fff4b96876b0c78da96e57cf7ca1b0e0cbee4fde52047a9bde52e25b062d69ca

Analysis

max time kernel
1792s
max time network
1801s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
09/12/2024, 08:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

AnyDesk.exe
Size

5.3MB
MD5

0a269c555e15783351e02629502bf141
SHA1

8fefa361e9b5bce4af0090093f51bcd02892b25d
SHA256

fff4b96876b0c78da96e57cf7ca1b0e0cbee4fde52047a9bde52e25b062d69ca
SHA512

b1784109f01d004f2f618e91695fc4ab9e64989cdedc39941cb1a4e7fed9032e096190269f3baefa590cc98552af5824d0f447a03213e4ae07cf55214758725a
SSDEEP

98304:Uc9HTcGO0ImBimas54Ub5ixTStxZi/l9K0+zLVasSe4JnzMpm+Gq:UcpYGO0IOqs57bUwxG9CVaskJIYE

Score

5^/10

discovery

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	AnyDesk.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	AnyDesk.exe

Loads dropped DLL 2 IoCs

pid	Process
1060	AnyDesk.exe
4120	AnyDesk.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AnyDesk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AnyDesk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AnyDesk.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AnyDesk.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	AnyDesk.exe

Suspicious use of FindShellTrayWindow 7 IoCs

pid	Process
1060	AnyDesk.exe
1060	AnyDesk.exe
1060	AnyDesk.exe
1060	AnyDesk.exe
1060	AnyDesk.exe
1060	AnyDesk.exe
1060	AnyDesk.exe

Suspicious use of SendNotifyMessage 7 IoCs

pid	Process
1060	AnyDesk.exe
1060	AnyDesk.exe
1060	AnyDesk.exe
1060	AnyDesk.exe
1060	AnyDesk.exe
1060	AnyDesk.exe
1060	AnyDesk.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4244 wrote to memory of 4120	4244	AnyDesk.exe	83
PID 4244 wrote to memory of 4120	4244	AnyDesk.exe	83
PID 4244 wrote to memory of 4120	4244	AnyDesk.exe	83
PID 4244 wrote to memory of 1060	4244	AnyDesk.exe	84
PID 4244 wrote to memory of 1060	4244	AnyDesk.exe	84
PID 4244 wrote to memory of 1060	4244	AnyDesk.exe	84

C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
"C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4244
- C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
  "C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe" --local-service
  2⤵
  - Checks computer location settings
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:4120
- C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
  "C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe" --local-control
  2⤵
  - Checks computer location settings
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:1060

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\gcapi.dll

Filesize
64KB

MD5
ecb9969b560eabbf7894b287d110eb4c

SHA1
783ded8c10cc919402a665c0702d6120405cee5d

SHA256
eb8ba080d7b2b98d9c451fbf3a43634491b1fbb563dbbfbc878cbfd728558ea6

SHA512
d86faac12f13fcb9570dff01df0ba910946a33eff1c1b1e48fb4b17b0fb61dded6abf018574ac8f3e36b9cf11ec025b2f56bb04dd00084df243e6d9d32770942

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace

Filesize
9KB

MD5
9d250900af503228639cb88ad9f6cabd

SHA1
adc9f0e36d77ec9c9830a413ed0b882829526d8a

SHA256
9f7978395efb742d5b4f033d46ee2e87505c253c667bccd055a480cd9593b60f

SHA512
cf89c51043e1c5d51634a88b97b21981bc323fb92e215574bace6cc541b24659e312ea803595a615b759acf7a44c9883b3fdcc9a2fd7269b09bb0762269b6f1d

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\service.conf

Filesize
2KB

MD5
bceaa1bea6358f7dc2bf4f3034a31c48

SHA1
d7f485ffdf26d20ed39751795fb4c28a61148386

SHA256
d25a81127012d9ed273d73748ee38069eac6b09ee982044d0e5cf00439ba115b

SHA512
6b40d8e01d8c4c81d9de81a49ea23aaad821385566ffcde068463d672fd0ab5901f305766b3c484aab11e424961c135aaeb7bd27fd077a024ad455a3be78bf25

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\service.conf

Filesize
2KB

MD5
31384a34a5fa06439d361786ed87df96

SHA1
2ce761652e12f593df074d2eb4ca9b6ebf562a3b

SHA256
65f767f425ecdff2a34df528d235481efcd2b896267a8da0cbf8b0cdc3c87a05

SHA512
e63cad4ab79c4464d207593411dd8806f7174d3d2ee0033ab5d7ad25bd8f9af5fe4feb1e63967514325faa8132fa9bf53bb222bd8f19fc48b68ef1bbdcc1e20e

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
766B

MD5
bb457e7cfc4fbdd38a0bfa895acd9fcf

SHA1
3a8be04a2e6b119c6b33c06987dbd6f6ba10a7a4

SHA256
d24358ed09d6150b78f0e08a142bfcaee19e32a498ff0be82508801b5f36b5d3

SHA512
ba0813f1aa41a8ebd85beeb850630b5b40d6448f7c4ee455f5c47a5b5b8a2cb000be1c90604c42c77f5edde3121fc1d6f2b7029c0968bb0ce148e2417df54b21

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
832B

MD5
8a3dbdd878b7429e08c01993bf9c60db

SHA1
c5e7d90c579b7e095d1e408c63e885b748929a72

SHA256
97d077944c8234195324d4c70532a5ffb2bf73ea031e6e3d53f87f51c6227588

SHA512
338801bc42a7c6b4aa8c8f0df1aceefb9c748df559835973376547561ed9467070ecd1b13c050c7b07a785e277e8d0ab9e8fe31f84552cca85ee01b2edb0203e

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
312B

MD5
0c04ad1083dc5c7c45e3ee2cd344ae38

SHA1
f1cf190f8ca93000e56d49732e9e827e2554c46f

SHA256
6452273c017db7cbe0ffc5b109bbf3f8d3282fb91bfa3c5eabc4fb8f1fc98cb0

SHA512
6c414b39bbc1f1f08446c6c6da6f6e1ceb9303bbf183ae279c872d91641ea8d67ec5e5c4e0824da3837eca73ec29fe70e92b72c09458c8ce50fa6f08791d1492

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
468B

MD5
12ce90619ea94d4360e414ff93cf946c

SHA1
0aa37d1aac6492014bf0dc06c564204e590f8bfa

SHA256
83ff4561144a7fd9356494ca2db0ca331438e409bac57532ff2d234b47b40e56

SHA512
5620596efeffd9fcd50ae96b7e792bcb81f5ddb690c2d6d7d6bfde080ae4263c6b8e3d1f4bd8ace2d4669751c2e1ca5b6bac1332d02c2e45b3a279c9f82f51a5

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
468B

MD5
0e30abc6197fb89a66541afea382080e

SHA1
180c9289107092886d0d5dd4f544fa3e4fbd753d

SHA256
39037d7b1d12d2d6289772771da0a2d61f5d243bda2b92bf5cff3f34744ed9cf

SHA512
e43b8de10c2de12a0fbbf75933f1b912966f6847b9d90656e76a1db62e28c697c26b29e254fb55828f3e0592fd8784881088de2ca4458304551aea0c2527e58c

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
2KB

MD5
2b4722dd5d086d9d9130cb843e04b990

SHA1
7ae99ed5877955eb6803bf1e8fd56ae4c380d446

SHA256
b1d1342814f94f14f0e155ed51292cf0fc308a34e7ba4fec0a1bb4fa3f18168d

SHA512
096b8e8ac735fd0a9df3e5777c1867d9fb8e6cae6db2291fa5878a1b0a602a5b4096df423980dd7cf7cab36eabe398fc972be35c4fd3a2e8486357a6f3f43b51

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
2KB

MD5
c69b0110347e5e63e51a042ea9224a3e

SHA1
ab1794a7eaae68b56b2ec236bde17dc7debe90f2

SHA256
144f6bf884423c6e08a7143cc92a1ce9406dfbdd104d047a5bd6acd9635370ea

SHA512
d9174d27c4e547dbc35332c55c3adaa3c14ebee9303b2a98add1e653d9ce8397a9ec72013e61c9d68a4878a9c5b625d6e62563e2fdfee628971cc14dee705546

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
6KB

MD5
cf222b1be7f9e73d638864cefc1bf9c7

SHA1
bb50c1ac53d84fe59a78d9500d451bea994c90b6

SHA256
f7fb49019d04e6ad38b48ea05bfb1c6b8575e0a996c3a2e7f7457a1d7dd99930

SHA512
335ce6bd292fcb13eba889620790d63e2e88db4e09773f5c56b8b1d400002dc7c50b18cd47ccbe4912946870f3647e00e200ff46b4edf46c3acce7571d8d853e

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
a48300bbf52233cb64b7c436dca697e3

SHA1
a25fc6384c1c7a6d65bb34ef23f9a4bc50cf26d2

SHA256
33c1f4faf30faaf48f911c17b4280e0acf3c8fa4104f1e106e6ad931de9d6bb5

SHA512
9bf2232215ac634f3b4dbc9ffd045a4e3f1ca92032c2c612f4d675daffe45979e2459db2699e62030c7b2644c185ab5df4d2cd6fabb91c2f72b43ae44933907d

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
5KB

MD5
f4a244aaca045cfa23f2aff28ed27725

SHA1
9f3f2f8e37a720e1871cef0b307fbf6f2ad9c6f0

SHA256
8ed8f458c6e10b51ce5ec7357bcbfde2d87aedc3aac2307646c5617acbd2d89f

SHA512
cd570f185845aabb9093259fc851ee8534202d153b4045a00c3c6ac699819b8a23bad6a23ba6ac66e414fe438c3ae8aee7dbc8c0197879cd8d5ba097a6f1120c

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
5KB

MD5
7d989f3dd668d2c0a703af422384fbb5

SHA1
33d93f6e4d497f1752d8ffd10e6ea3fd25617961

SHA256
d99776a95e29b59b1e87a3270e31163b363accade1fd94108bcc79fd7f2cf70c

SHA512
42d6ee9f37d606932aa85c49cbe399fffee81cd7ecaace1057ea9210765c6be96a1d3fae3224f0ddd0931c65119768b8108b864762d4d426ff079de34744d51a

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
6KB

MD5
bf63579aa8e012edb50e046fed5754c1

SHA1
17438aebad92250fe4a9038c58ee7df82d18bcf3

SHA256
23274e39429b3533eb7631c32e53d169eae5b0420068e2b7f46803b323b6f6d7

SHA512
80d191896383dfeb795409d9cc7eb91cfbbadbd55d25c75373d5521b960ae117c3017a0fd3f9a6f8a47adb72a460ff2a59b2f83eea7bb04c2e92e68b0cced00f

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
6KB

MD5
b046cef4757b20af0f69094dde08ef31

SHA1
9a5472b059ff09019b43ab931bc3c41c420c266d

SHA256
b4d984bb6e2471ee9ca5c0ae0386dd0b614593d068dad7aa825a3d611a7c30d2

SHA512
6506ca9f2053ec5b145adc7802ac8e3c0271f577a64e28f916588b291090d311bca1f7fa4ef22172da6d3791a86109a9bcc0943ad5af2b5320137404e4fe3f6a

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
b4988623a27f4baaeaa54de4ec8a8091

SHA1
3b1e02502518543ca9c825b28f050b75cc1c9427

SHA256
2c726ebde97885c6d9f2e9090ae5cb6f4c10eae9f7fdf7fee1477b1a98e08464

SHA512
2697aea54c7d7c3c0398398235403989b5d3c791fc8190ed5b97e69d3684473f10534063ba5db0ec08814348bc7dffe4495569253b421c613389bbdaee6ba62e

Download Submit
memory/1060-174-0x0000000000260000-0x00000000018A2000-memory.dmp

Filesize
22.3MB

Download
memory/1060-281-0x0000000000260000-0x00000000018A2000-memory.dmp

Filesize
22.3MB

Download
memory/1060-16-0x0000000000260000-0x00000000018A2000-memory.dmp

Filesize
22.3MB

Download
memory/4120-173-0x0000000000260000-0x00000000018A2000-memory.dmp

Filesize
22.3MB

Download
memory/4120-278-0x0000000000260000-0x00000000018A2000-memory.dmp

Filesize
22.3MB

Download
memory/4120-10-0x0000000000260000-0x00000000018A2000-memory.dmp

Filesize
22.3MB

Download
memory/4120-18-0x0000000000260000-0x00000000018A2000-memory.dmp

Filesize
22.3MB

Download
memory/4120-280-0x0000000000260000-0x00000000018A2000-memory.dmp

Filesize
22.3MB

Download
memory/4120-38-0x00000000056E0000-0x00000000056FB000-memory.dmp

Filesize
108KB

Download
memory/4120-41-0x00000000056E0000-0x00000000056FB000-memory.dmp

Filesize
108KB

Download
memory/4120-42-0x00000000056E0000-0x00000000056FB000-memory.dmp

Filesize
108KB

Download
memory/4244-118-0x0000000000264000-0x0000000001366000-memory.dmp

Filesize
17.0MB

Download
memory/4244-0-0x0000000000260000-0x00000000018A2000-memory.dmp

Filesize
22.3MB

Download
memory/4244-2-0x0000000000264000-0x0000000001366000-memory.dmp

Filesize
17.0MB

Download
memory/4244-279-0x0000000000260000-0x00000000018A2000-memory.dmp

Filesize
22.3MB

Download
memory/4244-113-0x0000000000260000-0x00000000018A2000-memory.dmp

Filesize
22.3MB

Download
memory/4244-5-0x0000000000260000-0x00000000018A2000-memory.dmp

Filesize
22.3MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads