e55752ce0e4bdc9426430bf580efd1559864d24c3c0f118d58ff513e6d618fd1

Analysis

max time kernel
148s
max time network
149s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
07/07/2024, 03:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bin/debug/AnyDesk.exe
Size

5.1MB
MD5

aee6801792d67607f228be8cec8291f9
SHA1

bf6ba727ff14ca2fddf619f292d56db9d9088066
SHA256

1cdafbe519f60aaadb4a92e266fff709129f86f0c9ee595c45499c66092e0499
SHA512

09d9fc8702ab6fa4fc9323c37bc970b8a7dd180293b0dbf337de726476b0b9515a4f383fa294ba084eccf0698d1e3cb5a39d0ff9ea3ba40c8a56acafce3add4f
SSDEEP

98304:G5WW6KEdJxfpDVOMdq2668yIv1//nvkYCRThGXBJdicotUgwoAo5beyjF:y3vEbxfjf4Y8yofvktkLdurH5iyR

Score

5^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Control Panel\International\Geo\Nation	AnyDesk.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Control Panel\International\Geo\Nation	AnyDesk.exe

Loads dropped DLL 2 IoCs

pid	Process
2740	AnyDesk.exe
2736	AnyDesk.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AnyDesk.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	AnyDesk.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2736	AnyDesk.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
2740	AnyDesk.exe
2740	AnyDesk.exe
2740	AnyDesk.exe

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
2740	AnyDesk.exe
2740	AnyDesk.exe
2740	AnyDesk.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2436 wrote to memory of 2736	2436	AnyDesk.exe	30
PID 2436 wrote to memory of 2736	2436	AnyDesk.exe	30
PID 2436 wrote to memory of 2736	2436	AnyDesk.exe	30
PID 2436 wrote to memory of 2736	2436	AnyDesk.exe	30
PID 2436 wrote to memory of 2740	2436	AnyDesk.exe	31
PID 2436 wrote to memory of 2740	2436	AnyDesk.exe	31
PID 2436 wrote to memory of 2740	2436	AnyDesk.exe	31
PID 2436 wrote to memory of 2740	2436	AnyDesk.exe	31

C:\Users\Admin\AppData\Local\Temp\bin\debug\AnyDesk.exe
"C:\Users\Admin\AppData\Local\Temp\bin\debug\AnyDesk.exe"
1⤵
- Checks processor information in registry
- Suspicious use of WriteProcessMemory
PID:2436
- C:\Users\Admin\AppData\Local\Temp\bin\debug\AnyDesk.exe
  "C:\Users\Admin\AppData\Local\Temp\bin\debug\AnyDesk.exe" --local-service
  2⤵
  - Checks computer location settings
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  PID:2736
- C:\Users\Admin\AppData\Local\Temp\bin\debug\AnyDesk.exe
  "C:\Users\Admin\AppData\Local\Temp\bin\debug\AnyDesk.exe" --local-control
  2⤵
  - Checks computer location settings
  - Loads dropped DLL
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:2740

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace

Filesize
9KB

MD5
7943cff491d8ec50dce922431b3ed38b

SHA1
12d2f34c05ce46d6eef0dec433e0184f5d979651

SHA256
aa411cb2fc39c85c8a0f6e789d3ca8ed4a85453521e4718a63ddc198d79d8625

SHA512
86f8f8980a42995447f61389f917a48c5c4e1613d21de775d66b843cf12ea74ebdbc6f4e684597fa749b885370cce4ccd092f9600e7e9e881456f19c753f9dfe

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\service.conf

Filesize
2KB

MD5
8d56874defedf514958cb37674c74915

SHA1
dd22186040546e1a542e1887a0613fa7127c7f98

SHA256
a5058b629d827dd54249e389fd4e3dd15c1299fc0139a3a111970d7c1e7cdf27

SHA512
1b791e6eb95364a7e1e399b34ca7a7c94b5d53bac2b7d7e0f527a2dab34279aa42ae67347c25e5bb003eeac6bf2e68bff43363119052ed64c34ea45b7ddb406e

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\service.conf

Filesize
2KB

MD5
902f2ade8192cc590be8e94143aa3c5a

SHA1
daee45176e747aedb20b3117751fd5a5f361060b

SHA256
a73569da40c3cb8792eaed9f8e481f1978cd2391ef0d401d12ce7f28d663595f

SHA512
d4e2b50d31c0694b49355756e2275e317639d735680e63320aeb33d4f7847a97fbd83b98db6ab8ce11533f6b4a53cb9b2946cbb4942ce598d5e760d29858adcc

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
632B

MD5
268f61b928154c4cffc1367d75a8f59e

SHA1
ca46406f5d7fecd8af237d146923932abb1ffc35

SHA256
8e8ddea00e16557f3c67532f3d443e938a6e92465a354aa4f69d19724197621d

SHA512
ad8f33bbba60b09931c123c8104ee7ec91aa957a50755ed6ec590deddabd2fed233af80440800fc2896102b57efe567db0700f0925ff4dbdeb768716d3c80a80

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
689B

MD5
ddd54453040b4c494456d9e410cd7cb1

SHA1
eed8b22b82849a32767f283386bf8653d4ca116c

SHA256
9cc4fec0bf03b8e8ecc5eecd23332bd341befd4280aa2677c230cbf56acacbb7

SHA512
661c3b52dd8aa95563a30d93935bd3bcc4611e010d88ca4f655c5fe5f474b717b42f6158eb131834420b1fcc01714366b42adcd7473103f6e12d063373a92861

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
758B

MD5
d74510768fb4b625f5da0282a68c440b

SHA1
ed5166782d662d19076b52164ebe5a29f0e9972b

SHA256
536ee353d31d48e93e9c7dfcb32db30354dc2c7de4aae3602dae967644bb8ddb

SHA512
7652bb61faf39f09802576c123c456f8b6e160a2e6658ce8f7486466444b128ed33204c31de90bf4991e9e416c2f02cb1e29a7d8d3277344b9a792c026424305

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
312B

MD5
0c04ad1083dc5c7c45e3ee2cd344ae38

SHA1
f1cf190f8ca93000e56d49732e9e827e2554c46f

SHA256
6452273c017db7cbe0ffc5b109bbf3f8d3282fb91bfa3c5eabc4fb8f1fc98cb0

SHA512
6c414b39bbc1f1f08446c6c6da6f6e1ceb9303bbf183ae279c872d91641ea8d67ec5e5c4e0824da3837eca73ec29fe70e92b72c09458c8ce50fa6f08791d1492

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
424B

MD5
29ac00fe39f21d673b2c6db88abfc534

SHA1
bf3f0b0a9f17ada024828e2c89707a1f992766c8

SHA256
22e5a618c2e4196addf9f5a0a0571319e522d168320ff0ae6fbb97c495a679c3

SHA512
c5a702da8f35c841b869f63daf11dad716d7932ada1051ef39c68eb3520e0ca5ed80a9e414f2e78358f929a3a27fd4020bfcf8bc92473ea4ec7dbad50500e4fe

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
2KB

MD5
c6a23b21174f4dfe3f312976b717c891

SHA1
e45cc4fe8568a588780afce1276691c36fde645d

SHA256
319504e2219415db119e73c2139a6a60f745cd35185c71184798e962bd05f781

SHA512
87aac477fcb861014990c29520b386fedb135f1ae64ec77b051ce5640735ca75a84db36bd410340157bf834d409fbc4e933753b7e03734fc8bdcbf1e29d8127c

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
8856bb3b1b3c0ccfcbb1bc2294953a55

SHA1
3ba92562ba2dfff7863c6899e26c446772ed6903

SHA256
580d66640c039635d8a95cf0d8ba59ee00d3a0df14a53f794f023063cb3cce58

SHA512
2e5d703d740a2a13a1e952bed9564e511f7c26067276f404465f69e77a904f06edaca3ea37b6fc9c238ad0ca150eb28add575c207eee73b77e272da446bd87a1

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
6KB

MD5
ffd39a83274c0d4b45e7eda778e5f08c

SHA1
5a9e326fdc0f04ca43eb173a85bf432aa0ac7123

SHA256
249e6d7fc800ce764a934afdb58299b9222a56baea35519904dd0c5393a1250e

SHA512
f1c211c8b5c21c6d6dc7bd74b4a3e4fcfa3a49f3f3f38b2b3d4782f281b90b43944de91a68c0072787909942548fd54905a46dc2a14f88d1e23d788fbb5ba9a7

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
6KB

MD5
79b475f6bef0b507c4274b5191e8f107

SHA1
3a2ed7f216c6660772aa42c507af86a4341c8ac3

SHA256
6152dbb8833b67cbcce66d1e7f87a3814a14928f5df8a8a3368bc2c02272b0d6

SHA512
16b13cb22df2f617c82f80f9c08122b5220ccbbef2c3181afeed369cfadd1d4d9e8b9147c940aa75e7087ca5cc5d4ed093485044fc32061dad3ce59050498339

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
6KB

MD5
34ee38c33f1bcf86ce45336e4a4f48d3

SHA1
e974e4c75c3dabcdd27f67f5629aee42c53b64a4

SHA256
0ca15eedb52d359f0b469faeafbf03c0a7774f7e543aa7bcf32860e1560ce231

SHA512
b2aea091547ab1f64361c7daa732b76499dc75db7a7693abcc367312992d8ca1c686591b671076e023889bc43ec378ea9e65da6e9557479839b2cdb0cffe1522

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
c98336c4e5f23c79ef85508dda1c43e1

SHA1
b84851163d130c3fdfdc7f9b9eb273f57770e33a

SHA256
cfa51d0853292087a8d937ea1f335573a48af728259300a917f5cf44abc3af52

SHA512
5d9892f758f4b8dc915dfa57f3653348f3036740a8cb301dea30d595e8dff8707bc1fa959c098335fe68e336d8aa72e1c01820e45f8e6333d392a6fb02dd43ed

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
6KB

MD5
461c7e39dc44ba55e2aad55759c485f3

SHA1
1e52ae9242b2fefdb3210d114e47538e3069908f

SHA256
37ac9ba5342a91d94d0976b28ed64f571522633db5e2b4c131c10803f2db0d4f

SHA512
c0f1f9f508f4d38f11e752968679a07707be93d5604c2337171c2be479cf5a0aecc52963a079724beefd217caec2c8632243ad2dd297c9fbf520b4126870b9c8

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
7KB

MD5
4281aadcbf0bd1c9dff811b07aabd8f2

SHA1
888c73a64a2bd7985222a0209d2751f82c2bbbd4

SHA256
1231ee1620b8c93661e97708ba32225d5116fabf175e8aef9a89398309a7e82b

SHA512
0e0d7c97c0bf8d0c4a23d41dff6dd8c08e7c9c03706c0d02aad4a178d9d3f517ae8ee6d866d3749fb5e4f8eba61ac78d78d7de6628bd683eb7e525e625b5863d

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
532f4c6d9d34ca898c330f62fbb4fe9b

SHA1
1f4b652d3dc45cedd296d5082aca1466b12ef28c

SHA256
de08a4bbf23425c6b46eb07aabaddf6e6bf23b2ec3875898bde197adf6caf8d2

SHA512
d30d8be090bcbaa877aa411ac08c3951f6a5888741559d5924ad3cd2e2735f9d89d5cb38dd93839ae64cd4e10e684cd249936eaa6036e43e455532cc14f08000

Download Submit
\Users\Admin\AppData\Local\Temp\bin\debug\gcapi.dll

Filesize
385KB

MD5
1ce7d5a1566c8c449d0f6772a8c27900

SHA1
60854185f6338e1bfc7497fd41aa44c5c00d8f85

SHA256
73170761d6776c0debacfbbc61b6988cb8270a20174bf5c049768a264bb8ffaf

SHA512
7e3411be8614170ae91db1626c452997dc6db663d79130872a124af982ee1d457cefba00abd7f5269adce3052403be31238aecc3934c7379d224cb792d519753

Download Submit
memory/2436-179-0x00000000008F0000-0x0000000002039000-memory.dmp

Filesize
23.3MB

Download
memory/2436-1-0x00000000008F0000-0x0000000002039000-memory.dmp

Filesize
23.3MB

Download
memory/2436-2-0x00000000008F0000-0x0000000002039000-memory.dmp

Filesize
23.3MB

Download
memory/2436-4-0x00000000008F0000-0x0000000002039000-memory.dmp

Filesize
23.3MB

Download
memory/2436-256-0x00000000008F0000-0x0000000002039000-memory.dmp

Filesize
23.3MB

Download
memory/2736-19-0x00000000008F0000-0x0000000002039000-memory.dmp

Filesize
23.3MB

Download
memory/2736-254-0x00000000008F0000-0x0000000002039000-memory.dmp

Filesize
23.3MB

Download
memory/2740-10-0x00000000008F0000-0x0000000002039000-memory.dmp

Filesize
23.3MB

Download
memory/2740-255-0x00000000008F0000-0x0000000002039000-memory.dmp

Filesize
23.3MB

Download