1cdafbe519f60aaadb4a92e266fff709129f86f0c9ee595c45499c66092e0499

Analysis

max time kernel
601s
max time network
605s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
30-06-2024 21:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

AnyDesk.exe
Size

5.1MB
MD5

aee6801792d67607f228be8cec8291f9
SHA1

bf6ba727ff14ca2fddf619f292d56db9d9088066
SHA256

1cdafbe519f60aaadb4a92e266fff709129f86f0c9ee595c45499c66092e0499
SHA512

09d9fc8702ab6fa4fc9323c37bc970b8a7dd180293b0dbf337de726476b0b9515a4f383fa294ba084eccf0698d1e3cb5a39d0ff9ea3ba40c8a56acafce3add4f
SSDEEP

98304:G5WW6KEdJxfpDVOMdq2668yIv1//nvkYCRThGXBJdicotUgwoAo5beyjF:y3vEbxfjf4Y8yofvktkLdurH5iyR

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

AnyDesk.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AnyDesk.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	AnyDesk.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

AnyDesk.exe

pid process

4936 AnyDesk.exe
4936 AnyDesk.exe
Suspicious use of FindShellTrayWindow 3 IoCs

Processes:

AnyDesk.exe

pid process

3708 AnyDesk.exe
3708 AnyDesk.exe
3708 AnyDesk.exe
Suspicious use of SendNotifyMessage 3 IoCs

Processes:

AnyDesk.exe

pid process

3708 AnyDesk.exe
3708 AnyDesk.exe
3708 AnyDesk.exe

pid	process
4936	AnyDesk.exe
4936	AnyDesk.exe

pid	process
3708	AnyDesk.exe
3708	AnyDesk.exe
3708	AnyDesk.exe

pid	process
3708	AnyDesk.exe
3708	AnyDesk.exe
3708	AnyDesk.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

AnyDesk.exe

description	pid	process	target process
PID 3232 wrote to memory of 4936	3232	AnyDesk.exe	AnyDesk.exe
PID 3232 wrote to memory of 4936	3232	AnyDesk.exe	AnyDesk.exe
PID 3232 wrote to memory of 4936	3232	AnyDesk.exe	AnyDesk.exe
PID 3232 wrote to memory of 3708	3232	AnyDesk.exe	AnyDesk.exe
PID 3232 wrote to memory of 3708	3232	AnyDesk.exe	AnyDesk.exe
PID 3232 wrote to memory of 3708	3232	AnyDesk.exe	AnyDesk.exe

C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
"C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe"
1⤵
- Checks processor information in registry
- Suspicious use of WriteProcessMemory
PID:3232
- C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
  "C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe" --local-service
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4936
- C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
  "C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe" --local-control
  2⤵
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:3708

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3700 --field-trial-handle=2272,i,4858140932023865871,5726683989663339295,262144 --variations-seed-version /prefetch:8
1⤵
PID:1468

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=5012 --field-trial-handle=2272,i,4858140932023865871,5726683989663339295,262144 --variations-seed-version /prefetch:8
1⤵
PID:4676

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\gcapi.dll

Filesize
385KB

MD5
1ce7d5a1566c8c449d0f6772a8c27900

SHA1
60854185f6338e1bfc7497fd41aa44c5c00d8f85

SHA256
73170761d6776c0debacfbbc61b6988cb8270a20174bf5c049768a264bb8ffaf

SHA512
7e3411be8614170ae91db1626c452997dc6db663d79130872a124af982ee1d457cefba00abd7f5269adce3052403be31238aecc3934c7379d224cb792d519753

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace

Filesize
5KB

MD5
7b0caca816c536083e0beaa76e0ac106

SHA1
f2adbe5f473f5f3ed85322ccb7d338d69fd8c5b5

SHA256
377a1fcc6199113058355e3ee097aac68d574c2002829b61529bd98cb2a4e751

SHA512
a71e3e6477351915a0f03ee37a7fdbf9296eeb5edb4834f51506cc104ef6e68b969fabc1e4d72c5a7e64925af11e523056051be30b3674a5a7b7c42dabf37bcd

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace

Filesize
9KB

MD5
c2fcecdbd8bdca5d0f4cffdc1200d37a

SHA1
28b8718f72104830c29d02fb24ed2a2d894f329d

SHA256
72fa86a9dab834f3a59e8018bacf971eae6dd5d9ede6485c1c4ef2c6d924ce16

SHA512
aabfb99792e8163fb618cf13567d901457ac0ad7b9ca65a0904a61fd7282b3bd76dd5d2be115644aba83c0a9ccbbfe10387b77ab0c0ad137ff17308c91b96557

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\service.conf

Filesize
2KB

MD5
46046fa7396f07238d01612a3e1c5152

SHA1
d55dbeb15694f87f14cb3110eb163d4b5561089a

SHA256
f520695f6c413d88cbdff6a363e2fd661fe981225a00bfbabf6b6551b76279ef

SHA512
ec9e8f10408891e55f81563f9e4196df4f624615e7978e8c0676185d3b087360d80251d1fe7516b53b33c2877b106e0f42ea818d4d3aa3dca50018ffd734b653

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\service.conf

Filesize
2KB

MD5
542edac18adb19aadbccd025c8db6668

SHA1
25040447d3bff5bf87de464123cff17675c0f772

SHA256
86f9f81c94d66d59812b6077631b3d70aa7f786896a24e8651e7a12996040c83

SHA512
6a779a94a24c38543cbe4c042693fb0fee2319fb7f59fbe0a1d51982e9282b6b4421e0770e0ff387ee4c7db414a56063782dcae345d218e70522ec116b060f92

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
632B

MD5
a396c185bb3e89258dc93ede95d40120

SHA1
86ceaac7f7ef1a4288d9266934aaefddc8231921

SHA256
8ed2f572351b12bbdacef3c80f3ce63f9e43b264b690e6d2b64997db12e9e71d

SHA512
b87c60a1fc6ceadaf40149889f907aec299ce7e8344428d0d4a32c91c0c33172fec1abce20eaaa13698b1ead0533eda8dd0f93a3335134ba8c3d78dc43e50301

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
689B

MD5
6536865c16afdfe4ef0142c4d9a74424

SHA1
b50c8df020bba378ee0858e2585c5f3f03dfddf1

SHA256
bc53b3ed7e2845fada1f04b040721ea3a2e1aabd33b9c0d6d3bd1622fbcf9e1f

SHA512
7f03b39a2d98b458c3318c5c3c3edbfbd58f7aa4a017057698ab85cb7aead9accbd46ad921e82fd845ce8df58ff04c1b3053277de6aaec5950b652637674f768

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
758B

MD5
274578f849f6f9eadcf04c9514c77840

SHA1
f2e1cc9bdb6a2293c1fb08e6f00f2ea1b2911354

SHA256
7f43af2d3b7fe92f396e47dfbc102b8654d1e33386bd592acf4f436cc79b3fe2

SHA512
e6713084750e70f4e02867ee71b8b832df4ed5294baa5d958525d2bed3f4fd323e1329c06ffce46800f05f80f51baae43fb7748888ff96f6b5fc5257737e2e78

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
312B

MD5
0c04ad1083dc5c7c45e3ee2cd344ae38

SHA1
f1cf190f8ca93000e56d49732e9e827e2554c46f

SHA256
6452273c017db7cbe0ffc5b109bbf3f8d3282fb91bfa3c5eabc4fb8f1fc98cb0

SHA512
6c414b39bbc1f1f08446c6c6da6f6e1ceb9303bbf183ae279c872d91641ea8d67ec5e5c4e0824da3837eca73ec29fe70e92b72c09458c8ce50fa6f08791d1492

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
424B

MD5
0e1fc467b56201d0ce9e4785d0427be8

SHA1
d0b367c80950f00fdca7ba18ce4879299a6d78d5

SHA256
a68b7517adca39c9bfdb01a54fa7dab0d0d9da04bc0faf880eef9ed0c6d2e5ad

SHA512
0aaec51589a811397dab190dcaee1cadc8e2055192266448f79be4aea2b32fdb0d837e57feff8633bcdb8fc515b0b1b1d77559e3b2cc9e5ddbdf3ea5cf4a843f

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
424B

MD5
b7276a469f3a825fddaa6f1f930c3933

SHA1
0eaad4f4148db9d8d408d9804c01588ce9339422

SHA256
0b8ddd400d62729e7e28348eb8c9ce32c05b41d58b4e508175772352c8a11938

SHA512
9ff431f2a34d4455541ebd8595c0b6db4ef7eb7de6adcc27827f4479832051b12b17cef3260ead1aba4e03b9462ee63c4fd8ad2a9cbe73ec1767025303fe3d27

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
80b11967ecb857e8a32383c093bac866

SHA1
c4c3b90baa7042c10ae10d987bf36edec97a356d

SHA256
173a0b703fa77f08cb8e19631b8c1c022a91e4c0733812a6ab431c8f2173668b

SHA512
e73ea7ebcba1c261bc05ce2379a02af8369539ea130fa4a6ebe28a73e4260115b6b74cddda5b331fe42633fefad3ef8c2be6face516ec77bb4c9c8491952a171

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
3KB

MD5
369723b6c6eb7bf844ad49b2f2b0e000

SHA1
0d319092a92a85c1b9e998ddd8bb78c0847a10c1

SHA256
27035a1088feb409e660f3a77d8639f9d9c4407cd6502bb43a93163e2b915e01

SHA512
242833b47d36b45c28b9f6d5c168e84fca899f2e04d7196d577f305602286d3c1a62023c0dfccfdf78f8fc379cf63d1880ec3992773d19ef33f2725308f76a26

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
3KB

MD5
b01e131d2eebe318c1aa3f6e889e6ccb

SHA1
6e7a38763902e67ec5549519194d1f43c9038aa9

SHA256
852c1e12fa9e1b2c69ba73ec0e3ffbd3c2f40595d93250e780f648ac762c44e0

SHA512
31b76b9d89abab8ab67ad046b3f8f29ce3b58fac9b375e477d8ebb5720dcbd0d4594273968976d1ad89d814c5bdc983cb494a2b9bf22947bf8aa3076b61f1d9b

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
3KB

MD5
bc318f3668505447fa27390482b9835c

SHA1
bec75b33412367b2080e20d9abfaefc923561254

SHA256
ea35dd8dbaeb7cc942132772682dbee69468ec44b0751dd3f9531e7fb4111a21

SHA512
27c4378879c4b743aa02cdf8da7c3879fb28a8da03d51e235ad2ea1ce2c397d2ff6214b557cf922e9c535ad6514d2d188096fad392684719bba8f15a44457269

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
3KB

MD5
0edf68681c549ece58be2b9fea3eae53

SHA1
435a67513d23420edf71dd72c470019dd4adfca5

SHA256
c28c1bdbaa06b49c231a19047cc620a1d3197e8edf931924bfdb9f9ae3e98942

SHA512
ad001605bf07b1cfd8eeaee6aea53c2d8efe0ef4173ff66b2f12ab9a2f54e9a9bbe594dcd8cbb2f4a7a6a2394ebc0f47eaac8f5df7ce2d2b93f50c4f20835b01

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
6KB

MD5
f2bab7ea1c1a33833538351e92142061

SHA1
536aaac3c6dc7b3274bdfb6596cc3a8118ce2b26

SHA256
fb0dcb6967f1b7824c44e1d088046725a2d20c935f092dc2efe6cc0d169abf9a

SHA512
c4c85ca6564a6c157afe60701411940489f2592215e38f239709894fc824503045fec590e45e73f3ebb2c684d7f084557d3fffe52cd6455d67db45925c3cb61b

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
6KB

MD5
635682b0b4819cf64c0e5479c0571783

SHA1
4784f4074aee4a85facca12dd91e8dbbe2621527

SHA256
bbb532f2110614755ca7e667634415809f12caf9b25a2bbe465af9fd01647b06

SHA512
51f553aa1df134759ae3ed01e3ec210c6ff544c92164f559f09095fb11df04ea1bcdac4c8766718625e9049711d7240f8daee21acb182be71b2ce1773416ca23

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
6KB

MD5
ba57de607f6b927dcefc08a45bcd1903

SHA1
12bd78aa1fa0a48f18da37b171ccb2d967405fa7

SHA256
857c9e530818bee46ff7d66b45ff00d5b38a816cd783547b95ab28bddc9412be

SHA512
f78779d47951f0eaaf55ef89d29a4d193b34df5efad5676e1b1735004466296a6c4b5d1cfc2d17cb39e96295430cb67329b63d64f9493546d894527a5ccdb0bc

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
f81d561e0dbdac1eb586242e5b2b58ad

SHA1
7de45f96e743b9d756664705663b7f4ababa12ca

SHA256
ccac44f4c04ff1490602adbfa770353188176eb82d69dc5f075bdabe859175a9

SHA512
5620c982a4637dfa109fc19ced082a2e10139e24e7816dd5064edc0aaa8dcf6f7d648dcc1d642147cc347380c17db7f445ed1f0f64cf9e1e75322b10e7d77aa5

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
5f1fd84cd026e99adee4ff8bf08a3445

SHA1
80de605f802566399369f7d21ec96425eee3b964

SHA256
0618adbdc2ffdf152576efe5e26eb1bf1f9b4f3c0246049462db17d6d0e54633

SHA512
8303338eb65fa135ada9cc1570c34816c0015f7f42ff1a975e55762b5c96f60fa32e7a108b28b1ad7a1f315dc19e3cf10d90fce0064504263defb407564a77db

Download Submit
memory/3232-0-0x0000000000DD4000-0x000000000200A000-memory.dmp

Filesize
18.2MB

Download
memory/3232-310-0x0000000000DD0000-0x0000000002519000-memory.dmp

Filesize
23.3MB

Download
memory/3232-199-0x0000000000DD4000-0x000000000200A000-memory.dmp

Filesize
18.2MB

Download
memory/3232-196-0x0000000000DD0000-0x0000000002519000-memory.dmp

Filesize
23.3MB

Download
memory/3232-21-0x0000000000DD0000-0x0000000002519000-memory.dmp

Filesize
23.3MB

Download
memory/3232-192-0x0000000000DD0000-0x0000000002519000-memory.dmp

Filesize
23.3MB

Download
memory/3232-4-0x0000000000DD0000-0x0000000002519000-memory.dmp

Filesize
23.3MB

Download
memory/3232-259-0x0000000000DD0000-0x0000000002519000-memory.dmp

Filesize
23.3MB

Download
memory/3232-25-0x0000000000DD0000-0x0000000002519000-memory.dmp

Filesize
23.3MB

Download
memory/3232-1-0x0000000000DD0000-0x0000000002519000-memory.dmp

Filesize
23.3MB

Download
memory/3708-312-0x0000000000DD0000-0x0000000002519000-memory.dmp

Filesize
23.3MB

Download
memory/3708-198-0x0000000000DD0000-0x0000000002519000-memory.dmp

Filesize
23.3MB

Download
memory/3708-18-0x0000000000DD0000-0x0000000002519000-memory.dmp

Filesize
23.3MB

Download
memory/4936-16-0x0000000000DD0000-0x0000000002519000-memory.dmp

Filesize
23.3MB

Download
memory/4936-67-0x0000000000DD0000-0x0000000002519000-memory.dmp

Filesize
23.3MB

Download
memory/4936-311-0x0000000000DD0000-0x0000000002519000-memory.dmp

Filesize
23.3MB

Download
memory/4936-197-0x0000000000DD0000-0x0000000002519000-memory.dmp

Filesize
23.3MB

Download