fff4b96876b0c78da96e57cf7ca1b0e0cbee4fde52047a9bde52e25b062d69ca

Analysis

max time kernel
53s
max time network
59s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
12-12-2024 03:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

AnyDesk.exe
Size

5.3MB
MD5

0a269c555e15783351e02629502bf141
SHA1

8fefa361e9b5bce4af0090093f51bcd02892b25d
SHA256

fff4b96876b0c78da96e57cf7ca1b0e0cbee4fde52047a9bde52e25b062d69ca
SHA512

b1784109f01d004f2f618e91695fc4ab9e64989cdedc39941cb1a4e7fed9032e096190269f3baefa590cc98552af5824d0f447a03213e4ae07cf55214758725a
SSDEEP

98304:Uc9HTcGO0ImBimas54Ub5ixTStxZi/l9K0+zLVasSe4JnzMpm+Gq:UcpYGO0IOqs57bUwxG9CVaskJIYE

Score

5^/10

discovery

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	AnyDesk.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	AnyDesk.exe

Loads dropped DLL 2 IoCs

pid	Process
4576	AnyDesk.exe
1224	AnyDesk.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AnyDesk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AnyDesk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AnyDesk.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AnyDesk.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	AnyDesk.exe

Suspicious use of FindShellTrayWindow 5 IoCs

pid	Process
4576	AnyDesk.exe
4576	AnyDesk.exe
4576	AnyDesk.exe
4576	AnyDesk.exe
4576	AnyDesk.exe

Suspicious use of SendNotifyMessage 5 IoCs

pid	Process
4576	AnyDesk.exe
4576	AnyDesk.exe
4576	AnyDesk.exe
4576	AnyDesk.exe
4576	AnyDesk.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4644 wrote to memory of 1224	4644	AnyDesk.exe	83
PID 4644 wrote to memory of 1224	4644	AnyDesk.exe	83
PID 4644 wrote to memory of 1224	4644	AnyDesk.exe	83
PID 4644 wrote to memory of 4576	4644	AnyDesk.exe	84
PID 4644 wrote to memory of 4576	4644	AnyDesk.exe	84
PID 4644 wrote to memory of 4576	4644	AnyDesk.exe	84

C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
"C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4644
- C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
  "C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe" --local-service
  2⤵
  - Checks computer location settings
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:1224
- C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
  "C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe" --local-control
  2⤵
  - Checks computer location settings
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:4576

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\gcapi.dll

Filesize
385KB

MD5
1ce7d5a1566c8c449d0f6772a8c27900

SHA1
60854185f6338e1bfc7497fd41aa44c5c00d8f85

SHA256
73170761d6776c0debacfbbc61b6988cb8270a20174bf5c049768a264bb8ffaf

SHA512
7e3411be8614170ae91db1626c452997dc6db663d79130872a124af982ee1d457cefba00abd7f5269adce3052403be31238aecc3934c7379d224cb792d519753

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace

Filesize
8KB

MD5
2b1907f2a075db73e844c6b1fac44d40

SHA1
710df008de480e454e9a76b20252893e88b20ebf

SHA256
20b033ebe80f10dfd5c0456c805a8514f89bb7eab3b2005914f5b311dd1d7464

SHA512
97ddccd04c9633c0e30880faf9978f249b8effb36e821c3ad71831566d37a300f4146ca0d8442beb973173ae78beef4c00617192064a0251b0c61273b4dbb52c

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\service.conf

Filesize
2KB

MD5
f59574ff7c46d529d2de97b31c0d2fe5

SHA1
f9508a99c7cd31cae8a0b313c4317c38efdd7bf0

SHA256
d94d7e4cf9843e66371e6e83390461ce3a108fa5aeb358cb161e201450971773

SHA512
67cd307b5c7808079a1beca5913fd4cec380294d777fd3e86655cf2a860cfefa67d4eefbb8397cda2c2e368a901d42f502204658a44aefbc709879b14c2f0292

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\service.conf

Filesize
2KB

MD5
4c2e571c93c46c40c9a6a5d8ff45e270

SHA1
dce36101ee6f476e08ec0eeb6d8b13905364987d

SHA256
73fa48b86493a3239feb842e677c511086fb0c6467219af0ce794e544824453a

SHA512
b38f5972d5da820f5bbbd59da6a62b407dde8e210ad6292579671c6ce7909d3c2017074b84d120f509df0f7b0f79c877c1d348c96d609ff2618be369531928cc

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
745B

MD5
9ca8f4397e003441c495f8916e8525e1

SHA1
580d33118e7fc6b8d8231f995a2db22f150a1f2d

SHA256
b77ccaf1f5fb784ee2d1c91afa950d20f50f6b07d5abb3aa349f7554a6571ccf

SHA512
ca874bc093ab4ab5bd7fdb6916a5da13d231795e8e19afc9c4592b445a75c33383971c572113cf5e5b44442e67c56ac25324db9659f996a7e647d83454ac4b8e

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
766B

MD5
114579c7849eb8312f5b6525e55cdb1c

SHA1
83c4ae74b21884f394aca5acfd748a03028ccef2

SHA256
4482e60df2d3a3176b723a1f908880847ba59ce3c589649dbeebbbbd928ad0bb

SHA512
5a004db71de30c00a48fb80240509434ffddafa06ac8a8b4446c81507beda10f9709888604ac4aadec3298aad46fa29ff67b100aed217284089b783128ffc46b

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
823B

MD5
63bec73629d8e96ea5eef4851718e4b4

SHA1
e382e789cbf8745f525eb8062cdce6200885e5dd

SHA256
22d6d0c17fbfc85520637f01f4f44f2429dd3088fd0d9486afe94b1f1265a4eb

SHA512
0b6c1fad06a66ae8467f1d4aa03ad87dd0ea7d5d213bad4d8e072b06e606bca4bb3a7c8f78520b91a77a32035a2ffdaa854cc3adad78801bec28085dc4c06dac

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
831B

MD5
47add2222c5c860846bbc38eecb128d0

SHA1
0bd88af5b78261c7c5141d8b078f23eb921ffcbc

SHA256
d693e2a3193ca0e8fed1abd899557f7f5723e3e5517547511c05241c4519cc97

SHA512
2166114badf64e86b1eb1f4601bc46d0b9222f63673d786f61df8d0374aa4383fa9ac73b517aac58abcfe2ba3a8482ad40d793c8ac09ccdc309fafa33ff18d50

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
312B

MD5
0c04ad1083dc5c7c45e3ee2cd344ae38

SHA1
f1cf190f8ca93000e56d49732e9e827e2554c46f

SHA256
6452273c017db7cbe0ffc5b109bbf3f8d3282fb91bfa3c5eabc4fb8f1fc98cb0

SHA512
6c414b39bbc1f1f08446c6c6da6f6e1ceb9303bbf183ae279c872d91641ea8d67ec5e5c4e0824da3837eca73ec29fe70e92b72c09458c8ce50fa6f08791d1492

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
468B

MD5
40ea36f9b9ea50c629aa563c27128f4b

SHA1
3614555fb935a8abaac18c038cf6465e8698eb7f

SHA256
94debe6d504e23c060ec4e936854eb290feeb6568c19c9b07aec37d7b0e05d0c

SHA512
8f02b071110c31831e1c3d065b167017bae53c3554594130c9e6b8dc18842f6d63ed83d148f7a9bd270d20b8a60ebb77c16c19c35a7c9e4a49fa56b2f253f818

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
468B

MD5
7188ab00159174cef52c5e51683792f1

SHA1
a5a3bb543ffede493f9653206aae633cba0b3502

SHA256
f1c6db3ed380b25787128dafa3210ec10a254c63b17f43ca840a1537e0a59a40

SHA512
b0074a8df5a6ed2fb280659a5c29b47e1a3f74662f902793a3119d3e2985c20f278e8a6a404fe196c5a40f4f7d085a491aa6410ac1c65d65aae1e82e18758d6a

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
2KB

MD5
509019e8ea252e2c35c3e800e31de93d

SHA1
057dc462676dc309b8936c1f83d7ad8c8f7352d8

SHA256
058e846727866084ad5e9da9362d4d2b406bf4e1d1ac6f80c416b8617ce0dd6c

SHA512
b39944f405db4299037c3121595eab77e2cf5c6573a7a11304f377d1bf0dcc772de2a06bcb3aba8c514035445ecf8d68a3c28ffeadf3c75149af2a7df1c386b5

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
2KB

MD5
530fe13feda6c35a87e2c87e92655b77

SHA1
2dc3e6442ef81a02cda8451a8cea1a9b99b9524a

SHA256
25d8759b64452207357e36171f9e241b2ed79344af412d74ecda1b9209c5cc39

SHA512
7a2e90ec706b69fbc00f42e9b2c99a431ca95e4801683cafbff50813b0947d271d90afac95cbdea3e1ea9be7214f56e19326300704be4c7ee1f850036f49c7da

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
6KB

MD5
9c2f23124dffac13998db310e7e644be

SHA1
8224f8ab57bb284a9d0676df0e42f5ecafb8ab44

SHA256
0861dea029fe8dd6fd9313dae543e6ea49f048e8366a4b0b2585cb0fd5fa4c9c

SHA512
02a8956d54ed7399bf8735ffce51eed057427eae8343c91d98474155719d1a6c8d3e07cab70f22756d69a7a1ceec264b85fc3c948832cfc3915734644b72d13b

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
5ac71f95ef5cf8fbbe38114488ada145

SHA1
be1e0b740d220b86c17f47549c633658553e968e

SHA256
6d2e38fe4f4d5d4c9fb614480beb5a5d196d894c7cd21da41449383bf2407049

SHA512
0de3145a8ae606b1a43acd6d188ba5946a97ef8e9ddc5f9fb305e2af17fcdd624da839612cfb8424f5bb7a6b503160a9a9533f455f90969b081ec66012749d3b

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
5KB

MD5
2cb97c95def8e9168be922ca450e144a

SHA1
a485b84e740dbe1f8d5196499645412e81b4a137

SHA256
a2cb52e83a41cc5c40d0699c784b200cbffa0a7ed61bf0f39fb57e8c277ccc3c

SHA512
a9d3f31530c577f0b14f0b1affe139f9622029430cdb6a23afdd247e786e25294d6110e0e99e78aaf1aa666cfd1b97e6a1d303ad1305bf6bcae1048cad5400d5

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
6KB

MD5
735e385bf2c6cca18d877aede87657bd

SHA1
12e38e488cd856deed1591388fc68177e42c80e6

SHA256
8d79ce52b5649a64d9277863cc73870706331c79f46c3d88464275b37d546226

SHA512
ebfc983c2a8cb515af23ddd38b7e70f80aa970365338fc87689a63dcd76aad44d1d8019add55fd871031743775a422226e3db41f829db86ee3ab2eb255224ddd

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
0edb7df077fb6b59c315bdfa27fcc8a0

SHA1
e475b034183905bd7abc37f91efe5fdc9f8384eb

SHA256
8366d96541187c7e4434cac55816d7133f4183446fa8262261fff99c010ec787

SHA512
8e6c8217db77b9e16f14b8dd4bab15044d5b985a904df76f3f3560fa685b4e6f548dc1a93380ac1ca6cc934450f4cbff1b02ee30fd1e1abf8d6090e32b1c027d

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
52232b95f1c95f7f3178d2419abb20b8

SHA1
facd01de072e616b7f7ea5c93e6f79113cc82d51

SHA256
b3e9bcf20057e9f1205dbc5d6d74028bb7245ea36c73cda4cd859ce16dc4622c

SHA512
039e97dfcaf8d2661d3edd60e71566e520ee29bfd3193bd75db526f99d41ef61a23f53320427a13ae462fc6ecf79d3800f6e143360144d805c4585762841a56b

Download Submit
memory/1224-230-0x0000000000BB0000-0x00000000021F2000-memory.dmp

Filesize
22.3MB

Download
memory/1224-39-0x0000000005F10000-0x0000000005F2B000-memory.dmp

Filesize
108KB

Download
memory/1224-14-0x0000000000BB0000-0x00000000021F2000-memory.dmp

Filesize
22.3MB

Download
memory/1224-10-0x0000000000BB0000-0x00000000021F2000-memory.dmp

Filesize
22.3MB

Download
memory/1224-42-0x0000000005F10000-0x0000000005F2B000-memory.dmp

Filesize
108KB

Download
memory/1224-43-0x0000000005F10000-0x0000000005F2B000-memory.dmp

Filesize
108KB

Download
memory/4576-12-0x0000000000BB0000-0x00000000021F2000-memory.dmp

Filesize
22.3MB

Download
memory/4576-231-0x0000000000BB0000-0x00000000021F2000-memory.dmp

Filesize
22.3MB

Download
memory/4644-4-0x0000000000BB0000-0x00000000021F2000-memory.dmp

Filesize
22.3MB

Download
memory/4644-228-0x0000000000BB0000-0x00000000021F2000-memory.dmp

Filesize
22.3MB

Download
memory/4644-229-0x0000000000BB4000-0x0000000001CB6000-memory.dmp

Filesize
17.0MB

Download
memory/4644-2-0x0000000000BB0000-0x00000000021F2000-memory.dmp

Filesize
22.3MB

Download
memory/4644-0-0x0000000000BB4000-0x0000000001CB6000-memory.dmp

Filesize
17.0MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads