9301f6668a60613ea24505b0de6bc59b0e98b9f68a5c8a990c60ca076012d528

Analysis

max time kernel
592s
max time network
598s
platform
windows11-21h2_x64
resource
win11-20240802-en
resource tags

arch:x64arch:x86image:win11-20240802-enlocale:en-usos:windows11-21h2-x64system
submitted
06/08/2024, 11:58

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

AnyDesk.exe
Size

5.1MB
MD5

d11cfd20a46e4e671d95f0c10bf67b41
SHA1

b58f48305747847b1a7e921a8fda2da6eba6d08d
SHA256

9301f6668a60613ea24505b0de6bc59b0e98b9f68a5c8a990c60ca076012d528
SHA512

f72e098e6a7ad07d36bcfc4cbe2e5ec33ab93606e3d40d122781e3973d7f8c3ac629ef7b33fa3d6e43b25c80c37e674a7c6eb338062b7cced779b5cc240bd8ba
SSDEEP

98304:lKie3Zkgwsf2PJ3SpOrt4Xc4rpKU4xzFtYygtS3fv6t1QPF8U:o3Zzwsf2PJ3SkxWcVpR2S3fv6t1W

Score

3^/10

discovery

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AnyDesk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AnyDesk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AnyDesk.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AnyDesk.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	AnyDesk.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2452	AnyDesk.exe
2452	AnyDesk.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
3476	AnyDesk.exe
3476	AnyDesk.exe
3476	AnyDesk.exe

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
3476	AnyDesk.exe
3476	AnyDesk.exe
3476	AnyDesk.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 5888 wrote to memory of 2452	5888	AnyDesk.exe	82
PID 5888 wrote to memory of 2452	5888	AnyDesk.exe	82
PID 5888 wrote to memory of 2452	5888	AnyDesk.exe	82
PID 5888 wrote to memory of 3476	5888	AnyDesk.exe	83
PID 5888 wrote to memory of 3476	5888	AnyDesk.exe	83
PID 5888 wrote to memory of 3476	5888	AnyDesk.exe	83

C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
"C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe"
1⤵
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Suspicious use of WriteProcessMemory
PID:5888
- C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
  "C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe" --local-service
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2452
- C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
  "C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe" --local-control
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:3476

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\gcapi.dll

Filesize
385KB

MD5
1ce7d5a1566c8c449d0f6772a8c27900

SHA1
60854185f6338e1bfc7497fd41aa44c5c00d8f85

SHA256
73170761d6776c0debacfbbc61b6988cb8270a20174bf5c049768a264bb8ffaf

SHA512
7e3411be8614170ae91db1626c452997dc6db663d79130872a124af982ee1d457cefba00abd7f5269adce3052403be31238aecc3934c7379d224cb792d519753

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace

Filesize
9KB

MD5
4f8bcb5369e06c5878d9d3be98ee8333

SHA1
617d86a649808c5ae39a274595593a10dfcf5567

SHA256
d1d1095f863b5a1c5f50a9f08de24e79102cca59ba3d68481870437aaaae0394

SHA512
d8b4be6fffd4a8e65b6c45534ce63b2af3fadaf00ddeaaf3f6b0f8b6f7c9258c9f6ba1662f29c2fc4369865b7be4e78f4a9b3158262ec4f3dcaacb99fa242e34

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\service.conf

Filesize
2KB

MD5
b76ac9a61f17fc8bbd37b92c397e7e88

SHA1
e8b5184366e23bef549d5add97f26491137cc4bd

SHA256
492c4c8f84ebaa3933a72c8e4011b01446acb4853d49b04687cdd8badf4e2302

SHA512
f65183a3ee63da6427fe85370bf9f1a794c15c44c9b9e93580d12d00abf3d9ee0da9300ef426b73869371c0d200264abc34cb140cb9aa042882974ac7b707e29

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\service.conf

Filesize
2KB

MD5
282f64bb95d2aec68812c6e3a16cbc87

SHA1
e578099cea4c322f202a8d57d597a710291fc5c7

SHA256
bdf32e7b46175862c63111c06744a8bd6fc51704253f702ab46d29589229a43b

SHA512
e0ca54adfaec9dd695f84b719f373a94707ee61c8e2cfefd724d44c535f843df1fb8aec8258531202e12d2b83f2b0b35e8abf56022758f04876b1d522bbf04d3

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
766B

MD5
44561ee83460b89e53cdfc727c948c08

SHA1
7b4b050eee35cbe088ca3532b9490037440d428d

SHA256
87f60162f87349509428f6acb1121e79c5afbc5f219e5118bd14f042bf64b73e

SHA512
158c56700c388227f7c78cf2093b96a2973d9a3e9526351d128de67bbc72d999a43bf0f91c121afaaa98716c8d2e1b622af4b3f49281ae2b214f45a067b12087

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
832B

MD5
11de9bdc0cc5395590a184b8e5b40148

SHA1
50541581ef1cb2902d586a365d23c4f2e1fb6a9b

SHA256
fcc3547eccc07fab84989573e8f8108a2d51f5025a21bc53b426c4a0a74498c2

SHA512
08c7cc64bb4ddb6cb442d5c46d72d270fbc4a2b331c5a68012582a245d91979139949bd1e5a02e803962c5e8aa2a874bd7028bdacbf7d0e1a5db7226fa9f9710

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
468B

MD5
58b433c589961fcb3265586308fed469

SHA1
482049d4ef7122642dcb8a34dddf8d1a52b6824e

SHA256
02abe9baa400bd237e77705d1b4a4f5b830b1dba6c4070af25fad69bf561c5ba

SHA512
51aaab42e2319894ebef47b55a94c9c01c5389dbb53471088fdc9ce6ea8f35a83be71727bd5163eb43b93d8d61dbeeed599499d9a610cc1b60e3076993820025

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
468B

MD5
661b89ab09ed816e883628b4411a422e

SHA1
533aa8ed24d23e5d8db71d81dd122cbe1f8bf87e

SHA256
e5f3b18a8b72882e8211e927d9e94091da753d3a40036ba5aba67924b299e84a

SHA512
00eb4659fd380e9b2aa3421d9f10819e6684274401016cd2ad0f1cd1a204b490d2a8d96763c3d9a0102d0845fbeb7ff6d0b9a7ce9882e61e419c8daa19ebef44

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
2KB

MD5
e281480821f3d0605cc59a774b600aad

SHA1
471c438da43bf65b165aa9a6ce07a9101f15bbde

SHA256
dbf0407ccf275e77a4a4947e61ace965ef6dc8bb69d7c9c17aa47b95f6f579ca

SHA512
21c97274e0988da21ac5ceb78f4ff25d379a8f28e3c710c546b1886337d3ec049dbcf3bb4cb653dcd770ff2e55a52d2c284e2b34688c9b1844965c3708bce44d

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
3KB

MD5
8f9deb7ef9dedea2e370f567111f2a8f

SHA1
7b1259e09cf788a577d8cfe26dbeba73e76c83ca

SHA256
18a6e984c726d745e0514d32d03b1d96824b5934aee74799f83ea93fa03dc033

SHA512
f21653c2916923102c6c563ed20106f63cd0c36ad2f35a23e532ede74abb2cd0156ed8f147dda5a15379c4ab6d5ca924cfc3bab8be795b885b3d4ef945b8897c

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
3KB

MD5
0bf13241b4be583970c370be9cf7f8be

SHA1
ed4a585ff3e2e5e5cf8d1d2e82aeeb020faa3d97

SHA256
c4fc79bbcc831e669216e94d52f8747863e503cdb528d5ff978908f8e8551519

SHA512
cdd43c79793e8b139640eed3b9effd98480715146fc985bbf0a89ddbd282a6504f760e5a6c9fd8fe04936f9c215efcab1230e23d738250843250090f7178fdf3

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
3KB

MD5
d16c63cf86b8af6a0830bf095ad807ab

SHA1
377383db69bebfce07f737fd178c316c502bd7f8

SHA256
d870e9fdd59c3d9ab6bc4fa4c7d1cbb79abd5a2bab8fea8b93c4a73951b51bf3

SHA512
7b771f8245fbb4690b868eba7ec093db1f487039cec8c65dbb33fa130310ee421cdd9d739b4ddd24acde342055dc693913c56c8c6a72539697610cd4d8fc5630

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
7KB

MD5
3a6e016c3d5174524f12f35f9a31b6c2

SHA1
2286674397cb011f8dcb4021136a7befbcceabe9

SHA256
b5b9166375ea0a662f409c29ab0f98567168665186061002e377906fa39fc71f

SHA512
85fc772aeecd4e1b16a741e803a983c0e1df5593d32b490feb513203ad54c7251c40d9be0699eaf761100c4fe824f02a7b864e29dfcf6ccfd06bdb3637977588

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
ab343044b0a08ff073943a6041774c9e

SHA1
5e021a28b54f574b34e468d1d2fc6e9bf5c284cf

SHA256
51104984ab1415301fbb53085f525fe44c45408222b3741cb4dc1e6f629c92e8

SHA512
f711651a216bbe65085b74a0e74422bb714713ffb81d1420aa2c1e9b6a262cde5db72d0d5ec90f858298b139e8555eb1dd503ec5a638ff372eb98fd5a08b602d

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
6KB

MD5
d6562ac651ac743f53bb851967422a5d

SHA1
716b1ee543eb2af20647bcbda6de20e8a832d84a

SHA256
37f46fc83251a173f16dcc93b0637e17f7ae57ffaad33c9a3546e681e6f7710a

SHA512
90c135e2e959dbfd9fe8654aa5fdca2af483e88bac5efccd6d70b64901fc1873cf54b9ca8f4b2bfa1acafdd43f6e79c7937cfa82d3eb41ef5de1d867fc6f0637

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
7KB

MD5
d93e405658360f574324f711380b183a

SHA1
48f5de288a24d0d64683901e317ef5a385829102

SHA256
977bea27a55c63d1e7a496c5fdfee15b495bbc093b5dcb6c70700a325fa06ae9

SHA512
4880b7c70178d0b09eed9ef520a751ffa354b4fcc2f96779d18dcd780469157a4bc29056f2af94e84f50c700f9d0b4c0325e91f5d0933957adc6020a32043c2f

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
e3b638726de825c23bfa8e8df9d6a2e0

SHA1
3382f128588c65b619775d16f6f88730baab49d7

SHA256
239f121d11ae6e29acb3e950a596826c18294c96dd1877c1e7d89f8c2dd7039d

SHA512
40feabcbf3b6d52a3f37147f4989ba162c48e26c9e39a2bdd849bd0843b66f1a69cf83bbbb22f70921d859a216ea49a40438ddaa3e512ecc318dc255c0366ef5

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
5b5e8b4efa446e95428ffa9f65047541

SHA1
eb0f7ac6ab765ee636915fef09b4e95cb77ce782

SHA256
110e8432313fe2e0544742c23793afed0ce71dd2ec749e2f3b769c7f225905e5

SHA512
fcaa8cbf7fa37c3f0c0c457864be0aabe6bfdcf8d34df846413a8277d317e5833359ccb60e710fa7b14d9da08888b08ea7a6a855c8cb0fc79c336441f633a66f

Download Submit
memory/2452-43-0x0000000005330000-0x000000000534B000-memory.dmp

Filesize
108KB

Download
memory/2452-39-0x0000000005330000-0x000000000534B000-memory.dmp

Filesize
108KB

Download
memory/2452-11-0x0000000000F90000-0x00000000026FF000-memory.dmp

Filesize
23.4MB

Download
memory/2452-42-0x0000000005330000-0x000000000534B000-memory.dmp

Filesize
108KB

Download
memory/2452-232-0x0000000000F90000-0x00000000026FF000-memory.dmp

Filesize
23.4MB

Download
memory/3476-10-0x0000000000F90000-0x00000000026FF000-memory.dmp

Filesize
23.4MB

Download
memory/3476-233-0x0000000000F90000-0x00000000026FF000-memory.dmp

Filesize
23.4MB

Download
memory/5888-0-0x0000000000F94000-0x00000000021E6000-memory.dmp

Filesize
18.3MB

Download
memory/5888-7-0x0000000000F90000-0x00000000026FF000-memory.dmp

Filesize
23.4MB

Download
memory/5888-1-0x0000000000F90000-0x00000000026FF000-memory.dmp

Filesize
23.4MB

Download
memory/5888-231-0x0000000000F90000-0x00000000026FF000-memory.dmp

Filesize
23.4MB

Download
memory/5888-237-0x0000000000F94000-0x00000000021E6000-memory.dmp

Filesize
18.3MB

Download