1cdafbe519f60aaadb4a92e266fff709129f86f0c9ee595c45499c66092e0499

Resubmissions

30-06-2024 06:46

240630-hjns2axgpk 3

30-06-2024 06:18

240630-g2pydaxfpn 7

Analysis

max time kernel
142s
max time network
146s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
30-06-2024 06:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

AnyDesk (1).exe
Size

5.1MB
MD5

aee6801792d67607f228be8cec8291f9
SHA1

bf6ba727ff14ca2fddf619f292d56db9d9088066
SHA256

1cdafbe519f60aaadb4a92e266fff709129f86f0c9ee595c45499c66092e0499
SHA512

09d9fc8702ab6fa4fc9323c37bc970b8a7dd180293b0dbf337de726476b0b9515a4f383fa294ba084eccf0698d1e3cb5a39d0ff9ea3ba40c8a56acafce3add4f
SSDEEP

98304:G5WW6KEdJxfpDVOMdq2668yIv1//nvkYCRThGXBJdicotUgwoAo5beyjF:y3vEbxfjf4Y8yofvktkLdurH5iyR

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

AnyDesk (1).exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AnyDesk (1).exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	AnyDesk (1).exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

AnyDesk (1).exe

pid process

2408 AnyDesk (1).exe
Suspicious use of FindShellTrayWindow 3 IoCs

Processes:

AnyDesk (1).exe

pid process

2088 AnyDesk (1).exe
2088 AnyDesk (1).exe
2088 AnyDesk (1).exe
Suspicious use of SendNotifyMessage 3 IoCs

Processes:

AnyDesk (1).exe

pid process

2088 AnyDesk (1).exe
2088 AnyDesk (1).exe
2088 AnyDesk (1).exe

pid	process
2408	AnyDesk (1).exe

pid	process
2088	AnyDesk (1).exe
2088	AnyDesk (1).exe
2088	AnyDesk (1).exe

pid	process
2088	AnyDesk (1).exe
2088	AnyDesk (1).exe
2088	AnyDesk (1).exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

AnyDesk (1).exe

description	pid	process	target process
PID 2876 wrote to memory of 2408	2876	AnyDesk (1).exe	AnyDesk (1).exe
PID 2876 wrote to memory of 2408	2876	AnyDesk (1).exe	AnyDesk (1).exe
PID 2876 wrote to memory of 2408	2876	AnyDesk (1).exe	AnyDesk (1).exe
PID 2876 wrote to memory of 2408	2876	AnyDesk (1).exe	AnyDesk (1).exe
PID 2876 wrote to memory of 2088	2876	AnyDesk (1).exe	AnyDesk (1).exe
PID 2876 wrote to memory of 2088	2876	AnyDesk (1).exe	AnyDesk (1).exe
PID 2876 wrote to memory of 2088	2876	AnyDesk (1).exe	AnyDesk (1).exe
PID 2876 wrote to memory of 2088	2876	AnyDesk (1).exe	AnyDesk (1).exe

C:\Users\Admin\AppData\Local\Temp\AnyDesk (1).exe
"C:\Users\Admin\AppData\Local\Temp\AnyDesk (1).exe" cmd /c %carga paga%
1⤵
- Checks processor information in registry
- Suspicious use of WriteProcessMemory
PID:2876
- C:\Users\Admin\AppData\Local\Temp\AnyDesk (1).exe
  "C:\Users\Admin\AppData\Local\Temp\AnyDesk (1).exe" --local-service
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2408
- C:\Users\Admin\AppData\Local\Temp\AnyDesk (1).exe
  "C:\Users\Admin\AppData\Local\Temp\AnyDesk (1).exe" --local-control
  2⤵
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:2088

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\gcapi.dll

Filesize
385KB

MD5
1ce7d5a1566c8c449d0f6772a8c27900

SHA1
60854185f6338e1bfc7497fd41aa44c5c00d8f85

SHA256
73170761d6776c0debacfbbc61b6988cb8270a20174bf5c049768a264bb8ffaf

SHA512
7e3411be8614170ae91db1626c452997dc6db663d79130872a124af982ee1d457cefba00abd7f5269adce3052403be31238aecc3934c7379d224cb792d519753

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace

Filesize
6KB

MD5
f17d3c6b00bf953452e55f1b4fcc92be

SHA1
f0ab7ada0df6e31d7eedf98fb26c07bd64b98235

SHA256
5742eb6a49bce3696a4d2f5640c5a9d13ff59aa20b90bbe7abeefaf6eabd6ea2

SHA512
ce9a5c7ad189c08bfb8d164ef37fe4eabb9cd4e8bd358d9300a5b54deda93f70ad1b675d6b7e8d83077784051d9533a4ef2b79203f19ab3cd57dd79dfcfeea7f

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\service.conf

Filesize
2KB

MD5
438e10020e0ab8df8ba809d204f167d1

SHA1
788ebba044a0020b0ed62a8e9cc80eb19d0ef465

SHA256
b563f927ef3f970be45a1ec803ffdb038bcbaa0acde866286fefe0253a82ff5e

SHA512
915b01e5c9176c33b86a01b5e11407aeb6424338cc9495ba39503078731408cd483bf92188abc4c5b9872e377f1cabd24903c0dc0cce4829c64853166669623e

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\service.conf

Filesize
2KB

MD5
b169a8550fd7bb9419c8741538f62be4

SHA1
90bf43653ea55270a0c3683a879751fb13364280

SHA256
0e729f55d69e10e7447a1b2d9a0427ef7f66cc17c34127895dd10bb52052bae1

SHA512
ab51cdf85027c734364444546e48351d292ba8f9ccea05152bf79854becb31e08a784974ddc8361664653beb46286a1f52ee23911077a12841950bbd0180429c

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
701B

MD5
173c59cceefea52e9466957b700c60b5

SHA1
7ff135b0cb62007bba6b4e64e2effa02721b42dc

SHA256
f1c67a27da349bcbf50f667f043aaf04674204727cf805c3d886b86e647ec777

SHA512
9f3240ce44e4aaab29f1dcd605c54167511852160384b82b22ed7dff54457d5f4309a3d3c850e59540097e00ae065b5d729d7c6b519bb784b6c212077d7b7eea

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
758B

MD5
d8ca99a28c75914aa492b389d1d97904

SHA1
cc5b51c4bfa0077f243840cbfe2ae8e89d451b13

SHA256
82fdff385a44123f40bc87d456e289eefa290a25ed2c918ec4b24c5bdfdcac36

SHA512
5d38f0756d26a9497c70e1836be358f5266bb140aabe65d1c69630977fe49caf45d70e81c0d3128f939e5b8694b05aaf084c92b8fd9bdc1d233f4f41f8bc77d0

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
312B

MD5
0c04ad1083dc5c7c45e3ee2cd344ae38

SHA1
f1cf190f8ca93000e56d49732e9e827e2554c46f

SHA256
6452273c017db7cbe0ffc5b109bbf3f8d3282fb91bfa3c5eabc4fb8f1fc98cb0

SHA512
6c414b39bbc1f1f08446c6c6da6f6e1ceb9303bbf183ae279c872d91641ea8d67ec5e5c4e0824da3837eca73ec29fe70e92b72c09458c8ce50fa6f08791d1492

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
424B

MD5
03151adfc601c4732429f69e8823c1fa

SHA1
68525060437fa67a1d9c54bd4a7f211eb8ad6ad2

SHA256
e60e0980a5d49078ecdc9877768befdc66329ca14059062fcbe0a006336c9f61

SHA512
205a468b9865c319c891138e24095cb98ae556c4f4ea7b9cfadf6ebccd8bc3b813ef31470ed350fc3b217e3c6e56d2313bdddf9fe9b2bd2aa91488c3c37d5e4f

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
556bac173ba6bfc9d232be2808adb896

SHA1
ecf8d762bfedd65f517225b47ede1fb84d9548ac

SHA256
17c84ce49bd805a034ed7b3d0a51f3a0d905f1e91028e919c0b5e658546fc304

SHA512
543e6708831ed0a6adbd11dde912270dfd4fcb91a7634964b10448accdb88b0a605ce99a69686202f39770bdc14c2126a5deff9911f5a64d5b7ab9420618d50d

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
6528a16214ce39c375ab86d6fe0d41c8

SHA1
1735a294d357d717e7ec996458403fff9a8cefb2

SHA256
d2a4edbf636ac0fcad71a57d7dd7898d852b8396da69dae92df8a80fa98c24fc

SHA512
30c718edc3d4a6cb7a996145e50dcff11e691b2aa205ffa0ae40125c5d84d3377633fe787de7d3d66e1863400b2968b0401849b0688cd4f6f7570beb205fdf75

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
92f50af66a26de95934f8de16071d8c4

SHA1
507018728acf9362ee24a5efe2d6819eb0204f19

SHA256
05a743750df5b288f17c29560d9c8a7add668d8b4c9469f8e70469b10c62010b

SHA512
5784bc4488760b3950712748ba3b10a7d43bd1f37a49891f4cfc2c077ca7c136bf90830a9e976598964048d73fcda95dae9e825e662b0cac0797ea23909a5e64

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
3KB

MD5
cc6f6d0c18cce46c55813b32a746ff56

SHA1
fac247fb856897ccb5071da844c2dbf1c678deca

SHA256
56dd71efce162c834cc8158ee22efda5b03d6ef3d136d474d76b0c47a51b9510

SHA512
7952403e255fd6de9bdff482abd9a886c100be4aa8ccd15f10a024a3f57d4378d262c2ec8c8450a0f5097f759b8c66d5a5e87d0489d1a6ba0af5032f2665387e

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
3KB

MD5
2d9c02b18d092e6161339ca7cff2376c

SHA1
b89524ef7e66029db73b7cfad007db708af35a1f

SHA256
bb95e64a0560b5e30b39ba8a089729bbe39a3b81c197b38bdecb499b3e958720

SHA512
9d3bda411206209aa7553e499a54b03f84fa637fe44c244bc92bb347b6283cfc4ea15225808fc2b8d503491a7ac30c9a12d7a42a01352c09c7ce797f32f71db6

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
6KB

MD5
a8f586b615970814f67bb7a41eed499a

SHA1
d88ba8689d70cec4b41a042e3e196c4f4df0ac37

SHA256
da25a771f7bd13ef1794727e1249888bee1045deb1bffce00f229e11e1f5645b

SHA512
70977d17001cc083008b0916a7cfa4125a97ae20663f7d8e027e96325a705b85dd27a1fcd21f13621bc0f30d491b6a874388eda83bca1d7d68f635741466af56

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
6KB

MD5
a131c6968222dfbad61831d014f33387

SHA1
cb79f6a485ab593db6bb91366f662326a9fb5529

SHA256
a4cfda1c6d34647ece8242c738dc553477475c9c229af33cfada2558cd833431

SHA512
1cad2d8c610038356e1e21c473876acf747825e3c2fbb9aa1e6b5626fbe398f1db70abbc4fea76192a3c03031dd520226dd0ee969a9fefe132a8b59141e345dd

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
6KB

MD5
98f286559b40ffdff331609153fa9f59

SHA1
ef951176550527fe7bf13d6626565b9a0a5b676d

SHA256
c55a050072248624df0f1fe28472f628ef4edce7eda7cead5a66fac6342e4696

SHA512
1bb31aa90b6ba636750a6b4cde62765d83ff49de393134d4c7edc2d9b438e25b1a8c26713a2116b3fb92c82d233ce86a9412bae7eb186054f09bdaf74d2580ed

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
4beb7245f1e13bf1ae1cb8b0110b2b7f

SHA1
0ec65eac12c6ed39e95966d3d76c89af0cbbdff3

SHA256
eaff2ae3f14c03bd9038503aff08f9f39b53cfc35fcf341c476f992650f71950

SHA512
e23e281758f0bd680199557afe61be2676e43443a1b42fba1db62148c53cbbc7b873a7dbc4e6d55a58f06b303dbb897d61be47c9c5cf70c1aa2988e5b16292d5

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
0c9eb7f6e62800003df3b0626911e18c

SHA1
2b766af0dd88af1157e1e051d49327a9626065a6

SHA256
a81e503265c623d2b9c785f564b244eb35342e5e65c3d1571acd40e9aa7bc507

SHA512
32eff4329d2f85859750acd4c9b7406d7c73ca46cd32c5d3bf2d52e519eef60304926ee74f9bd23a8341621ceb4cfd807a11c8ced2a6bc163d9bf9689f1f9578

Download Submit
memory/2088-10-0x0000000000290000-0x00000000019D9000-memory.dmp

Filesize
23.3MB

Download
memory/2088-242-0x0000000000290000-0x00000000019D9000-memory.dmp

Filesize
23.3MB

Download
memory/2408-13-0x0000000000290000-0x00000000019D9000-memory.dmp

Filesize
23.3MB

Download
memory/2408-241-0x0000000000290000-0x00000000019D9000-memory.dmp

Filesize
23.3MB

Download
memory/2876-4-0x0000000000290000-0x00000000019D9000-memory.dmp

Filesize
23.3MB

Download
memory/2876-2-0x0000000000294000-0x00000000014CA000-memory.dmp

Filesize
18.2MB

Download
memory/2876-1-0x0000000000290000-0x00000000019D9000-memory.dmp

Filesize
23.3MB

Download
memory/2876-240-0x0000000000290000-0x00000000019D9000-memory.dmp

Filesize
23.3MB

Download
memory/2876-246-0x0000000000294000-0x00000000014CA000-memory.dmp

Filesize
18.2MB

Download