fff4b96876b0c78da96e57cf7ca1b0e0cbee4fde52047a9bde52e25b062d69ca

Analysis

max time kernel
30s
max time network
32s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
12/12/2024, 03:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

AnyDesk.exe
Size

5.3MB
MD5

0a269c555e15783351e02629502bf141
SHA1

8fefa361e9b5bce4af0090093f51bcd02892b25d
SHA256

fff4b96876b0c78da96e57cf7ca1b0e0cbee4fde52047a9bde52e25b062d69ca
SHA512

b1784109f01d004f2f618e91695fc4ab9e64989cdedc39941cb1a4e7fed9032e096190269f3baefa590cc98552af5824d0f447a03213e4ae07cf55214758725a
SSDEEP

98304:Uc9HTcGO0ImBimas54Ub5ixTStxZi/l9K0+zLVasSe4JnzMpm+Gq:UcpYGO0IOqs57bUwxG9CVaskJIYE

Score

5^/10

discovery

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	AnyDesk.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	AnyDesk.exe

Loads dropped DLL 2 IoCs

pid	Process
4676	AnyDesk.exe
2780	AnyDesk.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AnyDesk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AnyDesk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AnyDesk.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AnyDesk.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	AnyDesk.exe

Suspicious use of FindShellTrayWindow 5 IoCs

pid	Process
4676	AnyDesk.exe
4676	AnyDesk.exe
4676	AnyDesk.exe
4676	AnyDesk.exe
4676	AnyDesk.exe

Suspicious use of SendNotifyMessage 5 IoCs

pid	Process
4676	AnyDesk.exe
4676	AnyDesk.exe
4676	AnyDesk.exe
4676	AnyDesk.exe
4676	AnyDesk.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1816 wrote to memory of 2780	1816	AnyDesk.exe	83
PID 1816 wrote to memory of 2780	1816	AnyDesk.exe	83
PID 1816 wrote to memory of 2780	1816	AnyDesk.exe	83
PID 1816 wrote to memory of 4676	1816	AnyDesk.exe	84
PID 1816 wrote to memory of 4676	1816	AnyDesk.exe	84
PID 1816 wrote to memory of 4676	1816	AnyDesk.exe	84

C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
"C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1816
- C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
  "C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe" --local-service
  2⤵
  - Checks computer location settings
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:2780
- C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
  "C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe" --local-control
  2⤵
  - Checks computer location settings
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:4676

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\gcapi.dll

Filesize
385KB

MD5
1ce7d5a1566c8c449d0f6772a8c27900

SHA1
60854185f6338e1bfc7497fd41aa44c5c00d8f85

SHA256
73170761d6776c0debacfbbc61b6988cb8270a20174bf5c049768a264bb8ffaf

SHA512
7e3411be8614170ae91db1626c452997dc6db663d79130872a124af982ee1d457cefba00abd7f5269adce3052403be31238aecc3934c7379d224cb792d519753

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace

Filesize
8KB

MD5
72d141507c58bc083f9d618a44eb7262

SHA1
88633cd05feee5047182fd46f0cd8ee2fea0db82

SHA256
8caf7abb45ae57c31b540282fb2c7fc887adab830e562b7a7188e74cded9535b

SHA512
225ca3b91808335e182d3ca058227422bfdca2caeff5acb4701d9e1aff1cd609daf16fd57f9de08473a93c89eaf4263fe59e67ec72a6a41b0bdf603056fb12ec

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace

Filesize
9KB

MD5
b97f39a22a2407efac00529e92115433

SHA1
2c353dffad1546bdda76d6fef5e07714d9e94e38

SHA256
9520beb5af8b0e37efed8d037873bb198383b1bb61d9851840b48db6c592d12e

SHA512
085141c9860e295d74e859d0e5951c523440d033cbe780dca67cf6dc9af15ad0178524cce4f6031eeedd8b71aead56c9c92a618ca7fbb9d6d99aa5a45fdfdafc

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\service.conf

Filesize
2KB

MD5
5f9954c0a47489326dc8f962a577ced7

SHA1
ff5ea2044e46b218cc3e656d42c3aa71f15928da

SHA256
3073d645b41c27ba8dfc3306e8580fae318752f769eadb50df5d4d752a6a0070

SHA512
5a481307227615dc5febaef6ff1a431925ae03a900ef843803e567e581f278715f26501feb75c997c4ac42048b1da86a0755c95adf40f895aedc4f1df2eae436

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\service.conf

Filesize
2KB

MD5
0d10928d1a4003fca0e3c9b2c38cd419

SHA1
ed9596fc8339d0113ddb17fffeb80c4c21422bc6

SHA256
05752b2642c58f95ebf07eca1c1287d236f3c3b9037107a34d667c65f851e251

SHA512
8946ad24cca0e80f4ed4ba17d4d8b2d3211ab43f5d84fb15e9d8648d9bf70ec8607cef29ffbeb105e0bed5ef8196ec2900885c2e2c2b62856f0b4fa6ca7f6ec1

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
766B

MD5
ce6a007a1962cfd83fd601603ff3b6d1

SHA1
43315fe06cc6583a4f09cc4bb4825ac4455cebe4

SHA256
4ecac325cf64ae5977f6dfec3aaf88acb5a7b749b203497486626c17aa477ee7

SHA512
c0ee57b09f1ed4d901642c6c606c20efb8c4c8efcbb8312d02d8a5cb4548f96a6186375d430c84f9d7a9129ff9073c53e6cfd75e322cbd6f78f65ad2694b6a36

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
832B

MD5
47a234e94ecdae2b8c7029cb81c6d806

SHA1
2d12d5e9d165dda93a24bb168085d4d93e204181

SHA256
3825729a3250dcc05d484cc2722cff76c4c279dbf2781efcd72872cd4cd4ede5

SHA512
6f7471c34d4794bb5457d3c09124cdf664617c8698e230da12f3e340743d7d8cf3f3def457b3761615dbaa38fadef15f44370f408d249e5f1793b6f116005e55

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
312B

MD5
0c04ad1083dc5c7c45e3ee2cd344ae38

SHA1
f1cf190f8ca93000e56d49732e9e827e2554c46f

SHA256
6452273c017db7cbe0ffc5b109bbf3f8d3282fb91bfa3c5eabc4fb8f1fc98cb0

SHA512
6c414b39bbc1f1f08446c6c6da6f6e1ceb9303bbf183ae279c872d91641ea8d67ec5e5c4e0824da3837eca73ec29fe70e92b72c09458c8ce50fa6f08791d1492

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
468B

MD5
da15b90c36a608bead14a56edf02efb3

SHA1
88c874cd8015be821c73b1de218ddf714e8846bc

SHA256
f9bf42819a3aad2e47ce9fbff89f7990d2d75ef1a121033e40a71a98e0a4bf94

SHA512
5ace4f40c2e6cfa424e6d8530bb56883358fb2f29abc8cec46173a3b79856a61dc65a385f5cbd8e260cff0f632c5a3c234b2dbb78d9851a14a73f5acc46abc5c

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
468B

MD5
7dd99af70a6b5d314c0df2b75eae9cca

SHA1
b1c21b112a8f148e2b1d1d3bbb4ee676c25fc4d7

SHA256
5d947e324a2984b548ca586083f48de871676b813f448ae3d8bd1a1aaecf6715

SHA512
0179c6e7f22bd40f1e7ca4f75f9a30c67fe661302ddc25f13d004356acc23ccc769e7e406490914082fc73d0de93ec464c1941fa048565b39ace6a0c73e36525

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
5KB

MD5
5c671ba06812f5d386a6bc29affaaa32

SHA1
6bce0faaafbaabecc69046ca14ecd62631a4b6d1

SHA256
6cfb995c188c11869398cfee86f556aebcd79acab573600bb0ac705d2211d6be

SHA512
2498f523c178a6d5c6511c916b2611eabe4873693f38f451732350a9a2c3c28017ad74deafb51e1f16209d7f468bb7b209b907f5282b702553ae4235b7b63884

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
5KB

MD5
65cc0a0a94cd46edc42ea86c0cd68e11

SHA1
bcaa6d5d1c9bfd1fec5259f9b7cb324e4f20255a

SHA256
c7e7fd739625711f0b2b7838f3d80ec70aa5461636862b9394c48c6584a5e0d1

SHA512
3976cdddb5fd3b4188804bdcd2beade8a458a7968045e9235adc77def43a081919a872c8c1f19b736078b6c51b7af95f12137424e0c6a9f35015bef5c8818250

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
6KB

MD5
7b9c42cc3bae5f7edd6a407bb6f9a465

SHA1
71e52cfe034d03bba51e25a326852f4f15b3b2f0

SHA256
279a1ba65593c6adb80d1e5cabbd740606fb333a64c17745f836a8b68641d63c

SHA512
3460968cedefb4317a053a3bea0e4592674789d8f51c18b5b65e7b02d2c95ffd1f0fbbf061ee8d8eade3d150ea54887983214829e0c510b061de265d476208eb

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
6KB

MD5
cc2b5f95c57aeec9c2ce3fdd08635397

SHA1
25c7d3ed21f277301f1f4a8340c8397ac9b8d65c

SHA256
28f580e243ec5dd9fc220429614e7bc4999f66c12fa0e77ed5ae48d1f785a544

SHA512
c01a6b2c92fccd40c6e17d39914cf09b48867b648662de47f4e2f3f4cdf944e77b3335864ce8e853e0fedec9c2b028f038607ac84aa8af65750499b9530d42a7

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
543036160a665cacfd4a63adee1f3d12

SHA1
9076fb48b902602f58db03d8b9ea9716ddd26ec6

SHA256
1d46fff28f45553614323c1af82983ef3dda217d10fcd9596dfc18323106f38e

SHA512
94f5436477810e7f288d8248aeea427b4b69d7a3ddce731f2ec7b41ae5898b11caeb129ae612d5d7c14129ca38222905708701771f56d1d654d288d5cc11b610

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
2af79b1209e0ec15fae7d84d80ed6216

SHA1
d1cc8dd23e2033a28dd256ebdbfd41c03e7640a6

SHA256
42e2de9dcfb939bb5e80f76c3fc7e41f727a836f357366d6ef30403edd002802

SHA512
b3e934f77f29fa8696aeeec1e38e2cd2651fb4f3e97f0275ae43128a66675fdf027c3ea2780ac8085988c38603f40af63fe38d6b2fceeebec6077edee573d85c

Download Submit
memory/1816-7-0x0000000000940000-0x0000000001F82000-memory.dmp

Filesize
22.3MB

Download
memory/1816-196-0x0000000000944000-0x0000000001A46000-memory.dmp

Filesize
17.0MB

Download
memory/1816-193-0x0000000000940000-0x0000000001F82000-memory.dmp

Filesize
22.3MB

Download
memory/1816-0-0x0000000000944000-0x0000000001A46000-memory.dmp

Filesize
17.0MB

Download
memory/1816-1-0x0000000000940000-0x0000000001F82000-memory.dmp

Filesize
22.3MB

Download
memory/2780-40-0x0000000005E80000-0x0000000005E9B000-memory.dmp

Filesize
108KB

Download
memory/2780-10-0x0000000000940000-0x0000000001F82000-memory.dmp

Filesize
22.3MB

Download
memory/2780-41-0x0000000005E80000-0x0000000005E9B000-memory.dmp

Filesize
108KB

Download
memory/2780-194-0x0000000000940000-0x0000000001F82000-memory.dmp

Filesize
22.3MB

Download
memory/2780-37-0x0000000005E80000-0x0000000005E9B000-memory.dmp

Filesize
108KB

Download
memory/4676-12-0x0000000000940000-0x0000000001F82000-memory.dmp

Filesize
22.3MB

Download
memory/4676-195-0x0000000000940000-0x0000000001F82000-memory.dmp

Filesize
22.3MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads