30663f0574cd075b83fe01ed7e639000029132536a493ed88cdc1f2f2c012890

Analysis

max time kernel
142s
max time network
162s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
03-10-2024 08:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

VFS/Programs/AnyDesk.exe
Size

5.0MB
MD5

a21768190f3b9feae33aaef660cb7a83
SHA1

24780657328783ef50ae0964b23288e68841a421
SHA256

55e4ce3fe726043070ecd7de5a74b2459ea8bed19ef2a36ce7884b2ab0863047
SHA512

ca6da822072cb0d3797221e578780b19c8953e4207729a002a64a00ced134059c0ed21b02572c43924e4ba3930c0e88cd2cdb309259e3d0dcfb0c282f1832d62
SSDEEP

98304:NzTZ3cINQscs0m++LNkT6OpwDGUUH57yvZ/49Mr8EO3QhA9Kq:Nzt3cINQscNmvLCwDkHEvZ/4R79x

Score

5^/10

discovery

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Control Panel\International\Geo\Nation	AnyDesk.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Control Panel\International\Geo\Nation	AnyDesk.exe

Loads dropped DLL 2 IoCs

pid	Process
2840	AnyDesk.exe
2552	AnyDesk.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AnyDesk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AnyDesk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AnyDesk.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AnyDesk.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	AnyDesk.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2552	AnyDesk.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
2840	AnyDesk.exe
2840	AnyDesk.exe
2840	AnyDesk.exe

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
2840	AnyDesk.exe
2840	AnyDesk.exe
2840	AnyDesk.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2736 wrote to memory of 2552	2736	AnyDesk.exe	30
PID 2736 wrote to memory of 2552	2736	AnyDesk.exe	30
PID 2736 wrote to memory of 2552	2736	AnyDesk.exe	30
PID 2736 wrote to memory of 2552	2736	AnyDesk.exe	30
PID 2736 wrote to memory of 2840	2736	AnyDesk.exe	31
PID 2736 wrote to memory of 2840	2736	AnyDesk.exe	31
PID 2736 wrote to memory of 2840	2736	AnyDesk.exe	31
PID 2736 wrote to memory of 2840	2736	AnyDesk.exe	31

C:\Users\Admin\AppData\Local\Temp\VFS\Programs\AnyDesk.exe
"C:\Users\Admin\AppData\Local\Temp\VFS\Programs\AnyDesk.exe"
1⤵
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Suspicious use of WriteProcessMemory
PID:2736
- C:\Users\Admin\AppData\Local\Temp\VFS\Programs\AnyDesk.exe
  "C:\Users\Admin\AppData\Local\Temp\VFS\Programs\AnyDesk.exe" --local-service
  2⤵
  - Checks computer location settings
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2552
- C:\Users\Admin\AppData\Local\Temp\VFS\Programs\AnyDesk.exe
  "C:\Users\Admin\AppData\Local\Temp\VFS\Programs\AnyDesk.exe" --local-control
  2⤵
  - Checks computer location settings
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:2840

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace

Filesize
5KB

MD5
bae19b0ce09fec8ff069034d44ab2041

SHA1
a4f0b407dbac014953ce107bb26cf9207504fae5

SHA256
3e0c42e9f455f678fd64c7034994a786f311180820c4c2daabb4952870bb9896

SHA512
6fa8433c298971d65d337561c3a038ce5ab1fa8a34da06fd09b814d41c76de34b81d113c4acea4b01d67ab1d0214bfdb4bd5f2469d9f7230f8ff865cde95ce62

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace

Filesize
8KB

MD5
e1af36bec0989266e034aa3d851de133

SHA1
48b03c16f916741f1833270c4d4f0d18456c2a72

SHA256
5e009d5fb9897203006d9b092eb6c703ebe6a71393b77dcd2a354d5e4ca44902

SHA512
b1e03458eec326611cc7719e276d6624413593fa43eb6f920edfec3568989ed59404de5527eadc83ea887cf2b0730b3cf66036fdbeb51169945eb57d9b88ce32

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\service.conf

Filesize
2KB

MD5
eabd838a4fef8d77bd8580e7ae57481b

SHA1
06893677eb62508e69998728c5bbd903b8574f83

SHA256
1a942ac1f3d43a187cd2554038dd9f24d2a9caf594cd2eeae3d0a19abc2dfd40

SHA512
1906893f0efc883053ca10adcd582502e393340b155a701f0a45e8e23a53c7edd551c735e684919e4f659e839edb64f8965bc787d87fab0e8966e202e504bf1d

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\service.conf

Filesize
2KB

MD5
f74708255c1f725fdc67d8a978379089

SHA1
af3cc1527b9d9bd16af5da3338e55116cda9f488

SHA256
ff68a253d28875c4b8729f08b0209b2efa3ea9b3594605e4eeed21c81b7962a3

SHA512
fd03309f55fb3f28552af3f3ee2be7b5f3c676e24cd7186d2da5edd2c6f8bde661198704141632b2b2fb89381a4c90709a6b816ff1204594bf18024dba818ff2

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
681B

MD5
3fd68781bface7ad3c132c7057bcc240

SHA1
aa23f716ffe66104aa86dbb980d0a8f8904c7015

SHA256
5e03625a8d277cac3216e75065c025406048ab38c63b09b13643f136e7aadbde

SHA512
0d203717cecb93435e8709c5e2bc148b967a59580c8da2ef9e5777223ec64281fdfd8c61dc6a3063b5499e5d4e24057b569f447381b8e86031864e659c97d207

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
738B

MD5
7e2a807f90fe88a54cdb7653bbf5d2a1

SHA1
55f80d97f6ee913925759705d19896b46f0c60d2

SHA256
b6d5d202cd6e79c2bc224fa0c8813c8d0a549c02f588a7c93737f575314ca2de

SHA512
7361a8c840011afdd63ff5fa7b7696ccae3a56696147d897052a27881f55193e4e2a5ce1b1a240324e72b428d2f6ba242fcf4fa0b9a2f36fd2cca24ad443bc70

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
424B

MD5
a5b7acbd2017d09e12e2cfc02d4fc079

SHA1
cb5af594f0fef77c969cb3558dc10ffe3f0939a2

SHA256
bd99d45e8361b10c744942ddc6a70f42f785924cce037e025e4b8817d7e3cfe7

SHA512
71505f11fabcfe6800ff5f969caa9c965126a8cbffed31fa4a263f899161bb53af4caff2da3ebed7e6b34949caf67056288031439a72bf653d71ccb9af4593f0

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
424B

MD5
a3da3a5b08af0cd693b3de6a134f5916

SHA1
cb517a6450972ce57ee603e62dd4a5403b7b4cb7

SHA256
72811672076ced2cbb91091d4ce583d9bedcda11f4f4aef214686a2de79b15ed

SHA512
339ec75cdb2c6623f0a8075a08b5d830e3e5dad70f40de17320a20f7c786cbb57c3d231816fa83805716e0e2ece0e73652f4c750fc89a5ac460d17c8790234f7

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
1bb9ca31d6fb18fd0ad6a4bb9d25eb77

SHA1
f238032bfd3a7b35caf2cc36c9caddcc3f12a15a

SHA256
0ccf1f555f0681800f2581cccfa675a72a427f0ba2420598a9381cbe987b203e

SHA512
ead62ce2323b50dc87a838b3ba168ec9e4f4529050ff7ac24abf4b778873762d606d0e2ded13270b7fe5ea576ed8b3e52a2282402d27b2ebc6bb7fa6127c974f

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
0abbda7f79023ac0ec8b3c39a1b02ce1

SHA1
4e4cad486f9a2167eae1bbf59398d671748dbbce

SHA256
a90fd17228c2ba9cc19540f39ddd3696e6a44cade41ca649b2359722dc2c6feb

SHA512
c389112fdabeccd95d425bf32cf49dc8545fd05b1a710f58694b3b3e2bdf6ee0fa63220e6a57c60e3bca0d41153797ccd0e0da6e14b02ec3a4591aa85299036f

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
2KB

MD5
8fec95ed7420989e9124dda70c53e2b9

SHA1
aabb106c93fa056ea6d586b1da62c514da6cd8fb

SHA256
f860c63ec8b10ab74dbe46cc0bd45804e3599aa8fde9c5687857246b2efa8c85

SHA512
1fbc2a5069a5bed8cfd186eabbd7de372f8d80027d0197c9681a847429438b3611500f0bcd0993984770b047e40ff6d598dd8213eb37ecb71646963a3c914505

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
3KB

MD5
a293ccb4254c412dbe34a1feac6aa0e7

SHA1
f6c8fdc8e6dfa14640fdc65377463431645e0af0

SHA256
8fa86181e49fcaf0fa1960ee472f53a607a807140e7f131c7561da9972d20e4e

SHA512
9a84c342abf716d6ee3f9d4dc047c665f4c1eb47bbcc415f2f275f99e849c8ad89b03a9db307aa1141e20dfda21d306647804ac602cbec375c03f044e92c3806

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
3KB

MD5
bc4c7719fea6e8e1799afa027d9c35b3

SHA1
0d814cf725e149b5aa2e7255dfb665d21b43a996

SHA256
cd65d726ff86447e10c475f47c89a522317940845428cf0af09d3297a941c08e

SHA512
3fb7985a5d9b341225c9c5dfc70c89e0e49e68276269548554bae822fdb838e5fb7fc3e3f56ec6933ef25bb8091d0af00520e752ddb4ce3da2008ba5b896405c

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
6KB

MD5
0b56a6aa7a77b7d758ba3455dc9b7a10

SHA1
66683b44ca4d58a6296d551a8f1047df7072b34b

SHA256
b39844ca09d60c389fb8e2cb8d851789eae4559f75a3679937bc35da002d0021

SHA512
f9d611c363f34ff342a5d97a8ea7e1425a7cce6ce1a41358e13f99d4a339016a4b3df6d4b3a9ef3e4b3aa6bbf2775cb5998cebc5acefa455d38777b0928f3d28

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
6KB

MD5
6b187d8860949fed4d06f2ae98b3826b

SHA1
bb742491b8da7e5ce2751a95a17fd31d43283f13

SHA256
f2f4fb02193e95b9697617852563be0d709b0e6d332f15c90bcfb0a4e11c3ed5

SHA512
22051a75c5249aeecec2f4be54539a908b21cb5fb031e6e884d45a8466400034378d3d5618158ecf3fff447da3f359386fe26ab89fef2cdbf33d8ed29ea09c83

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
6KB

MD5
3618fd93e416bafc67185f8c717e7e6f

SHA1
d9e5c572fd8c5d83d2ac4476939988935e85706d

SHA256
7bab937bc11601b09a5823bb1794c7965b770d54bc2db064741b4fd3981b3b5d

SHA512
043f1bf4d0cda5212855de9d5234ca61ef322a7e2130d989234dbce3dee2f6615a0f756eca4f5c2357d3172055b373598659daa2e859301293954a7ab591d239

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
d414f666ec2c785c04f363aebda69225

SHA1
8e653c23dbc7edfb60469d8488dbede81740ee76

SHA256
f8263613fcac6224305a5df8fe1d8d1f4e8508c9d18839911c01073f0fa56895

SHA512
6d137895ea6d835d6027c36e39b7bb903894e93f33dc958425a21eaba64a716fec80ffe4493da66802eba17c4e380d7d3c8755e70f5550ef9188da9d162c031a

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
70b170bad6dd3b2a2ea527a5fe1e4f51

SHA1
f5906ac66c3e1c2ca15ce8d231cb723b7bcb4792

SHA256
7cdc2b75c7360946c4b027e71bc7ab3b3f59dbfc4c67a5ce703296e8aee8c261

SHA512
58333b578f0ad65b4a5a99d73edc0bd40b888571dd4a0c6bfa5c71248cace81386b9d3c33d7ee9302920bf1e5630d0f668fe7e41257f8555682fa1200feaea95

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
f74de4df249600655a9d48e13744e91c

SHA1
b36c0ed7aec0da928d95b78c7177fbb43d1b0dfd

SHA256
4785065ebda6a1933216e1863a5e411ff93dd9265d79a3f3a4d11ee03cd22bee

SHA512
ee720a5464f601e2e5957b3c0b59e048f692a1cc5c07961d8b984e2dea756549271f41de8888ca1d6d2002080a24602c53535c687394bf8df7edb81a69e611f6

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
9fb4dd25e9f2443de3478830db14180e

SHA1
ddf43a6083ad0e79b91bb208d7cb0b7f0421b874

SHA256
d41ae74a2cc6ef228e74994127da8cf711811f9f8ab8096a15adf4120f3655ce

SHA512
ad59ad56324e9a770b33395ad0598f0ed487b2445150fc8a5ca333a7e1c4d5a3f0bcbc8612b17a5ecc51343be4676fe6a3a95c5a9485890b8ac5b38b393005c2

Download Submit
\Users\Admin\AppData\Local\Temp\VFS\Programs\gcapi.dll

Filesize
385KB

MD5
1ce7d5a1566c8c449d0f6772a8c27900

SHA1
60854185f6338e1bfc7497fd41aa44c5c00d8f85

SHA256
73170761d6776c0debacfbbc61b6988cb8270a20174bf5c049768a264bb8ffaf

SHA512
7e3411be8614170ae91db1626c452997dc6db663d79130872a124af982ee1d457cefba00abd7f5269adce3052403be31238aecc3934c7379d224cb792d519753

Download Submit
memory/2552-11-0x0000000000260000-0x0000000001997000-memory.dmp

Filesize
23.2MB

Download
memory/2552-251-0x0000000000260000-0x0000000001997000-memory.dmp

Filesize
23.2MB

Download
memory/2736-0-0x0000000000260000-0x0000000001997000-memory.dmp

Filesize
23.2MB

Download
memory/2736-2-0x0000000000264000-0x00000000014A3000-memory.dmp

Filesize
18.2MB

Download
memory/2736-10-0x0000000000260000-0x0000000001997000-memory.dmp

Filesize
23.2MB

Download
memory/2736-249-0x0000000000260000-0x0000000001997000-memory.dmp

Filesize
23.2MB

Download
memory/2736-250-0x0000000000264000-0x00000000014A3000-memory.dmp

Filesize
18.2MB

Download
memory/2840-20-0x0000000000260000-0x0000000001997000-memory.dmp

Filesize
23.2MB

Download
memory/2840-252-0x0000000000260000-0x0000000001997000-memory.dmp

Filesize
23.2MB

Download