1cdafbe519f60aaadb4a92e266fff709129f86f0c9ee595c45499c66092e0499

Analysis

max time kernel
1791s
max time network
1798s
platform
windows10-2004_x64
resource
win10v2004-20240704-en
resource tags

arch:x64arch:x86image:win10v2004-20240704-enlocale:en-usos:windows10-2004-x64system
submitted
07-07-2024 09:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

AnyDesk.exe
Size

5.1MB
MD5

aee6801792d67607f228be8cec8291f9
SHA1

bf6ba727ff14ca2fddf619f292d56db9d9088066
SHA256

1cdafbe519f60aaadb4a92e266fff709129f86f0c9ee595c45499c66092e0499
SHA512

09d9fc8702ab6fa4fc9323c37bc970b8a7dd180293b0dbf337de726476b0b9515a4f383fa294ba084eccf0698d1e3cb5a39d0ff9ea3ba40c8a56acafce3add4f
SSDEEP

98304:G5WW6KEdJxfpDVOMdq2668yIv1//nvkYCRThGXBJdicotUgwoAo5beyjF:y3vEbxfjf4Y8yofvktkLdurH5iyR

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

AnyDesk.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AnyDesk.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	AnyDesk.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

AnyDesk.exe

pid process

3676 AnyDesk.exe
3676 AnyDesk.exe
Suspicious use of FindShellTrayWindow 3 IoCs

Processes:

AnyDesk.exe

pid process

372 AnyDesk.exe
372 AnyDesk.exe
372 AnyDesk.exe
Suspicious use of SendNotifyMessage 3 IoCs

Processes:

AnyDesk.exe

pid process

372 AnyDesk.exe
372 AnyDesk.exe
372 AnyDesk.exe

pid	process
3676	AnyDesk.exe
3676	AnyDesk.exe

pid	process
372	AnyDesk.exe
372	AnyDesk.exe
372	AnyDesk.exe

pid	process
372	AnyDesk.exe
372	AnyDesk.exe
372	AnyDesk.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

AnyDesk.exe

description	pid	process	target process
PID 4472 wrote to memory of 3676	4472	AnyDesk.exe	AnyDesk.exe
PID 4472 wrote to memory of 3676	4472	AnyDesk.exe	AnyDesk.exe
PID 4472 wrote to memory of 3676	4472	AnyDesk.exe	AnyDesk.exe
PID 4472 wrote to memory of 372	4472	AnyDesk.exe	AnyDesk.exe
PID 4472 wrote to memory of 372	4472	AnyDesk.exe	AnyDesk.exe
PID 4472 wrote to memory of 372	4472	AnyDesk.exe	AnyDesk.exe

C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
"C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe"
1⤵
- Checks processor information in registry
- Suspicious use of WriteProcessMemory
PID:4472
- C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
  "C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe" --local-service
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3676
- C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
  "C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe" --local-control
  2⤵
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:372

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\gcapi.dll

Filesize
385KB

MD5
1ce7d5a1566c8c449d0f6772a8c27900

SHA1
60854185f6338e1bfc7497fd41aa44c5c00d8f85

SHA256
73170761d6776c0debacfbbc61b6988cb8270a20174bf5c049768a264bb8ffaf

SHA512
7e3411be8614170ae91db1626c452997dc6db663d79130872a124af982ee1d457cefba00abd7f5269adce3052403be31238aecc3934c7379d224cb792d519753

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace

Filesize
5KB

MD5
b6eb67f9c1041c8c6bd8a8c273169a26

SHA1
35fb7279db400baae50d3dac0288ebf15b7f62be

SHA256
3091a2d85d62b6d1570d6ebe955e5999b0df148f7a400944e517ca1f878d9054

SHA512
a09dbb7ab5f80dd3ae5db7e4a4cca92ee0816f20110b0cf903258304910adecbcd8f6354dc2ff09520d1e6d00be50ac95f25949083e5b4097c0d4bebbd308f40

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace

Filesize
8KB

MD5
303cd71855777796c948167391335ac1

SHA1
a6547a83ee47fffa90ca36aa4111a26a376eac1f

SHA256
7822250bef7cfd4bcee3ccce080ad76a090c0538ec4371614974dbdb38434bc6

SHA512
071963093fb3bbc04d9ae9813fbb89bfd3e48ca5209684737df32dbf686f3c8bd4862b22cf21d1b1a0bef47fd0969c9a27d30b81ffb92da495c12d066555a2ec

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\service.conf

Filesize
2KB

MD5
a14a430589fb42ac13dfddfe931a55f0

SHA1
83a0b180099f13e19de2c5b64812e584d38abada

SHA256
5c04e929e427851ecbc0e8111f8697a107d229e7f6573e03639d03b9000d175d

SHA512
5d5c44a6b25db1203dc204a23d70ba69233694365e4a2c4352a44a93aa6c564d9e9c8f2a5b955f63116df2b63c295f9fa5e67495468839be2410df7a638db7df

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\service.conf

Filesize
2KB

MD5
4810383ee7214500cbdeef0c0ba0ec32

SHA1
2800e86873f88b380cebde18f53893c1959b99b0

SHA256
7ed9df976c2227c2c12527e3d0e84ba93c15da4fe8ca7a16b1e7c2152a19ce4e

SHA512
9fd4e5c7265aaafbb3716d374ac074662b3ed9595bbe2189cef211ac7ac0fa20f724fdd494aff101e2e3777a0dd79b1daee8a60cf7035d7f2e5a31a846a2b319

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
632B

MD5
e56873dd95902357f56536af192f9f97

SHA1
44c86a4bf5eaef19fe5751d364803134a0ec98d3

SHA256
065cdb91caaa20bbccf563f81a1258a6e12d62bd3a8e7914d890d646eae85743

SHA512
babd8c62c0f85d7b3fae4c7930f22e286c1b7c1b89c3648e1fcc86a3dc1cd12c7a26eb476c7b41168a6129e7604ef81f969979ca3ba272afe82e5b3f1242392c

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
689B

MD5
660d31054fc3c11d78224189fe6f3778

SHA1
95435b719910b694e4c05e54e6b08afcd75fdd39

SHA256
98d79578836649081442a37b8cf25d9d9ae5e7f8508ea3fa91ed4d4e4ade6360

SHA512
867524ec7681c31e32a7aeec9a4cf5c21719fefbece05854efd4025b4bed8fb5cc30033b854f958a0ede7dc29223bceb740bdb36379ec8e3eb06f2f356561590

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
758B

MD5
1a58037a66ddca79ff9c75ab6819549b

SHA1
85dbe56a2a25131f6207be5e965d51af0be181d9

SHA256
9dde7d217e0d9843715e868dfc3aab36fa4d9aea8e6f6e7bced667c6276049c0

SHA512
09a9f107bf9b6845cfd4ba96750ec9768f96069221cf394634b82f4b5d4f6713e6bd1179db52a78ca36d51fbb7f3ca6b6b83b03dc99b3301409329fac0c2070c

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
312B

MD5
0c04ad1083dc5c7c45e3ee2cd344ae38

SHA1
f1cf190f8ca93000e56d49732e9e827e2554c46f

SHA256
6452273c017db7cbe0ffc5b109bbf3f8d3282fb91bfa3c5eabc4fb8f1fc98cb0

SHA512
6c414b39bbc1f1f08446c6c6da6f6e1ceb9303bbf183ae279c872d91641ea8d67ec5e5c4e0824da3837eca73ec29fe70e92b72c09458c8ce50fa6f08791d1492

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
424B

MD5
dd8eff5adcf00ea494f41586651188ad

SHA1
a4933575c34cc3a923bd7002843e619a6b0eb58b

SHA256
00f8fcc5532d12bf6dc8628d7833684f32fcd46a7c78c5363cc18b80cc2a5120

SHA512
2e53060838ae9e785c802e417a7448d88e03701fb43c3d9e40335a493a9fbfd35c7b45c83a0c9c30340b6e05d4da172ef82adb27fc372461c9cf01f7fa763fdb

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
424B

MD5
4f5a53271865f81ad6e218e46f266011

SHA1
576d478255421220c213eb846f0ff11697f83edb

SHA256
8d364efe984c741aaf413dd29ec6cabdfcfd59aa5fa33fa492382a7303e2bb23

SHA512
b0326c5ac724667846f97a1c240006da853cc684430c28ed0c4a6d6d053bb63d948f2468bf9fff182ec45bd20c2a915e8ca0b87ea6034619978bf9799db657f9

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
7KB

MD5
ef1fb408c954169c7b0e88745bebdb1e

SHA1
3d72f1bd7e40e5883429d740e18552283ac8a784

SHA256
87f6109a20fd6cd52ef2929efb393553af3e2402f4c0889375d6759c1dfb9c54

SHA512
656045665cd27760712efdd1a8db7e586d379dab2de3d43d4853d676cc71ff82c5275ec55b55f2fc24c97481e74aacd54aa3a1f13799f070f722a2909338bedc

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
2KB

MD5
ffba5d86c0529a40e4e306ebc83db60c

SHA1
b0fb6daefcf6cf380cadc85d05470b729af38c9f

SHA256
bb5ee3c52c8292ed9e13a06c5d820e0f83d187d475233bcc3f0c6f6c22e8b54d

SHA512
310e7f386f37011ef610b482c543bdc2eec04a106128f17fa170d6d4f06862338d625cf74d42413e2ee8ae95eeb94ec32ba74e43e230d0b0905d870a4f9518e5

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
7KB

MD5
2a0819c08db9288896cac6b1ac7f522a

SHA1
008decf8488d8c0249760a9f457a8963f8f3f9bb

SHA256
0ab5c0655b28ea16e69e0834be7310769f9f45006aaf366c4120850ae2bd3fec

SHA512
00e57cd5f35e5fb559fea71a2c0e365ad9bee100054e733e735b8f916ee9c6df34e3811f0ec3bb6d35c7719c31f78564cb8851bb53c2cdd15be0fed1c039c24b

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
914544c8cfc8e4dc851f3d618d62d41a

SHA1
55ad7ce1ea7f31f4c952c290e4daa2a3f1bc76d8

SHA256
9e2dde7f10a1839fe924a5b5cf1a1a6a22901b8d5c718b35950295c4aabeef74

SHA512
3189789eef4864b66bc7cb873b5a62853df4454a0d0318563373814aa0180dae88e2bd2cdd02d1e73d53af00752b003fe4421efe276c41c70175f8a4ed00251f

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
7KB

MD5
434bcd958004341fac9d254e03701890

SHA1
30754c0144bb9ad2d9865087e6a4892324714894

SHA256
4360c23a58ee236d16c2b11b03094f5df9fe96749a23d614e8e87a4c3ff8118e

SHA512
3b8a3f0e1d7dc6976ad7d34655780dd07867f86b3642781ebdd80bf97ed94c6e973367fefea10ed19453da7fb240fd830088545019acb3e0507eed16c484e397

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
ba29692b9cc037c369811989d0b85aa2

SHA1
391f46155b3581a5b2af912c2b2546f4c97fc693

SHA256
ea7b0875ae8a3415f9c1df5fe80c8d04d0b5dd8528bcb33d11e7f0720a719fb3

SHA512
909b449b23ddbbff5828dc0d5ca2a6e41d4742b055cfb24f8d3aa61daa72649c12afba90ff454ffd1c4a3c5028901dc16fcaa9588fbe817bb2137c1481faf8be

Download Submit
memory/372-25-0x0000000000C30000-0x0000000002379000-memory.dmp

Filesize
23.3MB

Download
memory/372-10-0x0000000000C30000-0x0000000002379000-memory.dmp

Filesize
23.3MB

Download
memory/372-250-0x0000000000C30000-0x0000000002379000-memory.dmp

Filesize
23.3MB

Download
memory/3676-19-0x0000000000C30000-0x0000000002379000-memory.dmp

Filesize
23.3MB

Download
memory/3676-249-0x0000000000C30000-0x0000000002379000-memory.dmp

Filesize
23.3MB

Download
memory/4472-11-0x0000000000C30000-0x0000000002379000-memory.dmp

Filesize
23.3MB

Download
memory/4472-0-0x0000000000C34000-0x0000000001E6A000-memory.dmp

Filesize
18.2MB

Download
memory/4472-4-0x0000000000C30000-0x0000000002379000-memory.dmp

Filesize
23.3MB

Download
memory/4472-1-0x0000000000C30000-0x0000000002379000-memory.dmp

Filesize
23.3MB

Download
memory/4472-248-0x0000000000C30000-0x0000000002379000-memory.dmp

Filesize
23.3MB

Download
memory/4472-257-0x0000000000C34000-0x0000000001E6A000-memory.dmp

Filesize
18.2MB

Download