fb8fb89b5f56ce2acd9668021a470a18b7898808750800861151e908d5b1a20e

Analysis

max time kernel
144s
max time network
151s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
21/09/2023, 11:35

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

AnyDesk_6.0.8.exe
Size

3.5MB
MD5

e9fb13875b744fa633d1a7a34b0f6a52
SHA1

f0966985745541ba01800aa213509a89a7fdf716
SHA256

fb8fb89b5f56ce2acd9668021a470a18b7898808750800861151e908d5b1a20e
SHA512

c2feda22e23fda47f0b0ede38f5f432a656a5e7598c7a9d3d4e8babf9ff94189b69f4f4a3894c094260c3b72d21888720f60ed7ee2c018c8aced9d754e03e292
SSDEEP

98304:CR2784xuvNza4gtJkiGPGAccN3JyD5qcDinRKs:CRqKvNWZtJkiG+3cik6cD

Score

5^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Control Panel\International\Geo\Nation	AnyDesk_6.0.8.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Control Panel\International\Geo\Nation	AnyDesk_6.0.8.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AnyDesk_6.0.8.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	AnyDesk_6.0.8.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2792	AnyDesk_6.0.8.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
2892	AnyDesk_6.0.8.exe
2892	AnyDesk_6.0.8.exe
2892	AnyDesk_6.0.8.exe

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
2892	AnyDesk_6.0.8.exe
2892	AnyDesk_6.0.8.exe
2892	AnyDesk_6.0.8.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2984 wrote to memory of 2792	2984	AnyDesk_6.0.8.exe	28
PID 2984 wrote to memory of 2792	2984	AnyDesk_6.0.8.exe	28
PID 2984 wrote to memory of 2792	2984	AnyDesk_6.0.8.exe	28
PID 2984 wrote to memory of 2792	2984	AnyDesk_6.0.8.exe	28
PID 2984 wrote to memory of 2892	2984	AnyDesk_6.0.8.exe	29
PID 2984 wrote to memory of 2892	2984	AnyDesk_6.0.8.exe	29
PID 2984 wrote to memory of 2892	2984	AnyDesk_6.0.8.exe	29
PID 2984 wrote to memory of 2892	2984	AnyDesk_6.0.8.exe	29

C:\Users\Admin\AppData\Local\Temp\AnyDesk_6.0.8.exe
"C:\Users\Admin\AppData\Local\Temp\AnyDesk_6.0.8.exe"
1⤵
- Checks processor information in registry
- Suspicious use of WriteProcessMemory
PID:2984
- C:\Users\Admin\AppData\Local\Temp\AnyDesk_6.0.8.exe
  "C:\Users\Admin\AppData\Local\Temp\AnyDesk_6.0.8.exe" --local-service
  2⤵
  - Checks computer location settings
  - Suspicious behavior: EnumeratesProcesses
  PID:2792
- C:\Users\Admin\AppData\Local\Temp\AnyDesk_6.0.8.exe
  "C:\Users\Admin\AppData\Local\Temp\AnyDesk_6.0.8.exe" --local-control
  2⤵
  - Checks computer location settings
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:2892

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\gcapi.dll

Filesize
385KB

MD5
a0dd5d6721be6e1610a8481c0ea9df59

SHA1
7745b16f026fa2540ad26d12c2e73ec0024eaa3a

SHA256
b645ab7b3aa81aa5b0f2b6e031168aad4c5d1989cc3ab0bfb9426647b2f10421

SHA512
44a7b0feb4f7410fad23cec3721e1ed1087533ef9f0f31a590cc2a50223fc7b00098df31ca42ac9cc2135c1152b0637b79061cbd038e0d48bed246e450065e76

Download Submit
C:\Users\Admin\AppData\Local\Temp\gcapi.dll

Filesize
385KB

MD5
a0dd5d6721be6e1610a8481c0ea9df59

SHA1
7745b16f026fa2540ad26d12c2e73ec0024eaa3a

SHA256
b645ab7b3aa81aa5b0f2b6e031168aad4c5d1989cc3ab0bfb9426647b2f10421

SHA512
44a7b0feb4f7410fad23cec3721e1ed1087533ef9f0f31a590cc2a50223fc7b00098df31ca42ac9cc2135c1152b0637b79061cbd038e0d48bed246e450065e76

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace

Filesize
6KB

MD5
0ebc863def49e97d490aaa96e139bbe5

SHA1
7f7a4c7d2da013f3c7142fc8c30baf79ed555392

SHA256
d8fd7edba9cd6daf269902f22bf43a7c85e95b069856656ceb7415d21ae54b68

SHA512
81234c97ebf5189e940ddda71bb895c459eb65ed251f3d120a96c9a28cfd3c62204b2cdd932f2a5cf127cd4e12eae12703342bf25652d7b0257b10df3f902a62

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace

Filesize
6KB

MD5
0ebc863def49e97d490aaa96e139bbe5

SHA1
7f7a4c7d2da013f3c7142fc8c30baf79ed555392

SHA256
d8fd7edba9cd6daf269902f22bf43a7c85e95b069856656ceb7415d21ae54b68

SHA512
81234c97ebf5189e940ddda71bb895c459eb65ed251f3d120a96c9a28cfd3c62204b2cdd932f2a5cf127cd4e12eae12703342bf25652d7b0257b10df3f902a62

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\service.conf

Filesize
2KB

MD5
865d7f4fe4a30831f52eef8aabff9133

SHA1
534316ebebc0263c46d0d0155c54fb19ae52d205

SHA256
d594873744bce0e3032b68e82ee692965281aee96873f02f6f352bb411e9207a

SHA512
d787212222e70221f4c7f6f8578b6988867ec05e2071b7468300e86284e6f7364c3fc1881cfbe52bca5733b0f13dbf73f56fdcd8d70c2e4b576725fd5db1e104

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
327B

MD5
e1b43353684ee8eabe7cdbe4f2eb2d55

SHA1
b2c6a973b101e9cd46fe82cc1b667e3d3c6432a7

SHA256
7db3354ec28a8615a9d79e7e86e525410279f37230a0a01bf20e99cfdf749473

SHA512
f991558cd4cdd0dc5cc1e7f37bec37d620f09ff2e65c251760b861ac69acf56feeee533426bf71dbaff09ed262d8f958da00642d2780ec7a13fb1202f0a90920

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
391B

MD5
6fb235f46e1be7e66000d8e31214d7c9

SHA1
2b1ce5995a0a69c4d82d1f38b8c830311476d199

SHA256
f758dfa1aa8f2e95494a49df9d47097432d163cfe800ac9ea228141cf2ec79d4

SHA512
1100befaa76e645be1af949e044fbd5105a7c0bf093acd272412f77872efa632d244e6b2c2d7d75febbd73399d13c93e74f61a113ef555d7ae276a9cf1761e1e

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
105B

MD5
0c5b81510991ef8fe5d29202c2f17855

SHA1
a480da4af16e3f796412e9a9cb385ac1f0fdb5b9

SHA256
b4a36870508bf98cf2cd3844a77eb1433afa2a6c57aa490533ae169a7bb6464f

SHA512
becb18016591487ea74f4ac1b36500a9f2f18fcf93d03098d74b52585eb97b7383d96e0c8f831acbb8f5f3c7f69e15ebf43d9722a9255d7e7e7c876c3adc4ebe

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
327B

MD5
e1b43353684ee8eabe7cdbe4f2eb2d55

SHA1
b2c6a973b101e9cd46fe82cc1b667e3d3c6432a7

SHA256
7db3354ec28a8615a9d79e7e86e525410279f37230a0a01bf20e99cfdf749473

SHA512
f991558cd4cdd0dc5cc1e7f37bec37d620f09ff2e65c251760b861ac69acf56feeee533426bf71dbaff09ed262d8f958da00642d2780ec7a13fb1202f0a90920

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
107B

MD5
f25e48e1d9e1e1398bc5fbc6885570b8

SHA1
46557c8ebb9236af6c28c9bdd317d1d25749e710

SHA256
0379e6a5dff30a991e0acdb9932cac828eb3e30ca8cc23447a2bc73ae78181db

SHA512
41e61480f5141b6950d7b96f3e4dfcca19bc480e0b11eeebdedaeb266c6e525f41f3d29a3c1c0bf8f17a3c30111d8fba7e269d5fcf84b336bee916e21881acb7

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
205B

MD5
59352c2b0c590c5fd96365d3168d723b

SHA1
53ab571639cc3e3a38032c1095985f7f4278d8fc

SHA256
079db0d18cb8ca55e8653f3d67608c5e445d32e368feb874ed3fa1d797c7c286

SHA512
2d21bcd26ef934095ca5b37aa1e66091547870f5e09c2d203dfd75923d2575f93f1a42f31e4fb7b2423b766984464ed65b048f49519837918de246a892c82828

Download Submit
memory/2792-122-0x0000000001340000-0x00000000020B5000-memory.dmp

Filesize
13.5MB

Download
memory/2792-127-0x0000000001340000-0x00000000020B5000-memory.dmp

Filesize
13.5MB

Download
memory/2792-133-0x0000000001340000-0x00000000020B5000-memory.dmp

Filesize
13.5MB

Download
memory/2792-82-0x0000000001340000-0x00000000020B5000-memory.dmp

Filesize
13.5MB

Download
memory/2792-77-0x0000000001340000-0x00000000020B5000-memory.dmp

Filesize
13.5MB

Download
memory/2792-68-0x0000000001340000-0x00000000020B5000-memory.dmp

Filesize
13.5MB

Download
memory/2792-53-0x0000000001340000-0x00000000020B5000-memory.dmp

Filesize
13.5MB

Download
memory/2792-26-0x0000000001340000-0x00000000020B5000-memory.dmp

Filesize
13.5MB

Download
memory/2792-52-0x0000000001340000-0x00000000020B5000-memory.dmp

Filesize
13.5MB

Download
memory/2892-38-0x0000000001340000-0x00000000020B5000-memory.dmp

Filesize
13.5MB

Download
memory/2892-24-0x0000000001340000-0x00000000020B5000-memory.dmp

Filesize
13.5MB

Download
memory/2892-84-0x0000000000360000-0x0000000000361000-memory.dmp

Filesize
4KB

Download
memory/2892-59-0x0000000001340000-0x00000000020B5000-memory.dmp

Filesize
13.5MB

Download
memory/2984-46-0x0000000001340000-0x00000000020B5000-memory.dmp

Filesize
13.5MB

Download
memory/2984-14-0x0000000001330000-0x0000000001331000-memory.dmp

Filesize
4KB

Download
memory/2984-32-0x0000000004D70000-0x0000000004D71000-memory.dmp

Filesize
4KB

Download
memory/2984-33-0x0000000000DA0000-0x0000000000DA1000-memory.dmp

Filesize
4KB

Download
memory/2984-30-0x0000000004D10000-0x0000000004D11000-memory.dmp

Filesize
4KB

Download
memory/2984-29-0x0000000004BF0000-0x0000000004BF1000-memory.dmp

Filesize
4KB

Download
memory/2984-0-0x0000000001340000-0x00000000020B5000-memory.dmp

Filesize
13.5MB

Download
memory/2984-13-0x0000000000370000-0x0000000000371000-memory.dmp

Filesize
4KB

Download
memory/2984-25-0x0000000004A20000-0x0000000004A21000-memory.dmp

Filesize
4KB

Download
memory/2984-27-0x0000000004B80000-0x0000000004B81000-memory.dmp

Filesize
4KB

Download
memory/2984-23-0x0000000004A10000-0x0000000004A11000-memory.dmp

Filesize
4KB

Download
memory/2984-21-0x0000000004AC0000-0x0000000004AC1000-memory.dmp

Filesize
4KB

Download
memory/2984-22-0x00000000049C0000-0x00000000049C1000-memory.dmp

Filesize
4KB

Download
memory/2984-3-0x0000000000120000-0x0000000000121000-memory.dmp

Filesize
4KB

Download
memory/2984-1-0x0000000001340000-0x00000000020B5000-memory.dmp

Filesize
13.5MB

Download
memory/2984-20-0x0000000004AB0000-0x0000000004AB1000-memory.dmp

Filesize
4KB

Download
memory/2984-19-0x0000000003E70000-0x0000000003E71000-memory.dmp

Filesize
4KB

Download
memory/2984-15-0x0000000000390000-0x0000000000391000-memory.dmp

Filesize
4KB

Download