e55752ce0e4bdc9426430bf580efd1559864d24c3c0f118d58ff513e6d618fd1

Analysis

max time kernel
149s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20240704-en
resource tags

arch:x64arch:x86image:win10v2004-20240704-enlocale:en-usos:windows10-2004-x64system
submitted
07/07/2024, 03:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bin/debug/AnyDesk.exe
Size

5.1MB
MD5

aee6801792d67607f228be8cec8291f9
SHA1

bf6ba727ff14ca2fddf619f292d56db9d9088066
SHA256

1cdafbe519f60aaadb4a92e266fff709129f86f0c9ee595c45499c66092e0499
SHA512

09d9fc8702ab6fa4fc9323c37bc970b8a7dd180293b0dbf337de726476b0b9515a4f383fa294ba084eccf0698d1e3cb5a39d0ff9ea3ba40c8a56acafce3add4f
SSDEEP

98304:G5WW6KEdJxfpDVOMdq2668yIv1//nvkYCRThGXBJdicotUgwoAo5beyjF:y3vEbxfjf4Y8yofvktkLdurH5iyR

Score

5^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000\Control Panel\International\Geo\Nation	AnyDesk.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000\Control Panel\International\Geo\Nation	AnyDesk.exe

Loads dropped DLL 2 IoCs

pid	Process
1532	AnyDesk.exe
512	AnyDesk.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AnyDesk.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	AnyDesk.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
512	AnyDesk.exe
512	AnyDesk.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
1532	AnyDesk.exe
1532	AnyDesk.exe
1532	AnyDesk.exe

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
1532	AnyDesk.exe
1532	AnyDesk.exe
1532	AnyDesk.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2368 wrote to memory of 512	2368	AnyDesk.exe	84
PID 2368 wrote to memory of 512	2368	AnyDesk.exe	84
PID 2368 wrote to memory of 512	2368	AnyDesk.exe	84
PID 2368 wrote to memory of 1532	2368	AnyDesk.exe	85
PID 2368 wrote to memory of 1532	2368	AnyDesk.exe	85
PID 2368 wrote to memory of 1532	2368	AnyDesk.exe	85

C:\Users\Admin\AppData\Local\Temp\bin\debug\AnyDesk.exe
"C:\Users\Admin\AppData\Local\Temp\bin\debug\AnyDesk.exe"
1⤵
- Checks processor information in registry
- Suspicious use of WriteProcessMemory
PID:2368
- C:\Users\Admin\AppData\Local\Temp\bin\debug\AnyDesk.exe
  "C:\Users\Admin\AppData\Local\Temp\bin\debug\AnyDesk.exe" --local-service
  2⤵
  - Checks computer location settings
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  PID:512
- C:\Users\Admin\AppData\Local\Temp\bin\debug\AnyDesk.exe
  "C:\Users\Admin\AppData\Local\Temp\bin\debug\AnyDesk.exe" --local-control
  2⤵
  - Checks computer location settings
  - Loads dropped DLL
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:1532

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\gcapi.dll

Filesize
385KB

MD5
1ce7d5a1566c8c449d0f6772a8c27900

SHA1
60854185f6338e1bfc7497fd41aa44c5c00d8f85

SHA256
73170761d6776c0debacfbbc61b6988cb8270a20174bf5c049768a264bb8ffaf

SHA512
7e3411be8614170ae91db1626c452997dc6db663d79130872a124af982ee1d457cefba00abd7f5269adce3052403be31238aecc3934c7379d224cb792d519753

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace

Filesize
6KB

MD5
80077f4bcf916062bad6b43a29ed699a

SHA1
7783a5db62fef532fcff4ccf7d78dff91623e1fa

SHA256
b9ca02117f6a92153d1bdd25c0bcd09b9295b9bef704962c7fe4ecb58a44a945

SHA512
bed378a4eb88770fb66bad855e7aa5969da8d1c9509eb0c55aaf00925ee490d5d267c05f266a388c6396c1007125f37229dc6b0ebf13f2cde06e2d872de7a40b

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace

Filesize
6KB

MD5
e43f417885671250a2c26f910666edb8

SHA1
b590ff807679346d2e702bae3567108a90ca2141

SHA256
b725388668d74a2419e5617e7f3a15bf96a2519b5927ab9277f0fc5e1f4f3774

SHA512
b596907c6202cd4184fa5e5771c24d1769a68a05c6d6232077af84ac3417dac823796142a4b6d8a60fc5f0bc6b4786f8cb387682c2a1d753c3f04937670b9d6f

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\service.conf

Filesize
2KB

MD5
d2d12c907eb4d7fb51cc744cdd864668

SHA1
f9f7b31a44f566cdd9490590908a00e525e7e716

SHA256
7bf810d0ea20be949a94df8df365f1ca67d8edc847d42614caa138c487ee23ed

SHA512
37fb9cea95cffe1e039e6e6f47d0dc091a0d6d63c2efabc912d4a9a5cd196c68132f1c7db96963681c87ae6c72a514391a2eba19e2dd9347af92cda6149eb3b2

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\service.conf

Filesize
2KB

MD5
24a69c6decb8ed236ce448db46b0ce99

SHA1
7ce298b114a4bebdca6c078bc09c6491bf1c6dd4

SHA256
bcc1dafc56a6cf808af9f8b04da1e3218750a974a94053540ba10ee4fccff36d

SHA512
e7d16585ab43ea48afadd912ed45c9a94c047c9c73ae516b4218689733421905c965b01cdabf9e28b69eb090e7c26569185ff22bc14ff147d1f7d2393a75d98a

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
632B

MD5
010a66b9281da8bd3d2c6e4bdd31418d

SHA1
7e9f3487cf2e9d6484b23ecaee5d1fd5a9b304d2

SHA256
ae1466a33cbab404045b0964691c2ba4813a544610dcac3d63cd1638cad481bd

SHA512
ed2b981652abd790fdfaa681784448dda0af140050b47fe0f1c5547ef321b7e1cecc510224e8cf303ffe5451abc453c62538e5d881a7bc5c9f4c594c7d81fed7

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
689B

MD5
4d7607042570a7f0fac763d6f26a2dbe

SHA1
998b32bdaba4bfe6a3d106f0ee2ddbb51b2d414d

SHA256
841110af5425652c5537797e65e4015ec27ddd352157e692f8ecf64b7f0010b1

SHA512
26983496bea2ab09c63c0b0b052bf8efa349d14e7a61908f4f8bb301ff0a41abc65d8236e382fa71d3b2bf3e37fa5af08903a65fbab5325abe3d9b5c1f8cbff0

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
758B

MD5
fc10a1fa9ef751d34cf315dc841257d8

SHA1
28c1eee55466b978374b2bc43d8ae149055e9670

SHA256
0200f3d84f55bb9f8dd3848693bae7b09599ebc25a36aaedfb41f21122266d80

SHA512
5afa4877167cb2394c7480b6a9036866ccd6e984745ea9a915433309c7870c939d526edc7b6d9345d40e6c70446dba58e3fc0a223f759b2d47362ec131af5704

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
312B

MD5
0c04ad1083dc5c7c45e3ee2cd344ae38

SHA1
f1cf190f8ca93000e56d49732e9e827e2554c46f

SHA256
6452273c017db7cbe0ffc5b109bbf3f8d3282fb91bfa3c5eabc4fb8f1fc98cb0

SHA512
6c414b39bbc1f1f08446c6c6da6f6e1ceb9303bbf183ae279c872d91641ea8d67ec5e5c4e0824da3837eca73ec29fe70e92b72c09458c8ce50fa6f08791d1492

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
424B

MD5
bfc53a40af6ba1e5dd6a11246c6ce903

SHA1
00866beba37509ee0af8e41675052fc2ba20076b

SHA256
27b4aff1b80d53bb0ac3a92a4e91c50a098d48fa15a5575315b2eb06d4f61dff

SHA512
bb7e5cc9b40668dd90a2fd4b96125dff71bbfea2e8aff5495c1f0269d3c9e5e990fc5a8ab4636fbbcc59e9410e7dfeeb7b635479bd35ce047d85aa6844c3a369

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
3KB

MD5
927f0981865689ae24a478b011aadeeb

SHA1
f83c5bc85365e4fb990c75d859ab9fe6e5827099

SHA256
97714a5414a323682248bfe4aa75b402e10ec62a56b69ec1b9a6a2a1d4e03049

SHA512
e33c718d25d1ea673c46d98306ad79cebc3475b339c56e33718b8f1ad6c717b1d5d1fdb61fb0b922591ab9e1460a65feb4d2889fea375df071eb9245881cf67b

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
3KB

MD5
8189c6a4ed46762df57ebd48c9190eff

SHA1
e3758cd557ba3d5b8a7fba8905430933bc06dc4f

SHA256
0dcf614573a948297af7c92182e760a1ec71e6f38ba66fa0b7e682cb7e42743d

SHA512
0cf86a866bbf5112edf27b68393269c908d41ba854028e3e5c655368bfdfad6581db1b22d0721dc68a6cad64b2a61755e3f31cf668452b042c84fbcd03e0dc52

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
7KB

MD5
f016ab5f5fca34cf6b2d346ed1379964

SHA1
a2c744a047ace4086b75fcf8c5ee07a6383c6b2b

SHA256
13847b1aa174b18a6239bf4dc2f3eb1f6dd07ca0dd5a5662085704ef9b59db89

SHA512
86c97539e0a609156d1566e24acc941b7fb5e1e25f23f18bfb3e11c093a7b6d94dd274520f903ea8933edd0442658f0d9330d39f12ceff86d4ebbc3e2974afef

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
6af823dff4fb7aa7cc334a47ffd5c644

SHA1
5ca1f3d35e3a3d25f08c78c83e78857420a6174d

SHA256
0c7dce5a3151afcab65dcdde67cf41fb310977f0690b637b17a42535e7a70ead

SHA512
50b473b423788538369775ac67072300ee5e329051d657609704f1238c540363ecfca04b7238e303be6678a8678a88b6b661705378a504cc78b64bf7d82b15db

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
7KB

MD5
b74200a73a849816255478729bb699e5

SHA1
86dc15171ea8f2f95d0995b192f1ac32dd05bbbe

SHA256
5fd56ea163dd1f5ca5e7c1103e670b1552d36e31ca51a70ff961cba7e1039784

SHA512
2ad9a2751e5c0c6d56f4b75f5f55afc87a8b89788c6a3c87b6fabe74959c0923498da03f7aa6050a5c08943797e408ec74d4b9373669b33acb032578a06fe42a

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
c73d989fac04210d476938702ad44f4d

SHA1
6d7f3e9acfbeb13534e8e439c13850101a00a1c4

SHA256
21be21e69f23b097500b60eef3f0e7778a608303c305058397159ede0b10b218

SHA512
6b5d5ddc9562b04248eef0b61598808c4bffed2f0676272ae5e55fc23fe44754a025bc4a3f480b15d62a47c7492f7d9a96b326971f56bdc6757b600a663bb387

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
ceb6c4cf710da0fb644cd0f08f890988

SHA1
ae0a0321554b2b64e98e3a0d59986b3cd4f58ea8

SHA256
4780d7c492fc49d444c02c5c5920f8db72fd38f247131147fa113767d3e386fb

SHA512
078bbaf08bee0e776f3a38a8e704f9e05d2e5480c5edfcb6de933750ae77b1122b4379b3c4c9d7c9dad501ea80379cd66c9363bf4c90269c8eb533f26f5e2d6c

Download Submit
memory/512-235-0x0000000000B40000-0x0000000002289000-memory.dmp

Filesize
23.3MB

Download
memory/512-12-0x0000000000B40000-0x0000000002289000-memory.dmp

Filesize
23.3MB

Download
memory/1532-10-0x0000000000B40000-0x0000000002289000-memory.dmp

Filesize
23.3MB

Download
memory/1532-11-0x0000000000B40000-0x0000000002289000-memory.dmp

Filesize
23.3MB

Download
memory/1532-236-0x0000000000B40000-0x0000000002289000-memory.dmp

Filesize
23.3MB

Download
memory/2368-0-0x0000000000B44000-0x0000000001D7A000-memory.dmp

Filesize
18.2MB

Download
memory/2368-7-0x0000000000B40000-0x0000000002289000-memory.dmp

Filesize
23.3MB

Download
memory/2368-1-0x0000000000B40000-0x0000000002289000-memory.dmp

Filesize
23.3MB

Download
memory/2368-234-0x0000000000B40000-0x0000000002289000-memory.dmp

Filesize
23.3MB

Download
memory/2368-25-0x0000000000B40000-0x0000000002289000-memory.dmp

Filesize
23.3MB

Download
memory/2368-240-0x0000000000B44000-0x0000000001D7A000-memory.dmp

Filesize
18.2MB

Download