1cdafbe519f60aaadb4a92e266fff709129f86f0c9ee595c45499c66092e0499

Resubmissions

04/07/2024, 12:58

240704-p7j83szakh 3

04/07/2024, 12:53

240704-p41fwsxbnk 3

Analysis

max time kernel
1792s
max time network
1801s
platform
windows11-21h2_x64
resource
win11-20240611-en
resource tags

arch:x64arch:x86image:win11-20240611-enlocale:en-usos:windows11-21h2-x64system
submitted
04/07/2024, 12:58

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

AnyDesk.exe
Size

5.1MB
MD5

aee6801792d67607f228be8cec8291f9
SHA1

bf6ba727ff14ca2fddf619f292d56db9d9088066
SHA256

1cdafbe519f60aaadb4a92e266fff709129f86f0c9ee595c45499c66092e0499
SHA512

09d9fc8702ab6fa4fc9323c37bc970b8a7dd180293b0dbf337de726476b0b9515a4f383fa294ba084eccf0698d1e3cb5a39d0ff9ea3ba40c8a56acafce3add4f
SSDEEP

98304:G5WW6KEdJxfpDVOMdq2668yIv1//nvkYCRThGXBJdicotUgwoAo5beyjF:y3vEbxfjf4Y8yofvktkLdurH5iyR

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AnyDesk.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	AnyDesk.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1780	AnyDesk.exe
1780	AnyDesk.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
912	AnyDesk.exe
912	AnyDesk.exe
912	AnyDesk.exe

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
912	AnyDesk.exe
912	AnyDesk.exe
912	AnyDesk.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2052 wrote to memory of 1780	2052	AnyDesk.exe	77
PID 2052 wrote to memory of 1780	2052	AnyDesk.exe	77
PID 2052 wrote to memory of 1780	2052	AnyDesk.exe	77
PID 2052 wrote to memory of 912	2052	AnyDesk.exe	78
PID 2052 wrote to memory of 912	2052	AnyDesk.exe	78
PID 2052 wrote to memory of 912	2052	AnyDesk.exe	78

C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
"C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe"
1⤵
- Checks processor information in registry
- Suspicious use of WriteProcessMemory
PID:2052
- C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
  "C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe" --local-service
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1780
- C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
  "C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe" --local-control
  2⤵
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:912

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\gcapi.dll

Filesize
385KB

MD5
1ce7d5a1566c8c449d0f6772a8c27900

SHA1
60854185f6338e1bfc7497fd41aa44c5c00d8f85

SHA256
73170761d6776c0debacfbbc61b6988cb8270a20174bf5c049768a264bb8ffaf

SHA512
7e3411be8614170ae91db1626c452997dc6db663d79130872a124af982ee1d457cefba00abd7f5269adce3052403be31238aecc3934c7379d224cb792d519753

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace

Filesize
7KB

MD5
524842f8242b947df40e97782852f076

SHA1
003623623aaa379c2358b7f05164eb98973ea733

SHA256
5992b46b45a0f2e020a4cc33f902da2dfab25209a319b4386e09027a707c3a4b

SHA512
2471d6936d37066bdeae47973c534766dab3a02c53a112ee4789d816379841bbf76b2e8157fb4a0bb51a5a48476bbf11c5bb201556740bbaf9e173fe7c4c4ee7

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace

Filesize
10KB

MD5
e5506a9d79de310e4a36c288c3fd7801

SHA1
c4df49c71b83a994a573c3cba903d5ad422c273b

SHA256
928f1a09e93ae7c8c68e698ffd72a48552ecec5e194941b3abfab89cfea40cf3

SHA512
2f77afcb3fe14f7fc33c642081db4586f970d48e2b2b3be87df60da440dc2d7ef800a18c37db31ae75f76a6395abddd27ba85c0a063b8176ab1c259bef7c86d9

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\service.conf

Filesize
2KB

MD5
3417928560c6d0e6675e0dcf5ac0e8e7

SHA1
e2a55560dbd8358b5be5c85369891078282fe8dc

SHA256
2814157c0dd76981dba861483319d2e465a0acf47021568ed68de384e3725358

SHA512
b146854f2e43b4bb6131964f06cde14cdba81494d19fe98c5164b9f238a9d432d70bbf4ee0e4b26c12811f2649290ee21559d99c6c918f44a04951469227a227

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\service.conf

Filesize
2KB

MD5
1af6ac597b2afa34a58a97d93dccbb60

SHA1
88179265d93a759c9b4288bc650e288110f0342a

SHA256
0c966896cbb7dc361e391e0dde0ffc5bcd7386137aa1e1b7753c99876b86346f

SHA512
ef5ae6f41e4f9657f910c1058bcd27f8a6fed5803938401543299bd3220c46d2951e73a0e1dc4f5494ae2321a633c085498dba0012c89f3d7274b5a4c7f7a671

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
700B

MD5
238adf506f49db72604f0d208f731aac

SHA1
2fda99313d427a66c674ef004354c2109e3555d0

SHA256
0ec7722e88894d854358bd3bcea28c729baa061aa71ff5232ed97c9dfe91e6e5

SHA512
f3041f41f2077886decf735d0a0c054c9929d0b391b0398e5d4ea6cf8c87c49d94485956512a42ebfc267ceba3e333ff33230e4884703daee79698d1305e7730

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
757B

MD5
8a9e3bb08b0deec23f0f43006ed8d5e6

SHA1
363800714ad5f2483c66ea76b435fcbaad16e4d6

SHA256
e9c3b58510d21286c66295fd9fa26d5fd5818e579ad8c24613a83a83f2732d18

SHA512
126c70cee309fdffadf7da5798f61bc609e9a78ea283a366559d43270e2d6de14c1e056dff4df097d6b950d7e1f37fa6908291a3a830451dc5dd56923aa533ca

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
312B

MD5
0c04ad1083dc5c7c45e3ee2cd344ae38

SHA1
f1cf190f8ca93000e56d49732e9e827e2554c46f

SHA256
6452273c017db7cbe0ffc5b109bbf3f8d3282fb91bfa3c5eabc4fb8f1fc98cb0

SHA512
6c414b39bbc1f1f08446c6c6da6f6e1ceb9303bbf183ae279c872d91641ea8d67ec5e5c4e0824da3837eca73ec29fe70e92b72c09458c8ce50fa6f08791d1492

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
424B

MD5
b348440f3292ff63bc7dd2df1c3659bc

SHA1
b57a384168c35b9ba47acb91080f2629c1027e07

SHA256
329f1118ba0a7e618f2b3b6c840b4881ecb5b1e4d4cdf0fd2fcf795aa5be7a01

SHA512
de1e4771a00758b9587b01993eb8aa8d5b1c2b5ce3d9df9053afc55be32a9e38add876062c5a919923e6d68ee677602373a8178a823fcebf2f00c13bbf6cd7bb

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
424B

MD5
519559d1495872deebdafda63ceb5d47

SHA1
771619d575990cd727f4629df05d7e988ee9f181

SHA256
80ae87a0e2f6069ac99e025d359beabada6e484103733be467aba649a01f3b6d

SHA512
3518424e3bb1fcced589fd0cba771d74c6a10e6e0431182b045815179cba4238b9e0e3bd1afbd4e6dfc4dc66ddfa04194d9d20c8ddc097bf64ee662595add52b

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
2KB

MD5
3af11e8a7f31a49cffb559748d826bb9

SHA1
5112d45f695f40cb965f74929f66694b1af39ee3

SHA256
df0f3873d1dbf27fb0f5983bef7e624cb328373c2c4836c5cad0c313e67d38ed

SHA512
0461b64ac4eacaec22b9c43d91c93db4e2a3135038c4f5af039c38abfc6c36d51386a421c9cec2bc5eb280d74b306be4289354b7a24b51f8a2fde8fbe560643b

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
3KB

MD5
f899dce01bdb298bae68c4c471296e46

SHA1
bd2f3d37be6872dea1b535fd1c5eda8382881faa

SHA256
e08fa3fac2da141dd38f2dfbcc262cdac2f2584fde48b2d1c3a02db5249cb163

SHA512
cae1c277e4beb3d06ae03de6105e2ae4e638509d054e497ebad41c8318659507d678540d4ea346d53391881887bc38c94926817e2efafd90ff68f1ca494f073a

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
3KB

MD5
8acdb3b489406aeae67161ace4703439

SHA1
92f86fb9754f70245607140c87fab731b3eb8b3e

SHA256
5cbba12a4da37feabdec27d35556d788c2e38eee05600424ff3ba6e3cea97bf3

SHA512
22b27ede3a65cb8763adc2052c18ada95fbc5539e11d0efeeb1410a36b5661d7ce4479e7c4ab13f12d44a57cff81481f00fb303d69b4002016e3038f85dc26ec

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
6KB

MD5
2884c201e062898a60e6dddbdaf375aa

SHA1
5aa46527335c3a80e0a595f5b30c794bdb2f3fbf

SHA256
4892b29ecab60b5820b53abb14e4c216052cad611b58d9be04255e4f940ce647

SHA512
98181aad5d6174d3c777761a6f7761fc9f02250b3a1740b37f76a8a81f881ac8e17d4680ea7e1f12e7ca8f464821753b1d6b00f498ff5729db4df8934ff7774f

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
23b02dcacc042f46ab762bc01a912eef

SHA1
098a253aba1230c39c4b0b477b71cad42ed45d6f

SHA256
4de55363a7c01195bebe9bbeabbb776cb0c3d68e2923e9508dc0649fc6c7c1f3

SHA512
0c1fdc872777b78ed30e960bdd35f446e5be1133eeea81f641eabc4026c281d7a8c8c055b6a44519bb7da4e428f62b589e5a443552cb507716555e4f6eb575e7

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
3906a74cf955f63a3c2f4a433750938e

SHA1
becd87fa04f9c9526a5d622c42c3598cec2761b0

SHA256
f3af36a3eb12c7ad28c78c19d39d265c44c0ab24aaad9f318f26a2eb6cf9bf25

SHA512
362999aba434fcd03b5ef76e5e82f5d5a75722b5f51fd2035168306305dbaee8f4c163225bcb4953ba810cebac6c7c51848a328626c1eba024a9fca47b8e602a

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
36831784f00e447c4f0e8e6ac11d1633

SHA1
47c9d3cbcbd909ec46b0b75261c647b811026f5e

SHA256
3246ea02adc8f5ae2faf949438bb33b1a969fb035f65979c1e3d9b2a3cfee64f

SHA512
bca395f84002dfcc525c1703ebe273b4bac63cb52d171b44ed91023faf36a0d36418a99be9e721969f987fc64772406d1c2775f809107c761f1be5e852080911

Download Submit
memory/912-12-0x00000000005A0000-0x0000000001CE9000-memory.dmp

Filesize
23.3MB

Download
memory/912-225-0x00000000005A0000-0x0000000001CE9000-memory.dmp

Filesize
23.3MB

Download
memory/1780-10-0x00000000005A0000-0x0000000001CE9000-memory.dmp

Filesize
23.3MB

Download
memory/1780-224-0x00000000005A0000-0x0000000001CE9000-memory.dmp

Filesize
23.3MB

Download
memory/2052-0-0x00000000005A0000-0x0000000001CE9000-memory.dmp

Filesize
23.3MB

Download
memory/2052-7-0x00000000005A0000-0x0000000001CE9000-memory.dmp

Filesize
23.3MB

Download
memory/2052-2-0x00000000005A4000-0x00000000017DA000-memory.dmp

Filesize
18.2MB

Download
memory/2052-223-0x00000000005A0000-0x0000000001CE9000-memory.dmp

Filesize
23.3MB

Download
memory/2052-229-0x00000000005A4000-0x00000000017DA000-memory.dmp

Filesize
18.2MB

Download