fff4b96876b0c78da96e57cf7ca1b0e0cbee4fde52047a9bde52e25b062d69ca

Analysis

max time kernel
1791s
max time network
1792s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
16/12/2024, 01:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

AnyDesk.exe
Size

5.3MB
MD5

0a269c555e15783351e02629502bf141
SHA1

8fefa361e9b5bce4af0090093f51bcd02892b25d
SHA256

fff4b96876b0c78da96e57cf7ca1b0e0cbee4fde52047a9bde52e25b062d69ca
SHA512

b1784109f01d004f2f618e91695fc4ab9e64989cdedc39941cb1a4e7fed9032e096190269f3baefa590cc98552af5824d0f447a03213e4ae07cf55214758725a
SSDEEP

98304:Uc9HTcGO0ImBimas54Ub5ixTStxZi/l9K0+zLVasSe4JnzMpm+Gq:UcpYGO0IOqs57bUwxG9CVaskJIYE

Score

5^/10

discovery

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Control Panel\International\Geo\Nation	AnyDesk.exe
Key value queried	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Control Panel\International\Geo\Nation	AnyDesk.exe

Loads dropped DLL 2 IoCs

pid	Process
2376	AnyDesk.exe
2068	AnyDesk.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AnyDesk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AnyDesk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AnyDesk.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AnyDesk.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	AnyDesk.exe

Suspicious use of FindShellTrayWindow 4 IoCs

pid	Process
2376	AnyDesk.exe
2376	AnyDesk.exe
2376	AnyDesk.exe
2376	AnyDesk.exe

Suspicious use of SendNotifyMessage 4 IoCs

pid	Process
2376	AnyDesk.exe
2376	AnyDesk.exe
2376	AnyDesk.exe
2376	AnyDesk.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2384 wrote to memory of 2068	2384	AnyDesk.exe	30
PID 2384 wrote to memory of 2068	2384	AnyDesk.exe	30
PID 2384 wrote to memory of 2068	2384	AnyDesk.exe	30
PID 2384 wrote to memory of 2068	2384	AnyDesk.exe	30
PID 2384 wrote to memory of 2376	2384	AnyDesk.exe	31
PID 2384 wrote to memory of 2376	2384	AnyDesk.exe	31
PID 2384 wrote to memory of 2376	2384	AnyDesk.exe	31
PID 2384 wrote to memory of 2376	2384	AnyDesk.exe	31

C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
"C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2384
- C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
  "C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe" --local-service
  2⤵
  - Checks computer location settings
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:2068
- C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
  "C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe" --local-control
  2⤵
  - Checks computer location settings
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:2376

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\gcapi.dll

Filesize
64KB

MD5
ecb9969b560eabbf7894b287d110eb4c

SHA1
783ded8c10cc919402a665c0702d6120405cee5d

SHA256
eb8ba080d7b2b98d9c451fbf3a43634491b1fbb563dbbfbc878cbfd728558ea6

SHA512
d86faac12f13fcb9570dff01df0ba910946a33eff1c1b1e48fb4b17b0fb61dded6abf018574ac8f3e36b9cf11ec025b2f56bb04dd00084df243e6d9d32770942

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace

Filesize
5KB

MD5
48cbe3241a00639f1017af18ec359207

SHA1
3f6fad0c4e0592707329a8628668d7363730a397

SHA256
e2173585841c3bbad459e8a7036e41283446e1f3825220b7dbe6c48e98c2c42e

SHA512
ef8d528c4bb7ab382062386f5642437c7d8942da38520a41450874074f34c6576e65658b8520d5886070bc0cb9be4d8a2f4731da1a5a981dce16e14886331be3

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\service.conf

Filesize
2KB

MD5
6f5143f498696c2f6cd3fbe56c43c003

SHA1
f54d03ea242784355b9927801191f9e9ba193c81

SHA256
e7d838ee396936e0702ab341d7c5e82b83fd79089ba8432b4c8bd98d42d7c1a4

SHA512
91a269006ebbacc06583caddad4bea65d2d375cbd90b280cf7126d1ecfd651898a7c5df47ffe9cc4b1272ba04cf7a3aa0b1b77cccea6121aceed4cf862b9b4fd

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\service.conf

Filesize
2KB

MD5
751405a2560ca865ec8789a87bf20139

SHA1
d13823b2a3fccc90fa0f653c49c61969ffca4132

SHA256
8b7f44c1bc57241798e8a4d5c8990bd9fae9ecf3f32ebc7f2bfe865d48547150

SHA512
a55e9ae822f1937d62cdf50a25532c82f91688966103064b4685744d97d49c745854eeb9d2618377c114a3ac89603bcb01452e45a0d2326d7062f1df7f428707

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
766B

MD5
d7894507f35f58d2d8b922b0cf109ef9

SHA1
792d578076ccada9f50d07ec7f0bd54f4089fa21

SHA256
037cf067f8cf6d27f9c0fddcb6989b1e61ad630060482561394cfaf1fa939f40

SHA512
f55016e5ccdc238bb4f07d7b3b5f288de4cccf5bb6796a129a06b2334486b95edb979b07f9e9f49b390f699562ade58b143443f0cad59bb1a671f6d90d79ba89

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
823B

MD5
97a9e051478a15bdc43944fc6809dbe0

SHA1
17a7ad48297be51237a707c2e85a4f06e72a6d1a

SHA256
ab096094a9cbce8ed3787e141547862cf328bc77c8556b01457ae4793f4b3ab7

SHA512
313b69b173c3e121bd89f07c8e7fa19e899a9efd449cdbc092cb90e0bd5ee53ded53b78985528edf05230d52c597cb4d3e1d48797767ceb366d31635a62a793d

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
832B

MD5
0b56543f0cd7c0b8c640e589efbba7a2

SHA1
80e3d0092b9797131eae9b6e3887e0f1a9d19c11

SHA256
213c47a1904a7dc31dfbcbc16e20e3fdcd362bbe7d7f826426dfcaa5f1482491

SHA512
debee554e8d1c57ba33312d544ab78b33a2e481eb7734aa73834053fd804a92199df9824cc04c1d0260dad3c527eea2c0f20fce4925141827c09051d595badae

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
468B

MD5
9ad26a57ea2930f44cb4eb7f63d780f3

SHA1
989dec9c886f4ef417bda37ee792838b3e2a34bf

SHA256
84195cc434d540554f769a06d76f35c7dcbb34ed59120ca54332e6b89e674300

SHA512
513a389e8c8401f06dd93d187a4b770a16a51d814efabacc21c116d1cd564705252583372fcfce318ae57c11a8ada7690eb3fd7967433cf197c85a5542437164

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
58cbf322152684f0291c25302dbc24f2

SHA1
fc02645bb01f4934b76f9dfe3261aab91b69bbe4

SHA256
e7c4597c34ea58cdc9ed2d37d1a88f63b9dbff4205ed181cea6a82715540b1e4

SHA512
8f85ad1e3155e6700c748cc2cbaca1de5520617744406dde93dbb9ecc88b79a7fd644677c76a09503155f0584453ab2109a740742c0e84ccf0c89ecfb3dcc8a8

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
2KB

MD5
b5c38524319c69dc0ad988f9999b8a72

SHA1
a923d8a523e8d9e6629ed8a63db48b7d6707460b

SHA256
83d85732374fa06df684b222a562e9c8db1f90559cc807675c46ce7976c6f207

SHA512
53116999de7821c51768ddfe9c45ad5f38387015a455ff48a423b29f550b3015bd27741f80c900d043e4e9da297453fa16a65397caa036bfc315021977b9611e

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
2KB

MD5
672d120163fed6beb1dc93a052a1154b

SHA1
5f4a357c90e7ddf2c4d9c5987a377c8e86f81e8d

SHA256
03d3a65f3c6756d84aefd115ac8e4bf1105f8be44b27cbbb2689e46760aa8d82

SHA512
8fbd8eb265f0393eba2b76f30837cb99cf58924b226a1de501d83249940f5c4e7349300b71ef61ec74143237e84796df193d2a3d9d88234d0544e4056bb7948e

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
6KB

MD5
1eca64937edefe87dc5700d78e189599

SHA1
12408c9718475cadecd68a1c9af47f72d5ecf691

SHA256
f51d969817a19e278fca1b68001abd069431ef9b70ab8ba316983e8942635194

SHA512
a926d661b6c9ed0fac89897313fbec547787b6b15465e9e33f732f44511b7e4a9485339e1ebd3dcef420502d297fa131ece95780a9700e5f35ab94277b8359e9

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
5KB

MD5
f7721818ecc742525995554733ade613

SHA1
eb4ba17cc90f5812502a8b295a2888d11913cfe4

SHA256
0406fa913d10b23d79e8b4c9314ec3f960aa74fd29ecc8b19c097564db2059a3

SHA512
630046b31918e18274cad9a3060e2badd11ae5c22df8fdc00d90d7cbdc2cf6849f829a545168e6a12a037cb8685b030d38f9579b96e06b729e79d0a5aade0e55

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
6KB

MD5
9e9320e244870415bb39597fe52cd443

SHA1
67f705a84bc21fb2f6d2401b009ac3507af266da

SHA256
bc9a24198879b07c79ce1893bd2c649dc288799ff7a9dba71bce8c206a81ad1d

SHA512
eefd6f688d9fbb84ab495d513e730bf9381d5510f942fc22d6d528fd80ae0fdaf008428f5a854c63c6794051d3d1acb6c455ee869b0845e59e61ad008e0d4003

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
e858211b61331b0983ffc34dc2ae8636

SHA1
f55941be5a0e273abda69ce8ac7ce0569627d9df

SHA256
19c9d088de386d43cc237ac17ffcc23f36179f226b5b3f3f46de474f03cba793

SHA512
c2398625823d0244c145276ebae6bee6befff6625e0f666d2dffb0616c6125f16c9853db10163c39abc16eac3951e8fdc415d55deb3c2d10929811eabcb98c3b

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
7d0d416feba578a5703dbaa14a4fd181

SHA1
ed74d063d7812160ff83edac704c4bbd13062505

SHA256
4623f35be90f79f97e43a3cbfde65be488989787c449b2340e0ae1d92ba17fc6

SHA512
b001770c5a8edfbb7207bf6cde8a58b7810530a6a4ce1dcf0ab10f06389e006edf113c44d95ccbb97412b868bd95b6cd15686071f5aa6ecbb8d249ba694e797d

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
645d665f2616ba8102d8e352224661eb

SHA1
5be2b23f011d83bf47dce43d152b441dc8bb8e27

SHA256
770fcd21c5e79c07b6d52213dcc318b898b616cb82195232eb19438d4be3ab9a

SHA512
d4364e136acf24b5505a244a71ab09ca95d00e5b50644e585c7141edd18f1a6bb07abd9e02d75179b4b00679c25c02ec0e7ff9a680edb1caecfc2baecb5f0392

Download Submit
memory/2068-12-0x0000000000DB0000-0x00000000023F2000-memory.dmp

Filesize
22.3MB

Download
memory/2068-250-0x0000000000DB0000-0x00000000023F2000-memory.dmp

Filesize
22.3MB

Download
memory/2376-10-0x0000000000DB0000-0x00000000023F2000-memory.dmp

Filesize
22.3MB

Download
memory/2376-251-0x0000000000DB0000-0x00000000023F2000-memory.dmp

Filesize
22.3MB

Download
memory/2384-0-0x0000000000DB0000-0x00000000023F2000-memory.dmp

Filesize
22.3MB

Download
memory/2384-5-0x0000000000DB0000-0x00000000023F2000-memory.dmp

Filesize
22.3MB

Download
memory/2384-2-0x0000000000DB4000-0x0000000001EB6000-memory.dmp

Filesize
17.0MB

Download
memory/2384-248-0x0000000000DB4000-0x0000000001EB6000-memory.dmp

Filesize
17.0MB

Download
memory/2384-249-0x0000000000DB0000-0x00000000023F2000-memory.dmp

Filesize
22.3MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads