1a70f4eef11fbecb721b9bab1c9ff43a8c4cd7b2cafef08c033c77070c6fe069

max time kernel
1791s
max time network
1802s
platform
windows10-2004_x64
resource
win10v2004-20240802-fr
resource tags

arch:x64arch:x86image:win10v2004-20240802-frlocale:fr-fros:windows10-2004-x64systemwindows
submitted
27/09/2024, 17:39

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

AnyDesk.exe
Size

4.8MB
MD5

ecae8b9c820ce255108f6050c26c37a1
SHA1

42333349841ddcec2b5c073abc0cae651bb03e5f
SHA256

1a70f4eef11fbecb721b9bab1c9ff43a8c4cd7b2cafef08c033c77070c6fe069
SHA512

9dc317682d4a89351e876b47f57e7fd26176f054b7322433c2c02dd074aabf8bfb19e6d1137a4b3ee6cd3463eaf8c0de124385928c561bdfe38440f336035ed4
SSDEEP

49152:meqV5ZTNR7GCogeeQO+f2roC8b9vIT2jDKW4q8TrdzRplNOBLE7Rm1ebw4Tf/Eex:cX1T7bL0KrCqKDV4Jnd1ZOQ7R3rr/f6K

Score

3^/10

discovery

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AnyDesk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AnyDesk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AnyDesk.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AnyDesk.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	AnyDesk.exe

Suspicious use of FindShellTrayWindow 5 IoCs

pid	Process
1144	AnyDesk.exe
1144	AnyDesk.exe
1144	AnyDesk.exe
1144	AnyDesk.exe
1144	AnyDesk.exe

Suspicious use of SendNotifyMessage 5 IoCs

pid	Process
1144	AnyDesk.exe
1144	AnyDesk.exe
1144	AnyDesk.exe
1144	AnyDesk.exe
1144	AnyDesk.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4648 wrote to memory of 3952	4648	AnyDesk.exe	82
PID 4648 wrote to memory of 3952	4648	AnyDesk.exe	82
PID 4648 wrote to memory of 3952	4648	AnyDesk.exe	82
PID 4648 wrote to memory of 1144	4648	AnyDesk.exe	83
PID 4648 wrote to memory of 1144	4648	AnyDesk.exe	83
PID 4648 wrote to memory of 1144	4648	AnyDesk.exe	83

C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
"C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4648
- C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
  "C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe" --local-service
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3952
- C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
  "C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe" --local-control
  2⤵
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:1144

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\gcapi.dll

Filesize
385KB

MD5
1ce7d5a1566c8c449d0f6772a8c27900

SHA1
60854185f6338e1bfc7497fd41aa44c5c00d8f85

SHA256
73170761d6776c0debacfbbc61b6988cb8270a20174bf5c049768a264bb8ffaf

SHA512
7e3411be8614170ae91db1626c452997dc6db663d79130872a124af982ee1d457cefba00abd7f5269adce3052403be31238aecc3934c7379d224cb792d519753

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace

Filesize
9KB

MD5
858edb1f8abdb291349496e0ce7cd719

SHA1
a880cde38a3e86a998243c4510a123a6e31c93f0

SHA256
c8bac595683bb9b248893042926c5333d89e59929de334c2f69f243cbbb903a5

SHA512
6528822d1288384c79a514f713a6f3cdeb25fedd95811d1ce577f4ba692d656da8bbeea2a1ddbfcfccb432e97f59d116e9175e4f8731355a06ee857b6f3eafda

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace

Filesize
9KB

MD5
28595cb5394449a100189abfc75e2466

SHA1
34a0772b869c5e3e64ebc544313ac3683054dd59

SHA256
c01234918a0364abf828ed22a3447ddfba3cdcd9cd0ef9a8266afb7ffe24b8aa

SHA512
106a5ae131946c2e3efe6c47d5fc5ca7b4683fdfede81168ca71f5e4d5b826c98f6f711dddedb787b7782082cd2a0c072c49dc6e73586ac509c814bb6ca45d03

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\service.conf

Filesize
2KB

MD5
ddc1b9dba7b89042d9f3bed2ab4bc05b

SHA1
4b07d4b8e27ebe61d737d1c696b77c276787b9d4

SHA256
a1fd33a4e171fbb1901d4caa60115909eb059c9d18fc2be115f19de183115a4f

SHA512
bd5de247ee249bc1fe96cb8f3e905a9ae2a617a4fea26c90584a0cbd5f0587f4aaf4dd3584b95705b3e3357ee98a23eb7b91eede5eb30ca1ee63d7a86bef7e10

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\service.conf

Filesize
2KB

MD5
191ff0d50a10cd6d776255e447d7faf4

SHA1
23f7022b99709d64a22072bb4a7a9b40333fc66b

SHA256
e5f00472c23871ba17769613c62a4c5de22afcfde193bdf62f4749f14e1c85c0

SHA512
444de8e71c585e5800efb55ef4477cb3c6dccb2cae8d8da020ebed7729e744f6c43480f35b99bfcfa19ee5f22cc7b0cafab66f70480864d377417d92d8dc63ea

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
766B

MD5
ba1f19558d96569d8e1c8668a19703e6

SHA1
d2b63a79f387f90ef756a8c7ac766d330230124a

SHA256
de58f49fca2344e3a4d1d611cc21af0a8c3ff51dd23b3f8d640bd1684ee0ba7d

SHA512
42f529948ab0d3006b8b388bf1941095c7ea46adc7ea067b29cf0b01a5f7a011d1d3d504e1a9e5d9908eb0b60f48f3e8ed85abd92566121f9c444f50149af245

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
823B

MD5
1c8880906840d8c27b62bba5644a3ca6

SHA1
c45236beaa6d8a8b3ad23243391867e6411e0553

SHA256
7d0c85857cafb6966e9dd23e1c9805902364ce878ea4ac5e831aed56afccf418

SHA512
b97a3ddda2b1c5870e3c71c40f7b0ab8a2e66d998053b3194243f83d03a49093bb0bee76fd97e24db6aa9f92c229517c96738396f1e585c4eb5cb2000b1488fd

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
831B

MD5
a90cf62a6202ad77b5dbc05ccaa37a21

SHA1
1107743b60185c982f1861222d134c6cd071934d

SHA256
7b16e77397ef0faebf5abd515de0b1ee276337bd88b48a2c52881a36776826ee

SHA512
d676e468f7c0b792ae317df65598be5e99278b21cfb518bd40867d1a375a9b768be84d8acbefefe0f0e8550eaeb1702ffe54a00d23dc92798949bf5312d73594

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
312B

MD5
0c04ad1083dc5c7c45e3ee2cd344ae38

SHA1
f1cf190f8ca93000e56d49732e9e827e2554c46f

SHA256
6452273c017db7cbe0ffc5b109bbf3f8d3282fb91bfa3c5eabc4fb8f1fc98cb0

SHA512
6c414b39bbc1f1f08446c6c6da6f6e1ceb9303bbf183ae279c872d91641ea8d67ec5e5c4e0824da3837eca73ec29fe70e92b72c09458c8ce50fa6f08791d1492

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
468B

MD5
cccc7a25ad7aa4c2b0669c0cf9a13ad5

SHA1
68f89a597e162da9e2ce6f3ceba52eae81dc77f0

SHA256
ab1b9081410e2edd900e40720a06a17f31d02716e4069caca71b7bc2fc9eee2c

SHA512
7e4c9d9128edcc92f4113deb24fb53bae9dff979ffd7f639426052cbbbae2ee163f25932259da28d1d6b9494b7f2ca056d17edc32391ecdc0dd8d57e56e8fb81

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
468B

MD5
6bc6312b0812eec35080f673bc3cc482

SHA1
4cccff7e625f2ff605f6fa3b636602d0257a211a

SHA256
d05c116a245c582e3cdaa1c0b116e5dc9bf3c19513ee539518cf9bdb513e9582

SHA512
f43a0954aeff957e39eb16dea1803a535e9567fced1e8e9f3bd0d27c8cc7d4685b20f977d42b113d74441ccce10b2862dc7a70ad59d7fe3fff0cbb57337e6129

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
2KB

MD5
e174a99af913c10cc3c1b5b3386b1465

SHA1
7d87bc009f3b0288536448e97522ef46a0479910

SHA256
d056e9ae81e418bc1d5f94eb546fe2dcde5fa2e2dbc39d1eec4049685d20b71a

SHA512
f56780f23debcba4fc1947bad1b3907a5572d42fff1a7402171836c88ed309348c7b6879d94c7ddcceaf21f3f0953b0cfca195bcee00d3560e69253a10e00cb8

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
3KB

MD5
9b9cb83e7bb0b26a59341599d70fe2bc

SHA1
0c629ce440b477cc4c66741fd857969575f63592

SHA256
334d7ea20b83e46135dfc6f2538decb60b862b428ac3f853344d918317ed0bbd

SHA512
6883f002e973c5fe6caff4aa5e06f40d2447d882f3ce2a75c40a465926aa977a2bb6aed9105f40acccb32b1a7c73646e25c8569e7d778e7eeddd33aa72d0a6f9

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
3KB

MD5
fce3c955aa60a20ac5615a7322f83dfb

SHA1
ded1bd712b4ce7307f2c447fb3d374c8e7828e84

SHA256
47290466ffa96dc3479d5b2ae5b4f152ee245b9488a7a6a2194f60af1d133e94

SHA512
65ccf3b99f7a4d9ae17f3dd91718098b94b04ec895aa8bd1b144d6d259136766f590fd9d4a85388ab470476b8ad87efdd1a411d8f7e0d3b091fe7a39bf78bffe

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
6KB

MD5
1f0eae1da92c47733a925943db810e1c

SHA1
149e9761747189570c95188fcf26138324374b5c

SHA256
2752881328cd6792ef7f68adc4fb4c42aafb105e98b0e0b37f06051a59307c69

SHA512
e35174d997636942df0d769dbf37cd852d9b1d75f3df1a0dfab0a1b84a282e2cd3234a14df4ce30a9c1231bf7a3280cad3aa65115ef64c1a55160f858863424a

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
6KB

MD5
34a45cab29b10acea6971de69e703e09

SHA1
e81b3f04e10ae75f74659db3dab8e9fcbc3ec109

SHA256
7b89bba97841e2567447160350af984129b969ee9eb26de67d0805e77e91c192

SHA512
a379b7dd91faf0ad65b5898fa00ea82384a61e3d0c7385ef2ab159ea5c8e5796640bc568312dfba4a5456bcdc457b2d171d3bd4a4e050b5ccf00a68cb900d3f3

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
6KB

MD5
5747dcdf7dae5b81e9b8897a5654db21

SHA1
889ba9d5d332cd8b240fff70fd417282f660297e

SHA256
883b0bc20bb21d0edd166313114618075bc96e097ef6cad9fb9ec8a62505b5e7

SHA512
75ed2b52f47c1765c284b91072308efc832b9a0b31fcf1066fa558d8f5f5121dae9754f43a0dc1720e9ecf0d0d347ceca0c8ff227cd5856216288b4311df9a19

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
7KB

MD5
bbe9ba04b121ee6893f18796c32774c2

SHA1
60cbb0e666700c406764c4d434593ca1198ed58d

SHA256
f15eb7d3cba25c3be14076c0a0f195fe9e786e995f62124312219401e44c2610

SHA512
773902b4d9aad2e15cd30abbe045e613981f8b0d2ddf140a75c235fb8e824200c467b1d093cfbd464f5037210858ad0ccbcb0e31d78af103ccc8291273bf5e51

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
c2c5957be6dce6be97561a6a680ef362

SHA1
203723aff94bd1a4a53db63e441516aef2bb6323

SHA256
cf331e5bab01672daf5c186399c0ab79b54f2998df8730bac00979f7e27c28a1

SHA512
b42ae2579ec95eed4991069028552a674b2f81ac73600673f060b1bb8ea978880444d85f47cb6a83f7742855e5b828108b03dd6c27ee3e4910fbf8da273d1a36

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
52e9c9fc38a3e158c3e007b935476494

SHA1
9453835b4eb9d63af45febb6780d0460dc5a6211

SHA256
aadcb170f3f1dbe2fec49ad2fabfbeaff6569beae6eefae39f276d77f4a6f73a

SHA512
02e0350b4f1895913de599223e02dbaf4c998d5172645983afc2b305e7b5dcd536854eb350565c07d068abecc9579ab4dc27bb89b90f63e73ae788f7db3c469a

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
c56ca7a0733d095a9f0390c4de8ef1e9

SHA1
dc41dd8e3ee02025374f894c26ecbf4d88cc9efd

SHA256
a1301d5bf42351146c3e1983e6a43d651b19473085e80d5814252ad60b1b9f29

SHA512
b1074550f3389ea3b25ddff830fa1925f51cf0f762acc9991627660d2be774eb983b47788f0e56c149228225cfe959fb05f35edf5da586cf59d5ade27b163304

Download Submit
memory/1144-13-0x00000000002C0000-0x000000000176F000-memory.dmp

Filesize
20.7MB

Download
memory/1144-231-0x00000000002C0000-0x000000000176F000-memory.dmp

Filesize
20.7MB

Download
memory/3952-12-0x00000000002C0000-0x000000000176F000-memory.dmp

Filesize
20.7MB

Download
memory/3952-38-0x0000000005030000-0x000000000504B000-memory.dmp

Filesize
108KB

Download
memory/3952-41-0x0000000005030000-0x000000000504B000-memory.dmp

Filesize
108KB

Download
memory/3952-42-0x0000000005030000-0x000000000504B000-memory.dmp

Filesize
108KB

Download
memory/3952-230-0x00000000002C0000-0x000000000176F000-memory.dmp

Filesize
20.7MB

Download
memory/3952-10-0x00000000002C0000-0x000000000176F000-memory.dmp

Filesize
20.7MB

Download
memory/4648-5-0x00000000002C0000-0x000000000176F000-memory.dmp

Filesize
20.7MB

Download
memory/4648-0-0x00000000002C4000-0x00000000012B1000-memory.dmp

Filesize
15.9MB

Download
memory/4648-1-0x00000000002C0000-0x000000000176F000-memory.dmp

Filesize
20.7MB

Download
memory/4648-229-0x00000000002C0000-0x000000000176F000-memory.dmp

Filesize
20.7MB

Download
memory/4648-232-0x00000000002C4000-0x00000000012B1000-memory.dmp

Filesize
15.9MB

Download

Resubmissions

Analysis