734f3577aa453fe8e89d6f351a382474a5dab97204aff1e194eee4e9fdff0a4a

Analysis

max time kernel
141s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
12/09/2024, 16:40

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

AnyDesk.exe
Size

3.9MB
MD5

bca01af10aac7833188c47d7fec17196
SHA1

7f7898da333b924bd358aeb9936a944eb8bf3c09
SHA256

734f3577aa453fe8e89d6f351a382474a5dab97204aff1e194eee4e9fdff0a4a
SHA512

4429536226a6f3e72d008525c99bc0e676973be04670f7bb49f93ad20e7c8957ceb945c9eeea3ff47e6a751525976b0f4702e90d682940d225d6cb82a6567032
SSDEEP

49152:6ZeC+Xpi5ZnHuNO7HrDequJVU6GTTC/gZAjj4agcXz75rtelRqEiruLh3fZlTP5t:cpfn7HruwEk00agcD7fkRX6uRfZrnAnC

Score

3^/10

discovery

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AnyDesk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AnyDesk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AnyDesk.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AnyDesk.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	AnyDesk.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4856	AnyDesk.exe
4856	AnyDesk.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
3520	AnyDesk.exe
3520	AnyDesk.exe
3520	AnyDesk.exe

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
3520	AnyDesk.exe
3520	AnyDesk.exe
3520	AnyDesk.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4232 wrote to memory of 4856	4232	AnyDesk.exe	86
PID 4232 wrote to memory of 4856	4232	AnyDesk.exe	86
PID 4232 wrote to memory of 4856	4232	AnyDesk.exe	86
PID 4232 wrote to memory of 3520	4232	AnyDesk.exe	87
PID 4232 wrote to memory of 3520	4232	AnyDesk.exe	87
PID 4232 wrote to memory of 3520	4232	AnyDesk.exe	87

C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
"C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe"
1⤵
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Suspicious use of WriteProcessMemory
PID:4232
- C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
  "C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe" --local-service
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:4856
- C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
  "C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe" --local-control
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:3520

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\gcapi.dll

Filesize
385KB

MD5
1ce7d5a1566c8c449d0f6772a8c27900

SHA1
60854185f6338e1bfc7497fd41aa44c5c00d8f85

SHA256
73170761d6776c0debacfbbc61b6988cb8270a20174bf5c049768a264bb8ffaf

SHA512
7e3411be8614170ae91db1626c452997dc6db663d79130872a124af982ee1d457cefba00abd7f5269adce3052403be31238aecc3934c7379d224cb792d519753

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace

Filesize
9KB

MD5
c363ff764a4068a5c3b328dbeec17e6b

SHA1
987304cfe005fd95319101919fd1d77ab9b669c1

SHA256
b9f34dbc16401cc380d09369e694c41dfcfbb9b450abdade998d9a11a4c406ae

SHA512
afd5140ea146fe456e0222b2ce4d10434ee9bf1a24ee1b0edb3fbda23716f28701cb87bf0fb2d25b64705263cd6860108cc91042036f4fc2c3bce7ce7cf6d291

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\service.conf

Filesize
2KB

MD5
42fb1777290da6fe8bec06c57fd45430

SHA1
dadd310a7428a03182a436623e1e0016f4ab3ba4

SHA256
327398dc1497176088588320c401ce541bf8c1a7d0956d629e5559090306b1f0

SHA512
1dfcac06191d9768d1f497e79be4aa3a5464abc98073564202aecffc53bf9f0f1302d891155c09cb902bbf06b3c94554549d1c32240fcdc535b7174b54dea0e3

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\service.conf

Filesize
2KB

MD5
074006ac0bec8ae48eac217430a4501e

SHA1
98d56eac60527a8dd01195b5cd89a88ee7e72e71

SHA256
133fa58e26ce5b198773c636a91379be611930a0b4104e1a7da23c37ebf0d692

SHA512
a1dd3529b0dbd562a68a43db4ebad125e5403e0e48b891e0873dd03c4e4e9556c79fcf1745f5f7353541b02914982ceac300555a622a0ae25c2d4a26d6583814

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
681B

MD5
eb66a55a8d79b8b3b2e70753fa1007d3

SHA1
69dc3864a24a067275e9e8e4707a69ae8db15495

SHA256
6d52e8db0f1bc2245827448be5f7c3443f8d0f886204cc1a993128b476440f22

SHA512
51cb7083d3827c4ad3892fed867fb4b5e1c668b545d4ce2248101659b4d5de3679b6fa2c4e2960fa5deeaa171a657ea7759a0dd3cbe2e10debd65173b65234b2

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
738B

MD5
5799c609b0ee7c1de69ea2b2a15f1763

SHA1
ecf1c5e03e639c7a4b7d8666dcf20be586fcfcf0

SHA256
452d7bb86b0253c1ad2f73d74cc8fa5b9cfa4610cc5e19f1891bc245a638c61d

SHA512
e8c4ce851a2d2246a8f4dcb84b976fc7b75b9dc74ef8f9dc988f9ca437a6a2b7d32545874581133faab6e7d1161a69e7d896bb9a94ab859f461ae46583cdf484

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
312B

MD5
0c04ad1083dc5c7c45e3ee2cd344ae38

SHA1
f1cf190f8ca93000e56d49732e9e827e2554c46f

SHA256
6452273c017db7cbe0ffc5b109bbf3f8d3282fb91bfa3c5eabc4fb8f1fc98cb0

SHA512
6c414b39bbc1f1f08446c6c6da6f6e1ceb9303bbf183ae279c872d91641ea8d67ec5e5c4e0824da3837eca73ec29fe70e92b72c09458c8ce50fa6f08791d1492

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
424B

MD5
53bcbde30a306d9224ec04541a415382

SHA1
6ade320b3f727b093bd42d3fdb44bd269b9cb489

SHA256
f5612e43d1d29e6bbd672669c2e269282f32cfbd1b0f213da020c4742f159f8f

SHA512
468de63fe096537ce4633f8d595636afdadc3009a2a25d916c77dca5a1cec12915e4c44eee8e5abc285daa14eb0788a1bb7f557fb03421168c86b9b25f655b15

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
3KB

MD5
ad2c67329f284a066ce509da6cfa67c2

SHA1
90eed753b91482d4a4d46ca1d6028537c16fd10f

SHA256
b453a1dd88427f91a900a696e58a0171d04d03a4f1e9a968d707be72a49cba4f

SHA512
e8733a52effdc144cff1f10bfc17532bbb25027f9fa137addb26abcd73485d6f69ba0de61d89afca7d90a8e503d58299b918ed73d366b9ba29993d6d3642d165

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
0bd4ffedda2014ea9e9d6bb380298595

SHA1
378e8ebc8de6719640ed41037d267a6cbfbcf5d2

SHA256
73760be1752a66fc27f4aea780bf8b46fe9a87a62cc32686571db92928e365f6

SHA512
8a8d9a43395eb02fc902425bbb9edea917ba021d68fec3c4e429b259ee614b06d7f428ae56c87e07d01cdbbe401b166396f0390bab229a7a87af1280775b1e68

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
3KB

MD5
063e8ba1f0eabe94bb92065d3c693617

SHA1
5261cca4e1d732fdffac22eb7cb986efdb434b9f

SHA256
0b19751fb1f5e03e2582ed6ba67b7861fa242befce72bff6ed2d7dd210e2aab2

SHA512
a606a20a88a38d3750b2ed7130902faa18579dbccc41908d3da960bbf4788f3efb605be839544060bfe65af3a0e3c1416e32036d8714f61c2b656eb75c013b38

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
7KB

MD5
713d5aa4f55f468b650fefe13d8ef995

SHA1
cdc45b309ea345556c9047d94cb92c3987196681

SHA256
25335777dfdc7416c3e8231c69fef248b535dbd3b0e09068db970918bb8dedd9

SHA512
6860efa50df44b3a8837e5a485a8b92c4b5f6d4d87989188f4119593476bafc6d1b60a37529323d2f80d4fb38e99bd3b6889cca0e9fe4dfedebe5292a5a156ef

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
cff82c05149d8aa65c9ea640a00c9b78

SHA1
8dc338bbdec4863c3c56e52265ca34b4300b9077

SHA256
a8b05bc962c978ed1543c80b977a666628a677521af903167288a1c44a6f8ce6

SHA512
98768be5fc55f84eec6418739df5a2ad3693dd9f255886a6041037bd61cebea38e6dda6e5be38132420c5a42fa39e4a2732d7ecbbba65b7583f60df46e2b9fd5

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
ef71b4c2b17a88cb0d4084777fa9eaad

SHA1
7ab4de1a85cf930befc4918525a8cea60a2302d9

SHA256
873e4ff08f4d9f98ccc9a95c4cad71928503fc0d270ab5a1ef49ee3f7fdb6205

SHA512
92aae79461fb62903d76c23c977dbde4063397b25632b5b7dda22437b959823cb01967659ea67cb4c0b1fbceccaa67a946a246281ad1c7a40be152938ad4a53f

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
44de1a9fa338353376ebab1db00edaf6

SHA1
4e8a79b71b4a9f5cea9389d59077d09f4cf493e4

SHA256
d486eee1277f80994a4ef242e46d7005dbeb161ba7573e462e40049855448b8b

SHA512
62d73064bee327136aad0cc66adf1bbf2f5298d23fa68bc1ce616e1317c5fbd7874462058c3ca25a7940c17997a9ce3488accecd0c7023e87ecd5cb47ce65cc0

Download Submit
memory/3520-220-0x0000000000CE0000-0x0000000001D64000-memory.dmp

Filesize
16.5MB

Download
memory/3520-9-0x0000000000CE0000-0x0000000001D64000-memory.dmp

Filesize
16.5MB

Download
memory/3520-194-0x0000000000CE0000-0x0000000001D64000-memory.dmp

Filesize
16.5MB

Download
memory/4232-3-0x0000000000CE0000-0x0000000001D64000-memory.dmp

Filesize
16.5MB

Download
memory/4232-191-0x0000000000CE4000-0x000000000198F000-memory.dmp

Filesize
12.7MB

Download
memory/4232-192-0x0000000000CE0000-0x0000000001D64000-memory.dmp

Filesize
16.5MB

Download
memory/4232-1-0x0000000000CE0000-0x0000000001D64000-memory.dmp

Filesize
16.5MB

Download
memory/4232-0-0x0000000000CE4000-0x000000000198F000-memory.dmp

Filesize
12.7MB

Download
memory/4856-10-0x0000000000CE0000-0x0000000001D64000-memory.dmp

Filesize
16.5MB

Download
memory/4856-197-0x0000000000CE0000-0x0000000001D64000-memory.dmp

Filesize
16.5MB

Download
memory/4856-219-0x0000000000CE0000-0x0000000001D64000-memory.dmp

Filesize
16.5MB

Download
memory/4856-23-0x0000000000CE0000-0x0000000001D64000-memory.dmp

Filesize
16.5MB

Download