1cdafbe519f60aaadb4a92e266fff709129f86f0c9ee595c45499c66092e0499

Resubmissions

29-06-2024 16:56

240629-vfpbls1frh 8

29-06-2024 16:55

240629-vfbqhsvbpl 3

29-06-2024 16:54

240629-ve2wbavbnr 3

29-06-2024 16:54

240629-vesmmsvbnn 3

Analysis

max time kernel
1792s
max time network
1794s
platform
windows11-21h2_x64
resource
win11-20240508-en
resource tags

arch:x64arch:x86image:win11-20240508-enlocale:en-usos:windows11-21h2-x64system
submitted
29-06-2024 16:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

AnyDesk.exe
Size

5.1MB
MD5

aee6801792d67607f228be8cec8291f9
SHA1

bf6ba727ff14ca2fddf619f292d56db9d9088066
SHA256

1cdafbe519f60aaadb4a92e266fff709129f86f0c9ee595c45499c66092e0499
SHA512

09d9fc8702ab6fa4fc9323c37bc970b8a7dd180293b0dbf337de726476b0b9515a4f383fa294ba084eccf0698d1e3cb5a39d0ff9ea3ba40c8a56acafce3add4f
SSDEEP

98304:G5WW6KEdJxfpDVOMdq2668yIv1//nvkYCRThGXBJdicotUgwoAo5beyjF:y3vEbxfjf4Y8yofvktkLdurH5iyR

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

AnyDesk.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AnyDesk.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	AnyDesk.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

AnyDesk.exe

pid process

3184 AnyDesk.exe
3184 AnyDesk.exe
Suspicious use of FindShellTrayWindow 3 IoCs

Processes:

AnyDesk.exe

pid process

4360 AnyDesk.exe
4360 AnyDesk.exe
4360 AnyDesk.exe
Suspicious use of SendNotifyMessage 3 IoCs

Processes:

AnyDesk.exe

pid process

4360 AnyDesk.exe
4360 AnyDesk.exe
4360 AnyDesk.exe

pid	process
3184	AnyDesk.exe
3184	AnyDesk.exe

pid	process
4360	AnyDesk.exe
4360	AnyDesk.exe
4360	AnyDesk.exe

pid	process
4360	AnyDesk.exe
4360	AnyDesk.exe
4360	AnyDesk.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

AnyDesk.exe

description	pid	process	target process
PID 3928 wrote to memory of 3184	3928	AnyDesk.exe	AnyDesk.exe
PID 3928 wrote to memory of 3184	3928	AnyDesk.exe	AnyDesk.exe
PID 3928 wrote to memory of 3184	3928	AnyDesk.exe	AnyDesk.exe
PID 3928 wrote to memory of 4360	3928	AnyDesk.exe	AnyDesk.exe
PID 3928 wrote to memory of 4360	3928	AnyDesk.exe	AnyDesk.exe
PID 3928 wrote to memory of 4360	3928	AnyDesk.exe	AnyDesk.exe

C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
"C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe"
1⤵
- Checks processor information in registry
- Suspicious use of WriteProcessMemory
PID:3928

C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
"C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe" --local-service
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:3184

C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
"C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe" --local-control
2⤵
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4360

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Query Registry

T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\gcapi.dll
Filesize
385KB

MD5
1ce7d5a1566c8c449d0f6772a8c27900

SHA1
60854185f6338e1bfc7497fd41aa44c5c00d8f85

SHA256
73170761d6776c0debacfbbc61b6988cb8270a20174bf5c049768a264bb8ffaf

SHA512
7e3411be8614170ae91db1626c452997dc6db663d79130872a124af982ee1d457cefba00abd7f5269adce3052403be31238aecc3934c7379d224cb792d519753

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace
Filesize
5KB

MD5
82387e0a3c44cc3d6a56d50c96f2903a

SHA1
c42ce4f7b87925bbb797fc368fd8c8013dd40761

SHA256
a0f97d08878220eae6e92f1dc3cd3d64c6f5adcd3e5a9cb95f96bdcfaa2510bd

SHA512
cdc26e516b72b414cb1506adf60e4b09a4135faf8f095cd470ade80cec77a21dea65880c8084da7165a3e9f97bdeefec38e4327e207b5d495720433be4fed7d9

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace
Filesize
10KB

MD5
15d0858f2fdf5c8944d5ebeaed358d76

SHA1
97b3f74bbe175d23e6cfa789f8f24a9917ae40ea

SHA256
d53756667fa50834d69298250544338d0fbb0cc96846641ded9ebcd43715d3ce

SHA512
c6fb8f00f785688d295e4ae3596f2d9e388eeb7f681c61bff7ad0268018acf5f59578064626296b286af504fa3573b63da9fa14c8af18e2b03424e22dc35779b

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\service.conf
Filesize
2KB

MD5
099102b762eb266c00039ea1da86bbcd

SHA1
71d2ae9a3b96311670bf3966e28f8071ab681e84

SHA256
4b33104ebe4ba8d1620602f36f61fc5c4005662991200e8c2b27144a46a0de0a

SHA512
f8203b49be8cbc61c2f85fd6b04a27e3111cfda644d9e183dd626368ad69b3e80bf4b8a9b68fb7a21099b5122ca58d08088ce3f70e661241a3b8d51798fa90e2

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\service.conf
Filesize
2KB

MD5
58c36b76a826fbbed995bab9b8c29550

SHA1
11e747086a3cb817d884f115248752acba5a6095

SHA256
d85c5f176f6559ee0f3a9dbb76613cb5ab55f6bf9db1cf16c83a3191019db0bb

SHA512
59a707927955a727a0e120ff6275ca5d0511de6f9c97a6febb44fbe6e4ae844b11e619fc7c90e0c2fb032b75ac551d1aa20edb4c4406e1c0014d7f2dbbcc9dc5

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf
Filesize
701B

MD5
96652ee70e31b785d9152dd962b6c24c

SHA1
9a9f0feb3b2a6019c3fad9c41d882beac99488aa

SHA256
725fc578c8a6759c57269cb081d42f44151bb1ee25dacd002019680cffa59a7f

SHA512
e4805b325025a2a5ea9d4f8a222879231953be108feb5be675754ead8085d9f46af9635d4f02cb788905c40ac2b09d3c423e8b3d9c570ce2e54c52e32df7856a

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf
Filesize
424B

MD5
4c619a3b9054deb58c5328d1473a3a20

SHA1
11d8ca51c0b2b3dc0e6e57754e8d5c00adb515b0

SHA256
14bbb70d3d84e016bcc12c8c7201f216e0eb0cb26b7e17ffc404dee66a6ee07b

SHA512
d0f5925e0f364a2b4a748d67d2206b16492abc6942c6516435e4805886baf0ebb40280858b38f67673dbafb93c5a30eba210430ba47d1d020b6edc62d18fc35d

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf
Filesize
424B

MD5
7b68dd282d64cd8e65c2fc73602c176d

SHA1
bce73d8497ba675b014aaad32d9e632565fd75a7

SHA256
b82d5563a68a9ca2a99311ac9e07dcdbbeb370ff8dd0a97ba99fd565b4dea7fd

SHA512
2b1cbd97df335ff3e35a0a63ca8df79f5714fc2722539e9cbd166272ba5b30cbeb63dc7637f0ea47381bea5ea7394074553a8fe09e1e927c79adb7700d210b6f

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf
Filesize
1KB

MD5
6f97b0467acfd6a02600e6716887dc1a

SHA1
cb571ef559287af5396885418a1c37b83bad2bdc

SHA256
631c9bd66f6bd6a96eeeb03f986e0769c7d57af1a05ecf551dd6ac56f7917e39

SHA512
af929153803d543da7a946bbe0908f2ad4d2ab0ebd1f51f0df74602ce103345b6f21884ff092e50c07dafe7072e55f547fc17e19e747c4b1481330493ead58f4

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf
Filesize
1KB

MD5
1694f36e92a4d066435a5518b973c7b5

SHA1
74f715c1a7989bb762922b13019263801e18388d

SHA256
bf6a4539f01f14a69702f11f66e4c54aa5d2cbdca8dfdee7f6b715657a158688

SHA512
178fd9abcc2400000b75efa98eb1697e588d4aa343cde621d7c114ec0255114ccc85a916b5b32bd13c522d57da7bbafe6720620d7b8fc7abd0752cb6ff0c6301

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf
Filesize
2KB

MD5
25d48471070e4629797554c4ebae463a

SHA1
f3d25f5942c34c9004401200cc00fcf8ef0b2d2a

SHA256
504214cfc711f03bbad8d85df61e7738014c83ba28ba2f2a4506ad0e729d3204

SHA512
78f08eb27a206d546053be06ab0acc0b5c0a967c095a0d0780fa93803898ae865e771d8feb6bf1dfff955794893048df009da3209b5dafeb63b0cbb62c8f4495

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf
Filesize
2KB

MD5
f84313bbe697767610b642531a613b0e

SHA1
6ebca77a5122d8f8b377b3ab0bf529073206128d

SHA256
30095e99205dbdb5c7df9fc07de1f4c19ed73c6d74de745ce57ad0822c8dee27

SHA512
2cc4c5d281156e51a18ccd2b7369cb829f38168335b944c2901f7c52f5f6f18258b86660dde3a195e543f2fbe0a62b4b4bc601d8f5ff7c76560a313a881765fc

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf
Filesize
2KB

MD5
33ec0e88fe71203ba16251b44c523675

SHA1
e599868d20e42c3172045aef79c9d9e0b951fbb1

SHA256
b10335c03bed83b098e2432cdeb3ac005c0e3d2a076646b53a50c627742eed77

SHA512
004fc85665d858a1dc28c58f870614d003424705ba377875c5fdbe0f131c7a74947e008b525db7b633d7ccbdd60ec8a67b4f571effa93cadae99d889328e67e0

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf
Filesize
6KB

MD5
c23d3acf2639cf623ae4c13c34f0e01b

SHA1
b467543265a47ea74ef1750ab465deb3b23738eb

SHA256
4e675fadc369cdda8a8e05ab7a0197c77d549fc8adb1ed20ba794c367d5333ee

SHA512
e56e41e080188c555d616fdfc7031df0e7ff3c0d7f569e07e09d649b05b777d4c9392d87bc800a2604da5bd781e83261ee2ec1bf434e3abbe2be055bb22b803c

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf
Filesize
6KB

MD5
15778d64d7e6f625664a6d1c4b7afaa7

SHA1
2d790011476d78d76c5172fd22ec088422acf813

SHA256
9e304fe7563ce794eba37be76582c926e26783f6d73a5ecadd4d1b422ed19036

SHA512
c1d279e7548d1e43547ce7060b196e9adf045c523b31a66028aabcad0de95e75b17dc899c337b546fe757efa919bfdfc73852511f3a34fb87f6eb507a2aff513

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf
Filesize
1KB

MD5
cc0bd47ff4ed9e26b83c6e8ab95a0fba

SHA1
46ec462262c483c2ee172af5312752f8cb62e219

SHA256
76947004def9d835afcbd484eea3d86fb8469c5832d338c068328f64482422a3

SHA512
9b0e22b4c5bc1a77ddec62bfd03cadbdc13606cb0214c2138d1fd80cc9c9c63a5bc09b9462de58359d6d9a00499d7d41f9a549ec6e62eb880e6cd000f0726fba

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf
Filesize
1KB

MD5
394b52ca54a7724dbb6b6b19aa8eb9e0

SHA1
4cc642747bcc4a07bc02c3b360f84933f677cd2d

SHA256
61d0eb25dc86df59d397d6eff7e93e45babfe1096a915dade8220112d709b434

SHA512
ee103a142d3dcb6bbce900acf5b558354660baf609d974cf1e7100fce0d6f48c4b88823ad4887837d1fdbde38f96543a72e9a7587ec225ff4a0953d9c31aac05

Download Submit
memory/3184-12-0x00000000003F0000-0x0000000001B39000-memory.dmp

Filesize
23.3MB

Download
memory/3184-138-0x00000000003F0000-0x0000000001B39000-memory.dmp

Filesize
23.3MB

Download
memory/3184-395-0x00000000003F0000-0x0000000001B39000-memory.dmp

Filesize
23.3MB

Download
memory/3184-160-0x00000000003F0000-0x0000000001B39000-memory.dmp

Filesize
23.3MB

Download
memory/3184-169-0x00000000003F0000-0x0000000001B39000-memory.dmp

Filesize
23.3MB

Download
memory/3184-177-0x00000000003F0000-0x0000000001B39000-memory.dmp

Filesize
23.3MB

Download
memory/3184-188-0x00000000003F0000-0x0000000001B39000-memory.dmp

Filesize
23.3MB

Download
memory/3184-250-0x00000000003F0000-0x0000000001B39000-memory.dmp

Filesize
23.3MB

Download
memory/3184-88-0x00000000003F0000-0x0000000001B39000-memory.dmp

Filesize
23.3MB

Download
memory/3184-253-0x00000000003F0000-0x0000000001B39000-memory.dmp

Filesize
23.3MB

Download
memory/3184-113-0x00000000003F0000-0x0000000001B39000-memory.dmp

Filesize
23.3MB

Download
memory/3928-134-0x00000000003F4000-0x000000000162A000-memory.dmp

Filesize
18.2MB

Download
memory/3928-87-0x00000000003F0000-0x0000000001B39000-memory.dmp

Filesize
23.3MB

Download
memory/3928-0-0x00000000003F0000-0x0000000001B39000-memory.dmp

Filesize
23.3MB

Download
memory/3928-7-0x00000000003F0000-0x0000000001B39000-memory.dmp

Filesize
23.3MB

Download
memory/3928-2-0x00000000003F4000-0x000000000162A000-memory.dmp

Filesize
18.2MB

Download
memory/3928-394-0x00000000003F0000-0x0000000001B39000-memory.dmp

Filesize
23.3MB

Download
memory/3928-106-0x00000000003F0000-0x0000000001B39000-memory.dmp

Filesize
23.3MB

Download
memory/4360-251-0x00000000003F0000-0x0000000001B39000-memory.dmp

Filesize
23.3MB

Download
memory/4360-396-0x00000000003F0000-0x0000000001B39000-memory.dmp

Filesize
23.3MB

Download
memory/4360-10-0x00000000003F0000-0x0000000001B39000-memory.dmp

Filesize
23.3MB

Download
memory/4360-89-0x00000000003F0000-0x0000000001B39000-memory.dmp

Filesize
23.3MB

Download