1cdafbe519f60aaadb4a92e266fff709129f86f0c9ee595c45499c66092e0499

Resubmissions

30-06-2024 06:46

240630-hjns2axgpk 3

30-06-2024 06:18

240630-g2pydaxfpn 7

Analysis

max time kernel
142s
max time network
146s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
30-06-2024 06:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

AnyDesk (1).exe
Size

5.1MB
MD5

aee6801792d67607f228be8cec8291f9
SHA1

bf6ba727ff14ca2fddf619f292d56db9d9088066
SHA256

1cdafbe519f60aaadb4a92e266fff709129f86f0c9ee595c45499c66092e0499
SHA512

09d9fc8702ab6fa4fc9323c37bc970b8a7dd180293b0dbf337de726476b0b9515a4f383fa294ba084eccf0698d1e3cb5a39d0ff9ea3ba40c8a56acafce3add4f
SSDEEP

98304:G5WW6KEdJxfpDVOMdq2668yIv1//nvkYCRThGXBJdicotUgwoAo5beyjF:y3vEbxfjf4Y8yofvktkLdurH5iyR

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

AnyDesk (1).exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AnyDesk (1).exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	AnyDesk (1).exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

AnyDesk (1).exe

pid process

4804 AnyDesk (1).exe
4804 AnyDesk (1).exe
Suspicious use of FindShellTrayWindow 3 IoCs

Processes:

AnyDesk (1).exe

pid process

5076 AnyDesk (1).exe
5076 AnyDesk (1).exe
5076 AnyDesk (1).exe
Suspicious use of SendNotifyMessage 3 IoCs

Processes:

AnyDesk (1).exe

pid process

5076 AnyDesk (1).exe
5076 AnyDesk (1).exe
5076 AnyDesk (1).exe

pid	process
4804	AnyDesk (1).exe
4804	AnyDesk (1).exe

pid	process
5076	AnyDesk (1).exe
5076	AnyDesk (1).exe
5076	AnyDesk (1).exe

pid	process
5076	AnyDesk (1).exe
5076	AnyDesk (1).exe
5076	AnyDesk (1).exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

AnyDesk (1).exe

description	pid	process	target process
PID 4712 wrote to memory of 4804	4712	AnyDesk (1).exe	AnyDesk (1).exe
PID 4712 wrote to memory of 4804	4712	AnyDesk (1).exe	AnyDesk (1).exe
PID 4712 wrote to memory of 4804	4712	AnyDesk (1).exe	AnyDesk (1).exe
PID 4712 wrote to memory of 5076	4712	AnyDesk (1).exe	AnyDesk (1).exe
PID 4712 wrote to memory of 5076	4712	AnyDesk (1).exe	AnyDesk (1).exe
PID 4712 wrote to memory of 5076	4712	AnyDesk (1).exe	AnyDesk (1).exe

C:\Users\Admin\AppData\Local\Temp\AnyDesk (1).exe
"C:\Users\Admin\AppData\Local\Temp\AnyDesk (1).exe" cmd /c %carga paga%
1⤵
- Checks processor information in registry
- Suspicious use of WriteProcessMemory
PID:4712
- C:\Users\Admin\AppData\Local\Temp\AnyDesk (1).exe
  "C:\Users\Admin\AppData\Local\Temp\AnyDesk (1).exe" --local-service
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4804
- C:\Users\Admin\AppData\Local\Temp\AnyDesk (1).exe
  "C:\Users\Admin\AppData\Local\Temp\AnyDesk (1).exe" --local-control
  2⤵
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:5076

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\gcapi.dll

Filesize
385KB

MD5
1ce7d5a1566c8c449d0f6772a8c27900

SHA1
60854185f6338e1bfc7497fd41aa44c5c00d8f85

SHA256
73170761d6776c0debacfbbc61b6988cb8270a20174bf5c049768a264bb8ffaf

SHA512
7e3411be8614170ae91db1626c452997dc6db663d79130872a124af982ee1d457cefba00abd7f5269adce3052403be31238aecc3934c7379d224cb792d519753

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace

Filesize
10KB

MD5
f818d5bf1c97b4699f18b1fe9f335955

SHA1
90f65cfff1159e873751ff7273f0ee1d4b69cf41

SHA256
749c4de9a079ba1393988cb46f8d774bb24d29aa9b415d933ab61e27444e7da7

SHA512
1555b1b790152d602e46db7c9ee9824610e169d74724d8170109837eb939a272533c070c1dfb5bff32a1f636942c6536e77bf0fe07b19cf66afb16c694850fe8

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\service.conf

Filesize
2KB

MD5
a49b24717a6c40d504236b866f214d97

SHA1
193fef27ef0b8c0a6072ec975c752b43523cb4b3

SHA256
c5d3d0fb1bafb12074d5ea1997f561e9506cea4c54bf5e3602c1e11b7e7802d4

SHA512
e8dfcd6e2deadedb2383926513bcf764de98d9c5fa9798c84d8b801c70b41dff0b4720a8c4e2fc168341b2ca0827ccedc28afce2598441491f8639c6c4c6da2a

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\service.conf

Filesize
2KB

MD5
2ec3906e16154741ba803fb79e71eecf

SHA1
d95211c2d7100daa06af55b96898e06157d95da3

SHA256
03f1cf0b507b7ab7ae73892c451d962ea7991de19d28a098476151b5ca6e0a42

SHA512
ff7aa48bb8485da1e594aab5628c413522f08926162541b71e7cc48e63232c993a27416c748d7a6002444112ffad94df25e7a73ab37bf44e3274b5324b789a72

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
701B

MD5
edf613a33de21140bda38c70832062b7

SHA1
46dfec164affd106640c7d6bcc491dedfa2c1479

SHA256
b2d03d0959f014ced0f85bfa99c7a16f78c02af1110760ef03fed9ef7fbe7400

SHA512
bb05b6e2848a50eb0eee730c3fe931e8a29f4e5efef9ce92784565cc13853f1ad02c44f4a21e9b362f660318b1555618d895697a1943345d05561b6cd0e5c74d

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
758B

MD5
2287f85a69201f325dfa4cdb498e1580

SHA1
0fc07bbe8d09ca615ce4193a5389156ffea27fc2

SHA256
ecef25ce9fc6acdf31ab25ccbff68b0bc9a48ed41baf0236c686c0da97dd1fa0

SHA512
7d2e616b85a40e89d4d3b925c6ad01617a26e7fa5984419d2b42c26dd116995ab985b9aad26d5d18033bcf4dadc7f0d7b40f48e92337cb5be28ca58313ac33c2

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
312B

MD5
0c04ad1083dc5c7c45e3ee2cd344ae38

SHA1
f1cf190f8ca93000e56d49732e9e827e2554c46f

SHA256
6452273c017db7cbe0ffc5b109bbf3f8d3282fb91bfa3c5eabc4fb8f1fc98cb0

SHA512
6c414b39bbc1f1f08446c6c6da6f6e1ceb9303bbf183ae279c872d91641ea8d67ec5e5c4e0824da3837eca73ec29fe70e92b72c09458c8ce50fa6f08791d1492

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
424B

MD5
762eb9c1396bf9ca66b41ef861368640

SHA1
b29c254d38aae544a22910127292f48e969128fc

SHA256
0d6bdae3cdb9ad18f4b8940514aad577c3aab15060c4d0cb34cd54ebed39ba1c

SHA512
fb98517ceb54e4d351c284a5667b0e9a1b2c38ac7deb60621afd629b9597ff7d619312bf9b0aff2eeb7ac1d33937224c549ba0995b5f6f2e670a1d0b6c668134

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
424B

MD5
fb7e54b2da5f2e398c200a5caa1c57c3

SHA1
e3258f70f84aa1ded7b99b41ff2b1f530882c33a

SHA256
2d403ac2c3145393a4ac3faf2a0fdc9c10f60254bbe6f44831b1250009b2afdc

SHA512
73474bf56f40d6167aa8975be767b981b2f2b3cf418520cc6df6521770875f88b642751c83c2065321e89891e0a0309b59db89fbbf6fd9ad5a6553dc1e03afa6

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
2KB

MD5
6fbad3bc72688cd3f9443e3236d279b4

SHA1
665b3679e1e19c97da07280af5e7f536c0a7306e

SHA256
ff71959f11b5216bbd9760aa9213cfdbdd0eed981cc00570988f2b7173aa3522

SHA512
5882cc2dfaff54f1365fde3f3fb1eb71da1528f60325de9fe2d80491bb13216a2bbd9cdba8f72e95aa672e620571e03f52e7c037a586a75b9840f92f66cabdd4

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
3KB

MD5
0d909a3fade3da95f9c06f046b7c785d

SHA1
0efab3eb791bde8131c70db22ddd0d6a1128c8a3

SHA256
d8f7f8a79b2450b6ae53719bfdd668d6532b249f5ea8841844b21843a31ed5e3

SHA512
22260a02b14861665c4f9ad652da84831a897190448bca37e295db55af81727dcef4263f9c67dd3498c826f51f45a4761db24e8fa933876a02a80c75c2c99cd5

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
3KB

MD5
c6d5d7d1e7ff04f3aca314529ab9c417

SHA1
4c71c233639104fe58c8f956641b7955d004cec0

SHA256
94422797fcfde8fe0375b129d2ef680bcfe6a6a725394a7f708ca0218fd81d60

SHA512
08e1385a0329213bb6b1e2da3f452fcddd8a144dd4bf2ad394df07f8fec52f3a3aad6bbb26ca91a6c429062a4c19b68569a43ce537bab1c2e5006b2c00b230fa

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
3KB

MD5
59bfa4793d532616c6ebc83bb759ef75

SHA1
865a28fb644ba9efa271949635afb603d41c9ad0

SHA256
9849361c965705f5052f9763afb7fa41e38d9c6d34bb70db9f32c86ffb0351e6

SHA512
cb7119df2137e30acde7e0304fb39b30f018ef55324e26427698ea0dd26593b7bd8433b9e0fc23cb68674430e5e81e46c4a12ce184083111928eb253ca0f6d8b

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
3KB

MD5
3b5158fef64d4a182c59f59cabe6138b

SHA1
cc15732aa3d2b8b8f62e9c51f0b8ead778afec61

SHA256
6597a4bb6d5aa1f7b7b5f66dd07435a41912ee6df0a33c94e7355d044d425339

SHA512
3fcad7e5827339425bc7ae396453ef04141e90a5ef41a534b2feac9dd7e1f879eee874018709acaba90e15b3674d8c6923e9e3d63a558c4d95ca16d6b18cb3a6

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
fe0b30ec922be23eeaecac0b77179e1a

SHA1
167a0c1f7613e0cf7adc2a26e72c74201d297086

SHA256
12164f3e9a2fe8eb502a7002eb47c7b86e8cc8c0f807742944b317521aeff142

SHA512
66e0a750d250f7e516f6a8f1c827ce3ffe3a7d48fad40b445dacf415017fb2b800be9650846104f595443e30cfd2d8a00607fb56aa99d43b5dcaf0c8f2cd094a

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
6KB

MD5
3736ec2579a28ebcbe844da4beb8eba8

SHA1
4c7bf1b2470a5bf1738b9fe29405170bf6742068

SHA256
64c2f8f8e66ced851aa9f4677532359c175b562d81e0c06a648d6da0630670c7

SHA512
22e12840626332042fed22e336e307fac19d1790bf523902318eb0b055d09c84ff73b2aff0e28428628c3527907da35b7e7a3278fc0ab1e79e50d69e462ea480

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
6KB

MD5
0d4bfa52e99c73622452438660c116b0

SHA1
58ce514ab4e51dd831dddad3bfb5c29067ae037e

SHA256
0a47d8659136b746eac99a92b6599b7301a5cffc70c8cf9a71aaa95c444122e6

SHA512
484d27eed852cf434e775e416531ccba8796f807fd1ea7a1c67ec2f28af6f462260378ff55f50f4e330f4c62efed4ecd650825b6863f1037788e1ee503e1cf62

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
5b8cf4ad7f7d1bf8a5888d9949a2f572

SHA1
ecab0da94694c62959b1c149ba752749cf2a4e96

SHA256
438661b4ab295224775ab616b5eea4a47c8b960cba716991620b23cfc3dfb432

SHA512
9f5a1871fd279bc3e2c8dbb9826426e67b63250c1ddf5cdd63b690779a974d927e133dd3be7ea91cecb903ca75e8ee1207e2719bc9ad47b4188371a127575d24

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
6KB

MD5
619095db965a4e87a35ef1c371aa7e39

SHA1
181a8be6112cdd6f2f82d9460a1b73e067380888

SHA256
dc2ce7d3ee301a4d4da7bb14a82ad825e94b35b3b334467565d0bf65bf1f48d4

SHA512
dfc615c9e8e3dfc2968f21f10dd69d7a47896b30ecd740596d7c7c56095817953aa258b35910032b1834f9cab086b17ba48faf5e7a4412430024e0efd8339f2b

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
5bbf7b89faaff7f91646837f6be24087

SHA1
aa26b72234e0b73e05d54fbca8d2c657a22d346a

SHA256
1a12238dda51551323cc55dd258e7142448ab47ad4e3151da1b3d54e852e9eb6

SHA512
e6f95738cb9827dda3a88a8ca439456b7b19d1c46f3767463fa86930481c3f8f922900d3be56ea4eec265bf96a712de0fe1d99b65ce5470948b4f38e2ce5ee96

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
0e48c0f96d0049e5647ee3103449d1a9

SHA1
c4001064936651a64b4592fa7bdc1165d8ba6a51

SHA256
2685257fbd77c98977d91ccb1605ef207a206d235a9f18c23f8bc20db19c4f22

SHA512
8bf0cf4b34d6e0db1ed4d2968aacb31e7751d84bf8b7d0a3a361e1dae056213b565b6c8b989c8e75d3e3b82a31cc20868164f8d6e9965951f99e86d55476dae9

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
25fda9d65c3410637cf99194e4776847

SHA1
ef6f2445f0282be1448466f2ec6204ba60dd717c

SHA256
6ed8e316aff63cbba3ea1b40205af7b4ee20b3659f5e43ebab69df2852002dcb

SHA512
26c8bfb74741e8073c125b7093b03bba9cfad184657a68cb9c915721dc1534b783b2fa01dfe10d384be22a680e1e6425cbbe541b70644f75983efdd08ff4ddf1

Download Submit
memory/4712-231-0x0000000000DB0000-0x00000000024F9000-memory.dmp

Filesize
23.3MB

Download
memory/4712-4-0x0000000000DB0000-0x00000000024F9000-memory.dmp

Filesize
23.3MB

Download
memory/4712-0-0x0000000000DB0000-0x00000000024F9000-memory.dmp

Filesize
23.3MB

Download
memory/4712-2-0x0000000000DB4000-0x0000000001FEA000-memory.dmp

Filesize
18.2MB

Download
memory/4712-235-0x0000000000DB4000-0x0000000001FEA000-memory.dmp

Filesize
18.2MB

Download
memory/4804-11-0x0000000000DB0000-0x00000000024F9000-memory.dmp

Filesize
23.3MB

Download
memory/4804-232-0x0000000000DB0000-0x00000000024F9000-memory.dmp

Filesize
23.3MB

Download
memory/5076-20-0x0000000000DB0000-0x00000000024F9000-memory.dmp

Filesize
23.3MB

Download
memory/5076-10-0x0000000000DB0000-0x00000000024F9000-memory.dmp

Filesize
23.3MB

Download
memory/5076-233-0x0000000000DB0000-0x00000000024F9000-memory.dmp

Filesize
23.3MB

Download