1d677741ad3e892d6d66d18839957880e9d1344793a1ce1537bf5161a71cdc09

Analysis

max time kernel
142s
max time network
147s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
12/09/2024, 22:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ПроверОчка/AnyDesk.exe
Size

5.1MB
MD5

aee6801792d67607f228be8cec8291f9
SHA1

bf6ba727ff14ca2fddf619f292d56db9d9088066
SHA256

1cdafbe519f60aaadb4a92e266fff709129f86f0c9ee595c45499c66092e0499
SHA512

09d9fc8702ab6fa4fc9323c37bc970b8a7dd180293b0dbf337de726476b0b9515a4f383fa294ba084eccf0698d1e3cb5a39d0ff9ea3ba40c8a56acafce3add4f
SSDEEP

98304:G5WW6KEdJxfpDVOMdq2668yIv1//nvkYCRThGXBJdicotUgwoAo5beyjF:y3vEbxfjf4Y8yofvktkLdurH5iyR

Score

5^/10

discovery

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Control Panel\International\Geo\Nation	AnyDesk.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Control Panel\International\Geo\Nation	AnyDesk.exe

Loads dropped DLL 2 IoCs

pid	Process
2288	AnyDesk.exe
2136	AnyDesk.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AnyDesk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AnyDesk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AnyDesk.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AnyDesk.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	AnyDesk.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2136	AnyDesk.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
2288	AnyDesk.exe
2288	AnyDesk.exe
2288	AnyDesk.exe

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
2288	AnyDesk.exe
2288	AnyDesk.exe
2288	AnyDesk.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1488 wrote to memory of 2136	1488	AnyDesk.exe	31
PID 1488 wrote to memory of 2136	1488	AnyDesk.exe	31
PID 1488 wrote to memory of 2136	1488	AnyDesk.exe	31
PID 1488 wrote to memory of 2136	1488	AnyDesk.exe	31
PID 1488 wrote to memory of 2288	1488	AnyDesk.exe	32
PID 1488 wrote to memory of 2288	1488	AnyDesk.exe	32
PID 1488 wrote to memory of 2288	1488	AnyDesk.exe	32
PID 1488 wrote to memory of 2288	1488	AnyDesk.exe	32

C:\Users\Admin\AppData\Local\Temp\ПроверОчка\AnyDesk.exe
"C:\Users\Admin\AppData\Local\Temp\ПроверОчка\AnyDesk.exe"
1⤵
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Suspicious use of WriteProcessMemory
PID:1488
- C:\Users\Admin\AppData\Local\Temp\ПроверОчка\AnyDesk.exe
  "C:\Users\Admin\AppData\Local\Temp\ПроверОчка\AnyDesk.exe" --local-service
  2⤵
  - Checks computer location settings
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2136
- C:\Users\Admin\AppData\Local\Temp\ПроверОчка\AnyDesk.exe
  "C:\Users\Admin\AppData\Local\Temp\ПроверОчка\AnyDesk.exe" --local-control
  2⤵
  - Checks computer location settings
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:2288

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\ПроверОчка\gcapi.dll

Filesize
64KB

MD5
ecb9969b560eabbf7894b287d110eb4c

SHA1
783ded8c10cc919402a665c0702d6120405cee5d

SHA256
eb8ba080d7b2b98d9c451fbf3a43634491b1fbb563dbbfbc878cbfd728558ea6

SHA512
d86faac12f13fcb9570dff01df0ba910946a33eff1c1b1e48fb4b17b0fb61dded6abf018574ac8f3e36b9cf11ec025b2f56bb04dd00084df243e6d9d32770942

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace

Filesize
9KB

MD5
fe80ee77a7412c0caf48eeb5bcc725bb

SHA1
07c35af7e614f8d40aa051c655185f66a9dc1717

SHA256
dc774a1c310f4dfcb930775fcc51dae5c6d8fc63aea51d89b5765ad5edbb6250

SHA512
e4bc6a5538f0f2c8d4620f31e104da8aea403f80b69e7bd0272e4bb382aa68c608bd99ad4f43a568e060ea5ff66f78989fd05fee4ba47d1d9a2ef6b2ebd8ca20

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\service.conf

Filesize
2KB

MD5
2f2e87f676cc7ec4d5b44e5a3ac64c43

SHA1
c77d6530b3f7cee0215bcac272bd82796567fe21

SHA256
88adbdae572c2ee7ce6a8bfcb722be0e58b7aecb60b17dec877880ac301652d9

SHA512
3ea8c341dbb462f935f4b68124a5d92658837bb39ea7478f4995aa41135171d286a33bf37cb71de3dd91a5e1941d7c2cf1f7914a336345b4c5bd12ebd0ecee8d

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\service.conf

Filesize
2KB

MD5
460ec75be6fbeabe812d3e2a27bea88d

SHA1
2e1c0cb6bebd82ef0f6a5559ab9798749252a1dd

SHA256
8d91a953ccf7a27f00c28fa9c74f811dedca2dab60b1e595ae6f1d432e3f73fe

SHA512
e9fdccbccdc046378ea1541492b3096cd342ae66bb9a8fb62e935aedcd126f750c6f530b53cdbbb910204835e024c45588d06b320e7a0067c1a90fe8f9ef023f

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
701B

MD5
fd054b16b17b77c386028dacb0c08f5f

SHA1
d2e48006f6ac5fc7e278f69b1a3a6d6627a4cd3b

SHA256
41c2261192b3487d9e079e2b775fd075ef34ae8bad05c5944e9bd206ddce3273

SHA512
2f401da2c19923dbbc9c1c242e5d994b148ad98c2c5c54ff8644574511438d6b7f9c2460d33a0133a62161901f2bc7964c1ff936dba0d6a8659d75d7c71d817a

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
758B

MD5
b01eeba22bcdd2ec4086d18c82a3f851

SHA1
8f64369c8e7e7d29ed38496ca4170157a4556a3c

SHA256
99ac557d4eaaefeb46eab1138c65586bf41fcbf4f6efc8047d78f7781ed81be8

SHA512
2904e31c87f2214f7702aed0926622d5537c98e28450bb8c4fd37f2d299b5c768a9dc270f109f641ca529af7c5ba9a876addab1d2259498a7d48e4d4b9268870

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
312B

MD5
0c04ad1083dc5c7c45e3ee2cd344ae38

SHA1
f1cf190f8ca93000e56d49732e9e827e2554c46f

SHA256
6452273c017db7cbe0ffc5b109bbf3f8d3282fb91bfa3c5eabc4fb8f1fc98cb0

SHA512
6c414b39bbc1f1f08446c6c6da6f6e1ceb9303bbf183ae279c872d91641ea8d67ec5e5c4e0824da3837eca73ec29fe70e92b72c09458c8ce50fa6f08791d1492

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
424B

MD5
acb1e12d1e62b64b624b8645faaabc2c

SHA1
85f15a3f7c831b58842ae7f98b4d1200e397338c

SHA256
2374225b02935c413bb6cd00925815f038b29e7a1f7ac55b8857d11ccbefa834

SHA512
3307f1acc8904661e191b15fdcb9fabe3beb311b9f3edcb12dd4a28b4d1aeafd5fd07e0eb11c8eee3494d1336de2b9888f733db78c92ac66b5dd609a0553f0f9

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
2KB

MD5
a724b3aaae1705db1427d87ced91841e

SHA1
c2d4ec94cd7a71430245b7292c85dfe5d26fae37

SHA256
d5812d58379893f6c840509ccbcd3d726cac9a2359aea8ee134f4e637b7692be

SHA512
afb82fdc0c1918446e0f76ae386654bcc8b75e0ef8413229b73c5239aceae4ad5a17a16aebb8660b39609220f0294886371515a46760216748ad26fcf5453f7e

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
2KB

MD5
794a21c40b65d133e6db164f93e83b7c

SHA1
c7db16be543d234650cd33c5a895302c047614f8

SHA256
2860d7a63126e1547971aecfd853ee5135c9d714c263c777e1d50ef084055ef8

SHA512
bc159c682c47d50e08fc4ca58183b0d6ebb2b1faac8f522e468b6ec9cd2dbd1c7770f7b941ed16e2bd9054f54670f51aee642ba75230c00305515d63c72e071d

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
3KB

MD5
726563d982ff032969163543a746479c

SHA1
ec267b68fe4087476836ad9ad9dc5e679f2223f2

SHA256
f2984a7073f73551b2bd503c650af0b0f5bf20f7205060b4d5cebd4013d231f8

SHA512
f45fb4211e8c9c36b52c10b56ab0306507bc84b5d69bdef3388e3a0342ca77abe43048769ef1ce80fa9ec256669a67f231301edf2ad9d0703434cbd69f5c7d9f

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
3KB

MD5
e3dca5f1aa89524abec65b107d3a4bb4

SHA1
af33234a2f905f4bb2775cfdda9b31ab782f16db

SHA256
fe18f4ba547d195c32a4a052a8da217b051050fab583a8f40b47764fcfe9a269

SHA512
87f1b3cc74d3e2ebbeb4e3370e3ae3a83464f30813b856142bd666344825dd24b3cfe8ea835b18b29ec2190ea9862e8e2f792d288da036924337acf0c612198c

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
3KB

MD5
d006211602e9d6960fadef6da6a40cb8

SHA1
640374203eb6df62d8936bebe841e2e4d5aa411b

SHA256
cecc47629e332834115e493f89f988691352d734d980d1e3baed485d831b7571

SHA512
3399fc3bf181756cb908b93e741612b4fe87dc6a1aa7b24223574f2138324efb67afcad1f7808fc7695bfae9ce51e8f68b83a79ea0fa8709eaf28fb2ba9d05c3

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
3KB

MD5
659cd3260cf3acb7dad936296ef40785

SHA1
0320b0c488a18f89eef7320b31b4fc3fb735f4d6

SHA256
19033d0ddcdbb76f4e3780ce3dfb3cdc0d30ab0e7eda5077263e184d2a27f353

SHA512
c8fcb32604bc73d16dbec9f4de2b120d214c86e36e5484c12ac7e2549ca81f011f5de28a31ba1bf53c6bb954407da2294d3ece39b0629f8d65152766f0ed95fa

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
3KB

MD5
717dcbb4c613a3d37e7b09415fb65821

SHA1
25e17450174ddcb266528632aabb764f1ddf6f57

SHA256
0485d0f826b3c9e18372a288f41fae614473feff8379328e8eb7af86bac5c4e1

SHA512
ebf45aba95f718ab559955855e5a97389777cd8eceea671fa220b8322c7f02e707cfca3a594d8ec2e6ebe9de1df89eb619eba95fee66fbdad3fcb647edfcd912

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
3KB

MD5
35b9c05b9e5ce8df0b75565faa36d06f

SHA1
6e5133ea4dae4bceae0340d02a455ec58e531f9d

SHA256
7d81b0dc53f86ef2589180110fa88e4672fc98dacad3c702d4aebd22dcfb04b4

SHA512
5d3c4669b8881fbf93db1b2cea1fef842e6fa0f108e32e2288a0a961bf5460279225d7c2c6e8aa81efe41ecab5cec7bad52371462964912edba96e4599d390f1

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
7KB

MD5
a215d1195ffd67571214a2ff3e0e7a43

SHA1
c213e7f42647252c36c06fb304e1e1719edfbb8b

SHA256
698ed6cc559fdeb2b46daeb7b8c21f81043d1fab450d7f4c6ddefbe7f5cab4d0

SHA512
1c592a9abe5c7f4da8b612697b0d37c21632a407a03f268424e4fd16f212fd15529f6a8d1f8d1502a640d9728aecd85ccf5e30c8e7c1a417862e6cae89712ff8

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
313aae1dfc0911a89e222a7e55a4dd6f

SHA1
46590d2368eb9e9000dda42ac8bbc4fe0023797e

SHA256
df27a5799d65a9aa774700145a1784d1eddca6fa84a314574ba718ffaf2d8ba1

SHA512
867f0b0e616aa9412831c86cdc10fa385d3e190eeb850976302171bc59022c830ecaee60086dd8d97b40cfa5a1d613ee5c68bee7431cfb9a323fe9bc5cd77baf

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
cbb27014501371630ee2af0c59a2a04a

SHA1
46c549fbb5603519d2a8e4981a3926e964b07525

SHA256
29effde6cfe382b7e87fde76b843b87e836c13fd116180ca375658cbbb85acd9

SHA512
1586bacb8b1afe554b7ad4b83d8c602de2e6ce22abcac52b2acb496923a76defb42709f8c4a286eacb11483bc264517c6c5a49d827d3e0d76c2d454e1b15b717

Download Submit
memory/1488-0-0x00000000012F0000-0x0000000002A39000-memory.dmp

Filesize
23.3MB

Download
memory/1488-4-0x00000000012F0000-0x0000000002A39000-memory.dmp

Filesize
23.3MB

Download
memory/1488-2-0x00000000012F4000-0x000000000252A000-memory.dmp

Filesize
18.2MB

Download
memory/1488-258-0x00000000012F4000-0x000000000252A000-memory.dmp

Filesize
18.2MB

Download
memory/1488-257-0x00000000012F0000-0x0000000002A39000-memory.dmp

Filesize
23.3MB

Download
memory/2136-11-0x00000000012F0000-0x0000000002A39000-memory.dmp

Filesize
23.3MB

Download
memory/2136-259-0x00000000012F0000-0x0000000002A39000-memory.dmp

Filesize
23.3MB

Download
memory/2288-12-0x00000000012F0000-0x0000000002A39000-memory.dmp

Filesize
23.3MB

Download
memory/2288-260-0x00000000012F0000-0x0000000002A39000-memory.dmp

Filesize
23.3MB

Download