746475f67cd3456551c5cd9c6205c9754b2aef17472af1b40d41904df2337a2b

Analysis

max time kernel
147s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
28/08/2024, 18:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

AnyDesk.exe
Size

5.1MB
MD5

bb3af87238abccdd1b9001f96348e756
SHA1

6ae600ccff0741ce420bbd372c931b951094121f
SHA256

746475f67cd3456551c5cd9c6205c9754b2aef17472af1b40d41904df2337a2b
SHA512

c5f71d88b9938079fc4e44ff6b8329cae451c776fffcbb2ffafb29bcd3107a08a6f5f5327bc5b367a0bac7cf66ec18e549f09815099872882f431230694c5b7b
SSDEEP

98304:25/+S+eFDeCPb5AER4V3CItOqgw2JqaVqn3+GwpU5bAeCoMg:29+STDeiVAc4VnOqgw2URwpGCS

Score

3^/10

discovery

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AnyDesk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AnyDesk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AnyDesk.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AnyDesk.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	AnyDesk.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4732	AnyDesk.exe
4732	AnyDesk.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
5024	AnyDesk.exe
5024	AnyDesk.exe
5024	AnyDesk.exe

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
5024	AnyDesk.exe
5024	AnyDesk.exe
5024	AnyDesk.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 3104 wrote to memory of 4732	3104	AnyDesk.exe	94
PID 3104 wrote to memory of 4732	3104	AnyDesk.exe	94
PID 3104 wrote to memory of 4732	3104	AnyDesk.exe	94
PID 3104 wrote to memory of 5024	3104	AnyDesk.exe	95
PID 3104 wrote to memory of 5024	3104	AnyDesk.exe	95
PID 3104 wrote to memory of 5024	3104	AnyDesk.exe	95

C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
"C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe"
1⤵
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Suspicious use of WriteProcessMemory
PID:3104
- C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
  "C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe" --local-service
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:4732
- C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
  "C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe" --local-control
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:5024

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=3960,i,15436195446242760253,4000484513008731869,262144 --variations-seed-version --mojo-platform-channel-handle=4212 /prefetch:8
1⤵
PID:2948

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\gcapi.dll

Filesize
385KB

MD5
1ce7d5a1566c8c449d0f6772a8c27900

SHA1
60854185f6338e1bfc7497fd41aa44c5c00d8f85

SHA256
73170761d6776c0debacfbbc61b6988cb8270a20174bf5c049768a264bb8ffaf

SHA512
7e3411be8614170ae91db1626c452997dc6db663d79130872a124af982ee1d457cefba00abd7f5269adce3052403be31238aecc3934c7379d224cb792d519753

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace

Filesize
9KB

MD5
3e4d622ab59fdc8656592eb57792e6b1

SHA1
53f1c38a2869b578e4183d545e474eae68043991

SHA256
6ab4334ea96c7aafb5b1bdd97ecf3d38c408b23246dab197214ae189c654e15a

SHA512
6e80db6191f2f687933e19728ae90bdcb620cbb82c387b12f3afd3be07955d2ad9d7c86b9e5748c090b98802894fc46c9a57c503bd691cc80e434fada19b35ab

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\service.conf

Filesize
2KB

MD5
95acffecf2b455e8d66826f94c1d06d0

SHA1
f61e84bffa49366eb6441cc4e29ccda30fe3d321

SHA256
9119b5617e938b7d58246c85efb56cfc2551642ab8b9957819ffc25c2c4b6290

SHA512
db496fff50b9220fcb4f15535da98500082cfb4473a4b58d387ce1d257a7eaeacf6b706fe19664cae3eb377c796b05a624f0845b359186970d46103641f6fb02

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\service.conf

Filesize
2KB

MD5
c1aede98220749f6750fd6bc7d7ee797

SHA1
fde26a29bbf71768be18a293a47ddb614e1c5ae6

SHA256
a2f4cfc6e1fe0a052929e6207abc5318f16c7650bb39845e979fbae753a2d7e6

SHA512
da68bad124d11f3a930fa2931f0ef83e602a1539f9cb35d7bc3d01da958c8e8a7b55082fe1196f1e189c9e6c23154d1a3c1a2a522a18fa76e60ddc6a907bfef9

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
745B

MD5
31dfcb848c0a40e638c45735bb91dbfa

SHA1
9f33f9dd6bfa4c1af52b22d855fdc487962ce4d7

SHA256
56cbec39e19293c9c4cc832b5ba5308332ba9e6220c5d1dbc435f8d9066ecd38

SHA512
f7b397fec9a1e9fe547e6703620e0dbf798124f7567e53d1c8c2b4ac8df9fa09fda980472db30a3d47303fdb315db624489c8b75fd4e16c1c70adadce9d6ae6c

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
766B

MD5
6547f3fa06184d96d3c9ae895dbc967c

SHA1
e4fd83dfac5318ab1b6f88221aabc1e5d91c5665

SHA256
bcd439b30997e5a5581966fd3594d709a139c561f6ca2a07d5ea6363010b39ac

SHA512
e82a4af5a18c9516130b9b89c656915749ddeceeb879687121a1ce9cc5dcf127621280b0f3403d4bf3f058b78cb83f509f94af8fbe747d9d257c8a70a7a42c35

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
832B

MD5
e12d6e5f6520d8a6f12544c3065cff32

SHA1
fb9d47bf944dbdb353ff0e59bb1a5ac6c253c3b8

SHA256
0d0cc650b5fd67f55e57f3fd790f41ae3921bcd0ca843e33cb76e0421f84fa69

SHA512
4bd54799512e752af97c92a35850e75cd580061c517ce703496992cc4aab6295eecbfdcd85475483c85cf99ad97806a5100e3337590f238a77359f4e1cab3114

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
312B

MD5
0c04ad1083dc5c7c45e3ee2cd344ae38

SHA1
f1cf190f8ca93000e56d49732e9e827e2554c46f

SHA256
6452273c017db7cbe0ffc5b109bbf3f8d3282fb91bfa3c5eabc4fb8f1fc98cb0

SHA512
6c414b39bbc1f1f08446c6c6da6f6e1ceb9303bbf183ae279c872d91641ea8d67ec5e5c4e0824da3837eca73ec29fe70e92b72c09458c8ce50fa6f08791d1492

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
468B

MD5
c3297484d57139edab0a593b3d0c42c0

SHA1
8a710043a499fc3831f1bc410438a13cad1f87d1

SHA256
1e66e73342de1aacc0762a6dc69c1b4bfaeaf53fadaee5779880405b65a66c3c

SHA512
0432dfebd9ac349e50e709b11bef4d4ad3ad9cd317261bbf0ab04bf3a5a24f491fd5f83944f067113f03bb524687c58ed8a5b39696a75c8e197fc2ba580c0113

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
2KB

MD5
219965f71a2153272dc451ec3d2f3b8e

SHA1
9a318d74a2dbb766343030aefb130556baeeded6

SHA256
76e8abaf5253a12fdfa7246a7eb9bb7100f3e874cdbabd132335865f7b61dd68

SHA512
582a686d8fd330a63dc7a1d4a8b56ad82bcd74a70f5611d84f8b2a4ae9dcc13b882f5c2773e91fd0f0cb4fb2e23e90ba56c14fe16ae7536c2f3dfa91555ee59e

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
6KB

MD5
7ffc25760eb78cc5407d3e4e87d3b28d

SHA1
c767835156cbb22bea26969e768763892551a2ba

SHA256
5c87bd6b9129f9d5507574adea7f4b559a22f347689ec47584adac8ac215a72e

SHA512
b00f0305ac66f1ed9b8043c78a91ecb59791d5a36be0bb14cc4b0f8fdbfdecd47e8d7939ae33f6b315ae80bfc2f03f94dd1454cf1c26d815d3e699fc39659e1d

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
679b6c0e35e2704824a3da7c53657b1b

SHA1
6f09c400d2b427bc4ac48f46865d0c59a6c17d3f

SHA256
d943f13fc971d4b9994784277fbff634e59d5ab38ad6cf0bef18f26d2dc3e03c

SHA512
3a97cf94b342b015d11a0d03f975033cf24c2daa1163533e1fd22a38dfdb6aa4f9bccc231aa0cd16ea3f1487f9c8defc96abe731aabb31c99e53fab38966ac0f

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
6KB

MD5
77bd3b79e5c3fc5a2158bd310790736e

SHA1
545fcba45bd962c774583a9625618d2b8b2814e6

SHA256
33c1230205831b37a00a3b4eb9afaf717373b0072f94f021bdf9152e6bd6630a

SHA512
8d4053f83dfef584db6559498747e82dfab4f8ed263dde092919c3b724cd7f9f38d41f144e002523df09950b0d47421cca53852df109c18f562396d71386330d

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
7KB

MD5
979cba928e809caecb14fc03a2bb54d5

SHA1
59f8cea7b8d5c377b0ba38afd51aef8fe6ce9f53

SHA256
e56c5a086c8516e92f26da84b8cdbbe8f74faa7727f5e037342c19395ad74df1

SHA512
726be6ad111e24563c61e200758d8997d4c4f6cadcbe88c85ba8f017a2917a38aa41f2df79e97f23051a4625b4ff97b9e1d7b0161644e94e3fdf1ccb3fcf0ff8

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
ce6438d1b8143334cbde44610d9f631c

SHA1
6180d7a7274819e7674b9f1174fad99c5ff0033e

SHA256
a955403282cfd44b9e4f1bbae1402366b3fb28db2e833520cba838859578e1e3

SHA512
d7060a001ff6ff89de41529d236b12c893ee699f650d5fab871dac1f3b0d2ded4966a3469be9869f263f793524085e44435986c21904960361b93e0facaeb7fa

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
8147a980fb437abe77a3b799d51767ed

SHA1
b3c7898342030b44ddea5d8432b70d290cb9a6ed

SHA256
bdb71240294e5cc1c2eb0e9dd2b320db4ffb9a3c4bff3b45e8253cf925ced256

SHA512
cabc89f1b7f6bff0557c1477a63876801f60a957d5ab81c50d71d4ba31c2af3fb46ec757e4fa45f3c7a10722b23010d89c9ed68618ebef77a16d49c401161600

Download Submit
memory/3104-1-0x0000000000310000-0x0000000001A83000-memory.dmp

Filesize
23.4MB

Download
memory/3104-0-0x0000000000314000-0x0000000001569000-memory.dmp

Filesize
18.3MB

Download
memory/3104-5-0x0000000000310000-0x0000000001A83000-memory.dmp

Filesize
23.4MB

Download
memory/3104-233-0x0000000000310000-0x0000000001A83000-memory.dmp

Filesize
23.4MB

Download
memory/3104-234-0x0000000000314000-0x0000000001569000-memory.dmp

Filesize
18.3MB

Download
memory/4732-40-0x0000000005370000-0x000000000538B000-memory.dmp

Filesize
108KB

Download
memory/4732-44-0x0000000005370000-0x000000000538B000-memory.dmp

Filesize
108KB

Download
memory/4732-43-0x0000000005370000-0x000000000538B000-memory.dmp

Filesize
108KB

Download
memory/4732-19-0x0000000000310000-0x0000000001A83000-memory.dmp

Filesize
23.4MB

Download
memory/4732-235-0x0000000000310000-0x0000000001A83000-memory.dmp

Filesize
23.4MB

Download
memory/5024-10-0x0000000000310000-0x0000000001A83000-memory.dmp

Filesize
23.4MB

Download
memory/5024-12-0x0000000000310000-0x0000000001A83000-memory.dmp

Filesize
23.4MB

Download
memory/5024-236-0x0000000000310000-0x0000000001A83000-memory.dmp

Filesize
23.4MB

Download