fff4b96876b0c78da96e57cf7ca1b0e0cbee4fde52047a9bde52e25b062d69ca

Analysis

max time kernel
1792s
max time network
1799s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
12-12-2024 03:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

AnyDesk.exe
Size

5.3MB
MD5

0a269c555e15783351e02629502bf141
SHA1

8fefa361e9b5bce4af0090093f51bcd02892b25d
SHA256

fff4b96876b0c78da96e57cf7ca1b0e0cbee4fde52047a9bde52e25b062d69ca
SHA512

b1784109f01d004f2f618e91695fc4ab9e64989cdedc39941cb1a4e7fed9032e096190269f3baefa590cc98552af5824d0f447a03213e4ae07cf55214758725a
SSDEEP

98304:Uc9HTcGO0ImBimas54Ub5ixTStxZi/l9K0+zLVasSe4JnzMpm+Gq:UcpYGO0IOqs57bUwxG9CVaskJIYE

Score

5^/10

discovery

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	AnyDesk.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	AnyDesk.exe

Loads dropped DLL 2 IoCs

pid	Process
1368	AnyDesk.exe
2700	AnyDesk.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AnyDesk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AnyDesk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AnyDesk.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AnyDesk.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	AnyDesk.exe

Suspicious use of FindShellTrayWindow 5 IoCs

pid	Process
1368	AnyDesk.exe
1368	AnyDesk.exe
1368	AnyDesk.exe
1368	AnyDesk.exe
1368	AnyDesk.exe

Suspicious use of SendNotifyMessage 5 IoCs

pid	Process
1368	AnyDesk.exe
1368	AnyDesk.exe
1368	AnyDesk.exe
1368	AnyDesk.exe
1368	AnyDesk.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1296 wrote to memory of 2700	1296	AnyDesk.exe	83
PID 1296 wrote to memory of 2700	1296	AnyDesk.exe	83
PID 1296 wrote to memory of 2700	1296	AnyDesk.exe	83
PID 1296 wrote to memory of 1368	1296	AnyDesk.exe	84
PID 1296 wrote to memory of 1368	1296	AnyDesk.exe	84
PID 1296 wrote to memory of 1368	1296	AnyDesk.exe	84

C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
"C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1296
- C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
  "C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe" --local-service
  2⤵
  - Checks computer location settings
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:2700
- C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
  "C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe" --local-control
  2⤵
  - Checks computer location settings
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:1368

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\gcapi.dll

Filesize
385KB

MD5
1ce7d5a1566c8c449d0f6772a8c27900

SHA1
60854185f6338e1bfc7497fd41aa44c5c00d8f85

SHA256
73170761d6776c0debacfbbc61b6988cb8270a20174bf5c049768a264bb8ffaf

SHA512
7e3411be8614170ae91db1626c452997dc6db663d79130872a124af982ee1d457cefba00abd7f5269adce3052403be31238aecc3934c7379d224cb792d519753

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace

Filesize
8KB

MD5
eca65078848ec592674ac815c7df4580

SHA1
05c1bb856bf66671bff3d5b5d623e9a583197ddb

SHA256
de49d89e59e5d9c610b47f547449a2fff2c7d83cbf917e77c51562752a7f9f09

SHA512
09c98d99133c4e5aa018adf92ecef964f1f2260091d1daa5cf06316f4070442216f66fce7f80878a0735da746c41c1908dc1324e4856aed119108047c37d2103

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\service.conf

Filesize
2KB

MD5
9b24a0965af2d5d131a0bb20ea173705

SHA1
459fed22d4e49c89cb63bf572717c558cd52c9fc

SHA256
b5f9249d7261c9af980a22db049868606bc568a4a733df551ac1b08af205ba81

SHA512
b28188cd3c55c7c0806f1e8bf7b652ff5b7452bd921f0517ae8b47b9a3925a0e6b3cf80c98807413f03827cb400bdf61049ee4494168fd0849e0c9d5dafc2d42

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\service.conf

Filesize
2KB

MD5
2365e668f89b17d1892121ad0db87368

SHA1
8b148f0b208bf76bb0df6cb1d80570cb5986d82f

SHA256
f3a4ec45a688e38b8ac3b245f506073e8f3a687849ad77c827c91285a5314694

SHA512
531143b63bc78aa13836d9b725e0f52590eb358d0c8c67e981bab2d780606b26375c1a338c91cf3ebaea788be9095b2b46d40fdc9ef241f30bd7c061a07ee0b9

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
766B

MD5
e5cf7728b9568dba9aa779ebed3354cb

SHA1
29e31e018e2825f7e983f34c0c4541fdf18ddd11

SHA256
2265006dd7e23a9fd68e43f95000a33734b6c842a752d8c0edfb9163639c1334

SHA512
a9fd7b668ace338d58d9df843a3149e8cc0957be9e499ef73a624560ddd9a718f5282a75638b81464603925d1a9a85fdfd9873394ae8a2f2a2b0279c2bdd1b08

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
823B

MD5
d0956f6ea14fe9caacf47962e5dd7cc6

SHA1
edd8057e12f76135612e23af69b9e6b2c1f4957e

SHA256
9bc78a7a3b5329fa7efbc8bbec92203a0b67d271f4783dca40bb43b000fb4be0

SHA512
ed4a3b791f874755e121927f9a3e811b6b87537905f17a85594a4c9024e750ba776acd43b3ea86c6d700cede6fffc20b9f640d1bf07d50e7951917dfbd70301e

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
832B

MD5
fe1c154ab8ad4843b43d30bbf35899da

SHA1
c659299f14136c27f9c5e76998add0cb7764224a

SHA256
3a7095a274562532bf8802ac8db178ea746e1b75d2a644624241edf058f01d2e

SHA512
d662c4ee545d401501f99731af8029cff79b851f6f8d332b92d6e157f7a3865978d988198ac854acb9eb30fa524fa089cc47733b671d8ae34adc54d72892d030

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
312B

MD5
0c04ad1083dc5c7c45e3ee2cd344ae38

SHA1
f1cf190f8ca93000e56d49732e9e827e2554c46f

SHA256
6452273c017db7cbe0ffc5b109bbf3f8d3282fb91bfa3c5eabc4fb8f1fc98cb0

SHA512
6c414b39bbc1f1f08446c6c6da6f6e1ceb9303bbf183ae279c872d91641ea8d67ec5e5c4e0824da3837eca73ec29fe70e92b72c09458c8ce50fa6f08791d1492

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
468B

MD5
29e961d36b3ef0f05c9f7f6d70543820

SHA1
f083766691b0b476a61fc874f7921568e55bd596

SHA256
22a641673f8191a6f97888714f8c1b6ad1b5657f98e4cb79ddba0bebc70b223d

SHA512
5d0474d824e6809c0041e96b0f8c5cc635efb8526c1725b0fbf6a177531ff2a75310672bc6be039e7f2adea1d6d3144204b07b7e800092940165c394eb96868e

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
468B

MD5
7718220f09f55355567d5152c3780189

SHA1
58753ed83f19b4a04865a7d7c0f8d8dd6d9b74aa

SHA256
20b0f75c5beb8167d45cb90d568270d90cb6bcf194f91a9f7e04611f9a5dfe3a

SHA512
973ed0b127511e73e73796f8c24d9dbdbddf250d294b1f3cc40cdd9131368799e39833248bddba05dc2967bcca57d6ad82425b3c98fd15da8012b2d80208038d

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
2KB

MD5
a7de0527b022d78b2002cbfc4a2e903d

SHA1
5e61b338eeb61b33d5b66c9f6b5541c84f849e62

SHA256
7cb63e713be8c658d50e6e4ee686e957372a7d4dd1b4e06b56f80539ec08ddb5

SHA512
35df619bece601d705ffcb0cf29c5260e36fac325ca396e72b0f7f631ecc8e938034ab246f9de1183ce9a51d6f697d4e63d9f768545546aad7c4b84528058152

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
2KB

MD5
353c0df741d81f2cf5d7622be944db8c

SHA1
b7166189e74acb629089c3beee801d73815fc7bf

SHA256
66c9d8f0b6256786c67566f1a3a258eac55552b720f86e8833c686bb456ee4db

SHA512
ef2ccf145b5fd3137a18e032f70745b9c104ab3d6b581b5e63b3de965bc37c0c656245ed7419f5aa35bf5721976a73fdfc98fa29daed9a39c789301161f23fb7

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
2KB

MD5
eaa24cc1fd0d64a02c61bf451eb89460

SHA1
ea0a2dbf5a7c1db433d9e7ffd27f67372257a665

SHA256
4b9d23ae24b26c839228979d408b971470bde12d596284892328f0e081f6b78a

SHA512
be757672aac84e9d483769b9d178918579b861e42cac957cedb8761533ebf2d48f23347805a3b6102c36462914ff1828fa8ef06a7011160ed3cdb67e91a2f828

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
007438cf33baba8bfc7baae1bbb4a3b4

SHA1
111d4d23afc8cc5cde1de5e112d233596c22f2d6

SHA256
359c14827ba396dad89e5a9552409f25045d0f9f0ff62a978c30d1eb3ec617e4

SHA512
e14263e87e42480df9fa971aa06fe50d88b93fd3dab141e12413a43685c275104a9831fcce69943144d0a62f00ae7d0d125cdb42beebe160b3cc3b3ac6875952

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
6KB

MD5
f9a6e19219b6809ab3807e2d6093f7e5

SHA1
c4af9f796adabd075b1fa32ead3d0854804eb3c3

SHA256
2ea0ea41bdf616a6ba377855ac7593d359d74fbb809970f1f1e7613b2d021eaa

SHA512
795997c150caf4785ae333091210f30a6679422be014711b4d9c2670ca735bcd55873f542ed782653bddb6397fa87382a89462bbb300347a30f9a27956cbbbca

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
5KB

MD5
59eb0c78e06a90132e1de8db75de0ae7

SHA1
f7f39d9529a90a79b2b3bc7ba05c6e0e74dc324f

SHA256
4bbd091ddc6d87448e3d4c7841f3514cb968fa02976899763be6ad1e5da1eda7

SHA512
a917b7eb87f53e2217517a31477d6cb2dd7040cee90950da04b545d00ed3db4c4cd62f6aa0a81bcac1432dc54fdfe04af7ef8fc3f0608f7690eb88042d6f75c4

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
0b61412b83884fc701706de07087128a

SHA1
3ccb3a957250ecdd141560fd30156777b3ac37a6

SHA256
56ae5f847e74a524d68227b83a8fa4e50d232d458f33ace93c6f5144c28b8523

SHA512
0be05ace7c3f404f5bf1d2158fa7f9d587bc5d343872dd624e37a7e6ed7d38e3c1a7e7833fb4994971668d2c3ebde7200862041c47556af9ef602ab3cc54dc5c

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
814ca64051bd9f5f5f0af04026276e5a

SHA1
a9d54669427a5337292e4f526c0ecec7315d20f4

SHA256
863deca24d45dc3d88d88085af2e8439cac5e16c7384a22fb5b1c3052cd40577

SHA512
05d823d06aa44264904487e1105040c6f931937019786df6b804a95b97ccf80aaf52016bf02ec12b85eb0798b312fd75f0f81c809151ed4f21ef0ffa902d24f0

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
60b6ef97b92706c278b41bb23042e886

SHA1
796f9f6b353d49a177e7873b4318ea781c21192c

SHA256
e17187f29d7451c27790c807a687c41c0fb5403b73ec3126b5d20a5febbc0258

SHA512
7abed4f9d28a4b1d48f50f621317aa9e48f7fda88d4552a23dd2376ddf850c3074e107e1907ef9c6e95a45e0e39e1c7f68cb6be50c870be114b50088593fb703

Download Submit
memory/1296-0-0x0000000000404000-0x0000000001506000-memory.dmp

Filesize
17.0MB

Download
memory/1296-7-0x0000000000400000-0x0000000001A42000-memory.dmp

Filesize
22.3MB

Download
memory/1296-2-0x0000000000400000-0x0000000001A42000-memory.dmp

Filesize
22.3MB

Download
memory/1296-238-0x0000000000400000-0x0000000001A42000-memory.dmp

Filesize
22.3MB

Download
memory/1296-241-0x0000000000404000-0x0000000001506000-memory.dmp

Filesize
17.0MB

Download
memory/1368-10-0x0000000000400000-0x0000000001A42000-memory.dmp

Filesize
22.3MB

Download
memory/1368-240-0x0000000000400000-0x0000000001A42000-memory.dmp

Filesize
22.3MB

Download
memory/2700-42-0x00000000055C0000-0x00000000055DB000-memory.dmp

Filesize
108KB

Download
memory/2700-41-0x00000000055C0000-0x00000000055DB000-memory.dmp

Filesize
108KB

Download
memory/2700-38-0x00000000055C0000-0x00000000055DB000-memory.dmp

Filesize
108KB

Download
memory/2700-11-0x0000000000400000-0x0000000001A42000-memory.dmp

Filesize
22.3MB

Download
memory/2700-239-0x0000000000400000-0x0000000001A42000-memory.dmp

Filesize
22.3MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads