1cdafbe519f60aaadb4a92e266fff709129f86f0c9ee595c45499c66092e0499

Analysis

max time kernel
2691s
max time network
2703s
platform
windows11-21h2_x64
resource
win11-20240508-en
resource tags

arch:x64arch:x86image:win11-20240508-enlocale:en-usos:windows11-21h2-x64system
submitted
30-06-2024 11:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

AnyDesk.exe
Size

5.1MB
MD5

aee6801792d67607f228be8cec8291f9
SHA1

bf6ba727ff14ca2fddf619f292d56db9d9088066
SHA256

1cdafbe519f60aaadb4a92e266fff709129f86f0c9ee595c45499c66092e0499
SHA512

09d9fc8702ab6fa4fc9323c37bc970b8a7dd180293b0dbf337de726476b0b9515a4f383fa294ba084eccf0698d1e3cb5a39d0ff9ea3ba40c8a56acafce3add4f
SSDEEP

98304:G5WW6KEdJxfpDVOMdq2668yIv1//nvkYCRThGXBJdicotUgwoAo5beyjF:y3vEbxfjf4Y8yofvktkLdurH5iyR

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

AnyDesk.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AnyDesk.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	AnyDesk.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

AnyDesk.exe

pid process

2964 AnyDesk.exe
2964 AnyDesk.exe
Suspicious use of FindShellTrayWindow 3 IoCs

Processes:

AnyDesk.exe

pid process

4380 AnyDesk.exe
4380 AnyDesk.exe
4380 AnyDesk.exe
Suspicious use of SendNotifyMessage 3 IoCs

Processes:

AnyDesk.exe

pid process

4380 AnyDesk.exe
4380 AnyDesk.exe
4380 AnyDesk.exe

pid	process
2964	AnyDesk.exe
2964	AnyDesk.exe

pid	process
4380	AnyDesk.exe
4380	AnyDesk.exe
4380	AnyDesk.exe

pid	process
4380	AnyDesk.exe
4380	AnyDesk.exe
4380	AnyDesk.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

AnyDesk.exe

description	pid	process	target process
PID 3812 wrote to memory of 2964	3812	AnyDesk.exe	AnyDesk.exe
PID 3812 wrote to memory of 2964	3812	AnyDesk.exe	AnyDesk.exe
PID 3812 wrote to memory of 2964	3812	AnyDesk.exe	AnyDesk.exe
PID 3812 wrote to memory of 4380	3812	AnyDesk.exe	AnyDesk.exe
PID 3812 wrote to memory of 4380	3812	AnyDesk.exe	AnyDesk.exe
PID 3812 wrote to memory of 4380	3812	AnyDesk.exe	AnyDesk.exe

C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
"C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe"
1⤵
- Checks processor information in registry
- Suspicious use of WriteProcessMemory
PID:3812
- C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
  "C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe" --local-service
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2964
- C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
  "C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe" --local-control
  2⤵
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:4380

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\gcapi.dll

Filesize
385KB

MD5
1ce7d5a1566c8c449d0f6772a8c27900

SHA1
60854185f6338e1bfc7497fd41aa44c5c00d8f85

SHA256
73170761d6776c0debacfbbc61b6988cb8270a20174bf5c049768a264bb8ffaf

SHA512
7e3411be8614170ae91db1626c452997dc6db663d79130872a124af982ee1d457cefba00abd7f5269adce3052403be31238aecc3934c7379d224cb792d519753

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace

Filesize
5KB

MD5
0e6e0938c5de25aa4db09ef3d3240c6b

SHA1
72fce2c57ffd2126a1be9e5c6a2972b26f04a2e4

SHA256
6bbdb7f3bfa79c379431f6254de97fe3fe5646949e59625f5fbc0102cb838985

SHA512
f187d1648a6036e2d40c20a084982703c109cc4536cff5c280ab6f0b411ff5045be3cd886a92895bb53ed2226b335f0f9b136e7be07298648fdbc372cd324645

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace

Filesize
6KB

MD5
ce74a7a85c9f97a56afe1e582041e836

SHA1
9b7b65ad988f1d123a7f475dd358192086a2a7a1

SHA256
505b0346ca5ce5f4eff5e72f1d6e801d8fe0ecbe2bfb213d928fec713604fff7

SHA512
4b4950fc7cc87604a63c8071fa27f01a7394556393c28ae6e55dfc6c2eecf2031b15c6b9ea515bd1c1c9f9809aab0cab25dab5097614a2797678820e34ab3639

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\service.conf

Filesize
2KB

MD5
3657da1c74a66d14c044cf44454b831d

SHA1
7618869d5d2a2bd07d23478103af03e5baf37dba

SHA256
81dfea6d4e6691cc055f101a4353afef97015a8721e97f802c57f8b6ad895a4b

SHA512
8df4fa7a38ec689411dde268bb0419b1cf2be5b35dd4d30e68c20c5e7539c6685625124f3076db4e3d56d3c409dd7e5f822fcbdc631ccbb87baf83953e54ab0d

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\service.conf

Filesize
2KB

MD5
40a0837f14a7b5b2a1eeaa366109f59a

SHA1
3f72c3bb7dcd08042f5f4bde499c523999964a3b

SHA256
fc9f4c53819d570a1800f6fe8b65616371a77ec2dc7e8ddacd253c2864322348

SHA512
e61a34bb9813bcd5fac166fca94382b1dc9f61d897ac990111ffc7e2e4506d287141b8363a96f381acb283381e554f840d9772bbbae30d0697288b49bfce2ced

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
701B

MD5
b42f6758da1562cac62c2e4aaac2bef0

SHA1
8a1c6a8469c2fe9f6f512b1a49a678ff5bee616d

SHA256
033ee9d77bae694e7590f4c85f606ab88c46d9266f9a4f3e41f219fb16a61ec7

SHA512
7c5d403b22bb75954393556e1bdfc130c1529a61d4129d3297e51bbcdc2a738edd97f262e6f175a068e256d4cc02c8a54cbc75c13642a561c7828805f7175f46

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
758B

MD5
58c0915f721dd659578ceef59c318a75

SHA1
906d7024321f7752802d5bc278da18200403c82a

SHA256
74bd86642ae3fdc534a1b465e770612fbb63a56353dc0088b219db8fd8cc3d76

SHA512
8744373a37bd7ae72a51938cce55225bc72ab611b1de0f56daa049b8311d3bca66f33af40a39a7f32822e0fdb8c8bd0dfe7cc795fe80acaf1c30c1d988a035a2

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
312B

MD5
0c04ad1083dc5c7c45e3ee2cd344ae38

SHA1
f1cf190f8ca93000e56d49732e9e827e2554c46f

SHA256
6452273c017db7cbe0ffc5b109bbf3f8d3282fb91bfa3c5eabc4fb8f1fc98cb0

SHA512
6c414b39bbc1f1f08446c6c6da6f6e1ceb9303bbf183ae279c872d91641ea8d67ec5e5c4e0824da3837eca73ec29fe70e92b72c09458c8ce50fa6f08791d1492

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
424B

MD5
e6c62f1817a8e15baa977724336a8b51

SHA1
201182f52b3e7ad1aa3c63ba3cb16e1ab036d604

SHA256
789eb2c73ccfe3b6a67585222de6fd1b7386659fc6e4f35b146179e795ac230e

SHA512
dcbaa90ef1c36b736cde1ed03b94935b287b92e7726049b912039aa622585619a445bd6ff77e094a246989b9d44ef380847641c806a73578770b9b86f0093d93

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
424B

MD5
9bfb23ae1ba97534a1a6e7dbed34b25d

SHA1
d74db246e82852e7c4275a1132634fade995f95b

SHA256
76dad6613aa30094f07dfe5ec3d9b8b5cb5a0a160748924683cee358f8073cc1

SHA512
67cb6d9fb25691d0403833161f540b83cb51fe6d36a00cbe9b1c4ab3d74f47f4b7a6d7b2eac47fcb3f7f18a48f93e25a108ac740c35b3350d73c3d061586fe3f

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
2KB

MD5
0d3993046076eb6efc9670a995e8acf7

SHA1
1b9b8a6c629003238d37d99b08f5ee0786337fed

SHA256
b595e87f10339e42ef8389e414bb1f533b99c717ad31cee8f27b4150fe617c19

SHA512
fca090293e5724314b5f34276a0ec3884b9fd1750c606a93fc9a5934e1257b3e8ec976f0bba421c2521cb331dcf35dbdaeb07e081e1670561b9faafebc669757

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
2KB

MD5
5ceb7c1c4d89d9c465f422738357a0e5

SHA1
5d24116e627a83f81bd9c7b1f263728200de2808

SHA256
c1254b94ad0f1366442d70b39139aba48be5be1391b27217712e4c4a08212f74

SHA512
9352326c288439d0af9f3c6b81a5679a9d4abf09405229c507c59500fd519fc646610e03bad2941b37ea8a080f5c890e8788c29491da246f65dba9334a1a0ae9

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
3KB

MD5
4b064247c6aedf1aefd5e2eeba29b1ec

SHA1
a763f1d332b66ec1962f928cbe3f19a9201aba51

SHA256
7cbeb1f11ac300947597a3f004bf002ea58bb1b7678e8d9352adb6f69b34c43b

SHA512
68a6571a4cc6682a7349ac9a5ce8e43eee94cc6ff089fd4d238e10edbedf6e76ec5cad66f8eac036a18e7e2935683f51401fbb0d244b9a58d29f03e0e8a729f1

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
4549a8ca82a42784676771471a21e811

SHA1
9fdc66cd99e7adeff646caecb8bcdae9d99d3adb

SHA256
ca799df5346a302b7b2146906a73fd032dfbfb0317f603222c788b9fe5326fe3

SHA512
21acc8cdd672ef30eb4c802634c5816e7cd4caae0e9d6e86c6a675083b1ad226f6badd968057e4bb38b5be82aa0f9b58b42777409eb22c342183fd2ad9cdf405

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
6KB

MD5
f81d20a8c79fb1cceb4681af5d273420

SHA1
b645cb6bbe0659a49d93bfe15ffa1606c08251bd

SHA256
ef572d515556ddee210fe1a630ff77a9cec7a1e19772770066b97229aa708b81

SHA512
04136a820865e7e1eb16cdbc6e7002cae4864d964351f089ada9d49e891c13c326bec2b8af6c7fac427e5694887730f4ea2fc13e91b832490c6b805c1e603aec

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
6KB

MD5
bde21860c225b1d290555de1d7343bd6

SHA1
d7269e5c0a71baae2a599553e05bfd0828a04059

SHA256
8616c707ca6d59d0af93b11503daefd655cd62fc74386d2d882ffecedf0174c7

SHA512
58f1fbdac0c482d969990ed503b7cf0ffd3d0e53271bfebc07ed44d515f2c810e0f1a6cbb642ae09dd24f013ac97b16ce9d20fb978be93e775e691de2305cadd

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
6KB

MD5
d7cb9418658259871629180252f43cc4

SHA1
4e6096c50b7211308700c1818b92d9f4391af475

SHA256
6dca6e6d75932c4c00b438d93a25068bcbea8efaa8d3ac0ccd0754e3f2901a53

SHA512
265df08c4c5ec6c9635fd131a1dbf4dd90e92bf157f2de483b783b315262dd1af7720eb8666dd98c6afc5d70dabe93a5ca7a74a24cf32cc519ea9687687e0119

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
6KB

MD5
40830313212d1a099e93a5f8118a9388

SHA1
afe3f4e3f7026d7996577c397099680bca9929eb

SHA256
ebdecb2c8db3c0d34d4e6473288d3fbc060e4bf3ec267b486bf62fbafd72fa8d

SHA512
39548196832009c4792de8c1252cb121347eb367065397259a070c694a97a966e966c2fd02acadd8ce4f42ae7e6d0b319e1c943b9c0d5337a65fdb7070d0a9e8

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
78d5a1dc8e260dcd9f2b527974b46b46

SHA1
ee83035ff9a6fc4a079c5ddc538d57e6a6146deb

SHA256
b8b6e47bde5f55bdeb24cd3ad9b693b59a8d95674d3fbc301e66f415f0c0a393

SHA512
47f21eb6604285e20cb859c401b9ca295f8a1ca48967b6bbdf3a0b31b7d0efdf7bf0b5e23203ef963c47c5eeb6e7bec033c287ea4cb39f0d79827603105e84dc

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
7bd863ca4bc6f59000861278cf8ea8e1

SHA1
b08519422ec89b65c4917ccf146f53703679bd8d

SHA256
1a85a9340f594cc65644ac4ea3bbd06823e04ef96e87a43d912df94a67e3cd11

SHA512
07952ae03398507a00ea1f0dcbcbecf803f22d5bfec1e54128fbb249ec35a1440eea1aa61fe2241a124b13332af8b33e191286fbdd5bb0e40e8a4371baed1b0a

Download Submit
memory/2964-17-0x0000000000A60000-0x00000000021A9000-memory.dmp

Filesize
23.3MB

Download
memory/2964-227-0x0000000000A60000-0x00000000021A9000-memory.dmp

Filesize
23.3MB

Download
memory/3812-2-0x0000000000A64000-0x0000000001C9A000-memory.dmp

Filesize
18.2MB

Download
memory/3812-79-0x0000000000A60000-0x00000000021A9000-memory.dmp

Filesize
23.3MB

Download
memory/3812-7-0x0000000000A60000-0x00000000021A9000-memory.dmp

Filesize
23.3MB

Download
memory/3812-0-0x0000000000A60000-0x00000000021A9000-memory.dmp

Filesize
23.3MB

Download
memory/3812-225-0x0000000000A60000-0x00000000021A9000-memory.dmp

Filesize
23.3MB

Download
memory/3812-16-0x0000000000A60000-0x00000000021A9000-memory.dmp

Filesize
23.3MB

Download
memory/3812-229-0x0000000000A64000-0x0000000001C9A000-memory.dmp

Filesize
18.2MB

Download
memory/4380-19-0x0000000000A60000-0x00000000021A9000-memory.dmp

Filesize
23.3MB

Download
memory/4380-228-0x0000000000A60000-0x00000000021A9000-memory.dmp

Filesize
23.3MB

Download