Analysis Overview
SHA256
fb8fb89b5f56ce2acd9668021a470a18b7898808750800861151e908d5b1a20e
Threat Level: Likely benign
The file anydesk(6.2.1) (1).exe was found to be: Likely benign.
Malicious Activity Summary
Checks computer location settings
Loads dropped DLL
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Checks processor information in registry
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-06-13 06:37
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-13 06:37
Reported
2024-06-13 06:39
Platform
win7-20240611-en
Max time kernel
52s
Max time network
48s
Command Line
Signatures
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\anydesk(6.2.1) (1).exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\anydesk(6.2.1) (1).exe | N/A |
Enumerates physical storage devices
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\anydesk(6.2.1) (1).exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\AppData\Local\Temp\anydesk(6.2.1) (1).exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\anydesk(6.2.1) (1).exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\anydesk(6.2.1) (1).exe | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\anydesk(6.2.1) (1).exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\anydesk(6.2.1) (1).exe
"C:\Users\Admin\AppData\Local\Temp\anydesk(6.2.1) (1).exe"
C:\Users\Admin\AppData\Local\Temp\anydesk(6.2.1) (1).exe
"C:\Users\Admin\AppData\Local\Temp\anydesk(6.2.1) (1).exe" --local-service
C:\Users\Admin\AppData\Local\Temp\anydesk(6.2.1) (1).exe
"C:\Users\Admin\AppData\Local\Temp\anydesk(6.2.1) (1).exe" --local-control
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | boot-01.net.anydesk.com | udp |
| FR | 57.128.64.30:443 | boot-01.net.anydesk.com | tcp |
| US | 8.8.8.8:53 | relay-0135ac48.net.anydesk.com | udp |
| GB | 57.128.141.165:80 | relay-0135ac48.net.anydesk.com | tcp |
| US | 8.8.8.8:53 | api.playanext.com | udp |
| FR | 3.162.38.61:80 | api.playanext.com | tcp |
Files
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf
C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf
C:\Users\Admin\AppData\Roaming\AnyDesk\service.conf
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf
C:\Users\Admin\AppData\Local\Temp\gcapi.dll
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-13 06:37
Reported
2024-06-13 06:40
Platform
win10v2004-20240611-en
Max time kernel
149s
Max time network
151s
Command Line
Signatures
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\anydesk(6.2.1) (1).exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\anydesk(6.2.1) (1).exe | N/A |
Enumerates physical storage devices
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\anydesk(6.2.1) (1).exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\AppData\Local\Temp\anydesk(6.2.1) (1).exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\anydesk(6.2.1) (1).exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\anydesk(6.2.1) (1).exe | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\anydesk(6.2.1) (1).exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 5036 wrote to memory of 5084 | N/A | C:\Users\Admin\AppData\Local\Temp\anydesk(6.2.1) (1).exe | C:\Users\Admin\AppData\Local\Temp\anydesk(6.2.1) (1).exe |
| PID 5036 wrote to memory of 3564 | N/A | C:\Users\Admin\AppData\Local\Temp\anydesk(6.2.1) (1).exe | C:\Users\Admin\AppData\Local\Temp\anydesk(6.2.1) (1).exe |
Processes
C:\Users\Admin\AppData\Local\Temp\anydesk(6.2.1) (1).exe
"C:\Users\Admin\AppData\Local\Temp\anydesk(6.2.1) (1).exe"
C:\Users\Admin\AppData\Local\Temp\anydesk(6.2.1) (1).exe
"C:\Users\Admin\AppData\Local\Temp\anydesk(6.2.1) (1).exe" --local-service
C:\Users\Admin\AppData\Local\Temp\anydesk(6.2.1) (1).exe
"C:\Users\Admin\AppData\Local\Temp\anydesk(6.2.1) (1).exe" --local-control
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | boot-01.net.anydesk.com | udp |
| FR | 57.128.64.30:443 | boot-01.net.anydesk.com | tcp |
| US | 8.8.8.8:53 | relay-79bdf984.net.anydesk.com | udp |
| GB | 195.181.165.153:80 | relay-79bdf984.net.anydesk.com | tcp |
| US | 8.8.8.8:53 | 30.64.128.57.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | api.playanext.com | udp |
| FR | 3.162.38.61:80 | api.playanext.com | tcp |
| US | 8.8.8.8:53 | 153.165.181.195.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 74.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 203.107.17.2.in-addr.arpa | udp |
| NL | 23.62.61.90:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 61.38.162.3.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 90.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 138.107.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 122.10.44.20.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf
C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace
C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf
C:\Users\Admin\AppData\Roaming\AnyDesk\service.conf
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf
C:\Users\Admin\AppData\Local\Temp\gcapi.dll