1cdafbe519f60aaadb4a92e266fff709129f86f0c9ee595c45499c66092e0499

Analysis

max time kernel
1793s
max time network
1810s
platform
windows10-2004_x64
resource
win10v2004-20240704-en
resource tags

arch:x64arch:x86image:win10v2004-20240704-enlocale:en-usos:windows10-2004-x64system
submitted
06/07/2024, 00:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

AnyDesk.exe
Size

5.1MB
MD5

aee6801792d67607f228be8cec8291f9
SHA1

bf6ba727ff14ca2fddf619f292d56db9d9088066
SHA256

1cdafbe519f60aaadb4a92e266fff709129f86f0c9ee595c45499c66092e0499
SHA512

09d9fc8702ab6fa4fc9323c37bc970b8a7dd180293b0dbf337de726476b0b9515a4f383fa294ba084eccf0698d1e3cb5a39d0ff9ea3ba40c8a56acafce3add4f
SSDEEP

98304:G5WW6KEdJxfpDVOMdq2668yIv1//nvkYCRThGXBJdicotUgwoAo5beyjF:y3vEbxfjf4Y8yofvktkLdurH5iyR

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AnyDesk.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	AnyDesk.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4100	AnyDesk.exe
4100	AnyDesk.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
2992	AnyDesk.exe
2992	AnyDesk.exe
2992	AnyDesk.exe

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
2992	AnyDesk.exe
2992	AnyDesk.exe
2992	AnyDesk.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 5116 wrote to memory of 4100	5116	AnyDesk.exe	84
PID 5116 wrote to memory of 4100	5116	AnyDesk.exe	84
PID 5116 wrote to memory of 4100	5116	AnyDesk.exe	84
PID 5116 wrote to memory of 2992	5116	AnyDesk.exe	85
PID 5116 wrote to memory of 2992	5116	AnyDesk.exe	85
PID 5116 wrote to memory of 2992	5116	AnyDesk.exe	85

C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
"C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe"
1⤵
- Checks processor information in registry
- Suspicious use of WriteProcessMemory
PID:5116
- C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
  "C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe" --local-service
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4100
- C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
  "C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe" --local-control
  2⤵
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:2992

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\gcapi.dll

Filesize
385KB

MD5
1ce7d5a1566c8c449d0f6772a8c27900

SHA1
60854185f6338e1bfc7497fd41aa44c5c00d8f85

SHA256
73170761d6776c0debacfbbc61b6988cb8270a20174bf5c049768a264bb8ffaf

SHA512
7e3411be8614170ae91db1626c452997dc6db663d79130872a124af982ee1d457cefba00abd7f5269adce3052403be31238aecc3934c7379d224cb792d519753

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace

Filesize
6KB

MD5
5d3647d185e7232c3e26e65ccd1e97d0

SHA1
6455b2c9c55ff745ea14e6bdc1c399f65cc52d17

SHA256
b6e2f7275d128ee75d12175bcce3ce81ea930ba901f9d3cc14d5dd394418a2a6

SHA512
292fa0592350df46685c6d17c0dbb02cbbe7e22e8e857f23a38144c1139142066db4ccc6dde1ebc25a30422ab08b14e4369b6d1c3c39e6853ec61b14d3cefdb9

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace

Filesize
9KB

MD5
0749e38f985f7a40f1b180648f078254

SHA1
132262cd40593c5d96fdfc0eb8e9832414d8c506

SHA256
1d5cf915b66a5e2e800e39096907c629fa345936b64c5cf12809fc733aa168ed

SHA512
303d73020ae73b919ac72934164bc4c732dc1808985446b6030598bbf506a95f517f4b406707610c5d95f475222d6c1da8ca70d39fa23bca5454046471c8d9f3

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\service.conf

Filesize
2KB

MD5
62398de2ec5dd64377024884e4ed2668

SHA1
70a74e051e21fcc3abaa8e45870bc98cfb7c797e

SHA256
7172c1e4df67af51b512f65aec9c49fbc5d951bdf0fdad8f5307982c5c8b7feb

SHA512
1640f3b16cff1ef357f70a3f0168f3304d23fbe43a73bb2c89ae4de076f29ddc13f745003f67361aebeb9dd74aa147e1adfec3496d786d9f5d2e5b4b78b65260

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\service.conf

Filesize
2KB

MD5
3f3cfbd0b7695f3feca96fa18c926fed

SHA1
7469906cf459c8b25ece18d8364391901db7e463

SHA256
e861ba4290cb989838bd431eff0413914295dbaf31526f6d582fb1e6ed1e5c83

SHA512
a28375afd9b9d3b75e4523c4d366cc8da05c80a8669fa7807eadde858ed8e605c6e73d8a9f2c0d98ebeb5a2baab66992f9c3dae49296c2aa14d9b09aff38dc4e

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
632B

MD5
841a411ba4a43288e80d02517fb13d67

SHA1
77e6bc684c8fd258aa1d5c87caa40e6ec23ef07c

SHA256
7842cca65af44dabb7748a14dd4f45bf4160b653d4bbfd2c7d42c80e156353c8

SHA512
611b361659c3282eaebf345c006b9e2cb1836f638582f08968aa24c19851b696487ed0c72d10fd5aed391935496c50752f17b7cdf39cf9277c353ba05148869a

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
689B

MD5
e55200010bb98a2c9eee60e6bc1f2201

SHA1
cf2aec3c3065c2255931a0619e165fe00e9fc387

SHA256
b6f2cbe3d1de8ce7dc7fea4252a10d7a91dddcff1589c96fa468b08c46bf34c5

SHA512
c7188b06b68f16bb102e475fa7de396e3c6fa43649fe56af8736ced69eb7241b581593514b09163c6574fc80432b8d11950510a372c3f4e98b23e9ee4cef7972

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
758B

MD5
2cb1f3c81dbc9f9ca4b2488c86fc3d41

SHA1
c199d46a1df3068b946b71be242607fe04037749

SHA256
b6bfe8f79156bca1796e50e6e0626d2667725624d4e09fd221309ec343b44662

SHA512
5688ba5cf3ea9023f3d2231c3ccaffac1767a7028f5c87cb9a955205085a0edf8f61106d716ca61c41dae6adc2daca6baf31f5016eb1d9a3eea922737b7cdc96

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
312B

MD5
0c04ad1083dc5c7c45e3ee2cd344ae38

SHA1
f1cf190f8ca93000e56d49732e9e827e2554c46f

SHA256
6452273c017db7cbe0ffc5b109bbf3f8d3282fb91bfa3c5eabc4fb8f1fc98cb0

SHA512
6c414b39bbc1f1f08446c6c6da6f6e1ceb9303bbf183ae279c872d91641ea8d67ec5e5c4e0824da3837eca73ec29fe70e92b72c09458c8ce50fa6f08791d1492

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
424B

MD5
a3c8350fa0efc9c48a001f9eff5d99c5

SHA1
134d418a957847a1bf6f393f9125517dd5b259f1

SHA256
715402c92e48f07e487e6be776d3a5d1c52718d5355f2d361e951b2d5fdabbbf

SHA512
cc83371a5b942f4c47f0b64fc19c903c6ce5a8d89270089344ca959e63d586d6d17d27b8283623860ed3b5a45a0a35f04af5d3cbbdd7738f58cd79ae03dce311

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
424B

MD5
570e780909f4b98786f71ea68c335646

SHA1
95705dbf0d780e000fc0ebd57f460ec8c211ef42

SHA256
108926fa021ff92d046b98517a62c352be6492052ceab9de06bc1c74e8ef3ec5

SHA512
18f0fa1d38c2f4800bb3458bac235fd124552385ab53af121769d09791b4714ff6bb5cd4e8fa01e7183f14ba69711092175ed436c35c3c3188dd9b71531abbb7

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
ff29fe295cdb8c6751c594d4cfea47a3

SHA1
2763de7a3e7096e412a04a239bf8a1f949731c3f

SHA256
e33b79141bef2398a48953c764ec9769347a17717349c516c845917828dc6962

SHA512
cf849912b088c102467ec6cc5c49497552dce828b881e204e23f43f69b0b006d2da812a54ae4d359d87ad67492f1ae1357a13cc13a3da205fce516c0e24880ed

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
7KB

MD5
6eccd0f2121c30da65464946e2c8d8fc

SHA1
c242682c780c9eb73b30b50b41f74416fa07afcb

SHA256
50fc58c2cb53077b17743e681206478a60b9b1cebf9fb79a4ab054b16d7e67ae

SHA512
a1a69f4bdc1ed83d5a742df4b84a20489d7f5a59dbb525001e2a11fa7bb1bf8ff2782dfcfa4f8adc95b266af3425ba66c717e6b7a4a98187bdd5e1ea9224d218

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
7KB

MD5
f879745e35e8976b2a8b506a2a23f879

SHA1
435d7b10b22949a1cabdb184bfda19bc99c45879

SHA256
b6b176a2728f4e770bf24ef214aed4982cab303a14b255199875a7357373e163

SHA512
57240315ed2edd1eb3a9026458701c1959e17ee8610be9a172eb46c53ddcdc5b8a151e24dc453f4aa6bf8fb9aa2614f264aae2e0fcf0e8387249748dbb236487

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
303364713b87c3b7b4f9a29d8e76856a

SHA1
7dc1e898051ed7f5ece508b02e821a0e0de40a28

SHA256
649cee1f8bb42160002f972f8245299e0a2d53e8063693af2a7b69f50e10d5a6

SHA512
50069e7dfbfe524142d41d8cea1593d0954f459ad080ffe8f81f5b0a7893c7816211a49515833266a44a2ac34fb947a8d7f3dcbed01472e6fb87f055d1ab9b8a

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
07f2c51b7c7107064cac7f6f4060813a

SHA1
dee3bc958fcf962629b62abb5560bb2c319158f3

SHA256
ced5a9ac326bd623d64148709dcf35d185338bd208348464296ff65a9cc8ebd1

SHA512
816f2ab4d22580841181a2f04667fbdb75764b9c92c1886136078f46e42a2eb9edff5aafb70bdfa5195614d54fdef85483899e8711fa74b7b8a593cce27a111f

Download Submit
memory/2992-17-0x0000000000E30000-0x0000000002579000-memory.dmp

Filesize
23.3MB

Download
memory/2992-236-0x0000000000E30000-0x0000000002579000-memory.dmp

Filesize
23.3MB

Download
memory/4100-19-0x0000000000E30000-0x0000000002579000-memory.dmp

Filesize
23.3MB

Download
memory/4100-235-0x0000000000E30000-0x0000000002579000-memory.dmp

Filesize
23.3MB

Download
memory/5116-104-0x0000000000E30000-0x0000000002579000-memory.dmp

Filesize
23.3MB

Download
memory/5116-0-0x0000000000E34000-0x000000000206A000-memory.dmp

Filesize
18.2MB

Download
memory/5116-16-0x0000000000E30000-0x0000000002579000-memory.dmp

Filesize
23.3MB

Download
memory/5116-4-0x0000000000E30000-0x0000000002579000-memory.dmp

Filesize
23.3MB

Download
memory/5116-1-0x0000000000E30000-0x0000000002579000-memory.dmp

Filesize
23.3MB

Download
memory/5116-233-0x0000000000E30000-0x0000000002579000-memory.dmp

Filesize
23.3MB

Download
memory/5116-240-0x0000000000E34000-0x000000000206A000-memory.dmp

Filesize
18.2MB

Download