1d677741ad3e892d6d66d18839957880e9d1344793a1ce1537bf5161a71cdc09

Analysis

max time kernel
141s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
12-09-2024 22:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ПроверОчка/AnyDesk.exe
Size

5.1MB
MD5

aee6801792d67607f228be8cec8291f9
SHA1

bf6ba727ff14ca2fddf619f292d56db9d9088066
SHA256

1cdafbe519f60aaadb4a92e266fff709129f86f0c9ee595c45499c66092e0499
SHA512

09d9fc8702ab6fa4fc9323c37bc970b8a7dd180293b0dbf337de726476b0b9515a4f383fa294ba084eccf0698d1e3cb5a39d0ff9ea3ba40c8a56acafce3add4f
SSDEEP

98304:G5WW6KEdJxfpDVOMdq2668yIv1//nvkYCRThGXBJdicotUgwoAo5beyjF:y3vEbxfjf4Y8yofvktkLdurH5iyR

Score

5^/10

discovery

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation	AnyDesk.exe
Key value queried	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation	AnyDesk.exe

Loads dropped DLL 2 IoCs

pid	Process
936	AnyDesk.exe
1192	AnyDesk.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AnyDesk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AnyDesk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AnyDesk.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AnyDesk.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	AnyDesk.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1192	AnyDesk.exe
1192	AnyDesk.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
936	AnyDesk.exe
936	AnyDesk.exe
936	AnyDesk.exe

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
936	AnyDesk.exe
936	AnyDesk.exe
936	AnyDesk.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2828 wrote to memory of 1192	2828	AnyDesk.exe	86
PID 2828 wrote to memory of 1192	2828	AnyDesk.exe	86
PID 2828 wrote to memory of 1192	2828	AnyDesk.exe	86
PID 2828 wrote to memory of 936	2828	AnyDesk.exe	87
PID 2828 wrote to memory of 936	2828	AnyDesk.exe	87
PID 2828 wrote to memory of 936	2828	AnyDesk.exe	87

C:\Users\Admin\AppData\Local\Temp\ПроверОчка\AnyDesk.exe
"C:\Users\Admin\AppData\Local\Temp\ПроверОчка\AnyDesk.exe"
1⤵
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Suspicious use of WriteProcessMemory
PID:2828
- C:\Users\Admin\AppData\Local\Temp\ПроверОчка\AnyDesk.exe
  "C:\Users\Admin\AppData\Local\Temp\ПроверОчка\AnyDesk.exe" --local-service
  2⤵
  - Checks computer location settings
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:1192
- C:\Users\Admin\AppData\Local\Temp\ПроверОчка\AnyDesk.exe
  "C:\Users\Admin\AppData\Local\Temp\ПроверОчка\AnyDesk.exe" --local-control
  2⤵
  - Checks computer location settings
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:936

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\gcapi.dll

Filesize
385KB

MD5
1ce7d5a1566c8c449d0f6772a8c27900

SHA1
60854185f6338e1bfc7497fd41aa44c5c00d8f85

SHA256
73170761d6776c0debacfbbc61b6988cb8270a20174bf5c049768a264bb8ffaf

SHA512
7e3411be8614170ae91db1626c452997dc6db663d79130872a124af982ee1d457cefba00abd7f5269adce3052403be31238aecc3934c7379d224cb792d519753

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace

Filesize
8KB

MD5
7791f8d6774bf59537b3ba4f8d5c216a

SHA1
826b37a92eef321b5af7e6a1bd5583c35a20ad4b

SHA256
0d64d488d0b8e62fb4ef21b046f2ba2b437f77b528c700c5205da188345a53dd

SHA512
e142a34e0f90955bcab5cdc9a30b2abfcfbdc7b6eca83e762740704285c93d65661be428413fbbd8cd4d31d0d87a62d1c1803408c978eace6e641f5df959688e

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace

Filesize
9KB

MD5
29b88ecd151a51a285002ed2973ea903

SHA1
fc6f6c5df62d4d1ca4a6f55012c7c2a07eef9e7d

SHA256
567a903334dbfa8253d0431697dfdeb85c4aba851c7181116eab94941dd96e86

SHA512
442f648399327a08cdb245ff6ed3a29abce9f0f6f3c6f0c7a8df1a7d149ba329891f8e135803d5f715a340ec4fb26103c39e1b34fcc3c8f95a574b430279f031

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\service.conf

Filesize
2KB

MD5
2d106ea37af491affa51b9529399b2e9

SHA1
4f41724e813dcd99475917d2c1eceb3b1f92c074

SHA256
c6e7f0f96778dd62382e08a15e3ef44131f4cff5d9f80047e03cdb33f31f3a3a

SHA512
9e3c8db82e3c2ae466d9731cfc31d9841e338e384bf20b083b740154554d01be64b1ae4604ec8b8ab3286f9bec70f22fcf36707b868fc92355bb573caa4c2f22

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\service.conf

Filesize
2KB

MD5
39a583b7e0365c956acd8e521189ae24

SHA1
b54a9acb073298f1468f9605fc658781f3528fbb

SHA256
bff42feb32b13f90da5b9f7808c9b06f79a0c55ddc190cfe46015a92d43d272b

SHA512
ffd5663f310c0cb7cc95c456c36b70f823713ee66ca5b301a1208e768d3a056001e42157fa623d940d55b267ed4a3d49404eacab7724063676502e711374cac5

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
701B

MD5
58d4b3ec2f3f32be567f682bde5c63e9

SHA1
856151c79a7a6dd1a2bdcaf9ae93b229629d025c

SHA256
18db32bdaf258e588c9fa6a8663cf8f7199e0786ee973623f3b8a05c7d40102c

SHA512
ee2623ad9e6210d0918d6b6f43f4cac5a7d7438bc308cbe891a3a121a52d7b7e2f97fb5dc87f82f223ce1d2f6af3dbba5726a28c4ca0f39a6b413a7b85ccb7e4

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
758B

MD5
1a7a7232d2ef3d987b509ae316387f68

SHA1
cac112889de43d33c0df0d3cffb9ba9023df7db7

SHA256
4b3d058679ee961f0b1a5877bdc00036a5c515ffda43de155bd7225ebac30bac

SHA512
2d368628ab00bf0e53dee92cfe316dc43a984051f5935cd555ccd2abcac0b0910203115bafc7b797c67b475c592de681f94d8ca8e0594772b1f493553f6b95d8

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
312B

MD5
0c04ad1083dc5c7c45e3ee2cd344ae38

SHA1
f1cf190f8ca93000e56d49732e9e827e2554c46f

SHA256
6452273c017db7cbe0ffc5b109bbf3f8d3282fb91bfa3c5eabc4fb8f1fc98cb0

SHA512
6c414b39bbc1f1f08446c6c6da6f6e1ceb9303bbf183ae279c872d91641ea8d67ec5e5c4e0824da3837eca73ec29fe70e92b72c09458c8ce50fa6f08791d1492

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
424B

MD5
4875680703a7cf7308324db1bf232a9e

SHA1
6b87e7f1964ff18f235b69bedec0a260fe4b8315

SHA256
5349cf767b280bb8930ec9acecd7dae64676af996a1f2d81435788b4032385bd

SHA512
c8e44975263df9797f293e7ea9cba344a98161d2a3a53c43a0201a5e0b65dd6ad838d36b825cf56e4f933dc4cba5556e510343a5869c3df8c807b11e98149ade

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
2KB

MD5
7a6b8a973ec9abc7378fc66b537956c1

SHA1
72a7ce2242e04f79b11b412bc51640adb158c2f4

SHA256
7526eaa79042269586f358b55a3c57b56dc59cefa7478edc2c3325936a25ea4c

SHA512
9f77c6cf1f1e48b1d32199137b9cd76473c4d6062128582c1051e768359739afffb29f05ed87be0c99c87a131c4c3bb3156ff54696bfed243788f34908e69e36

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
3KB

MD5
ba9291df2808600a2142be548c95212c

SHA1
904b81ee068c8e5609fab058916be16bd268b413

SHA256
a908f4160822dafba0fe8c2875e70f14e48f383bf0c974d7aa1afbd24752170d

SHA512
039f08aabb2fb551ce9f327c942e074574ee65d142f64789e2ebd7f0b3bbe82a9b76026bbb5e5f4c4334cdab5bf4a9baff8cc25272825ed026a611fc47cba6c7

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
6KB

MD5
5793dc3675dacc06ce7092ea0771d431

SHA1
8c1e503641b6cf9a54a041d7ec3406ba6b25f4f7

SHA256
39912ee25c943a75e3b93b3b0769e2d679009ac9706f70cd0de7035f600c31ae

SHA512
b9466cdbd17cbe9aeb18ce083ecdc49e445dd137bbe2430b723f199f45435667f8cfb1c3b0cbd6e5130951fdebda191b83fb3cf11dedb01dcc88539294c75fd0

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
6KB

MD5
d7dcac0bc2804fa930c8a6272c13f3b1

SHA1
e1c50d78ce1cdb2142c4419646ecad1aa5d852c9

SHA256
b584c26cd48f05ccd8e4ca8ca7acf535d83704fe323e0677950e2d69d6479a1d

SHA512
811ed506436b3f1bb790da8ef5d15d6566c6957b8b13865a2d61223fcb2359f15fe74079baa59cc55634c09bc1f36c76eab39bd8949c6587a124d2fe98986a3d

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
00de2e12f0e360a697ce334057b9ea8f

SHA1
4d38f70586d70b4a208856b9a0cfdd35b3c7d1e1

SHA256
6cf47028f7a267be0c94c60dce13d57a6dd33aa9348abe2cfab2a3ddfa0165b4

SHA512
ebb96181d26e59f21aa200705b25963f5035e73eb8ae4fb2e78bde198fb1852dbbcde1e6ef88786df0ca8380afdfa7fb1dd1c6e9c98a2e1f8e501805345cb002

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
6KB

MD5
eb6e24acded9e12a68bdb56dc05f86a5

SHA1
114c54caee492739be6405187a5f0a3824a8deca

SHA256
14df047c52c0a539369cde0aa473b05320cdba4d2a4638cd7b79621be2d2e72a

SHA512
23db4cb99df6dbb85ef3ead0ae26a0ae8d6ea8bbb078a08ccd7b483ed5119c1fd6c44f7e984dd4ae8a98ecf565139911eb327b0478a2e7b22374785c830a69d0

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
6KB

MD5
a44e9c3879f0c31dab0fba70165a8a83

SHA1
a89aea0c0a0714fffa19823e32c01296a4135dc6

SHA256
e4375a154a6549e57f06e8e41c2f25f887d60d473cb858e290aaf3518b3c0bf6

SHA512
8bb36c64977eed3d098bfac5b339a4efdd4e7ec717e6410cfb384e6e96965abbc7dbae1cf2e2cb4c25ddd76427ffb354e78edb43bb186e8f2635de352af90272

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
7KB

MD5
19d0e3d8cebc631ee72ddf0bc6fcbf08

SHA1
832d7752b14a6c2fbdbad8d8b8216660a3bf1c82

SHA256
f880c02a3d73928dc150cd0c673ef3b48af5741fb5c28272d424bba4e72a31d8

SHA512
c9ede0b03497f09f070a2689c71b2e1f7cea648da40e3b3e44c805f379dc4fefb3a96b6c38b203854f8f90978333156ebca3cda29fd40ecca08274913602dd8a

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
70da2620285ca38df63d599361ff81ca

SHA1
0a620b8e6e0f7a4337f3d1bd7a7b12954ae5ce3a

SHA256
fcddc002bcb245ca8399b342735eacb9d807c2577e3dc6c3c8626ae822f21bcd

SHA512
7a9073eda24edd49e6957de2d3a66f0d347bcda89aa0e71c8f4c0a1f58f53ffcac0126e3ef80afd4b107a8bc9419472e059a62909399fd16a236cf76c495f9fd

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
d9b15f914c7da5aa60f3e62a6670841b

SHA1
f0d296581b758cbb3e4834a7ba153edbe8843b8c

SHA256
14b09d778137db84f0832b1a07d9f208956e9fcabb220e77a74c60d69e418bc5

SHA512
545b9b97e43ce3fa82da27c206b92326b809cad0e81e40178cd094ccf568dea0f16b6bb07bf1bfc7132ae87a81b192b0837a3aca03f811d0d7b8d8fb01c697c6

Download Submit
memory/936-245-0x0000000000260000-0x00000000019A9000-memory.dmp

Filesize
23.3MB

Download
memory/936-12-0x0000000000260000-0x00000000019A9000-memory.dmp

Filesize
23.3MB

Download
memory/1192-22-0x0000000000260000-0x00000000019A9000-memory.dmp

Filesize
23.3MB

Download
memory/1192-10-0x0000000000260000-0x00000000019A9000-memory.dmp

Filesize
23.3MB

Download
memory/1192-244-0x0000000000260000-0x00000000019A9000-memory.dmp

Filesize
23.3MB

Download
memory/2828-1-0x0000000000264000-0x000000000149A000-memory.dmp

Filesize
18.2MB

Download
memory/2828-243-0x0000000000260000-0x00000000019A9000-memory.dmp

Filesize
23.3MB

Download
memory/2828-246-0x0000000000264000-0x000000000149A000-memory.dmp

Filesize
18.2MB

Download
memory/2828-0-0x0000000000260000-0x00000000019A9000-memory.dmp

Filesize
23.3MB

Download
memory/2828-7-0x0000000000260000-0x00000000019A9000-memory.dmp

Filesize
23.3MB

Download