1cdafbe519f60aaadb4a92e266fff709129f86f0c9ee595c45499c66092e0499

Analysis

max time kernel
1793s
max time network
1791s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
21-06-2024 14:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

AnyDesk.exe
Size

5.1MB
MD5

aee6801792d67607f228be8cec8291f9
SHA1

bf6ba727ff14ca2fddf619f292d56db9d9088066
SHA256

1cdafbe519f60aaadb4a92e266fff709129f86f0c9ee595c45499c66092e0499
SHA512

09d9fc8702ab6fa4fc9323c37bc970b8a7dd180293b0dbf337de726476b0b9515a4f383fa294ba084eccf0698d1e3cb5a39d0ff9ea3ba40c8a56acafce3add4f
SSDEEP

98304:G5WW6KEdJxfpDVOMdq2668yIv1//nvkYCRThGXBJdicotUgwoAo5beyjF:y3vEbxfjf4Y8yofvktkLdurH5iyR

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

AnyDesk.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AnyDesk.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	AnyDesk.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

AnyDesk.exe

pid process

540 AnyDesk.exe
540 AnyDesk.exe
Suspicious use of FindShellTrayWindow 3 IoCs

Processes:

AnyDesk.exe

pid process

2432 AnyDesk.exe
2432 AnyDesk.exe
2432 AnyDesk.exe
Suspicious use of SendNotifyMessage 3 IoCs

Processes:

AnyDesk.exe

pid process

2432 AnyDesk.exe
2432 AnyDesk.exe
2432 AnyDesk.exe

pid	process
540	AnyDesk.exe
540	AnyDesk.exe

pid	process
2432	AnyDesk.exe
2432	AnyDesk.exe
2432	AnyDesk.exe

pid	process
2432	AnyDesk.exe
2432	AnyDesk.exe
2432	AnyDesk.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

AnyDesk.exe

description	pid	process	target process
PID 2560 wrote to memory of 540	2560	AnyDesk.exe	AnyDesk.exe
PID 2560 wrote to memory of 540	2560	AnyDesk.exe	AnyDesk.exe
PID 2560 wrote to memory of 540	2560	AnyDesk.exe	AnyDesk.exe
PID 2560 wrote to memory of 2432	2560	AnyDesk.exe	AnyDesk.exe
PID 2560 wrote to memory of 2432	2560	AnyDesk.exe	AnyDesk.exe
PID 2560 wrote to memory of 2432	2560	AnyDesk.exe	AnyDesk.exe

C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
"C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe"
1⤵
- Checks processor information in registry
- Suspicious use of WriteProcessMemory
PID:2560
- C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
  "C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe" --local-service
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:540
- C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
  "C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe" --local-control
  2⤵
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:2432

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\gcapi.dll

Filesize
385KB

MD5
1ce7d5a1566c8c449d0f6772a8c27900

SHA1
60854185f6338e1bfc7497fd41aa44c5c00d8f85

SHA256
73170761d6776c0debacfbbc61b6988cb8270a20174bf5c049768a264bb8ffaf

SHA512
7e3411be8614170ae91db1626c452997dc6db663d79130872a124af982ee1d457cefba00abd7f5269adce3052403be31238aecc3934c7379d224cb792d519753

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace

Filesize
9KB

MD5
d4bcf96c2a9771225a41032d651d0bcd

SHA1
045249b124b7f3a4709e8f46d381f6634fdfe348

SHA256
9409d76bca77a5d1de3efa6d2270369fca745cf4b3e1d33881fbced88942904e

SHA512
ecae49c3b4ee48845f0b0b3fbdb940b14ca321b8f4ed22681092ae1ab04cd36fc70dd320c613cf9191bbbaf4197d67eb0d5dde6037b0ab2f1bcbe1f3de9e9049

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace

Filesize
10KB

MD5
a713d82867fd4938153113bad0c223b7

SHA1
48e30f01ac67b4d4dcfe7a060c8f63938891ded2

SHA256
ebebc90f564bee3464d59df23567a0882d8053663c5600d40c1272493e1be5ea

SHA512
82854f557e15a9cad05c74fae1218a57838d4040e109587ff6bfe232dda5302051a278fb8a5f0f89b6606f0ec44020e96c886baf46ca4b1725c4b1b0136cbb6b

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\service.conf

Filesize
2KB

MD5
d04b6148a46048e7fce87780b4ed8c8e

SHA1
814cb7a5f55b4e4329b4d691023a5f8bab860fde

SHA256
1b4e9072eae004792d0a22bc50def400d727172aca8c81d8cce493c805f804ce

SHA512
0a2207023380bcc3b8aab6414f6b169aeb67742850aecfec7225ffc4e8822af803e0eee90502d14cebd7a061db07491079be31c32338d07796cf0e1aa0884a12

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\service.conf

Filesize
2KB

MD5
29f9402ecdce584e5b3376d1e5e475a4

SHA1
838e4ab7352f343c5ae121154826cff78d138880

SHA256
796966fbda25e42d9a9c982385ae1fc732afb872dc1363c783ac811ffe87f713

SHA512
c0b2ce02fd79f7745d42bb591bd847418d71e1e2b0d44ce28d3907f55226f9f2af239bbeaf66af3b5c537cec66ea2fe761b5d5146ca28ba110088f06ac79346a

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
701B

MD5
e4d6d466aba6f2d7ee3fc6c1caa278b7

SHA1
4918bda8e64c528c482c6dfe1275e9efac4a44d0

SHA256
4fa077263cc4ff238538d932f46b04842c6cf07eafab6eb08012d03b0767254c

SHA512
71aad1abc155446bda4a6091fbfc76365b6811029583d289759160a0d41457fbd4edbab5343be7af2c4c02ac781d109d6d5686f1c319e288c08521212f6570f0

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
758B

MD5
557a390f3aa1b37655385abe3d7995ca

SHA1
23bb63217bdf323f078660eff5e1f54787308a7e

SHA256
dcb8f910756ee270c0809c2f847de62b3840d3ebe1d96f622ef44db73cf56f5c

SHA512
c260a6e6f3c5b176109af7916264ebcdede14847a54d1308c2c770a3160e10c94e095422097e20cbdf06a197c914eda39516e906632bb23594b73bbb7a672af0

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
312B

MD5
0c04ad1083dc5c7c45e3ee2cd344ae38

SHA1
f1cf190f8ca93000e56d49732e9e827e2554c46f

SHA256
6452273c017db7cbe0ffc5b109bbf3f8d3282fb91bfa3c5eabc4fb8f1fc98cb0

SHA512
6c414b39bbc1f1f08446c6c6da6f6e1ceb9303bbf183ae279c872d91641ea8d67ec5e5c4e0824da3837eca73ec29fe70e92b72c09458c8ce50fa6f08791d1492

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
424B

MD5
9a8c8f74a218b450615143036fb65828

SHA1
0b2d48235945f294a8f5c93a7795570918c7c2ad

SHA256
9412fc70eec5068a1363050c9f0a36e7bf56c443aef893c41e067b149572d160

SHA512
7d6241e5fa3b017096d1f976f294ecf5543fdefdb48c773b065e0d7ec574ecd1353c09205587015bc1bd4ff00aec7a1840b41537a56ca66427dbbf0043648ed8

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
2KB

MD5
bed69dd3c01f9a20037084bf862f9481

SHA1
08ab950f6cd12f0a5cded6bc7e74de87dcffcba5

SHA256
23bc8422eba9efa89dadb0d373a09c1a306eb7144930ec967a0f888e3ed37dd0

SHA512
46bde2c14f67d063329c9f4142d72daac7e4d83deefb82aa37834c07eb0bf80f585aa687773fc156c7a3d72a2811cdb9606b232cd90bd05dd168314cfaa7b9b3

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
3KB

MD5
5b799303719a5f47bdbee0c1c18d8265

SHA1
353318fa00237a5dcadb99ccf6fbab984850a809

SHA256
e2f2af6226b67f77dd901356cbb9ab20013488fc368d0415f6e8871116f9e2a1

SHA512
f2da0efd0821192824b98f5bccccf7366b307fd8b95ada4f4e9be847947002ba326263d68a48a416df922418b3d25d5674589b0c403c23fa7731b5bfafa588c5

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
3KB

MD5
61b786236148bcaf77af5ea509b110a2

SHA1
435bca2a9128bdf47ec1106e0e23636a99d80c45

SHA256
11668f5bceedb867d5d7967977f544a65bcf874309d024d6d283349ef4e8bb5e

SHA512
633ebf494390505b405a8cdd5ca038045184cb0d39f13e70f00b2cc1322723b2c7639033f4fef454bd58cef13a760a117ab7c7b57a198d2c64bc23e57997192a

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
6KB

MD5
8f011a71b93117d5452d84b3709aae44

SHA1
4133c99b4beb3e3c2b002c74c95e158c735dbbb3

SHA256
fda3510f54010e9de070f303ff2af7929033c4d7328c949cd51f5b9eb1a327bc

SHA512
0a89f4582bd6904cb85d93ac0dba31ac49d877ba141c5d4cdb416a9700b7c784fe8786c87dbe64db10310e476f6f0bde2bfa9ef6d5d4c3656f25cb15f3fd898a

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
6KB

MD5
dd449ee0a721097bfcfa85685ff20dec

SHA1
2e3e5401bb7335c8949a99846e007ff11f2cb0d4

SHA256
b450ff2c6cf375602120476d94b3672bf124636191dbe3bd0d0005513c774346

SHA512
7ddf2cd2b66c70b9b16713232de097d1423fef55ab671f06e766f862891f8e3d931d5c0cf8936eca8e9bfe239027ab36e0c11b48d1ab92c383e9cb1dcce8f969

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
5074546676fd858bfb6108ffd1267a6b

SHA1
b1f63d0e1ee7e2e73578eff1abaa0adc8b8146c6

SHA256
dbe7181f6950373ae0c47a918193e8eecc1a3d29b7e9107b2df80d71c4da6ea1

SHA512
52c4a396b0c18dde20e4015795dae774ee7e6e53629a0af9f7978d11419344a38cc2ecd90e202c9cfdecca36b24bbf76a939d3cb1db00e8397c93c63a43b8de4

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
245e1f92c15ce13d5828be7cf526249e

SHA1
dadf85735259ecccbd808760b89fa585a0c84249

SHA256
bdd68a4c5ae6896bd059ab5c4f4880d70575fffdc853a9fd7c0d78ea8bea728e

SHA512
c15f8321cae248b38eb6a185555dae6466404728c3cc005fabaceefe7bb8b9a6752086030db444bf780bcd2d1ec46067edabaa3002a547a12901d5c250be57e6

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
6KB

MD5
b17a4f4c553d7506f53f03f0bb6b7439

SHA1
de76a610e90af47896b59e22225380144c6d0e67

SHA256
cd4b6a0e0f5bbafacf66483570cbdace09175b542bb3343565d924480199b830

SHA512
b0278762bd03ed6a69cda64a6a759b5d3cd541feb02c0c9a4e0ac154b16cc178ea7c8174871be98dc843300eac33aa37fa19d3cc9d45344518dac00426cfa8df

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
efa956127fe799225b50a9d7c7a5996d

SHA1
d9eb067db961aa57bae084091495227965730801

SHA256
9d5ce69251294db2c17a5e3849b1e6afa6e9e9707d02154ef2b8fd74c2c363e5

SHA512
ac4965f6426e548720aa0e707f56c07f8685e01e323e65332007e08d67a5a00a98a26924d4f9b377d0d40c11ad5042f264fcc5a758dfd9468db2c3b1560b978c

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
d29f43ad393105ddd4bab86ed4aecb2b

SHA1
53aad3e51154ebc44df96b072913a630427631c6

SHA256
fe67f60c7d90f88f5306277477fd2c3a80bce24a4627c130f56032bdd6d40107

SHA512
75086cc9b847211d5aad5341053e7013b089830bfb1326fa979ac3295a290f7ff0d6e51a44a226c88029234b988a58773771f80af48bc64c220f3869cfc61a30

Download Submit
memory/540-236-0x0000000000D10000-0x0000000002459000-memory.dmp

Filesize
23.3MB

Download
memory/540-13-0x0000000000D10000-0x0000000002459000-memory.dmp

Filesize
23.3MB

Download
memory/2432-22-0x0000000000D10000-0x0000000002459000-memory.dmp

Filesize
23.3MB

Download
memory/2432-10-0x0000000000D10000-0x0000000002459000-memory.dmp

Filesize
23.3MB

Download
memory/2432-237-0x0000000000D10000-0x0000000002459000-memory.dmp

Filesize
23.3MB

Download
memory/2560-2-0x0000000000D14000-0x0000000001F4A000-memory.dmp

Filesize
18.2MB

Download
memory/2560-0-0x0000000000D10000-0x0000000002459000-memory.dmp

Filesize
23.3MB

Download
memory/2560-7-0x0000000000D10000-0x0000000002459000-memory.dmp

Filesize
23.3MB

Download
memory/2560-235-0x0000000000D10000-0x0000000002459000-memory.dmp

Filesize
23.3MB

Download
memory/2560-241-0x0000000000D14000-0x0000000001F4A000-memory.dmp

Filesize
18.2MB

Download