bed33c3732307e19e9a702e7ff179180a7891b92cb879a5b758021eefc68a99b

Analysis

max time kernel
593s
max time network
599s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
05/09/2024, 18:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

AnyDesk.exe
Size

5.1MB
MD5

e6f473bd5340405656209e620f43068f
SHA1

c144446dc23c86c7c9b26ce87c3176866372f6d1
SHA256

bed33c3732307e19e9a702e7ff179180a7891b92cb879a5b758021eefc68a99b
SHA512

2e9065caeadcef0edd1e8e8fe3139e0fc5a9dd46011dbc0a4666745ed817cfaf6f859c9f1b5c1e5e957476cb16b42dcf14508594e44f2a059706865c19866a4c
SSDEEP

98304:H/9YNbhcFtvWK+XJURR51NX6hzzVwDmIoEWXF5fX+LWHF7uCf:HCNbhcF1WKW6whfOjGvAWHR

Score

3^/10

discovery

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AnyDesk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AnyDesk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AnyDesk.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AnyDesk.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	AnyDesk.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2844	AnyDesk.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
2796	AnyDesk.exe
2796	AnyDesk.exe
2796	AnyDesk.exe

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
2796	AnyDesk.exe
2796	AnyDesk.exe
2796	AnyDesk.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2172 wrote to memory of 2844	2172	AnyDesk.exe	29
PID 2172 wrote to memory of 2844	2172	AnyDesk.exe	29
PID 2172 wrote to memory of 2844	2172	AnyDesk.exe	29
PID 2172 wrote to memory of 2844	2172	AnyDesk.exe	29
PID 2172 wrote to memory of 2796	2172	AnyDesk.exe	30
PID 2172 wrote to memory of 2796	2172	AnyDesk.exe	30
PID 2172 wrote to memory of 2796	2172	AnyDesk.exe	30
PID 2172 wrote to memory of 2796	2172	AnyDesk.exe	30

C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
"C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe"
1⤵
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Suspicious use of WriteProcessMemory
PID:2172
- C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
  "C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe" --local-service
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2844
- C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
  "C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe" --local-control
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:2796

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\gcapi.dll

Filesize
385KB

MD5
1ce7d5a1566c8c449d0f6772a8c27900

SHA1
60854185f6338e1bfc7497fd41aa44c5c00d8f85

SHA256
73170761d6776c0debacfbbc61b6988cb8270a20174bf5c049768a264bb8ffaf

SHA512
7e3411be8614170ae91db1626c452997dc6db663d79130872a124af982ee1d457cefba00abd7f5269adce3052403be31238aecc3934c7379d224cb792d519753

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace

Filesize
5KB

MD5
69e0d5ce6e1a2859258ecf576b59a2d5

SHA1
3097eb65ccd48f5e7b607bc0c73a6bce9d99cdf6

SHA256
153ef465e8c84624438b38a11bf3b32c4c9d0e12d66f479cd0e65d72494665d7

SHA512
384b9319419e4d470bd860396ee03b629b4257e4fb8328abaa298fc83c8f160ed9d5138acbe01941fc1a2b004a0605bfbeff2d1abfe56aaf0b30b39b79141671

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace

Filesize
10KB

MD5
02b6be6bc452073629e7a7e244a1c4cd

SHA1
08792588e8a0dfdf2c64b4684c5d3dce61f8ca8c

SHA256
9fb36d135902e4e1a01dc9a7a6ccb8f98ad45be1bd7ef0ab2dd9b5043948a30b

SHA512
bf0de6e1f16d375b9d46b33df48816005a2276e6f009712c106ae274a4bb60d2eb0f4c34bcce8c56a47d11e2c12a9ddbc7d86b60b7b722b51b7d0eb8f9413ff1

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\service.conf

Filesize
2KB

MD5
d94974a9f3425df91c9a9cf8025177d6

SHA1
98ad35731292472040e61986135b22e5ecb2e494

SHA256
19c2feebf572f1034021868e85f759e601063a5a7a7bccc476fa54611d27b621

SHA512
e5991d13b947b10ac01a82d6b0953e7242c5c07e6f75ee6806c966d651ca6bbb9fa8e3c1a4d1976088d1c0a4b305e2aa4671582324a54530d5266be36f344faf

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\service.conf

Filesize
2KB

MD5
264210943691430c1f99563bcf2540ac

SHA1
537d989813c7149b45697e8f9e90dc5438c79d8a

SHA256
d890770729fa56f6c56397de86912968e39da178cb40e54fb9be9352f1f50668

SHA512
fc00eebff03cea8acde36d549d79288cbe348d5bab36de295f6968d22fdba2627648d19a48e3ca4645b132645c9ab530a764882ae353bd77c1b7895e33a06980

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
697B

MD5
8bea1594170a5df094a2a65de8c926d6

SHA1
223f9ff228282b4933f40c583b5498636a96cbc0

SHA256
cd8de62412cede6a9b7feed966ef2bd69b2cd89df508c593c84e84fe2ff1f48d

SHA512
429499b46c92008f36d38377ba9af5a5e0503450ca7c7669ba520ff7c12d5f7f507659daea666e676f73c3dbc35fd6326926489f65b5ceaa5f5e957a46d1ba18

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
754B

MD5
7264a2860f0ad8355aa2b28d291c18bd

SHA1
22aad05db5670058bc1fa86b7aac6bfa68335391

SHA256
142287208c6bc834123248692d10c4b6f6581a71a906474e0b3928cd691152f2

SHA512
e8614ad4f1e3909b6f03aa2135d55908505bfc13dafbbed2e6c206a00c9d2467d86fc5508d1906cc680031144d7ccdeca9c7fecf9efd32b58b5ef073943eae15

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
762B

MD5
d9ecf852d989d282db8d67b8b0eb7642

SHA1
3dc725b8d0b0005b4a839e47430f2913ab7e9bd6

SHA256
d5b309e226c11986cbbdaccc22d3d16f698e1ffebfaa3e1184daf69c0cb3a2fb

SHA512
ed363fa56feaa7662771c658c3465ff5554b6a9b28ab2c7d90207f5e638890755d29cfdc9bd683bf78b18d3f5c3b8e45d5bc2ba541e8739dc538db6752d4a973

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
831B

MD5
144e64acbf6a6cc0fc41f33bc4c431f4

SHA1
f7de509ada664382a57d34191645ce75f4a633c8

SHA256
26917bad5a949f63e0aa12f78dbf6528ec69eb0c03d616d53ba5b1ad3dfce83f

SHA512
8dc28792074ef2d709811a94c94a9f618ce03f3339105fcecdb0d8e2a27efe10a156b3ff3cd22b48280411d1c42f906bf276980589f48ca7c76adb52a73e8e1b

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
312B

MD5
0c04ad1083dc5c7c45e3ee2cd344ae38

SHA1
f1cf190f8ca93000e56d49732e9e827e2554c46f

SHA256
6452273c017db7cbe0ffc5b109bbf3f8d3282fb91bfa3c5eabc4fb8f1fc98cb0

SHA512
6c414b39bbc1f1f08446c6c6da6f6e1ceb9303bbf183ae279c872d91641ea8d67ec5e5c4e0824da3837eca73ec29fe70e92b72c09458c8ce50fa6f08791d1492

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
468B

MD5
dc796c085d54635a55a097e6538607db

SHA1
4bd01b7c01a289184a24cf33f2722578d202b11a

SHA256
cdac599bde4174827b2e66ff620b34907c7e1747195fc75cec5288487e743a9b

SHA512
310fb1e3b971797d064ca61e56e88a63df3a1d1ce086801c54082cccfdd1e75417a6a8ffa37a0b127e2ecf1db14c3bb8f53ae03926c76ab575feb82bb06476fb

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
468B

MD5
59acd8aed772f51a377243e1d13e7a56

SHA1
497efdd28c40b688a0c872785201b346297b3e6d

SHA256
7e27f74492c0aad59ff1e72143f3100632d7a12011bcdb970dacbff00021b58b

SHA512
87e09792dd33bfbe8992ccb1b5bca943c07afb7ca8e4c4bc49f1f694d5f9feafdfc75a7e2d63b9e056a2cda26793aa9a58928dd1d40679a96b03c71c1f4cf5c0

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
ca96bbfa1265f7a23094ad86e1b6dc89

SHA1
3b5bf8786dbf22e9e36e135670d6037e7016b4a8

SHA256
f0076c84e94c33fe9cf1e0b366a9db032eb38274eae9e67940d017097873c8e5

SHA512
178a9204e8ca80363e6b06e0da3b99310687fa5f2445d96cdd85cdfc6fadb333a125dbaae60024af6d502cfe99369fb7ab2dc322d74b475e0f016aa5addcc177

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
2KB

MD5
a5ff2802063a6f6b9417de01d3860d80

SHA1
951b5fdce531c98c0ba3f6e01b4bb8ebb34d0a4e

SHA256
a273a5593669aedea4ac604b49d8c51385a3a631a7a94e94547e64d712ebbc4c

SHA512
38e77b662fe09f21d3fd0e968d47c0a0d886e9549e510198086c345b8340eeb7e19d8281b94d2d57338d5324b6d6a14b0e7eedd8aab4f37e8b09365f05020464

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
2KB

MD5
003c396cc2dcd1844f8b0263af169e12

SHA1
a17db7eb46e2cde5606ea753fec7b93e3ec6dc29

SHA256
ac5dc5167ccf6ddb4ba7d998b97608ff1c1ddfd041526475119d7f6d85173bc9

SHA512
091a1f09d8c780bc30c9e23e57cdd8999d8d2be9e2c599c59ede48ebfdba007a48411dd3b5d3408d3c139c3078b437f41722d1a259a489e9c188734fe5f3b761

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
3KB

MD5
695171697bd1769b356d59e53e0aee51

SHA1
4ab05334dfa7e69bff45eb8072aa19d288ab293a

SHA256
0388a91463941d9701e35008d9fbe8a29b0d1ca1b001a0abed1960f2012a4667

SHA512
53058dbe04ad815345b8ebba9b3af3d3a38e3fa567a1058b1ecbe18516f6102cbdab08afe3321cc97c3de8c6f7540f439371298b4dec5dc3a85009c9bfd06845

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
3KB

MD5
b97193e4646c8e1cf32881a33bfd1331

SHA1
66b6ac0c213bcebf7d37cdf99f72ff3d8e994ad3

SHA256
4ea7e96e0e9572402d68f90d3b4f643a46331a901825935e6807f1d33fa7bfd1

SHA512
ecea583565f4c24cdee940080857ab163bf4a24dee572067024a447f9515187544e401fc3d407c6281e8dc0079ba2139f120b243ee40dfe33fc83108a764b2c2

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
3KB

MD5
3ddb0b490299739c32fd2bad18121b23

SHA1
5267e7ce82fb42e781b70fc0287cf5df39e80828

SHA256
614505a66f410e1873a42a8ae78ea6024a9a046c49b6a99d93061d91d7efc8c8

SHA512
051877c8a9e9985d1e84aa5a476f0f11fc8107f6929e7ddd5f0c17a0abc610d156d63be895bb454e415c13ef910c54b178d5f1ccb54d2a37d1b0cf86a8265b74

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
7KB

MD5
659eedae690cf48bd8b50c3ba2e303de

SHA1
8a21333376fc63c0f9135a9f1d83b47719fa45de

SHA256
4064642415c40859c97dec7662e4bb72c3c2c10091297729994dff6c85b9e755

SHA512
029378a8c655b2615a4075d155221354dcbc52f93f4c049d2f5361e87a710600897e03934f54a7f9f289c88756f931fc04dde84f60c4044a54c3ea5ef86c109a

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
6KB

MD5
487ccea1098d9043cac88360ff196bea

SHA1
4e6ef77d8dab7a850fb5e7433ca7c324f3b6ef3b

SHA256
5d04aedbf77856cc9bc6bd5fcc67f30784e60dfc27bb036c87109f26eb48b9c5

SHA512
9e5e7139ab43087756fc5a661f69707f4cfa685e2790b8d71cf7b0c63c3e3a2bd2128d46c03922548beed99a4cdf35594edd153052e18232c49e724958fb7fea

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
6KB

MD5
d246519e0324380cd9a53c81390f74f5

SHA1
5754985fe564bf83720ec15fe2d6fbfb696ebb8a

SHA256
709c1ee45d4c2c64c4c5b165866308e27c1e1635855b024ba92847434c2f3277

SHA512
133faf5681e0b11c9270a32a2d0226a9eab03fee50f999ea3f4628c4bdf4c2b0dfead8f9b260a9a3116abbeff202e6bcf0aae0adb7fa1c3c232a38bf12e34a68

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
7KB

MD5
fe7404236d2051c1f4ae80717a8f11ef

SHA1
777437d27595b87dce5e50b5bc2c3495221e0fa9

SHA256
9140aa35a31c8733395a2baa67c5a15d974f91dab4b7cd728419e29a7f5d5db5

SHA512
a9a02283ed578808128062d773646631a33300924e0c5441c41fa08eb3f90abdb8523fecad9a65a5e7fd890f2c8ffaafb140898d5a7cedfae8bdbeaa1935c47f

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
ccd7dfcff57bfe8f9a7ae20a78c78cb0

SHA1
f6660e387087a28331b6fa056e447922377a20d5

SHA256
878f16251c2777c641b5de0bc281ca654fedd2b1d1ba86d26a28401eccf07ed0

SHA512
3f0d3ffcd168692e59b19c409a20a3de94f5698084e51e99ffc850624393343b52bac21db1e92746b14640f1c6d1980f6570083cf26d9d874bbbad77072430b8

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
b387a08907bf9c5501ac5d6fb7de2a6c

SHA1
5191d4524cbebded27e6cc86b8cd3741e5839736

SHA256
d0f4edd68a0a7e7c7a20223ec537be0c248c4048a56d633c555e8cbc55a4b241

SHA512
5d1223845e8e38aac78b9ff653999af00c5c141bec17c7e27f3a21370ffc39500839aee7972642a63f314632a016631e5289ebbd116c9e57f34010a1b7b2e3be

Download Submit
memory/2172-5-0x0000000000FA0000-0x0000000002714000-memory.dmp

Filesize
23.5MB

Download
memory/2172-2-0x0000000000FA4000-0x00000000021FA000-memory.dmp

Filesize
18.3MB

Download
memory/2172-0-0x0000000000FA0000-0x0000000002714000-memory.dmp

Filesize
23.5MB

Download
memory/2172-260-0x0000000000FA0000-0x0000000002714000-memory.dmp

Filesize
23.5MB

Download
memory/2172-261-0x0000000000FA4000-0x00000000021FA000-memory.dmp

Filesize
18.3MB

Download
memory/2796-16-0x0000000000FA0000-0x0000000002714000-memory.dmp

Filesize
23.5MB

Download
memory/2796-263-0x0000000000FA0000-0x0000000002714000-memory.dmp

Filesize
23.5MB

Download
memory/2844-19-0x0000000000FA0000-0x0000000002714000-memory.dmp

Filesize
23.5MB

Download
memory/2844-262-0x0000000000FA0000-0x0000000002714000-memory.dmp

Filesize
23.5MB

Download