bed33c3732307e19e9a702e7ff179180a7891b92cb879a5b758021eefc68a99b

Analysis

max time kernel
291s
max time network
301s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
09/09/2024, 12:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

AnyDesk.exe
Size

5.1MB
MD5

e6f473bd5340405656209e620f43068f
SHA1

c144446dc23c86c7c9b26ce87c3176866372f6d1
SHA256

bed33c3732307e19e9a702e7ff179180a7891b92cb879a5b758021eefc68a99b
SHA512

2e9065caeadcef0edd1e8e8fe3139e0fc5a9dd46011dbc0a4666745ed817cfaf6f859c9f1b5c1e5e957476cb16b42dcf14508594e44f2a059706865c19866a4c
SSDEEP

98304:H/9YNbhcFtvWK+XJURR51NX6hzzVwDmIoEWXF5fX+LWHF7uCf:HCNbhcF1WKW6whfOjGvAWHR

Score

3^/10

discovery

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AnyDesk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AnyDesk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AnyDesk.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AnyDesk.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	AnyDesk.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
3016	AnyDesk.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
1612	AnyDesk.exe
1612	AnyDesk.exe
1612	AnyDesk.exe

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
1612	AnyDesk.exe
1612	AnyDesk.exe
1612	AnyDesk.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 3068 wrote to memory of 3016	3068	AnyDesk.exe	30
PID 3068 wrote to memory of 3016	3068	AnyDesk.exe	30
PID 3068 wrote to memory of 3016	3068	AnyDesk.exe	30
PID 3068 wrote to memory of 3016	3068	AnyDesk.exe	30
PID 3068 wrote to memory of 1612	3068	AnyDesk.exe	31
PID 3068 wrote to memory of 1612	3068	AnyDesk.exe	31
PID 3068 wrote to memory of 1612	3068	AnyDesk.exe	31
PID 3068 wrote to memory of 1612	3068	AnyDesk.exe	31

C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
"C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe"
1⤵
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Suspicious use of WriteProcessMemory
PID:3068
- C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
  "C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe" --local-service
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:3016
- C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
  "C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe" --local-control
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:1612

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\gcapi.dll

Filesize
385KB

MD5
1ce7d5a1566c8c449d0f6772a8c27900

SHA1
60854185f6338e1bfc7497fd41aa44c5c00d8f85

SHA256
73170761d6776c0debacfbbc61b6988cb8270a20174bf5c049768a264bb8ffaf

SHA512
7e3411be8614170ae91db1626c452997dc6db663d79130872a124af982ee1d457cefba00abd7f5269adce3052403be31238aecc3934c7379d224cb792d519753

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace

Filesize
7KB

MD5
9e10c20b06c9ae96e580ddfbb0ebb2e3

SHA1
0f9d58e5aaa309edeaab103a6eab82aeb29d13d6

SHA256
863b6bb5a4e840d0419bbfb4f412a314b24abd0973864e3a33a58fbd6c505447

SHA512
de2c085ca5656bed51c16baa8aed3522ced0da7d0914f224c6acb5cbc14055f3865fa056add2a8a4530a01b1498d788df77ecbf9fd925c29df202023a9b5843f

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace

Filesize
7KB

MD5
a47ba4a4591211d5bd9ed17232376342

SHA1
3190a8a265ba901a4f8b18cefc1be26a81378bc0

SHA256
0e6ec5f7c8acb41964c3752690ef8a52e58a10825aacac80713f708adef115d9

SHA512
0d141a1400586153954470c14bd2370585419c5e649ea080603ea1b3165a06391fcdd668c6506128f9837df281ff563bb33fb313315d6dd4f4d995e659f34286

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\service.conf

Filesize
2KB

MD5
d28550706593968e743bf0666fbc65ff

SHA1
b11ac998ff8a67f550fe1bef9b01b7c569cb7381

SHA256
0c0d0d2ad41fba4f3e862cdf0604b288a65d3a04f0fc991d96af107ee6749420

SHA512
5b7c3f2efbfb64084c9cf0b2e0b84e52ebaf242e7f46ca2e3aeb9b7a7982e33424e30f7592d426e6eadc1a4e1d278fbb69e4f007b7e7cbdb43819aed49c2f201

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\service.conf

Filesize
2KB

MD5
de44dcbac1f57389cf787c03bbbf588c

SHA1
f1d4ed66fb28e1b607dd40d32ef15353632053b2

SHA256
af50fbf5e66f204b003ea417cc43e06032dbf0813b809edfdf4c3d8aa3f907d6

SHA512
10ee08a240f49123e7de2dfe19233b0f174558af94c0773d3c8607dccb8e7fa30eadbfddc2c6807c07d14d8d8c8ac22ab600e0c20a5b9e429ae363e9dc0e8864

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
745B

MD5
9bc7848545765779e39920934b7582f5

SHA1
3866ec1bb5ccfed1ac2ff8592b1b85ffb6dbd46c

SHA256
4da1f7ff925c558b3c3fe2dcdc2fab3c1b52b21c93c2972268ff99d103a74c9c

SHA512
3bc1dd7035807148ab9cb5a607cfecd26718902148ad59bc8e216db58fca0c8f8087a37d578084aafe88f709835ca86c7ec3a86657f77e3af972238556078bb8

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
766B

MD5
2c726f9670234285988c34ca5d852064

SHA1
fc19951899eec212e017c560695c29bf3bea9a9b

SHA256
07b6725673092ea06ce1fa1f3f06792424da6fc8d6665bc8c37310832878cf30

SHA512
50e58d9da08afc6f1d0f46cdd80666bf4558f20ef602c119eff26a177b7b3986534170cd2026b1f2a0ad7b7aa6aab70aa9c84792cb18272ba22472d1fda9472c

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
775B

MD5
01484a940b37eaacdba92dad58eddeb3

SHA1
db818ad938bb44e35423d47a0392c7a8e1e4db60

SHA256
e611645166948d51e044e831924dde00e240d342a8c1a5c530ec70031da0fdd5

SHA512
6484f78b2c504d915bcd142fe1ea05c2a5ed63ebb0f46933f1c1ee42a5f947ed10673b4623d818fd5657650bc018d05919497ac7a5d340d474f2f179dd087622

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
468B

MD5
187af6054b26a7c45ad4c3e09d1cc251

SHA1
1f80c9bffd145bd50e77effc5daa384e794c0ff2

SHA256
4a19edb213f1a6d71d6f59c7846aecf92197023b97a9f8b92ec90f092ae74e63

SHA512
f1403863c788670874362031d9251f3cc64522a27eb65c86074eea07709bca628c0d95adb1b64cdd09db37a4c731f68006960e8d1661ffcb915a06b730e223ac

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
468B

MD5
988bc85c70f2842f4edae98c04c8a616

SHA1
b1d3aa2968bd0a78fc2dbaff39df8334d3ee30f9

SHA256
8cbd4c9e1ea5df3252c4bc31123f6b5500da1c24bff528c036f53feb373c2f86

SHA512
0bd988d75079abb1f3fb8840a9466bbcbf4e135d9afbd0437d3822b5b0502e03def3efd13081f360ed0e9b69ef38be4119b40d83e98868aaf1d62dcc0b7cce79

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
2KB

MD5
3a158fcca8c863d9e123510e345b483f

SHA1
9dc825c872699ff98200f06e60e63e67c83bb014

SHA256
cc67d5137c9a9f6eecd5f83f036682c47cc8237b357a48f2c5c7433dc28c3717

SHA512
a17f3c1752c55cf701849b23deef5eb81103157bf64a64d3ad0ed35117701cd8166db0f64d2ec32d43a9d03067bc0a5fccf2cede861401f49a3e73471fa71aa3

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
cd6bee4187665560d8f73da996760da2

SHA1
92fe74c9f34ba887d7fb02ddd18269891068d661

SHA256
2c45ea6bc7748ff9b8e0aef4eee06f05507813f4ea6d30c74f9eceeaed997b78

SHA512
f3370fad0dd27310f75dc0f6aa5cb915a82dbaa0bfc489ed9589153074628d1907710539d1bebf6d379fc93f0abbfff40655438430bac242a7273c39d4b5fefe

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
2KB

MD5
9fd2fc6428bfc7eb1249b09e6c205655

SHA1
3addcde9c586c7181338c8158469661b64f31446

SHA256
5e7c7f247e9304a153825a118b1658531b8cceea1972b8a6636d6d95c19924d8

SHA512
f5a998b96e839cd0b92c857e39c320e451355b721f9d94e10440131160b6fa8a86262064d8b7577543348ef920ab5a6395459471152bcc65fdc8c30b5e9af233

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
3KB

MD5
4fa215579871eb922bb7cf8485638165

SHA1
8520acaae77b1fdfb7d99c3554216a46a84fb491

SHA256
e51e32e26c78608e567d0128a442bec8f73a742c8e3bd3b5e6bb32f82af3c2b0

SHA512
7216ef2913089e130efc012e3263f937c0933cb113a7d71341705d87f939989264ac8ac823ccbd460dd0a6b8835c95b71aaa3d25a6e7a84a0e0fde0085aea98c

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
3KB

MD5
7d148dae2be97fdd8dd2f87fa5c5d02c

SHA1
c0ccf33f6b286bab015dbf409d1c0e655c0d744c

SHA256
9050899ec71b10fada012106f6ea0763c703aa499749adee4f839bf9a3b1c96a

SHA512
520c50392a18bc86565d6fe1203dc68380b73cde81675534db7164e763230b2226e863a4b1e08eded6416c25c4b514a97af87eff61384c98175379e07cd20c56

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
3KB

MD5
b77996843f65fd3113b30708c1420979

SHA1
0360def23610caf369d5d3f46a12bc3bccc124a0

SHA256
726c52c2e8875d16a34b3a7f9395a5e6b672edcb4151b7b70df42185058ead50

SHA512
e05e385018e68cc41456ecdb0313a3567e96abcd457d8ee08d39f97c1a519ce8cb0a208fd8dc955862a2d0b1e1aa73fad6551873bfd442c416c4ebb87ed4982b

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
7KB

MD5
40e76f3ed3012be282c6cce13a8d0a74

SHA1
8c55153529a5de32f9e0fa99e93cdb342e2bab30

SHA256
d936c13257e32a572931f86c6fa0ceeacd028229f9a33d485d0c8310af0627fc

SHA512
68755d7fc9f4f5b0b518249893c4ac3eb10f7feea29d30829ed87d36c24965aa0b558974bcc27477de59b40e65af81a0be4e31d8fe8486cd42d8e208127c74d0

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
f0459bc8da8cdb3dfb2404afb3421e55

SHA1
e6f0931043bffbde1edd501be5d0bbf568005aeb

SHA256
80002c539c9602c633151a5de4587da1ff723f934b6529f9c4cee063ebbde6d6

SHA512
9426289b1a7008daaa2eebb1c578c7ba9f06722f5da53251fcb112c55f886f5f5a6e76bd8c4235048637b43cf94098e04e8404cb27ceb71b4e138419802b4d4d

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
5e1eac697daca2f0d8c59de51b1fa189

SHA1
f87fe38eb20b552185e5c0c380aa1e14da2681d6

SHA256
4c7bff6b79690cbc0e33a9974a9a5a3e797c14b43881b33938aaeb0ede2805c8

SHA512
3f1aa2c33b2b697331484edc35900e2403fe6472ee54706e47652739afd2ebf73c7c4f7b93681f20a9dce2c83beda8c10605515ab2a1a56263bb26e6624ecebf

Download Submit
memory/1612-118-0x0000000000270000-0x00000000019E4000-memory.dmp

Filesize
23.5MB

Download
memory/1612-268-0x0000000000270000-0x00000000019E4000-memory.dmp

Filesize
23.5MB

Download
memory/1612-10-0x0000000000270000-0x00000000019E4000-memory.dmp

Filesize
23.5MB

Download
memory/3016-117-0x0000000000270000-0x00000000019E4000-memory.dmp

Filesize
23.5MB

Download
memory/3016-267-0x0000000000270000-0x00000000019E4000-memory.dmp

Filesize
23.5MB

Download
memory/3016-23-0x0000000000270000-0x00000000019E4000-memory.dmp

Filesize
23.5MB

Download
memory/3068-2-0x0000000000274000-0x00000000014CA000-memory.dmp

Filesize
18.3MB

Download
memory/3068-7-0x0000000000270000-0x00000000019E4000-memory.dmp

Filesize
23.5MB

Download
memory/3068-0-0x0000000000270000-0x00000000019E4000-memory.dmp

Filesize
23.5MB

Download
memory/3068-266-0x0000000000270000-0x00000000019E4000-memory.dmp

Filesize
23.5MB

Download
memory/3068-109-0x0000000000274000-0x00000000014CA000-memory.dmp

Filesize
18.3MB

Download
memory/3068-116-0x0000000000270000-0x00000000019E4000-memory.dmp

Filesize
23.5MB

Download