Malware Analysis Report

2025-01-18 01:17

Sample ID 240613-hdqensxfqf
Target anydesk(6.2.1) (1).exe
SHA256 fb8fb89b5f56ce2acd9668021a470a18b7898808750800861151e908d5b1a20e
Tags
score
5/10

Analysis Overview

score
5/10

SHA256

fb8fb89b5f56ce2acd9668021a470a18b7898808750800861151e908d5b1a20e

Threat Level: Likely benign

The file anydesk(6.2.1) (1).exe was found to be: Likely benign.

Malicious Activity Summary

Checks computer location settings

Loads dropped DLL

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Suspicious use of FindShellTrayWindow

Suspicious use of SendNotifyMessage

Suspicious use of WriteProcessMemory

Checks processor information in registry

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-13 06:37

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-13 06:37

Reported

2024-06-13 06:39

Platform

win7-20240611-en

Max time kernel

52s

Max time network

48s

Command Line

"C:\Users\Admin\AppData\Local\Temp\anydesk(6.2.1) (1).exe"

Signatures

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\anydesk(6.2.1) (1).exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\anydesk(6.2.1) (1).exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\anydesk(6.2.1) (1).exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\anydesk(6.2.1) (1).exe N/A

Enumerates physical storage devices

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\Temp\anydesk(6.2.1) (1).exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Users\Admin\AppData\Local\Temp\anydesk(6.2.1) (1).exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\anydesk(6.2.1) (1).exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\anydesk(6.2.1) (1).exe

"C:\Users\Admin\AppData\Local\Temp\anydesk(6.2.1) (1).exe"

C:\Users\Admin\AppData\Local\Temp\anydesk(6.2.1) (1).exe

"C:\Users\Admin\AppData\Local\Temp\anydesk(6.2.1) (1).exe" --local-service

C:\Users\Admin\AppData\Local\Temp\anydesk(6.2.1) (1).exe

"C:\Users\Admin\AppData\Local\Temp\anydesk(6.2.1) (1).exe" --local-control

Network

Country Destination Domain Proto
US 8.8.8.8:53 boot-01.net.anydesk.com udp
FR 57.128.64.30:443 boot-01.net.anydesk.com tcp
US 8.8.8.8:53 relay-0135ac48.net.anydesk.com udp
GB 57.128.141.165:80 relay-0135ac48.net.anydesk.com tcp
US 8.8.8.8:53 api.playanext.com udp
FR 3.162.38.61:80 api.playanext.com tcp

Files

memory/2484-0-0x0000000000080000-0x0000000000DF5000-memory.dmp

memory/2484-2-0x0000000000080000-0x0000000000DF5000-memory.dmp

memory/2484-3-0x0000000000080000-0x0000000000DF5000-memory.dmp

C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

memory/2640-16-0x0000000000080000-0x0000000000DF5000-memory.dmp

memory/2360-19-0x0000000000080000-0x0000000000DF5000-memory.dmp

C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace

C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

C:\Users\Admin\AppData\Roaming\AnyDesk\service.conf

C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

C:\Users\Admin\AppData\Local\Temp\gcapi.dll

memory/2484-82-0x0000000000080000-0x0000000000DF5000-memory.dmp

memory/2360-83-0x0000000000080000-0x0000000000DF5000-memory.dmp

memory/2640-84-0x0000000000080000-0x0000000000DF5000-memory.dmp

memory/2360-89-0x0000000000080000-0x0000000000DF5000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-13 06:37

Reported

2024-06-13 06:40

Platform

win10v2004-20240611-en

Max time kernel

149s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\anydesk(6.2.1) (1).exe"

Signatures

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\anydesk(6.2.1) (1).exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\anydesk(6.2.1) (1).exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\anydesk(6.2.1) (1).exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\anydesk(6.2.1) (1).exe N/A

Enumerates physical storage devices

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\Temp\anydesk(6.2.1) (1).exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Users\Admin\AppData\Local\Temp\anydesk(6.2.1) (1).exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\anydesk(6.2.1) (1).exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\anydesk(6.2.1) (1).exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\anydesk(6.2.1) (1).exe

"C:\Users\Admin\AppData\Local\Temp\anydesk(6.2.1) (1).exe"

C:\Users\Admin\AppData\Local\Temp\anydesk(6.2.1) (1).exe

"C:\Users\Admin\AppData\Local\Temp\anydesk(6.2.1) (1).exe" --local-service

C:\Users\Admin\AppData\Local\Temp\anydesk(6.2.1) (1).exe

"C:\Users\Admin\AppData\Local\Temp\anydesk(6.2.1) (1).exe" --local-control

Network

Country Destination Domain Proto
US 8.8.8.8:53 boot-01.net.anydesk.com udp
FR 57.128.64.30:443 boot-01.net.anydesk.com tcp
US 8.8.8.8:53 relay-79bdf984.net.anydesk.com udp
GB 195.181.165.153:80 relay-79bdf984.net.anydesk.com tcp
US 8.8.8.8:53 30.64.128.57.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 api.playanext.com udp
FR 3.162.38.61:80 api.playanext.com tcp
US 8.8.8.8:53 153.165.181.195.in-addr.arpa udp
US 8.8.8.8:53 74.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 203.107.17.2.in-addr.arpa udp
NL 23.62.61.90:443 www.bing.com tcp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 61.38.162.3.in-addr.arpa udp
US 8.8.8.8:53 90.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 138.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 122.10.44.20.in-addr.arpa udp

Files

memory/5036-0-0x0000000000410000-0x0000000001185000-memory.dmp

memory/5036-2-0x0000000000414000-0x0000000000E08000-memory.dmp

memory/5036-12-0x0000000000410000-0x0000000001185000-memory.dmp

C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

memory/5036-13-0x0000000000410000-0x0000000001185000-memory.dmp

memory/5036-17-0x0000000000410000-0x0000000001185000-memory.dmp

memory/3564-18-0x0000000000410000-0x0000000001185000-memory.dmp

memory/5084-21-0x0000000000410000-0x0000000001185000-memory.dmp

C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace

C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace

C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

memory/3564-25-0x0000000000410000-0x0000000001185000-memory.dmp

C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

C:\Users\Admin\AppData\Roaming\AnyDesk\service.conf

C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

C:\Users\Admin\AppData\Local\Temp\gcapi.dll

memory/5084-72-0x0000000000410000-0x0000000001185000-memory.dmp

memory/5036-73-0x0000000000410000-0x0000000001185000-memory.dmp

memory/5084-74-0x0000000000410000-0x0000000001185000-memory.dmp

memory/5036-79-0x0000000000414000-0x0000000000E08000-memory.dmp

memory/5084-84-0x0000000000410000-0x0000000001185000-memory.dmp