1cdafbe519f60aaadb4a92e266fff709129f86f0c9ee595c45499c66092e0499

Analysis

max time kernel
143s
max time network
150s
platform
windows10-1703_x64
resource
win10-20240404-en
resource tags

arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
submitted
04-07-2024 12:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

AnyDesk.exe
Size

5.1MB
MD5

aee6801792d67607f228be8cec8291f9
SHA1

bf6ba727ff14ca2fddf619f292d56db9d9088066
SHA256

1cdafbe519f60aaadb4a92e266fff709129f86f0c9ee595c45499c66092e0499
SHA512

09d9fc8702ab6fa4fc9323c37bc970b8a7dd180293b0dbf337de726476b0b9515a4f383fa294ba084eccf0698d1e3cb5a39d0ff9ea3ba40c8a56acafce3add4f
SSDEEP

98304:G5WW6KEdJxfpDVOMdq2668yIv1//nvkYCRThGXBJdicotUgwoAo5beyjF:y3vEbxfjf4Y8yofvktkLdurH5iyR

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

AnyDesk.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AnyDesk.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	AnyDesk.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

AnyDesk.exe

pid process

1292 AnyDesk.exe
1292 AnyDesk.exe
Suspicious use of FindShellTrayWindow 3 IoCs

Processes:

AnyDesk.exe

pid process

2316 AnyDesk.exe
2316 AnyDesk.exe
2316 AnyDesk.exe
Suspicious use of SendNotifyMessage 3 IoCs

Processes:

AnyDesk.exe

pid process

2316 AnyDesk.exe
2316 AnyDesk.exe
2316 AnyDesk.exe

pid	process
1292	AnyDesk.exe
1292	AnyDesk.exe

pid	process
2316	AnyDesk.exe
2316	AnyDesk.exe
2316	AnyDesk.exe

pid	process
2316	AnyDesk.exe
2316	AnyDesk.exe
2316	AnyDesk.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

AnyDesk.exe

description	pid	process	target process
PID 524 wrote to memory of 1292	524	AnyDesk.exe	AnyDesk.exe
PID 524 wrote to memory of 1292	524	AnyDesk.exe	AnyDesk.exe
PID 524 wrote to memory of 1292	524	AnyDesk.exe	AnyDesk.exe
PID 524 wrote to memory of 2316	524	AnyDesk.exe	AnyDesk.exe
PID 524 wrote to memory of 2316	524	AnyDesk.exe	AnyDesk.exe
PID 524 wrote to memory of 2316	524	AnyDesk.exe	AnyDesk.exe

C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
"C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe"
1⤵
- Checks processor information in registry
- Suspicious use of WriteProcessMemory
PID:524
- C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
  "C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe" --local-service
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1292
- C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
  "C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe" --local-control
  2⤵
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:2316

C:\Windows\system32\notepad.exe
"C:\Windows\system32\notepad.exe"
1⤵
PID:4624

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\gcapi.dll

Filesize
385KB

MD5
1ce7d5a1566c8c449d0f6772a8c27900

SHA1
60854185f6338e1bfc7497fd41aa44c5c00d8f85

SHA256
73170761d6776c0debacfbbc61b6988cb8270a20174bf5c049768a264bb8ffaf

SHA512
7e3411be8614170ae91db1626c452997dc6db663d79130872a124af982ee1d457cefba00abd7f5269adce3052403be31238aecc3934c7379d224cb792d519753

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace

Filesize
4KB

MD5
6593d25afdc756df48c3f6e81560152b

SHA1
c9a8f7cae9273022e86ca35469b670b8183f9dca

SHA256
e6509db49d2aede649782e332e09c2bfc2647c9536f1eb25c367e3db2ec43e46

SHA512
0d0c443fec1b2b103c90122d9eec244770df59f950ae6c26250b1f36726f8d3477d331fe755f6757565922f6d721a9c361fcd00cfb126a29abd6388d9ab44ee3

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace

Filesize
8KB

MD5
cc2c67ac7dc16dae4bcf3b4e65c3c9a1

SHA1
59cd0e6f11a2b8be5baf867ed1b52ac067e15f1c

SHA256
dacf49f8df1e025c5f66899c191bfc849cb0e3cbf0387c2cd8320f68eacc40fa

SHA512
7d14b9648c51f7c583a6eca2eae40ed48c0f3f23e9064ed053d3a969c500d2279fa09669756e0824c0c9d03c570f6bcbbe9a42eb7b9d4a158eb2400cace8eb2c

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\service.conf

Filesize
2KB

MD5
266f227d1c6400dd52741915b84bb1df

SHA1
96b2042eaa58f73801e02a8431c0baf33531f42f

SHA256
6e7673ff0c9faf33de3dd1d1ee24a7ba33be227067c85c7ee2a213bb64f21a45

SHA512
8f44cbc32c6dd3d158c868fe31ad256259f7947a5c9b83a6358a5ed137f0e627d99fafda806b61ed38be32cf84f24ddfd2dea9d4e8272aa6d203a6d530fe0ed0

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\service.conf

Filesize
2KB

MD5
4eac542ee3a306dea1b5445926a6e628

SHA1
f9985821b592ad41029658eb2c2de321e48edb7b

SHA256
2909012bfe3ea764b39d175892121564e53a51ea3fc2bead00d0229d873e5024

SHA512
279c7764c457d4cd9bcaec1bd99f5256291997919a97d2612610e9d96c2970e3c4bab8bd292e8ad08eb2c5ef2bf701d387f9b58770d872242737c5f5586230ae

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
701B

MD5
8c1f9155d9e8f4050c018b2aea62a42b

SHA1
85b6f24e83c355e940e73b31567135a3eb4c4268

SHA256
8b06cc964ea4ef6f23a0e452d19911b8bdbddd9392300aa32972f5c450a71b78

SHA512
6bdebeea9022daa3e83a8f01c03ca27254d210affba236781c745cd3645a8961253fe35d05500e7cdecc741ebd51e38fd7038cb9b82e2de233b5d787a170c85e

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
758B

MD5
e4a024223ec6046601278f6e83122a22

SHA1
1d7d43c85a4ce6eff91b50eea88274a944f09957

SHA256
0aac5c0978ca575fadb027261206acb6eaf9392921452517e4bbea14dd6a99c5

SHA512
00d014cd2d72fc7cd5ab324e69331d5dd6c5c3aaf73257ba67d718776efea6e5efb01f14e57c02c464523332946bf5cfe11e6e9b5d78baff74bf7e7ad36f38a2

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
312B

MD5
0c04ad1083dc5c7c45e3ee2cd344ae38

SHA1
f1cf190f8ca93000e56d49732e9e827e2554c46f

SHA256
6452273c017db7cbe0ffc5b109bbf3f8d3282fb91bfa3c5eabc4fb8f1fc98cb0

SHA512
6c414b39bbc1f1f08446c6c6da6f6e1ceb9303bbf183ae279c872d91641ea8d67ec5e5c4e0824da3837eca73ec29fe70e92b72c09458c8ce50fa6f08791d1492

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
424B

MD5
d2b9f034d0367ae8a0a05a3b4b52441e

SHA1
fc55b2b0a42d23eb515de532af8b56f92c023da4

SHA256
163d0aa327fa0dd687fb4e7a85f945773d4afcc02eca82a4fe67d94d06a3827f

SHA512
f33b27c2e38d879976457c3a980afde6d8353e2db3f3a23090aa6a999882c34f0e53b7b42b031a3a4ec82730a7e07cc8daefd999313103ab64f0332ea53150c5

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
424B

MD5
f87f2a4d12b0def86415d3e4857d4848

SHA1
ab53bdcfd79be381ce7b529241a607a304d42a55

SHA256
1949451e5f249bd1bccdfa348cdda0afae2255c463bc365de92c15698190f553

SHA512
5700632070a04316afa4e83e64901e41a8212c7586fe838192a99c049f7f56e3e3ff68f221b3805b3842db4fd4d33eb0dedefe2a98cd64541ed48dc67eec0cdb

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
2KB

MD5
cc1eb0b611c3edf2139ba5fa14b0bc70

SHA1
60f1f68a4cebf8d7057048d523251892347b87f7

SHA256
03bfc8ce5d8ed03cfe07fb6f9ba4a7244d0fe61a5c8a0173a0b1ebf7f310224e

SHA512
e49f4808909cf463c2cbff3a7dc07520f0c64f513312b64291f0f35fd755368260c5b270becb6872dd8b285d8b1ed460e6f346d55726ca1b9c5bf80420d611c3

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
3KB

MD5
4f829e423635b98fe04b06812ec1b900

SHA1
33460cfb69bac3d2563b5d1ee221d970646ccb26

SHA256
305b0cbf5c90e6f00c03dec2c752c57f8927274f647c38b0df7a5638d2699f52

SHA512
063e48c3776767d3506310372971e8f46a6b6e9c6e672e62755490ad9a53af8abfab0fce4d40613d3dbb8dc54222915bfef4ea3b07a24fe82a6f4dfe29da8d22

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
3KB

MD5
431dc24c220be08d421f76bfaf46ad45

SHA1
59d0878cb42c8e9e5a32a396d142bc3597e3efd4

SHA256
e2a117217662a68e753e7c817c1d7a2c64bee36749c8aea636c7573bcb00f77b

SHA512
f40404afaa5b4a60c55c2f33e4ea2fb7f7a4e6f82e514017506415f1ad8f925fdc68a598279bf49aa7206aa83ea3f30aa08a06cbc087e7391ad103e0be0ebe8b

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
3KB

MD5
561dd1fd197c5856f2427a1943566e27

SHA1
7ef97ab318a80da91de63becebc098aaab7a4e7d

SHA256
5513406d57db874391ca11f1439f6c4e3c41e2ae6ff5fcc39a6c1f10ded9c22b

SHA512
5f0b9e7af703684adb4a13eabd33ef9b96e982e4b0b0f1695b93e6b9727d6203314ff1beb22edbf00eb748be2a3a5d586b6a99da1ca97511571484d6a2e7f763

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
3KB

MD5
19d09c6897d394e33fe241403ac01a00

SHA1
f18f7939c73b49c06073aba64ce2eae04cbe01d3

SHA256
07f287f3417da0c1706bb91a5af0204c5ac8b3ff546454b812a12bb93e55a2a1

SHA512
653be5ad22fa0cf302357bcb37ff65b42569c726ea55622afb1df71965f1ccf0a3552bc9cbd40e522cccf52eb03fbd358f9758e141edc7034d35a971025f3190

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
3KB

MD5
148aa7c66d07b4c2d8c24536fddf16fa

SHA1
60348e10bc15773932834e40f7f3bc4ebd9d39d4

SHA256
a256a21d29f6c8a49f1fb1db661ccb8e319bba58e35fbc8625ec2543474d665e

SHA512
493dac5f52da1f29344fdd4e73f2bb14b7072ad7035b55f322483a597025433bac7901c26ab3a34b673ac69d17e4d426465430212c181e0e7b6cdcca7ea5cc9e

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
cf18645c654d5990acb0f750a2d5b0d7

SHA1
196decf5ecb3ce7864553ca715f8d3d5413c7e8f

SHA256
b8f0e9c9a2f533c83b3d67102fd8385a11e3654321437c84d41deba3c8ac6c92

SHA512
c0c4eda6033a8e301c1728aa4e21e620c826e7ffeb8e3c4c617adf46af3f1b6bc8437152ea3ee8273af5838404daf2cdff02b2332e91fb2b12ad8a8e7d4afd75

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
7KB

MD5
115086d41168602b7b1890e0cba5186c

SHA1
3db1e7a889baf788d560f512d5c72163eb494849

SHA256
f0c224bb164a6544b43bb67973d3dd05822fd00f23ffb379f702f563943489b2

SHA512
00d6cd768e4ccc25c5aaf5d094013dc0c6a8a121a74c4410c2a2b0e9a051dcf2dfb6c9a8730c68d67fde699d0ae0573f2fbd2d78df216ea25fb77f3415b4ece4

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
6KB

MD5
23a031c727b48a44220f8a055e0acdcb

SHA1
6ab87ac450405419083bba9f7cc7ea650341dade

SHA256
556eb4b5d8f8c5443ce87708043711d087e20196eb6bf37a20ac38189ed87e49

SHA512
aa04dc185e2b06c67fb42c197a2d0268634d2fde00208fe50397e3f055cf024bd4d145a5f9a9a794acd19a262a10f63343caa98b0751e25a68feee9038d31e9b

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
6KB

MD5
b18312731c8318e15c45315a9b61a3d7

SHA1
64db10f6055aff3af7e2ebbba5c910bc082c239b

SHA256
74374f30f68afb1e06b4389effff44cbb3d88fb1d937545dc6b5d27ccc2e7dd9

SHA512
6cc51220b84d3e62b8e6696425a14d3ded19499541dbac1c0ef01f9ed7e710e801293314cf68a1184a93ae50fb2c0adfc101b194177ea771ede6eeb2f91a3f34

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
7bc576f097032aff425460af687e2421

SHA1
ab04b6d8f7d29ce2ab2c0e1f7b8f9ed8c2966e54

SHA256
b766c299010f12e36446e0fe7940c440bdbd653e4a35e148f6ba915f702f3d70

SHA512
0de87f391dc8b405ff2c6c9d09713d1167479d26d3c9254a4f043ffee44539c2fe71a8f8d9bb53fdf4d90d0768bcf2188e9be1d58160552bd798031da8f1344c

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
ddeb3b2cc4af459153141c4f87c3a08a

SHA1
af5d0745eca642201dd0d77124d09ee32fd308c5

SHA256
a9751cc1aece2764636ef8cb34d0a0e8e6e33f23e1a7ae72df80e1b85695e735

SHA512
58229c66c96d1842be969739d1142ce5d5ff4542a8743c735c2c2a8e9fa584fb34cb9fa46e15cb28f549e7606d5d4348370c55de21854f7f27407897637867d0

Download Submit
memory/524-2-0x0000000000904000-0x0000000001B3A000-memory.dmp

Filesize
18.2MB

Download
memory/524-5-0x0000000000900000-0x0000000002049000-memory.dmp

Filesize
23.3MB

Download
memory/524-0-0x0000000000900000-0x0000000002049000-memory.dmp

Filesize
23.3MB

Download
memory/524-224-0x0000000000900000-0x0000000002049000-memory.dmp

Filesize
23.3MB

Download
memory/524-230-0x0000000000904000-0x0000000001B3A000-memory.dmp

Filesize
18.2MB

Download
memory/1292-12-0x0000000000900000-0x0000000002049000-memory.dmp

Filesize
23.3MB

Download
memory/1292-225-0x0000000000900000-0x0000000002049000-memory.dmp

Filesize
23.3MB

Download
memory/2316-11-0x0000000000900000-0x0000000002049000-memory.dmp

Filesize
23.3MB

Download
memory/2316-226-0x0000000000900000-0x0000000002049000-memory.dmp

Filesize
23.3MB

Download