1cdafbe519f60aaadb4a92e266fff709129f86f0c9ee595c45499c66092e0499

Analysis

max time kernel
1792s
max time network
1799s
platform
windows11-21h2_x64
resource
win11-20240611-en
resource tags

arch:x64arch:x86image:win11-20240611-enlocale:en-usos:windows11-21h2-x64system
submitted
25-06-2024 12:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

AnyDesk.exe
Size

5.1MB
MD5

aee6801792d67607f228be8cec8291f9
SHA1

bf6ba727ff14ca2fddf619f292d56db9d9088066
SHA256

1cdafbe519f60aaadb4a92e266fff709129f86f0c9ee595c45499c66092e0499
SHA512

09d9fc8702ab6fa4fc9323c37bc970b8a7dd180293b0dbf337de726476b0b9515a4f383fa294ba084eccf0698d1e3cb5a39d0ff9ea3ba40c8a56acafce3add4f
SSDEEP

98304:G5WW6KEdJxfpDVOMdq2668yIv1//nvkYCRThGXBJdicotUgwoAo5beyjF:y3vEbxfjf4Y8yofvktkLdurH5iyR

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

AnyDesk.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AnyDesk.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	AnyDesk.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

AnyDesk.exe

pid process

4920 AnyDesk.exe
4920 AnyDesk.exe
Suspicious use of FindShellTrayWindow 3 IoCs

Processes:

AnyDesk.exe

pid process

644 AnyDesk.exe
644 AnyDesk.exe
644 AnyDesk.exe
Suspicious use of SendNotifyMessage 3 IoCs

Processes:

AnyDesk.exe

pid process

644 AnyDesk.exe
644 AnyDesk.exe
644 AnyDesk.exe

pid	process
4920	AnyDesk.exe
4920	AnyDesk.exe

pid	process
644	AnyDesk.exe
644	AnyDesk.exe
644	AnyDesk.exe

pid	process
644	AnyDesk.exe
644	AnyDesk.exe
644	AnyDesk.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

AnyDesk.exe

description	pid	process	target process
PID 1124 wrote to memory of 4920	1124	AnyDesk.exe	AnyDesk.exe
PID 1124 wrote to memory of 4920	1124	AnyDesk.exe	AnyDesk.exe
PID 1124 wrote to memory of 4920	1124	AnyDesk.exe	AnyDesk.exe
PID 1124 wrote to memory of 644	1124	AnyDesk.exe	AnyDesk.exe
PID 1124 wrote to memory of 644	1124	AnyDesk.exe	AnyDesk.exe
PID 1124 wrote to memory of 644	1124	AnyDesk.exe	AnyDesk.exe

C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
"C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe"
1⤵
- Checks processor information in registry
- Suspicious use of WriteProcessMemory
PID:1124
- C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
  "C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe" --local-service
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4920
- C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
  "C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe" --local-control
  2⤵
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:644

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\gcapi.dll

Filesize
385KB

MD5
1ce7d5a1566c8c449d0f6772a8c27900

SHA1
60854185f6338e1bfc7497fd41aa44c5c00d8f85

SHA256
73170761d6776c0debacfbbc61b6988cb8270a20174bf5c049768a264bb8ffaf

SHA512
7e3411be8614170ae91db1626c452997dc6db663d79130872a124af982ee1d457cefba00abd7f5269adce3052403be31238aecc3934c7379d224cb792d519753

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace

Filesize
9KB

MD5
241d84427274c4bde7411967812f28a3

SHA1
7f4de845bdbfbce1784a17cdb3a37dee0645c9fc

SHA256
d62212baa17d469d7acadb1a2a4bc5deee8053487300fa67a2ebe56a0ec90814

SHA512
ef1ade809de69a20a4ca119a688b7e77cd97bdb2bc81bf244d7cd850e7973452246e4715967143fa8bad812373db76828762a1217bdc9c9a773856a5e83b5ab7

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace

Filesize
9KB

MD5
04d0888fc3e43e8ae2e09f8e1b81b8ee

SHA1
74ce18b1bb09f88f639cf05b5242d09fd686ec9b

SHA256
34aa48f53d18b943a8251ee65a7d253576213929027b69d09c856066492f8924

SHA512
5401c288b819f3fcf76034cca95cfe70d9febb601bdb04a9993ccb4fd0ac4ed9cc893fcb6def74d219e9af196405546defb881de41748d657d52fc724ff47910

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\service.conf

Filesize
2KB

MD5
70dbea172e510d62426fb1bb05d02279

SHA1
995e22e85ab316c45e202fb3ae2a3114245d6450

SHA256
1aa0ac60a77f320f34e7fff1d51c6c1e54cacac6f64ec75dd352d4c3f5f901f0

SHA512
b90c28ce69a7114346a1df244e96a79d9a75d441f371cbc85c93eb50ea7782df746571e7074a91023807143f33c7c5793538428978411035ecdd369140285779

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\service.conf

Filesize
2KB

MD5
1a8a0c925ed0938f0a7a7d87809c85f4

SHA1
c16b5e918c1f68a79cb1a2b957f0812d7bf4a798

SHA256
fc7afe5fb49f969b4d66efffcdff22cda45a4bd015855aa1da9dbd476124681a

SHA512
d5544750c4dc21f0648f30494d384306b77994834f89107c8e23a0aefec242743e160d9a9b5393baa0540e23f23dd2b22c1746dc7e2ac120a1cbb186ffed5c09

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
701B

MD5
8d0ad77db74f866be9f08d861bb097a4

SHA1
70172f94b69373a8cdb18ad85e3dff31dbb4bb65

SHA256
d8efabfe6fdaa471cc6765eaee983d455a9ace47ab7ca11c200177d7e5edbef6

SHA512
d34d8c65677ea93c2c46e82cc45cf311bab9681e5e248668d49307c991d4153612cbbe09863404b6d3f64afd92690a65a638c4de063ca99293ce8815f13394cf

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
758B

MD5
6450c55d3e3ec65a2261766974d3be06

SHA1
202610b38db196075d58049332c37613e21b38d3

SHA256
32e77fdc44a08e8416d06a7eb000da0c939ae2fad8e380e64cdf19fef2aae571

SHA512
1c9eec8c3339e8d146e1848ce9e5a714a6304d763ab9b581bb8969fb1297c45f70e9e9f25a2d2bed9c8758a4aa0932d75f0921e2ec200b9a43140d484b61c3fd

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
312B

MD5
0c04ad1083dc5c7c45e3ee2cd344ae38

SHA1
f1cf190f8ca93000e56d49732e9e827e2554c46f

SHA256
6452273c017db7cbe0ffc5b109bbf3f8d3282fb91bfa3c5eabc4fb8f1fc98cb0

SHA512
6c414b39bbc1f1f08446c6c6da6f6e1ceb9303bbf183ae279c872d91641ea8d67ec5e5c4e0824da3837eca73ec29fe70e92b72c09458c8ce50fa6f08791d1492

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
424B

MD5
ffb886106fe8d69466df9f7444d9bd01

SHA1
99047747dbdafc5f9f3bc710f54d5e3e32569042

SHA256
9359a21d1c6d822bc6200d9c31ffb82f8c8ae585a48cf0f725d55ba558994c39

SHA512
883a2d3ac4f8868def0304f0d11dcdb27001b9b9211a518807bc1138d6effc147af3adcea6037bfa5a2e35d313949da24ec8cd517dbdab4415652d280ae83d13

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
2KB

MD5
984266553f2f118987a7433cd359158e

SHA1
6a68facd73235b52ad70d1a73de651549df8506d

SHA256
29695b463b8e9e7d075067a0262df8a9bd3bdfa46b12a7a201d7d164cd48e4c0

SHA512
f87879b69816e9c1c890a7aba3766ba4b15765a0c1ca5817d075fec8ace3eacd3b1b41b598eb3529b69954d0209dcc0c7d9150ec19305e3df613c16a01e3a4c5

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
2KB

MD5
fa367f531cf8d1354ca21d431721d6f8

SHA1
cb6401105a99c6a8c188abfbd2cc636e0969f73f

SHA256
1f78adb0c401a2ea0fb5c4508e93204f88800ecfcbe74fbfe7e641a4fe69cdcd

SHA512
5c18adc6203a9bbf566a95b88647079b1266c2acb27d19bf0020827939f363c2142a345d61ce682e2d69ee173877daa02786a322e2e7ced172adafa32021cedd

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
6KB

MD5
711625ec35942a0125092df3176e36d2

SHA1
b3ef36445f755fda315b97470b6b3900369c58f0

SHA256
fb33e65bc0123e38e4305898faea2d2965fb436f0b8f39d6ceaceff1e7a09e1c

SHA512
1d3dd99dc7c5c655c39f15a5131bf8a5963f5b04f9634792bd1c65e61c81d50284338647ffc59e9ed654d13a75f988c967b05cc5fc582f886aa1bc260a6caef4

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
6KB

MD5
a66724124061da988ac1fc976efc92e2

SHA1
c72bbcbdbadb8fe0f27dc8ffeea91e79adc58ef1

SHA256
f8b634ba7f77406dd47b662ea4e19b89059f610de0a75a9ac3cb3186dded18e4

SHA512
bb50baa639caf9c98f4811e526c959c525b355576a49bc28945c77f26612e6447267b6d3806b494695aff46d15214c2386c687b2afdf1941a0ea29118ba7c626

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
6KB

MD5
27fd07a8ea5cbfa9122000e495f4056b

SHA1
14a28aa1eb2943abf85bb7b1e560713be75b0210

SHA256
8d9e2f9f133507c95dc4e8878c44bb1c4776caa82a03c527c813b5bdab8294aa

SHA512
80fdea3d86079a6f23d898a52060682f8c962ada8cd107cd5be1c0f31b3cdd3f615e35798c0cf0957ddb17d759de5e0e08d1a94f428ced7b7bd5c072491ae7bc

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
7a5d13eff39cde1e2877bd4bc06bc286

SHA1
3110c9147713b794f7d6ff8dc11a851096c1e475

SHA256
a2e8f4da91153608702236119744d3e9ded4dd7b1f87b56c5bd5ca74a36b0f37

SHA512
1a0664fdc8d1eff9d456c6b46dd443d4a623f9d0a4beec7b0e931ea6301e50463fb847dc1f9c64cdd9f1772de237ecd020899af7b1b84eacd9576bea743f3d46

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
6350b314d65627b9b0a847dee7d76d41

SHA1
47952b584ec1432b778c146b43d0b3634486dc08

SHA256
1fb7e9dd9048575533a7821d66f0eb0e85521a8c3652d9c649d9100de5e22de3

SHA512
96b24876cfad42aee728126cec05902f9fe5525a1ccdbbb241a351656cc35b91a78b1439811c07f07802ee3c0119f1bed7c0c7d8cc9b56a65a1e6d97ed7ed84b

Download Submit
memory/644-10-0x0000000000FB0000-0x00000000026F9000-memory.dmp

Filesize
23.3MB

Download
memory/644-224-0x0000000000FB0000-0x00000000026F9000-memory.dmp

Filesize
23.3MB

Download
memory/1124-9-0x0000000000FB0000-0x00000000026F9000-memory.dmp

Filesize
23.3MB

Download
memory/1124-2-0x0000000000FB4000-0x00000000021EA000-memory.dmp

Filesize
18.2MB

Download
memory/1124-1-0x0000000000FB0000-0x00000000026F9000-memory.dmp

Filesize
23.3MB

Download
memory/1124-222-0x0000000000FB0000-0x00000000026F9000-memory.dmp

Filesize
23.3MB

Download
memory/1124-228-0x0000000000FB4000-0x00000000021EA000-memory.dmp

Filesize
18.2MB

Download
memory/4920-12-0x0000000000FB0000-0x00000000026F9000-memory.dmp

Filesize
23.3MB

Download
memory/4920-223-0x0000000000FB0000-0x00000000026F9000-memory.dmp

Filesize
23.3MB

Download