7ab5e5fc448bae685606379dc8bb15a63d42683fd81ad118bc5cc40248849a9f

Analysis

max time kernel
592s
max time network
598s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
09/12/2024, 20:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

anydesk-7-1-4.exe
Size

3.8MB
MD5

3e0abb8a339194027c3e5d8f75dd568d
SHA1

f49baeea7d2a1c467a6505f27a0124b45d26f61f
SHA256

7ab5e5fc448bae685606379dc8bb15a63d42683fd81ad118bc5cc40248849a9f
SHA512

f2bce29e4acd6e3027a30d386a74879ebabb328803e84a2df6aff9ec54933ce7c111b8b447325c37ae3f36e236c573fe4a47a67bfebb3f0d3116b6e21a926a61
SSDEEP

49152:SDvwCpukOImpN6XoNU9Ckh3vcAWfSHo6wgXeSdaEo8qgVX6pkmxEqpRMo2Q0X299:S8VBIMeoNLC+gwQPNo8qgECepxdYiW9c

Score

3^/10

discovery

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	anydesk-7-1-4.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	anydesk-7-1-4.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	anydesk-7-1-4.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	anydesk-7-1-4.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	anydesk-7-1-4.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3516	anydesk-7-1-4.exe
3516	anydesk-7-1-4.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
468	anydesk-7-1-4.exe
468	anydesk-7-1-4.exe
468	anydesk-7-1-4.exe

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
468	anydesk-7-1-4.exe
468	anydesk-7-1-4.exe
468	anydesk-7-1-4.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4876 wrote to memory of 3516	4876	anydesk-7-1-4.exe	82
PID 4876 wrote to memory of 3516	4876	anydesk-7-1-4.exe	82
PID 4876 wrote to memory of 3516	4876	anydesk-7-1-4.exe	82
PID 4876 wrote to memory of 468	4876	anydesk-7-1-4.exe	83
PID 4876 wrote to memory of 468	4876	anydesk-7-1-4.exe	83
PID 4876 wrote to memory of 468	4876	anydesk-7-1-4.exe	83

C:\Users\Admin\AppData\Local\Temp\anydesk-7-1-4.exe
"C:\Users\Admin\AppData\Local\Temp\anydesk-7-1-4.exe"
1⤵
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Suspicious use of WriteProcessMemory
PID:4876
- C:\Users\Admin\AppData\Local\Temp\anydesk-7-1-4.exe
  "C:\Users\Admin\AppData\Local\Temp\anydesk-7-1-4.exe" --local-service
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:3516
- C:\Users\Admin\AppData\Local\Temp\anydesk-7-1-4.exe
  "C:\Users\Admin\AppData\Local\Temp\anydesk-7-1-4.exe" --local-control
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:468

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\gcapi.dll

Filesize
385KB

MD5
1ce7d5a1566c8c449d0f6772a8c27900

SHA1
60854185f6338e1bfc7497fd41aa44c5c00d8f85

SHA256
73170761d6776c0debacfbbc61b6988cb8270a20174bf5c049768a264bb8ffaf

SHA512
7e3411be8614170ae91db1626c452997dc6db663d79130872a124af982ee1d457cefba00abd7f5269adce3052403be31238aecc3934c7379d224cb792d519753

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace

Filesize
4KB

MD5
cec471037b2371cc0ef7f31b24817f46

SHA1
38dae31e664773227ee26ba98e261e9c9a255755

SHA256
fc006b912c4ad66ef91d649a82e06e6772192f43f215918dda0873bec9eafced

SHA512
189825a45dbe54349c59fe86d7d8af9d264419b3cd6a100e6bd2e1201a2cdc6035d54751360f083aad0dfe26b435bb4e16ea93c207b23f6d02e95b69c68bec13

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\service.conf

Filesize
2KB

MD5
099d25dd1c529bdfbcfef55bd7d69b01

SHA1
171aae3c12e4e19620177b7fa3b99ba9dca5f7eb

SHA256
48d53cc81550026df0d110be3db6d6b7562617473b2fc8a6cc177af4b25105c4

SHA512
c2f3511ef758b116b362ddeecc7fd322de10ed17dd5793988537e0659193998396966d8cb2be8ca5933eda3c9699165d890b922107eb8da12e225fbc643de58b

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\service.conf

Filesize
2KB

MD5
dad6f9b3039394caf184375434941cd9

SHA1
87cf7dc3ca3f59e64372d3d5df53b72deeab8611

SHA256
1bbd8409bab78c080b4281393290b184d5c97d25991c279e322a54511f5da9b2

SHA512
1e31b1a64fbfcd53ad14a4342341033c5cd197efcbc13057ac14a5901df48f7cd6f6b6cdd3d88cb10e5a69ab0c230bf0fc57e18bf1f420c7a4b6e61d8b53e18e

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\service.conf

Filesize
2KB

MD5
a6fb4579b05e4f34ec38c3ddf3472695

SHA1
64ad5127c8552a012fd5b499f9c8a9a1297e0697

SHA256
4e730486422676de1b89de62f53142ca527a55fdd56c1f0baea2757c95cffa57

SHA512
d39214277114162b51494d4dd918dccf2ac3a04ded278ca962acbe4f7a327b1e83628a213b4f69a1bdd3a3222aa38cf5f6a19af76d64709907d7a181976a33b8

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
612B

MD5
fc42fca86e570c6efb12d12751e8a232

SHA1
d78093d455c50b22a45979f7b9e4cdb0bcae7425

SHA256
bf465e6156f1caac4fdb0391f284d53ce4b5402a4000268643eaf58d0e998e25

SHA512
f8291b30e4ba35516b46ac470f2f3dd8a12f1c5ed1f412c193865b42b1945a36ec1eb760c94ec898a0cdcf3e1a37518ecadbacdef37920bc8a8179399a4da6d0

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
669B

MD5
11c27b7280ec30e77ef6b735343f6754

SHA1
2dec740fd71ffc7dd82d6698a94b8dd85101d609

SHA256
e72fbeca67b0f0fa7924fb74ff5f649261d7956cc77e1039f16c42a9391da221

SHA512
0e355c7aa337d003256924b78a5f1ee857dc2c1bdbe83a923884455aaa69c313241288ad5b80c5717eba7aea70b5304ab1c072147ebf29e271244c4d9e92f48d

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
716B

MD5
9a56d26bf770aa9e29c635bf40195ecd

SHA1
da22dde7f7a1fd51c7af7bd8361112443b7558f2

SHA256
2324f7230f43ae3744307449a67af3cc1c6efad4c3402596bb4bb1678ba94323

SHA512
e9c82564f417801dc40328afb270fa0c4e502fc4b77f0e657f2b77c2bf784dbd26fb2493ab357db6266dc36829786ff66042e42a663e21daa7ed11116ea8723f

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
785B

MD5
8f19ef2afcecb26fd7e1329ae51d5a9e

SHA1
58aab1acbafca6fd426df9ebf139098bb5bd5415

SHA256
837506b67dfdbb1508107800f6056da8cfcf1c53e0fc6e58e42a52a4c60b18d4

SHA512
91d86e66b2a77fed55bd4c600652d51550a5607bc05abc123778845f99803e1bb2ed0a81f397c8f682afaff173723b157ac2a44f1efff61b5ed792af8fe803e6

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
312B

MD5
0c04ad1083dc5c7c45e3ee2cd344ae38

SHA1
f1cf190f8ca93000e56d49732e9e827e2554c46f

SHA256
6452273c017db7cbe0ffc5b109bbf3f8d3282fb91bfa3c5eabc4fb8f1fc98cb0

SHA512
6c414b39bbc1f1f08446c6c6da6f6e1ceb9303bbf183ae279c872d91641ea8d67ec5e5c4e0824da3837eca73ec29fe70e92b72c09458c8ce50fa6f08791d1492

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
424B

MD5
3a76b9ad5edd64b7a6917d3b12884b67

SHA1
9dfb8495473d15c99219f6ce0f8b97744464b75c

SHA256
9e884a2536dd3e83939acb666fefbb7eed23294cad0c5db6fa64ed069d06cbac

SHA512
6edaf8d3514f28c79936d14bf60f76099eb70cb34a663b0734eb8635dbf418892f0f93749aa9f03a66c73ffecb85815a578a81ec6c82e228f8b5ab15b4b4678f

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
116ebd8b0b722a8c77da061a44fe3f74

SHA1
1ea8ea385c08708a3ca775c7c7599dca52dba0b5

SHA256
657195f81d95f88bd5c1eb0e43f5e43a2f373a297ab868ea11ff486ecc017394

SHA512
c484275d64d446e82634e0da92fb5ab37ebff4d1be1356915304266ef8f309489e97c3a2b120b2303aed68138c39320881a16fc9cbd98695ef3311ec83e30c22

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
6KB

MD5
150aa0d1ed02367fe41fce82e0cd4a4e

SHA1
841d9be3ff9196c031fa414e3fade7036f9dc602

SHA256
18317c00b43f8b40a5b6e4d60014652e479840ac87581dd662ca2629630591ff

SHA512
4bfc1e010e5b77e39e4ac3eb24eefa6573e3d6d3a22b6cd2a8d90912ce0c080803d12f901b564e07128e40fd6a10fc14eae10ebc8f037f3b418aa72ff2ec6189

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
6KB

MD5
cf2fe533e7ebde12b1518387ac8eb384

SHA1
a5c9f102bbba6fb7388725b3e8d18b20388fe893

SHA256
b67978aa7675098bf4e994beba96517fe47a4ecf15a0b6381810613f40de9d2a

SHA512
8400ad7a1472d09a070806b44f121f23b79ed7da086cad4d67e1e6088497fc6354868f984332272a1b83a81e37ce6487a7234c6f0147c1175cc65386307b2c32

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
6KB

MD5
9720ee4bd3731d654ead27ac644f9319

SHA1
73143fd680de89a58a5821397a2833c4278786b1

SHA256
ed61f99516e69ea478016a4df43223b906cf053e9dc200038b68a904f2c5872d

SHA512
b4ec5da25e3975020a70494cc3f1bccde1f2d8a3d5ccdc581965364ca8ab27e092650613dd9d4e2097f6c800514b469267f26241d7fd96beca100b5fe9e07769

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
7KB

MD5
229db8b712823fefd29696f73d238ddc

SHA1
a001a50d6e62bafe2fddd4eb5b7a54a751f8c3f6

SHA256
645816da0c64b9c57b470de38fefa56af5ec7348ffeb7f7c3a6bebc86219c199

SHA512
7cb979c8b71225f72b6ef16e45f33a081817caa46df65e4186d110f1cb35ea1e7ac898dcdb124607f7577ee4cc6c3438ac16eef2072c7baa592097b5c9a4863f

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
980139f3034c0793e74c2f06c12a762d

SHA1
ee16ce0702b97d16653fa6ebe4c19802f45a53fc

SHA256
94dcaef0599afff9e9dd43d6491e5e9cb2d2bd202b22562c0bf0bbf97f8ab513

SHA512
aa72d79c1e188bb2a15c17c9efd5dc4bc8ffca3209ccc0cb26231856d26aa8678781223bfce4e48b5e942c1049d41df9dc6844c024c66420d8676d58ccf4909b

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
ad90544ea16820f1a81f924818887e56

SHA1
bb8d387627492ef6c142097660f072a5d9dcadcf

SHA256
677fa9c0e868752f2c21bf79e07d8dfddc0bfb9a110c6cbb6da771635716db52

SHA512
69c030b6626074faaad6d4fbd86ffba44c2988c851c93dd53c61d1188180f2c1be1635d8c22bcf19e450503d98c19aafedc3142116b758dc340ce89214430f17

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
9a0fa113f6f418e933a5a5644fa1396e

SHA1
1c3590a4cf5f6f2866e7f29eee3029fb799d8a73

SHA256
28c18791a02cb92ccd12096ab612ed46b070078e5043aebe3ac79b7c1d604398

SHA512
8e7845fd691c311a0ae4d38c226d16656e693fef35d23e090e2fb603cf205f2868c40cd3212f946dbd15f9acef28f9355b0a0994e824c3ffd47397cac499f648

Download Submit
memory/468-12-0x00000000006C0000-0x000000000170C000-memory.dmp

Filesize
16.3MB

Download
memory/468-189-0x00000000006C0000-0x000000000170C000-memory.dmp

Filesize
16.3MB

Download
memory/3516-11-0x00000000006C0000-0x000000000170C000-memory.dmp

Filesize
16.3MB

Download
memory/3516-190-0x00000000006C0000-0x000000000170C000-memory.dmp

Filesize
16.3MB

Download
memory/3516-9-0x00000000006C0000-0x000000000170C000-memory.dmp

Filesize
16.3MB

Download
memory/4876-0-0x00000000006C4000-0x0000000001343000-memory.dmp

Filesize
12.5MB

Download
memory/4876-6-0x00000000006C0000-0x000000000170C000-memory.dmp

Filesize
16.3MB

Download
memory/4876-2-0x00000000006C0000-0x000000000170C000-memory.dmp

Filesize
16.3MB

Download
memory/4876-187-0x00000000006C4000-0x0000000001343000-memory.dmp

Filesize
12.5MB

Download
memory/4876-186-0x00000000006C0000-0x000000000170C000-memory.dmp

Filesize
16.3MB

Download