1a70f4eef11fbecb721b9bab1c9ff43a8c4cd7b2cafef08c033c77070c6fe069

max time kernel
1792s
max time network
1794s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
30/10/2024, 18:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

AnyDesk.exe
Size

4.8MB
MD5

ecae8b9c820ce255108f6050c26c37a1
SHA1

42333349841ddcec2b5c073abc0cae651bb03e5f
SHA256

1a70f4eef11fbecb721b9bab1c9ff43a8c4cd7b2cafef08c033c77070c6fe069
SHA512

9dc317682d4a89351e876b47f57e7fd26176f054b7322433c2c02dd074aabf8bfb19e6d1137a4b3ee6cd3463eaf8c0de124385928c561bdfe38440f336035ed4
SSDEEP

49152:meqV5ZTNR7GCogeeQO+f2roC8b9vIT2jDKW4q8TrdzRplNOBLE7Rm1ebw4Tf/Eex:cX1T7bL0KrCqKDV4Jnd1ZOQ7R3rr/f6K

Score

3^/10

discovery

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AnyDesk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AnyDesk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AnyDesk.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AnyDesk.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	AnyDesk.exe

Suspicious use of FindShellTrayWindow 5 IoCs

pid	Process
3512	AnyDesk.exe
3512	AnyDesk.exe
3512	AnyDesk.exe
3512	AnyDesk.exe
3512	AnyDesk.exe

Suspicious use of SendNotifyMessage 5 IoCs

pid	Process
3512	AnyDesk.exe
3512	AnyDesk.exe
3512	AnyDesk.exe
3512	AnyDesk.exe
3512	AnyDesk.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2596 wrote to memory of 4940	2596	AnyDesk.exe	87
PID 2596 wrote to memory of 4940	2596	AnyDesk.exe	87
PID 2596 wrote to memory of 4940	2596	AnyDesk.exe	87
PID 2596 wrote to memory of 3512	2596	AnyDesk.exe	88
PID 2596 wrote to memory of 3512	2596	AnyDesk.exe	88
PID 2596 wrote to memory of 3512	2596	AnyDesk.exe	88

C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
"C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2596
- C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
  "C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe" --local-service
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4940
- C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
  "C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe" --local-control
  2⤵
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:3512

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\gcapi.dll

Filesize
385KB

MD5
1ce7d5a1566c8c449d0f6772a8c27900

SHA1
60854185f6338e1bfc7497fd41aa44c5c00d8f85

SHA256
73170761d6776c0debacfbbc61b6988cb8270a20174bf5c049768a264bb8ffaf

SHA512
7e3411be8614170ae91db1626c452997dc6db663d79130872a124af982ee1d457cefba00abd7f5269adce3052403be31238aecc3934c7379d224cb792d519753

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace

Filesize
5KB

MD5
0bd380c32bd976c23aa9c41de5854a8c

SHA1
a1ae76996e119d1dd56af2c3e8ca8277ee58ca17

SHA256
216b2c42bfb44cc0b86a5d49f00d5309236e62f83eb3853bed8369c039cd55f5

SHA512
b1a7b50a03ae08ae71a6d094a63bb02886b8d847a09eb5fe72031ccb9bcc6fa4bdf98523ff9b1f88ef020ec92247a71cb1211afae40d1fd62000f7217a362d14

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace

Filesize
9KB

MD5
970b71ae6dc258cad05488f74db49bbc

SHA1
3b73be235d855edb252afe2ecec7a61edff37083

SHA256
5b8962659bb2c230b48a4e406413d19258da2825022219a3c74881fbdcdf62cb

SHA512
31718c7142391421aa7bb5c57db09eff8d002e1a87e7c820e9441c82a96086a7ff5813ec4ef69ba035d752c7c76c99153d86db620f0020cac084344a5189b92b

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\service.conf

Filesize
2KB

MD5
476fd5f2e838064d3cf6f21d56433ed5

SHA1
2cb1c728fa49daea19a6a4139c206596b00f2555

SHA256
37f38d57822c06617fb31665d7dd3e3051beb12e9b0bab09a4f2c285688f8b14

SHA512
c28bb8f17e34b7fa8fdfe9e4501d0c001bcf04b7e0960945b4e7c6bef18a2d98ff3641208239f4c9b7b07b819730888025ea5c1b78b83cde6fa650df29637f49

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\service.conf

Filesize
2KB

MD5
49eb5403011201dc72768516b45a7c1f

SHA1
35f56775001bdec4594464aafac0a0464a77418c

SHA256
c855e42a5b3d4c492503dce104eef88b8cb7702b996cc605af07b50709772ae7

SHA512
53a7c812c067e48c48d2cfe959db555af1ae580818de290f7c650aab1042345cc77dddc1185c90d50bfb590e647038f46f1c83b3a2597199ced7875d0e1f0baf

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
766B

MD5
b798832ce4f48fb09cfa2719f0449585

SHA1
01eeaffe9e8e786cc9d1bbc57466f145a21b6d34

SHA256
57017c0bbfcdb8369a29c7fe5a5ce75dab8b661fc7ccb1016c3b61332d1c7e43

SHA512
9b72352d0ecd45c7bac4b0ee0864ddeee5ceaaf9ed6dca0271961518e163650b372592a0c2150e6b1838d0f6e3dcf35afdfd6ba1b49f0125c6e3eb2c53dc98d7

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
823B

MD5
3a4d47b18b560416bec65648638bcfd2

SHA1
f9dce1fe57713c79af10578b211f0387044d5ace

SHA256
dcbd888df6514196079becf4b7189e26a5760160eba545ae301ae38755adc448

SHA512
7cb33836b691237d5175339637fac28565da39af93328e98256804aa1a84e33b961afe7e19e7ec3d11a1c1416cf5da70bac3fb7f6113b454c90dd0a0f5b4c72a

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
832B

MD5
f0b6b8d0f0a8b4c24d67cd357c15bbf1

SHA1
cd1e28d77a4cbead8bf0637cd0e07adf76390409

SHA256
188b033bcf02cc0d07a7c159c884724f6f5cc2ab6dec373e6d3ccb11a39a88bc

SHA512
377e51f453370a039d311e399344136f8a721e14dd448cb91817c7588a4e003cc8c8fae74994d2c89d34ecc92d0c998db047807501358f0f5df095380d783cd2

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
312B

MD5
0c04ad1083dc5c7c45e3ee2cd344ae38

SHA1
f1cf190f8ca93000e56d49732e9e827e2554c46f

SHA256
6452273c017db7cbe0ffc5b109bbf3f8d3282fb91bfa3c5eabc4fb8f1fc98cb0

SHA512
6c414b39bbc1f1f08446c6c6da6f6e1ceb9303bbf183ae279c872d91641ea8d67ec5e5c4e0824da3837eca73ec29fe70e92b72c09458c8ce50fa6f08791d1492

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
468B

MD5
5d94e77cb03bd0a6be066a515e957a0e

SHA1
2db55270c9df30861dc8fc4289b4d211afd0a21a

SHA256
c9787af9f98dda9a6c205e5f320ea50ec0063ea208c362b3349fad8507d62bfe

SHA512
afcc1f511d86e0066ce629fc4901cc557dafcc134954880e234a2e2b8491a40a1fc83d77addaa59b35900b14631ce1b945a67bcdc6ca66f4529d36630d1c195e

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
468B

MD5
5cedf5917a5fe523bfb8633339be72d1

SHA1
68ca273693852c9ad39e9d3a66e9be7f8b09568a

SHA256
0f99dc48b1059a652271560774897e9b208b8199d1131da928e7404ef2c0f158

SHA512
07526f2be77f7546383b80c2e05d2f4dbdfd1a939990e85f7af3f686c9d4237d5580602d59fa7c643e3cf5e46afaab14f446885ee939416b509b3c7c4e4233ef

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
2KB

MD5
3078a3e98a88b257bf3e49c5a5850afc

SHA1
e9770fe86328b2e894cd0ef1fb684c9ba808b2b2

SHA256
058bf53c997a85d37c4a06e08392e6c6f0c8c62b22fa3d07f801c93c4262211a

SHA512
92f3b7642e74b8fece8de0ed34c69a4264ec58e00b34424223195bf88a3f04c26ca8a89e8b81f07b4e718b9a6fc35faf50f6d15bfaaba7d5d7690604d6f41169

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
2KB

MD5
cdcf5bd33623020114e7f5baeaf99bae

SHA1
b5f10428453a97849a627364cd2d76922bdddb12

SHA256
4fb898fd55b0ed96617f85b92c99db72eca582ad1f930b71ebd0f73c37bddfee

SHA512
1bde09fb231ecb8acb06cd8ab16902ce84f43978c4cc36143e9fb665b08e89ba1b980ec0f35df6ccdb546b90907ac4d5b60f636586c41c73f85a5b17aeb17cba

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
3KB

MD5
061283b51c52e50c461bbae1992f5227

SHA1
87c6fe57d10ce6791230341235197ca961969ea8

SHA256
4e8b0a2aaa36d3fad6f1566b7e32f6c98a045122739136a7bc8aad64948c962c

SHA512
70f903afd7d52b49da23d0e227cdafe9d7f26304c84a644c64e83e1e78a67f291aa97ef2ddf46c3c8833b6d235d5dea0f349d567bbf11bb32e910e23e739f0da

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
3KB

MD5
e6f08105fd15814630e2d7dea5123ea2

SHA1
89a81f61ad29363a1c5b5f04a79d91f8f48a58c0

SHA256
f8efdf0d49142d1f43a6fe5d1da61bb7ce96ea4b274a77847c815b668487e0f7

SHA512
09a24aa29ffb72622b3a659308682b668c6429a75ae3e175d9e38356ddc6d5e349dfc16d2d65322c9e6cfca8f8858d99939e2e3abed732f7570ed46922a34b2a

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
7KB

MD5
35abd77b80b41c3505b0a3f1f815ffa8

SHA1
60817a884622b460e7ea5d5b34955ed18ebeefdb

SHA256
d6032328465e4dddf46f9b7c48d07a302f2027b48f49922a93ff8204d4e93cff

SHA512
4071738ec17f529af008b5f0ed9a34fe3d33ca473ad4a3cc69c510798e366bd756f2f6a0c87cb7e45c065770dcef9c84137ba2ff163c5b3624aececf3225d0cf

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
6KB

MD5
2e323c53ff746a55d6413526ed63942a

SHA1
8f232711d60a9956945179e753aacebac46bf4da

SHA256
b6b595c9179f7ae2e8aab023ee46e6b42b3e87823d516ad166f37a0ada7b3da8

SHA512
b60b497fbea7a2689b84ae1336720e5abe0c3180f9af67788f07dbb4615d9a455c355930a6310d4ae4821503dcca4b8bf85f61ad2e4d89aa9a2cd6a843803e69

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
f00fd7008d41d90aa46672033fa21b9f

SHA1
cfca204609f657bd7d52ff412c13f25c951c9391

SHA256
d98bc8550a51acc7d1c1457a590376f97b3e7f4ee979281fa4d3193c878ecd8c

SHA512
2003cc20d727419dbda7ffc1164ee582678316038cd70bf69eb7efb6e5dffd3ae546257592acc34515585637ce9b6494e9668163eac6edf91eead85a9f8dfb10

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
7KB

MD5
1260fed6fcdc623209d102a9e2d3ac33

SHA1
b21492983d6907ae2da603a3b29b38f9f17bdd4a

SHA256
392efe8723fb10f34f3e8a7fa1ebab5aa7f69c0005db03f9d79713be3add20e5

SHA512
9e4785b89818ce729ee7988dd8a62d32f769660c3e566c0ede20b158c11dfec7c4094d380540cc99696af9837a37957f5c535a010e761119a57f58e17f2e9fb3

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
fa05e2e978693b1054c0b08a716d49e0

SHA1
53444bb8755096db435de33b37928a7f7225691b

SHA256
c8d21ef918e5b0886bdad9d94bffed82cdb872f7650ecf56882ef9e06e922624

SHA512
4fd2999ab565fdbec736e7f8fd569602de935cd13e4e623bc4339c1f71a4e115151a779da8781c7dcb73d99cba0c31c7b6e511f2d2f4634db229c1855e7663e1

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
1e4528b114062871752c347af2386e9d

SHA1
a3a1934614b80123372a19f1617205c6105accb2

SHA256
4587f6fa12ac601a9b8b2d0557a9aaff7660915ab73daac76e1809a89d74bf68

SHA512
957bdb1cf5a66b2a9e61848e046b676460a20594280838939ddc6cfad346a9cf6e8ccbf20c13a3490a89e434bd94f0ae38071edcdd46032f001cdff280f5d8e6

Download Submit
memory/2596-239-0x0000000000754000-0x0000000001741000-memory.dmp

Filesize
15.9MB

Download
memory/2596-0-0x0000000000754000-0x0000000001741000-memory.dmp

Filesize
15.9MB

Download
memory/2596-7-0x0000000000750000-0x0000000001BFF000-memory.dmp

Filesize
20.7MB

Download
memory/2596-1-0x0000000000750000-0x0000000001BFF000-memory.dmp

Filesize
20.7MB

Download
memory/2596-238-0x0000000000750000-0x0000000001BFF000-memory.dmp

Filesize
20.7MB

Download
memory/3512-14-0x0000000000750000-0x0000000001BFF000-memory.dmp

Filesize
20.7MB

Download
memory/3512-11-0x0000000000750000-0x0000000001BFF000-memory.dmp

Filesize
20.7MB

Download
memory/3512-241-0x0000000000750000-0x0000000001BFF000-memory.dmp

Filesize
20.7MB

Download
memory/4940-10-0x0000000000750000-0x0000000001BFF000-memory.dmp

Filesize
20.7MB

Download
memory/4940-38-0x00000000053C0000-0x00000000053DB000-memory.dmp

Filesize
108KB

Download
memory/4940-42-0x00000000053C0000-0x00000000053DB000-memory.dmp

Filesize
108KB

Download
memory/4940-41-0x00000000053C0000-0x00000000053DB000-memory.dmp

Filesize
108KB

Download
memory/4940-240-0x0000000000750000-0x0000000001BFF000-memory.dmp

Filesize
20.7MB

Download

Resubmissions

Analysis