30663f0574cd075b83fe01ed7e639000029132536a493ed88cdc1f2f2c012890

Analysis

max time kernel
141s
max time network
140s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
04/10/2024, 12:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

VFS/Programs/AnyDesk.exe
Size

5.0MB
MD5

a21768190f3b9feae33aaef660cb7a83
SHA1

24780657328783ef50ae0964b23288e68841a421
SHA256

55e4ce3fe726043070ecd7de5a74b2459ea8bed19ef2a36ce7884b2ab0863047
SHA512

ca6da822072cb0d3797221e578780b19c8953e4207729a002a64a00ced134059c0ed21b02572c43924e4ba3930c0e88cd2cdb309259e3d0dcfb0c282f1832d62
SSDEEP

98304:NzTZ3cINQscs0m++LNkT6OpwDGUUH57yvZ/49Mr8EO3QhA9Kq:Nzt3cINQscNmvLCwDkHEvZ/4R79x

Score

5^/10

discovery

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Control Panel\International\Geo\Nation	AnyDesk.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Control Panel\International\Geo\Nation	AnyDesk.exe

Loads dropped DLL 2 IoCs

pid	Process
2752	AnyDesk.exe
1996	AnyDesk.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AnyDesk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AnyDesk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AnyDesk.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AnyDesk.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	AnyDesk.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1996	AnyDesk.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
2752	AnyDesk.exe
2752	AnyDesk.exe
2752	AnyDesk.exe

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
2752	AnyDesk.exe
2752	AnyDesk.exe
2752	AnyDesk.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2896 wrote to memory of 1996	2896	AnyDesk.exe	30
PID 2896 wrote to memory of 1996	2896	AnyDesk.exe	30
PID 2896 wrote to memory of 1996	2896	AnyDesk.exe	30
PID 2896 wrote to memory of 1996	2896	AnyDesk.exe	30
PID 2896 wrote to memory of 2752	2896	AnyDesk.exe	31
PID 2896 wrote to memory of 2752	2896	AnyDesk.exe	31
PID 2896 wrote to memory of 2752	2896	AnyDesk.exe	31
PID 2896 wrote to memory of 2752	2896	AnyDesk.exe	31

C:\Users\Admin\AppData\Local\Temp\VFS\Programs\AnyDesk.exe
"C:\Users\Admin\AppData\Local\Temp\VFS\Programs\AnyDesk.exe"
1⤵
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Suspicious use of WriteProcessMemory
PID:2896
- C:\Users\Admin\AppData\Local\Temp\VFS\Programs\AnyDesk.exe
  "C:\Users\Admin\AppData\Local\Temp\VFS\Programs\AnyDesk.exe" --local-service
  2⤵
  - Checks computer location settings
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:1996
- C:\Users\Admin\AppData\Local\Temp\VFS\Programs\AnyDesk.exe
  "C:\Users\Admin\AppData\Local\Temp\VFS\Programs\AnyDesk.exe" --local-control
  2⤵
  - Checks computer location settings
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:2752

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\VFS\Programs\gcapi.dll

Filesize
385KB

MD5
1ce7d5a1566c8c449d0f6772a8c27900

SHA1
60854185f6338e1bfc7497fd41aa44c5c00d8f85

SHA256
73170761d6776c0debacfbbc61b6988cb8270a20174bf5c049768a264bb8ffaf

SHA512
7e3411be8614170ae91db1626c452997dc6db663d79130872a124af982ee1d457cefba00abd7f5269adce3052403be31238aecc3934c7379d224cb792d519753

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace

Filesize
5KB

MD5
b2267c19d1f815559a970a2276905ab5

SHA1
49b381be07df560f291abc6a495ba00ac0ccc224

SHA256
155cea41d021eb82c3e4bb007d25cae2fb86b37b353fbd0559b06d219f831412

SHA512
0c15af2fa2458863b854a992cf088a374cc859039b3b7c2d1fce5d6a7425b2dd36ed2aa5e74a885ea9190fef707de811c54a1f9fd1a17427a5c7f5d701647af2

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace

Filesize
7KB

MD5
e70533afc186f57e5f22774e733f6459

SHA1
e2edf4f40b0b06b82e05c90c2703cae26faf1450

SHA256
cee5c8ff0763ea400a65e9987744b44047269eccd452a24835f861e697dcd7cb

SHA512
e52b5f982a30fb99592b5c1a5c201251998a95fce1a0e034306c7ad6f6ceaed2a03d18400d9c4cddeab558f624924ac99dbc56d0c4cd03dd546ad025f1bf48f7

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\service.conf

Filesize
2KB

MD5
655ff5f05e062d3fb148bace54b616d9

SHA1
c55ea0a4a6936ca1bd23fbc9d2f55e9111440091

SHA256
82bedc420bca12c8f6056cd21dabffcc4cc8fb3618f50351a207eb40731b520e

SHA512
80301028fcb60db4696f7b1610b8b76617d5e5a42a4576e2abec78967bc7cbb4b930583bbfb189873cb1cb995e1d5c1fe960368cc3e9646c8bb62042d1307fc9

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\service.conf

Filesize
2KB

MD5
c4ab7607e5cab9a322047498c66ab424

SHA1
56ec002cc7380304a37d9a514a6c4e04343ad4d7

SHA256
10d611427c3a1ad747c3a462d88b199261a39ba66546b2a15d7d5dc8bd67f5d4

SHA512
675128c6b2e0cc164afc69dcd34a24d7fccab4a27026f56daddf09fc253cd5a36962a949be4c01b1f101fc9ce6c2a86c43584364e273ee26a282c95bbf54dc28

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
681B

MD5
5ccce898075a7b224fdc4c4b14ffad4e

SHA1
2c9c9339d5bb4078dd4b9b513e47a90365cdef28

SHA256
0ff78e22d213342197f8e2b6d58bdf0422e8cd662283a2b62b5c3329db07b020

SHA512
3df90477b0bf538a82bdb25cebd656a5a606a6476e9331d51dabfb6691ca1c7ce9187da671ddf988678e67cc2cb97844e3cfadf4cdc7aed114f898a655919218

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
738B

MD5
c61bd39c2348be7f6f67555d3fed82f9

SHA1
2ca35a27372831196072e597854f2ef52689d905

SHA256
63cfd13cf9497e11276fa76268776e347d1a29ff0713172fc5ee80ba45930bda

SHA512
c39498a19409b652a180877dc9f318f9f414f7634fba3d9eba6bd7a34ab58ba068ca4cc73a254da766cb250c89d7881104dcdcb35c98256a026dfbd6405cbf6f

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
424B

MD5
fe53fb999b52c29f5fd4fbeb65ff3edb

SHA1
42923dce89d3a13a73b6cc736671a5e1a1a3ad5b

SHA256
822da6af9e6775fd5443399cd8316f757bbc744c695cf5f9ffee5dc38fb58c6c

SHA512
212085242df63584e3d8f73279289194501b396182a510092cc3ef9430a2497098feff3b6c05135089623f0b5bd22104f230506439601f6dc46d6d042a94d07a

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
2KB

MD5
897cf4530de5238671a5e9f2f1a9c201

SHA1
eae19f71a492fa39730f3b397c049aa7e7fd87d6

SHA256
2d58d01931be2c0d65f4c516767a4457903677b4a722d41e41fb54c2601a8bb7

SHA512
bc61abdfd938f7376a9600852cd97d309a082b0182b12a5eb0a125ac5178ffded356fc29b55fdedd656cd3fa82b9e2982ff07540dcb890ce7f04ab5cd73b7ad7

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
2KB

MD5
73274b2361cf827c8e23297c8559b122

SHA1
701b2111996389c268dac5870ee7fdb2da493bc6

SHA256
9c4af87da3b9468bf60fa236657480ae00bdb68ba87eeeeb26ff79ebefb67fff

SHA512
363c4aed84af748c730d4239745738ccbd3659c8be86c40789da6bcc51fb1df75172def3a46df9abd5db6d6275c63fcbecd03fedb750c83b8f47143ddeb3a107

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
3KB

MD5
eb648d48a3b2c0494e7755444dd7c14f

SHA1
6bd873c344f2a62e460be27b99fe37b44af54772

SHA256
403301a2de424785b6ae355c90a513268287befd975ec00ece5a7dbb7b303956

SHA512
991bb0a733088ea8404c5727c02bed9172c2fa80baa78132c0763b037f00aa12eaffc5e6226db69fa7aaace2df19fcdd08f7efc65414a31cb286257bb2ffd94b

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
772083e72d9886249eb3165d21b9aeee

SHA1
3b836913adabe391b4b2051f9f2e6226a76eb50a

SHA256
2810aceb8ced9fda17766b7042205f5ba91b1fec148fbe34b499a43909f60454

SHA512
0fd60359dc4ea2f62976db6cdd9ae518672dc9474f7fdc3f4c1d615df316021f1af0d34b6436aa22fec4233ed3c559bf681e21dbeba51574129b9aa70ec57b9d

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
3KB

MD5
99ebd727dff3b8a887e6bb0d48586515

SHA1
5ce88e932a93ac77d38e1a9d0aae8ef70a3bafa2

SHA256
32da1e1918c0b3c835565843addb58603784083af2bd2176a72bba553a4c19c4

SHA512
2378dd61f2da4411d04e0c98b58cd66f2529703579b845c9561155908b1aebe2c323e06defb3629bcd38cfe45fdab5987d20d27c1d63b2407cc1b595730784bd

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
3KB

MD5
0af82daf00a77166adc8c8c726fcf5e2

SHA1
bace9a310e90e367b76e4fad3704035f343d619e

SHA256
dc8c4e13528ad8c6c61cddb20ee2aa812292fe310a52e5b016111a4a17cec4ca

SHA512
af16f72eaff1238adf5c6824c8217fd087443e4bd6631c13366ec50d0ff1c6ee8b985c50746d6fc85b9effdf03a69622f22aa955735aad4b760c3ddb580ab06a

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
7KB

MD5
bb451899c75f2ccc829ad64845067681

SHA1
cd69b042907f1da080e18e9a876bb2f8208128ab

SHA256
c48104d2f8f4486f015ac8bcbac0488fdbf0f472d9da0b593361b43271836ddc

SHA512
186b231bf7fe2fa62c6354c9344c4d1f0a216cf991a4ecd9efd61997f8cf47f29feb8d6e278856234265bc38ff6483f14e1b94c0ae09c16ae975fc60eac6f141

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
e9b40ec3f52e821fddf6aba1179b29f7

SHA1
c450ab41f449b8d31e01f8a34bae1183cdf2eb96

SHA256
a3d84f2138212755478f60f0e110055bbe32cb050c5c2356cb659199b8ef8636

SHA512
3944e9e2474e0f362a78ad7cf2b3d70a3c65ac401342b6fd84788a02498757ff1cc6459ab99253289cf0b88dcf804a6b4733ac85f234ee3588fb039d88e8edf1

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
8437c0346ef3361537b64c715645e562

SHA1
fb2dfe7e487bfae0ee2a1e7bd7ffc27ba94e8510

SHA256
1b67c9897af82a8633867fa171ed841d24baee2984ca0d2f1f1c937014daeb80

SHA512
00e55395b2fcf3c086e88c65f5160f26b9f067e275adc5007e324211389dfb84aad51e650adceb930618be85caf20d0b2bcd6fa0a89fc9424ca878694a1cb163

Download Submit
memory/1996-13-0x0000000000D40000-0x0000000002477000-memory.dmp

Filesize
23.2MB

Download
memory/1996-251-0x0000000000D40000-0x0000000002477000-memory.dmp

Filesize
23.2MB

Download
memory/2752-11-0x0000000000D40000-0x0000000002477000-memory.dmp

Filesize
23.2MB

Download
memory/2752-252-0x0000000000D40000-0x0000000002477000-memory.dmp

Filesize
23.2MB

Download
memory/2896-6-0x0000000000D40000-0x0000000002477000-memory.dmp

Filesize
23.2MB

Download
memory/2896-1-0x0000000000D40000-0x0000000002477000-memory.dmp

Filesize
23.2MB

Download
memory/2896-249-0x0000000000D40000-0x0000000002477000-memory.dmp

Filesize
23.2MB

Download
memory/2896-250-0x0000000000D44000-0x0000000001F83000-memory.dmp

Filesize
18.2MB

Download
memory/2896-2-0x0000000000D44000-0x0000000001F83000-memory.dmp

Filesize
18.2MB

Download