30663f0574cd075b83fe01ed7e639000029132536a493ed88cdc1f2f2c012890

Analysis

max time kernel
141s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
04/10/2024, 01:15

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

VFS/Programs/AnyDesk.exe
Size

5.0MB
MD5

a21768190f3b9feae33aaef660cb7a83
SHA1

24780657328783ef50ae0964b23288e68841a421
SHA256

55e4ce3fe726043070ecd7de5a74b2459ea8bed19ef2a36ce7884b2ab0863047
SHA512

ca6da822072cb0d3797221e578780b19c8953e4207729a002a64a00ced134059c0ed21b02572c43924e4ba3930c0e88cd2cdb309259e3d0dcfb0c282f1832d62
SSDEEP

98304:NzTZ3cINQscs0m++LNkT6OpwDGUUH57yvZ/49Mr8EO3QhA9Kq:Nzt3cINQscNmvLCwDkHEvZ/4R79x

Score

5^/10

discovery

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation	AnyDesk.exe
Key value queried	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation	AnyDesk.exe

Loads dropped DLL 2 IoCs

pid	Process
2716	AnyDesk.exe
456	AnyDesk.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AnyDesk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AnyDesk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AnyDesk.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AnyDesk.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	AnyDesk.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
456	AnyDesk.exe
456	AnyDesk.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
2716	AnyDesk.exe
2716	AnyDesk.exe
2716	AnyDesk.exe

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
2716	AnyDesk.exe
2716	AnyDesk.exe
2716	AnyDesk.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 960 wrote to memory of 456	960	AnyDesk.exe	82
PID 960 wrote to memory of 456	960	AnyDesk.exe	82
PID 960 wrote to memory of 456	960	AnyDesk.exe	82
PID 960 wrote to memory of 2716	960	AnyDesk.exe	83
PID 960 wrote to memory of 2716	960	AnyDesk.exe	83
PID 960 wrote to memory of 2716	960	AnyDesk.exe	83

C:\Users\Admin\AppData\Local\Temp\VFS\Programs\AnyDesk.exe
"C:\Users\Admin\AppData\Local\Temp\VFS\Programs\AnyDesk.exe"
1⤵
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Suspicious use of WriteProcessMemory
PID:960
- C:\Users\Admin\AppData\Local\Temp\VFS\Programs\AnyDesk.exe
  "C:\Users\Admin\AppData\Local\Temp\VFS\Programs\AnyDesk.exe" --local-service
  2⤵
  - Checks computer location settings
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:456
- C:\Users\Admin\AppData\Local\Temp\VFS\Programs\AnyDesk.exe
  "C:\Users\Admin\AppData\Local\Temp\VFS\Programs\AnyDesk.exe" --local-control
  2⤵
  - Checks computer location settings
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:2716

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\VFS\Programs\gcapi.dll

Filesize
385KB

MD5
1ce7d5a1566c8c449d0f6772a8c27900

SHA1
60854185f6338e1bfc7497fd41aa44c5c00d8f85

SHA256
73170761d6776c0debacfbbc61b6988cb8270a20174bf5c049768a264bb8ffaf

SHA512
7e3411be8614170ae91db1626c452997dc6db663d79130872a124af982ee1d457cefba00abd7f5269adce3052403be31238aecc3934c7379d224cb792d519753

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace

Filesize
9KB

MD5
71af938e23659305441e56791fb00200

SHA1
9c2d95a84459e5339c19b4cd8c4eba778ce68903

SHA256
2130b3dfec8028f039e3f975857f3892c6c1d72fed0bad496ec1b0bd9572d548

SHA512
44d2338c1bfcefb1df72199a3d963b2602479bd693a0558f0ab37106884e96d5f004665ccdd14f50b30c7a350aa521b548292f8eace6f9c74cce4489bde8703f

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace

Filesize
9KB

MD5
92a81d40ff51264aee049be3d3e2091b

SHA1
692a8f2bc7167cfe17f7e17dd8396c77068e33b6

SHA256
4b97613523a1a4c379f42eed3796dc6e128c59b9dee3bafcfdf54047c5ba1377

SHA512
313835b031f4734baac15da720f321dfee311be3cb5670090030f308e2ffe0811c2ef61cd945e8a096acc5038ce546b7dbd0a101b13888e67203435f24af622f

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\service.conf

Filesize
2KB

MD5
3c6bbee54b81986e4b87e724e9913a31

SHA1
b066df5b366682c906d6697ce75748fe8d6f120f

SHA256
e924ee65b047c4984b620014dbb33769e799e2278b30f6fdc0ea709b9196a5cd

SHA512
072711aa5aae20f768444c91f532d636d20cd2533757cfd42a07145055a8fca656843aaea9ec008600a6003c03acf52133a10665d8306b6e525af82f7d194a98

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\service.conf

Filesize
2KB

MD5
c1deda3efc287d3a2e62ada043ada7a8

SHA1
b57ab2b0498952a7dd24de8989ceee178c3db95e

SHA256
5a7649bdedec31c49fbe33515e92f87735fb6bb8b74fb916671227a22103c55a

SHA512
a860870479d230c456f408fb15f0216772209bf9c9492c75f72702c93a1ddbb4eca8ff570129a51e6c5d6840bc2c86890fab16b97c35d44432ed35eb63b6fdd9

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
612B

MD5
71b3362ac5bb380818a1de9d18f60efc

SHA1
b3af32c3c84685e46bc5a0e717fcb7ba21f32a47

SHA256
e64b5ee9336f210d0d0be3f3e2a09c4826cfe4115b0c10c45ca6e27cf89ce19c

SHA512
08cef1645e3716a65c5cae3785489f8fc9d5013b4ba293ce3c06ff2ab913652fa9e07b85f0d66d43a91cf332859964b5a8c8e5f0b70e0f822c339c89d66142ac

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
681B

MD5
1df2941ca74ec27cfc864b915601ca27

SHA1
16dc05a4a535bd0f5cbd264406c233e473bc3fac

SHA256
a9cb65e532d79d6919d5233431be40d841ef210164d998bc2e7beab0cb2e585d

SHA512
5381f3c5f43374221f066b44ccd5648a432d7937a5ea3a37f9a222120edddd11e04474ce77685cc4f355cfc71f9a8a6ba5ba1b5ad4b0c30caff27ced5fe06529

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
738B

MD5
99713e01ee92898f305bb4fd29efc36f

SHA1
b34de5ca036bf132144ca68365e90ba150d5072a

SHA256
ad54fcbb468eec693542710130c96e3c9aa2df066ae6823f6584a5df0b33f66d

SHA512
747316c02beb1488b8196309aac5ace3d747533daa5b840a4f73fac80e890e9b892bcad5407074614bedf2e3a0c645355c9acba81a86d3963ad225fa8aead405

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
312B

MD5
0c04ad1083dc5c7c45e3ee2cd344ae38

SHA1
f1cf190f8ca93000e56d49732e9e827e2554c46f

SHA256
6452273c017db7cbe0ffc5b109bbf3f8d3282fb91bfa3c5eabc4fb8f1fc98cb0

SHA512
6c414b39bbc1f1f08446c6c6da6f6e1ceb9303bbf183ae279c872d91641ea8d67ec5e5c4e0824da3837eca73ec29fe70e92b72c09458c8ce50fa6f08791d1492

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
424B

MD5
638098bcda35b57968fb8cce45ba37c4

SHA1
3c8e4ee55f91b7d56d356723dfab21d9e4a61ddc

SHA256
e005ca8b368b9ab41a38aa96ee681ba1ee8a2b5ef3f8aac5d9bae07b2e818552

SHA512
67f21f38c87e0b8476f0058112b342e62a0c248f7df5599605c7ec2cadae6bbf20ceaff4729f081570fa7cc8b24ec5be8086c29a2b0bc02419262cc2941485c9

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
2KB

MD5
88d071db21a069ac9153b6f9cfe785b5

SHA1
f787bbf6814a1c458be21fa720a1cc2a5521e94d

SHA256
bc3601a4eb89fb6784ee3c13ce7d75b788e5db694a6422ca2a04a4e10243d9b5

SHA512
851d89512d05ac9dd57ea89c8d391d0f050f193a32832331368ad126bb3609171756ac50468c0f431368cbe1231dfb56e67a9bf0e0732ca7cc94492e095e81e9

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
3KB

MD5
39172c9360329d811935335b8d429e7e

SHA1
8a702830c05d423bc4a70826746c680fed3cf823

SHA256
cd4865b1d38ca4ea8fd95a4e7472ccf5c7a187bfc77b6536d24d9db4ccd398f1

SHA512
2e617b16a320910079947ab195885260ef39f8852a9944dfe563809665ab8a9e252147aad80a7a74cbe3a87bd923b510fc99ce7091a03429c8d9c74d4721424b

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
1271aa5ac5ed7269e72e49b970383336

SHA1
d4320f97b04d28ec2ca8a8cdefd9f67b257fbebf

SHA256
bd8b2d6b39b60316f5626a3336aa3921f33c06ecce014456620bde8dedafde42

SHA512
d0eae70237fdb4d5315d41cea34ce3d6d33038db0102991d1974d1ed3c1a34a964a5d249b0a75de63f62a921dd9dfa894afa20189e6485c4b326fa3508f1113a

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
3KB

MD5
b47ba8e3853021273717a59ce6d0fee5

SHA1
2d881a39cb3778970547a4e8b4fb93ad75fc7934

SHA256
fc623ad688371eda36a83c664108fbebe310399b8750af4e3dc3b5c27ddcd51c

SHA512
3b762274c8d480cd2cdbabaf3ec19547f7cac23a82f80e00e87d91162e4a311400dd948f09def99404427b530a902cb11b4ca5feda16abddf4d7cb5a3217f12a

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
7KB

MD5
fd0dc987c0f0911aee85bc507fbc2335

SHA1
73ee9491baddb48cfea561a380a602fab443f169

SHA256
89121547f462fbc0088d10de2134fc58b48f6adffab6e67f0bce055f5ef700e8

SHA512
cc0ab94d8636465a9f1fd89167467463e18aa42c38b9f232984d3ed30e684662b9bff57a358b8e33f944fa56ef5850dc3a9c1efaf0bb0254741526891c9130aa

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
6KB

MD5
33c420f15e2d6f192812a87320f0b4c3

SHA1
9a4dd5d5bde2f353d4bdd6bda33cf6067375778a

SHA256
f5f8369d17f2e641fbbca7f9ba4df6cfceba85c2771ec78b360e5005f6668e50

SHA512
ba4bcc6635ecb1680ecec6c35ec7643e8e7e471b1154bc0c62247224b26f56ce76943a1c8daee3ceecd3d6f96bb0d7df88b1e95e306bef732a1834d0731a7fa5

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
7KB

MD5
85f04692fd936d836722ee367cddd75b

SHA1
8f06852325ac4bb15a26faf01d2c1f88d3031ff5

SHA256
90255efd07c55784dec6330eea816774045b2eba6977667c6914d8237b296c10

SHA512
0dff52482ec3fd519b6848e226f864e4a58805b9b26ba4545fbcbf5941140333db0f89e19f339fc085c0773e28cdacd859c7ef80f79d2496a9e32607f0b024b1

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
fea089fafa6e43461adc1e72c37752f6

SHA1
416f0ff9235dd0d1625b911717ad087dd11158d2

SHA256
add4a22b63085eb1724df44d42a6b2b243b7fa716156bce738b7ee162444c2aa

SHA512
e38db507b2aa1b4fe49efc7d47378f918c448d944f6226b7dff49a99849072b71f24d93a94dc8c116088a410f1830c787aa46c83eb471c4d5256941d9bf05798

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
735a1053df5b83d6ad97bcfd431f3c92

SHA1
e55bdfe92562cfb3fd31938e17691c83aacb4ebb

SHA256
bf74362c28ba747f4d4e638a6fe7c4e7695fc4fbb79d959cfa3f0658c89c132d

SHA512
3b284fceef2bc98f5f198e2418af234345ac16c30cea67ac28e2af9dff3adb9cc03bd77fb8720b39aee6d7ded6d8996f8d11d0a28c936ac15c23e858d787fcd2

Download Submit
memory/456-227-0x0000000000FD0000-0x0000000002707000-memory.dmp

Filesize
23.2MB

Download
memory/456-11-0x0000000000FD0000-0x0000000002707000-memory.dmp

Filesize
23.2MB

Download
memory/456-17-0x0000000000FD0000-0x0000000002707000-memory.dmp

Filesize
23.2MB

Download
memory/960-1-0x0000000000FD0000-0x0000000002707000-memory.dmp

Filesize
23.2MB

Download
memory/960-0-0x0000000000FD4000-0x0000000002213000-memory.dmp

Filesize
18.2MB

Download
memory/960-225-0x0000000000FD0000-0x0000000002707000-memory.dmp

Filesize
23.2MB

Download
memory/960-226-0x0000000000FD4000-0x0000000002213000-memory.dmp

Filesize
18.2MB

Download
memory/960-6-0x0000000000FD0000-0x0000000002707000-memory.dmp

Filesize
23.2MB

Download
memory/2716-12-0x0000000000FD0000-0x0000000002707000-memory.dmp

Filesize
23.2MB

Download
memory/2716-228-0x0000000000FD0000-0x0000000002707000-memory.dmp

Filesize
23.2MB

Download