1cdafbe519f60aaadb4a92e266fff709129f86f0c9ee595c45499c66092e0499

Analysis

max time kernel
1792s
max time network
1803s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
20/06/2024, 13:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

AnyDesk.exe
Size

5.1MB
MD5

aee6801792d67607f228be8cec8291f9
SHA1

bf6ba727ff14ca2fddf619f292d56db9d9088066
SHA256

1cdafbe519f60aaadb4a92e266fff709129f86f0c9ee595c45499c66092e0499
SHA512

09d9fc8702ab6fa4fc9323c37bc970b8a7dd180293b0dbf337de726476b0b9515a4f383fa294ba084eccf0698d1e3cb5a39d0ff9ea3ba40c8a56acafce3add4f
SSDEEP

98304:G5WW6KEdJxfpDVOMdq2668yIv1//nvkYCRThGXBJdicotUgwoAo5beyjF:y3vEbxfjf4Y8yofvktkLdurH5iyR

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AnyDesk.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	AnyDesk.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3920	AnyDesk.exe
3920	AnyDesk.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
1396	AnyDesk.exe
1396	AnyDesk.exe
1396	AnyDesk.exe

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
1396	AnyDesk.exe
1396	AnyDesk.exe
1396	AnyDesk.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 3000 wrote to memory of 3920	3000	AnyDesk.exe	85
PID 3000 wrote to memory of 3920	3000	AnyDesk.exe	85
PID 3000 wrote to memory of 3920	3000	AnyDesk.exe	85
PID 3000 wrote to memory of 1396	3000	AnyDesk.exe	86
PID 3000 wrote to memory of 1396	3000	AnyDesk.exe	86
PID 3000 wrote to memory of 1396	3000	AnyDesk.exe	86

C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
"C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe"
1⤵
- Checks processor information in registry
- Suspicious use of WriteProcessMemory
PID:3000
- C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
  "C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe" --local-service
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3920
- C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
  "C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe" --local-control
  2⤵
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:1396

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\gcapi.dll

Filesize
385KB

MD5
1ce7d5a1566c8c449d0f6772a8c27900

SHA1
60854185f6338e1bfc7497fd41aa44c5c00d8f85

SHA256
73170761d6776c0debacfbbc61b6988cb8270a20174bf5c049768a264bb8ffaf

SHA512
7e3411be8614170ae91db1626c452997dc6db663d79130872a124af982ee1d457cefba00abd7f5269adce3052403be31238aecc3934c7379d224cb792d519753

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace

Filesize
6KB

MD5
a3e657a4f35e5144fbda8c3a389ad338

SHA1
244bccaa9f5767165a968eb4f56490d7aa08bcc8

SHA256
468d48f40219643205588027f7675c4559ae438a27c468ec1d89ec95ab7a138d

SHA512
c4ec7f3e7978e693227a7971784a93980feb7aa4bb169eb7c3c572b82046250b8e5053a96aa580d708d3b7794001e8488eea697a7d839d42a2afec96b604a6c2

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace

Filesize
7KB

MD5
6389bab0bd8514d4143f0f76c3c41e0e

SHA1
a9d0cf714fef421668c3355baf984e836a6e08ad

SHA256
979bfcf151f1b6197ed2f471b4ebe6359f62e463466646ffa6e636e2ba8a99f2

SHA512
92f570b3f922f98aa9cc2d3ab49fba84ba36483f50e4f54642afd75585ae48692432ea8c98ab59a22fa643062d6cd4a846419876f9dbc881a6803eb593a916e7

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\service.conf

Filesize
2KB

MD5
1b5afb4c3718b0697a311971d157f23a

SHA1
a8f8f4040c02b48fbebc5eb7e8707dc1a7f6df04

SHA256
b416c9c6e29671087d22e9ee4097dd9bd7bf65c6e0cfa59b5872bf331e7110de

SHA512
218f9ea76e64c760de0b3c9b341c1953a4548ee68197d14cd6d40d693c9a22a6c518e8747444886ea31967bb22c386bf4c1c7a848a3f091a31a27c1d77b1bee9

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\service.conf

Filesize
2KB

MD5
634960ea25ca128380db00eb0c05c975

SHA1
f62fdf6eaf6eeaf67f3b5e87e618649594a877fd

SHA256
3def4c957827b5c920c1cb6d53d79f5b3a4c391800fbde0abf22e422bf10519f

SHA512
7603043dd2e90748c46e02528a17524a60197754f0a5fa3ec58b35b34852240f3da8b3f64a808ac045eda04d96f7086d6ad919f419a324602b8629ad24b896c7

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
632B

MD5
c79dec3f5e3b8c54edb3574a1d482e50

SHA1
1163c85fe43f6b2be321b7a2037047320f0ad4db

SHA256
50e1fdf68c67b1e3a198db1f77af6bd179a92ed3524c9cc0c370be574c1c8061

SHA512
81fc84ee5ebcc2f19a06daa963fe95f9bd699a4e09b2ba0d5480f1d9b34c9b3ccf7120560a56843533afa9570896f8cc35ef846f30aec388a795a8b3b5c51945

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
701B

MD5
a55568182597b4529310f7baf86d3325

SHA1
3d80481fb73c5febc9fdfe0a8428149c63cc5c27

SHA256
f3946b1afd334a2c8def6829abff3b83d2f8b6edaeacdee508fbfef5b72621c5

SHA512
703e56a94b3144e5c98fa0d6f5473f539c9b1b5a02b79be60e5b6a49dbe3d8f704faa06a30ea81d69e0ee6b1133bd0dc6eeef24e373fcf81bc73f65a7a347d73

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
758B

MD5
02b6338533e8964c2bfedd2cf01fa0b9

SHA1
fb3112e217acf665b689fc0daef9acea92b723cf

SHA256
d6cefd1ae0fa0edd35dace03313d16faa4229d0048153b210516eefce176cdf9

SHA512
e67e49c03853636f5dd0bcad17388719f888ec1a0cad526bf4fcc64917a1eccaac1a77f5281d4f7d755a9ab175f10763ef6cf65c2b79aeba936bd7f1ef4d30cb

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
424B

MD5
a856ec4945f1ead7d7a0e329102a1cad

SHA1
268caf61d371f7772ffb2d40c329e3440446957b

SHA256
95aaffc072616b89c65fc1888666072e65293aa78b20c2f287b53b0f7f1dda03

SHA512
16c696c89b00e6abfcd7658ac9036c9b65310a751c53998d94160b1d9a77a7ae6e3cac2abc7708517f8d88afae45123d0fa18f7a97f67a399ca9e360f48a93ea

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
2KB

MD5
ea24a03e057ce5365678b7f5a8443ac9

SHA1
4118a1614b753c8136a211cab25f2f6c1ef52cff

SHA256
66dc757ac2248936d25d69fd49b3981e0feffcda3489732302dc1d0f72343b2b

SHA512
544e8a9e934d6d085947ef92e4f68bae5a844b63e7d6bcdf84ec51863055d29cd66f69960ea617928d02c033c831f87c00612376e804126d7a3993201360fbeb

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
2KB

MD5
4d1565ced54b28486802eefcccff2edc

SHA1
e081f5205336f6c0cf3879a61ad707e7ed90dbed

SHA256
e0be775a4254751d05a486331ab90672d9162a838db8399278604805afbc65b1

SHA512
df5d0179fdebd42bc266acfd1db471157926ffa7974a451b2fdfef94fce4bdc9f79b225d58f089dac44f6ba1f68f1c731bf530e0d1ef670ed506b20189f2773e

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
3KB

MD5
bf55346352fd7a812ae94e9ab04e4255

SHA1
06418fed4e39686bc7c78792f71100ed0d42dca0

SHA256
f4005b02376ab0adb24d7b218bf52c552ef94135a72ca160042b7405de17966e

SHA512
39e3af3952a2fdb8b20e666e2d5bd57f41b84d252476e05cb286cf601f8af244aa83343fd08fedb1ff3eb5fe9abd0891c7c48bb413cbc6b7d8086123cf31cb5f

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
3KB

MD5
44dc3caf5bfb0b7eeba9550b6fab2116

SHA1
c5d98e39b28b52418ba9421cc8e4c01c2594c825

SHA256
803d61655ab47c778ace1267c439eb28b0b5ce40c272d44b7f5c009fb14bc57c

SHA512
6fdf14c09779455308aece3060edc9035431f6a6eea0558703333d2b272027013a4e4664d1694511d7739d0f19f21ac25abbafb30019ca6913d0f23d6b9eea89

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
3KB

MD5
69409fd32ddb076f9fe2b80ef54014bb

SHA1
7a4e85f58f6da5696f89b65b83d2561e829b7c66

SHA256
69c0e79d29ff2b3279ee6cebf50406bbcd109b1f6bc3051b8f1475628de65fc8

SHA512
328c8a77ee5ffe678f8b42d97136c17ff0a16b9594df3238d3c9500031436fd40665f5d6c32dc5bf756f7b7c37c4f57a41dba46b70a8988ecb5843c2ef905b41

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
3KB

MD5
17e70e62ca77ef4cd3f18c3796e9a214

SHA1
67fb975f16b992f38b557771466ec273268aa603

SHA256
2109ae2fec5eb81cf6911c66d8bc7116a65f07afaf2cb78afcd4df6b41820590

SHA512
5e19d937fa2e5bb2ab38b9f5ded34d751f77f9f4db7b127aaec3673cc436bc83cbcadfff810d88a0c93f62135d72b3499a8412fa70346417ac58edfe86dcfb0f

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
18b4a26893b5f39cbea6a265aaeffe13

SHA1
0615a3cc981f7ce6caa2175780763aaba2e8377e

SHA256
72b60c2c34712dcd070f53045e12cdd2275ff52d1713dcd5f6c602b1a91d6d8b

SHA512
2ffa230702b784408d2e00a4d94c4e530549f045654a7e6038eb742dcc4c3055de807c0bddc494835976415b0f51d6e12e383769128ba4540739a19907687311

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
6KB

MD5
1891f4288a3ef98c484dd0c1b86af665

SHA1
990f395350dfc3a9fa9d391e59ff6fc099ad670a

SHA256
9da55a49d37ab886c8c06f564122208450f78facb45608424ad8340cf0fea41b

SHA512
1dca82fd4076032dc8b44c2e87e1e11d4f576e53fd62789082ce01d9594370a7d15afe298866558c9f933f90ce1ba9cbba6854bec021c996fa1c8a50277b3a47

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
6KB

MD5
dd1676b3ade72d70e6e3ff7fe324101e

SHA1
baefa6e7c6f3187d58be3a25425057dc75100b57

SHA256
c8b6cf6eacacd5b7f12871da1a668d4d005b53cdb64a344bb65b3ddf15a9451d

SHA512
9f1ca929c530743a79d894517541bee691f4c07084b90699f8e41120d7ac09a90f94f7d5fab0bb1c0f9809dca395b418d72084c2d077e956d2f26a3ffe96060e

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
6KB

MD5
814cbbfc20d11229703edbcc2398cc4b

SHA1
7c6c909415e5cd0c267f2bcdb9c034281d0ddbd1

SHA256
81ad8f14f718f8b889c819385a8154ddf25004f1917821fb3dc83e810e57c5d6

SHA512
29fe6df542f2b250fa1078f2429aabc838bca9dd67d739aae5213b5119b4ac56e5668b19531fcfd10b70b7688593953e396ac8b2044b001b530e4f91d7a3bab9

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
9ea09ec59966518c58b0d25b97323688

SHA1
af68074305e815ef8e05062143c7a5c4f8ec1378

SHA256
199f1c5b160bb8139b6bfa7c1108534b724b92273212679f40b9d358af357235

SHA512
5f6f14e682d495a2c8c15bd9b5ba6738ed6a078da1bdcfb54e8113e417e941cceb5abfede775e3607a05ab2b26b38bf6288cdc2557d075a9437e398fc60e179e

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
02672cc1d0a69bf23bfa8ba6ded8a9d6

SHA1
d8b299d76053374387ab55654048f1fb4d06e5a4

SHA256
d959450225c6ab24bf7513b0562763684f2567901929f8d9f45dc55ccc7cac9c

SHA512
52f6931704d64d6f7f43ba201a1e6f7a993c21c3401a77cf5242e8f2e7f227b578aaa3e4d08e0af1a00a315660b50c9dbdff86ba76690fdbee9fc41fca498a6c

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
4e0a0c3783dd20c775e829a881b2b104

SHA1
4484237ae5de87e4e58ae4117944f24fdc28e3fa

SHA256
601366e4d971ae51cabba04e9458bf375ee1ee14876ceebadc7c6f6c4d9983dd

SHA512
0f71eaab448fe47e954f5fd84017f166a829773f897e8a310a37d9599cde6f230a1686e53696bc580636bac58b4764500ed27c2058ab71b3e8b6f2f2323ce0b7

Download Submit
memory/1396-20-0x0000000000B50000-0x0000000002299000-memory.dmp

Filesize
23.3MB

Download
memory/1396-12-0x0000000000B50000-0x0000000002299000-memory.dmp

Filesize
23.3MB

Download
memory/1396-243-0x0000000000B50000-0x0000000002299000-memory.dmp

Filesize
23.3MB

Download
memory/3000-0-0x0000000000B50000-0x0000000002299000-memory.dmp

Filesize
23.3MB

Download
memory/3000-7-0x0000000000B50000-0x0000000002299000-memory.dmp

Filesize
23.3MB

Download
memory/3000-231-0x0000000000B50000-0x0000000002299000-memory.dmp

Filesize
23.3MB

Download
memory/3000-2-0x0000000000B54000-0x0000000001D8A000-memory.dmp

Filesize
18.2MB

Download
memory/3000-247-0x0000000000B54000-0x0000000001D8A000-memory.dmp

Filesize
18.2MB

Download
memory/3920-10-0x0000000000B50000-0x0000000002299000-memory.dmp

Filesize
23.3MB

Download
memory/3920-242-0x0000000000B50000-0x0000000002299000-memory.dmp

Filesize
23.3MB

Download