d9a3252d8aa1ce8786fd29d68c4d77018a61c51073aaff82db00ae5355704110

Analysis

max time kernel
148s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
23-11-2024 22:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

async_modified/Plugins/AnyDesk.exe
Size

3.8MB
MD5

fe61cd9e702ec1208c13350c00f0732c
SHA1

379520c1ad0541d5a30f214e15b7c8bff6766f9f
SHA256

580f6a285c6c3b7238bd16e1aeb62a077ae44b5061a2162e9fd6383af59028bb
SHA512

504e581026719b31555f0131bbaf9d5655c8955d9382cc53688873295d393028987032bdfccef09cf42e16ea51f8f8bf91543585b2754d5827d7b29325540cab
SSDEEP

98304:RSExf+1CnXTxQ9LDj6eblG+L9nDHPdQod:RScf+8nXdQvPtL97dPd

Score

5^/10

discovery

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	AnyDesk.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	AnyDesk.exe

Loads dropped DLL 2 IoCs

pid	Process
4536	AnyDesk.exe
1468	AnyDesk.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AnyDesk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AnyDesk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AnyDesk.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	AnyDesk.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AnyDesk.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1468	AnyDesk.exe
1468	AnyDesk.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
4536	AnyDesk.exe
4536	AnyDesk.exe
4536	AnyDesk.exe

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
4536	AnyDesk.exe
4536	AnyDesk.exe
4536	AnyDesk.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 3520 wrote to memory of 1468	3520	AnyDesk.exe	83
PID 3520 wrote to memory of 1468	3520	AnyDesk.exe	83
PID 3520 wrote to memory of 1468	3520	AnyDesk.exe	83
PID 3520 wrote to memory of 4536	3520	AnyDesk.exe	84
PID 3520 wrote to memory of 4536	3520	AnyDesk.exe	84
PID 3520 wrote to memory of 4536	3520	AnyDesk.exe	84

C:\Users\Admin\AppData\Local\Temp\async_modified\Plugins\AnyDesk.exe
"C:\Users\Admin\AppData\Local\Temp\async_modified\Plugins\AnyDesk.exe"
1⤵
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Suspicious use of WriteProcessMemory
PID:3520
- C:\Users\Admin\AppData\Local\Temp\async_modified\Plugins\AnyDesk.exe
  "C:\Users\Admin\AppData\Local\Temp\async_modified\Plugins\AnyDesk.exe" --local-service
  2⤵
  - Checks computer location settings
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:1468
- C:\Users\Admin\AppData\Local\Temp\async_modified\Plugins\AnyDesk.exe
  "C:\Users\Admin\AppData\Local\Temp\async_modified\Plugins\AnyDesk.exe" --local-control
  2⤵
  - Checks computer location settings
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:4536

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\async_modified\Plugins\gcapi.dll

Filesize
385KB

MD5
1ce7d5a1566c8c449d0f6772a8c27900

SHA1
60854185f6338e1bfc7497fd41aa44c5c00d8f85

SHA256
73170761d6776c0debacfbbc61b6988cb8270a20174bf5c049768a264bb8ffaf

SHA512
7e3411be8614170ae91db1626c452997dc6db663d79130872a124af982ee1d457cefba00abd7f5269adce3052403be31238aecc3934c7379d224cb792d519753

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace

Filesize
7KB

MD5
35d972f3a1fcc979718f3760487be7db

SHA1
30c6ee84686459036d37a9ddf26a5550f1ad2c11

SHA256
b9dbe528952f645fc4ec713772c3dcdaf7235e4966c012dfe8a3284d17a643d7

SHA512
099cec30aed5ac215ff2a9ca3f450d49c5e05c97994de8673d2530f68224cfb2e6c562a03b00ebe218fdeb5ad01126b573fe40e6afa5bc8dd590219a480784d5

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\service.conf

Filesize
2KB

MD5
c36734e674dcede10789a1b08e471a22

SHA1
1709b3491676abf8e434f4c421de18bb8c3dfcfc

SHA256
95329465272e6271842669409ec3b1d753ddd259f3c5b76950322f19451c76a8

SHA512
6048f9c20505731e2ab60817ff3f037c1dea79a85a48ffabb863227107a7bb4f61b6b0816474b65eeee45ff4cfefd4b13430aff9bdb5c7f228286fb9ab082e10

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\service.conf

Filesize
2KB

MD5
21de13ebf88a79dedb3e99c5c605c102

SHA1
d636cf9449c643e70a8bed44010f323a152cc2ef

SHA256
7f175ab60c3893114964651230e8f8a7d93e4d290a940dd366b80e1e0baec6a2

SHA512
6784c0f99610012c23e177b57656c06d70aae2f9d0b66f3aaf06a7f43bb22236771c38be7639a7974c9c3888e29c403ecb6685f255858c1777649e4215195d88

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
681B

MD5
f96eea4ebcb5bc3a9142723e070f128f

SHA1
cc1bbd1b37bda9e3b1608b611f89865313ffd36d

SHA256
5a5d82fbc47f94c527e1b1607eebbd9dba53ca27dcc9ee3adab3c6e3e0b0f28a

SHA512
ec01f85e28f942cfa0aaaf610df6d1402d5faf6ba0ce6735ebc8ad36044b2bc51dbcb703c245b3e0bc47948e1f7d46e76a472c816efade31b8b3c1457ce2d8a4

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
738B

MD5
f9f51038477db46ec1a627f50d16f594

SHA1
1c62f183fd3cc5c514007f19adaa6fbb0eb14718

SHA256
807760e5b35bdc7090da2ec3961c4d79bdb9e3a8f923c5c0cb1d9cb66a648719

SHA512
e7dd6bd7f339c96694013a4b15fa248e62cac692c75cf55a86aa44901414087743e9a308e3f3d80f105c7e088ee9445db9a54d463cc2a2a05c2e9cbbc8750d80

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
785B

MD5
91d8148135474d040cc2d15a082a7e7d

SHA1
22c823a4c8d2f478727707e956465d8c63fb2ea6

SHA256
6dba0139e5d1f9a27ee9d7f65066952aa5ab9c5bbbd35999baccb30e8a47755c

SHA512
67744e33f4531c7e3029c59ede10dec5cb72cb6d7678af54e778155b2a391957b234bbd286d65a7a84f78b24cc3f130d2fe714df7e88e3a3c3573df70a3774c3

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
312B

MD5
0c04ad1083dc5c7c45e3ee2cd344ae38

SHA1
f1cf190f8ca93000e56d49732e9e827e2554c46f

SHA256
6452273c017db7cbe0ffc5b109bbf3f8d3282fb91bfa3c5eabc4fb8f1fc98cb0

SHA512
6c414b39bbc1f1f08446c6c6da6f6e1ceb9303bbf183ae279c872d91641ea8d67ec5e5c4e0824da3837eca73ec29fe70e92b72c09458c8ce50fa6f08791d1492

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
424B

MD5
9db498193143a012688e710e75121143

SHA1
361ddd079c20e7a34b264afc0ac3d9618f8748d4

SHA256
33ed1881f93202b0bfbf84133d964ce61451e2793892dfc3039833f67a54c9fc

SHA512
890ef8afcd1de31cff1a034798188def1bcefba3a6d6b33fa04b92f5166ade29649035d1749ac26bf59699b068222b92564ebe97e54884fc7758db1f7e99d1e2

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
6KB

MD5
ad110fec21a8248361bad52f3403b949

SHA1
2f1e5a97d9c8998f69d5e3d076b3b543f0b14379

SHA256
a8bab00681c2cb5b027c63ff418e09a86985682eea45a1a09ab5ae1f7faf3327

SHA512
682102b3052ce52f1260c8d5d6b1a472e14d4e7ba5bfc843123fed6411befb349185ddf1ef61a40572f29fa46d05766f5c85b1b0ad599d31e392772fa4154c05

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
6KB

MD5
567ed235307f1ecab5de53556b051d40

SHA1
c9992a901bbeafdbcf97905c00cf18675d78fe75

SHA256
cc8e6a8688e4159998bec0cc2d3fb5d07df8b1d6803239d31472a4f944b34125

SHA512
6b74719efcedfb4ffc7407047474203353943fc563d510d9ceb2cc6177e06722119a0fe742bccdb44243970800e1fd88f242bf4532b773069c8e3b9645117288

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
6KB

MD5
7db9f8885d3ec714d634ccf925c5453d

SHA1
e5d27c94d5dc01989a9611f35d8d3d90fea12d7d

SHA256
78e0ec55de6a8bbbd91ad98233c74b3e8848c1ea0e9d56c54c354168fb98638e

SHA512
e15ae691ea99c3d45fb7b350f2f5e8fb607a7eb17ecfa459c7d716a9944a561f2d74cf9a501c2efc93208b2f5bd0ba68ad6c4843c17ec5a1069ccd7a4cc3b368

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1003B

MD5
c92f7ac0622d85cab996c62de35afe13

SHA1
9cafaf2720f9cd29c7efea29e413f8ae17c57139

SHA256
00d07a51cfc67d9c5b2fb1210b4cf18063a35e6ac9c3a6c8896746883839fd48

SHA512
7729859854b31fb100c97ec8234943210a9c2021c1716737d2737d0424ccc70082f74339b8a0be72c812a8ace85bf44f02ee254c97aad545367a032696b384bd

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
7KB

MD5
06d01b1baf25930efb1a3ab025e138d4

SHA1
b4535c28d8086ffa599469d4dd143e027412d206

SHA256
6ec7b7c4917913d6b7c6f095dd4056c63d63ac84c1af527bc81d45780cee97b8

SHA512
7b71b0c256bfeda95bf650d848f74c97d3ddb15754d3c4d8b21ab604acc486dda181ae54c64cf3d55901e634e59a63846974aeff54cc092bf9899c3f300253bc

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
101e42290be31c5ee117392cd5d70223

SHA1
3dd4aa1e4e8b985f1c5f22fa59f6bfeabd47e5f2

SHA256
a26f607d3518e6b9d922013411fad321427cc0c788e232c57ccef57d77d3fdc0

SHA512
0b69b388c27543d099d395613dd7131fca55fadbf4cc40c869614323731b999f70c25baedb64e765d21307716b6f9cd945bc12338797a484cbcaad99fb2d249d

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
0e3bfe68e665e1a31dc1f14d36a30b9e

SHA1
cdaa9b21f1c52c870cac7f62af3940590952f10f

SHA256
a3724bc8d621068f8181734aa8b8c1a17e8245338e66ace69f9f2a8da646faf5

SHA512
28d7408f34dd52f770534b4f9bf9ed9b01db07723d862235165515f99dca5c15ba3235379ec9791c74b253c715f15819460529ed77551e0d418dd44cf13b6efd

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
dc18ee254a1308ea60e8878225abc239

SHA1
7acd66854591538d89bb3a134e205fd34f150a5c

SHA256
71a8d185659d901fd2f81d7b27ee5217719cb8d2c62f1587e2601022b2f15ecf

SHA512
94d8558a009366e06dcf5851dfb9a8564ef7d56a780c0ad873299fa15b55dc652f61dc1f5ab71098bfba09d4e7bcf7e9bd086726a47918a347b4e99374c2c257

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
fbd4e4111fe45048f8bb9c19d68aeb6a

SHA1
471bf629e8ae0a8d00edc3ae7118cb2c0fda2c97

SHA256
cfdd345d4fc342bb149cbcd47cd11dd096f8995aaab139511b9ac4e7cbfbe782

SHA512
4b0b6be9f2a69000b8f0081ebeaec6bec90cac3aefaf78307ce3d0380052dfb458822ed47049c72df2953f6fdca8fd936a775f35d0e785927930fbbd3f07a0c4

Download Submit
memory/1468-21-0x0000000000740000-0x00000000017AE000-memory.dmp

Filesize
16.4MB

Download
memory/1468-9-0x0000000000740000-0x00000000017AE000-memory.dmp

Filesize
16.4MB

Download
memory/1468-198-0x0000000000740000-0x00000000017AE000-memory.dmp

Filesize
16.4MB

Download
memory/3520-0-0x0000000000744000-0x00000000013DD000-memory.dmp

Filesize
12.6MB

Download
memory/3520-3-0x0000000000740000-0x00000000017AE000-memory.dmp

Filesize
16.4MB

Download
memory/3520-1-0x0000000000740000-0x00000000017AE000-memory.dmp

Filesize
16.4MB

Download
memory/3520-195-0x0000000000744000-0x00000000013DD000-memory.dmp

Filesize
12.6MB

Download
memory/3520-197-0x0000000000740000-0x00000000017AE000-memory.dmp

Filesize
16.4MB

Download
memory/4536-13-0x0000000000740000-0x00000000017AE000-memory.dmp

Filesize
16.4MB

Download
memory/4536-200-0x0000000000740000-0x00000000017AE000-memory.dmp

Filesize
16.4MB

Download