1cdafbe519f60aaadb4a92e266fff709129f86f0c9ee595c45499c66092e0499

Analysis

max time kernel
1793s
max time network
1794s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
21-06-2024 22:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

AnyDesk.exe
Size

5.1MB
MD5

aee6801792d67607f228be8cec8291f9
SHA1

bf6ba727ff14ca2fddf619f292d56db9d9088066
SHA256

1cdafbe519f60aaadb4a92e266fff709129f86f0c9ee595c45499c66092e0499
SHA512

09d9fc8702ab6fa4fc9323c37bc970b8a7dd180293b0dbf337de726476b0b9515a4f383fa294ba084eccf0698d1e3cb5a39d0ff9ea3ba40c8a56acafce3add4f
SSDEEP

98304:G5WW6KEdJxfpDVOMdq2668yIv1//nvkYCRThGXBJdicotUgwoAo5beyjF:y3vEbxfjf4Y8yofvktkLdurH5iyR

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

AnyDesk.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AnyDesk.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	AnyDesk.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

AnyDesk.exe

pid process

3288 AnyDesk.exe
3288 AnyDesk.exe
Suspicious use of FindShellTrayWindow 3 IoCs

Processes:

AnyDesk.exe

pid process

2464 AnyDesk.exe
2464 AnyDesk.exe
2464 AnyDesk.exe
Suspicious use of SendNotifyMessage 3 IoCs

Processes:

AnyDesk.exe

pid process

2464 AnyDesk.exe
2464 AnyDesk.exe
2464 AnyDesk.exe

pid	process
3288	AnyDesk.exe
3288	AnyDesk.exe

pid	process
2464	AnyDesk.exe
2464	AnyDesk.exe
2464	AnyDesk.exe

pid	process
2464	AnyDesk.exe
2464	AnyDesk.exe
2464	AnyDesk.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

AnyDesk.exe

description	pid	process	target process
PID 672 wrote to memory of 3288	672	AnyDesk.exe	AnyDesk.exe
PID 672 wrote to memory of 3288	672	AnyDesk.exe	AnyDesk.exe
PID 672 wrote to memory of 3288	672	AnyDesk.exe	AnyDesk.exe
PID 672 wrote to memory of 2464	672	AnyDesk.exe	AnyDesk.exe
PID 672 wrote to memory of 2464	672	AnyDesk.exe	AnyDesk.exe
PID 672 wrote to memory of 2464	672	AnyDesk.exe	AnyDesk.exe

C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
"C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe"
1⤵
- Checks processor information in registry
- Suspicious use of WriteProcessMemory
PID:672
- C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
  "C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe" --local-service
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3288
- C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
  "C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe" --local-control
  2⤵
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:2464

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\gcapi.dll

Filesize
385KB

MD5
1ce7d5a1566c8c449d0f6772a8c27900

SHA1
60854185f6338e1bfc7497fd41aa44c5c00d8f85

SHA256
73170761d6776c0debacfbbc61b6988cb8270a20174bf5c049768a264bb8ffaf

SHA512
7e3411be8614170ae91db1626c452997dc6db663d79130872a124af982ee1d457cefba00abd7f5269adce3052403be31238aecc3934c7379d224cb792d519753

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace

Filesize
9KB

MD5
fc8059f5451037779633efb1c93b7113

SHA1
2e1203f44aabc999c4b95f18bf82489655efcfef

SHA256
3729b7d100e9143ffab6cdd2562455738de89fc264efeb3b15a63e60a0859b1a

SHA512
2b6aa560b5558a41cb1fd522b2e17aab1852eb3596dea1cec18bcaa785f47b19d7d6039cc2fd92b23daa08e481a13d2005b0ef2d948ca324288128ca78771161

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace

Filesize
10KB

MD5
0b9ca0f0a25787fbe7f150a22db8301d

SHA1
ab7226cd40e1c490851dab32ea4d56fa8242bda9

SHA256
dcce493749a58e9dc11936b61fe4ff656ed0379d894dad1aaceb3cb7b21762a3

SHA512
538e66b4f9c8b233ef8cb65e5b1a1e07809eb531c1253b8e8ac9ffaf6c5eafa5e84318491f267e968137f866529567df37af5d6400476e6fba51b4c7dce0e020

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\service.conf

Filesize
2KB

MD5
d6d9c9932300aaae227416cafce7dab8

SHA1
cf08a43792eda8c52f1dbeaa669ed83e02d61117

SHA256
564fb26810423caffca9f31fddfcad7491da6335b04db2eb67478b7ffbb06779

SHA512
b1159caeb616ed1dbdf1a772ab73ef4bf9ae7492a77740c8866d9e334887cc7a2fdec0093b3a577d771528e9682e4ffe3c173a6d06c4c95a1d1867422d50c359

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\service.conf

Filesize
2KB

MD5
64d60b6b0c606b3faf22e5acbff48a68

SHA1
000102e29e914287795c8d8ffef72d69ed72cac3

SHA256
9f13ddcd2da9f751ac1997e5c37d40220c7a23a7b67598da3f601dce1a975b8d

SHA512
8ee5cbf112995e4a1cd36a0dafb29cc4ec8e984280ae2dbfb0097a43a25238063c57bf2eb28696683c9b7be9ef94a16f8a56ceb743a05949153f9fe41b6bcd8e

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
555B

MD5
e566ab9bd502797a9be31f0552ce044e

SHA1
08936758a63d12a3f6234614fe49f33d3dadd999

SHA256
2c4810ddab3d8046732fc004ea24a3a654ad073e8bdaa946b75f224dc5fb5d31

SHA512
9e5cff7b89a1d99006c82e88b69ee1cc38cf3225d74663506ebdfff2b64dfe08588614b9bfbdfc316b8480f6530d74c7c4dad2a2aca0791defb3a6fb1a120e06

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
701B

MD5
e7bb4c35a31c19ba7acdb04ee4ea67a0

SHA1
4c5a81c11f558fdad0f6539937a2d56e80b93af1

SHA256
54e904ca3b83644f929f34f5164126f005b7309669cd13a88c35fd83e83a3ee8

SHA512
f8ca44fac9264474f3f27c6365a5b3f1a3648d15d2bdb9c17a8ec941874e6e129677a1d2bb0174bfe95d5d9f27073b5f50408754eb62772cbf4a013b412c8d3b

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
758B

MD5
0a2c1a93b7c22d53f3864865ca48f3d2

SHA1
bf3d35753aa26390e3f7953058299a8f65bfd644

SHA256
e67ee58ada0c8e235d6ce6b6e9c8edde24c4653fc9e09751c2540c8e3a29737e

SHA512
cbfe5cd7f48adeaf2f8491f7252f3ae62e92058e23b7bfabf12369ffc32ccc479c70e9c090cf025dc783467ae7b1560b4f0074f45b261228c89fc02f99e26c76

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
312B

MD5
0c04ad1083dc5c7c45e3ee2cd344ae38

SHA1
f1cf190f8ca93000e56d49732e9e827e2554c46f

SHA256
6452273c017db7cbe0ffc5b109bbf3f8d3282fb91bfa3c5eabc4fb8f1fc98cb0

SHA512
6c414b39bbc1f1f08446c6c6da6f6e1ceb9303bbf183ae279c872d91641ea8d67ec5e5c4e0824da3837eca73ec29fe70e92b72c09458c8ce50fa6f08791d1492

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
424B

MD5
78d07a6fdc9263e3c66e426375434fbd

SHA1
897f89c7a336952ef9fb23925320b3fdaab0a95f

SHA256
414afb60c83226faa121249bba6b36d400994a87042a232215e137d22d1bb1d5

SHA512
77cf2da08ad35f4ddb784f422da65b55ea7aa872b0c5f8a6a81cb20559f2fdafe6bf4a5ee78eae15547895ac0bc665fb21de54fe3930a25716a3ac9588e2a30d

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
424B

MD5
84726ed2e269a701bdc82b5b0376e0f0

SHA1
16c3659575a24225cc7e8576a2743edae012cbf4

SHA256
ef070c78e0bab313083a12bb3355205ef49c537dcf75684820ae5f07d17c441b

SHA512
e47cd9d45b81d87efd4706182c4dba52d723c7aafb2a5163cf90550280d11f368ca9b16394b0bb5998337f056f5242e78b0aed28c0b6462975dd92f0a0c09034

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
2KB

MD5
abeae150d07844d4e752170eae628d22

SHA1
343f89b4eda6bfc4f038c313457fb91978e50026

SHA256
65e5c6a449988a77a725671a4cf6d8464c255a2e5cf95b35adcc33b4ce3f5802

SHA512
13d94bb3c3a6dd6c550e0fd30f259eb9fe4715396a008fafecf969447929a26678034ec66e996ad2a238573447acf0b46b03b81e6809d9ac71fc855e44c2eb28

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
2KB

MD5
48fafa3b20908b8fe303703d8f976bd6

SHA1
b2ca3bd0b50f85c633374e80c57d480456185032

SHA256
1f4a814249198b144658e76c922e7cf035c9f7a34830a7c763d542f75e6403de

SHA512
cc1655e45b2e59ba83133b85e20ef5d0b305b6d0700bee27dfe1668090655657999549309bb2a5cb007968848b3c0dec8e16c8e950e6edeec6fb92550e9f8600

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
eb1b19b0faf6510553a152e30e124707

SHA1
cd61256eda0174b18074b7d847eacd18c5c25aec

SHA256
01cafda6f53ff23971f430bc0e95b8aa89311112ce12e0cb0254fea0a9f40bf7

SHA512
895253a95c7580dd523faf4544e6ec343aa250de50e8c89ac6a4321debf506b013f3b2e9622d208f9c487ccac5b0162f9a2f66add844505fa976b80541fab020

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
3KB

MD5
72c43094470c81d4bed4bd35fcbb690c

SHA1
2c203832b0b47b5193cfe779b9b289396a737904

SHA256
904fa6a8d61b4b683a9d12c19ed3acc63978d576c8bf48660db2ef9ada1c317e

SHA512
ec70e658fe2e40e6e6095a2dab49dc1539751f15dee1b07ad95c78e3914d643283887bfd6d9294ad8ae2b4661fd10e6f8bedf914fb238356ca907fa9a8f16925

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
6KB

MD5
325b0437edadaba413b23886fe4a046f

SHA1
53a9d850d0f912eef0f95cb4c76675318cc306da

SHA256
a1eb611b7795d7d3388dbb788f657564773c6e5762bb5b0ca064a5207c560eaf

SHA512
0786a16bb5cb922e9a4d9c1f6b14b5b2853286399b01bde8a20ac7556263c46ae4a965df25083bd772cff0709d63908cd81eec44880096e3e837030cee1ffdaa

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
6KB

MD5
22c54571d9f0d5cd5455e5a0fb08ce52

SHA1
04e17d80e3c0a18f5dba10e92b81dcb50ca52bd0

SHA256
0375f6e1a3335dbe4eca0356102e38ce3458d2ddb1df8bace7a41c7b42eaf41f

SHA512
ba58de549e1deda797f60df842c028444c1d66572fa86078900a41f13992510ec8b49845bea4d3a0ab1133e8269c567a4a4db644f141c5048d2aa61340047e64

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
6KB

MD5
5a184e46b5ae0770ceb51d9f9db196e8

SHA1
0d58d4c006eba718e55f094bb32fcd996576540b

SHA256
702c2444b29f4ee49977cf2da7014ad57bb3c1f808cfa0c99ab0d714fdda7ee7

SHA512
2c640235b508ee227daae287a0693cc97d7bdc2881518902166ad68a67a9db55fa3afaee7486d5847917bde2587c4827c39c7ddec603f721608f898ccb55d617

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
6KB

MD5
7baa59c9d7897b770316f66c81828b99

SHA1
079200b9d8442cfe1490fff574b3fb031f39dcbe

SHA256
8d74d08018aaaacc681abfdda6c4d13d7c40ab988d78060a1f8c59feffd6595a

SHA512
59718b0542e95985b58caf2cb5d509b0dffacc5ea376553615921710aa3801e26399c7623011ec338adabeb4a32084067fc61ec59aa92970a3c9da8d0b8ffa0e

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
f5d03c23da7e49e6bda692286e7350c1

SHA1
488f92ff00556252bca81edb6203fecd36eca968

SHA256
9696717840934d3fac22dd27d991a0e835ca3c6f1b62798916217274785b1404

SHA512
bb2bc65ff8396326f1babd19b2956a37f9594ea27fdcd368830f9cd630eee6f59855b75d85eb72d1b0815f4bb457b7e3eca4326d017b43e1835f9d33c29d81b4

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
02173ac38410c6ec92ba09b3886169bf

SHA1
776ff593853f7a0b31c174a0a8c26ab562dc3077

SHA256
3f7b2cbf5ed5bedc5df3c8fd21b1fc9e7b217e000acc79dee100bafe361df74f

SHA512
3376e9a777df2243f5cac5ee6d48914eaa891271314f75eca35d2c6c467a5b1927bfee3a014d18effd3567f487b4c5e5a7408a918e97692a242793cfa3aa29be

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
f59833ae761c1b4f2d9e606721fe0a88

SHA1
96d7fb28b7f90de24308f12d0bb532330e2e86dc

SHA256
bbb5ec612e137a8f4ba1dc192ea19a4b22c8d7bc1897fdc2a3b1460ed34e47bc

SHA512
739fcc5bdc909f86c3eb7a50c7cdaa464a1d106a9ca91f4a979a4235b1750844634cba1a57f6599fd08fc65dc37bcd0e1f3227ec215c84c37c56713b93b4eb9d

Download Submit
memory/672-116-0x0000000000E10000-0x0000000002559000-memory.dmp

Filesize
23.3MB

Download
memory/672-0-0x0000000000E10000-0x0000000002559000-memory.dmp

Filesize
23.3MB

Download
memory/672-7-0x0000000000E10000-0x0000000002559000-memory.dmp

Filesize
23.3MB

Download
memory/672-266-0x0000000000E14000-0x000000000204A000-memory.dmp

Filesize
18.2MB

Download
memory/672-2-0x0000000000E14000-0x000000000204A000-memory.dmp

Filesize
18.2MB

Download
memory/672-263-0x0000000000E10000-0x0000000002559000-memory.dmp

Filesize
23.3MB

Download
memory/2464-265-0x0000000000E10000-0x0000000002559000-memory.dmp

Filesize
23.3MB

Download
memory/2464-14-0x0000000000E10000-0x0000000002559000-memory.dmp

Filesize
23.3MB

Download
memory/2464-10-0x0000000000E10000-0x0000000002559000-memory.dmp

Filesize
23.3MB

Download
memory/2464-118-0x0000000000E10000-0x0000000002559000-memory.dmp

Filesize
23.3MB

Download
memory/3288-117-0x0000000000E10000-0x0000000002559000-memory.dmp

Filesize
23.3MB

Download
memory/3288-264-0x0000000000E10000-0x0000000002559000-memory.dmp

Filesize
23.3MB

Download
memory/3288-12-0x0000000000E10000-0x0000000002559000-memory.dmp

Filesize
23.3MB

Download