55e4ce3fe726043070ecd7de5a74b2459ea8bed19ef2a36ce7884b2ab0863047

Analysis

max time kernel
142s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
04-12-2024 14:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

AnyDesk.exe
Size

5.0MB
MD5

a21768190f3b9feae33aaef660cb7a83
SHA1

24780657328783ef50ae0964b23288e68841a421
SHA256

55e4ce3fe726043070ecd7de5a74b2459ea8bed19ef2a36ce7884b2ab0863047
SHA512

ca6da822072cb0d3797221e578780b19c8953e4207729a002a64a00ced134059c0ed21b02572c43924e4ba3930c0e88cd2cdb309259e3d0dcfb0c282f1832d62
SSDEEP

98304:NzTZ3cINQscs0m++LNkT6OpwDGUUH57yvZ/49Mr8EO3QhA9Kq:Nzt3cINQscNmvLCwDkHEvZ/4R79x

Score

3^/10

discovery

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AnyDesk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AnyDesk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AnyDesk.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AnyDesk.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	AnyDesk.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4036	AnyDesk.exe
4036	AnyDesk.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
684	AnyDesk.exe
684	AnyDesk.exe
684	AnyDesk.exe

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
684	AnyDesk.exe
684	AnyDesk.exe
684	AnyDesk.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4324 wrote to memory of 4036	4324	AnyDesk.exe	85
PID 4324 wrote to memory of 4036	4324	AnyDesk.exe	85
PID 4324 wrote to memory of 4036	4324	AnyDesk.exe	85
PID 4324 wrote to memory of 684	4324	AnyDesk.exe	86
PID 4324 wrote to memory of 684	4324	AnyDesk.exe	86
PID 4324 wrote to memory of 684	4324	AnyDesk.exe	86

C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
"C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe"
1⤵
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Suspicious use of WriteProcessMemory
PID:4324
- C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
  "C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe" --local-service
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:4036
- C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
  "C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe" --local-control
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:684

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\gcapi.dll

Filesize
385KB

MD5
1ce7d5a1566c8c449d0f6772a8c27900

SHA1
60854185f6338e1bfc7497fd41aa44c5c00d8f85

SHA256
73170761d6776c0debacfbbc61b6988cb8270a20174bf5c049768a264bb8ffaf

SHA512
7e3411be8614170ae91db1626c452997dc6db663d79130872a124af982ee1d457cefba00abd7f5269adce3052403be31238aecc3934c7379d224cb792d519753

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace

Filesize
4KB

MD5
6012026c34f2a80f856d874652c7d854

SHA1
72d7d34d557a7fada12fb8c02da25639c3498904

SHA256
cbe618f38a0fd0a83709959fbe4cf56695bc849d902fae77827beef000591597

SHA512
af05f4e34f0d82b5d2a7a93dc150403cf18e95402c2c81b632d2fb56b36202c35d51b1546a4e81d406764e95056d6a3321c1a97cc2859b7f1d8f5c06705606be

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace

Filesize
9KB

MD5
2a97a52d67d1ad8f37f997316560e37b

SHA1
64d36aedcbe7b2287c8855c24163f0248d23cb94

SHA256
6e848126096eaad5ba63e334cf9cf23744f561684280951a5a50881b2a5a2216

SHA512
900081151360d9037dc11513557de9f7660c08e1af7618ff219842c95d07160025f2dc74cc030da4d2f3c57eb330e35fdc5700c03e614f0c59168c4573c734f2

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\service.conf

Filesize
2KB

MD5
7e39e82578be8cf78a74dda080674640

SHA1
57082453b25343955bef5693f41f50bd6e99a5d8

SHA256
d6aa2ddcc3e7cfb26d0906e69d6b764eadf24b406769a2239890ffdf06b3c212

SHA512
ad4fbcc67700b205bef2634ffc0e7d7f04311c868482678adbc59669f8effcbe2a4387ddb8b14554630ff9c1dca502122c572368bd402de9c18a2748baac70c6

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\service.conf

Filesize
2KB

MD5
3052a7f5ae7b8aec6bf24585bb94e4b0

SHA1
3b08df0669280e281b63ac00d1a6d7dd462bb8e3

SHA256
e3777483ee75c98c0929c58969b48cbbcf7c68434c819e8bb4c47aa6be8a6dbb

SHA512
27deb54eb953b707d096a5c402697a6637778adb892507977fa3421fc9df0db5034e0c4a680b8012f094cfe3629aa9b7b83269935c253253e9448726f027ab0f

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
612B

MD5
bc5b93ec7cbe04602dd39cbc4643ba30

SHA1
15ef070d0219a3612bd389891ecc24a03df4243b

SHA256
cf49a5d4af32e67b77784c0f1a62e7b42a149e1108d5c3d6848a5437c01305f0

SHA512
06622b349ded9b30af3257fd378de20e31ab7a1e4c4f1150239866f152ca43f1523ff28191bdb36c46d78d108cb4aa695503d37c24f3173d84db08a733f62546

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
738B

MD5
92a957dcd120a27a8c2f290ea97861cf

SHA1
83a6c95be07c0dcf60a77d247c812916ee738e69

SHA256
f73e19d950e63732e7a94043d1fe76989fb8e66a8ce33330818ae08c8e1589b3

SHA512
fa92e2b07e3aa47df0a7b184d830624e1ba4ee6021d6983a7812bcb22e0c5c356bc73677bff74d1f8bb717c1cef6d558f6e35a4bcc2b6c913838ed742a123dfc

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
738B

MD5
2dc6bda8033be2cffde8be8442dbaad2

SHA1
d508a57e5c6c9c0d4509ef4c99499d5e5dafb401

SHA256
2db0b953eaefbd5dea17910ecd46af6cbcccd5ce5f9d7f23ed35b1bc1db15e09

SHA512
fc4f13cd4c664f7077bac778c827ffd82310f219b1f7a9dac5aa1b6e18d0b66763604e8dac0543b56689ae3775f96187cd1dcfca43158c0943cd438c99884d25

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
424B

MD5
3c4f023bbd4d8336e280507c41707d9f

SHA1
50bbe3ba286e302b93751fc13e55f7d974c26cab

SHA256
0d01c721f3850562fef98a33a0ba97d065525b0c5a47959e45c8b48036acef6b

SHA512
ad14ac8d2fb6984c5c712f5b05080c587f922da9156f2a83e0bf4558f9f1c9e06de95cc9e087737dfa8ea3c870a9bf63ef260514ae9f1ec8d263c83159ef3af2

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
424B

MD5
442d4ce4a20ced0aac2f11f62cddf871

SHA1
7df45137ac467de86980206a83c3750ebe3725e8

SHA256
75b1d646ef56f992a075e327ea0ab89346e3418edd53a29b5c880f265c95ce88

SHA512
852877b6d5dac93328db9f229b3c3fca517f2d84e6b69ccc2627a86b6e522a66599951a69d20e17d8d1ca239045955c35137707ab0f494ec523505a6328b32ea

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
3KB

MD5
f5ec87f19da07fbf26e307e09db24286

SHA1
6465c008111958cb2d585c3bde5d88688e1d4495

SHA256
5ee564e89fb87eaf8af003636c7e18a4ed6f80d05de7f11d202e6f741425f882

SHA512
e58e66242bc2ef63443dd00797079a012a20a7bb4e9c3b3317e8cf91988174855276cbbb973f17dd638b4419b042760ea271ef3043c98b4a58b552efe5ca483b

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
3KB

MD5
718a413fdabb9026502c821c34669245

SHA1
e7fc1601370c58a9f5affad80a83468063c438a0

SHA256
863960176a04e4789c3b5bbab353a959e4fbf95e3c2af2373b4d89974fe11c34

SHA512
27bfe32155cad88c0584ed33714c9f97138c5279773d8c36d2eb5441a35c69b1d800c8ad1d883f361f97304e3964075c5f9a70709ffe34aa25774e1f4070c425

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
3KB

MD5
133694a0d84918a6a304a5e0a96d0eaa

SHA1
67eda548aa5e55955b34a14f340ce273c5999733

SHA256
e66ec66b142774907f5c37d8cecaea869ae948654a5d567cbe3311ee607628a4

SHA512
b673544abac95140707be4c014d3a670462e87e85db5cae0cf57ab21769456e9a389415a795ef08cfa9c0c71767b7b5c93145e592ee2f95f3983fbd69e6665ee

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
7KB

MD5
0789ee77319d6c52754d0f4d9f335b17

SHA1
0bc8301d8939526760f58ee0d8ccf0ca0fe38c8e

SHA256
33b297c92ef5b70efe377fec90909c6bb241d88176bc4dcc7accdfc1a5b7d64f

SHA512
49579742e55c37ae1e35d665397ee5c654600f11cf5748b11ed6316553c8c5635f139a41f25e6c2bdd38f07d27e073d1ad1292c86a5acc6a0a7e97a46985a518

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
50855b2ce7d04b536462154b32198939

SHA1
d0189176ae09c1699e28775b4261e4166619ad2a

SHA256
06cace6b4e04e51571080e0fd55eae58613e3ce16230db31e38c93819c25535d

SHA512
345df0ce376c26df98bc12d73ba9382453447c8730cce4f5f0a1d85870156af818ffdc4b6ddf9f9c69a00aa79c124afed384a21e9a1d2ebd94c70219dbffd5ae

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
7KB

MD5
4dc558c577262915d8db9c5fd0514d14

SHA1
f3165fdc73097c82107c8540d52cb435403c867c

SHA256
977653b54bf423cddcbcd1fd74acfba07cfc31776205a9df96ce0c3732338daa

SHA512
a171271c4bcb4cf685eb3db279b3a11100d2d641ac3a38e963ad00d3cfd726cf69618d49c1d7393a103b0bdf0658968337d272f18bc91bd6074210c88d52aea5

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
7KB

MD5
deb82390982195caf176ced559fc7500

SHA1
1dc05de670bc7be6346206ceae8dff9917ff304c

SHA256
33a8685db93a4b3a05f0eab189d363f1535938f699130107f3855652bd2b77f2

SHA512
388ba629d51526c6f7072c374fe2dcb499cef7af9ff6b87c9cec5f6aad50bc2a5055c39a51c555d82e1e7df445093cf659746c36fd636462f205475e90cdc500

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
6426aecdd5ca2b12e0ae3004040d33f0

SHA1
4a0cbb5bcc57c416960931252193ac09b00f32ca

SHA256
2277624dcaa7c7866b1c1d68f9ed91da2e6092cafee477ddab0936c97b8056ea

SHA512
88c0cf124f5a74e12c90ea5babcbdba764c1792f61a4d3721f10ed4dff8f56030622c21516ef6330efa182e70ce77a51c5e97ac8ab20505eb1c0eb8ce6972895

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
1ca948e5093a789433b6ea9f5a4c2555

SHA1
a436af883e437abb4ace22d018844f70639c7df9

SHA256
f1b63109d66610164d14e19b14f3c3dc2fd6ec91c91a88713b9eda88d7be2c25

SHA512
79c712c3fd31d3c2e2631a7c3029537fe65b9caf8c85c15a524c3a55de799ce607e9b2b3e1eb2921befd16de5feefb6eb4e2487a10ac04acf1e02d294a39638f

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
e1915585878703e50ee90bad86d21168

SHA1
05ce22a52109932c32ef3bba4ebe4872f612755b

SHA256
29e51a20e0893b6403b41c43cbe297b01c3f3cc379dc39490623b4bd14e643df

SHA512
3d23991e8e48bcbf249b8ef3b0d72c52952b9befe19b2259100b81278db08b7c96a4576c379fce986676da7575aec829c7ea4d9d2c01092088809a5bfba9c04d

Download Submit
memory/684-13-0x00000000003E0000-0x0000000001B17000-memory.dmp

Filesize
23.2MB

Download
memory/684-241-0x00000000003E0000-0x0000000001B17000-memory.dmp

Filesize
23.2MB

Download
memory/4036-11-0x00000000003E0000-0x0000000001B17000-memory.dmp

Filesize
23.2MB

Download
memory/4036-240-0x00000000003E0000-0x0000000001B17000-memory.dmp

Filesize
23.2MB

Download
memory/4324-0-0x00000000003E4000-0x0000000001623000-memory.dmp

Filesize
18.2MB

Download
memory/4324-8-0x00000000003E0000-0x0000000001B17000-memory.dmp

Filesize
23.2MB

Download
memory/4324-1-0x00000000003E0000-0x0000000001B17000-memory.dmp

Filesize
23.2MB

Download
memory/4324-239-0x00000000003E4000-0x0000000001623000-memory.dmp

Filesize
18.2MB

Download
memory/4324-238-0x00000000003E0000-0x0000000001B17000-memory.dmp

Filesize
23.2MB

Download