fff4b96876b0c78da96e57cf7ca1b0e0cbee4fde52047a9bde52e25b062d69ca

Analysis

max time kernel
1791s
max time network
1799s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
19-12-2024 22:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

AnyDesk.exe
Size

5.3MB
MD5

0a269c555e15783351e02629502bf141
SHA1

8fefa361e9b5bce4af0090093f51bcd02892b25d
SHA256

fff4b96876b0c78da96e57cf7ca1b0e0cbee4fde52047a9bde52e25b062d69ca
SHA512

b1784109f01d004f2f618e91695fc4ab9e64989cdedc39941cb1a4e7fed9032e096190269f3baefa590cc98552af5824d0f447a03213e4ae07cf55214758725a
SSDEEP

98304:Uc9HTcGO0ImBimas54Ub5ixTStxZi/l9K0+zLVasSe4JnzMpm+Gq:UcpYGO0IOqs57bUwxG9CVaskJIYE

Score

5^/10

discovery

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	AnyDesk.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	AnyDesk.exe

Loads dropped DLL 2 IoCs

pid	Process
4984	AnyDesk.exe
1916	AnyDesk.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AnyDesk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AnyDesk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AnyDesk.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AnyDesk.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	AnyDesk.exe

Suspicious use of FindShellTrayWindow 5 IoCs

pid	Process
4984	AnyDesk.exe
4984	AnyDesk.exe
4984	AnyDesk.exe
4984	AnyDesk.exe
4984	AnyDesk.exe

Suspicious use of SendNotifyMessage 5 IoCs

pid	Process
4984	AnyDesk.exe
4984	AnyDesk.exe
4984	AnyDesk.exe
4984	AnyDesk.exe
4984	AnyDesk.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 3164 wrote to memory of 1916	3164	AnyDesk.exe	83
PID 3164 wrote to memory of 1916	3164	AnyDesk.exe	83
PID 3164 wrote to memory of 1916	3164	AnyDesk.exe	83
PID 3164 wrote to memory of 4984	3164	AnyDesk.exe	84
PID 3164 wrote to memory of 4984	3164	AnyDesk.exe	84
PID 3164 wrote to memory of 4984	3164	AnyDesk.exe	84

C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
"C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3164
- C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
  "C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe" --local-service
  2⤵
  - Checks computer location settings
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:1916
- C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
  "C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe" --local-control
  2⤵
  - Checks computer location settings
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:4984

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\gcapi.dll

Filesize
385KB

MD5
1ce7d5a1566c8c449d0f6772a8c27900

SHA1
60854185f6338e1bfc7497fd41aa44c5c00d8f85

SHA256
73170761d6776c0debacfbbc61b6988cb8270a20174bf5c049768a264bb8ffaf

SHA512
7e3411be8614170ae91db1626c452997dc6db663d79130872a124af982ee1d457cefba00abd7f5269adce3052403be31238aecc3934c7379d224cb792d519753

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace

Filesize
5KB

MD5
512218b6ac139fbc84199a21911007b7

SHA1
d423ad9d51e27d71212ec5f38e516b6e090a7c1f

SHA256
f392567eaec8f457faa7bf28f4279f0d438c2227307a05a18e744238db727809

SHA512
ed192bd15953e1699cd7d8b20684207c8f4f7ac347902be1d2dbb495642d328e0542429fd7e3413feea8de36d06d6678829877d1da459f6327801c732b81235c

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace

Filesize
9KB

MD5
55633021a694ea116ff7182ab09c66d4

SHA1
b81a1d5e155a1f936fd1a7f0fce141e3b3444cbb

SHA256
5d1ac2ec3898e49f4857cf4022935fce6d7c94904d36d098ec0071844ce47667

SHA512
b05e4f2d6cb49f563c15bc62a1238c6299e538a6cc64bc4936461280b836a8ba420b81aa536d1dd4706e5d5c7aebe17288211f316c12e9f814a5d45bda0557cf

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\service.conf

Filesize
2KB

MD5
7aea93c255af8b96664a117b852cb7c1

SHA1
ff76e62470da51198a41651e78a64713417cb749

SHA256
11378f4aa1e22fd71ce2e696caace4f746dce0c471ff487955d4d37582931818

SHA512
900dfb7cb0444b76eb6ee4f6edec99d424abb236c112ec1c67b3fa26b1a7dc5f2dff31bc6f73bf271e03da4af305b718fdfd04602386bf2b75fba7a487a92416

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\service.conf

Filesize
2KB

MD5
2bf6351c3fa8460a2612420524e1f34c

SHA1
a7da20abd646a36b6f8deaa40044e61d241a3c74

SHA256
ec04fb7bfaa37cc6c356dee2e01594957e50f03747e2c182a9742a38fc379313

SHA512
1ec33b2c70d4bff939c89dc700d2315afe7426b0fad0ee35e4eb456e0e11c650b3e228604b68ee7d9b903bfee34c9c0a358b762671325429656a94754328f27b

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
766B

MD5
7c42e84ecc3f7d16a4c5d2479633ff57

SHA1
fb4eeca97aa02d1cbfbd5d1ba204a2535ec60f70

SHA256
5a760e859dcbb34f91ec49b47f3ea1f7d86e8b6cbb786b228096b6914d1193d4

SHA512
0553d6a9e9a96091468e3240413401fb2f65f514aa9773c95c1fabf7ca94bc69edf39f25baaf6b5e90cc63b2a45e95b6518f15368870222936edc4f5434fb8bc

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
775B

MD5
fe77dce7160f4254757eab38e7458ea6

SHA1
9ce5ac06ee22e829ea2e78b4dd7bb86870ac37d1

SHA256
72965e64573bd1a0fd632080462715e11d53bfc0e45a46e8166e39d547f59e28

SHA512
a6ec9413318f6b7f9330de924cb206d9915e2d579bb2a47f0d904a82e296d253224416291856774cc3b538060541ccdffc866afd598c403c5f9d896edf3c7b04

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
832B

MD5
f72fa6ce8871cbd66e1ef4c1cac6724c

SHA1
cbc57e29aa65befbecbd135bd2bd0a5c70a37069

SHA256
1a1e2305ec96abe4f926909985b50a0bb610f534a15fad672b78063c3ac60816

SHA512
49e509574ca1fabb03ba57a51c1e3ff2ad21ec14085e8c23389e2fbdf112f145c1ca7f11aaaebf114f2541035dd26670a3320473ffaa845e919da34067ea3bf9

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
312B

MD5
0c04ad1083dc5c7c45e3ee2cd344ae38

SHA1
f1cf190f8ca93000e56d49732e9e827e2554c46f

SHA256
6452273c017db7cbe0ffc5b109bbf3f8d3282fb91bfa3c5eabc4fb8f1fc98cb0

SHA512
6c414b39bbc1f1f08446c6c6da6f6e1ceb9303bbf183ae279c872d91641ea8d67ec5e5c4e0824da3837eca73ec29fe70e92b72c09458c8ce50fa6f08791d1492

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
468B

MD5
4b77c42ebb9aef7a2edf2000fbf807cb

SHA1
029acc0a09bb2deab2c3c59711481a4f0c86a289

SHA256
0377f8e9e0f85c7edb77676b00dbf896cb9c2a2afbf333b07a8719e08e730f64

SHA512
329bac99240d522084d1632b87383df4640e5c76921c000a3934586820d8f31475448c11a23e83cc294a3733d6bec6630ae735742b0e7d164e7c8bdca6f32f85

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
468B

MD5
ab5b7b8a87debdaa5c5660063aa55a39

SHA1
a1175e87d4f3e3728c8b8cff9bcf476a20904546

SHA256
464bc0f5c7cbe7956a0828bd0940b20115a9a468e47f4fb937d2de5e9d668ed9

SHA512
d779bd8fd8054eccaa7e3872d7f5208ca642fa667f8a75ec9a0f7b3e725c13c9528befcb9be745ab09783f510c1bf3ce16b7b22e034100a80915785199602416

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
2KB

MD5
7705aace9ccf567a8918862e189123de

SHA1
04489660259fbdcf2ad9a00fc553d9f0f2c45c30

SHA256
e935e972e8addbe572a2b016fc713c08381c1d2d40867aa5f91b47d7d5668697

SHA512
05dfe1851475f24b518d45e54184f4c6942620eb9f4a4620d0280b6eecc727e8c295f73bf269e3b41f2946d414c85b797976410be923b630073b97c7364337a5

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
2KB

MD5
a0beb617b8308d794ba3a818a2b2c2eb

SHA1
637dc4d43cb8f214ac1bf92a474bfdfa8ac94bd8

SHA256
3a46b7432539face1ef5cdc36b3d01a6b4e7769c2d02cc29965177ed3fb52d86

SHA512
63486d01ad30a23bd0c533f943531910e0975837abf71ac764ebb03486e26dbb7449bfe2df8bf703a3079db0b0ba10fd2ddaa969101d665bd18a585629587e28

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
2KB

MD5
babfbda02a96d7a1cad4d442dc0de036

SHA1
09ebe00ad58d27e5af1a1ecad5a9a58866fadb63

SHA256
f461ca4e1465fa62267f857f908f849db8c50012577b694b72c7e1747cfc8f36

SHA512
8d5132b74a12a97a5291ff6a84076deb3371d92af23ce542f4e19581452b1647376ee9a34bd6d9f196c0952e3f0feaf9c3a74bbfa148fdcfd3461987539723f4

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
6KB

MD5
53d0fa27c2a6549bf53dd984782e670f

SHA1
c7068b5e6208135f28cc012c6648947e406263e0

SHA256
f5009ce3082f34d1024d9890c994f6cf2cee152da506845bc27970572d9414c2

SHA512
41aff60618bb938270ff84cfff61027517aef652f735321f6c77a265b06aea04656325ec167363362cf0885c0a007671da7eda93681fda192c3bc54b6097f01a

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
5KB

MD5
864c24ef70edebd3a8b3ab7aebb2e6bf

SHA1
aff35a5db64045d711772b565673e7e87b662084

SHA256
2559122f17627e73463a46fb757833acd06b9f65107a201b034d98c6aa026635

SHA512
129cac744117834ffee35581fc9252e76fc4b368f2f7cf02b1ba100c4af80042df260938fd5beaaa12ba4937607100663aaa406956aa00d8f2cd0a70bcf61fa8

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
46046c855d284aefb27ec7b960e7a083

SHA1
c4db5e5d291dedc98c379734f9396cc525a1088d

SHA256
11ae50c74da7c7c25e872f493e92087f926df1fb8f0bb61d737a2fddf0c79d9e

SHA512
5c7ef67980e103606b31d06b0e855be87dd7dd751452cc5c0867d32b7599460712cae35f34e5231c439754154d7d07f5698a76d0ddf05d62c84c5f7287be9e28

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
6KB

MD5
a9a2c75f4cf800719376ef9d57ec5988

SHA1
084b0ca41d2dd8178fb03a8ec7249e580b7df1d7

SHA256
1219ecee31d1f632faa2e691bf8802c7ab910d0940a49d6b4e78008a5df21fbb

SHA512
c5c65f82bb558ff545828d50a275b97b6fb17ea89a769d5b1d59f7dff5dc4c9971d803ad5aa17d3c617608458c1f431b7bbc1c1cf482c85c3ede0ca7019a62f6

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
2f8d40fa31685af37f630a9a46b81069

SHA1
359f73944daae86f70aac103cdda4846f3e47945

SHA256
ab35bd556b8677c72595fd01d9a99d0ce3d25006a7fe668064acb01b29a93f2b

SHA512
04534df7c446aa9f506d86b28f9d47240b217768629cb85b69c346df95425c0ac1ff715ddc75ea41a81dccaa5d05024595afd0ad2193942d08b1fe24b4bf4955

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
d4d70ae010516d84f67eeb3332b4c364

SHA1
2782e097ccd87fc946dcc9cc9055634c902bcf78

SHA256
c7f5134a222f17b774385f9d9a3bfe892423e98261ff2ff9c4adb95d18ef09de

SHA512
ffe78de92509398d7d21795b46266c24266b73138115863865a46c106778d3675649c7cb35553d542acf51635b76184b2e2863a3c51c3a6847e3056edaf32402

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
449500335eab32c3a6b0a93c9ef22d0e

SHA1
dc45e9c39bb945303ee17cac8a998818511789c6

SHA256
8c034728266c1bf0e4457dae9b042f52e316cb83d675a653046723525f2332ba

SHA512
587196f88fc8b3a1c973ee6b3f09b5eaa463bf55550ece9f9d19a951a8335321412fa1bb78823d447dd541f45449a9176f09bb10603c6865bd0fc80cf6bbb34b

Download Submit
memory/1916-18-0x0000000000890000-0x0000000001ED2000-memory.dmp

Filesize
22.3MB

Download
memory/1916-42-0x0000000005CD0000-0x0000000005CEB000-memory.dmp

Filesize
108KB

Download
memory/1916-38-0x0000000005CD0000-0x0000000005CEB000-memory.dmp

Filesize
108KB

Download
memory/1916-41-0x0000000005CD0000-0x0000000005CEB000-memory.dmp

Filesize
108KB

Download
memory/1916-12-0x0000000000890000-0x0000000001ED2000-memory.dmp

Filesize
22.3MB

Download
memory/1916-231-0x0000000000890000-0x0000000001ED2000-memory.dmp

Filesize
22.3MB

Download
memory/3164-0-0x0000000000894000-0x0000000001996000-memory.dmp

Filesize
17.0MB

Download
memory/3164-5-0x0000000000890000-0x0000000001ED2000-memory.dmp

Filesize
22.3MB

Download
memory/3164-1-0x0000000000890000-0x0000000001ED2000-memory.dmp

Filesize
22.3MB

Download
memory/3164-230-0x0000000000894000-0x0000000001996000-memory.dmp

Filesize
17.0MB

Download
memory/3164-229-0x0000000000890000-0x0000000001ED2000-memory.dmp

Filesize
22.3MB

Download
memory/4984-10-0x0000000000890000-0x0000000001ED2000-memory.dmp

Filesize
22.3MB

Download
memory/4984-232-0x0000000000890000-0x0000000001ED2000-memory.dmp

Filesize
22.3MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads