734f3577aa453fe8e89d6f351a382474a5dab97204aff1e194eee4e9fdff0a4a

Analysis

max time kernel
4s
max time network
6s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
12-09-2024 16:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

AnyDesk.exe
Size

3.9MB
MD5

bca01af10aac7833188c47d7fec17196
SHA1

7f7898da333b924bd358aeb9936a944eb8bf3c09
SHA256

734f3577aa453fe8e89d6f351a382474a5dab97204aff1e194eee4e9fdff0a4a
SHA512

4429536226a6f3e72d008525c99bc0e676973be04670f7bb49f93ad20e7c8957ceb945c9eeea3ff47e6a751525976b0f4702e90d682940d225d6cb82a6567032
SSDEEP

49152:6ZeC+Xpi5ZnHuNO7HrDequJVU6GTTC/gZAjj4agcXz75rtelRqEiruLh3fZlTP5t:cpfn7HruwEk00agcD7fkRX6uRfZrnAnC

Score

3^/10

discovery

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AnyDesk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AnyDesk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AnyDesk.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	AnyDesk.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AnyDesk.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2676	AnyDesk.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
2368	AnyDesk.exe
2368	AnyDesk.exe
2368	AnyDesk.exe

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
2368	AnyDesk.exe
2368	AnyDesk.exe
2368	AnyDesk.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2856 wrote to memory of 2676	2856	AnyDesk.exe	30
PID 2856 wrote to memory of 2676	2856	AnyDesk.exe	30
PID 2856 wrote to memory of 2676	2856	AnyDesk.exe	30
PID 2856 wrote to memory of 2676	2856	AnyDesk.exe	30
PID 2856 wrote to memory of 2368	2856	AnyDesk.exe	31
PID 2856 wrote to memory of 2368	2856	AnyDesk.exe	31
PID 2856 wrote to memory of 2368	2856	AnyDesk.exe	31
PID 2856 wrote to memory of 2368	2856	AnyDesk.exe	31

C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
"C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe"
1⤵
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Suspicious use of WriteProcessMemory
PID:2856
- C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
  "C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe" --local-service
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2676
- C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
  "C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe" --local-control
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:2368

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\gcapi.dll

Filesize
385KB

MD5
1ce7d5a1566c8c449d0f6772a8c27900

SHA1
60854185f6338e1bfc7497fd41aa44c5c00d8f85

SHA256
73170761d6776c0debacfbbc61b6988cb8270a20174bf5c049768a264bb8ffaf

SHA512
7e3411be8614170ae91db1626c452997dc6db663d79130872a124af982ee1d457cefba00abd7f5269adce3052403be31238aecc3934c7379d224cb792d519753

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace

Filesize
7KB

MD5
56ae8c72a18f0cf4e3e2875951112f7b

SHA1
189fc9a4ad4b0318838d9fafb0139600ced6a3bc

SHA256
f8ce17e73f9e0ccad044e43825c9f77e0d786d1b881ceb423d4aa118f17d36c6

SHA512
0dfc4ec6dd09f80d8ddd4e6019f26bae4c63850a0228c1d15ca7cba726f68434f2cacb010aa61a701f54a7061ce0ac7c7d9f366214db6294e36a81752fab3489

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace

Filesize
8KB

MD5
548c055e4a6ef40863193493cea95bf2

SHA1
2a8e0b0e28aef12c48793880b7ad9e11236a9633

SHA256
94c2a44d60a2f1eb7898dc261e3e100ae2a22c0fc521701c4777eae7d45dfbbc

SHA512
b9d3565b1139797b18b67a9cc9d8b4f3b34b8446a27be0d4d9b6018be32c53f88fa9bf02ff6beac14652fa2c11387620c020bafcbdc2fac52036f794f8e22a22

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\service.conf

Filesize
2KB

MD5
5832afb488087b6bdae52e1cd570aa05

SHA1
3baba3dacf1005394e04ef0f35d6498d64bc7587

SHA256
f34f0e1c21e16c8eb127f9e10354b1c6f4b56ebd983f5d87f8371a7ab4fd954f

SHA512
2f7aa1f797ff4ed1874b9a37557136a5593013b9a71b8507c6e84e6742b16e39db10739942e9d4efce36ce2ca22ff8b46317ced54fe0da5a63fb5bd3901e45c3

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\service.conf

Filesize
2KB

MD5
77c8399e17b1571ca69ee08d028cff96

SHA1
2b16b1ed5dfcdae666a0840538ca669cc2d77f5a

SHA256
f9caa97584f251cf5416ec679015fde46884d47c2b83a9df81807400c4d21d75

SHA512
822e65c35c4606452543361a9e8a869ca19ae2d9a659774ae53b0b00cb670aeb796553900b93a7a88b11911d9016d86ba2885ed78406986a63f8a3b79e50d650

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
681B

MD5
29698db4728fdece647dc7e1ca77a52c

SHA1
70414a91d5f49b2f6ec6ec958e002b3e2cf2a2a3

SHA256
c8e48a45466e9a970b89ac7e9771a50a3488b18b7b4a2121a5693914c1336621

SHA512
64fec178487dd5742bfe0b7f178ae816eda5caa24c7bcfc999d76fdd574e5cf3e595ae883956d527abbb4a95b7a7aedfa01b0a96f4350dfa2de9c9748076ebc2

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
738B

MD5
798631787e5ba1dfc103f6a51d9536b4

SHA1
25b2ff38335a0e4954f5c6fc6ab371beb94d9874

SHA256
5bcb2f5f998a70f4ff8a71007c50346db53bec8940cc914f163bcad5f8ba78d1

SHA512
328a735fa6fd917cbac0cdd29839b6b84b2454dd94b95887b2f151b8c57e98c60ae0c4e7342e4743bb7bb746f46e14b27d20eedfc885c037ba33e2b78b7a1d79

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
785B

MD5
9727ace705d5176442a14a2324ce931a

SHA1
bb2e769e33f7b3368a6213e5bf722a8acb852ceb

SHA256
b26a68f02683cfc3a57d448e43ca6b22e661fa3f783b3258d646597f1772b2cc

SHA512
fa1927d0480d90de944ee1324fabadec714392e0156c78d8c814e980e9500562e9ca36c517b5791fa30cb47bee71f6300064aca557ecf89895010880e183d376

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
312B

MD5
0c04ad1083dc5c7c45e3ee2cd344ae38

SHA1
f1cf190f8ca93000e56d49732e9e827e2554c46f

SHA256
6452273c017db7cbe0ffc5b109bbf3f8d3282fb91bfa3c5eabc4fb8f1fc98cb0

SHA512
6c414b39bbc1f1f08446c6c6da6f6e1ceb9303bbf183ae279c872d91641ea8d67ec5e5c4e0824da3837eca73ec29fe70e92b72c09458c8ce50fa6f08791d1492

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
424B

MD5
159eac352efc6d1a498bd99056ce8905

SHA1
83245d409200f9c6a6556a86b21596adf721d863

SHA256
5cb471267589e0609ccf05b90be3865bd69c05b1273ff48ab3d5bd9265b352c5

SHA512
8e19127c29555f27dae07fd7b576f2e7b1a2a676b650582fc28b2992b4f1013f3a94f2311152f38ab7b40963bf7ad39873aedab4b137d147860ec53b075766e2

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
2KB

MD5
7e4f773f5da66cb2ac1902d65bd8e24c

SHA1
8870e6819b7945feaac4e4ba005732ff36e71081

SHA256
0507e5ce6af344c312079f7255b64c1e580e4f169942078f8a38841c3f8f5695

SHA512
5ffffe3f5061e9440c833814e96c7f6af3ecacd6bc4690d3be6f878e11d9c8ce96af303e4283952bcee418635d03afb62c0b262d7ca8a90f41f59499ed7fd36b

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
6KB

MD5
fc64d36fb5997c25c8deb6fb7d2cdadf

SHA1
6531bc8845bf04b2a2ff2d7289854291af69709a

SHA256
18f3063f38d2f452b7ee1de248d122e908317cc48fe9e812992fb082287f3414

SHA512
f1101544984261fefdae73eca71adc171df034520caa30b4f90b9a58ff7a013efa50b32299d76b1744eacdecbdd1576bdb89b9a6ae83d0b26ff0deddbf0b30bd

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
6KB

MD5
e91390af5d2bbe15dcc23ed171ad1a67

SHA1
9dff7caca94e0d89d9b47bbd370aba5dbfbeef99

SHA256
1298b6eb982b9f65143aef7a3ae4f87735d00ad1698061a4ae18d879c2228707

SHA512
65e861d4bb9f0ed3b5d0b1af6c5b2b7c37d305a362a528849453e49c11f16f17fcd6842615da197ffd5c2be9d7958f967e354f6d0d3da7de25e66b238d4613c1

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
645ef44a3ecca6a1b6635ffb4a998dab

SHA1
80e46f9958513c1f0ee26810f7cd215b2fa7107a

SHA256
0db703acb20d017bb4eb2701eacb1cbddb4ee55b364c9c7ab7151eb0267a8ee1

SHA512
70c907588ae9e54a4b160d10694d19e8c51d8180d1db9a454dffa380bf002f81b2714f0d03dbfc2ecea824842377d9726142da332250acd5f1b19f8d37fe2243

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
6KB

MD5
facc1e03eae690ef75c9ad6d732b47ae

SHA1
f1eb9041c539c16575af10307ab7796e566ea9a8

SHA256
1dcc3ffe2a28ea927e19ca4f0262b030991c61c33a84af2f47945381f8cef6df

SHA512
82b7d15448d86f78e59156a181a1d72a16f5c747bf925f858937f3d310f5e3d737f76228acddd6b4a9808dba0c1a2fbaa72435a6a130f98d44e9349ae8dc1a7d

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
6KB

MD5
1540956332773c0638c0c440f2e42e27

SHA1
ea9d74453c6c1af1aaed31d8f487a5b8f428ecaa

SHA256
20b928342d5a71b0f97d2f8e848fcb8c1d9a744a5c961516739be0a838b7cb93

SHA512
c8ca0e8e09c23e41b7345d8a82a98b7e0b7046398cbc2a94c14f7eefadf0dbd2d37ffed5554372edbac12551156c3b7f0055b09aeff22c85cb88f4546f8d3cc4

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
6KB

MD5
fc11f0a5e92bc598e4c259af1e3aeb37

SHA1
b7236bd91ac43830ca953760278f9a968d8c3f95

SHA256
7161b02b8528d0cacf802657cd8d60df5aae68591565f70181451a570c0914b0

SHA512
32b95cbb274d162fa76ae8576bd0e14f6c714cd10c5158e67982da15d77ded731cbb96f65bec56faf6f1604a64d980e0c1dfdb3ab93a24ee6b213a515f49525f

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
7KB

MD5
d4f469fbc5fb0d129a3444953b364f80

SHA1
ab441f5ec344c821033f17f68fe4c4ff2688e5ad

SHA256
13befcbfc0e599f14aa987b8e8f2f6b7a7a88932659781f9dd1e8d94ff61714c

SHA512
2a162c78746f9090199f2d730d42db08b7e14b000f626bf97f1318eeb72072712136932a55d18921e4c8dfa238b432d738b2bfd0884106330dca4944149fa4e8

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
123936015fb474e0851fc7e4c3b0ee54

SHA1
3c822cfbaa788cf2a067b91f352ddcfb4717e3db

SHA256
30e51bf2f4b4f81351f88e79665ac7208f670d7f040ea8c0d1c99876e9cad6bf

SHA512
6f5d86f34a90241267748683c5bac4b27cb6884babd7e7ecbf3a2ff8bfc109277cde44392c9034fe4839346f1b4207abd7e3455a75d4d05a06b002fc40002c54

Download Submit
memory/2368-13-0x0000000000EF0000-0x0000000001F74000-memory.dmp

Filesize
16.5MB

Download
memory/2676-10-0x0000000000EF0000-0x0000000001F74000-memory.dmp

Filesize
16.5MB

Download
memory/2856-0-0x0000000000EF0000-0x0000000001F74000-memory.dmp

Filesize
16.5MB

Download
memory/2856-3-0x0000000000EF0000-0x0000000001F74000-memory.dmp

Filesize
16.5MB

Download
memory/2856-2-0x0000000000EF4000-0x0000000001B9F000-memory.dmp

Filesize
12.7MB

Download