1cdafbe519f60aaadb4a92e266fff709129f86f0c9ee595c45499c66092e0499

Analysis

max time kernel
1792s
max time network
1800s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
01-07-2024 21:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

AnyDesk.exe
Size

5.1MB
MD5

aee6801792d67607f228be8cec8291f9
SHA1

bf6ba727ff14ca2fddf619f292d56db9d9088066
SHA256

1cdafbe519f60aaadb4a92e266fff709129f86f0c9ee595c45499c66092e0499
SHA512

09d9fc8702ab6fa4fc9323c37bc970b8a7dd180293b0dbf337de726476b0b9515a4f383fa294ba084eccf0698d1e3cb5a39d0ff9ea3ba40c8a56acafce3add4f
SSDEEP

98304:G5WW6KEdJxfpDVOMdq2668yIv1//nvkYCRThGXBJdicotUgwoAo5beyjF:y3vEbxfjf4Y8yofvktkLdurH5iyR

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

AnyDesk.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	AnyDesk.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AnyDesk.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

AnyDesk.exe

pid process

2676 AnyDesk.exe
Suspicious use of FindShellTrayWindow 3 IoCs

Processes:

AnyDesk.exe

pid process

2748 AnyDesk.exe
2748 AnyDesk.exe
2748 AnyDesk.exe
Suspicious use of SendNotifyMessage 3 IoCs

Processes:

AnyDesk.exe

pid process

2748 AnyDesk.exe
2748 AnyDesk.exe
2748 AnyDesk.exe

pid	process
2676	AnyDesk.exe

pid	process
2748	AnyDesk.exe
2748	AnyDesk.exe
2748	AnyDesk.exe

pid	process
2748	AnyDesk.exe
2748	AnyDesk.exe
2748	AnyDesk.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

AnyDesk.exe

description	pid	process	target process
PID 3008 wrote to memory of 2676	3008	AnyDesk.exe	AnyDesk.exe
PID 3008 wrote to memory of 2676	3008	AnyDesk.exe	AnyDesk.exe
PID 3008 wrote to memory of 2676	3008	AnyDesk.exe	AnyDesk.exe
PID 3008 wrote to memory of 2676	3008	AnyDesk.exe	AnyDesk.exe
PID 3008 wrote to memory of 2748	3008	AnyDesk.exe	AnyDesk.exe
PID 3008 wrote to memory of 2748	3008	AnyDesk.exe	AnyDesk.exe
PID 3008 wrote to memory of 2748	3008	AnyDesk.exe	AnyDesk.exe
PID 3008 wrote to memory of 2748	3008	AnyDesk.exe	AnyDesk.exe

C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
"C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe"
1⤵
- Checks processor information in registry
- Suspicious use of WriteProcessMemory
PID:3008

C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
"C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe" --local-service
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:2676

C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
"C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe" --local-control
2⤵
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2748

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Query Registry

T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\gcapi.dll
Filesize
385KB

MD5
1ce7d5a1566c8c449d0f6772a8c27900

SHA1
60854185f6338e1bfc7497fd41aa44c5c00d8f85

SHA256
73170761d6776c0debacfbbc61b6988cb8270a20174bf5c049768a264bb8ffaf

SHA512
7e3411be8614170ae91db1626c452997dc6db663d79130872a124af982ee1d457cefba00abd7f5269adce3052403be31238aecc3934c7379d224cb792d519753

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace
Filesize
9KB

MD5
89527b98e3873a15d014adeddb74e135

SHA1
1d1473aefeb70adc51bc54aa73d72e9e00f35cf0

SHA256
4a83f63b2136d5689f933c98e8ffea808e9e0def380b00db4f20198574e5999b

SHA512
5bc7800779319cf62eae00731e619a2a23e77429134735401a7e06a990be6fb63c8fef1d89bb0aba680fe8e5f9c5c28ffec943eff43fe6bdfa08d8883a08dabc

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace
Filesize
10KB

MD5
df57f8f3429afc0b89569a247f0569e6

SHA1
62197cd65c3df45f791a314c54c0f4b00317b1d1

SHA256
3e548303e52fbb6710752d80a99938a97060c29eed99ecf481bd6582af062f21

SHA512
5d1b50ce6b4155f4b05c6c43790b4d387d1fd566eb38053fc200a10899587db8523022628d58e4c2cd19a347aa9d9341f0850b15d4890338b652ef64c9f0d00f

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\service.conf
Filesize
2KB

MD5
7ab83510fd89f66a57e0184fdebd4fe3

SHA1
bc1658ef6a35d355403f58e4709d5403064a04fd

SHA256
c0450009d199468de28fab3f812a857ccd16382eaa63d33e47fe9c0cc1268b48

SHA512
f0ae2b0cb9476424484881470ef0a4b1a46a248fa10383986b4ad82a94723b66053f644bdbda9c49927e38ad502c7438bc38fbce51699472e3d766de77398b4c

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\service.conf
Filesize
2KB

MD5
a8779512e2a599bad6ad93959b07dded

SHA1
6ce02119396892243746717174728fae378a0024

SHA256
8283fae27abd0bac55cb6ce3b127a3f9f2ea11a12ffb7e6d41e390bb069983cc

SHA512
93295de4d513d67c1e4d536c9bf3c776161631d36ec5712a7130082579ab9f15886d9f397233c3f36dacdceeb445877955bba497a0450d964ec15ceb9287e86d

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf
Filesize
701B

MD5
0c491077180379e578d3606e2b4b3485

SHA1
033d47be10c955658654c206297d1a96855922ff

SHA256
b680195e9756ec7061cec96c16b8c205d9c887435333b88d8929b00f9860a503

SHA512
3c2831271012184cdbf8c69298a40cea2dac8e3dd087cc97806a5c7e9ce3f0c496ab939d2f4924b083f28c90d40336a5fea113e7067b93d3bb214f6d65db48b9

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf
Filesize
758B

MD5
f3a77c80d11254f42e932adcec658ad9

SHA1
21f422a35a6a030b220d9134903b1187076539da

SHA256
ed2dd8c54a157d67ff170e888065df54c0687b7b24de00f80a66a452f2b705b8

SHA512
67cd901ea8ca5e995354a664ef813c0058440eb2dd22fde8dd9183b688507abf0a115a4771f4b26effc1d30fa5fa8f46084d4ac27ca7a3a1aecc3c93ee03115c

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf
Filesize
312B

MD5
0c04ad1083dc5c7c45e3ee2cd344ae38

SHA1
f1cf190f8ca93000e56d49732e9e827e2554c46f

SHA256
6452273c017db7cbe0ffc5b109bbf3f8d3282fb91bfa3c5eabc4fb8f1fc98cb0

SHA512
6c414b39bbc1f1f08446c6c6da6f6e1ceb9303bbf183ae279c872d91641ea8d67ec5e5c4e0824da3837eca73ec29fe70e92b72c09458c8ce50fa6f08791d1492

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf
Filesize
424B

MD5
428c791a5f8b8f310de441dbcf4d3d38

SHA1
87f6597179602f3672ff0c540cd5fe752b450e3a

SHA256
11c002e74d496c83ce8c643a28d335e50d074e99df900a833617b3711b8607d6

SHA512
0a2f56ea8ac421ab1518ef6bbb6b0fda07db4f221cb69ec4bb0ea83e9e19aea2706488d05a70c74430e4b3f80ee9e51b7716f8f64a774d30ebbe45b0d8aa7447

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf
Filesize
1KB

MD5
3e2357c66196673c8c1964f1f84feb1d

SHA1
5790e322fbe767ed34f90193b70e79636faccf66

SHA256
8dfd7d529a7ca762465ae6aaeee6fae425296eb4a3b730fdf84576dc7c072a57

SHA512
cf702663f135f8b9dbe57a73962c00c49e31b9f4c84d85063c84178c5f869111f6a7c3fcfdb8f219eeb9b0a08024348a42c437be4b66cf5ae32ab71bf941ca3b

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf
Filesize
1KB

MD5
456d7334a054014a66eec70056c73c5c

SHA1
ee36e22831cf9baafebe276fdee3d0152fc55c6e

SHA256
7e231621c46d3f6ca65b396a3b92901c0e20d0ca43d84e2748547691a6a48f69

SHA512
1b68e76465fec0c569ecba9e10b9f67f58a9f79a93e419c6b6d253c97f6cc85f9b3ce2a720ef91b775a539f194bdba245d8b896ae8e6aad4df5920280ceae3cc

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf
Filesize
2KB

MD5
4f766aa8ecf300952deb80db5ce37439

SHA1
2f3ab66ecb8f495f21eeee1babbfd25c53573017

SHA256
94a3fb0cb73674ea24ec76eb8ca3996ec012fb39b09795d3c7fc951d7b668e0c

SHA512
cccea2b60baf90eda5b514c21d0b3d3c1a227b88e7d3b3250c83ac66613ce51f46e9333c992275c6444591bbf7bcfc8cca9b5cbc418dc9913ad35e7e7fb4df03

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf
Filesize
2KB

MD5
5f3754d9c1d52f6f9d2d98647bb31b33

SHA1
6a5f965e184265bd41c46f5d2e9b5d5d1ba284c8

SHA256
ea0fd4a90efd4b75653653899a9da204e84362403edadbb545ddf68cb2354d1c

SHA512
9c235445bba2fb3a5a00f9fc78914ae0aebb8590000c7f335867eeb20c969e306c00e5ba8b301fab3991c3392bd046a003652dc2055d1d8fd9d688d1a7a6b8c5

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf
Filesize
3KB

MD5
1959aa48172f7df6392a9a61a348e14f

SHA1
f71da749d45898e1a2dd03c31834f0e658e52e50

SHA256
b5bb255738d3dd9488c96c9c3218bbc89e5aeb0b2314c2e13d29df641260ae0b

SHA512
67c0e8ada138dfd9c13aac446d54dc512d7ab93807ae2aba522fcf7d48308707673ec7eb7c7ebc613aede424fe207722df648174af4ed172f45f3d39cc92fb89

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf
Filesize
6KB

MD5
92d586ddc412c5019217d2a50f78b059

SHA1
6144edfd1fe6755a6d1db6171cb19159d1819f8d

SHA256
7bd1ebab825e6033521d091646fedcba0c9f93f105d4722af8feb0276fe185ab

SHA512
95fe1372bc243cb6f1af07a8b872caa762972268f274b140b2fae54c3270205aef3f30048fe570a0d8298b934522a666d5254b6281474564471fefdef80c4a79

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf
Filesize
6KB

MD5
6f5d39222fa64f7763d27fe174c02796

SHA1
1dc5e0b51caa70ca4fb277ef86ede1a7c564e296

SHA256
7cda3b3a287419a564fecc287b59f405766215c8a40a6b9a0354daafbe89c2e8

SHA512
aa62dc15680c83d1fc0f37b2c3a868fe3cc3b6c7bc469101a6cc8422ed5084fe050cc3cfc89bf9d075e9264d16ef68b1065fe92b4a9650cf7b500c6bbff2906c

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf
Filesize
6KB

MD5
9db55d678c8ac41308c1d3448f437fad

SHA1
a09f4b5a03d469a71e15eb0c994975a11ec1174a

SHA256
43f07cd81494787b204031a8b8e1498856bd12b9b169f1af6cadb6251f6c955b

SHA512
9991c0aa9e67957c998775d9877ace3763f2fb25764a0c1ad3a4ac6e139a7431f7e548f21b225d43aafd0cdf3ae391c05d100cdc5cd4058bbdb5ede1ba26c393

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf
Filesize
6KB

MD5
393cf37122c0bf97f4cffcb462db1a14

SHA1
80a1a8b8a827c435b506b4bc2b92c68414e16937

SHA256
00569006c1593727ad22137ce6839fd623bb16ca0283c774d585a86611cc2cd6

SHA512
ed4ad7566fe59efc649bd88054105b91d1bbd26756122c0cce152dd0eda38b120cda472030fff0d128508a6112d608e95297d60551f03a8b130b9ba367e96aeb

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf
Filesize
1KB

MD5
40d56a8b274884d99928ebad94333c24

SHA1
37e001b0b3cee9722d5fe20689f011d570bb9f2a

SHA256
71941963cec331578831cbac147a4c2de4da90552776cc8c4fe42bf07b4c3e30

SHA512
efd05682d2318aec037eccd18262a0c0a524a7f489dbf90b47d2ba180e39ede9d42eb84e8bf1e17777de1f882db15e23c54374010eba1fbea3b05fb0be64a8d7

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf
Filesize
1KB

MD5
b2637b9bb84dd90bf41c735365461459

SHA1
86d6cb32bb990a7a7db6486295c016599abd43c9

SHA256
9178c9f5f6284eba431438c1bc40e45245c4ced8e67f85e324f4239dd774b287

SHA512
395bcc612318e5f26668997a0bed43d8c0251d2de1562c94bfc3cf53488312b467931b2729fb9138b6323f01ba8c5fcaa76012548da39f215f027a7bdced981d

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf
Filesize
1KB

MD5
0ecd4f335fdfbc4f9057e3bfd1fed7d2

SHA1
bbdbfc0969574890362a6b34a3ceff646afd1ad9

SHA256
6e96a2e99950e331bf4d2044e98a01f9b384e8da091d9e7d0a15ed83d2cda03d

SHA512
20ca559c1629fef2846dfe00165cf8c557156d2de4d41ba71eebe02224d2962bca613edac6ffaa67c7bd605fc2c56cf9634dcc2e4c04532485c441752b29458d

Download Submit
memory/2676-12-0x0000000000130000-0x0000000001879000-memory.dmp

Filesize
23.3MB

Download
memory/2676-260-0x0000000000130000-0x0000000001879000-memory.dmp

Filesize
23.3MB

Download
memory/2748-10-0x0000000000130000-0x0000000001879000-memory.dmp

Filesize
23.3MB

Download
memory/2748-261-0x0000000000130000-0x0000000001879000-memory.dmp

Filesize
23.3MB

Download
memory/3008-5-0x0000000000130000-0x0000000001879000-memory.dmp

Filesize
23.3MB

Download
memory/3008-2-0x0000000000134000-0x000000000136A000-memory.dmp

Filesize
18.2MB

Download
memory/3008-0-0x0000000000130000-0x0000000001879000-memory.dmp

Filesize
23.3MB

Download
memory/3008-259-0x0000000000130000-0x0000000001879000-memory.dmp

Filesize
23.3MB

Download
memory/3008-265-0x0000000000134000-0x000000000136A000-memory.dmp

Filesize
18.2MB

Download