bed33c3732307e19e9a702e7ff179180a7891b92cb879a5b758021eefc68a99b

Resubmissions

09/09/2024, 21:19

240909-z6ktbssfnb 3

05/09/2024, 18:47

240905-xfehhsxhlc 10

Analysis

max time kernel
42s
max time network
40s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
09/09/2024, 21:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

AnyDesk.exe
Size

5.1MB
MD5

e6f473bd5340405656209e620f43068f
SHA1

c144446dc23c86c7c9b26ce87c3176866372f6d1
SHA256

bed33c3732307e19e9a702e7ff179180a7891b92cb879a5b758021eefc68a99b
SHA512

2e9065caeadcef0edd1e8e8fe3139e0fc5a9dd46011dbc0a4666745ed817cfaf6f859c9f1b5c1e5e957476cb16b42dcf14508594e44f2a059706865c19866a4c
SSDEEP

98304:H/9YNbhcFtvWK+XJURR51NX6hzzVwDmIoEWXF5fX+LWHF7uCf:HCNbhcF1WKW6whfOjGvAWHR

Score

3^/10

discovery

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AnyDesk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AnyDesk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AnyDesk.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AnyDesk.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	AnyDesk.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3124	AnyDesk.exe
3124	AnyDesk.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
4608	AnyDesk.exe
4608	AnyDesk.exe
4608	AnyDesk.exe

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
4608	AnyDesk.exe
4608	AnyDesk.exe
4608	AnyDesk.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 5104 wrote to memory of 3124	5104	AnyDesk.exe	86
PID 5104 wrote to memory of 3124	5104	AnyDesk.exe	86
PID 5104 wrote to memory of 3124	5104	AnyDesk.exe	86
PID 5104 wrote to memory of 4608	5104	AnyDesk.exe	87
PID 5104 wrote to memory of 4608	5104	AnyDesk.exe	87
PID 5104 wrote to memory of 4608	5104	AnyDesk.exe	87

C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
"C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe"
1⤵
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Suspicious use of WriteProcessMemory
PID:5104
- C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
  "C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe" --local-service
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:3124
- C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
  "C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe" --local-control
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:4608

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\gcapi.dll

Filesize
385KB

MD5
1ce7d5a1566c8c449d0f6772a8c27900

SHA1
60854185f6338e1bfc7497fd41aa44c5c00d8f85

SHA256
73170761d6776c0debacfbbc61b6988cb8270a20174bf5c049768a264bb8ffaf

SHA512
7e3411be8614170ae91db1626c452997dc6db663d79130872a124af982ee1d457cefba00abd7f5269adce3052403be31238aecc3934c7379d224cb792d519753

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace

Filesize
9KB

MD5
8d998fb60fe59cb45ecf6795260195f7

SHA1
7546d53ab97d5538c80dcd5e4811b1f563f8a82f

SHA256
deba1548ba5a700717805f76da8eed3fe578d8cf766eac41c03b790ba7a242df

SHA512
b93c685817da02e24251b7b2085c38b162f70e318e46bd5236828e0da0d7b232f34655aac7bff221f8526ab008e4afe898114b92d2653f47d86c25cb7fa4e96a

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\service.conf

Filesize
2KB

MD5
96eba753730035e161f4da24171a89a6

SHA1
75e3f8221760c36d30f30d1710a4825614e8acdf

SHA256
7673c4f49c18c2e876a6199d4df87ca0d8af9115a008ef991ff903a8380d2d9c

SHA512
1db28ec76cbf4eecad637ceb682ee70444da8fc3711d588f1e3b7d122689c1249a7f64933fd5a9cf56188fbe65e70d6a8739c7e2ce1ccc4ba1bc907d8c8a86b2

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
745B

MD5
3090c0f82465819c8410bd1d41479fec

SHA1
8535d0c2d85c4a6b9bfe672e16304fdb53b3467f

SHA256
92139be0871068e5d9ed85f55eb460f3a18046b0b76e7d328b4d210c6cad1ace

SHA512
42ee9f8815f16d3e87960c9aaf88f98d5c54529c39a67950d7e3e5e8854fe9195eddc08b1316f9beee55dd45e35b19924b1c4e8aa8b0bff290b8ebc8015ddd72

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
766B

MD5
62ecb7b57055e52a0138671a06080461

SHA1
1d04bb28d7c162f234dac4fb6e89592d0612b095

SHA256
1234f32618aa64f6a57aff784c304249adabb18f166775816530b1efbe0ca54c

SHA512
839aa030c12b1d0e487dd3b551281a9b3bd60ffd331ec378fcba936a4bd25edde11947ac7ba5d6cedd5baabb96b653634fc756c93f4bf9037e162e46b03fc5ed

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
775B

MD5
6eb4ea7b0237712d8cfea15afbdfd561

SHA1
fc98a8244715659251a936b7849cd565cc891faf

SHA256
5ab8d6f81efa0bf9996f9c35b210aa18dac664730c63b2a4eb8ff2355053d370

SHA512
3cabee12804abfdb9817cdef97418119e07347c12c6d0fe7d5379418a2089e3300eec6903e99ee42750cbe1a1f7da6353a39e2dc0fa106f526ecf03df0a2240a

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
832B

MD5
8946fd67763399a9e9e1df3b59ca2d81

SHA1
9ef1d85a16d58c4a899427978735583b73e5aa32

SHA256
210b59f2d588c394ebb55d0f888a41175ba2358df5da1fe17a54e2feac822cf8

SHA512
e9c2a39aababb2c6441ca429f0f22b22ef21075c3a5bded9c8122bf3e6906bf378684a824a9e1297134fab22070134680b1be9368a4784b74fd476b3e69547cf

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
468B

MD5
8c368b96e983a5d8ba99546d6c58bc00

SHA1
6098965473dc7ca065bf57c3bba42f9282d7a3e8

SHA256
872f885d801f8cc15a843f5083fa947238868ebbe2e65aebca92c891728dbc18

SHA512
c6a4fd027b658538160414dcc071cdd7f2b7580cd73991f6165eb5ea3d4637e60aaf46b22f119851e5d48d9260dd6c08613c085345360da486064540351eb9a7

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
468B

MD5
c5f2a62ba835ef9eb5a5a807212d18e8

SHA1
3d2085e35001dc5c0258e1e0e5555891ca6c1845

SHA256
d039cffa1c8d0ebe7964a32979d4bec557f0f8202d2670fa3e32c0648232e765

SHA512
925f4f779fc1599790a57f4c438c7a958bcf1b2ab0c9ce781609ec19b64da1ccd8e29c29a4d53cbc82ab73e7be37e7d65e3473310b5d952634d7449727db88af

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
3KB

MD5
30113781f05449c664972a9c7745086f

SHA1
8fb65f68a65a28ff9b93255f6a32da3249ff365a

SHA256
987ff2727835ae2057d16d3786b0a1fb944b5f77d5c3631831bfa739329aeaed

SHA512
41efcf269f441beb5bf00589c078ce172e56a5dc78662ea1adc00ddd23c70a92247544555f96c8c0638c951dbf6d10c53aa76fdf2ffb75c693307e520aa33bab

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
3KB

MD5
c5d3ed4b7672cd64b1c9a1e36d888cde

SHA1
b2abd9bc04653e3a27361b4ea2399b03fff95b1c

SHA256
edb9aff30334248b3aab70d375a6d761362b5172f684d2d0c9a4092cd940fa79

SHA512
15885956702ab3ab8e18aa793ac3ae7af35ae18eaa74eba19bf8d5cb40bc5d7457c96bf8bee9aa1b3bee4b35fb2bbfb3f029af986972c89fa2f2195a98e86b39

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
a0547ada0a02c9fb41e8fdb2a9e9c415

SHA1
a0ec26f5b5cafbc75f86d571ddf2252da1ce12de

SHA256
d08473a6269d7b4293d804bc4b72bd29db34dae2fe3c331d7a5b3daba79b1085

SHA512
31c59842547a758591ee1800decd6eb724f0342c165df41f85fc9f932d49c585ab235a90ec049f23fe0d84471ee102277ed5de114cdd68c8732c4283a4632617

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
3KB

MD5
1df87ee8e6a9df77ff625b80b16be10e

SHA1
a001715f36952b57abc48a376d5f6e121fec89d2

SHA256
2a91d2fcb4c230c71a4b9938e866df5a64b028edd0f42a9e23e8cecdb4787fb5

SHA512
798ed14e73a7e04b4f12d48052ceedf2ee5518004af11b1eb94e8ecc3ad74c98eeb9e5be623169075a3073f5f49666ea9c2b61f81abfb0803646be05ef83c659

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
c4e10b96cd6aa3076a684750ff663709

SHA1
cd054ee9d9a8e91065d00eec114546ef663643fa

SHA256
e3f366f8ff7195526a7b2c3b03b907d31a9e7b0839a002b8a12199e0811d996d

SHA512
0dca0c2d47970672ad7c2058c67632f4ce0a7c322d0a4b295b51e3c9e7c7663a46c0e1ce956264eef081ea9ee15e145cd5380e5363ac9c21ef8125742c829339

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
60d713dc67659ac5004c1b26a659374e

SHA1
59db1e6e70e3f150b5522a10171d270033205e53

SHA256
9553433da9461645cde7ec4d60491be16363e6b79271b2a786673019db2c629a

SHA512
50ecf9acb0fdf94fdad16ac8370447642a186cd6ebae38f22700d4a2380d8e2fe155286a788dbf452833af06a2c0c0bcd390e5b92813bf3e2f9378a7045e762c

Download Submit
memory/3124-10-0x0000000000380000-0x0000000001AF4000-memory.dmp

Filesize
23.5MB

Download
memory/3124-44-0x0000000005080000-0x000000000509B000-memory.dmp

Filesize
108KB

Download
memory/3124-12-0x0000000000380000-0x0000000001AF4000-memory.dmp

Filesize
23.5MB

Download
memory/3124-41-0x0000000005080000-0x000000000509B000-memory.dmp

Filesize
108KB

Download
memory/3124-45-0x0000000005080000-0x000000000509B000-memory.dmp

Filesize
108KB

Download
memory/3124-178-0x0000000000380000-0x0000000001AF4000-memory.dmp

Filesize
23.5MB

Download
memory/4608-13-0x0000000000380000-0x0000000001AF4000-memory.dmp

Filesize
23.5MB

Download
memory/4608-179-0x0000000000380000-0x0000000001AF4000-memory.dmp

Filesize
23.5MB

Download
memory/5104-2-0x0000000000384000-0x00000000015DA000-memory.dmp

Filesize
18.3MB

Download
memory/5104-4-0x0000000000380000-0x0000000001AF4000-memory.dmp

Filesize
23.5MB

Download
memory/5104-0-0x0000000000380000-0x0000000001AF4000-memory.dmp

Filesize
23.5MB

Download
memory/5104-176-0x0000000000384000-0x00000000015DA000-memory.dmp

Filesize
18.3MB

Download
memory/5104-177-0x0000000000380000-0x0000000001AF4000-memory.dmp

Filesize
23.5MB

Download