1cdafbe519f60aaadb4a92e266fff709129f86f0c9ee595c45499c66092e0499

Resubmissions

02/06/2024, 01:17

240602-bnvzksdh3s 4

Analysis

max time kernel
1791s
max time network
1802s
platform
windows10-1703_x64
resource
win10-20240404-en
resource tags

arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
submitted
02/06/2024, 01:17

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

AnyDesk.exe
Size

5.1MB
MD5

aee6801792d67607f228be8cec8291f9
SHA1

bf6ba727ff14ca2fddf619f292d56db9d9088066
SHA256

1cdafbe519f60aaadb4a92e266fff709129f86f0c9ee595c45499c66092e0499
SHA512

09d9fc8702ab6fa4fc9323c37bc970b8a7dd180293b0dbf337de726476b0b9515a4f383fa294ba084eccf0698d1e3cb5a39d0ff9ea3ba40c8a56acafce3add4f
SSDEEP

98304:G5WW6KEdJxfpDVOMdq2668yIv1//nvkYCRThGXBJdicotUgwoAo5beyjF:y3vEbxfjf4Y8yofvktkLdurH5iyR

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AnyDesk.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	AnyDesk.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2952	AnyDesk.exe
2952	AnyDesk.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
3568	AnyDesk.exe
3568	AnyDesk.exe
3568	AnyDesk.exe

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
3568	AnyDesk.exe
3568	AnyDesk.exe
3568	AnyDesk.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 612 wrote to memory of 2952	612	AnyDesk.exe	74
PID 612 wrote to memory of 2952	612	AnyDesk.exe	74
PID 612 wrote to memory of 2952	612	AnyDesk.exe	74
PID 612 wrote to memory of 3568	612	AnyDesk.exe	75
PID 612 wrote to memory of 3568	612	AnyDesk.exe	75
PID 612 wrote to memory of 3568	612	AnyDesk.exe	75

C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
"C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe"
1⤵
- Checks processor information in registry
- Suspicious use of WriteProcessMemory
PID:612
- C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
  "C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe" --local-service
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2952
- C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
  "C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe" --local-control
  2⤵
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:3568

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\gcapi.dll

Filesize
385KB

MD5
1ce7d5a1566c8c449d0f6772a8c27900

SHA1
60854185f6338e1bfc7497fd41aa44c5c00d8f85

SHA256
73170761d6776c0debacfbbc61b6988cb8270a20174bf5c049768a264bb8ffaf

SHA512
7e3411be8614170ae91db1626c452997dc6db663d79130872a124af982ee1d457cefba00abd7f5269adce3052403be31238aecc3934c7379d224cb792d519753

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace

Filesize
9KB

MD5
ac83f91a19c779c0435d3d1a124c81a5

SHA1
c1585ff74ee3e54d5262c5896ba2df1758c9af97

SHA256
8d06189df2c608ea17e8ed0b8523923a68796f28b7190537fe671134b705089f

SHA512
70bd2a58fcb9803fb8381f1f2892d9200d24c4628fdb7acc8503b091c47a9160e71537570148b2f42dc2b7a627c95df9326e28b290b4c02ca76e6a89f71bd6db

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\service.conf

Filesize
2KB

MD5
8fef13ac5a5cdbd9324bd197ba077c37

SHA1
258a37ad365d4bc64c4fb79664ce8d9f08357196

SHA256
d8abb43fab7dcf50b81d15ef9607766cf7a22c23514168334db183423cdfe244

SHA512
dfc375c9a1914079bf3eef47b063504af06b31337ef0f543a3c7acf13deb0eed02d61d154c2c2495d723334884bb36b86568d2378bf68760b7d7a0d850a29ad2

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\service.conf

Filesize
2KB

MD5
fb6092c693ce42c47dbc75e0a7fece13

SHA1
a292fe843d854d577d1512dc490b8413707fb53e

SHA256
c87f02c75cb6fea7694730f8133e5710de05ac793bc21d85a4072c58b478cabb

SHA512
f7c828f7e89529f52c0331b26bbdcb787725d69b80cb6a2c6d953a31f1602a0f36271c1bcc6dab96aaced6c92394a1f43ec495b3660fe94dc7eb9f8966ce9e8b

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
701B

MD5
306d19644283d288ff1b35e5c17bf918

SHA1
b9d32ae961873ec5988c9e8c56445560ef67684d

SHA256
01d02877df00a7d8d257610eb1999a4d5536adff9d0695a1ae0e90d3ea1469c1

SHA512
721897e8139b7bdcdb364b3c32996827ce501f63eda45f4adb6ecc648c16f74d163b0407f38c6ea1586bd89d2c3ee28c8f3c8a74c8e50b706b8f393658f7cf63

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
758B

MD5
c33006f807ef4b205c0bf0e27937f259

SHA1
3d758cb3cc2e324bb862a25c26f88549740c2bd1

SHA256
d436b5098a9c173e96254ef7973c0e8d732dfe1a0fb45e40c39b721387f7f9e4

SHA512
0ed381ceb5a27a2176ebb8c5d8376ff936f8df03cf16953b16070f7819b75dba9a154de40ad0b64c27b31be817586112cbb105f412c77fbaa2cdee7c4b1d397a

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
312B

MD5
0c04ad1083dc5c7c45e3ee2cd344ae38

SHA1
f1cf190f8ca93000e56d49732e9e827e2554c46f

SHA256
6452273c017db7cbe0ffc5b109bbf3f8d3282fb91bfa3c5eabc4fb8f1fc98cb0

SHA512
6c414b39bbc1f1f08446c6c6da6f6e1ceb9303bbf183ae279c872d91641ea8d67ec5e5c4e0824da3837eca73ec29fe70e92b72c09458c8ce50fa6f08791d1492

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
424B

MD5
f3d3dd152fdc2aeb843037520ad7eb53

SHA1
e0ae91087d22c1e07c2314dc1f8c7b915a1c1a79

SHA256
a6da299b0de4f8e8c3f9957cf1487c7744ed0b48eac7539ec5a49e9ae2660fc2

SHA512
6fb5080fa9a2f74110bc49e51ec7f6886921991e82242b2d924765d043a4e6bb0c0afaaf815bfa99e46d8caf61c857bb950f8f30b3461f4100d0b0f267b67497

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
424B

MD5
f9ff73869ecdb16caa296a3c4ce56856

SHA1
c302d8833336057591f48fe06df7326df22b44c7

SHA256
5ea6df4b24cca202b3f7e39238471bcacaa0e0497d0470082d0b78567e795cb5

SHA512
957ad069f5803f948263ab7dfc8fa2e245117838311b5bdc642fd0ae2a23c32d528c3b90f899c648b718972ecf6e5e457e6639447addaa3ffedcaa3259ffd7bd

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
2KB

MD5
9b8b59a637c7c4b5e46c1a546310f7c8

SHA1
e02e7efc743802bdb45201c41ac094eba8555304

SHA256
41facce2570b6a3577274ea53e98500bba41c00e17bd357c06a5b33cff04690c

SHA512
486a99308733e02945a416940106fad24fe221b227aae82ff37b0c8330262ff2c3d1b74cca1f606d253ad71592eafd344e107079658380c08be8b94574d87c36

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
3KB

MD5
4a81840a6e05d193f2b0d082acea3588

SHA1
2771e52846a5d3f0bb3af041931e88770102b6c7

SHA256
27f8d269b23b7de630e4e18ab6f62e698c2ec5d461e79d1a2bbf48f9102ec722

SHA512
040d4ff7a3ff956012a9cd7b24e08d24ed9144c21efced1138f9babb92befecd8ba707f432ac3f0e2d6b16c17e5fc868ed59fb67e9ee20b27ca9807ab9378595

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
3KB

MD5
0bb45dc1840ff6e7bc3c6260ccf11898

SHA1
2b31d408032203f06667c50a8e115741954f5d02

SHA256
6392c5453724ce864de2da1e1473a78feb1fdb070ef3f776667eea74890c4477

SHA512
9fd6fc2409519213a680299e5e47a5cdf6d417261919fb0d05bbc239c7f7dbcc37a095f5553d3857246a3bbb261995b6d33479ed18f2c2b5ce902173c8ae41bf

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
3KB

MD5
acb94cddb13dee7f0c8ae8f0c9eed341

SHA1
412ad0b63ac215deac3a5d4cb5d13eb3155f4be3

SHA256
a6528036eaba62520fc6986c3438e8184bab53cf8276d537e7d1314bbdb1330a

SHA512
448228a89cda52eeeeecfff0c3f63c4904792aaafacb94c150e47f557a7144916c677bc906d58c407eb0fee754fdf3bccc1a7f5b0f7c919e0900e966e393d1d2

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
6KB

MD5
a369b938f9fddb2e892f6649283c7132

SHA1
98a363faf95731ffe5f8ed750d197bec54163193

SHA256
8c06e979c37b52dcdb52358df1edaa09349851893aac81a9a5068ff9fe516cc9

SHA512
5bc4f0f042c9a1d0e45cb69e3b54fec474ba59482fd0219cb61d4b7845f3b619c3c27e456df7dcd708c845b1c705264c64585a8c512386f3a78c6339354c4749

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
6KB

MD5
8c43c93445d4c93ef873d46f4b4973db

SHA1
9ee1618e4f8e1d0c10d46cbadaf98e9c6eafcb90

SHA256
ad230783a07f3f5d08618db8ba1cc3782cf8783f561cd1fb406153fd749a2418

SHA512
fa45f0e86b3f7984e9612593f51cb15a7a8a6e18ffb526501c5a58f5ccb70731715a4e7c913a0a44a6ae87b946fdeaa9408991cc5e8008dbd8f76b4bda3e42d5

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
10c87292298fad97d6f664eca12f1b8a

SHA1
ff6f4847bae9dcc630e6f702ff762008648d7a9b

SHA256
1dcf7037ee5582803865c52dc5d31f0ef317af36066c33113dd96ac392edf728

SHA512
29c135f906109fd87d0903571f04dba2ebff1bd0fd03eb5b590c37e524861b6c208f52f8deb3fd4f463400afdfc88a9ffe488ba8abdc4729b9ed8d6847b86d5f

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
a2cb777c09fe54d1a8d6cf84c5f83bef

SHA1
324f628a7bfe57d9a52a6e192c8c40576efdfa16

SHA256
a375437822f030474a08122f9157c140e6124259ca375409f0400ee8efc7a481

SHA512
2347e1af5c2efbd261df8799ac814a0058b7cebfe11fe6c8119862818ef8e8a3bae03a8dfb818d2e5031fa838300faaf709957280b85da3db51119421814f3d9

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
c1229b862f8270aa4e027cb53aec93df

SHA1
8fbd218a90db72bac15151770b962a4458df378f

SHA256
fe1a3b25a5ad1f5b7d0bea27f41449937b11a15744dd2b23115178c2c373e002

SHA512
4739658da53d10a862274538627da1eb1dcff8e78c0fc26bd75ed0c67889f98acee739838b5e0ce4453dd7f456eb3b66d7be29e375d367da55cc13ed85394a59

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
ceffd40c27a1d0397e8a36b2c324ddf5

SHA1
c2f529549a6c0526cab75c2e05612b17ff945b45

SHA256
1e0152c51ccfdd54584e24499d63afb48d8c2b3922f1db63eb890b3a704197f8

SHA512
cb09d898d3b5314c45c514f90e7dfc1834efb43e0020ce9b773433f03a11c0975079bfe41ac587213b15bb3414c408fd5708a4d3b162a8e5b0a093654d634ddd

Download Submit
memory/612-212-0x00000000012D0000-0x0000000002A19000-memory.dmp

Filesize
23.3MB

Download
memory/612-218-0x00000000012D4000-0x000000000250A000-memory.dmp

Filesize
18.2MB

Download
memory/612-2-0x00000000012D4000-0x000000000250A000-memory.dmp

Filesize
18.2MB

Download
memory/612-7-0x00000000012D0000-0x0000000002A19000-memory.dmp

Filesize
23.3MB

Download
memory/612-0-0x00000000012D0000-0x0000000002A19000-memory.dmp

Filesize
23.3MB

Download
memory/2952-12-0x00000000012D0000-0x0000000002A19000-memory.dmp

Filesize
23.3MB

Download
memory/2952-213-0x00000000012D0000-0x0000000002A19000-memory.dmp

Filesize
23.3MB

Download
memory/3568-214-0x00000000012D0000-0x0000000002A19000-memory.dmp

Filesize
23.3MB

Download
memory/3568-10-0x00000000012D0000-0x0000000002A19000-memory.dmp

Filesize
23.3MB

Download