fff4b96876b0c78da96e57cf7ca1b0e0cbee4fde52047a9bde52e25b062d69ca

Analysis

max time kernel
293s
max time network
298s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
12-12-2024 03:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

AnyDesk.exe
Size

5.3MB
MD5

0a269c555e15783351e02629502bf141
SHA1

8fefa361e9b5bce4af0090093f51bcd02892b25d
SHA256

fff4b96876b0c78da96e57cf7ca1b0e0cbee4fde52047a9bde52e25b062d69ca
SHA512

b1784109f01d004f2f618e91695fc4ab9e64989cdedc39941cb1a4e7fed9032e096190269f3baefa590cc98552af5824d0f447a03213e4ae07cf55214758725a
SSDEEP

98304:Uc9HTcGO0ImBimas54Ub5ixTStxZi/l9K0+zLVasSe4JnzMpm+Gq:UcpYGO0IOqs57bUwxG9CVaskJIYE

Score

5^/10

discovery

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Control Panel\International\Geo\Nation	AnyDesk.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Control Panel\International\Geo\Nation	AnyDesk.exe

Loads dropped DLL 2 IoCs

pid	Process
580	AnyDesk.exe
2800	AnyDesk.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AnyDesk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AnyDesk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AnyDesk.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	AnyDesk.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AnyDesk.exe

Suspicious use of FindShellTrayWindow 5 IoCs

pid	Process
580	AnyDesk.exe
580	AnyDesk.exe
580	AnyDesk.exe
580	AnyDesk.exe
580	AnyDesk.exe

Suspicious use of SendNotifyMessage 5 IoCs

pid	Process
580	AnyDesk.exe
580	AnyDesk.exe
580	AnyDesk.exe
580	AnyDesk.exe
580	AnyDesk.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2976 wrote to memory of 2800	2976	AnyDesk.exe	30
PID 2976 wrote to memory of 2800	2976	AnyDesk.exe	30
PID 2976 wrote to memory of 2800	2976	AnyDesk.exe	30
PID 2976 wrote to memory of 2800	2976	AnyDesk.exe	30
PID 2976 wrote to memory of 580	2976	AnyDesk.exe	31
PID 2976 wrote to memory of 580	2976	AnyDesk.exe	31
PID 2976 wrote to memory of 580	2976	AnyDesk.exe	31
PID 2976 wrote to memory of 580	2976	AnyDesk.exe	31

C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
"C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2976
- C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
  "C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe" --local-service
  2⤵
  - Checks computer location settings
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:2800
- C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
  "C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe" --local-control
  2⤵
  - Checks computer location settings
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:580

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace

Filesize
6KB

MD5
018ee3a816586d487d56c7da5ee1587f

SHA1
b8671e3954857cb4637cdb075f144108e5047bda

SHA256
452b39d79b61c23c8e366e05acdccde7e0aceb5bfe19c126c73c0a76fc733fbe

SHA512
56eeb225fa4a4607f0ef12009b4e35f861c78a89f5e84366db0a703f81951897a4bfc178a8a104ad7ab2bee2fdccc817d29662ff75ef70d5a1086aa215e8abae

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\service.conf

Filesize
2KB

MD5
eab5552d359fb91555638071c7f4047c

SHA1
7305f291ade29d0d1d8f2456213f827b8d81ce76

SHA256
e1f857bf2f68f47935303ad495dff2543ec7135172a625e9476c0e337d3bbb6d

SHA512
bc3cff8c8922483c26f2606ff6bfd3e9dbc7e4e8a6ece31acee53249051607d1da5b8b4d26c6d0d4f702b34f4d12173a0f50b84f2462c661dee28d0e23af7734

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\service.conf

Filesize
2KB

MD5
de33b9eca5f38cbf6ac1ae1dcf8dd1bb

SHA1
0c3d569acd9a1db57d832570ff7f9b4cbe441a08

SHA256
afef922f2b184d6ba05be1030da46a0224f76efefb9c82fe8fcf502b47d4b394

SHA512
e2c82ddfcc7513741ec9f562489956eaf9c2373ff1189d5d6dd948cd91ceb8f3d0af72edb9aee3be5ca9193de2d07412cb044c7ecd064ca8ef79a5e74a7a811e

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
745B

MD5
b158e21221124340063b9dd12bff4915

SHA1
88f136ddc0d5345f1c9bd6949196ef018fff7a5c

SHA256
1e8360b99cce5141207250a907e990184fa91b337c05eeb434be20a269da2e33

SHA512
bb14738e7a4d6b03a21dcd467fc08cc3cd61804a33cdec80828b7a667526709bafd2c49acdaf67fce0009d4ed16d349c4f25d681eab9fddefb8882bb2f744cf2

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
766B

MD5
e509ff8e1f6687ff8a1521793369c3a1

SHA1
895468391d7048af99a507626fd858199c8f011a

SHA256
625d2160c69decafdaa69984543f461140d80111b3dbd4f432ebd0d97ab03334

SHA512
9cae60cd6f9b6abc66b1d97f784b5efe887a3387750fd1b5e2187a9dea62ebc185f47c44b5c874d64181bbf4761efa729b4bf648d44ca91a1e5341d8f8eb2fad

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
775B

MD5
475ba33028b1f4781221ee8f90f10bdf

SHA1
e3d37a2aaeaf151e0f48ca69fdf2069c91c2ca6d

SHA256
960365fb19231ad223a9723fc6c2cd509ec123a813e3df0a865dd948d1f03738

SHA512
9e6712ab10a49415c810529c023c1e0274e61c3ab5025d73c8e2b260dd1c52ba878af25df7e7122f88600efd5b1af590d7b2895c258b7d193a5ce90902ed1b20

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
832B

MD5
e2f5c6964a8ed5d66057fdf1f4081f90

SHA1
f1376e3cc86ea2b0a73d0003c96e65f49561e8a6

SHA256
3d0082b5e9943a58516e47027d54c9fe9e07cb18dc7b59fa554ccc2b59472912

SHA512
f06562bab403f8768dd3cf21f008d8e054b53884e4d506e522ebeaf9af51b4aebb7d07871ef93e0dea039417e090849d10eaecde68d0d54276b268128321bbb0

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
468B

MD5
dadc302e22d6ac2de1dc92c28d7f9688

SHA1
fb2cc13d86a11006e1e1c208166f498f41872651

SHA256
19b41eadef09f1b9e7e3d3a93c45c292e6ceaa479e8e6834a2f40b99737e1541

SHA512
1516bec3dfa0031213b8e22b185cd4afec11d01fdd7f0f8862d3db7fda04f2852d6315308e5ec02f5462909bc65b2cbb89f8c8f60c2b7011e3abad0ee62450df

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
468B

MD5
06cc0e5b75cbe7121cdcfa96b14c1060

SHA1
0a9828172ccf6c2e0c6ee386a20c95d6c740e67d

SHA256
600d9d07c457ef34f2d7b5f7e7bb3af1d03e6ed9e9413ce605ef0a009b6bd4bd

SHA512
833976c10a7fdd8beecc49796f431d325ba5c412925db0b3c2b910973f58e248dd54c984f0954b439fed4fa91dbc9eedc59a976373170ef204687e703097b8d0

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
2KB

MD5
d18d31acd62e5c2c4ae979ff829e3164

SHA1
a2dd6d12b0a658c0d4c7e4243894c3b6c603bf98

SHA256
9d77336242b6b00c6199b96c4bf8c264e68b183262071309e010acb19e0fdaab

SHA512
2af6426047eeafd58cd2c948c95f1ee4adf6e656f487218ac9c44076fc9f4c0ebfa6fc08b336f3899920b689f2f44c6e32fa5c0aa7de32f9defb0bcf27c76502

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
f1b676c47d5e42e9af4f373342b33399

SHA1
4c8a34204bdff3250e4edf02646af15f23963e18

SHA256
fe2e21a036a5c7593422e9270e8edb3532a694e9d95b05245f5e9c730c819bdf

SHA512
013e63cb52698d2be74f34cfe9cab79d4088af2c20939e89d45d6e5d62b72f3a23663ebef73e4f92fc545d6a258280f39b21f686a2f8ecb572b647e85190e47b

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
5KB

MD5
20757e3a643070c74c5225fd2c1218e4

SHA1
c576dfe5802465c559f34979006046f4d4e37014

SHA256
2855429f5e851c9f64c9d708431502c29df5d60f9a339ff260c2bacefa28d132

SHA512
d83644904b3662d93fafd38b203a4be9d3caa657733e8d27206e0c0fd5956b9f9b223aaf9803d5f57e7d15863fb21c0fcea4d4694defb9d452d6d8a12f1999be

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
6KB

MD5
ba2b70a086ef8510e39af2b25cb727d1

SHA1
e50351f8860edfc0acefa9a32cc0d2435b357233

SHA256
2b1271643645d29c46a468cbe613e77631f0965c2fa5a08706b955185b2aee1b

SHA512
e5fc6a383bf3ac4a091789f753dc5bae24b4d96d09c6b61068b1d533b14d881a117a979d485e00d2116ad5e412dda5d47d750d6d2b30fd0021acf872cadfca81

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
6KB

MD5
5baa5e1ecd2a4004c2614e2b48cc658e

SHA1
5bd8705e4b9c98a3afccf9564e80f57a03810229

SHA256
973362539b49bbe7af7d13618df3fecf0b4cf5fbdd99ccc8772d4a67db75bbde

SHA512
d7340661e4c2aafa792e671c549f6ce324d0fe1e9d3c72f1fb7775bbebea837e9d47bc50d3150eeaa65bbdd9f4ecc2ae5ccb0ab6dc34b1b573863a969cea7e1e

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
496e7ca9ea0dbfa4e404a5940a079fee

SHA1
91c16e56b508fc5d294f89b745cb0cca962e4806

SHA256
1e0e688d4c566c2ab60f30261c3cf171aca8d1ef805a150e6aeecedd8bf7306d

SHA512
3096e29d545eb84bd523a27f7dc8b8a645b1ee0239b313cc970b8f090ec6051f3df83ed31d5151984b0348d2f3cd5373cc2b33d2cdaa2ea4515c1f8688c7a4d5

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
6f9df9a0df5af62b866aafb8228af464

SHA1
6bdbb9cc6b4280dd9342bf317446493c76188177

SHA256
9afc1be345271dc3e3e7c8e547880a84ab1090d6d271ef30b24c499124db681e

SHA512
9fe9042503e997322d22a8dc6592922c1ce7493b04151a8d261aea4b2a1770acd193151e3a68ce64b67174edd8818ebcedc523046bb2485ec045c77e757dc36b

Download Submit
\Users\Admin\AppData\Local\Temp\gcapi.dll

Filesize
385KB

MD5
1ce7d5a1566c8c449d0f6772a8c27900

SHA1
60854185f6338e1bfc7497fd41aa44c5c00d8f85

SHA256
73170761d6776c0debacfbbc61b6988cb8270a20174bf5c049768a264bb8ffaf

SHA512
7e3411be8614170ae91db1626c452997dc6db663d79130872a124af982ee1d457cefba00abd7f5269adce3052403be31238aecc3934c7379d224cb792d519753

Download Submit
memory/580-245-0x0000000000EF0000-0x0000000002532000-memory.dmp

Filesize
22.3MB

Download
memory/580-10-0x0000000000EF0000-0x0000000002532000-memory.dmp

Filesize
22.3MB

Download
memory/2800-12-0x0000000000EF0000-0x0000000002532000-memory.dmp

Filesize
22.3MB

Download
memory/2800-244-0x0000000000EF0000-0x0000000002532000-memory.dmp

Filesize
22.3MB

Download
memory/2976-5-0x0000000000EF0000-0x0000000002532000-memory.dmp

Filesize
22.3MB

Download
memory/2976-242-0x0000000000EF0000-0x0000000002532000-memory.dmp

Filesize
22.3MB

Download
memory/2976-243-0x0000000000EF4000-0x0000000001FF6000-memory.dmp

Filesize
17.0MB

Download
memory/2976-2-0x0000000000EF4000-0x0000000001FF6000-memory.dmp

Filesize
17.0MB

Download
memory/2976-1-0x0000000000EF0000-0x0000000002532000-memory.dmp

Filesize
22.3MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads