7b9a0fd990959dfd15a879bbffd13d4959b9bdeecf6831b91b8ac02d72e9bba5

Analysis

max time kernel
142s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
02-08-2024 21:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Spoof Instructions/Toolz/AnyDesk.exe
Size

5.1MB
MD5

aee6801792d67607f228be8cec8291f9
SHA1

bf6ba727ff14ca2fddf619f292d56db9d9088066
SHA256

1cdafbe519f60aaadb4a92e266fff709129f86f0c9ee595c45499c66092e0499
SHA512

09d9fc8702ab6fa4fc9323c37bc970b8a7dd180293b0dbf337de726476b0b9515a4f383fa294ba084eccf0698d1e3cb5a39d0ff9ea3ba40c8a56acafce3add4f
SSDEEP

98304:G5WW6KEdJxfpDVOMdq2668yIv1//nvkYCRThGXBJdicotUgwoAo5beyjF:y3vEbxfjf4Y8yofvktkLdurH5iyR

Score

5^/10

discovery

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation	AnyDesk.exe
Key value queried	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation	AnyDesk.exe

Loads dropped DLL 2 IoCs

pid	Process
4424	AnyDesk.exe
2428	AnyDesk.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AnyDesk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AnyDesk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AnyDesk.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	AnyDesk.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AnyDesk.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2428	AnyDesk.exe
2428	AnyDesk.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
4424	AnyDesk.exe
4424	AnyDesk.exe
4424	AnyDesk.exe

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
4424	AnyDesk.exe
4424	AnyDesk.exe
4424	AnyDesk.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 632 wrote to memory of 2428	632	AnyDesk.exe	83
PID 632 wrote to memory of 2428	632	AnyDesk.exe	83
PID 632 wrote to memory of 2428	632	AnyDesk.exe	83
PID 632 wrote to memory of 4424	632	AnyDesk.exe	84
PID 632 wrote to memory of 4424	632	AnyDesk.exe	84
PID 632 wrote to memory of 4424	632	AnyDesk.exe	84

C:\Users\Admin\AppData\Local\Temp\Spoof Instructions\Toolz\AnyDesk.exe
"C:\Users\Admin\AppData\Local\Temp\Spoof Instructions\Toolz\AnyDesk.exe"
1⤵
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Suspicious use of WriteProcessMemory
PID:632
- C:\Users\Admin\AppData\Local\Temp\Spoof Instructions\Toolz\AnyDesk.exe
  "C:\Users\Admin\AppData\Local\Temp\Spoof Instructions\Toolz\AnyDesk.exe" --local-service
  2⤵
  - Checks computer location settings
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2428
- C:\Users\Admin\AppData\Local\Temp\Spoof Instructions\Toolz\AnyDesk.exe
  "C:\Users\Admin\AppData\Local\Temp\Spoof Instructions\Toolz\AnyDesk.exe" --local-control
  2⤵
  - Checks computer location settings
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:4424

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Spoof Instructions\Toolz\gcapi.dll

Filesize
385KB

MD5
1ce7d5a1566c8c449d0f6772a8c27900

SHA1
60854185f6338e1bfc7497fd41aa44c5c00d8f85

SHA256
73170761d6776c0debacfbbc61b6988cb8270a20174bf5c049768a264bb8ffaf

SHA512
7e3411be8614170ae91db1626c452997dc6db663d79130872a124af982ee1d457cefba00abd7f5269adce3052403be31238aecc3934c7379d224cb792d519753

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace

Filesize
4KB

MD5
647228a3e0fa50225591bbb420aeedad

SHA1
2af58a1d97d2bf6f5149bffda38dff555d0dc464

SHA256
2f0a66005ad3fe762567fb4077022794f5afa690a51da8dd662b4a4c2ea447c1

SHA512
561b1c15dcd92b7443126571f0f36a25c940266ec39f3785fae4c0144362f5fcb4ef035723efbb0fdf3e8f6daf9dbdbb82430a9aad8335e8c9c64bb1e2a74fa9

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace

Filesize
7KB

MD5
f7ffa9f6bedea62503f0d379730d33ae

SHA1
fbe1a99d8a133344904f849c689c8d47e547cc9f

SHA256
02672e6c0b4faeab6d045dbc277d59504ffa6779068db1e70fa17fced15768af

SHA512
b7cc603df3f4587f7538c42bd1188096768ca08f05a1730d7ca5ebca588e55e308411bf12c35f3e0d7f37bcc0e1b965b5d5734b3151111a296f069e9657263ef

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\service.conf

Filesize
2KB

MD5
50587c4c354c25a7cb75151832ff7ef3

SHA1
719a3f748ab83ac14017de027fcf9d217a997e31

SHA256
a20d216543a82bc9375ae7aa3293961fe55a11e1f64dc4fe01df7216d9d04a18

SHA512
aea897a5ba54e6c389c6fa24918e4b83b124fe4361471f04f48a8ed227811d57642af74e7500541ef829586cc3935e98cd95ff8e9b5173b791b775fb3939d71f

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\service.conf

Filesize
2KB

MD5
82a05647b49eb012085c1baf521bcf45

SHA1
c533a7ce42c46bb7bab78ecba6f53d105bc0d203

SHA256
819ed309fcf6078d869618228abdd7abb41720ecf7d3b648f80f1f830ba3cb3f

SHA512
7ed69bfafd912bbf211065456066ff0ba9cf30149348d0e0bef2c1657d92ba6eda673e9939a71038d19fc5f112bea4c08224c304dcece7fd16540868e111a508

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
701B

MD5
47c6d77e6925bc5c563ef63cd975bcb1

SHA1
08c5f8d409e4f227983d94187c0478dbcbf0a831

SHA256
7c8b1b3db6b352507b31a4cdd1d36231abab403de9461534ab7a758892f8b52f

SHA512
6ed034d62d04533c6f9b0c663ff265a235b060824a6d2ee4d71875b790314e71321b5e55ee7aa27c6c983a6cd44af5656a674d2f1abd4c0f05db985e1e6edb9f

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
758B

MD5
888119b241b3589244d42278009ab476

SHA1
3a07da4fbc5682f7e321da39cd81524613ed27a2

SHA256
516a88b45bdd08a2571f53c261fb4898e70a99d636e08c4d9c45faeb4626c0d3

SHA512
112f1b96c2202077d89c14f677d2d89207e06f7989040fdd407d869a81b92144f2f64878faebc682fe3237d218e2055d06748c29f4a0d7267699d7a08040056d

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
312B

MD5
0c04ad1083dc5c7c45e3ee2cd344ae38

SHA1
f1cf190f8ca93000e56d49732e9e827e2554c46f

SHA256
6452273c017db7cbe0ffc5b109bbf3f8d3282fb91bfa3c5eabc4fb8f1fc98cb0

SHA512
6c414b39bbc1f1f08446c6c6da6f6e1ceb9303bbf183ae279c872d91641ea8d67ec5e5c4e0824da3837eca73ec29fe70e92b72c09458c8ce50fa6f08791d1492

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
424B

MD5
ba4bdfabe5d7b5da821bbd72b4b99134

SHA1
268a48d513e80241d7b61812c37cf507e59e891e

SHA256
d37fe0f81cfbe7594b0b8750279093b108d7e271c6738558e02de5aac5ec2ec5

SHA512
465e9bda086ced42613e849f58f8833d6f300cd9e6d14353a4967077a360d8d0e9fbcc5bb7665f3cad009f1f2e87a62ceb45a8b613980fc93e900b48394a2938

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
2KB

MD5
e4c69559deff2c155e9add0e6ff5c36a

SHA1
ee082616a6815e02423bbb8d70d615328f882bb7

SHA256
a56b9ae42d00ada5208851afb2600b0b4042f6cf11057630457e717b1a789fc1

SHA512
408031c68215348346757ddc9ec0dc5bcd352849820fba6ef30fd10cee704d208a6dcdca3585d10ed41f6e1de66e75e66984dd3c2c6111c7c5863edf3f270c6f

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
2KB

MD5
2d2f4d77a59ae582f4193b633a8481d5

SHA1
0d07880ae5c072af3cd33129725e55828c00b626

SHA256
eb087e437b010b7f5eb7bc6621d5cb252e6e19cd9b0dee924afeea385573cd65

SHA512
c3fd8e77531d65dd577eafb8138d52fdb3c5ba89270d8f566035c90f3918da8f1791f1085421c394fd897f0a47ddc613350b52b2e14049a65fdccf4a26552ef0

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
fd6d5b6c44835070dcc1d622011157f8

SHA1
37bfdc7e9245ffc963d8d92ead42ca4411313630

SHA256
c047d4c3ca155e0e05e36dd8582388c59b85e5517811436306fcacfabeb0f26f

SHA512
42c4d03b4a469db5207aa4f153c21509507f8ad3317323c255f924a5a346242514f34fd00c8d18b05688d5c6aa721b1897227f1441b215bb4e95b8882a590244

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
3KB

MD5
ae7f34bc16afda48532e431e48ed02bd

SHA1
8e03c4c9b89864d929dafd3213d14e30a617c6e8

SHA256
e68d159b6a11f2b3c81196841f6fc2e4f9423ac798a8373fbae8cab8fbe12bdf

SHA512
9459c290bb714bdf380412d9e006994a80ccc7d55f7e199b6c7a038c480368f04b4d50ce4ce72dc975e317ad74767fee556b0aa32b83f6516076df47ce3a0315

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
3KB

MD5
a9e7778c5637c584fa05b4ea2466e43a

SHA1
35399b3858bd838ba5c34f865f80653103bb9d1d

SHA256
0de8434ac78485b1b7bfc5847ffb27d436530e0051a5f66d08a37c9378bdd69d

SHA512
3c0b939ee957ded180bb9cf91fda4a5f05911e2504711e39320dbb539244a0365ffc3173cf433a3a1d0ef09c1c85b4d2ed3e5baafcba3d5d8990b0c4a8af6db5

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
3KB

MD5
b1d65d68a17d9ed7696630e065254152

SHA1
92ad1127444782436538b614e27d9992f51f0624

SHA256
5f430750f30943fc3ecb34108dd9c55ebb328c2fc013571037ddd8576b6d2a6a

SHA512
87259a29b47504f5d54a59a60ed60dd6b98867de98ac989f00c1138ea62a07ac67c7e8effd0978ce2391552fcf215cc7ba0708da90b8efd38c8bdb70ed7005ff

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
7KB

MD5
a7e395e4a19370aef80a721e58349932

SHA1
c9ad6d0097f20c49a7555e4f12d20dc3a93b28b4

SHA256
25f4c3155f358032e645a2244cfd41c299a71175f60fdd4e0ce66b0ba7320732

SHA512
c7514f221c971dea388c953c8b492e0a261e815a76ef46edc2725511d75f4b7a2e27c1df40428846069d8b53e864d48bb018b5fb23daae93c387f0b4b55544b1

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
2486a10821e91dd47d79f67dcb8d914c

SHA1
436bfb4683d0955d31252ec5f57828909e601541

SHA256
d436e16f14123a728f399a0d6d5698b0ca06215188b3a8dbc0c2bd1727e36fb2

SHA512
8ae6ff377416b31672f6bb2f360b1e70fe0ffac70bbc5ef33c7b4c2f0bda4a5e7b19adb13d5402108207e9f8d72a9a0c0293815127906a9552834d1036462bda

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
cceaedc50164c7551f13f0ffd716d256

SHA1
7cf0130f15823283ac57332e0fe67a5ed6c7d187

SHA256
1326303f2bd704244a4e30f9a01eba32f3f359de859fc07dfd7abd203351e7b4

SHA512
8c42f3b68650ab48aff125785fa918bdd2a2e00031f0cad730f26e605936f149ec9703926b226589a9309306f3c787f3a3a48d88428cf31e1065ecf71fa71c74

Download Submit
memory/632-2-0x00000000006A0000-0x0000000001DE9000-memory.dmp

Filesize
23.3MB

Download
memory/632-5-0x00000000006A0000-0x0000000001DE9000-memory.dmp

Filesize
23.3MB

Download
memory/632-1-0x00000000006A4000-0x00000000018DA000-memory.dmp

Filesize
18.2MB

Download
memory/632-262-0x00000000006A0000-0x0000000001DE9000-memory.dmp

Filesize
23.3MB

Download
memory/632-268-0x00000000006A4000-0x00000000018DA000-memory.dmp

Filesize
18.2MB

Download
memory/2428-12-0x00000000006A0000-0x0000000001DE9000-memory.dmp

Filesize
23.3MB

Download
memory/2428-263-0x00000000006A0000-0x0000000001DE9000-memory.dmp

Filesize
23.3MB

Download
memory/4424-14-0x00000000006A0000-0x0000000001DE9000-memory.dmp

Filesize
23.3MB

Download
memory/4424-11-0x00000000006A0000-0x0000000001DE9000-memory.dmp

Filesize
23.3MB

Download
memory/4424-264-0x00000000006A0000-0x0000000001DE9000-memory.dmp

Filesize
23.3MB

Download