Analysis

  • max time kernel
    142s
  • max time network
    149s
  • platform
    windows7_x64
  • resource
    win7-20241023-en
  • resource tags

    arch:x64, arch:x86, image:win7-20241023-en, locale:en-us, os:windows7-x64, system
  • submitted
    16-12-2024 06:50

General

  • Target

    AnyDesk.exe

  • Size

    5.3MB

  • MD5

    0a269c555e15783351e02629502bf141

  • SHA1

    8fefa361e9b5bce4af0090093f51bcd02892b25d

  • SHA256

    fff4b96876b0c78da96e57cf7ca1b0e0cbee4fde52047a9bde52e25b062d69ca

  • SHA512

    b1784109f01d004f2f618e91695fc4ab9e64989cdedc39941cb1a4e7fed9032e096190269f3baefa590cc98552af5824d0f447a03213e4ae07cf55214758725a

  • SSDEEP

    98304:Uc9HTcGO0ImBimas54Ub5ixTStxZi/l9K0+zLVasSe4JnzMpm+Gq:UcpYGO0IOqs57bUwxG9CVaskJIYE

Score
5/10

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Loads dropped DLL 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Suspicious use of FindShellTrayWindow 5 IoCs
  • Suspicious use of SendNotifyMessage 5 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
    "C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:308
    • C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
      "C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe" --local-service
      2⤵
      • Checks computer location settings
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      PID:2244
    • C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
      "C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe" --local-control
      2⤵
      • Checks computer location settings
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Checks processor information in registry
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:2788

Network

MITRE ATT&CK Enterprise v15


Downloads

  • C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace

    Filesize

    5KB

    MD5

    ae42fb328a3b180bf4171484881e1f28

    SHA1

    1ee38799cfe4a59c2989d818db9e2b14c55aa17e

    SHA256

    19c48bca3297e7ebf441433e41ebd667eba365e94a3c18ba4a71014bdad1a796

    SHA512

    61a9360742f547874ef215d3260b2b2321560bcf91e8e21c84da771614c647f66a0f20bb7cb3675b90185bdb74f3e8b78add78a661957d580a8a5dc851a0c0e0

  • C:\Users\Admin\AppData\Roaming\AnyDesk\service.conf

    Filesize

    2KB

    MD5

    b4b9372932501861da0d0c7d13404ed9

    SHA1

    bdaf23ce320bdbc627118ecbc53722926dbede08

    SHA256

    6f1dcdc05e34271e9ea8a8d5702d804b6d8ac7c1987c07e05102681d7daa3f30

    SHA512

    7d799ddf26179feee32794c5d015bb0b6c82b0f7696e464abe7f8bd2f33a6dd6b4e1fdf5a2192d4d441f1091670fb0b80289b6e423da45ef3c7a2fe748b8a8e5

  • C:\Users\Admin\AppData\Roaming\AnyDesk\service.conf

    Filesize

    2KB

    MD5

    e6821052c83ede664aefa24780503954

    SHA1

    711df9cda382a63f104319215811cd62c7f3df7d

    SHA256

    efb913372b6ab19992f6d596896bba688f7c41cec2fa3f8d5e01edf0bbb0b51e

    SHA512

    bb930fc939971e32fa42f69af8a370b22967bc17d30573c52545a8b0fac252fa5ef9d08578f57b5428975ec7671a9f480781860853819f041de10e7deb72a382

  • C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

    Filesize

    745B

    MD5

    95d23efe1304e90042fd5e417687c36b

    SHA1

    4b1d58b2707c9324f1f1e2cc7cf897447a7a9f3c

    SHA256

    d6b25365e0484acf44b445014342344298a789e0e5ef0e2f26ed27aee71b4837

    SHA512

    15f4d0180b3b78fce9c1e17a99e76d3138d58662ece6079f67543c80a400fbbfde2f9c4b34cfedb20ab7cb84bf2d8bd88aa99dcd5a101a648fb5d965e1138f33

  • C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

    Filesize

    766B

    MD5

    d06d59cfbbfac8479aec097f51cd5e43

    SHA1

    f0a04660061e08c389d5f80250ffb9be6b9402d8

    SHA256

    5b78ac3c8526bd604c7dc3a2d7ece82136633801d3a731726933e23483f68635

    SHA512

    4360e6938f3dccbb444e8b1fa8f1e4fa57dc07f003bd1bc7d526c3750d7648abd3048f77ce9d29a42ed23a942a78e26003af8d206e77cbe63dde22f5751a4934

  • C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

    Filesize

    775B

    MD5

    04128c01f8dd1a7345728d0b9ae18277

    SHA1

    a00aabbca178af752d2e32d3d86bee59fb82c483

    SHA256

    739595c91d1d3b6b2c26cb0feac273c138f199616b1524491b3c8ec18b659cf7

    SHA512

    22d90f95c91d126a0d7d5c2423a2dc7eb4ea4373eb95f4dd6ea51bd4857effb3ec0372ac5835e6a7c7d9f1e2a1ba4579c6762b95205a082a93c9be7952e719dd

  • C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

    Filesize

    832B

    MD5

    d958f005534d27d0c6ffd9056e7d0104

    SHA1

    eedf6eba7f7c34e1ec54d25087c74377b2574f0a

    SHA256

    1a4e0e385bbe37a12c9ba358ccd02f903a6ef844ee6016e0c4f742428648d733

    SHA512

    8382e43fed6ca4d57a210b0b40fe51c4e9ba4dde288886e8a578c706dde33799097b72050a6856add20de68080888d78a24d55eafbd2c092fff6ed61e75c3dfa

  • C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

    Filesize

    312B

    MD5

    0c04ad1083dc5c7c45e3ee2cd344ae38

    SHA1

    f1cf190f8ca93000e56d49732e9e827e2554c46f

    SHA256

    6452273c017db7cbe0ffc5b109bbf3f8d3282fb91bfa3c5eabc4fb8f1fc98cb0

    SHA512

    6c414b39bbc1f1f08446c6c6da6f6e1ceb9303bbf183ae279c872d91641ea8d67ec5e5c4e0824da3837eca73ec29fe70e92b72c09458c8ce50fa6f08791d1492

  • C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

    Filesize

    468B

    MD5

    2ecff68d6ad8a00b0cb4c62ebc54b760

    SHA1

    0cbc6af5e156d5b1f24d2433d58e0743c719ad05

    SHA256

    851dc87f6e057aa4f4d7d5ccf263c51fc965484af270dceae9ade21b1711c6c2

    SHA512

    b0a5e52627c0eac4aa57456ca8efdcb97dff6ac0623c02237d899c41e659bf540921a1cdb00ee49fcb6d96ad7017bd5c80ad6692f834d3a1c928095bd40a7854

  • C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

    Filesize

    468B

    MD5

    760e6eb557598257abc04d43040af967

    SHA1

    1b544f59aac80aad34a42ec5a25191a3041ac6f7

    SHA256

    24bc41735f55b35d19d399a4d41a098ef12731e90c4101f6ddc4254da1d324fb

    SHA512

    0272d86ee2473cf7f1fd199bc07b5560559328ed741ce64d86dde98a9707f8836fa0dc9d73adc9ffdcc86f90317c521684853b452bafba5c717878777007580b

  • C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

    Filesize

    2KB

    MD5

    92260011678167060e37fc904277e52d

    SHA1

    54e6f7e0d7321f5f0477ea5e782d83f24aeb5f65

    SHA256

    8f52a6ca53c2155be2a667a32e6a38581c0dc6a84feab33e5153bd299128ce22

    SHA512

    57096397877721851d582b496b963cf6dbbf676972c4d749c6d1fb565ae4d3a10e9e7c6106cc7607e9917048397fd1bb397aff05badab6cf22835b7efd9e0989

  • C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

    Filesize

    2KB

    MD5

    5556490185b5833bf77f9a442b9fd9c0

    SHA1

    6d95d1c9ad3b6b240c5f009abce3f325f4c430d1

    SHA256

    dd039ee9ab8dd5224604f82aae0e4c3d034692f5b2f756c580ec71076b1b0aee

    SHA512

    5ab971e89c0c35d5e4dc63d1442ec52552c923e3165b91f944ebc789df1b46535e8da32b1a1df8726876f759abd06034bae23274a53b5b3ed77722e8da412e21

  • C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

    Filesize

    2KB

    MD5

    7dda84de57d2c48ce24af75f01cd1f1a

    SHA1

    b4725d76abfd6fe68fe0284dec7803d7dee72597

    SHA256

    22a92966d60e38579c4da6c04384ff6a42d0c53a487f145922e0105dce17bf5a

    SHA512

    e27526d11b3177af6c4bcf310a8c77c0b2afd9b982b594322d2fd396e2b8146a4d8f9d5dd549f36c391c6a80b2c41e58b0e844c29574cc19e01f6e0525011ddd

  • C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

    Filesize

    2KB

    MD5

    54ba4442acc65dd960af4216e3931bc4

    SHA1

    62393bb22e6ba6942fe17025ae8db4d2f8a63680

    SHA256

    b131127420e1289c38aaea77159164025524f45bffa16d7fc67f21de1f950511

    SHA512

    e442a572d594a249a5bc2e48e41d39ba052a1e46cfb63bfb353d2493139297ce05c769be80290040dfbb987626a0e34fe46aa09a6a6eb889e371ac713dd8d434

  • C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

    Filesize

    1KB

    MD5

    7e00b2a9b8013465aae15a9fd8ae92eb

    SHA1

    221749db8af2697aedf4c0e83cc5ee6fb83a5233

    SHA256

    78073695a1996e2e1f2482aedcb0ab0bcd28bbe22a774ecff4cc741d4a94e4c2

    SHA512

    bef34923ab6871369668ae5104cc3e9f01a03e20af3699f940fa69088ee2ca847c45311070f065a4cb66bce291de3bc7de34447a8692f1c7c59ccd65acb65906

  • C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

    Filesize

    2KB

    MD5

    cf00c005e309493410e129d5471c44dd

    SHA1

    8a63991387a93390cbf3ec693673e1192483b13e

    SHA256

    4bae73e8d074c6a59a9200de19c6f6f97b7e6e8f1d944ac157b207108e8d962a

    SHA512

    4eaace2532ef9f51bf40d76be5cf0d7d026c0182e15e19577cd5a203441a4849a9df7bc08330995f4de820957d5bade1d7189e83584c0f5d141bad03adb1d2a5

  • C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

    Filesize

    2KB

    MD5

    2f13658ee89d1d00fd9e1fc7f7aa6cac

    SHA1

    8bf1ddcf409f377c162af5eb07f40f73f5b4eae7

    SHA256

    0cd37c7cee8e25a43d3d7710d0dc7c5ae71af2f7cd7ba42b4ac904f6e4bd2b84

    SHA512

    0cbbb15c0bcb92123743ef43648494c1c7851f6439700c92fccf5f7bde928e505568c2b31a9391e0711d7cfe4c9a10ac602be6ae3552c28e813fa2ee52ee42c4

  • C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

    Filesize

    6KB

    MD5

    c09c06faa5ae09832ce3469a0da69729

    SHA1

    40bbed3d01e951e46743d58a7e78d410b6d7d660

    SHA256

    59e41c980aaf279a188b2959ed5c7378d82dda95164ce51ecddb9d28bc0e7238

    SHA512

    9734c08ee8ac232382d118a9fcd6b00c19bf2db5cac32ca8b7c4ca28b20dcbd2356e72cd6e55b3709d348345784ef90fce1e5ccbcb254fdf4620b47ad261efee

  • C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

    Filesize

    5KB

    MD5

    13a5d9d904e9c19a10ecf6b3ac02e043

    SHA1

    f439fc132a1a9bfc3cda4cbcdb768c774d2d2714

    SHA256

    84a10990e520816bf2a1c9c8e3664f95cef6cd22e6c0e8e8142b68edceb93f9f

    SHA512

    14a9c9e3064893132c7d86d032e2801783e8b3cbfb9c75ef864bc005330bb3150247ecca7b6509cec9a613399b3ad1f853cac5c9e4144c7c9b3b11d6b3b43acb

  • C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

    Filesize

    5KB

    MD5

    0784d181dcc9582802a61a69ddbb62fb

    SHA1

    2a02f7f2f8523e21d74bac5f23813c2fcfc3a34b

    SHA256

    ebdd0baf52e7360882c18d54ee3903bd74c7ece9af93f275c51ed78f1b2dcc58

    SHA512

    4d7faf95922b84d4781d34b33927c0ede3a46029d117622a05a4198e44294f64ca2d2efee43543e151291373639b065af3ff3ae8ac8f4c7257369d90dd7b214f

  • C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

    Filesize

    1KB

    MD5

    2ceb8112f1c60573823296718554abf8

    SHA1

    a912e696e2ba188dd17edc2cac4cfc9eab8b21f3

    SHA256

    4414f05273d1fece34db02803cc1043362c8723b2b8b26e1e5b67158fea15758

    SHA512

    2865e979b13c5cb2e88e75b904077ef31bc4434d1e8245e52f46788fec8da5fdfe7316aafc884d90d7e10950fd6edf8854509758553aa406ef1edfc8cee80271

  • C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

    Filesize

    1KB

    MD5

    4041b01c8272d934b1a51a7c0b1010c1

    SHA1

    89a7ba04cdda2dbe971e88f308d28bec6de94558

    SHA256

    b6f1dd9157601a1f4422f2697903084d49a7356246d93c1523cc040cc1d72ea8

    SHA512

    46f1a8fa26db0cdfc8ef258656f2fc85d4d828fa8fa9d5e6d9ea6ed0ac2a2ba08d103bb08438ed2cbe4a32532a903981dd97004264bd7cd07fd0310c86ead7f3

  • C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

    Filesize

    1KB

    MD5

    98d678dad398979f795f1fc42a716448

    SHA1

    60b3615d2241094c9f1984dc5568e717b2f262c2

    SHA256

    5a303aed231bb43f67b862b172e2fccea6480ee4b7ee7f39abd57ccc0604a79a

    SHA512

    0448077101b62a169c51ae674b28346931e167cd69d286f0ad6fc076540d8a88fec04b76c78ff8f572c54deb3d336ae2afac3b25b5b250faf409989e2e8701ab

  • \Users\Admin\AppData\Local\Temp\gcapi.dll

    Filesize

    385KB

    MD5

    1ce7d5a1566c8c449d0f6772a8c27900

    SHA1

    60854185f6338e1bfc7497fd41aa44c5c00d8f85

    SHA256

    73170761d6776c0debacfbbc61b6988cb8270a20174bf5c049768a264bb8ffaf

    SHA512

    7e3411be8614170ae91db1626c452997dc6db663d79130872a124af982ee1d457cefba00abd7f5269adce3052403be31238aecc3934c7379d224cb792d519753

  • memory/308-206-0x0000000000BE4000-0x0000000001CE6000-memory.dmp

    Filesize

    17.0MB

  • memory/308-205-0x0000000000BE0000-0x0000000002222000-memory.dmp

    Filesize

    22.3MB

  • memory/308-5-0x0000000000BE0000-0x0000000002222000-memory.dmp

    Filesize

    22.3MB

  • memory/308-2-0x0000000000BE4000-0x0000000001CE6000-memory.dmp

    Filesize

    17.0MB

  • memory/308-1-0x0000000000BE0000-0x0000000002222000-memory.dmp

    Filesize

    22.3MB

  • memory/308-305-0x0000000000BE0000-0x0000000002222000-memory.dmp

    Filesize

    22.3MB

  • memory/2244-207-0x0000000000BE0000-0x0000000002222000-memory.dmp

    Filesize

    22.3MB

  • memory/2244-10-0x0000000000BE0000-0x0000000002222000-memory.dmp

    Filesize

    22.3MB

  • memory/2244-306-0x0000000000BE0000-0x0000000002222000-memory.dmp

    Filesize

    22.3MB

  • memory/2788-208-0x0000000000BE0000-0x0000000002222000-memory.dmp

    Filesize

    22.3MB

  • memory/2788-12-0x0000000000BE0000-0x0000000002222000-memory.dmp

    Filesize

    22.3MB

  • memory/2788-307-0x0000000000BE0000-0x0000000002222000-memory.dmp

    Filesize

    22.3MB