30663f0574cd075b83fe01ed7e639000029132536a493ed88cdc1f2f2c012890

Analysis

max time kernel
142s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
04/10/2024, 12:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

VFS/Programs/AnyDesk.exe
Size

5.0MB
MD5

a21768190f3b9feae33aaef660cb7a83
SHA1

24780657328783ef50ae0964b23288e68841a421
SHA256

55e4ce3fe726043070ecd7de5a74b2459ea8bed19ef2a36ce7884b2ab0863047
SHA512

ca6da822072cb0d3797221e578780b19c8953e4207729a002a64a00ced134059c0ed21b02572c43924e4ba3930c0e88cd2cdb309259e3d0dcfb0c282f1832d62
SSDEEP

98304:NzTZ3cINQscs0m++LNkT6OpwDGUUH57yvZ/49Mr8EO3QhA9Kq:Nzt3cINQscNmvLCwDkHEvZ/4R79x

Score

5^/10

discovery

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\Geo\Nation	AnyDesk.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\Geo\Nation	AnyDesk.exe

Loads dropped DLL 2 IoCs

pid	Process
4104	AnyDesk.exe
3948	AnyDesk.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AnyDesk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AnyDesk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AnyDesk.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AnyDesk.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	AnyDesk.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3948	AnyDesk.exe
3948	AnyDesk.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
4104	AnyDesk.exe
4104	AnyDesk.exe
4104	AnyDesk.exe

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
4104	AnyDesk.exe
4104	AnyDesk.exe
4104	AnyDesk.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1844 wrote to memory of 3948	1844	AnyDesk.exe	89
PID 1844 wrote to memory of 3948	1844	AnyDesk.exe	89
PID 1844 wrote to memory of 3948	1844	AnyDesk.exe	89
PID 1844 wrote to memory of 4104	1844	AnyDesk.exe	90
PID 1844 wrote to memory of 4104	1844	AnyDesk.exe	90
PID 1844 wrote to memory of 4104	1844	AnyDesk.exe	90

C:\Users\Admin\AppData\Local\Temp\VFS\Programs\AnyDesk.exe
"C:\Users\Admin\AppData\Local\Temp\VFS\Programs\AnyDesk.exe"
1⤵
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Suspicious use of WriteProcessMemory
PID:1844
- C:\Users\Admin\AppData\Local\Temp\VFS\Programs\AnyDesk.exe
  "C:\Users\Admin\AppData\Local\Temp\VFS\Programs\AnyDesk.exe" --local-service
  2⤵
  - Checks computer location settings
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:3948
- C:\Users\Admin\AppData\Local\Temp\VFS\Programs\AnyDesk.exe
  "C:\Users\Admin\AppData\Local\Temp\VFS\Programs\AnyDesk.exe" --local-control
  2⤵
  - Checks computer location settings
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:4104

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4124,i,9445584274764997943,12714240264001792460,262144 --variations-seed-version --mojo-platform-channel-handle=4156 /prefetch:8
1⤵
PID:696

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\gcapi.dll

Filesize
385KB

MD5
1ce7d5a1566c8c449d0f6772a8c27900

SHA1
60854185f6338e1bfc7497fd41aa44c5c00d8f85

SHA256
73170761d6776c0debacfbbc61b6988cb8270a20174bf5c049768a264bb8ffaf

SHA512
7e3411be8614170ae91db1626c452997dc6db663d79130872a124af982ee1d457cefba00abd7f5269adce3052403be31238aecc3934c7379d224cb792d519753

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace

Filesize
5KB

MD5
bf1c7e6d86789440a3581f900c55d940

SHA1
613822ced76ae866688e17690cf26e336b586154

SHA256
5e180bf0e32f70d75c37f6c5ff4753f9e09c65d62f54474be7869d11ade3f8b6

SHA512
9807af6644a666b3ed231a335be2f360edff30bb96262d7c43260ea32e4e90f1391c1b72c9e1b411aa5ad95be337f0aa40c61b0ec1c1c48a8f05b9274b612dee

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace

Filesize
9KB

MD5
1a2c42a775fbce858ddc30e57afcd38f

SHA1
639dc2666d369f4ed8ac89489cbf4ce0920b879f

SHA256
d62cebf60f9a5160bf141f2cc6a182960fb4169af297fd77b3e61c858c3c622a

SHA512
24b6e1b106bc409b393ab6367036bd8bb66c89ad88bb0509c33f2672de84816283b2a3fb2177934c290ae06f70893f8ff494901c7646af676cee086d1b2e5650

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\service.conf

Filesize
2KB

MD5
db665b9fa2dce5cf6bc4662328240daa

SHA1
06521d6cd6be5e709bc5d3da5d7bd4a2164cf9ae

SHA256
00ffef36bdc8dae7ed1879acad30f98b61c0d58c995b45965b6503ad0489328e

SHA512
ae26ce14cd24f2fa4a41122d4af37eb0afa26912a9f5077d70c6cb394533205571e9236e12b2486c8058245ed6cf25df973a5684d93c538831e1d479a61653a3

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\service.conf

Filesize
2KB

MD5
93f04a721c4e8e638209b6acd6bcad07

SHA1
5830b5bac6532660eb08afea33aee9935014e62e

SHA256
502415b0a457c833e51cc8156e2456630d687affaad155f13592c8d6180277c1

SHA512
47e2b16a261b9a6f29e03462bf7af79b86d75d7fa4de28439120de28d452b6015ebcbd5a20a1517401b943f0e4693513982ad20e1b52790b2be65a054a704942

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
681B

MD5
a38465709f0aaa38d0a008efe1fc04eb

SHA1
7512944a2b7e77450073e480b5f3c7f4428e6f6c

SHA256
7b79de731ed4c1195c3dd5266713292f982e4398545ca193781d8c356dbef3bd

SHA512
3112642c69cf33fc276cf00df5f45133df8252d86623ee712b51db12a529885ef3cf6eb8239b23d093b209fb69458ae110ee6fba09240311e9dbc3bc9521044e

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
738B

MD5
8571d3ee551b666c770d386e6a2e4ab1

SHA1
fc669f63a1a68d8b660bdee94b817ef6308e5678

SHA256
19f4ebb7f681168e2dedcadd86895ab2d18b581b0813f47d7adef4bf27327d8d

SHA512
fa3e9e7ef53d02be9d0205cf7be15fe786947b4937d69891b6bbc01f15af3c83b96618e88df6e81304c9f52cd341a6cbc13ea5703b6fe532c785d3231dae99d4

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
312B

MD5
0c04ad1083dc5c7c45e3ee2cd344ae38

SHA1
f1cf190f8ca93000e56d49732e9e827e2554c46f

SHA256
6452273c017db7cbe0ffc5b109bbf3f8d3282fb91bfa3c5eabc4fb8f1fc98cb0

SHA512
6c414b39bbc1f1f08446c6c6da6f6e1ceb9303bbf183ae279c872d91641ea8d67ec5e5c4e0824da3837eca73ec29fe70e92b72c09458c8ce50fa6f08791d1492

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
424B

MD5
1556e46f5e45505a5a5689f263fa67df

SHA1
b589d189ebbeb9ba1671a7088ad489fbb580e6aa

SHA256
c4fe802b1425af0e34bf636744efdd13b56c2489d065d8c5c5f7dac6f16d80c9

SHA512
678e8079841f0ff1a53899cbc108550a2674ef1b5898906f609980eb5ec53336e2d0216e9a6e26deb28bf0b77892bf0f1df172175f74a0f055853c15c0784fca

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
424B

MD5
dbaaec25a5145a22235a305938df242c

SHA1
95a2138dfe9cd622dea91db2336f659d8e133af3

SHA256
b172808faf2a0abeff241b0e41f9c4f383297adcdb71f89594db85ade692aa46

SHA512
1a2ec545e931a38f70d6b835b98402888aa66b6d14bfa2cb69e0142dfe918cc0be8d9c6e3f19c6807efbf70edc109e5fd04220a93918072aaad64aec85463a18

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
2KB

MD5
63c299a34ba040fbde1c2c52ef468024

SHA1
d928087d2f48f0aeda1842012af2a20dce756f9c

SHA256
00a56de08d4816c52904cb3b568965c1e2acc8c5e63ed83da7bf6b792174a0c6

SHA512
910e22ac41b29f518b4d229650d258f5fe80f73c1af3e0bbb490b32355c9968571689174e023ba5c3c38a6887ec169ceab5a491caac9ed935324e0e086d67b2a

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
3KB

MD5
cf0dc4cdfdb49131c855754cbf45743b

SHA1
e1d76f7a5c4c434b0f3367e5ec4a712151bf1aaf

SHA256
2c5f0a01f306ed98a06413210e3a965d829b16455afdcb6af64824ba57b37ede

SHA512
212d0a30b0d20638cfbda02afe27a8b67cadee58b092342ed6309eb4f6006975ea028f7b97e6ccbce6acb08fa20e7da965f4dbadbe9391dfbf6d399eb85ea2e5

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
7KB

MD5
428dd8776a23891b8152f1fc2af60c65

SHA1
cae50072a7af6e7bd0b142bcb18e47ce2621cc15

SHA256
2a804591c7444e4837e635d947203182a8d714a96854a04b5bb16d6166312a19

SHA512
563aca3840067b5d787573a7514a744d8ab8a26713cbfc85483f90fa0e59d400e2ececc5b34f76c02cdbc74dc2974a9b6e2983ea988bbad9f9160ec2d7410540

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
a75a89d888aca680b1bbc1b6f43bd998

SHA1
0e89c8e1eb8353d0e7101d675838bd0f34c93f9e

SHA256
10469441a8fa238b3b9aa2204e57ad0a2f67988bb1728009acebd6a813abcc1e

SHA512
64b91e22d3ed336323d31d290496b59b51e881fc49571b66a20d67118634bb090769ef5954f0534e03592dcd01d56701e24fd604691c1540a68a90c552475a1b

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
7KB

MD5
67dded95373964660ca3271dcd4ee8e6

SHA1
c4827c24a06bffaeaf4874d7d8df6c5c809f014a

SHA256
957522aff84a00a4c1582b93c7cbd65c75857ce7166485d0d5d9ef21e5876d83

SHA512
631de92ab1795b40918fca76eb5d9bf66f40260b82899eaec5813742e11b92b514333fde4213321cfaa397ecf189a492f6a563362864bc3488d3297cecdd4e8d

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
4839065468e5e866867708fbd4c1b9e5

SHA1
7c8366123400e6f9f0f72836293ab11307fa0aba

SHA256
83a7ea3f29247bd413be7885123995522aa5d69a145738d818b1be60f3d4b6b7

SHA512
53bcbca7348e62b0c9b371feff46a379dca5ba933ff1a16800ccc5d796cfd36c7b546ba48c0f83db84d054ebaaa50571e78e92794057827d49b4be42d64e3b55

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
08bb2c46071545b65c763e96c17edeb2

SHA1
1ec7a0ab387086e51eb9b545b73efa9d3008071c

SHA256
33ff5559dc3d8102e1c24fe06b900c6845ab2ed967409c76c6b9ff630a3e2194

SHA512
a7c9e4a6f8b8a96d0639e9be6734a288b9af1f66be472b31113cf94129979989fc90ccb7f9f3b346906bb7b8cd746d589916fc27bc3c09c599a112e575fa8756

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
550e2695a5a813ffd3c35cde3ec02868

SHA1
5ba3cb8ef53ceaadf8fcd51f9c0a0ba32417ba46

SHA256
6093c54676f6533d956ef0eac7d33ed39d94367601fd27524cb3a746611c393e

SHA512
e20369499136f47f3c87298d3030e8c680ac1ec2cb3ffbd7d943ac712045b73c1339905ef93e353be2eb45dda6f21f9b9c35d8fca6ccb1eb940b3f4394f00b23

Download Submit
memory/1844-0-0x0000000000AE4000-0x0000000001D23000-memory.dmp

Filesize
18.2MB

Download
memory/1844-8-0x0000000000AE0000-0x0000000002217000-memory.dmp

Filesize
23.2MB

Download
memory/1844-1-0x0000000000AE0000-0x0000000002217000-memory.dmp

Filesize
23.2MB

Download
memory/1844-227-0x0000000000AE0000-0x0000000002217000-memory.dmp

Filesize
23.2MB

Download
memory/1844-230-0x0000000000AE4000-0x0000000001D23000-memory.dmp

Filesize
18.2MB

Download
memory/3948-21-0x0000000000AE0000-0x0000000002217000-memory.dmp

Filesize
23.2MB

Download
memory/3948-11-0x0000000000AE0000-0x0000000002217000-memory.dmp

Filesize
23.2MB

Download
memory/3948-228-0x0000000000AE0000-0x0000000002217000-memory.dmp

Filesize
23.2MB

Download
memory/4104-13-0x0000000000AE0000-0x0000000002217000-memory.dmp

Filesize
23.2MB

Download
memory/4104-229-0x0000000000AE0000-0x0000000002217000-memory.dmp

Filesize
23.2MB

Download