347e7d26f98de9ac2e998739d695028fa761c3f035dbe5890731e30e53a955b3

Analysis

max time kernel
1793s
max time network
1794s
platform
windows11-21h2_x64
resource
win11-20240802-en
resource tags

arch:x64arch:x86image:win11-20240802-enlocale:en-usos:windows11-21h2-x64system
submitted
03/08/2024, 01:57

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

AnyDesk.exe
Size

5.1MB
MD5

c8246dc58903007ccf749a8ad70f5587
SHA1

0b8b0ec823c7ca36bf821b75e2b92d16868da05e
SHA256

347e7d26f98de9ac2e998739d695028fa761c3f035dbe5890731e30e53a955b3
SHA512

02f5ee6fa5365498ea537f931bab82e3d95178cb8ca42a108030649283290520c27490557a2b642649533b935503ad240acedab005bcbf3dd7691f5671caf975
SSDEEP

98304:W2YT8JoWV2+H/mgMlzCozTWz6bZRajMHltHv1sRVHzQYtRP64CcnbaT:W2+8mspg2ofmmZRaMFbapx64CcnOT

Score

3^/10

discovery

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AnyDesk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AnyDesk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AnyDesk.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AnyDesk.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	AnyDesk.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1620	AnyDesk.exe
1620	AnyDesk.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
1776	AnyDesk.exe
1776	AnyDesk.exe
1776	AnyDesk.exe

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
1776	AnyDesk.exe
1776	AnyDesk.exe
1776	AnyDesk.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 3684 wrote to memory of 1620	3684	AnyDesk.exe	81
PID 3684 wrote to memory of 1620	3684	AnyDesk.exe	81
PID 3684 wrote to memory of 1620	3684	AnyDesk.exe	81
PID 3684 wrote to memory of 1776	3684	AnyDesk.exe	82
PID 3684 wrote to memory of 1776	3684	AnyDesk.exe	82
PID 3684 wrote to memory of 1776	3684	AnyDesk.exe	82

C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
"C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe"
1⤵
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Suspicious use of WriteProcessMemory
PID:3684
- C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
  "C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe" --local-service
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:1620
- C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
  "C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe" --local-control
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:1776

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\gcapi.dll

Filesize
385KB

MD5
1ce7d5a1566c8c449d0f6772a8c27900

SHA1
60854185f6338e1bfc7497fd41aa44c5c00d8f85

SHA256
73170761d6776c0debacfbbc61b6988cb8270a20174bf5c049768a264bb8ffaf

SHA512
7e3411be8614170ae91db1626c452997dc6db663d79130872a124af982ee1d457cefba00abd7f5269adce3052403be31238aecc3934c7379d224cb792d519753

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace

Filesize
9KB

MD5
24a2d51b1456ecd88998a9a4591bbd72

SHA1
03969c455450df9fa25235ecb8bd6c37ba671f4f

SHA256
bd8130419c4e65010d52e66ff2aad05d7b2dc03bd157320ebd078d1e12137140

SHA512
b16c9b52a8dc3ca065c14dad779d6ca1c2e571de2c3f652f82c006202aeb716768749eaaf0422d945feaca3567da03972b65d21ad70bb6c3bad65c830ff879c0

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace

Filesize
10KB

MD5
bc2d1373d9307b640efd3ed4f007c0b5

SHA1
57f540d9d391982e93ffd41a259e98a75c03454c

SHA256
f641f8f0185f298d70ce96a753f7e066d63e96cedaa08ab0ba3efa252ecff848

SHA512
1f327486e0f4a41ec60a48f40bfcedbc0e6e0fc80b65eee98d4e43434ac3c5e50932bcc1aa9daeb2a5979897bf33d8451c24143b927d629c3117bfc122e8f085

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\service.conf

Filesize
2KB

MD5
8273728fa56357424c0d080d4c41810d

SHA1
3779a3e393b4809815e9c7fed8f440090afdf994

SHA256
8408113dcadda30e47de02eed05d53a845d13f29fcb7a1f3d056787c3cb95a19

SHA512
a492097f97537a8433f1e19d6303d208155b096f2d03dc61c5430ad4b695dff6eda76aa80fb4ca4fdc3f8f05d3c89f5fae368cd8248d5d4c01ae457332551025

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\service.conf

Filesize
2KB

MD5
d40cd653b8a7b737da559b49182568c3

SHA1
c95f832ad168e8c4b25d56c59f12a7f96e341b72

SHA256
711100c47927a35ba25e74b34e8dc7135951c18d2ae231ac49a48c0a8952f1c0

SHA512
59a32e40bf64b77fb1af9d925441143421170fe64f706d0ba02193d9b2b757c279a527975758ab69bcaec96ff86b2f46d97a01126562d6142a053a49f38ad546

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
745B

MD5
f89a9eb982772c4fb34c722450f58906

SHA1
941771c05383ee6cf035216ae021b6db38639355

SHA256
4ed5bf1c5219ce3950e5f8865f52a05cfb1bc928b021fe0a7a4053b262fb6895

SHA512
e0eb4902c69cc791c2044366b848c982153735b35c51d26daf6ab17d587846bb3671355bf08fd727f3b763d9d66e1d23bdc9d9fb0ec55ddf0034139628ed7714

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
766B

MD5
f0e45763c3b7162cc9c0ec6d02494b4c

SHA1
a8c1773415d6df632a5a4507c85f929871eee1bf

SHA256
17fd190e63c88e1f1665f22fc5c4727c489bd52fbe981aa4b8802973454adc00

SHA512
67ca672096b4fbcf45f410b074fdda93ecf7d243bbc392d23537a5157f9a606272b335056794b20dfe35a9628c0edaa50558517ac8f7f49db609e54ab361760b

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
775B

MD5
7384e5a7954592c9993dc9825a086e5d

SHA1
c72f91684bf32676f69f6f62f5bbee9f2c50e108

SHA256
eae6ca5bac5c53eeddd60a8358eefb6ed7727a469f61008a61b3b0b7f95e9b58

SHA512
cdcefb4db04e94f7b08d0bbcb5de3c9ed918688fc88185a0f96fb7a55d09e9fc964459b19b4e9c08b02b0297296e0c7aba2eb6b064d689a243a7737797a7d2ad

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
832B

MD5
6d75471d320b870898141af6df0caf74

SHA1
651b06fd0b0a40412f629e2a108fb9d9efc64408

SHA256
cd2f7015fa9eb1c31c221dac810f8399342a92f0390351ef0b7f9e2f1c4cb11c

SHA512
74bbaec5ca9befce9282fd39ce7815d982ccd93a769da429d84665fb640c035bb6574ebef1f6a7dd61e70c94c8afaf5b789c8b4041825cd4ca6c2e624e50de37

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
312B

MD5
0c04ad1083dc5c7c45e3ee2cd344ae38

SHA1
f1cf190f8ca93000e56d49732e9e827e2554c46f

SHA256
6452273c017db7cbe0ffc5b109bbf3f8d3282fb91bfa3c5eabc4fb8f1fc98cb0

SHA512
6c414b39bbc1f1f08446c6c6da6f6e1ceb9303bbf183ae279c872d91641ea8d67ec5e5c4e0824da3837eca73ec29fe70e92b72c09458c8ce50fa6f08791d1492

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
468B

MD5
a639294516ede633395915f9a28a5779

SHA1
56806fe529b91f901e48ed51987656d043d43e60

SHA256
7d48c688508668526ade4ec52fa3a1e54245767d9804a9efc1fa88924b0f61b0

SHA512
5e96903242f7b7aa719af67655a6165a6da4521f7b51227826e3459205cbd5f0618ae580f9d20aed01f967c2f090e3e3499eee6250a81e29f2029da4bab7ca5c

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
2KB

MD5
f1be47ffc0097b23eca8eaffbb0b8ef0

SHA1
57f7f02dd964f90674365bd0476bce478915f9f5

SHA256
94e486f6d374ae6d0325e0038f7337a48fa23b44b106821f37ef2aa1352b63c5

SHA512
fbb4af5fc463290a4f929b37226ace40539197d00f5d4b04741d6b1bc9c28cd8ad7c2b47fa13a81385bf1b64505db5b20b1a19fde6b40ca23bdbc5f6b6e63347

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
324a188fa9965377568c2724264791f7

SHA1
c20fafa57aa1b0ce63504b9aa33e3a971a850d13

SHA256
fa08c2054f91573f3bfc55aa060a380f44675bbbcccedddd57c3f125097024cc

SHA512
460fcffdd342a00f62a6854400539bf27b4139a97bbbfdb7537f44ae3835ef27cbf00affeeb14ec33e7a7e0e40b433ef7eb7b19ce7f3facc6eed2795f3bca024

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
7KB

MD5
2a8894cc00fde10fdefad2607b09fccb

SHA1
1edbeed86944009e203e5948f6d68aa47fc8b459

SHA256
09e212b3ac49811222596b5923e48a5272d1a434ad0c52c6527586080d9b4eab

SHA512
e78e8e52b70ca7ac22948ac4f4c106fabe939a76f9006d766d4ce2079ccfc54120b6c6cf2468910ff5bf2ce24c85bbebd0d4b02489511322dbe43d74c54b3e37

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
3KB

MD5
0c7cdb1772d9befc07fc82bd4a4d9ab7

SHA1
9dfba2f107e84e9bd9083c0e6a5e67c1063c4110

SHA256
89a94aa0ad5d8caaf5385e8c3be3060f6c1dc4947da65bab1e6b64027209e5f9

SHA512
1c47f75d2efcf779c96bc217ba098b40921b5bb5d34f5c01beeb3b933a81f8483f397ca73ac00c18478d81257a605e4a672ce592157521ece088f2204654f43e

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
7KB

MD5
6ebcaeeddfc41500766d767ab40f4f5b

SHA1
5a97a00f4d6bb91e6ff3b649456bc78e0e7db8d7

SHA256
4763316ecb7bdfbb9ce5ad89cf997f5efaf2209f992283034bf484ea8417d138

SHA512
02427083904f5add569f8aae11516fef5389968c88980776f45554c79c3dae9bb7ae7e403494b70f6c4af1c18bf2fd948ac92b9d02ba7cef9bd27f57ee2c42e8

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
7KB

MD5
bbfc834af48d06679b3780b20a42dd08

SHA1
fb244520d1000fabadbedb9933398c2706a091a8

SHA256
e828dce2437faf4c99b4cd018ba5415eab1b928f8d2154ab846a7af5fafa4095

SHA512
32a07a956e3fd4b0b8c0664d48d6e5c430cc5504348876149a9ca4fe27f3ec5fd2c80b47e0be9711282b7042aa6bc544f3d7c1bb7e5fdaa7f1a9bb49216b3c75

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
256f94465565a9935d0d427f750e79bf

SHA1
e13085c74472dd80c332f8d7d09978ed9675ef2f

SHA256
bbc50553e9f8035dda31b6e0dab06fcb23c4f3b4a1242797e19a448f738f5ba0

SHA512
4cae83aee74b48a945ac70d9981c2fa348c16d12c3be1aad785583b8f874cc920cea2e3afe7c079a5ec5a7a18eb4a4a77e2acb0647ffd8596bf3e7762819e252

Download Submit
memory/1620-40-0x00000000058D0000-0x00000000058EB000-memory.dmp

Filesize
108KB

Download
memory/1620-12-0x00000000007E0000-0x0000000001F4F000-memory.dmp

Filesize
23.4MB

Download
memory/1620-43-0x00000000058D0000-0x00000000058EB000-memory.dmp

Filesize
108KB

Download
memory/1620-44-0x00000000058D0000-0x00000000058EB000-memory.dmp

Filesize
108KB

Download
memory/1620-244-0x00000000007E0000-0x0000000001F4F000-memory.dmp

Filesize
23.4MB

Download
memory/1776-10-0x00000000007E0000-0x0000000001F4F000-memory.dmp

Filesize
23.4MB

Download
memory/1776-245-0x00000000007E0000-0x0000000001F4F000-memory.dmp

Filesize
23.4MB

Download
memory/3684-0-0x00000000007E4000-0x0000000001A36000-memory.dmp

Filesize
18.3MB

Download
memory/3684-9-0x00000000007E0000-0x0000000001F4F000-memory.dmp

Filesize
23.4MB

Download
memory/3684-1-0x00000000007E0000-0x0000000001F4F000-memory.dmp

Filesize
23.4MB

Download
memory/3684-243-0x00000000007E0000-0x0000000001F4F000-memory.dmp

Filesize
23.4MB

Download
memory/3684-249-0x00000000007E4000-0x0000000001A36000-memory.dmp

Filesize
18.3MB

Download