30663f0574cd075b83fe01ed7e639000029132536a493ed88cdc1f2f2c012890

Analysis

max time kernel
141s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
03-10-2024 08:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

VFS/Programs/AnyDesk.exe
Size

5.0MB
MD5

a21768190f3b9feae33aaef660cb7a83
SHA1

24780657328783ef50ae0964b23288e68841a421
SHA256

55e4ce3fe726043070ecd7de5a74b2459ea8bed19ef2a36ce7884b2ab0863047
SHA512

ca6da822072cb0d3797221e578780b19c8953e4207729a002a64a00ced134059c0ed21b02572c43924e4ba3930c0e88cd2cdb309259e3d0dcfb0c282f1832d62
SSDEEP

98304:NzTZ3cINQscs0m++LNkT6OpwDGUUH57yvZ/49Mr8EO3QhA9Kq:Nzt3cINQscNmvLCwDkHEvZ/4R79x

Score

5^/10

discovery

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation	AnyDesk.exe
Key value queried	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation	AnyDesk.exe

Loads dropped DLL 2 IoCs

pid	Process
2272	AnyDesk.exe
2468	AnyDesk.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AnyDesk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AnyDesk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AnyDesk.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AnyDesk.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	AnyDesk.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2468	AnyDesk.exe
2468	AnyDesk.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
2272	AnyDesk.exe
2272	AnyDesk.exe
2272	AnyDesk.exe

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
2272	AnyDesk.exe
2272	AnyDesk.exe
2272	AnyDesk.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 752 wrote to memory of 2468	752	AnyDesk.exe	82
PID 752 wrote to memory of 2468	752	AnyDesk.exe	82
PID 752 wrote to memory of 2468	752	AnyDesk.exe	82
PID 752 wrote to memory of 2272	752	AnyDesk.exe	83
PID 752 wrote to memory of 2272	752	AnyDesk.exe	83
PID 752 wrote to memory of 2272	752	AnyDesk.exe	83

C:\Users\Admin\AppData\Local\Temp\VFS\Programs\AnyDesk.exe
"C:\Users\Admin\AppData\Local\Temp\VFS\Programs\AnyDesk.exe"
1⤵
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Suspicious use of WriteProcessMemory
PID:752
- C:\Users\Admin\AppData\Local\Temp\VFS\Programs\AnyDesk.exe
  "C:\Users\Admin\AppData\Local\Temp\VFS\Programs\AnyDesk.exe" --local-service
  2⤵
  - Checks computer location settings
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2468
- C:\Users\Admin\AppData\Local\Temp\VFS\Programs\AnyDesk.exe
  "C:\Users\Admin\AppData\Local\Temp\VFS\Programs\AnyDesk.exe" --local-control
  2⤵
  - Checks computer location settings
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:2272

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\VFS\Programs\gcapi.dll

Filesize
385KB

MD5
1ce7d5a1566c8c449d0f6772a8c27900

SHA1
60854185f6338e1bfc7497fd41aa44c5c00d8f85

SHA256
73170761d6776c0debacfbbc61b6988cb8270a20174bf5c049768a264bb8ffaf

SHA512
7e3411be8614170ae91db1626c452997dc6db663d79130872a124af982ee1d457cefba00abd7f5269adce3052403be31238aecc3934c7379d224cb792d519753

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace

Filesize
6KB

MD5
4fbd69cc5aab347f7c2a8a6c6f18e7c3

SHA1
725c7d66f8a4e597904e0997626978e636a7038d

SHA256
90003602f3e876a1524f65f206b3b8b445dfc59851dc132e1bbbe335a667e907

SHA512
073b23894975b05617a3bd7bfda415d2949e025fa5c30c9a83cf6a2975945d7c3137885a7d432531b1d8fe9138c5107147144ede682a2d92e493abb487d2cca6

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace

Filesize
8KB

MD5
72fd225705ebd54fb834532d3f97e1a2

SHA1
8cdef1ad2ab960881b7bc192e75a5893f9da4da7

SHA256
a6b2ce49be33af8ffab7b68b3bccc5ba509420a43ab7112f5294369b948c25cc

SHA512
a6a9f1e5a764b680dff4678884255f9b31cf9a20bfe563897f7c2a9d60be82659efbd48464513c07ade1f09320aad19f5dbce88013c3bc9687ed79a30bb7c660

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\service.conf

Filesize
2KB

MD5
e7f5fa2e72571584ddfe1ab5d1e535d9

SHA1
4ffe6b80fabc9e4f488bab3f8072253cac5c65bb

SHA256
8c567d203f624a27b3475b505ccc0270e70b2902a676ab99e280837bcc33db03

SHA512
6aff2e387e1803afb4ec3e925c47b1b0123594069be4f6e9ccc2c6c5fef5de7a3ec7798fbfd81114ed9ef23ac5d098e18cbb11e9a4c7c1a6306148200c081ed2

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\service.conf

Filesize
2KB

MD5
e706459693e047c89e5c417f8b79d2a6

SHA1
22ef91257520197a8405015666b59deb5c89f1b9

SHA256
90955c36cd7aa7dc91699986a4940e3b5648f7785b79bc6a900fd35dabe706c0

SHA512
0db7ef5ca72488f168d71be6e07080ea76f4ec50058497ff0f9adcf28afd43cec6646efa4b4f7543667bd1d427aadf3d9ff535ce0c542811a2fb97d998be2ffa

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
681B

MD5
b6ae38219f06c49b57f0a82d09edd09f

SHA1
96f9012eba86a420c6b841a6fa0084b3f32bb12e

SHA256
7509598320ae78f8383b8a3e0c188461384e0d43492345f111316c2d55d3b88a

SHA512
308fca1041b9afc23ad5074865586f5f1fa566d28e4d7e7081f7040bdb9007ecf1da08143f247169f52bef8350dde57ea3bfec594b5ee77200b15599c7068479

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
738B

MD5
22ef5d25173bc5d8e63f8b776d48f263

SHA1
fc37859effdcb2689da16b5d1f8e32b30a8cf7e7

SHA256
94f5048c77563c68454caa86bf884c595a96cdb015aaa6f7f8e471cd7f15b7f0

SHA512
d2c19fa0b28e32667e43aa337dbfa9d4d487c21c591b97f7ca948e7588405df09012cbfc95b784d36624deb32bafb4467826914b3af6763082c2382f2d202a3d

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
424B

MD5
cf77ef76759f7277bf6268b987a7b872

SHA1
d084514d2e953307bf96fce5c767c6637e131e72

SHA256
7ae03386a45c02d5da4f9b73ec3412c862c25c5d8b82ab2f6c8b0ef4d3827da9

SHA512
a813a3d359598395008255c0b5fe40b191af34ca28e42bd8539bdb58d4daea968255890aca3d1455666c7d61da7c27980378e0f19761b4c015ab92df9a255e43

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
2KB

MD5
e94d62d84671b2628fa776b361174be7

SHA1
006c5fd56c082dc192d3aababc2822bf07ec1927

SHA256
cc417f4dd9e68fba4380f9f2d6572c08b115660ccefda1fe0f040c6e7b2aa6a6

SHA512
b0bea37892ee7ecc2ec069e5da81946e171b1e869134edbd635002bb57ecb38fef6f403ce3f9399726a425cb9cfba91a3b26cde5fd0a585fbdba751cc08a423f

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
3KB

MD5
05b946856fb0b8e341f3beb42ed6b6e2

SHA1
de93289df19e3e138b2dc6a9441365d64105f313

SHA256
0ecdd7838c35880cbe20388b5ddb3f7cb85ec42c6df7309fdb434fcdd33ab535

SHA512
aeb5e445a17dfa117ebe6331504087eba1965d49557242f2a42e956540a2294add376950d82fe4ddc99e3b0c578269d4646a080a7d523b57af5936421949f164

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
3KB

MD5
15d093c7f9117003b82df7aa5e5b7e75

SHA1
c78cea127fe451a89f56614dab5f5745e5676bfc

SHA256
b674f44b52b3b98984801607d09d31b1b3cc9d9d5aed3fc751d23d0b922cbdf6

SHA512
ce11f2a2ca776fe66cc8fb7f482e591e1d49d54edc019b90e2fb6e62f0a1519da592f5ea6e41e79b0f00e82eba57023fff74ef1df9820c2f7dd1d4af86dd9f02

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
6KB

MD5
83dc96a46e72992cecac64afebbf7743

SHA1
ff685650c5da4136951a079c82676b145addf56e

SHA256
18c3f82c1005245f443a036b466ff21f545c209d3ac9abb65560bfcf90328f3c

SHA512
809d5d88ec8f2917a4131f1ce1438316ca4a5f47d5fbc415e86fe77fe705405ec9fc4df1de5444d4f6fca66991186c118442b4e56915340a78056c0a1d31b77b

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
d0615bba3ea51f25a94bf8f18d2defa4

SHA1
4f20dac863f79e0a3ae347dfafb31464e82bf164

SHA256
15e5ac0970139a767e427c384fb791e0652a69d5a61371d931a605b8434176ae

SHA512
17ee4be68cd6b5583b7e6c60e1be35170411e5e5c20c1d711cff3f813ee3cbca27865d741d7ef3ada7cec7fe0a902c39f24ae2512aa88341c47577bd9879d362

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
347457c0c80575acf62dde27c1e3bbd9

SHA1
16d803303d35c5241cf7c415bef99bebba369e45

SHA256
d78e50e92c7a85828d2f7c7ecc36fbdc963ff99c8a48418a3ab1a6210c82a4dd

SHA512
12a22df08393a272da1c2f4b4fcd07682920e4872da29fa6eb25a1dc6e3dd49d312c74a085d4fa83d65835e5fcb661dff030a72f7b660c8f153e8acaf72d3e1e

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
038b5ecbc006483913d7b0ed9187a12f

SHA1
e5a3fb29caaceab44bbe64694ceec804bcb63571

SHA256
3de2e22aa941ed6406b20d0b4accf5428336ff4d7cd0ca063cf3688277367a27

SHA512
bddb68a0dba95d707a36c65cf56d745fc8962f34e1754cbe1f268f3347f08c8a768eb776d1cc2b64301f2cfa6c221e73ed494e0cdd300d94b6b3940ebff89010

Download Submit
memory/752-1-0x0000000000064000-0x00000000012A3000-memory.dmp

Filesize
18.2MB

Download
memory/752-8-0x0000000000060000-0x0000000001797000-memory.dmp

Filesize
23.2MB

Download
memory/752-0-0x0000000000060000-0x0000000001797000-memory.dmp

Filesize
23.2MB

Download
memory/752-217-0x0000000000064000-0x00000000012A3000-memory.dmp

Filesize
18.2MB

Download
memory/752-216-0x0000000000060000-0x0000000001797000-memory.dmp

Filesize
23.2MB

Download
memory/2272-12-0x0000000000060000-0x0000000001797000-memory.dmp

Filesize
23.2MB

Download
memory/2272-15-0x0000000000060000-0x0000000001797000-memory.dmp

Filesize
23.2MB

Download
memory/2272-219-0x0000000000060000-0x0000000001797000-memory.dmp

Filesize
23.2MB

Download
memory/2468-11-0x0000000000060000-0x0000000001797000-memory.dmp

Filesize
23.2MB

Download
memory/2468-218-0x0000000000060000-0x0000000001797000-memory.dmp

Filesize
23.2MB

Download