fff4b96876b0c78da96e57cf7ca1b0e0cbee4fde52047a9bde52e25b062d69ca

Analysis

max time kernel
1795s
max time network
1796s
platform
windows11-21h2_x64
resource
win11-20241007-en
resource tags

arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
submitted
09-12-2024 08:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

AnyDesk.exe
Size

5.3MB
MD5

0a269c555e15783351e02629502bf141
SHA1

8fefa361e9b5bce4af0090093f51bcd02892b25d
SHA256

fff4b96876b0c78da96e57cf7ca1b0e0cbee4fde52047a9bde52e25b062d69ca
SHA512

b1784109f01d004f2f618e91695fc4ab9e64989cdedc39941cb1a4e7fed9032e096190269f3baefa590cc98552af5824d0f447a03213e4ae07cf55214758725a
SSDEEP

98304:Uc9HTcGO0ImBimas54Ub5ixTStxZi/l9K0+zLVasSe4JnzMpm+Gq:UcpYGO0IOqs57bUwxG9CVaskJIYE

Score

4^/10

discovery

Malware Config

Signatures

Loads dropped DLL 2 IoCs

pid	Process
3380	AnyDesk.exe
3168	AnyDesk.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AnyDesk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AnyDesk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AnyDesk.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	AnyDesk.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AnyDesk.exe

Suspicious use of FindShellTrayWindow 5 IoCs

pid	Process
3380	AnyDesk.exe
3380	AnyDesk.exe
3380	AnyDesk.exe
3380	AnyDesk.exe
3380	AnyDesk.exe

Suspicious use of SendNotifyMessage 5 IoCs

pid	Process
3380	AnyDesk.exe
3380	AnyDesk.exe
3380	AnyDesk.exe
3380	AnyDesk.exe
3380	AnyDesk.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1060 wrote to memory of 3168	1060	AnyDesk.exe	77
PID 1060 wrote to memory of 3168	1060	AnyDesk.exe	77
PID 1060 wrote to memory of 3168	1060	AnyDesk.exe	77
PID 1060 wrote to memory of 3380	1060	AnyDesk.exe	78
PID 1060 wrote to memory of 3380	1060	AnyDesk.exe	78
PID 1060 wrote to memory of 3380	1060	AnyDesk.exe	78

C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
"C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1060
- C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
  "C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe" --local-service
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:3168
- C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
  "C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe" --local-control
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:3380

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\gcapi.dll

Filesize
385KB

MD5
1ce7d5a1566c8c449d0f6772a8c27900

SHA1
60854185f6338e1bfc7497fd41aa44c5c00d8f85

SHA256
73170761d6776c0debacfbbc61b6988cb8270a20174bf5c049768a264bb8ffaf

SHA512
7e3411be8614170ae91db1626c452997dc6db663d79130872a124af982ee1d457cefba00abd7f5269adce3052403be31238aecc3934c7379d224cb792d519753

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace

Filesize
5KB

MD5
ad0cc84f069e17c9fcf11198fb636283

SHA1
900bed3470b7b5361268a95c46fcb4a9dcdf92ec

SHA256
778af2c27ee0f802588b6b03dfa25b8c2cbffb733bb65e08fa8f8fd0354e8f6c

SHA512
c4f128a295770ab2732ee453626714da00c0e631c5d0d91e3434c950b01bb0b7c95c1e134907745d824f2ecfddfec294843b36eac413ddea29e5b0103d9f06e9

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace

Filesize
10KB

MD5
cad73261799fe6b68c009a4e6cc6aeae

SHA1
6f4e4a4fbed4b73d6d57d4e2a67b17527f4a1032

SHA256
0b451a12b73953e134aa08ed2953c954a37d95cb725fae7e258cf90104aefe5f

SHA512
054fa33732f62ba743fed03d3c790d940c572e98a3eed903fe1ab058bd8204c54c03b929a18a12775e7bedd1d200433ceb464fabd78cb28c91ea39977ce60211

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\service.conf

Filesize
2KB

MD5
55e800f3405d41552b3918e7b7a0a1de

SHA1
3df9981821c5cee37ae986f0e65513fa8ba5d1b7

SHA256
b87e89e210186182c77d83260633e8b87716933d4b08679403fd29696c1382f4

SHA512
49a43b08b9b45ff4db9c4ec509fd174b64b6ae072bd8a8293a663fc0a75ba0258fa5c4ec4a671930aa3728a328f09d2d3151a58af1c119d1d5eef4df209c830e

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\service.conf

Filesize
2KB

MD5
5287e54e6385aaa0378cda5acd8c2057

SHA1
363ef8c5fd7992116788f13ac2ee175b178b5032

SHA256
8111d99d350314443e2a4c0c68bf4bb1bf1d2ea48eaa72a0409a6db4a61f6046

SHA512
ebead3e9a13c2ce9c91907bcb9ab6ab5e3976b074d2e4e81ad4067368ed97b82362d69f42c67a4f92467d0204ac6eec3098ece9dbd04fc7af1b109da9b13d555

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
766B

MD5
cb14f0688bf326d367e3b908dae3883a

SHA1
57511abf14ef67a221f923f86eb6b18109c3e59e

SHA256
0c25f8984f94d8dc426eb8dd7f32786de18b7f7be4c682b4005065d3cb00b93b

SHA512
98dbb5df054bc53a3c24c2d40dda64eeee613517e4a6ae842c7f2785df20130c74d3c8494114e54c75d45749e4a2bc742377a1576c5cfd374bbb6dc980f0e996

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
832B

MD5
db853a4db61e219c4666988fb6463749

SHA1
1dba3632423026f6d8e42ccc3d9241d98585ca11

SHA256
aa7fa2acd9b70e9be448eb73034dba65fb4b1ff92ca96aa494b23fba0a90bde6

SHA512
a2ea6e2f2565f34cd8e8b68909b213026c0726ba9f2b1ac17e8ed31028ac4a566e984faea0186d4091f9c30f555840bb840a1c77cb11703c79f7d079fbeaa5c0

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
312B

MD5
0c04ad1083dc5c7c45e3ee2cd344ae38

SHA1
f1cf190f8ca93000e56d49732e9e827e2554c46f

SHA256
6452273c017db7cbe0ffc5b109bbf3f8d3282fb91bfa3c5eabc4fb8f1fc98cb0

SHA512
6c414b39bbc1f1f08446c6c6da6f6e1ceb9303bbf183ae279c872d91641ea8d67ec5e5c4e0824da3837eca73ec29fe70e92b72c09458c8ce50fa6f08791d1492

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
468B

MD5
7ac9eaee56ee57cf878a001c58c29dc2

SHA1
c8b2d11cfc4a42750d399705ee9366bce772d22f

SHA256
a891c3590cab94e4272f746a3eecad71878950a0e770dbdcdadee7255500c9de

SHA512
588d990d397ae381b48f209d117e6bc537ffb1b5d6a7a060353873f622af86948fc9e505405a64bf21528113012eed43e64a0cdf308f57d9b3995fbf1ef48eff

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
468B

MD5
07a5f5b14a3d4923d6851ef7da615543

SHA1
224bdf832f39cefc69e124cf5baba9aa97cf958c

SHA256
19e915237686c7de8e4b6fd372a3c2501713ae69d2a53cf612e1a2bdcb8f25bc

SHA512
35a299b8d724cf2095ee01bdfb117b4f6ee4a77ff84315dc9020de07f8939bc6973fa1812d89c71de133e8df4caf67afa6107ac228fbd37e13f5cc32112c7961

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
40f34373ffc7d2a797c7704da8c96496

SHA1
c3e1e21cee5860d6daa0b6296c00db5238a34bcf

SHA256
b112c9d4f7ca231b47cbd6cdd311f0637b7cc885a6888c6d73f9440f1bf62aa9

SHA512
adcb4f7fb8afe4d87f38079601ecf5c25795264ccb5ef8b99c717679f73d102d5b9f4beead5e5a6e439c90f6c8a9bf44d6b1a7b5cc66c9b747c65088cb520bb9

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
5KB

MD5
8c01f4c6128702ab2d345d3e9c8d2d1c

SHA1
c950ebc850f9d3e599d1d5b348d23658d43f227b

SHA256
a7bfbb311e9bbdd01a9f59446a3a17042af0f6a5162ac48c04b28476e0617753

SHA512
098692af05f1e015e4203008e209d546ebdfa23103b9138091abc997d2790121b682bb2119789d150732869a0eefb10bf6d9b1cd0acd15db085cfa72fcb90e17

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
5KB

MD5
68e58d2d972ce7ed3e38053583cdde34

SHA1
24ddd268d55f518b55747a9bcdc36fb114e564c5

SHA256
5abc895d2f171ceec72c8e4e4b0b30cef51e63ced14d565f33faa1948127bed3

SHA512
f73b4ae2a39c59c79e1e98265650a882b8abbc18243d69e758f0528456c75347e1e3a845fbfade60c24b27e4302a6a04a406af51f29cae21f159583df4dbf0d3

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
6KB

MD5
8e27c5e06b3104884e40ffaae731a5c7

SHA1
209fcf663c7d08d03c2756634bb4560a01a7eb34

SHA256
05d3513220a48025e1dad2eeceed7f65f9895cf214cb1f0f423c07f0932ac70f

SHA512
b3b796c974efd8d14ebc781423de37159c7660e18ebc0b2575b7caf5df580b3fb6c439e2ccece8ace44623f0bed95cced80396f000227bc1af0a105bce3e608c

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
4e5a2c9dd16f460e93b1de28941cb7ea

SHA1
38723d2a2356076dca2ec51ee9bd168e817f8c1c

SHA256
055891bef93a98429c4dc2581609967ce6b2c2364c707962c4cc2feee880a9c4

SHA512
a741c26073586c1e05aeb30df401efa1f59836247b1c672ec5579ecea1ed79d1bcea3600fd4d2cc4f73bba5467f6a04410ed192c0541b6abd39f2da6dc979ac3

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
f41a4381193f112c75c79b4c7320aa1e

SHA1
2e6984e28ae502ef99f8bf3858842573eff4d590

SHA256
70ecc201b8eaef0e175453f3d42a234b8919318814c06af08f71471c917fe845

SHA512
89b4fdbb0f58c1588a2a0dd363cbef0e3ff9abb5d8a8448f5283b359ee24412a4f2f97bdb840cf8c44d83e48bc0f515f75042da563cbc0f796a2a5889a8e1608

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
777bea1906937565d714efebe9db6e63

SHA1
ef928379b710b14c283b537a67dcb9b9afbf994d

SHA256
6b913705847e9c24c5ff7b0253d5963213069683eab64bc8dd59d7cf2c7c811f

SHA512
706a0c1b53053fabc4b880fcca635736d1de7890682ef96139624090d561f73a7881d758332ffe48d4ed21bc95f19fa17ce1d3c98d2330122e0ccc0a26053f86

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
e2044b47b0aea0813ec2e56c3c784e70

SHA1
8b49160bea25238abf1d8d5bce2381e307a7abb8

SHA256
42ab26a9b0a34171e9596aa962058bfce104e3a8a07d22bfa86522563ba12caa

SHA512
e131012d8b49e887c0907d01768d8d41b09217b1f166ad6c34c0752104097b1742fba338edd8873a3009cc4f4576aa45897ef21b97c938202c5283aef1500ab2

Download Submit
memory/1060-0-0x0000000000140000-0x0000000001782000-memory.dmp

Filesize
22.3MB

Download
memory/1060-1-0x0000000000144000-0x0000000001246000-memory.dmp

Filesize
17.0MB

Download
memory/1060-7-0x0000000000140000-0x0000000001782000-memory.dmp

Filesize
22.3MB

Download
memory/1060-186-0x0000000000144000-0x0000000001246000-memory.dmp

Filesize
17.0MB

Download
memory/1060-185-0x0000000000140000-0x0000000001782000-memory.dmp

Filesize
22.3MB

Download
memory/3168-12-0x0000000000140000-0x0000000001782000-memory.dmp

Filesize
22.3MB

Download
memory/3168-42-0x00000000053C0000-0x00000000053DB000-memory.dmp

Filesize
108KB

Download
memory/3168-38-0x00000000053C0000-0x00000000053DB000-memory.dmp

Filesize
108KB

Download
memory/3168-41-0x00000000053C0000-0x00000000053DB000-memory.dmp

Filesize
108KB

Download
memory/3168-187-0x0000000000140000-0x0000000001782000-memory.dmp

Filesize
22.3MB

Download
memory/3380-10-0x0000000000140000-0x0000000001782000-memory.dmp

Filesize
22.3MB

Download
memory/3380-188-0x0000000000140000-0x0000000001782000-memory.dmp

Filesize
22.3MB

Download