55e4ce3fe726043070ecd7de5a74b2459ea8bed19ef2a36ce7884b2ab0863047

Analysis

max time kernel
141s
max time network
146s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
04-12-2024 14:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

AnyDesk.exe
Size

5.0MB
MD5

a21768190f3b9feae33aaef660cb7a83
SHA1

24780657328783ef50ae0964b23288e68841a421
SHA256

55e4ce3fe726043070ecd7de5a74b2459ea8bed19ef2a36ce7884b2ab0863047
SHA512

ca6da822072cb0d3797221e578780b19c8953e4207729a002a64a00ced134059c0ed21b02572c43924e4ba3930c0e88cd2cdb309259e3d0dcfb0c282f1832d62
SSDEEP

98304:NzTZ3cINQscs0m++LNkT6OpwDGUUH57yvZ/49Mr8EO3QhA9Kq:Nzt3cINQscNmvLCwDkHEvZ/4R79x

Score

3^/10

discovery

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AnyDesk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AnyDesk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AnyDesk.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AnyDesk.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	AnyDesk.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2852	AnyDesk.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
1624	AnyDesk.exe
1624	AnyDesk.exe
1624	AnyDesk.exe

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
1624	AnyDesk.exe
1624	AnyDesk.exe
1624	AnyDesk.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2520 wrote to memory of 2852	2520	AnyDesk.exe	30
PID 2520 wrote to memory of 2852	2520	AnyDesk.exe	30
PID 2520 wrote to memory of 2852	2520	AnyDesk.exe	30
PID 2520 wrote to memory of 2852	2520	AnyDesk.exe	30
PID 2520 wrote to memory of 1624	2520	AnyDesk.exe	31
PID 2520 wrote to memory of 1624	2520	AnyDesk.exe	31
PID 2520 wrote to memory of 1624	2520	AnyDesk.exe	31
PID 2520 wrote to memory of 1624	2520	AnyDesk.exe	31

C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
"C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe"
1⤵
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Suspicious use of WriteProcessMemory
PID:2520
- C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
  "C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe" --local-service
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2852
- C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
  "C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe" --local-control
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:1624

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\gcapi.dll

Filesize
385KB

MD5
1ce7d5a1566c8c449d0f6772a8c27900

SHA1
60854185f6338e1bfc7497fd41aa44c5c00d8f85

SHA256
73170761d6776c0debacfbbc61b6988cb8270a20174bf5c049768a264bb8ffaf

SHA512
7e3411be8614170ae91db1626c452997dc6db663d79130872a124af982ee1d457cefba00abd7f5269adce3052403be31238aecc3934c7379d224cb792d519753

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace

Filesize
10KB

MD5
8f55dd42010eae0b1c4fcb7de2fe50e3

SHA1
228ccb309f97c8c5d5685412fef5deaf94ba50d3

SHA256
45a0ab9b2145eef871d946a9e6450e98bf1519b153fd201211d9c0c72707bf0a

SHA512
971f1ccb243452bb60d4d063bc969217058d4ff0c6aa7317001e7826e26e4d68e41cd4fc57da287e050123eb64ef5003b926610898c3301df07342e9da42d218

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\service.conf

Filesize
2KB

MD5
2b2c40963a554a3d12186d92628cc842

SHA1
fd5ddd7124d65903b8a7ee6e1351f885342eb3bb

SHA256
9990b9a45762f46b2caff36d3a4c20dcb7c31939b4d0bbc447b515b6efe3b30e

SHA512
a154f7d21f7607768b16350faa076e902b7e137f9050bf6b6cfb4879cd4bee51d190de3e275cfd0f8ead4333ff2f6a6178ca32def60e1de87c465459fdb54e3b

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\service.conf

Filesize
2KB

MD5
c191f189fc18e969da13fd205abe3c48

SHA1
078bb7609d26729573d37740a28a0053e520f868

SHA256
7438728f720152e2e577aad2ee7191e6810ebf5e19aa5fceea54b57d54bc401f

SHA512
4581b96aef30f4647476000848950167b613dd5b79549c1565211a2ffac8dd07096dc15a8c3c357422334c75972bbaead8781a704e35380b43a746c789bb1512

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
681B

MD5
b756768f2acd3cb3580cd0bf01f06c7e

SHA1
5ed354f7831ecb5a0b8744a68dd8bae0375290de

SHA256
ac5c624d1ceda397fac506ff51ac2de3a1bf3ea77a5caf14cbe325aab479e3de

SHA512
5de082384ac340c8bd5e0e8121ef05500547173d097c4d1c1cffb9de6c6ef4d9da5aade7a07c5fb16184966f4641626a2b465dc2946cc0cc90d8b3c204bd561e

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
738B

MD5
c0907324115436de3cf4d77bfe6bbfe6

SHA1
d9550b342f17ddf1688b916061b32350017d09c6

SHA256
62e63a99b650d3e291c5a30dedfc011e86d1a575011d32563034982e89e9b110

SHA512
50ce50f3a3f47c38107150a321d188580e3744f9865bcb96ce582b0d787c0d7ab7b8b5a79facb9c672908ee01557b87cb8c3ba39916e98570624faa108d15bd5

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
312B

MD5
0c04ad1083dc5c7c45e3ee2cd344ae38

SHA1
f1cf190f8ca93000e56d49732e9e827e2554c46f

SHA256
6452273c017db7cbe0ffc5b109bbf3f8d3282fb91bfa3c5eabc4fb8f1fc98cb0

SHA512
6c414b39bbc1f1f08446c6c6da6f6e1ceb9303bbf183ae279c872d91641ea8d67ec5e5c4e0824da3837eca73ec29fe70e92b72c09458c8ce50fa6f08791d1492

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
424B

MD5
28949c21a584e55f876c018953230454

SHA1
3240d3c633eebe3c2562bf908ff4eb7f758f3bcf

SHA256
df4bfc71325ca7c6b759debf3200659d1490ddfa4907686f18a56da628efa8a3

SHA512
c5d027a753589c67fcad3eb1593fa9a3c1a963df3b19b524cdad00a508e1c7ec85070895b0de85696ac2c27d8954a15d13b44512ff1942178b782bac17ebf825

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
2caf743cd9e9cba92bbcf2e4d92d03c1

SHA1
bd6293e6f4c741ec5c00564cfb354dde67fc120d

SHA256
e1bdfb24e1e8a63a8de1aaf53004ec90eacfdb14b0db04d318462a1cc1950516

SHA512
8d4baf6747bca028178facb2a79d6b4ba6939873a1f67b3a439a53f286d35e5c445ef315117e5007273e3a62ddafd86bf41ac7a2ce3b83e6408d22691eeca296

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
2KB

MD5
5fa3b7220787ae2a273246e8eabd0f67

SHA1
aaecc0b1dd4416030d1c054daca895b017bf03c1

SHA256
355e2e9254c81a03de3f29da83499293a0fc5c146d165b5c82c510185ca4fc54

SHA512
1eb69b8c114acdf012fe6a677a4999a45a15df366d03f750459a25676a48950fc7ccae4a5026dbdd3f3cfc0b58d8d1973f5cfb6cdd8ce901ec36619c04e8c154

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
3KB

MD5
072b6af72f8e9af5e8bd8f7081f13e59

SHA1
a52c170e18c71f912d3769568abf8692fdc84cb3

SHA256
c986f55d1a34cf3383bd85072d5fb244761ef71124b339cf863ad9b818b31f27

SHA512
98b4069f00e04e55fb0f25d494cde590c6097fbb4db462817fbc88039cdb9e9a5bb1775896b76941d0de3033b464a0d3f8eb87f83e3f8406335d3f92c138fc86

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
7KB

MD5
322c82f4d2cb2644105f5bd818c4a722

SHA1
2218f39a8785c9e87df95beef4fe6e603b0d7779

SHA256
89f378bb17ccff5a30d818aeb9bd2afb4cccfc6ab5224b7c3ebc756d3c360aa3

SHA512
3db80822441b6dd893bf578669158ef31b6ff5e83152aae43dd33222e7ff2d22c0f9f99f2f3f27d5d4722439b13ec2ce3f692041099070535e81b6d37bd38be6

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
6KB

MD5
4b1264efcfa5119ba6449caf68c6cb40

SHA1
d4ebe29f22b3f1b5216c3559bfaeb0e17c78329d

SHA256
4181f259643e3bfc4c0e5275c50610eef93a5b840af2fa2d4e47eb492146ea77

SHA512
3e43967677b817b84219ceab1535c5f97027a4b38fd141e306f6be5be4849806c4aa3fa8357f432407300eb31a201749255b254c6d43e1fd828a2fad481edfcb

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
6KB

MD5
adcb6e388fd4bb3f3c3f90889f93c467

SHA1
b3e3fd2d75bb1e6192bbcd2ebd07c5d8e7eee514

SHA256
da64026bc81fc6628a798327b1593af0c87ffcfcc54e047fd98fa13aedc11535

SHA512
56cae907c889be905563baa3f34fc238bb4a02ed6b2c7c14f61f25b2c8cfd820bd966f222bdad305b71ddb0223a54ca778c2d05282ecb08e99ad1faaee9e1bcd

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
6KB

MD5
0c7105e22682217d4991d60468fed223

SHA1
6730add22fcdae8622d59abcb4b535d0535f6fa4

SHA256
643e60277eb0ba9a1ba815a98e6289286e2489c8bf433bfc3f550070da24fa88

SHA512
b0e71f8383d1d69ec69b763b041e22cac5d142ddfcb579933b0ab93dac2bb3e6a5ee855aa2c590fda6248e24243787a79245c701c9adda12d685617ded6520cd

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
6KB

MD5
f8b54253ea0274b444ca755813673eea

SHA1
e7b361aa3acf596821b39ccff57d5745bcf42365

SHA256
fbe896017f6218e97de06821b7611902e974945c5d8c6478f2fa4b3ef4c97477

SHA512
1921240b712f370a65aac8dcbc86ae1f34aaea1f364fefd063d7cd63717ceed31225f7073b0b0bf7bb4a0a09350e1ccb10dafb48f0e9db3a8a69b896679b8e90

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
7KB

MD5
d7a6e44ec655af704120dd3666636d9d

SHA1
88d85a1b75f11f358741d0376f9fc03ba787d099

SHA256
c1113ddff46a3871ec37bbd37b5face1742e691c88419a639c117c13939b8a9c

SHA512
6480a19f5602d7dc142bbf98cf0f45176b87a9a1d84e7b3ff0c1a2fa7ab24530ce314139a2ec0772e0427e47c94ccd4150164e4c4769099134676f5d1767cd63

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
5fbbdbb3c7a52e8787f490f7d87f72c3

SHA1
d7fc6dd5a09096a97b8306b3e6f8542d95c95992

SHA256
6401bc4003755b4a3224a6630b715ee5c1886f8d19322475e3faf4568e37ec23

SHA512
ff25a3b281d578435d92769ba24ab8b840cbd9ee61ab3d8cc2f92affe2ffc732bdc702caea30eeeabb46f59ffb0c84a381df1bd6c83a7b2a37534172579e1d66

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
77090aca712ea0fed4e6797d5b685ebd

SHA1
d09aab20fdbfae844c058d138a350973741e6e50

SHA256
a1f8d0daed2ad86cfb56699c8a3d1755ed1938e77f9c9fa4b5c58ca1dd336b48

SHA512
bf995b7939cf44521cf1096b070b12ee2c929bb785935eb44210fefe6b477a161884c4d065307f6c929a543e07908fa30e2bd0e77bf92756f53cd65034e9cae9

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
c0c03d65829850c6bd2f945d1653c2da

SHA1
20b1ca835119a90c079354700e01e4d4aa3b197c

SHA256
005e1bb845643c4564c5251e6d06ebb08133e544109c32620bbb08087d0c2ae8

SHA512
e9d213d70721d3b57854f9c61700114f3a05044cfd6621e3c42a0e2df73e2f226fedf960730bde4600a986e0b9ad5b100d3e7985d80aca36fd9cdecbec669739

Download Submit
memory/1624-12-0x0000000000390000-0x0000000001AC7000-memory.dmp

Filesize
23.2MB

Download
memory/1624-254-0x0000000000390000-0x0000000001AC7000-memory.dmp

Filesize
23.2MB

Download
memory/2520-6-0x0000000000390000-0x0000000001AC7000-memory.dmp

Filesize
23.2MB

Download
memory/2520-2-0x0000000000394000-0x00000000015D3000-memory.dmp

Filesize
18.2MB

Download
memory/2520-0-0x0000000000390000-0x0000000001AC7000-memory.dmp

Filesize
23.2MB

Download
memory/2520-251-0x0000000000394000-0x00000000015D3000-memory.dmp

Filesize
18.2MB

Download
memory/2520-252-0x0000000000390000-0x0000000001AC7000-memory.dmp

Filesize
23.2MB

Download
memory/2852-13-0x0000000000390000-0x0000000001AC7000-memory.dmp

Filesize
23.2MB

Download
memory/2852-253-0x0000000000390000-0x0000000001AC7000-memory.dmp

Filesize
23.2MB

Download