1a70f4eef11fbecb721b9bab1c9ff43a8c4cd7b2cafef08c033c77070c6fe069

max time kernel
72s
max time network
73s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
09-10-2024 22:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

AnyDesk.exe
Size

4.8MB
MD5

ecae8b9c820ce255108f6050c26c37a1
SHA1

42333349841ddcec2b5c073abc0cae651bb03e5f
SHA256

1a70f4eef11fbecb721b9bab1c9ff43a8c4cd7b2cafef08c033c77070c6fe069
SHA512

9dc317682d4a89351e876b47f57e7fd26176f054b7322433c2c02dd074aabf8bfb19e6d1137a4b3ee6cd3463eaf8c0de124385928c561bdfe38440f336035ed4
SSDEEP

49152:meqV5ZTNR7GCogeeQO+f2roC8b9vIT2jDKW4q8TrdzRplNOBLE7Rm1ebw4Tf/Eex:cX1T7bL0KrCqKDV4Jnd1ZOQ7R3rr/f6K

Score

5^/10

discovery

Malware Config

Signatures

Drops file in System32 directory 15 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_idx.db	AnyDesk.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_768.db	AnyDesk.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_1280.db	AnyDesk.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_wide.db	AnyDesk.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_wide_alternate.db	AnyDesk.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_32.db	AnyDesk.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_96.db	AnyDesk.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_exif.db	AnyDesk.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_48.db	AnyDesk.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_256.db	AnyDesk.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_1920.db	AnyDesk.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_16.db	AnyDesk.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_2560.db	AnyDesk.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_sr.db	AnyDesk.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_custom_stream.db	AnyDesk.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AnyDesk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AnyDesk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AnyDesk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AnyDesk.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AnyDesk.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	AnyDesk.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
3688	AnyDesk.exe
3688	AnyDesk.exe
3688	AnyDesk.exe
3688	AnyDesk.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	3688	AnyDesk.exe
Token: 33	4964	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	4964	AUDIODG.EXE

Suspicious use of FindShellTrayWindow 5 IoCs

pid	Process
2412	AnyDesk.exe
2412	AnyDesk.exe
2412	AnyDesk.exe
2412	AnyDesk.exe
2412	AnyDesk.exe

Suspicious use of SendNotifyMessage 5 IoCs

pid	Process
2412	AnyDesk.exe
2412	AnyDesk.exe
2412	AnyDesk.exe
2412	AnyDesk.exe
2412	AnyDesk.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 5012 wrote to memory of 3688	5012	AnyDesk.exe	86
PID 5012 wrote to memory of 3688	5012	AnyDesk.exe	86
PID 5012 wrote to memory of 3688	5012	AnyDesk.exe	86
PID 5012 wrote to memory of 2412	5012	AnyDesk.exe	87
PID 5012 wrote to memory of 2412	5012	AnyDesk.exe	87
PID 5012 wrote to memory of 2412	5012	AnyDesk.exe	87

C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
"C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:5012
- C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
  "C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe" --local-service
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3688
- - C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
    "C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe" --backend
    3⤵
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    PID:3132
- C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
  "C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe" --local-control
  2⤵
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:2412

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x4ec 0x4bc
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4964

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\gcapi.dll

Filesize
385KB

MD5
1ce7d5a1566c8c449d0f6772a8c27900

SHA1
60854185f6338e1bfc7497fd41aa44c5c00d8f85

SHA256
73170761d6776c0debacfbbc61b6988cb8270a20174bf5c049768a264bb8ffaf

SHA512
7e3411be8614170ae91db1626c452997dc6db663d79130872a124af982ee1d457cefba00abd7f5269adce3052403be31238aecc3934c7379d224cb792d519753

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace

Filesize
9KB

MD5
dfc86b314486cfb4c8c9d282244727e4

SHA1
517b03bbafcf83cdc6e52d059c1b56a01bb12962

SHA256
90346b0f3121d3801067407c636aca825b90562d50dfc2303945924a6d3f254e

SHA512
43d4593d493b96d37eea993bc2d670ee4829480d7b4c950518435a5c6ee36ac04819c69d6915a707400b308892dd8d45560009c1fb9a37e2f020813259f65644

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace

Filesize
37KB

MD5
9e74d7ce92509bbeefaece8c60726e1e

SHA1
58ab1e132bb85ecbd14bc350755d7891e500e647

SHA256
e7ba8e76830cab211b535bf247242eac0bb8e4fb20329b6c92595c9a4e535235

SHA512
51186db77867ba32617f996e3fb94334cfeba78e95616c3f3b4fcd4d0f5086b7f2748ef2457bf7faf3d64f67fbdde17a91a7862a1d494f97a2b88870249369f2

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\service.conf

Filesize
2KB

MD5
3defa5eebe9bdf81aec426021417795f

SHA1
7927272d7205d8f5b187fffb949670763c72b15c

SHA256
5a7e7c37863ad8f47e05bbe20fff1708c0244d41ef249e7187c8fa0f9e77ddd6

SHA512
27bbd93fe79c65486756345546da35a33ff6034ce711ee73fbdd6f908a1a4d1149d57d2a897ddafb739f1de5f7daf66b6303b9a0cc755d2be56df84cd7aa974d

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
697B

MD5
77d97c8340a582b548f56e7b4aab0169

SHA1
bc7c49fe709224038f3ec274aa1230339cdbbd03

SHA256
f10a102f0c64c3361a1b4706ec3c0c97550392366c857c9796962280977b178f

SHA512
d282d4f84b8635096f072f982b33f4c58214fd8b1fc0e1a46b84ec063ac50f37e307b19c6e7a936ee4b71f5b429c42895715e71e65d52b05f8294fad2cdc27ed

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
763B

MD5
f4e4964138f5b900c984affd343b227f

SHA1
2674424bf2dee650966a73554478f9abcdbb27b9

SHA256
b99efff34c32c8c50377301c8356bed437e27c0ada07d67ec5f1add2231d305a

SHA512
aeea3ecd3da46400dad8949e5e7f86735169807c44622c9f64956e3187f3d1bf140134c37951fa229b7388a9abeef542e4f623faf2688b82cf0ed35bdf831702

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
832B

MD5
79655e56486dc3ca130b2c84707e06ea

SHA1
ef43ab9ce10c5a54dbca49875b48f0f9fe7bfb27

SHA256
009986fdff9bd1c03250f1ca65a4854708eec246b0a8164886c411284dd5544f

SHA512
6dca0e8e85beb89f60b63c56e795cb06741b61c87e3fa3c78fa123ca1211fd5edaa4146da2af326339465f64d3c273a658e76f068b8031e3b6cd66406cbaae13

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
468B

MD5
2ea3d5bb7cb2edfd613caad5d324afdc

SHA1
214da874c30f0d460e22c6c9f9d77665fdbdb727

SHA256
abd973793eed22ea27e9dadc604494d8ad4969a7d200269653016d2d3b76aad2

SHA512
d3de189d7afc930b055540d2f02df9ac1a37be28f378eba0d64082ff34a600756736feb5c6ab1de50861c5614ac1159a4e1b3c980352d65533b7f30381387a28

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
468B

MD5
7613d70d12ca7f2d71d490beafad7068

SHA1
064ae8920e729673a6128e7df72290c6aa55e546

SHA256
379d3ade4599026531d8d1123af6a9e7fd5b8d093f5ca56339e26a647585ec02

SHA512
5affd1ebb7508b7a554e0def3f5fe7dd554ae9b2b8cfa5adc3e860e854b1494e679ce7c1427d3bc9418018f411512105d7b330f6460d89fd80c49434799f0631

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
2KB

MD5
16c53897fbf7469036413ac44cbc0b39

SHA1
1eb1d97994b29125b5ce02a497f166c8bccc7d10

SHA256
8c384cc6f70a8a1655752eba33b860163ea11a4671fba137ad3b51e25de89835

SHA512
5c3fc76aec15e03ede85c2a2fe718bc00e07d42193aed3cf6ca03c617067f892a1722ab4b06393c2a4219335393cb85882e53d30e56bdef2fa4364fa809e8dd7

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
3KB

MD5
e493acf41d8ddbdc3b962981d6f965ef

SHA1
54dcef6833a9e79b5bd5380fa67174df8b61be35

SHA256
f399f5c99c67d134f6bbceedc618b5afa55f08a5ff210f5511bd1e4db5e9210a

SHA512
f88311b5492de3bca9f27c6122a4e0502e0773ebe515439e98675e0fb0650f7f09f0b0c904ec7ee03609d4c66a83b28782ea5329ff104b140c950320015715f9

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
3KB

MD5
c0f35e8ead3e695e479bd71d88f2049b

SHA1
2110a926409a947a83c73ffdfa8c6cb8f8cfcf91

SHA256
d019cd304987f6f6428d2ca9cf25f03ed2cb549861461e862e0b2e9df558c393

SHA512
2ac8dca1f4c970b37654302a6525e7b49d019ca769c851524ac727315fe320787cc3b3016c5eb26b8a673980c9833c0c5a8c4765d87265981524693fad09456b

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
735d7c0a3bf0d08438151c3d2d5f5e92

SHA1
2278f867ef6237ef5c5d80e7e5a609355e8e3780

SHA256
6b5cb93963afbcfef30b70c8b749851a3cb52627d3f2a9ff662b60897ef14898

SHA512
a991e8cedc5b632dfa3587f9131265ca23ea7b78195a752e3c464b91e7b616fcfa9fd2f1c8ed4da3e00c2849b6636cc8e1679e1bd8dc19c55a89b739920c8404

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
a365f246c3a4a50baa62a401e09283ba

SHA1
5cb9bed6706ca8ea53c2fdff2e89ecf47ab60d84

SHA256
d80625758b6e6c9d9fe04cbc4bc8cbb056dd88dccfcca100afed2820c53075bd

SHA512
4fe31a17ae0a738af23e90bbb91eee296c41f30988e7546e27b11f90ee874ca22f74168c083c4f6fca279c4db8637675fb4627056c31468f59cf7db514a2de5d

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
3KB

MD5
2a25e41942dc1609d283a19425cd42ea

SHA1
e4cc0589b8b962df7268196f2c57e101ad50e249

SHA256
e09d3d3581626f17f63f7ed6110325eda6f91135fbae40592801db705d94efa7

SHA512
de6c8361bf383853e9b08da5b0580929a746a0ce9f29ae9d65a0cfe66743574e94abaa9c45cdb3f47e288723520cc7fe6969785e45f191953cf720dcba50b54e

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
3KB

MD5
84b0ce7a25cd6be84870555440536539

SHA1
4b92314239b711cc71f79e10b62772078ba51d96

SHA256
e58dac3eff348cba3db4f632845a5d3603ac8ca7fbec3ea61ce7e72745b2ebca

SHA512
bf0b2b4de48279cfe5c70c747306dbe4cc15ac936b1eb4a85e77153f4aecdd53e2407093b7a4172b0c424b869570f672cae2eadbc04f58758a15df7d14293842

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
3KB

MD5
4a7f8f97d21cb904ee895006f7bc3247

SHA1
9596d66a7074b572033c32fe8716bd85de3ba22d

SHA256
f18304c2ca48682412edac6bbc48927f1b1e7d754d2545ae2f61ff9e7b0fc09f

SHA512
208de0c10e66457c4d54c47146ab14a0f812280a2224c4192add0240baaca26c172ad48513d7b9dcc2a1ba392e507b10fb8f1becdff367126a500ab795bdb087

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
3KB

MD5
73861e3d50d5c24767ef91e4230554fd

SHA1
a91629596b308c29a96ff7b540b50dd18603aa44

SHA256
44f10cdbcc5e8b8e8e34c37e822cfed6cfd0dc8bb3b216e1dbb475a4dbea0134

SHA512
cbebb209dc25bc23caef32b8c3137d029d0cc47326aa8eb081e7645d072d2224169ad4dc23a1c7a0815db9fc13c1afbe47021202274a2368c09c0b273cf995ac

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
3KB

MD5
ba979a23ac4d69e4187e15c23e5db27f

SHA1
3f57dec0691904cf3b732a4c0d5bf366017cf06a

SHA256
baf2cfff1c9b8cdb4769d30acb5429482ffd6ac65cc0bbab2c07f7c4e9568ad1

SHA512
e12e2ce6b6a66395da6c125ef53e5596f115ce056d5e043e918b2fec9fd8aca7e596814be6481f64ebc0b2d033eb09c887ab1e5030b85e5f44f9b0831ebbb1a2

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
85a3076e88e71d5cb2b0d01080da9435

SHA1
335b6c24d518705e461dd4debd9cc1207ad349af

SHA256
546633cbed998aa0046a63f67720d2a22307d97b9b923c71b86794729a34e4b5

SHA512
32e8494ad6abd71ab90fb33401f2c0173e3745d13a1c04f20c903ac2b94ad2206b177f234ec64f40dfaccae297a23748c8cf70aaed8e01f42c8738adf3a08c51

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
2fc6c3c9e533e7b5e52db54966b9da33

SHA1
4547bf81ec8280c25ee2de85033848593682aef7

SHA256
a5f6cd3099276dd6205b2a033d7e17376f386198f4b40e1929d659cb5eb8295f

SHA512
a3dd494e2d304707ae48201d2e1f3a915d39b72a3b1baa5b1d9440eeee1b97b4e6633e246795694da1125844cfcc40c1aff65fb779514462bf3917c4bb72da8e

Download Submit
memory/2412-13-0x0000000000C80000-0x000000000212F000-memory.dmp

Filesize
20.7MB

Download
memory/2412-330-0x0000000000C80000-0x000000000212F000-memory.dmp

Filesize
20.7MB

Download
memory/2412-194-0x0000000000C80000-0x000000000212F000-memory.dmp

Filesize
20.7MB

Download
memory/3132-198-0x0000000000C80000-0x000000000212F000-memory.dmp

Filesize
20.7MB

Download
memory/3132-331-0x0000000000C80000-0x000000000212F000-memory.dmp

Filesize
20.7MB

Download
memory/3132-209-0x0000000000C80000-0x000000000212F000-memory.dmp

Filesize
20.7MB

Download
memory/3688-10-0x0000000000C80000-0x000000000212F000-memory.dmp

Filesize
20.7MB

Download
memory/3688-12-0x0000000000C80000-0x000000000212F000-memory.dmp

Filesize
20.7MB

Download
memory/3688-207-0x0000000000C80000-0x000000000212F000-memory.dmp

Filesize
20.7MB

Download
memory/3688-193-0x0000000000C80000-0x000000000212F000-memory.dmp

Filesize
20.7MB

Download
memory/3688-211-0x0000000000C80000-0x000000000212F000-memory.dmp

Filesize
20.7MB

Download
memory/3688-333-0x0000000000C80000-0x000000000212F000-memory.dmp

Filesize
20.7MB

Download
memory/3688-39-0x0000000005450000-0x000000000546B000-memory.dmp

Filesize
108KB

Download
memory/3688-42-0x0000000005450000-0x000000000546B000-memory.dmp

Filesize
108KB

Download
memory/3688-329-0x0000000000C80000-0x000000000212F000-memory.dmp

Filesize
20.7MB

Download
memory/3688-43-0x0000000005450000-0x000000000546B000-memory.dmp

Filesize
108KB

Download
memory/5012-2-0x0000000000C80000-0x000000000212F000-memory.dmp

Filesize
20.7MB

Download
memory/5012-7-0x0000000000C80000-0x000000000212F000-memory.dmp

Filesize
20.7MB

Download
memory/5012-191-0x0000000000C80000-0x000000000212F000-memory.dmp

Filesize
20.7MB

Download
memory/5012-192-0x0000000000C84000-0x0000000001C71000-memory.dmp

Filesize
15.9MB

Download
memory/5012-332-0x0000000000C80000-0x000000000212F000-memory.dmp

Filesize
20.7MB

Download
memory/5012-0-0x0000000000C84000-0x0000000001C71000-memory.dmp

Filesize
15.9MB

Download