1cdafbe519f60aaadb4a92e266fff709129f86f0c9ee595c45499c66092e0499

Resubmissions

30-06-2024 10:18

240630-mb6fbszbjk 7

30-06-2024 10:18

240630-mb16lszbjj 3

Analysis

max time kernel
1791s
max time network
1794s
platform
windows11-21h2_x64
resource
win11-20240508-en
resource tags

arch:x64arch:x86image:win11-20240508-enlocale:en-usos:windows11-21h2-x64system
submitted
30-06-2024 10:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

AnyDesk.exe
Size

5.1MB
MD5

aee6801792d67607f228be8cec8291f9
SHA1

bf6ba727ff14ca2fddf619f292d56db9d9088066
SHA256

1cdafbe519f60aaadb4a92e266fff709129f86f0c9ee595c45499c66092e0499
SHA512

09d9fc8702ab6fa4fc9323c37bc970b8a7dd180293b0dbf337de726476b0b9515a4f383fa294ba084eccf0698d1e3cb5a39d0ff9ea3ba40c8a56acafce3add4f
SSDEEP

98304:G5WW6KEdJxfpDVOMdq2668yIv1//nvkYCRThGXBJdicotUgwoAo5beyjF:y3vEbxfjf4Y8yofvktkLdurH5iyR

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

AnyDesk.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AnyDesk.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	AnyDesk.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

AnyDesk.exe

pid process

752 AnyDesk.exe
752 AnyDesk.exe
Suspicious use of FindShellTrayWindow 3 IoCs

Processes:

AnyDesk.exe

pid process

1052 AnyDesk.exe
1052 AnyDesk.exe
1052 AnyDesk.exe
Suspicious use of SendNotifyMessage 3 IoCs

Processes:

AnyDesk.exe

pid process

1052 AnyDesk.exe
1052 AnyDesk.exe
1052 AnyDesk.exe

pid	process
752	AnyDesk.exe
752	AnyDesk.exe

pid	process
1052	AnyDesk.exe
1052	AnyDesk.exe
1052	AnyDesk.exe

pid	process
1052	AnyDesk.exe
1052	AnyDesk.exe
1052	AnyDesk.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

AnyDesk.exe

description	pid	process	target process
PID 3540 wrote to memory of 752	3540	AnyDesk.exe	AnyDesk.exe
PID 3540 wrote to memory of 752	3540	AnyDesk.exe	AnyDesk.exe
PID 3540 wrote to memory of 752	3540	AnyDesk.exe	AnyDesk.exe
PID 3540 wrote to memory of 1052	3540	AnyDesk.exe	AnyDesk.exe
PID 3540 wrote to memory of 1052	3540	AnyDesk.exe	AnyDesk.exe
PID 3540 wrote to memory of 1052	3540	AnyDesk.exe	AnyDesk.exe

C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
"C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe"
1⤵
- Checks processor information in registry
- Suspicious use of WriteProcessMemory
PID:3540
- C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
  "C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe" --local-service
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:752
- C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
  "C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe" --local-control
  2⤵
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:1052

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\gcapi.dll

Filesize
385KB

MD5
1ce7d5a1566c8c449d0f6772a8c27900

SHA1
60854185f6338e1bfc7497fd41aa44c5c00d8f85

SHA256
73170761d6776c0debacfbbc61b6988cb8270a20174bf5c049768a264bb8ffaf

SHA512
7e3411be8614170ae91db1626c452997dc6db663d79130872a124af982ee1d457cefba00abd7f5269adce3052403be31238aecc3934c7379d224cb792d519753

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace

Filesize
7KB

MD5
56b0cb054e26466a6144aef5ad234d96

SHA1
355b66524f75115851d853bee6b7a8a913350604

SHA256
a9070027373d7f0d22837274cb1260aded2d154b24ba20af7dc3e9084551dc13

SHA512
8a0356b6006c7fc0eccef7a274945d29e7f0f2ca25dd935d04551fd5fb977371864ce1ced33328116e6015c6763b0ae36c90373cbe8080e0f3cf533a3b0a58bf

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace

Filesize
9KB

MD5
8df22c8d4e08f13f055e7419330ad178

SHA1
ab69d4d800e790d28a39904ae2e71713d6dce9a0

SHA256
94d35100c34bf75f1502bfe052cf4771ad173a5d9e244f0b2a2af9bacd4089b4

SHA512
a39b81ec6584d4e4fd278f83a1b78c7310e46e537ff418e038f13384057f874907e02310536f5740ce11ca72c7aae46b5fd6dcb5825e5fffc83e4fd6d58dd524

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\service.conf

Filesize
2KB

MD5
b79d969485d63268877c565849e3b5e4

SHA1
5ba652114e9b712e4350cd9cad04ac9165967706

SHA256
1b2b2606352a2b1e311646434e8c4f646654fb15080b175c4ac7dda521903b3d

SHA512
f13d9e3b92e3b8c2d2a5f7f663080120e6ea3f202bdf742e8583347653a92e378d2f87450ea6e440179fa52a2ca2db9b13cfab4997f05854ad2c0389ac76d4ef

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\service.conf

Filesize
2KB

MD5
c8a5cde51c3eb4b04b7cc0453ed406f2

SHA1
7c9dd1beaf85a58ef71b928f336f07faa4927b3b

SHA256
8c3c9bdc002b7cef4cf75e42d50873e16b0a36bf4f157ba25971ee77054f3e00

SHA512
eda972cec22297d14515d4481b5efa2919d1c902ec47a206ed88c5c5492d475250f991ee5e800829a9af5c634e44aa88ad74b060292bd4723d94b1ae0615664f

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
701B

MD5
8f1270ce023ac0c10d54b23b380bccdb

SHA1
6cc9185f81c1f4bcfa4162a9048a84fb6fa84a80

SHA256
e3999bb51a869400c611ce563bea488c9c75fbde6eb26fc3ea756a98d13c3bd5

SHA512
0fa836b63cddd83ea55712a50f9e1fa56d5945d3278f6fbe3d7c94e7f04c210bc127bdb5e1913187b69c1bedbe56c12701db9df6443c3ad4e0103612073320f8

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
758B

MD5
1378931aaf33a6f47e6aecbf207486c5

SHA1
9c2e9a01cd4e4a0b872ed279f6920ae57521ec1d

SHA256
55f794a687360532b93c34566b4e8e513d7ee192efe068181a699986f34c0318

SHA512
6be7b535cf207a7108e4d4a7069cf13cd4a3d0ed3c2a440c4088d5cd32650f4a0cb51e2f092bfd354047e2955b238e9d14189d050d5461e4d44188e4a1638201

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
312B

MD5
0c04ad1083dc5c7c45e3ee2cd344ae38

SHA1
f1cf190f8ca93000e56d49732e9e827e2554c46f

SHA256
6452273c017db7cbe0ffc5b109bbf3f8d3282fb91bfa3c5eabc4fb8f1fc98cb0

SHA512
6c414b39bbc1f1f08446c6c6da6f6e1ceb9303bbf183ae279c872d91641ea8d67ec5e5c4e0824da3837eca73ec29fe70e92b72c09458c8ce50fa6f08791d1492

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
424B

MD5
611e4794e233914ef6cb800ceb435302

SHA1
c6e9d0db370a63ac20536ad5509fbbb75186491f

SHA256
f086ef1096443c838c135b0e819a6a55408af24ffe1791dde76e2939717a883b

SHA512
1a82d3c9409e5a462142f13684fd34329e85813edd7405e759af7512a35c7de6aa66b56088b231c16bffc3ff5f6de4628da3c33cdd8c6956295cbb8f3bd8a1fd

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
424B

MD5
e6e535209f84153b6affaa1ab5d06fed

SHA1
e453b6e602bb114ac740c3ca12e1427729f0e820

SHA256
5dea17b862f21b4d212f9ab5b406fb269bf4424e4ca638ea6c451d9a3db909ca

SHA512
bf3f11925fa6a4cd93edbc87170a85d7b656495f7e927563d7419ce3540ecf17a47759ad1f1d5e0237fe8156ea0533e786119385cbaf7e7333cf8bc035933fcf

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
2KB

MD5
5e4e81e1afa6210afb801c235d853061

SHA1
36f6f4aa394242a7bb8a54904b5344c3511b1c89

SHA256
a14f709f8ea4ac665cd95f5787128cf8ba286034a5030edac23dc16b587dc3e6

SHA512
2d47763c8cb4676b3005e1a66a5df45870c4ff48570c8bde1264625dd07de8335956a06ffdb9e7502d47babcbe92178f49ef53aad3fdd8ef5e9b1260cd2edaa1

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
2KB

MD5
5436333a02ba4129f034835899febfff

SHA1
622536c3cbe6f49f3d2cc969e93b7da2fcf13c54

SHA256
da781c1864b2b57ce842bbbfc361268af6b825a23e337834062c07ec7383baa9

SHA512
cb2da257ff96122e110aa3163a1881718253a391912f4354991639a55c2c00cc654abee01a04eb033ff57b6c61c5baa9fc44b74781fbb56df05ca022175cb190

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
3KB

MD5
24bc62213b31e8780192c78e151c7f53

SHA1
1ca371ae06cd6bd222d708b439d584d12121ba3f

SHA256
b045ec9cba98112a8694ed12731da3e4a6771823c15bcf57d912bea38b8b9ea2

SHA512
d8ece87519bdc199db7da07a05f0fd7273673a271ee3582ee91f3d001faab6880d1e3e2a684cff2fe7a608af1bbd40e790c329cbad0a9875eb3cba33a7987ba2

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
3KB

MD5
ae9c44390139bca6409b5efef2f81945

SHA1
43833b1960791cd59f3d01472b6a6d8e10788183

SHA256
800eb752e936c7ecfd88d5b6a01af21300e0cb63b8d07584f9cc2e8c75bf0e1a

SHA512
95346b2a162b2d5ec254d9583cb54c0668044b3fe5195bff70d53cb55d55c1115eac881e9caa8030a1273709eb4b7fdbc9fa3fa246ffd9714289d3c400f92225

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
3KB

MD5
3d0988c541add1edfccce005447acd32

SHA1
c2bc70784be8c1fba49a2913d2af7ad509251bfe

SHA256
94ae1fc5e5aa073b67f077c532b5373f300ce45d4a94f9bedc3c3d934b3adcee

SHA512
74beff2d8f0cf2a82b39642bd9d1c264e217b0b276e89f4f1f022df89eefe02699673b1cffa9730dc920c840f390cab0961a094b4cae4a5a3c9cdbcaaf6073f4

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
6KB

MD5
99ef00f0961e6610b10103f2024b91ff

SHA1
c0b3f9e747d63cae793d496a91b44b18bf35e9d8

SHA256
31058ef7255371438e95a43126ccc98e9ac00519d45332df23a66a5cda4e2152

SHA512
8c0d217d18bc2a46f4d15ea1a232af4c13f707cdb1f93c5d925301e2e6e88a82098ff9b791d3ff9e88468efe5db131bd081ed7fa1f6ffd9e64580967c8274315

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
6KB

MD5
3d05bf32c6cc7402e02bfdb1ecdac5b2

SHA1
746df9f7febcf850b23810cc121af6ca386b22f9

SHA256
906e736fe891ac199d550ef9cee370a6d5a975652de7050f36964567ead54a8d

SHA512
2275d3e22d3cb4b79e5ad883dc338760941cdb3d7ccc01f5aac19074b12b7283d1fb96342cdc3625fac515c764069dcfd913f61a7b94ee697de192683fcdd29d

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
6KB

MD5
9d0a53775ddaa299111d6ffd455ff943

SHA1
faf26b3c04b496a02e4f4d827aad30126410012b

SHA256
3b95553eb6c20222cca07ea038f25018cbf96a7fa4c610f342d869568c5d4350

SHA512
f8d54db90dd6aeca209b7940b39e3461b036314b3375e661318fdc3bf81dda6cd4fcdcbb2deaae667a043c70fef0eb2cfdcab39315863d9134688b6fbfbfa936

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
c0e1601b36d5d27b88959c2f3d6fbc4d

SHA1
fd0109b2e1a1f8f4c868aaad21eafa42b41e1b05

SHA256
fae8e60cc0832f0f31880165d393dcbb83c77ba2f4b1ee44940ba2d35b716bde

SHA512
05481dfd8d4fb3223dbcd7ced1c8920118733816515e985fcd433831713d1d754eccfb9a18bb477dadac39113faa28aea21f60300c72a612a547682ff1885a17

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
6KB

MD5
741ed0b3a8625023a0cd7c2f0db9a924

SHA1
911ec870fe4eecef7638eb772cbedbee81aa221b

SHA256
1f99d13e797e99ef193139be4cdd5d0b9ebc13cb199cebcdddffafc52f43a51e

SHA512
bdd507dd45f5d48075cbb54efad902a209c777581afb980f5708d89268c4c965ede5437572954b5e486112a73975187fb0fd33033840a191daf0279d29d70227

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
6KB

MD5
20b1b7acd191a28e079716d1ff86906d

SHA1
88d02706fbd812ce5178350f655c3644429cf9b0

SHA256
7760761df0942837ac901208fdd6823554ba899a967f916dc0086b80814b5088

SHA512
1261705465e1cd0019620f933a38af8ae4699765f5e809b97d109cbab17a7cac369f56bd18a26d6fcd60c38a17ceaf3ae57162e2f7dfd716453470bd183ecba8

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
21873f541cf344fd0d28c6ea9b565c62

SHA1
9ecf776c261c10a8d1e77a3a12d9f5d701b5a835

SHA256
f796111871e05e9e3346f85fffcbcdb0e0d2a2ba3cd21ef59b17cd77de4b5f93

SHA512
7c562c0c570d54f7eb404fcf5dd364251c5ded22edd3abf39f6974966f7f1aa9b1537fba078f2e4a7bc43c761ef56771d25b56622f073f0b31917975a9c2969a

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
967d66c0fb00d46c97ef70b84f535ebb

SHA1
06acdd37bc53bcb75d152ae19452854ffd0719e7

SHA256
d39b9897c6380edb3f704a1e514c7a844eea5b7a9f8cb74b312ae5acbe1a49bd

SHA512
12c3c6629206fc99c8af15404398d6541784914e53f6f9097176b38ea8a6b2f3a96f98c433441bf1065621a436ea1bf22baad2d0368b454127a9eafaff086313

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
afcabf087ec68c3d405aa8fbb5fa6efb

SHA1
41eb7f5aff0fd009e33ef983a7c5d619e1c7a513

SHA256
1302a115048c138278636bb2dffc66959216ba543e66d9ae03205657741468ea

SHA512
9f944afee5e6b4a020c7eb6d76abf7eef2c98b33adc0dc0025a760922ede6c39be6f0f88ad5b8be1845f3a4ce1561b7b18aa014c4db08b78d36357ca219faa4e

Download Submit
memory/752-10-0x0000000000710000-0x0000000001E59000-memory.dmp

Filesize
23.3MB

Download
memory/752-221-0x0000000000710000-0x0000000001E59000-memory.dmp

Filesize
23.3MB

Download
memory/1052-12-0x0000000000710000-0x0000000001E59000-memory.dmp

Filesize
23.3MB

Download
memory/1052-222-0x0000000000710000-0x0000000001E59000-memory.dmp

Filesize
23.3MB

Download
memory/3540-2-0x0000000000714000-0x000000000194A000-memory.dmp

Filesize
18.2MB

Download
memory/3540-0-0x0000000000710000-0x0000000001E59000-memory.dmp

Filesize
23.3MB

Download
memory/3540-220-0x0000000000710000-0x0000000001E59000-memory.dmp

Filesize
23.3MB

Download
memory/3540-7-0x0000000000710000-0x0000000001E59000-memory.dmp

Filesize
23.3MB

Download
memory/3540-226-0x0000000000714000-0x000000000194A000-memory.dmp

Filesize
18.2MB

Download