404 wrote to memory of 1144	3404	AnyDesk.exe	82
PID 3404 wrote to memory of 1144	3404	AnyDesk.exe	82

C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
"C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe"
1⤵
- Checks processor information in registry
- Suspicious use of WriteProcessMemory
PID:3404
- C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
  "C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe" --local-service
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2480
- C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
  "C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe" --local-control
  2⤵
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:1144

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\gcapi.dll

Filesize
385KB

MD5
1ce7d5a1566c8c449d0f6772a8c27900

SHA1
60854185f6338e1bfc7497fd41aa44c5c00d8f85

SHA256
73170761d6776c0debacfbbc61b6988cb8270a20174bf5c049768a264bb8ffaf

SHA512
7e3411be8614170ae91db1626c452997dc6db663d79130872a124af982ee1d457cefba00abd7f5269adce3052403be31238aecc3934c7379d224cb792d519753

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace

Filesize
5KB

MD5
4aa89c793b1281d267a0215770a5e0d0

SHA1
d2d7e67584764248d560fdcadfa29ecbf9b46370

SHA256
3654fe9c18f742566417280c91287e5d6496d91829a088caad796f08b5f54cee

SHA512
1da8583305e177dee37e9e7c18ddf8d486b59aa86ac4c32d307b6f26a49111c4cb677c856e843a8a3ed17c910c412fbbb5044d7869d7e4bfd8eeb2fd0f052b3b

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace

Filesize
9KB

MD5
546e53bfe634f6ee9db86ff2c52bf7f7

SHA1
857edc6e7e57641ecb1bc577a0d401fb05b78362

SHA256
3b0a9c2ddee89a51b26f26947ad7f16428c36f89e057f6b8b48e8ac85a0c6afa

SHA512
7711bbc562d769ab2fd0656c973d764686403493f1b48b5a81da8caeb89a407596d4ab467762fc8980cda71f3153a98548efa91b58ec034392d1940d89e05f5e

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\service.conf

Filesize
2KB

MD5
85df3ee6d70a2a7a49035f6c7c5994f4

SHA1
5193a9696e08c3fed4f8296bf7b320b6ca06949a

SHA256
2e81f2411b31aab67ccd28b87b7aa617deaddee57888cafdbb0875d49d683539

SHA512
9c0dcdab29b91255828adbb10ad9ca43c4b92834163c1d56e51e3b6aade21db6091672005c620f02705c933d9980c6e12b4e6944bc7099a9a5ebfbc3d6eb6a98

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\service.conf

Filesize
2KB

MD5
84925456ee64d5f9c13afc74ca5376b8

SHA1
aee959f03d7b796ff45d8c0ad0c33d7efed831ca

SHA256
e54128b5561664bc1809c91c838954eb8b81139eb1a2d66e7df6249847fb17c9

SHA512
876f97bfde40d2e4eb29778cd6c83a0e22c68b6027a25095393975a0094d7d76404ce7f60ca3da9d40d1784c534d23f75a7d08208052f910af9ec861e4052de8

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
701B

MD5
e6b3c1657e1defdeb0e68a89a9d7f73f

SHA1
50ebcff92e0e86ae6012865e7d36d29d7638a734

SHA256
771933c4baa19dd1468386b4e85ae4f877f15a26aad1e34e9ae9d7efb20f3ea4

SHA512
2f5571aa9552cd611b7374e9aea1d20b22727e636b1b76515a344b483d874a066c2ac2e7ccb370823562a6ef6a7845677b97a95d7cf4f688ef7408a58c37fc40

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
758B

MD5
399fbe9fbd42e4a69eb4789c87a856fc

SHA1
677e617324548eabc6050f08ae66f6fb9dac34a5

SHA256
b49b4ed412b7bd5ddb5b349122851360ed477a56ec7296eee43b4fda72a21234

SHA512
9e2a204c73b1637ecb95cfb6d27963bc0f70c8b2758b4f0ff828beb6eb950fbdf8a3f0367a6604c9f2308212b940ed09c7d6fe02deba2b7c4e260bf695a060f6

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
312B

MD5
0c04ad1083dc5c7c45e3ee2cd344ae38

SHA1
f1cf190f8ca93000e56d49732e9e827e2554c46f

SHA256
6452273c017db7cbe0ffc5b109bbf3f8d3282fb91bfa3c5eabc4fb8f1fc98cb0

SHA512
6c414b39bbc1f1f08446c6c6da6f6e1ceb9303bbf183ae279c872d91641ea8d67ec5e5c4e0824da3837eca73ec29fe70e92b72c09458c8ce50fa6f08791d1492

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
424B

MD5
f510708757ac3c2de1ddf1c03d20e7fe

SHA1
98f406e892c9e47848eaafc4b6e07a49e17c2ffe

SHA256
904a825a12b0a34deeab5bef58e79718e2b857522c823b41a3daba6d2aefcd86

SHA512
d28830ef9809d1d733fc1fde854a1c4f8d530ed1e059fe2b60fee96c7f224b6ebee15e3d0a917302a672e160793f5d8caefd82ec83eba80d8986a968128ed751

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
2KB

MD5
55f185ec54d4e2052c0f256641b33cae

SHA1
4775e47f59d7b9edd2a8c1cf94a7aa379c7694c8

SHA256
f78272691e501d278a75b5607f4c2c76c6e47f6d99384925263364ba0bdaabef

SHA512
5a430e30c716364e7fe5e85330529bb628b5bfbbd088c02f9f0afd2fcf70aa357bb8bced12065af868a0097490bec3a3dbbfb56254ae23edb507646027b3290f

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
2KB

MD5
a3a503c9b34350c57766cd4739e65215

SHA1
c2ea2af80adbf761bd8c3a51dee06b72ebd3c49f

SHA256
cae9d1504cc31ed3893e16ab5307fb827d6a5cbc5d6453df6799229c9c9b4264

SHA512
f5585eb7c3e77cbcc3af5a9a5bcde661ae343d7fdbd449b64d47b373cf70b4fbf6331b82fa00a3296d66d34a4787d2cb2c3e97ff080a6e4bdab2bf3074eb1b03

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
3KB

MD5
1c4106c828e9e7a4e7c2ce4cacfa3d31

SHA1
4fe0e6b49593352b0a2eba8f6355a3043c42c4e8

SHA256
35c8efa045a5fb67c2143c74177774a91e433456c0435a3599d7f65934720580

SHA512
97bc0d12cf16aa17bdc34aa345f1fc46e2f75341a727ddc37ec49a44bb098cf8fb291c11e4c51ba368fd902c8e96497b47609485f26764d5f27e07614fe8e463

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
3KB

MD5
e7c9f47dcb5347c2de73b6ec53e28edb

SHA1
361075004df3b18dac935c94382fa1f3c05a8400

SHA256
6cab1dcf2ace38d8295d93deb3b1c1909b6e105102436169e7a7462c1c998597

SHA512
1594daff26ef3df09624dcfd28aa259eb91f0194db12555dcdf1e30395ccaed3f2c1e53786f57722995c294ec6216b42d52c3559d815dd02a27be4a6c067545b

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
7dae242deb5a1d1dc8012601983725e8

SHA1
86810d9aaa489f37ab7942096157b97ad295a046

SHA256
10aa5ed1045d590cf517dda69d66ec8b69e239d3c460d90a92666b71d79d543c

SHA512
d9d283dfb7269a36ca66afd63045955d9df975da24cd8ae633dc6110a522b8ec1a3d280a8b7979e173f53a1fa2a56bb662bf9e46992ecd21b83224b9a7e7016e

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
6KB

MD5
7cc88af93e2ac5a01aedd912ce3f0ebc

SHA1
e40915688cc56ccab3ef00212c2eb10acccecd57

SHA256
582e5cd750c45bddc2c6603563b83f9a31cb26027974ae8ab3c48a7beb10f8aa

SHA512
cc5c3aa5f3f287e2992486a14f60f0b1cf2c762a38fb25b164a6e01ad085ae03bfa5d25ad9722b9c67a0731f487ad9df2ff12db86dd94c69958370da86481b97

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
6KB

MD5
910f18125fc0c1062a74be5ba9b04350

SHA1
cdb575da5e967241582702030c372bb6fad7ac0d

SHA256
6ca2f5e037b599e2159f9634956fa6bc85ae63a84008288152c542dde1a39837

SHA512
41df9947868a8d3ff0182ef11dddcd96dbd9ab67fc7ee9c71b9d12175313be5465d328657fa4671afda0f0540b7cac2d1ccddfc02c5698c019a7e812725a9c96

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
0ea431a419d8830b3593ef3d65be0d5e

SHA1
5785ff333da1121f2601d58fe1f6c5587f6e9761

SHA256
e9eb8d655fae755709628e52356b660997fa3cf489c460011ed1632679dcbb80

SHA512
ee357e0b42a8d234914edca9ddbfba86b8653733b29396e0446397c25e53504f130ed03ad1e08bbbe47907d0e154754a7f2e0025dc5eb2956828e239d762ab03

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
6KB

MD5
5eda9fc9911c60cd8afb5ee80b14889c

SHA1
79ccb5a6c2717df0035c3d18cdaa773fdaf1340b

SHA256
d04bb31993c760c1ecd0566c7cb6774da9e67a92a6b7bc36df3840e0ff505add

SHA512
5f1951b088980d91f45a41e66750d94b490f9436da66f754d9f5d27a7bae55734eecf07bea147e98dfcd4f6e83376b1e20ce2dbe528fca5cd5fc90f6f5dc767e

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
fe9d8d5f2daa1ff59147773ba9611389

SHA1
893196154160436cdea8357ffb5c483e5cbd27aa

SHA256
509014299bbf0ccfff4d89fe83085631c147efa7953aebcbc19815f86b36a06c

SHA512
2037a4fd00d8fb4719959762fb1313291d7d0ca7267e1badb320832bb6e4ac139f6e16823fe3218e20334da67f2cbc8f1a8f173f35de5f7a0a71076df604e58d

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
bb7ae0fb8a4b37397e1ba57ff9257c8f

SHA1
fe86fe5775219a10f58b041f75c025151cf4961b

SHA256
ebc27b0c5e925ef08dcace15fb166f297a51412206c464b63ad0381b033924c5

SHA512
208565692aa0a4fed5ff06a9ce4c19deabe86975ef7dce02bef9deae77f51b072e752d4ec893daee82d6bdcb440cca771c77de5f8ce3308ced1ed2665648b110

Download Submit
memory/1144-244-0x0000000000AC0000-0x0000000002209000-memory.dmp

Filesize
23.3MB

Download
memory/1144-12-0x0000000000AC0000-0x0000000002209000-memory.dmp

Filesize
23.3MB

Download
memory/2480-10-0x0000000000AC0000-0x0000000002209000-memory.dmp

Filesize
23.3MB

Download
memory/2480-243-0x0000000000AC0000-0x0000000002209000-memory.dmp

Filesize
23.3MB

Download
memory/3404-0-0x0000000000AC0000-0x0000000002209000-memory.dmp

Filesize
23.3MB

Download
memory/3404-9-0x0000000000AC0000-0x0000000002209000-memory.dmp

Filesize
23.3MB

Download
memory/3404-242-0x0000000000AC0000-0x0000000002209000-memory.dmp

Filesize
23.3MB

Download
memory/3404-2-0x0000000000AC4000-0x0000000001CFA000-memory.dmp

Filesize
18.2MB

Download
memory/3404-248-0x0000000000AC4000-0x0000000001CFA000-memory.dmp

Filesize
18.2MB

Download