fff4b96876b0c78da96e57cf7ca1b0e0cbee4fde52047a9bde52e25b062d69ca

Analysis

max time kernel
1796s
max time network
1799s
platform
windows11-21h2_x64
resource
win11-20241007-en
resource tags

arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
submitted
07-12-2024 18:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

AnyDesk.exe
Size

5.3MB
MD5

0a269c555e15783351e02629502bf141
SHA1

8fefa361e9b5bce4af0090093f51bcd02892b25d
SHA256

fff4b96876b0c78da96e57cf7ca1b0e0cbee4fde52047a9bde52e25b062d69ca
SHA512

b1784109f01d004f2f618e91695fc4ab9e64989cdedc39941cb1a4e7fed9032e096190269f3baefa590cc98552af5824d0f447a03213e4ae07cf55214758725a
SSDEEP

98304:Uc9HTcGO0ImBimas54Ub5ixTStxZi/l9K0+zLVasSe4JnzMpm+Gq:UcpYGO0IOqs57bUwxG9CVaskJIYE

Score

4^/10

discovery

Malware Config

Signatures

Loads dropped DLL 2 IoCs

pid	Process
5036	AnyDesk.exe
3840	AnyDesk.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AnyDesk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AnyDesk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AnyDesk.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AnyDesk.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	AnyDesk.exe

Suspicious use of FindShellTrayWindow 5 IoCs

pid	Process
5036	AnyDesk.exe
5036	AnyDesk.exe
5036	AnyDesk.exe
5036	AnyDesk.exe
5036	AnyDesk.exe

Suspicious use of SendNotifyMessage 5 IoCs

pid	Process
5036	AnyDesk.exe
5036	AnyDesk.exe
5036	AnyDesk.exe
5036	AnyDesk.exe
5036	AnyDesk.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 5284 wrote to memory of 3840	5284	AnyDesk.exe	77
PID 5284 wrote to memory of 3840	5284	AnyDesk.exe	77
PID 5284 wrote to memory of 3840	5284	AnyDesk.exe	77
PID 5284 wrote to memory of 5036	5284	AnyDesk.exe	78
PID 5284 wrote to memory of 5036	5284	AnyDesk.exe	78
PID 5284 wrote to memory of 5036	5284	AnyDesk.exe	78

C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
"C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:5284
- C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
  "C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe" --local-service
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:3840
- C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
  "C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe" --local-control
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:5036

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\gcapi.dll

Filesize
385KB

MD5
1ce7d5a1566c8c449d0f6772a8c27900

SHA1
60854185f6338e1bfc7497fd41aa44c5c00d8f85

SHA256
73170761d6776c0debacfbbc61b6988cb8270a20174bf5c049768a264bb8ffaf

SHA512
7e3411be8614170ae91db1626c452997dc6db663d79130872a124af982ee1d457cefba00abd7f5269adce3052403be31238aecc3934c7379d224cb792d519753

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace

Filesize
5KB

MD5
b9cb0310e75668a9148e4a72d8bdd222

SHA1
96f235616e9b1f947112f0fd7800f65520836df1

SHA256
f056e054629c3abd237a13a83c728f85cc5e80edc5248be59114bf8dd5510000

SHA512
b777759683bcf8bb8888237ed1298de3202c08bd23e26b699b635d40e61e8350efc30ba78549ad8fd0e93170ce880e324b39a44ce81bdbd93029fdd899810b78

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace

Filesize
9KB

MD5
b0b0d873d75855018b14dac15717f5a1

SHA1
bf3e5a5cc8c09f6b90bfc96b042ea2aa5367d642

SHA256
52ab52348630b2407b0f74cf6fed9952700f7948d96988439b67d656de3e0fbc

SHA512
187b1396b808d71e2d706625b2d62ef2c9a61365998e128cf87cc13e1fa3c99baff575da835fdd9421349fc00ce889c2edbaf6da84446c8358c5063c1f9a84bd

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\service.conf

Filesize
2KB

MD5
a68deeddcb4a5a8c99c5de915a9703c2

SHA1
089add623e88744cc5ed6f92641de908c2b8fa15

SHA256
59c342b86278e3ff1c4356f08bad03bb65e7bba7251810b942b856d57a3d17a5

SHA512
1eafa86199dc8323edf49e9ce4e362fc259cf9f3b96920143fdf460ad888feb9f52d04a8f5f673d7d0d294348b92f921168fea6d8890697b9b1ebfde41272274

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\service.conf

Filesize
2KB

MD5
b7e0fc451c1ff030414bfbe380c06eac

SHA1
64609f53331365894b6e797e99246b47efe631de

SHA256
0207108b3f664d6ce02bf0a8d19c62d17e0df11ba0ece6b9e8cc4f198e3e1b05

SHA512
ee6156bce9d4e8680d2f98a3e36efb3822505c6643ae2b2a093160b7f48f5b8ac5974a59ab956c01cd530785e62234c91b626eeeaa305b8d51139d3c3c83f0a1

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
766B

MD5
f38d2ed37378d144a8272428b1d05100

SHA1
563bfa70beab893b90fa34b3739897f001b00e6a

SHA256
f360b1b5dc016d5fb89caf38653fd4c7bc9b4c58237e43d6b6cb3e16c9eb32e2

SHA512
e3db829aa00b5571ef5667370ee7efcd7a3e114e1378ca61d3d84516f85ad25d81bd36ef01efab09e8c30c1281340f47c45fa0ad6348c5e081f202af61f83839

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
823B

MD5
b5f2b365c2911320a6ba6dd4185af07d

SHA1
13688b9cfcefb1d68605d92670f584a07bbfc73e

SHA256
bfb6f88fa375cc7e0f3f7c229ea4463f0f5e4c16bd3cafaaf27de78216239d92

SHA512
f73352f867a941a10e5fc315fb27817685c49f53e7c03ee4157aa6398d868b2e5c9567fa6a1dd40312211af93f5ade39d8d9c2a105114e772ceb8636edb30e37

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
832B

MD5
42d9a5bfefc4dc453dfd58535549d858

SHA1
a5ed50ab1a4ac760a64611d1a3a46a06549990a6

SHA256
d30847985d9e018e7b3ae89b90bff099b2c78481d875b1ec8c8aaa845f9fdb76

SHA512
24651d4cbd98521d81ae8ba0b92c429c26a5ee31dacb4b55e29c9f5fa4c23f98a935268321d28bd6b692dfc391f5fa5a3019a3476e1d4defd3fdd66ae0c64d27

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
312B

MD5
0c04ad1083dc5c7c45e3ee2cd344ae38

SHA1
f1cf190f8ca93000e56d49732e9e827e2554c46f

SHA256
6452273c017db7cbe0ffc5b109bbf3f8d3282fb91bfa3c5eabc4fb8f1fc98cb0

SHA512
6c414b39bbc1f1f08446c6c6da6f6e1ceb9303bbf183ae279c872d91641ea8d67ec5e5c4e0824da3837eca73ec29fe70e92b72c09458c8ce50fa6f08791d1492

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
468B

MD5
c6203dcb2d0cf6cea9aabacdf79e5636

SHA1
d692c590b327015e998cc833f208135306a6175b

SHA256
9e81c6a605b04971c521f268b0f5ed7a81e2d11d96204bd9051d865a36e42880

SHA512
1d5f557fc4aa5828de4a21a5f2345f429e8ae6e22b13546c06bb293ecfd65d6d96c1927cbcca854f58013cc31ec32f87cb675196407d675ae506e7b83aa4cc85

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
468B

MD5
de6066f7fd19a76881171c4293323f54

SHA1
13ea7280c5d4c866f81687fc6579553c312ec644

SHA256
13d3f279c8dbb35bea591fbbcd8beaaede643e2afd1fd2ca3390443dad1a3c71

SHA512
850a3a656061754b96995e901ab6d3c524034c9f68cc1e902de9fcc36d9b9e042724433a099d7f7ef694be827d1029ecab548956af557b29c232da67860d4491

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
2KB

MD5
996ccb4590ecae9a9f5792116398de11

SHA1
08ab4cdcf52a8153325053cfc65840f891a804f1

SHA256
3271bcbedf5d7bc0f1fd3fa92344449ab397f935aa776259a129f3705900d9df

SHA512
597f1a4b35d68fc019945198f8c335f8018da27e81af084411b57df76f51db117c4036fe9cd55ca3086c7529b02472a8ef387c5f72e6596284b588921f1e05fc

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
19bbd23d0cf378d4d31c6a3d405dfbdd

SHA1
28f1b89dda92f0d45c03559f86c997bd2e77038e

SHA256
6c383b518b15c5fcd46c6f7a056c2cb85c463a69de617be405046268f903cc53

SHA512
3213762fea89947bb56ee6c185017a07fd60fcf95cb297c4bfda4c0e02a3074504520b45735140f9417d91de43d3ca41e9988a42e7147d7b79b0354c7baa99d5

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
2KB

MD5
fc296e0588657cec2e201faf9d16ed2b

SHA1
a83eefd4ea7b00ccc4f13e20aee24a205919f601

SHA256
616bda932f7a6bd1caf2d78852fda8f35e00ff30ada07c71381b893f432d7fe7

SHA512
82b03b10fdebb70269964e66dfec08d8d90ed10df848f5270a04727dfcedf56738814fa93887bc11153db6dee89f01fd1e3cc6e1bcc71ae7a521c983446b42de

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
6KB

MD5
65fa149e01746082755d673c12847254

SHA1
485a679f4bf637d5ffe77f05ffdd28dd28dbd34f

SHA256
8d8dbd2e8f3eb50b64558b49cddde0c396cca39c3513307f84ae52ef87761a60

SHA512
9aadb336d6b8fc59f988793c4300255d7c82635a207164ab7560c56772092390e6e83ba16aac7116e76864d4c61f7bde93c6cc3518078b18603519a57d63b088

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
6KB

MD5
6f74dd6c775b2a77b7d6785f057b1e8e

SHA1
631c1a9430972c9470daa785995bfd562280e7e8

SHA256
a911d7286b3e147b358cb14d1078a5dc1bc42ce222e19724f0436e069d192b9d

SHA512
58acf783d5ec0bbe666605c0e289b82b329f6142dddff3b270340a13029cdd3ee45689808aa6d1998e93496d2855b8004dcb2674be1bf6477dfdc594e48d3fa0

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
6KB

MD5
264145d522996b9a27add2dc21db0d66

SHA1
497d6dfdda4eea58e4d0a4b651c7042bb1a8ce72

SHA256
c2d9e0e220d78cdda8bc5678dd37d4f2508f73603e2d529d4fbd86792057fa2c

SHA512
111f7ec28a2d95c2632d44aca11fcad5092bd2076046a4d1ff925ffecbd712ceb74fc33f45a7dd21529ddddf9b43d21de8b4028e1dbd325c64713563a747de54

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
8ac58152ea6b3558634059a0d6084489

SHA1
de4f0201fd0a8dce4c3af36d6144a10c12c77962

SHA256
290339810eb4362474747684ea5a0020bfd09a8675acfd7ef32f972bcce58b15

SHA512
68fcc1418dba3a8af0881a8a811ea95eeb2e2823ea501b3bc93c1ffee4003c1293a53d76f349fc96b26653e4a6dd979e99ee3d83f0734e741b9674b9d2366d1a

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
6KB

MD5
7ff53643c7973345813f839bff22882f

SHA1
d1469dbd39179aef851b5d1b49d4564bcff800e0

SHA256
df101017d3d0c630c667f0dcb548f40872cdc62e75715a8d2da9b6c635029d1d

SHA512
1f88a90dbcece636b2ac3afb028d774eb59c626211d45389bcae46e918cea7afcd98506cc40da83eda1ffdb990930399a2df458e4aaf1834893ee04e26e4b10f

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
84c107edbd8224b8f51bba380bac408c

SHA1
ecefcdaf49bcbba7dd085619e64123c5171f4dfb

SHA256
ed745b8b9b73adc198ba4cae4bf6be656f8bc6731f17ffffd06b732d4680155e

SHA512
237a0eeabcf273c20beab926f430cff7eaded06ed900d0ef30f9b5020a8d983cdc2a6b7e73cf40154d27bfc08e0d438cf17dcc287f18e92d859fafbc33530773

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
68746d5d2f8bdf1db32e28ca20c54b38

SHA1
63ef3cbc97efee579838d06e8b52006a5aa8c085

SHA256
c620134e43a99dd74d1d34909671f119cb9de8254dbcc1d316bf0068c874d605

SHA512
c81eb42ff7a1d121d231f8d26db3638ad56cae3370c2db59bcdb9c2c4942536f464dc92a24fd1923bf035511ade7fe3a4b402b5a84bb0ec4927869fea776e6bb

Download Submit
memory/3840-10-0x0000000000DA0000-0x00000000023E2000-memory.dmp

Filesize
22.3MB

Download
memory/3840-14-0x0000000000DA0000-0x00000000023E2000-memory.dmp

Filesize
22.3MB

Download
memory/3840-42-0x00000000058C0000-0x00000000058DB000-memory.dmp

Filesize
108KB

Download
memory/3840-39-0x00000000058C0000-0x00000000058DB000-memory.dmp

Filesize
108KB

Download
memory/3840-43-0x00000000058C0000-0x00000000058DB000-memory.dmp

Filesize
108KB

Download
memory/3840-236-0x0000000000DA0000-0x00000000023E2000-memory.dmp

Filesize
22.3MB

Download
memory/5036-12-0x0000000000DA0000-0x00000000023E2000-memory.dmp

Filesize
22.3MB

Download
memory/5036-235-0x0000000000DA0000-0x00000000023E2000-memory.dmp

Filesize
22.3MB

Download
memory/5284-7-0x0000000000DA0000-0x00000000023E2000-memory.dmp

Filesize
22.3MB

Download
memory/5284-0-0x0000000000DA4000-0x0000000001EA6000-memory.dmp

Filesize
17.0MB

Download
memory/5284-1-0x0000000000DA0000-0x00000000023E2000-memory.dmp

Filesize
22.3MB

Download
memory/5284-232-0x0000000000DA4000-0x0000000001EA6000-memory.dmp

Filesize
17.0MB

Download
memory/5284-233-0x0000000000DA0000-0x00000000023E2000-memory.dmp

Filesize
22.3MB

Download