fff4b96876b0c78da96e57cf7ca1b0e0cbee4fde52047a9bde52e25b062d69ca

Analysis

max time kernel
142s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
16-12-2024 06:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

AnyDesk.exe
Size

5.3MB
MD5

0a269c555e15783351e02629502bf141
SHA1

8fefa361e9b5bce4af0090093f51bcd02892b25d
SHA256

fff4b96876b0c78da96e57cf7ca1b0e0cbee4fde52047a9bde52e25b062d69ca
SHA512

b1784109f01d004f2f618e91695fc4ab9e64989cdedc39941cb1a4e7fed9032e096190269f3baefa590cc98552af5824d0f447a03213e4ae07cf55214758725a
SSDEEP

98304:Uc9HTcGO0ImBimas54Ub5ixTStxZi/l9K0+zLVasSe4JnzMpm+Gq:UcpYGO0IOqs57bUwxG9CVaskJIYE

Score

5^/10

discovery

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	AnyDesk.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	AnyDesk.exe

Loads dropped DLL 2 IoCs

pid	Process
1684	AnyDesk.exe
4204	AnyDesk.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AnyDesk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AnyDesk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AnyDesk.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AnyDesk.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	AnyDesk.exe

Suspicious use of FindShellTrayWindow 5 IoCs

pid	Process
1684	AnyDesk.exe
1684	AnyDesk.exe
1684	AnyDesk.exe
1684	AnyDesk.exe
1684	AnyDesk.exe

Suspicious use of SendNotifyMessage 5 IoCs

pid	Process
1684	AnyDesk.exe
1684	AnyDesk.exe
1684	AnyDesk.exe
1684	AnyDesk.exe
1684	AnyDesk.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4616 wrote to memory of 4204	4616	AnyDesk.exe	83
PID 4616 wrote to memory of 4204	4616	AnyDesk.exe	83
PID 4616 wrote to memory of 4204	4616	AnyDesk.exe	83
PID 4616 wrote to memory of 1684	4616	AnyDesk.exe	84
PID 4616 wrote to memory of 1684	4616	AnyDesk.exe	84
PID 4616 wrote to memory of 1684	4616	AnyDesk.exe	84

C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
"C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4616
- C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
  "C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe" --local-service
  2⤵
  - Checks computer location settings
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:4204
- C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
  "C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe" --local-control
  2⤵
  - Checks computer location settings
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:1684

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\gcapi.dll

Filesize
385KB

MD5
1ce7d5a1566c8c449d0f6772a8c27900

SHA1
60854185f6338e1bfc7497fd41aa44c5c00d8f85

SHA256
73170761d6776c0debacfbbc61b6988cb8270a20174bf5c049768a264bb8ffaf

SHA512
7e3411be8614170ae91db1626c452997dc6db663d79130872a124af982ee1d457cefba00abd7f5269adce3052403be31238aecc3934c7379d224cb792d519753

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace

Filesize
6KB

MD5
a09046ae879dd6a8673eede6420650f3

SHA1
b5da85886395df0264ac26e45854aff2323ac8ac

SHA256
49697d395755c73b67fa8124b9053da095777c2afd913c979bd3620f3c4aa92e

SHA512
66470e795578aa4a8ce5a7fc0c7971fa721228a794144de97547eb52c55c9c31dabbbfcda3cc50ae7e8bc355815420ad577b0b6c38e94fb061039a45b2f83a43

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace

Filesize
9KB

MD5
a132ecdf7f7dc16a3a8ea002cc314067

SHA1
e90e99ebb8d3be13ea563aaa7b939e27ba5bbe15

SHA256
c312c3a004bcab26fbaf4c68f91f13db174a852e43bfe4307baec441b2700c65

SHA512
7de4fa01e5fdff25d5997b5cb528e91a2bf3bf687072d2ff665585b02494319e68ea89abcd54b0ccc15e468fed24320611e769a23f0bb8d1ba7b2274c22f1d4f

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\service.conf

Filesize
2KB

MD5
e56c72065a79448e0b366f1699e000e7

SHA1
3461e609557d5c90b3a5642e260aeebab5a0ec8d

SHA256
9124ccd85243f72ff7fc83e479e8d5a3c84bd1d34ce9a0230924f7558b060138

SHA512
fdf4a17d3b92b931753a86aedcf90d9da1a465df8c2d6ca71a5c6e19eee80107c2e9fcc7d80d6308a0b61e5fd87d1068467efaafd7015b6d400042510d3ed465

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\service.conf

Filesize
2KB

MD5
1a773aa5053f6ff204e625200d32e0fd

SHA1
fb98817e0c570a3a80063d9ec3fb122e3e50b006

SHA256
4f2cebf4f5fb374fc0a7dcf437009581042273322e2f4324ac27640bdf4e6f2d

SHA512
ad025a1e42627ce869728a04d47f943dfd118b7ecabf56c52ef4e70306c223de5de07a7718032b90770d1947d76108d85a88beea9dc38bad11cdf97000273976

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
766B

MD5
e9f22e2e794c902bfddde67275705c8a

SHA1
13475246e82ba8d698c04f9075453c9c7a63dbda

SHA256
a19ac02f2d0bf52491e9727a05d520160fb7d3e99110b96e5c7db89e4a81db2a

SHA512
a2ba3a61eafc978aa20ab98823a371f6dddf704031a2e9cfdf6e75b31fa35927f2209f453062511e15fecd5455f6f26d1447431f62d8177affe464d761feed0f

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
775B

MD5
bca3e298115d9bfe48dc4ec8bebd29fb

SHA1
a71588a174e179c48941a24c3a8626b005bc8788

SHA256
635f80839682cc3630bc30a1260bfd8a9ade3f71fba8fc1f259b3c9389e55e1a

SHA512
252cd2d024288ab368b2132bcc2ffd42e706e27e36d09701fe7ad9d15be2df6a57ed80cb87d1db77a570a9a78a5ab3c8b94b2760eb3687ef052dd200f5f3bd3e

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
832B

MD5
b81fb703a2c387f93c99f51dd0d7c45e

SHA1
f73af26a3561856ce3ef63669d64b87e4d992d81

SHA256
d5e0c9536e3d36f4a1513623645c07a72c04abdcad46b8460ab3351d6369aa04

SHA512
c04a6d3c137ac74c23bb0eb990489ce435a1e9bffdfa4cf7bc27e25717922560ebb3e622e2b10c1ea6155ea8bf668b2d3c4967525f2aa41f75a882b99ffe9b34

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
312B

MD5
0c04ad1083dc5c7c45e3ee2cd344ae38

SHA1
f1cf190f8ca93000e56d49732e9e827e2554c46f

SHA256
6452273c017db7cbe0ffc5b109bbf3f8d3282fb91bfa3c5eabc4fb8f1fc98cb0

SHA512
6c414b39bbc1f1f08446c6c6da6f6e1ceb9303bbf183ae279c872d91641ea8d67ec5e5c4e0824da3837eca73ec29fe70e92b72c09458c8ce50fa6f08791d1492

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
468B

MD5
2a5a03173c8edf17f2ac8ebbe6021da1

SHA1
1438ea6e5f095b517ee574ca5ca0fa1f8ac6fc8c

SHA256
a79a1a26550ab5f4b14ad73a09cade62f27f4a921bd18a07ca265afd667348d4

SHA512
dc7cc0932d09cb884a08eebbabb5ecd501432ffc11b9bce80ede25d9196da47754dd0a68bfa46b36c1e7448cd5f5d99b8d0c61f0e0a2f4ae942114f8724f21ea

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
468B

MD5
ca90bb019c88cb71857452cb2028379f

SHA1
e74727b5cdfcf42f4c7bd82ccf844b77d53a94fc

SHA256
ddc502f8526f90deec33f258c724ce5bd8d077098f88477a9d9fe89235c3706a

SHA512
d1345912c5f92d14569da381d68c1a1a2f962fbabffe6e0a06137ea1161a8bf80adf1b24082df0e64b86600cd83feb520918350c8baf87b4782eb2daee714112

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
ee0ab29ff3524bc9c9cce2ea5dbe7074

SHA1
22559068c1ce2b6777ee6a784c53bc1ece97fca7

SHA256
ddfc04e82da45124a3b097dec6003eb819b3d48d5759ac5c3570f90f2fbbc87a

SHA512
5abf55fc049c20c2e1b1b36fefa1e16a966c467a0301419e262f937ec92559d1802b8b3afdb4aba595a3b3ac7a182b527b3918b46f59acfc57ee26de0bffbaf0

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
5KB

MD5
969cf2b952931a7d16eb314af4a3f0d7

SHA1
1dfcf697e0edc5515244f857dd789f76ec4ee3d6

SHA256
5a6c97220b11961697ccdefec06c68051569cb3792f4e670be76d26b21958014

SHA512
9ea976bebdbc7a97c37a7655444a920a234555ef9a48856d00d25954fbcfb9d897523ae60e0de87a1b6760bb2d367c34ab1e21972d8449426733e5f4501a9d5b

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
6KB

MD5
eabb6268dd60e9fe0a71151c7722e8e9

SHA1
00475a46b35f6aef49d8a489ef4b7e85db3d8665

SHA256
8a1aded191aeb2533da1fdf65708cd22387c17c2194617249a6ec04582af2c76

SHA512
9dd443b54c722725342711efa801da4f94c875bc89665ce2f547ff79488d6b31496f699fbfb8d9ce419b96b9653033f731c90000f554a509352acea106963442

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
ed41119e7fad8092bb3effe56d9a169c

SHA1
669ac9647342cf55898cc9971de9ccf953e06584

SHA256
20067fe0d49930b340d57395853870667a0ce69693ea9ffa8e0f42b74ce8865b

SHA512
d204114149a6332d51a84682895cbf229c78139661716349a7557887252bbf2d667cc7a659a40e3f30edc71ad8bde1acd1e92b5561549c81f6de183276b5cae4

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
b542cf478748a2a5af22a52f090397cd

SHA1
4d52bc5be1e2dbba0cf7cf689b8eacecb6f327b1

SHA256
a425a9cb36a9e6563823c42ea0b515a3b4c7603e4a631c7af60f341e482bdaea

SHA512
3ad3029ae3a5a501d9cc07f3503ab0b0fa7d507e6d975572ddbc578d2ecabe4065c0eca8bf9b4502cd9759c091101f4d83f14a49d5d08079811bd76e95a099cb

Download Submit
memory/1684-11-0x0000000000DC0000-0x0000000002402000-memory.dmp

Filesize
22.3MB

Download
memory/1684-221-0x0000000000DC0000-0x0000000002402000-memory.dmp

Filesize
22.3MB

Download
memory/4204-10-0x0000000000DC0000-0x0000000002402000-memory.dmp

Filesize
22.3MB

Download
memory/4204-42-0x00000000057A0000-0x00000000057BB000-memory.dmp

Filesize
108KB

Download
memory/4204-14-0x0000000000DC0000-0x0000000002402000-memory.dmp

Filesize
22.3MB

Download
memory/4204-43-0x00000000057A0000-0x00000000057BB000-memory.dmp

Filesize
108KB

Download
memory/4204-220-0x0000000000DC0000-0x0000000002402000-memory.dmp

Filesize
22.3MB

Download
memory/4204-39-0x00000000057A0000-0x00000000057BB000-memory.dmp

Filesize
108KB

Download
memory/4616-0-0x0000000000DC4000-0x0000000001EC6000-memory.dmp

Filesize
17.0MB

Download
memory/4616-7-0x0000000000DC0000-0x0000000002402000-memory.dmp

Filesize
22.3MB

Download
memory/4616-1-0x0000000000DC0000-0x0000000002402000-memory.dmp

Filesize
22.3MB

Download
memory/4616-218-0x0000000000DC0000-0x0000000002402000-memory.dmp

Filesize
22.3MB

Download
memory/4616-219-0x0000000000DC4000-0x0000000001EC6000-memory.dmp

Filesize
17.0MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads