fff4b96876b0c78da96e57cf7ca1b0e0cbee4fde52047a9bde52e25b062d69ca

Analysis

max time kernel
291s
max time network
291s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
12-12-2024 03:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

AnyDesk.exe
Size

5.3MB
MD5

0a269c555e15783351e02629502bf141
SHA1

8fefa361e9b5bce4af0090093f51bcd02892b25d
SHA256

fff4b96876b0c78da96e57cf7ca1b0e0cbee4fde52047a9bde52e25b062d69ca
SHA512

b1784109f01d004f2f618e91695fc4ab9e64989cdedc39941cb1a4e7fed9032e096190269f3baefa590cc98552af5824d0f447a03213e4ae07cf55214758725a
SSDEEP

98304:Uc9HTcGO0ImBimas54Ub5ixTStxZi/l9K0+zLVasSe4JnzMpm+Gq:UcpYGO0IOqs57bUwxG9CVaskJIYE

Score

5^/10

discovery

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	AnyDesk.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	AnyDesk.exe

Loads dropped DLL 2 IoCs

pid	Process
312	AnyDesk.exe
5020	AnyDesk.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AnyDesk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AnyDesk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AnyDesk.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AnyDesk.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	AnyDesk.exe

Suspicious use of FindShellTrayWindow 5 IoCs

pid	Process
312	AnyDesk.exe
312	AnyDesk.exe
312	AnyDesk.exe
312	AnyDesk.exe
312	AnyDesk.exe

Suspicious use of SendNotifyMessage 5 IoCs

pid	Process
312	AnyDesk.exe
312	AnyDesk.exe
312	AnyDesk.exe
312	AnyDesk.exe
312	AnyDesk.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2548 wrote to memory of 5020	2548	AnyDesk.exe	83
PID 2548 wrote to memory of 5020	2548	AnyDesk.exe	83
PID 2548 wrote to memory of 5020	2548	AnyDesk.exe	83
PID 2548 wrote to memory of 312	2548	AnyDesk.exe	84
PID 2548 wrote to memory of 312	2548	AnyDesk.exe	84
PID 2548 wrote to memory of 312	2548	AnyDesk.exe	84

C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
"C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2548
- C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
  "C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe" --local-service
  2⤵
  - Checks computer location settings
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:5020
- C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
  "C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe" --local-control
  2⤵
  - Checks computer location settings
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:312

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\gcapi.dll

Filesize
385KB

MD5
1ce7d5a1566c8c449d0f6772a8c27900

SHA1
60854185f6338e1bfc7497fd41aa44c5c00d8f85

SHA256
73170761d6776c0debacfbbc61b6988cb8270a20174bf5c049768a264bb8ffaf

SHA512
7e3411be8614170ae91db1626c452997dc6db663d79130872a124af982ee1d457cefba00abd7f5269adce3052403be31238aecc3934c7379d224cb792d519753

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace

Filesize
9KB

MD5
35e9aac0014303e32568c0fd7cb1fc60

SHA1
219c134ba66cf9913d1ab5306b8a660897ae5272

SHA256
75961cbe2f902135b2cb09b247fbf7013fcc77d681ac2158de548e025031bbb1

SHA512
f7d4c8caa036b9e82147f6ad9f5b24c86d3d32149332b78040a8a0135d4d5b2fc59eafeb6a50d785adf584b585c6348f39cc5daef29b91178d3b54b44a5601dd

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\service.conf

Filesize
2KB

MD5
c704c1ed15e4b19f73d3b0a8c394ea38

SHA1
2547748067af7e662f0032e150c2c822748f5a00

SHA256
966afd8fdb41fa36a165c554d6cf044ccc7a84a1278f4cc4ab4e566abcc59e5c

SHA512
1d977d62cba44a675e5fa878d72dfae9160b013b2345c096ef87330f8a10236281575a4c28b0634d8f5896dd8027ad3aaf630f2f84134033144aca9ad44372c4

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\service.conf

Filesize
2KB

MD5
8d6d939f0a982092e15a43fd0f684b74

SHA1
d0240631fb2ae50dc8d0c10c1c6942ce51f84573

SHA256
151b6237caca2a1a29c145f3872874170b7c1b5f7a0ef22f94a81ee4d5005a51

SHA512
5f516777d32116545c182aef45119ee56c3894d3e4cb0222ebd9f7698399eae38f6012c46e028e75af953f68c02ec6b28b6376d8f6578a24c74811c239c0deb3

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
745B

MD5
1af8bc708e28052c2a82f38bc7fbdf88

SHA1
2a34a16b826fd2780d8cbf7986c043b01a33c451

SHA256
6e765d737727e85c2e03cb35b386cc0209fc2c31431423451bc7d32f53ab79c6

SHA512
d2630eea0f6e472ace69bcb16ba6ff718bcdf0cb3f088e2a6d7513edfb429489145dfc63d9994167c308d1bc29d3f2db698a23dc03bbfd6b3576417e00aec782

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
766B

MD5
6099eb1921c00eab0c5e773ba156c944

SHA1
7daf8f304919d9efbb842550c439dafacce2b544

SHA256
5546ab06443d3e69ca9fafd50fb82b90cb0a4480ee50cc155638cf8d0fe87004

SHA512
82e1b993b36ed886ba8452b11f1a9e302f6a65563f6c0fcd886bf51ce5c4d6491ba86baf8c337c1e5cd354ce182189aa4aa8c0339976b6baecad25971056e1f2

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
775B

MD5
d583255184920d4f79c9cdc471194577

SHA1
37731e1c99014d96eb7f4ab22813e2f1c5796686

SHA256
64c7c443f992ee4a6433373c39b6cc21003e6781765a37e064a71de255f9d7fd

SHA512
46888aa5feb4e1ee5f3778096c8020e3c645e96c9fdfc9221ad632d14c9c7176b12121fa691f9f4fcd4c71bb1b084d6ac3ff263fe60010be486c107754069b9e

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
832B

MD5
e914d821fe45f0716403b9304a6f844c

SHA1
b3709a8e08a67c7601605d1428a115038fd48cf8

SHA256
aba5b8439fa11bb3705560c7a0b15320bb067e132cd28e90ad7297f7233f61f5

SHA512
e360fc2409cb2dadc6586c8420d81ce0e5c5a289ceb50eea4b9ee5dfe86b0c0e05b4d9c1e0b9495518e5b50d58de568cfbd392b9185cee55274d2ff79be83da0

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
312B

MD5
0c04ad1083dc5c7c45e3ee2cd344ae38

SHA1
f1cf190f8ca93000e56d49732e9e827e2554c46f

SHA256
6452273c017db7cbe0ffc5b109bbf3f8d3282fb91bfa3c5eabc4fb8f1fc98cb0

SHA512
6c414b39bbc1f1f08446c6c6da6f6e1ceb9303bbf183ae279c872d91641ea8d67ec5e5c4e0824da3837eca73ec29fe70e92b72c09458c8ce50fa6f08791d1492

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
468B

MD5
959403e204d308c7d5df2b0f5a371c47

SHA1
82748cda2d868eacdb038e802cf19408ee441d12

SHA256
fdc40b493d745f29a6b8741602a2596d32fa7e80c507ec2a7469b358391da4c6

SHA512
090ecc28556dcd9422b6907d28fbd526b2198983f71c6e1c6380d4ea893ed7216e6776905008f77bb690e5700b152abcb43613daff94925fe91bf3e8c0808ee3

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
468B

MD5
8a04587b0dacfd998104f5c0dfe02391

SHA1
1cc3da2e6833fba4c1a55d7f9894e1447bca8a92

SHA256
3944d9ad1d24cc3e05ee5f7faf06090f3ba64fe129c89306b67b45f60bb7091c

SHA512
88e8d715a0af3bf9e4cba97fad8305042d98a641e7dc716dc1366ae4bfdff08c3f1a7414b2ab78c70fd2bce0f05683973f519a81dacadd5e7741d00ddc500f10

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
2KB

MD5
055a9bcf15a8266f179a5fd4209fe6a6

SHA1
91a8c479a3d3bc9ca705cd26c950ec235ae8e891

SHA256
30ce92e0c458571f61c0541ab3fc5676e272caea5a24b9b33b96d702a0c11e72

SHA512
388358fc5a944748a109243e4eacaf3e15cc34b84b916f447419abd6e5e0c02c4f169f9f43af775a9a35483177f8944df03196b5e52c640aa79adefc440c0d4a

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
2KB

MD5
cc0974adf99c77be389371f4ee08ff1c

SHA1
911fe05059f9482b793928892512469edbcf2913

SHA256
100720f3556bd65f829a748e07c157fb0bb0ea0c608f2924b86e576e514f1ef3

SHA512
d6c6e01c586084a947947cde3d631d69bb829d250e7a0f3a5e70334ae94ce5146ea1a54e0632395731c89e1471e28951bbdd23edd035cbcb00a57c7499450902

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
65af2879034478f4857b089036cf6f47

SHA1
50832941aa131a8dbeddc5da36f1b84a6283c701

SHA256
1f1697f967f081c4ea413563f52e7eba4f40e5b56cc1a8e4d2ee48b604c61dbc

SHA512
c97aed8b4fc6cfa529ca63d1131b66ec4b1dc503eb9a3a1ded8029b083f54f3e5c62b88dba21305e3f5d754dc53ff7c43df9f4418e6bbce69f3aae24f1967456

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
2KB

MD5
7aafdfe9233cb0c2ac5882709e51f3a8

SHA1
c3076afbf46db400ea87b6fc02db5c94ffd79201

SHA256
8936c6f3da0fa04285a79642bf85d93286a5513413a7508fece2bd5a030b52f0

SHA512
3cac3c590bfaf4e536f1deeaba663a506b701627d63b5840d1666141539a6258537c7ecf097660650b80777b91ed966f562aa13d3bc1022130874c8980955437

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
2KB

MD5
a067fe78c49e646edfd39805802b5b87

SHA1
f0443fafbc9bab74a92b5d36e31dbfbebae62856

SHA256
ef6d078916b42c17b8184c4021dbf971ca7872e1130e13201455b9471c9b808b

SHA512
755bd40bd8a2c82b8e73c72450b1a0a214c77c5a2f0293dd79d8dbfd0589484d5973274ffb03bf9a343246b07b30199f95932e6add03bcfb1636f4b1b5f937b3

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
2KB

MD5
c63877cb9e970f63a9f2d5438256dac8

SHA1
a776a2eba2ca21559ce6328c70571d8ab83aeba1

SHA256
a8129d23d742d59d19d9d4b52f5d196eaee58c187cf7a130d9b453fa216dfba7

SHA512
388d15d4a35eb21118ea9220927d0659923e3d2da5186d1b4d62696cf2f8c36fdd0746600b1a3fe3981dc12cb990583492d19f8e08e7071015506e8a60081bd8

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
6KB

MD5
4a2ef68b00754a5757a7453fbbb6d689

SHA1
cbffbcb9e668c1fdf1b13bc1b6b370d9def6b1af

SHA256
3d79f7be076c045956e6e74f2ca5001082c1f1328d5e3f6d09ef0c17be62ef4a

SHA512
9ccfba5b4bd5738df4c11d153d2661bcc95f576dbd20348d19b8bc8670a39f2cc4bd7655d715a825b6fa82177b292181b9b92fde903f5bc826d4ff445207895c

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
6KB

MD5
7e5fb1262587f94ba87c9f9817d10068

SHA1
59ba66d9edfde71e3b252745f3ad90487e8c9654

SHA256
24270c00afca3bd63660140f1a2a47f4a28db523eb1f09ac8946af7f3c7e1b74

SHA512
ea89196f3d6ea2ee113604ba941e34078cc9d05c983d353402bf1c6d2a08cd53b37e6b1cae8f45e77b292a9db2091d79cd0389fd5cb8b81780a0fc561b983938

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
6KB

MD5
37cd7d94df1474c1b8d9fa6415dbb17d

SHA1
a4e6db3aa9fb7770a0f9194cc1ee2154f9832e62

SHA256
b498a757c7e5b7f01ebee9c47a73374d91e47de3ae6e3661caa9a0413c7fb143

SHA512
cecb397fb52c935e88c290b10225d29013cb7086a4ae6c98528d944e2466d6231da76eae28aaba77fd8a9063155fcbadcf3dd71cffe51a4bdc90b5d623558911

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
6KB

MD5
db491f7b5cb49019ff444c2d92b24437

SHA1
c22c4f25679afa2cb2b0dada5e05b525a42a5c17

SHA256
30f7d4270c5e1a61070855c8f3508c59c3a4f010b49cf3cf315958447e43c6e9

SHA512
6ff93e21f6d2d8992d388ae87e9fcdeec0483bdffad5c3e8024d8455c7b67c2444348fc5f758ae99911ba160e1d7063044773ddc38fefbad3907a7f1863367e1

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
6KB

MD5
9644dc08d97b3e195ecb89cfdaf0d75b

SHA1
e654777abb26715bd5cd107d1e38f8ef1e564364

SHA256
2c693df0e218826042cd976ab441774dd32f32b62786cf1d7b259f3be5538484

SHA512
6f3af0a6de6638eb7408b91fc1831e84933d6a4b9b155f3d1c1abac8fd8913ea3086d11149f90c135e4be1d73cf0a482ad676b0efd67cc5c3fdea4937415cf43

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
6b2a39847ed42b19769db93e41d5cd69

SHA1
073989d25609bbcea3d3fe1d44e57af8cb940f09

SHA256
73171b94db0fd61b3cfdbf3db4b14251e519bba2f34aa64e7e0d69ab0eb15b1f

SHA512
12b04296476d0c457902985420f02b82d190824c378ee430e077399025b8eb7eeaaabeab3f3d4effc54c94686bdc8e58a545ff5133585ad77c2311f972de72d1

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
967abc2202367c7621688769703b049b

SHA1
8e60e04d3a2bd2a064b206d8d5fb8f9c8f9709c9

SHA256
42acddf1805f5c28c1f232e37f9cc1c731bfa061b38c5fd27d0e863ad83cdeb3

SHA512
a220e46152b2d3b4fe399ebee3ee3aae340759523752174e5317564aa93bf7a6a8825936e72c57237c4a3808d9ae6d353b969562b9ea01275a59379416fb52bc

Download Submit
memory/312-249-0x0000000000CF0000-0x0000000002332000-memory.dmp

Filesize
22.3MB

Download
memory/312-323-0x0000000000CF0000-0x0000000002332000-memory.dmp

Filesize
22.3MB

Download
memory/312-17-0x0000000000CF0000-0x0000000002332000-memory.dmp

Filesize
22.3MB

Download
memory/312-190-0x0000000000CF0000-0x0000000002332000-memory.dmp

Filesize
22.3MB

Download
memory/2548-93-0x0000000000CF0000-0x0000000002332000-memory.dmp

Filesize
22.3MB

Download
memory/2548-188-0x0000000000CF0000-0x0000000002332000-memory.dmp

Filesize
22.3MB

Download
memory/2548-191-0x0000000000CF4000-0x0000000001DF6000-memory.dmp

Filesize
17.0MB

Download
memory/2548-7-0x0000000000CF0000-0x0000000002332000-memory.dmp

Filesize
22.3MB

Download
memory/2548-14-0x0000000000CF0000-0x0000000002332000-memory.dmp

Filesize
22.3MB

Download
memory/2548-179-0x0000000000CF0000-0x0000000002332000-memory.dmp

Filesize
22.3MB

Download
memory/2548-247-0x0000000000CF0000-0x0000000002332000-memory.dmp

Filesize
22.3MB

Download
memory/2548-0-0x0000000000CF4000-0x0000000001DF6000-memory.dmp

Filesize
17.0MB

Download
memory/2548-1-0x0000000000CF0000-0x0000000002332000-memory.dmp

Filesize
22.3MB

Download
memory/2548-321-0x0000000000CF0000-0x0000000002332000-memory.dmp

Filesize
22.3MB

Download
memory/5020-25-0x0000000000CF0000-0x0000000002332000-memory.dmp

Filesize
22.3MB

Download
memory/5020-248-0x0000000000CF0000-0x0000000002332000-memory.dmp

Filesize
22.3MB

Download
memory/5020-189-0x0000000000CF0000-0x0000000002332000-memory.dmp

Filesize
22.3MB

Download
memory/5020-15-0x0000000000CF0000-0x0000000002332000-memory.dmp

Filesize
22.3MB

Download
memory/5020-42-0x0000000005B60000-0x0000000005B7B000-memory.dmp

Filesize
108KB

Download
memory/5020-43-0x0000000005B60000-0x0000000005B7B000-memory.dmp

Filesize
108KB

Download
memory/5020-322-0x0000000000CF0000-0x0000000002332000-memory.dmp

Filesize
22.3MB

Download
memory/5020-39-0x0000000005B60000-0x0000000005B7B000-memory.dmp

Filesize
108KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads