fff4b96876b0c78da96e57cf7ca1b0e0cbee4fde52047a9bde52e25b062d69ca

Analysis

max time kernel
141s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
12/12/2024, 03:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

AnyDesk.exe
Size

5.3MB
MD5

0a269c555e15783351e02629502bf141
SHA1

8fefa361e9b5bce4af0090093f51bcd02892b25d
SHA256

fff4b96876b0c78da96e57cf7ca1b0e0cbee4fde52047a9bde52e25b062d69ca
SHA512

b1784109f01d004f2f618e91695fc4ab9e64989cdedc39941cb1a4e7fed9032e096190269f3baefa590cc98552af5824d0f447a03213e4ae07cf55214758725a
SSDEEP

98304:Uc9HTcGO0ImBimas54Ub5ixTStxZi/l9K0+zLVasSe4JnzMpm+Gq:UcpYGO0IOqs57bUwxG9CVaskJIYE

Score

5^/10

discovery

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	AnyDesk.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	AnyDesk.exe

Loads dropped DLL 2 IoCs

pid	Process
1696	AnyDesk.exe
2604	AnyDesk.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AnyDesk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AnyDesk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AnyDesk.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AnyDesk.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	AnyDesk.exe

Suspicious use of FindShellTrayWindow 5 IoCs

pid	Process
1696	AnyDesk.exe
1696	AnyDesk.exe
1696	AnyDesk.exe
1696	AnyDesk.exe
1696	AnyDesk.exe

Suspicious use of SendNotifyMessage 5 IoCs

pid	Process
1696	AnyDesk.exe
1696	AnyDesk.exe
1696	AnyDesk.exe
1696	AnyDesk.exe
1696	AnyDesk.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2480 wrote to memory of 2604	2480	AnyDesk.exe	83
PID 2480 wrote to memory of 2604	2480	AnyDesk.exe	83
PID 2480 wrote to memory of 2604	2480	AnyDesk.exe	83
PID 2480 wrote to memory of 1696	2480	AnyDesk.exe	84
PID 2480 wrote to memory of 1696	2480	AnyDesk.exe	84
PID 2480 wrote to memory of 1696	2480	AnyDesk.exe	84

C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
"C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2480
- C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
  "C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe" --local-service
  2⤵
  - Checks computer location settings
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:2604
- C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
  "C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe" --local-control
  2⤵
  - Checks computer location settings
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:1696

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\gcapi.dll

Filesize
385KB

MD5
1ce7d5a1566c8c449d0f6772a8c27900

SHA1
60854185f6338e1bfc7497fd41aa44c5c00d8f85

SHA256
73170761d6776c0debacfbbc61b6988cb8270a20174bf5c049768a264bb8ffaf

SHA512
7e3411be8614170ae91db1626c452997dc6db663d79130872a124af982ee1d457cefba00abd7f5269adce3052403be31238aecc3934c7379d224cb792d519753

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace

Filesize
8KB

MD5
9849bddabe1324ade5f9607109b031af

SHA1
2e0b4c00f9e2d06c8e982ee6f78743a075cc1425

SHA256
c7f124a5d7bb34ed998377e44e7d2348b66691b20ef52655618cb8d82330ffb3

SHA512
8b747b346ed09103af8bf863fa1ae42d6fbaa11254e6e4bdb10c1ee1e8a786b760595e4a5e45925b165a60150d844a57e61854466a653649da1197fb9a42a801

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace

Filesize
9KB

MD5
cad897213765437d359ae5985a71e838

SHA1
1870a8fc399fc1aaf51f9e63a1fe0cbfff4d0575

SHA256
fe82e66fb6d3cf50472539570d8f3fc36e603531db9ba89c8f8a39df74bd93ca

SHA512
75ec634108b01f8d35aac407da4840580ffc7ca330ef357efbabdcb13b791e467ceee2fa5d5d86d0be84491efa230675700ee25217ff2aecf1ffc072cffbb1e8

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\service.conf

Filesize
2KB

MD5
ed2c37f56293b28b8def45e4c848f3d9

SHA1
dbf95f21f5fe97d346adcbb1116da94718026068

SHA256
e0484fa8d045a7b58405d20bbeeb75791e35c1b6832d6262fd0f1c87bf28219b

SHA512
45b143f36114fb13e987598e481ca05c33cf6b945b0b4f50ed2e0bcb7499a1c2b0f29a5e60d28c1be4897cfebb61281ef4cffd8e6b5e011206e9334f6c321ae2

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\service.conf

Filesize
2KB

MD5
5e92432aabd27dd724d2d86a8ee97640

SHA1
97bebe89cce4fc4bd64783cccee9640a53590085

SHA256
c525d5a52a33e7daabe57536c4dbdbbb8099301e6d8c3e055f81bb66dfdce4b4

SHA512
5ac959b271f200074fe96e2e7419538c051d039a48b9fd19382131aef29aaeb750e67a1e05655e5d1af0aecafc147876e03c89180e560f7e5565103d7a6af25f

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
745B

MD5
6bf3bbc840b76a3417b9a8b8e186e088

SHA1
37f131057f24242d05d2b44f340154c3ae428425

SHA256
542cb0cec103f5c39a2666831a613ef454a536e5105fa99e43adbc159db372da

SHA512
443dae9bdb4ddaacdfb0edb6eddb1df8274b225bc188b4d37cd7b79b9968b5ee96453689ae97b6e28ebda80c0f4f70226d37fdd1f01a2130758337aafb4c9ecd

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
766B

MD5
5f06c6e251170bb0e20cf8bf98add199

SHA1
403f2f519610ff971aa0e941b29586ce1abe5099

SHA256
60e75898dfb6fb878da928d3cdad7a36ff848231752412f493d2212ad191bd1a

SHA512
ad5274571aa2711c9e6919d8245203a0f3a2c36b34b822785cef2248818560a30ba0e74bfa4fe8f5ef49ac042bcdf2325d20095bcfa1176b48add0abd24b3437

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
832B

MD5
26ae8d10767ab9800889de52ad390637

SHA1
7135ba2f5dbb477d3ae7e3cee5a7f6f9c7321a9a

SHA256
0573483ef0360ed786adcab82becdbb9b1ea0c2e8b8c239a6258748e79c2d66b

SHA512
2c8539131d84b4c822673f61c2b413c87817bc63f5f61208af2c9e991842219b3da14ea20960c1f3cd350ad2a10dd0e40eea6a8090daf7e299b9818085371ccc

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
468B

MD5
64e37f5e25b8b5f22b27b97ed6990459

SHA1
1885f6b5d367261da3cfa72d85c8785cda5028f0

SHA256
f12b0f5884c0e9d25c0ef089da48f98bfd1ad878f3314ed69f8bace212057c8d

SHA512
fcf75c840b61838d1e93a36b2a42ccf5e38e257ded691e98d02f57eaa5aa88ce818227e885bf47814652b6625202cb0cdfcb04b1572eb0bb479354f3d8f52001

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
468B

MD5
6bbfce63a79bbaefceda6cfb2c8652c6

SHA1
c9cdb34312c2db78044936dc9f90d198e59101c0

SHA256
4325a0b1555ecaa72878794e42705cdc87a0464fbe5673be41adccf237a7a8da

SHA512
cace2a3010059d33777be4ef705c3bf34cc6f97c5da54361c0dcb952860194d82dead8abebf137f6b2964dd0f1a88eaaf81cfbae08cd42b7bee7b7eb2b6ee711

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
468B

MD5
c473bd1c93ce5d042d7053bae6496a72

SHA1
f1790047594e9990363f3050826358bbd28447d6

SHA256
30d0a3b410e25a60dabecc9b647f1cc0ed112c48b9d83a4bd744a534cd3e8993

SHA512
eb5efbf0d72e801f9bd79f55355ce7d655e8df94d4272e6a83cb8fdc7d3e84d75d17698efbac6e988a5c7b84bd7d7024e1b9c57c0bf1c9c68931fc2132284bca

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
2KB

MD5
b2e6f2ab834f999ca6752d5d6648c9df

SHA1
0b7f31fb9f1688d619e87d96b07e8adbf96b967b

SHA256
0db0b366f3674ac3a968f1ca2b83b6d8244a92f6c7791190536b1a71ed93da8b

SHA512
b8d4129609a95c71c4feac144ad66bcff3cc7756ac1b0fc30d5bfa8b5c7ad1d7fa16babe291f950db019c26845a2c77cef3818d1849ffb5cfb1a35b4871863b3

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
2KB

MD5
71ba16e9d92c038787840207440dda78

SHA1
49b8af1f065012cc8d80a4a2b434a1c836f4bdfd

SHA256
766ef439de9ca801d3ed0183042d81aebed8b745f0356ddd556a752920ccd75d

SHA512
9ca6d63cc0daad9fba1efeaf9024c7a20439fba183596e24cf4d11606a1705a7e9b1d07f0deeafe3def011feb11103c475dce90804ab0bc50c0e7c7ea81c4630

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
59a4fe410fb19f90695503facfeac8d8

SHA1
fc6bf3338c06ea661e5f75db3bcab5020e188ef7

SHA256
e678ca18ad23267aa2f89e758ffa702c853d2e1f4275d2a52da5256ab4609137

SHA512
5b5c7f3738147727aa7e29e7aced78604e225654aad35cbf9a1495375643d97c5192f10f04a889edc14545ec768d9a2e104b7ebb1dad17ae32b2ac0da17680b8

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
7cc083a4b7659f71cbb1fbd67dccb4cb

SHA1
d5063ee4535e365ff0261417db4c6421ef110658

SHA256
4a94545db49ac36f3d08281411db7f7b96f1de6201e43aa5d2a0ca4e5727fd52

SHA512
589ab9c394535032067be256baa233bf5d54154002eb906bec6eede091751da9945284d74e3ebd5f555579c6b0845aaf0d87a87a22d83e22681828a18917f828

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
2KB

MD5
39881e088eafa6be2125ef6d9064e3ad

SHA1
f77d916dd3b52e36a4eb82721658e63221ffa32f

SHA256
63de6155119d0ee9c3d6c71ee1d6ec741f825170e09185634459477482008af9

SHA512
c6099c5eb2060cc43bf6f5b5e0f0cf90a691a2fc29257032b0f986beeda0e69e2ff72d68867c372098fe70a2b1077b57f0c62db2c9af0f266d7b7389bdff8a71

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
2KB

MD5
84bb482167257157c4bb61bf116ee384

SHA1
03a72ae6e2c13e2ff9725893f37552d991a19fd6

SHA256
f4d78e1f7d3f1220971661fe5164e7cd6bda44169ea3283f569a9950925cc247

SHA512
e1d1a6c5b50448e0d9d243daddd6cdb4f3b914db2c7dfec15d9d010688a9ff2d238bdb253993fc6658416a14c8b1815d12fdf26b01076ca1c5bf621e7d2e237d

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
2KB

MD5
26c3c96f0c32b591d000beb96318024d

SHA1
353687e9213587652e0cac7ee184caf2f9f3510a

SHA256
a1af8b1bf23b7530d28d8d0f46c5a77c74c721c2fe4a26330c6be36e3d175d41

SHA512
0324b367a2121e514198e3a018630952a79796835144265d017cf3c4a7acce2904dae49c3ef39ee64ea3dbdd89872b8f02c6237e42384b6402b060cedca40e6f

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
2KB

MD5
207c3df58e93ee55bf8bf787186d8765

SHA1
cba8e4e4e76069f8e45f9b4210b760892776a50a

SHA256
a5faf3af34eae3bee85ef07f4309019da8b0dfbaffc00811a7a334b47aa1dc11

SHA512
5894aef97d2676987cf983cf833050b9ac7bab301a6b7d069ae8d5d0dbf17d945298929f5e5b55a9db4642e9cea84ee4c26e17a7151bb7df5a2a77af572983da

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
2KB

MD5
0ab02e044b19274453a6d8c0ad562787

SHA1
55b4e53622fc4a2657c16410a393c6722b9d3937

SHA256
e84eb4e78853258b4b68a935752d35b7fc8bec988ea05babf2b3ab0d057cbdf3

SHA512
db5e21f9d1852b33b0af519b7e271a3481d54fb0979d1b0cdb5170143ef22bdfe6e88e719598b4318529362a7078bf0a04ebb116616a2ce3165f5c613d19a323

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
6KB

MD5
39a3f79d3a0df001fdbef45e385d11fb

SHA1
2b09ec04d6175508a4437a88f5c438867dedb432

SHA256
35b7f6b4b27f9a74a234a1d9b61c92aa8e4912be9d902146dbf5d93cb33d5c0a

SHA512
78f39e9f90f4784958db71d9c3093f5bc89e0733ca24e66c0dec9dc35ae52b6e45102c1c88f45f5343b8e0beef0de431ce794e45b734c74c214b3a655c9a16d4

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
5KB

MD5
ddc95130819989d9bedfc1f5d3f3b3be

SHA1
fd7885d063b0e1bfff84916267880fdff0ea557e

SHA256
283098c45d0f5e27cd6664b6a418d811458ebc9defe944ced1d67c3a8fb56455

SHA512
b65a30c0faa1f5c24a1a449cc94d557ca030289c4892d3fe8720ba711fae06b7fbf4736f86228c181382e36484aea4901d6187c45e530eecc94b45a8d6c0a030

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
5KB

MD5
d8e4679e5a71ea19acd89e006209b573

SHA1
60a2b8ae0488de340a55f788adb71d041d8060aa

SHA256
879954b6b475b83a90fd8784caae9197701a9d91c447f7bcfb302158797ec864

SHA512
42b812321b35a4f59c55545d22a975b51cf1de19c740b63e39d4505d42930c50d929feb1e85fb43892e4b5a116fb5aa6d4f315027cf4b9550b8e211b443b2723

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
5KB

MD5
629abc0e849212ef698929d5b3b87d2d

SHA1
37128b173c3390a648ab0303fdd39f4a6eedc718

SHA256
7aded3cb8a71a7141325f6eb924791cff352a7ba160fdb3bbc3808d476d02b7f

SHA512
c795438b7022dac5570dedf4fb1684da3db969556eb44c71b2652abe8a5b2adeda84fc978757d8a65ec9a57cf53cf1085af8dfbd18360ce4b303e8665b9ad6fa

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
6KB

MD5
c2edde3552087753559714f0b4453382

SHA1
10085027f5bc88fb556737da29a8e6e3d5c212c5

SHA256
417ee5fe3b5a555ce982e8af864fcd31a5d48f441319682837ba589760a43ba4

SHA512
28e753ca61ea0ee7cf358419e331ba43614a6aed68f1ed932d0fb476f2bd89885f6328a65e9cde7c7cd9987417d87c8ee5a3863852adc94c1821551835be2fe4

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
dc825923a83c99b99e0de5c7706aef3e

SHA1
39e99414c23b95769754dfad6d7a16cec7aabc95

SHA256
08e9f1a20de7a2ef321dde6b5091f9d76fed0a754deb5000a20eafa4e235121d

SHA512
5022682862b731f55c22a3bbb24508aba70936217adb5107362c84c9627f1363067ce1ddc90f9dffbd0a450c1c07708707a3b995275004329ee57f1fe0e6fc87

Download Submit
memory/1696-186-0x0000000000DA0000-0x00000000023E2000-memory.dmp

Filesize
22.3MB

Download
memory/1696-12-0x0000000000DA0000-0x00000000023E2000-memory.dmp

Filesize
22.3MB

Download
memory/1696-297-0x0000000000DA0000-0x00000000023E2000-memory.dmp

Filesize
22.3MB

Download
memory/2480-295-0x0000000000DA0000-0x00000000023E2000-memory.dmp

Filesize
22.3MB

Download
memory/2480-183-0x0000000000DA0000-0x00000000023E2000-memory.dmp

Filesize
22.3MB

Download
memory/2480-184-0x0000000000DA4000-0x0000000001EA6000-memory.dmp

Filesize
17.0MB

Download
memory/2480-7-0x0000000000DA0000-0x00000000023E2000-memory.dmp

Filesize
22.3MB

Download
memory/2480-0-0x0000000000DA4000-0x0000000001EA6000-memory.dmp

Filesize
17.0MB

Download
memory/2480-1-0x0000000000DA0000-0x00000000023E2000-memory.dmp

Filesize
22.3MB

Download
memory/2604-185-0x0000000000DA0000-0x00000000023E2000-memory.dmp

Filesize
22.3MB

Download
memory/2604-42-0x0000000005D90000-0x0000000005DAB000-memory.dmp

Filesize
108KB

Download
memory/2604-39-0x0000000005D90000-0x0000000005DAB000-memory.dmp

Filesize
108KB

Download
memory/2604-43-0x0000000005D90000-0x0000000005DAB000-memory.dmp

Filesize
108KB

Download
memory/2604-10-0x0000000000DA0000-0x00000000023E2000-memory.dmp

Filesize
22.3MB

Download
memory/2604-296-0x0000000000DA0000-0x00000000023E2000-memory.dmp

Filesize
22.3MB

Download
memory/2604-14-0x0000000000DA0000-0x00000000023E2000-memory.dmp

Filesize
22.3MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads