fff4b96876b0c78da96e57cf7ca1b0e0cbee4fde52047a9bde52e25b062d69ca

Analysis

max time kernel
592s
max time network
599s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
12-12-2024 03:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

AnyDesk.exe
Size

5.3MB
MD5

0a269c555e15783351e02629502bf141
SHA1

8fefa361e9b5bce4af0090093f51bcd02892b25d
SHA256

fff4b96876b0c78da96e57cf7ca1b0e0cbee4fde52047a9bde52e25b062d69ca
SHA512

b1784109f01d004f2f618e91695fc4ab9e64989cdedc39941cb1a4e7fed9032e096190269f3baefa590cc98552af5824d0f447a03213e4ae07cf55214758725a
SSDEEP

98304:Uc9HTcGO0ImBimas54Ub5ixTStxZi/l9K0+zLVasSe4JnzMpm+Gq:UcpYGO0IOqs57bUwxG9CVaskJIYE

Score

5^/10

discovery

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	AnyDesk.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	AnyDesk.exe

Loads dropped DLL 2 IoCs

pid	Process
3968	AnyDesk.exe
884	AnyDesk.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AnyDesk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AnyDesk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AnyDesk.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AnyDesk.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	AnyDesk.exe

Suspicious use of FindShellTrayWindow 5 IoCs

pid	Process
3968	AnyDesk.exe
3968	AnyDesk.exe
3968	AnyDesk.exe
3968	AnyDesk.exe
3968	AnyDesk.exe

Suspicious use of SendNotifyMessage 5 IoCs

pid	Process
3968	AnyDesk.exe
3968	AnyDesk.exe
3968	AnyDesk.exe
3968	AnyDesk.exe
3968	AnyDesk.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4004 wrote to memory of 884	4004	AnyDesk.exe	83
PID 4004 wrote to memory of 884	4004	AnyDesk.exe	83
PID 4004 wrote to memory of 884	4004	AnyDesk.exe	83
PID 4004 wrote to memory of 3968	4004	AnyDesk.exe	84
PID 4004 wrote to memory of 3968	4004	AnyDesk.exe	84
PID 4004 wrote to memory of 3968	4004	AnyDesk.exe	84

C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
"C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4004
- C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
  "C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe" --local-service
  2⤵
  - Checks computer location settings
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:884
- C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
  "C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe" --local-control
  2⤵
  - Checks computer location settings
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:3968

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\gcapi.dll

Filesize
385KB

MD5
1ce7d5a1566c8c449d0f6772a8c27900

SHA1
60854185f6338e1bfc7497fd41aa44c5c00d8f85

SHA256
73170761d6776c0debacfbbc61b6988cb8270a20174bf5c049768a264bb8ffaf

SHA512
7e3411be8614170ae91db1626c452997dc6db663d79130872a124af982ee1d457cefba00abd7f5269adce3052403be31238aecc3934c7379d224cb792d519753

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace

Filesize
8KB

MD5
7b01bab46919f6b622fdeb4be7a8838c

SHA1
36deed36dacb45ce61edb9a838c835e8adc0ee18

SHA256
fb78c5eececd08504e3b161f70bc632719f9af495b51b00d7fc0312fd7ae4f2c

SHA512
f5638fb07d1a69a2c89b9256b762c32abd56eddffbb8d5d26958c157e20c6f2bee28d909c0b4296ffbc3c6e27622c68d663f83c200057bda9a5c36b008e8f805

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace

Filesize
9KB

MD5
6a23008146c4e16118f70b89d0fecd79

SHA1
ebe1071ef41a0403eb3ea11fbee6addf5aa74a34

SHA256
f19edd49ee02c7ef82245c22d45479542ff42b7b5b6452a3ddc666abf9208017

SHA512
19284c3b6f0c9e36def31c5b72bd67456f8b3d20691dce06fab3eb906215cfb40038f0ea95266373c4af491e498de05a509549f8638aef2bd72156c7d6c343f0

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\service.conf

Filesize
2KB

MD5
aaa91a9d10b8037407a87b790971a339

SHA1
781f69c384fefcaa55f4b06795e3bb02bb8a6bb6

SHA256
a202de48938b80e69ab6fe76c3d56cc8cdaf57d36edc090c512c381f66f2f061

SHA512
8c30f1b93b07e4767ef312c3fb1cd99cc5953fbcb4cf8c1979b26b2c8a345258d767647a6cb4adf4c3b8dc0eafd64f48e7cd9d384dc336d75ed6a4dc87839f01

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\service.conf

Filesize
2KB

MD5
f5559458ff0270ea821d9de80e3b67d4

SHA1
08e4f8ba02f032b566e79715d15fe53e0bb399f7

SHA256
1252e9a405f69420e1da4ba1fd3c7644c0bad78c0a0bcfbcdb31b77e91a18fe1

SHA512
45b282e1762a2203673ecf31dc1dc65542c40f61010612b886c993385ddc03ac00e0f59f9309fe3d1aad4d0f879f6624d9d9d60efd1560a6700ccfee63c6c639

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
766B

MD5
d736d41b25a559b711ce1061a01082a5

SHA1
be5ecbf89d046ac0a15deda694cc6858c2a5d3ba

SHA256
dcbc345f28ad8612d33495bbeb2699dcc56474b4705389042281108e099ea484

SHA512
73b2d56901de1391972cdae50922cf39dae7f7314bcde913a9a62ad57a375bc6a6000c83714ca55cd62636a45591b7867fe5686d0ef6eee1c8812215a233e9dd

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
831B

MD5
7fcd2e0e4a5117c3c9afaba9c2165dea

SHA1
6997290f01eb48004bf833142904b933e316739f

SHA256
11a23eb50e73c6d6aaf12be05b8b3ed5147ba6b54f3208703671239beb79928d

SHA512
823ec3ab92c899034b059c529d2c87767c3e91a3f823caf3fa4cab31f34966b1ec080e1fee4cdf3440ffd0b2e16d0f6b4fd12a8d1036dc570994ccbc86a643d2

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
831B

MD5
53c3cbd56040379712bb8056709497b7

SHA1
e55c3f1b2f6c0d7cf208af9dc9de56e88e5032a2

SHA256
cac77fe50bb0fa863cca0f3972252209c56fc3bbaa0282d7d58e1c185fa62e91

SHA512
b6dd5c32a91c61997875873bd4b4e23e8a4d1044ff6451934b01bd93389d799e456009ef73e19fd72b6d4cfddf21b6c67d28d20485b123149e5b53a0b6f0dc73

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
312B

MD5
0c04ad1083dc5c7c45e3ee2cd344ae38

SHA1
f1cf190f8ca93000e56d49732e9e827e2554c46f

SHA256
6452273c017db7cbe0ffc5b109bbf3f8d3282fb91bfa3c5eabc4fb8f1fc98cb0

SHA512
6c414b39bbc1f1f08446c6c6da6f6e1ceb9303bbf183ae279c872d91641ea8d67ec5e5c4e0824da3837eca73ec29fe70e92b72c09458c8ce50fa6f08791d1492

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
468B

MD5
a5320c8ef07fd2e5f1cb2062fcdda6cf

SHA1
802dae33e436d6aac234b1c4101de8f6215c8ffc

SHA256
2a63608afab67983cdfa95b6d8732f7d18f32ef0807ac370616441c35da22569

SHA512
ebd00de6b4bef8a4db7234a676f96e4d359959f3fc4e910b4507918179f49cbd7845a80cb78ce19e1ad444212a5ecb107fc4bf85c0431a35ea50570a34ae0b62

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
468B

MD5
36af7fddeebcf09b58963ec2231f8071

SHA1
e99d3cf0edfbe3e6377ffdfce2a7ce03f818e2ce

SHA256
0e1ee73994e5419eeff2a7a0a69d8171835aac49b801a25ab14c1f253796f62c

SHA512
6f9928e97adff35842b13f5fa7e493ca6d362e1c4066bbd9608698739a0fe6b6100e1137a83fc6a3a88dac92c15a1dc7dc2a56f4dfaa9e1aa03802f6c2b6dc37

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
5KB

MD5
5a15f58603cffdc3b92fa9d15008b30f

SHA1
e416ad5f49a398a2c7840466e152e7971085340b

SHA256
fa2f87ba3c5f8bf726705d4817edb196acf004222a71fbcb4e2ce7035a490f70

SHA512
95bc95f8c902d1a1e1e32c5eb0a03bad889795cdd78e7f5dc6ec27b635e0bf3c0ce86784769baaf19b4c63999f025772309432dc3ccb12b90122f06cc2b4f236

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
b49b6dc3a2fdd108e995d7c298c86ebc

SHA1
9f8261835a69b4a6ae23956a535fa83f253c49c8

SHA256
4c6903f2f930dc193856a0a1bfc4c9ba0098fed0ef2fdef4419f12b2ffdbfd14

SHA512
c98886020f7006ca1dcca1a6410771619e59ca2430024f7fa94db0c1194cc19a573a1435b7701a4fc220497474f24dde06a72c722dc586f6c2386389fca05625

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
6KB

MD5
e80c2405bbdac8d9fbc8aa22780c5f65

SHA1
8a4ccfbf3d4ff69d721583d9b71e031c59b33e33

SHA256
03e5b8d414e7f51b5d73fc1abf020052fcaf83ce4aa9cfa03c396b4e35cfde6a

SHA512
8763a538ae1a7e1a3e9d85d938caea2b48d7c5dd6d4007356a074b79c27bf75491114d7faf02507c0408f7324382b4e82c34ad2e591fb4c7d571dde04c6b0211

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
6KB

MD5
8cdfa8d02ec6a565bf01fbf4c495c195

SHA1
c2edbdaedb700d020d51830c0211d8d50cae6788

SHA256
9f6e60d9ca72f7521b801f3714852144052769f8b0dfcaf4b7d64f123fe1b852

SHA512
bfd2de3fcf0cd41f5b2d2b7cb863ce514b37c9106042f32bfae316d46f9b607483ed96e50723347bb765a0f36672d748f2c8f1728e916e034d348a2d8bf86946

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
4a176dba6ad3060ddb20539130222224

SHA1
f5b4d5583416c65dc80e6cd643f1923b74b5f76b

SHA256
611c8ff0f9e02d15c93515c83e1df465b9c3bdaab9695e1015032274cd04e735

SHA512
849a3ac91cc2b57f99db626f690954cc7659c01aaf99fd56426a95475dda0a927b3e9f8e3ce682633f5f01dfbdb4f3dbc95b4e0caf87f28162254b7ecff08875

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
0743e48c4a2f0670c420469f4f49c12a

SHA1
a3b192221d6f2998aeed7945ad610f6cb5f322e4

SHA256
92d4ea809fe1d5efe77d5ef05e9d64dd5698917f4b9442626e13f20fde63dfc2

SHA512
5097d665f9808c66b0d8793bad44a320313c3b5c2c06e16992fc19b06c8efdbc401cab766bfb5449bdb96a266d21af8fac7841c7d5af5542821b14c1f42a90c8

Download Submit
memory/884-40-0x0000000005470000-0x000000000548B000-memory.dmp

Filesize
108KB

Download
memory/884-10-0x00000000007A0000-0x0000000001DE2000-memory.dmp

Filesize
22.3MB

Download
memory/884-41-0x0000000005470000-0x000000000548B000-memory.dmp

Filesize
108KB

Download
memory/884-37-0x0000000005470000-0x000000000548B000-memory.dmp

Filesize
108KB

Download
memory/884-225-0x00000000007A0000-0x0000000001DE2000-memory.dmp

Filesize
22.3MB

Download
memory/3968-12-0x00000000007A0000-0x0000000001DE2000-memory.dmp

Filesize
22.3MB

Download
memory/3968-226-0x00000000007A0000-0x0000000001DE2000-memory.dmp

Filesize
22.3MB

Download
memory/4004-0-0x00000000007A4000-0x00000000018A6000-memory.dmp

Filesize
17.0MB

Download
memory/4004-7-0x00000000007A0000-0x0000000001DE2000-memory.dmp

Filesize
22.3MB

Download
memory/4004-1-0x00000000007A0000-0x0000000001DE2000-memory.dmp

Filesize
22.3MB

Download
memory/4004-224-0x00000000007A0000-0x0000000001DE2000-memory.dmp

Filesize
22.3MB

Download
memory/4004-227-0x00000000007A4000-0x00000000018A6000-memory.dmp

Filesize
17.0MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads