fff4b96876b0c78da96e57cf7ca1b0e0cbee4fde52047a9bde52e25b062d69ca

Analysis

max time kernel
142s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
20-12-2024 03:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

AnyDesk.exe
Size

5.3MB
MD5

0a269c555e15783351e02629502bf141
SHA1

8fefa361e9b5bce4af0090093f51bcd02892b25d
SHA256

fff4b96876b0c78da96e57cf7ca1b0e0cbee4fde52047a9bde52e25b062d69ca
SHA512

b1784109f01d004f2f618e91695fc4ab9e64989cdedc39941cb1a4e7fed9032e096190269f3baefa590cc98552af5824d0f447a03213e4ae07cf55214758725a
SSDEEP

98304:Uc9HTcGO0ImBimas54Ub5ixTStxZi/l9K0+zLVasSe4JnzMpm+Gq:UcpYGO0IOqs57bUwxG9CVaskJIYE

Score

5^/10

discovery

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	AnyDesk.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	AnyDesk.exe

Loads dropped DLL 2 IoCs

pid	Process
3936	AnyDesk.exe
3496	AnyDesk.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AnyDesk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AnyDesk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AnyDesk.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AnyDesk.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	AnyDesk.exe

Suspicious use of FindShellTrayWindow 5 IoCs

pid	Process
3936	AnyDesk.exe
3936	AnyDesk.exe
3936	AnyDesk.exe
3936	AnyDesk.exe
3936	AnyDesk.exe

Suspicious use of SendNotifyMessage 5 IoCs

pid	Process
3936	AnyDesk.exe
3936	AnyDesk.exe
3936	AnyDesk.exe
3936	AnyDesk.exe
3936	AnyDesk.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1140 wrote to memory of 3496	1140	AnyDesk.exe	83
PID 1140 wrote to memory of 3496	1140	AnyDesk.exe	83
PID 1140 wrote to memory of 3496	1140	AnyDesk.exe	83
PID 1140 wrote to memory of 3936	1140	AnyDesk.exe	84
PID 1140 wrote to memory of 3936	1140	AnyDesk.exe	84
PID 1140 wrote to memory of 3936	1140	AnyDesk.exe	84

C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
"C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1140
- C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
  "C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe" --local-service
  2⤵
  - Checks computer location settings
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:3496
- C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
  "C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe" --local-control
  2⤵
  - Checks computer location settings
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:3936

C:\Windows\system32\notepad.exe
"C:\Windows\system32\notepad.exe"
1⤵
PID:880

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\gcapi.dll

Filesize
64KB

MD5
ecb9969b560eabbf7894b287d110eb4c

SHA1
783ded8c10cc919402a665c0702d6120405cee5d

SHA256
eb8ba080d7b2b98d9c451fbf3a43634491b1fbb563dbbfbc878cbfd728558ea6

SHA512
d86faac12f13fcb9570dff01df0ba910946a33eff1c1b1e48fb4b17b0fb61dded6abf018574ac8f3e36b9cf11ec025b2f56bb04dd00084df243e6d9d32770942

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace

Filesize
6KB

MD5
e99b10237a0aeca4e2368ce4250e672a

SHA1
0b5c0702164deef9be911ad20c9ea2e6ae7a5d25

SHA256
6586ebf60b793e0be145c1b7629078468e52290a2a19edd7d5adf43283f831a7

SHA512
13c36b934296dceaf0fe1e9c484764e5ccffdc44fe014b36a2b3fcf9e1b4848f544b1df55d063d8e06ef305233b4e62108bc561a87dfe0995bd33504604986a6

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace

Filesize
8KB

MD5
c8fdf6b6b244f58556633188c1e2cb15

SHA1
8339fa274e5d64ce8e9c6660a594ac29c2e1c3cd

SHA256
9a09c8a5a07efe8bd09ed5ee3232c0f9763df0b4ba4437f8ee316136fb847c13

SHA512
d023f89d270999cf500aeff7061b42bbb13873e4d5f554f082fa12137a9a465792041ba60eeb155367448bfe26aaa2d67b8edc3992383a46a15b4b0dfdc06c89

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\service.conf

Filesize
2KB

MD5
5133843e40880a19311edd1e4157745d

SHA1
eb6e496259db7fa87ec18b2bdbfecde5cd0d7159

SHA256
bc35f10f28283a0be9fe4d890927dff5104140d16029206d6675010845177780

SHA512
01cf72e6a42ad93ae32bb10657320a0a37a2159dbc3c0c86afbdd6f3dff960364863b935031ceffc5f2b8d066a5541e2179b0a1acb3bb383bfc3aa48b401dbdb

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\service.conf

Filesize
2KB

MD5
a69a285c045f8a580d271fdc5277cce6

SHA1
35c647738576df4de87d81026639ef8981d63d79

SHA256
cc2b5c1f7d9988686879333c7e4aacc39ead95bc13e3df5f168ffd441519e8f0

SHA512
31d5a27d58154cbe200fda4ebc51f2258074d7c58d2e8b7b52bb67c18e444f633e8ef0c5465d77713eef74a2bfab94d8294d56e120e8b90b95ccf0f23c7a5596

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
745B

MD5
e358ad7d678b3a1ee30270c54fe3d3d1

SHA1
8563bd921fc8fc256ded6b501a08126f496c284e

SHA256
a2234f8e7f892f0a0810514452d3dd9c2b54dd5c5eee128345ee37b148c57ddd

SHA512
d57ca0de2953af0b84e48053fb1f4630a23a1c6f1a2ea5c5d1d94a670204dc3f1d479afbec9ade9989aa878d7642518df41bb4298023ec727f2542557892676f

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
766B

MD5
8aa3103582382f8494115e25de970b0f

SHA1
dde2e04fd97f37d266ab387b82b02790431ea512

SHA256
bf6287315fa840d8fb6a98d31a01515cd3d8819a452707047f757ed8fdacecc6

SHA512
30266e7e7f522e87efd693dade081bbf834eb12d7a04901daefe1e2d0fe258540f0113b11ef69ca0b1e52373a176d15c1c5ee5e4dbc3a675c5e8c9bec11be769

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
823B

MD5
5e538e09c21909c15cfc87aeb6d47326

SHA1
f2b10cb61269971dae8a42f2b47bffe7ff487943

SHA256
a6605efc52795a8ef3669933a798b8205222bf992a3173fb6a0e850ec951d2c4

SHA512
3f2684549684d68a7b2684fb8812f06d9764d0a227ebdb464f71ce5f7d96753dfa1f09c277dae985bbfdc15a0e898ccacd7fafce9acbb1459a668846491db082

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
831B

MD5
1100946060f663dc3e8b480b97579fee

SHA1
4488ed54ae09e7cb85a8cc581386cad5d02eeb8a

SHA256
dfc497fdd5617b6bb957931e77297c4ab0880557cd237aaa887af717b4724fe2

SHA512
fd735a54175cb243a5f6de54aba5f45c494d371e95cc44966e803c240918c8d5bc2601fed8af982936b49f3143acabfc3f41644f6f91677c4e10292b84aff3da

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
312B

MD5
0c04ad1083dc5c7c45e3ee2cd344ae38

SHA1
f1cf190f8ca93000e56d49732e9e827e2554c46f

SHA256
6452273c017db7cbe0ffc5b109bbf3f8d3282fb91bfa3c5eabc4fb8f1fc98cb0

SHA512
6c414b39bbc1f1f08446c6c6da6f6e1ceb9303bbf183ae279c872d91641ea8d67ec5e5c4e0824da3837eca73ec29fe70e92b72c09458c8ce50fa6f08791d1492

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
468B

MD5
855edf593d245756c23441d98e3d0b7a

SHA1
d8e3bb1b6961e9963b27cc9d9556de966ba34693

SHA256
d9595b1e28d4c10fec150e213755121d0fb30be78ff64bb4872242da6fbf8abf

SHA512
c7d6044beaa94004821bd219486f952526f0ddd75c90df953d5b061f43104b0edcdd5f538550d2a5f0c7722958867a2272309853f1ebcd31777979fd96a5d361

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
468B

MD5
9ac336a23c51a47adb0da623c2f2e800

SHA1
590377db01384fa14918c284e8db79bd60df44e8

SHA256
cb236f9a705261b30e65f0e860ef6a6ac90e6cada54c6c67290a1cb8b7fbd501

SHA512
9be046d5b0bd07bc90adb080569d21eb7defc1c4c8d60c62aee3d1f410567c68a7f4d679dd33b966b3d5c21f5863ae634dcc239ccabf1b664ca87c2d488ac0e0

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
2KB

MD5
d8dc20c2e147a08f3a60c2e23fb78613

SHA1
9f9b6994d83c8d7e5e0803f036efd06a200277bb

SHA256
ea5a7a607d8299e5bb57124d31fd5d043ebdf031eeeaf23384a760a3f46b54ec

SHA512
12d1dccf8ec1e80652cd0a90e650b36e1ebb48e756669113e03d44b9579316a3eafdd97ce28c71682c0269c952b7dc0a6105b19b3aec00efefeaf0745fb044cd

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
2KB

MD5
0cc3cfc3725ca009fb7cba9fd63a0553

SHA1
63969d07ff543d7779581e0643068ba39a67a5b7

SHA256
43d28015c0ebb6a03d0d7c9cd9a1a207d2fb973c62cd8cb4cf5cb35d4bcb5bf0

SHA512
3661786157ce20891f5a3c412f72e1a4b941dcf4a5bd79dc5d773dd5233f19fd19e7404f038386175ccfe7a9df3c4fb11262aab8fc7cb70cd7dfec87909ad1bd

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
2KB

MD5
84bc0de57d9f7740452f3101f9db6654

SHA1
32d00d29800185589fff27deced8111ab6090e17

SHA256
011584356e83381eee27f3b72f07bae9c4c67b330b47efe723a6374760e0b19b

SHA512
4ac3bb074fa4b7313cd1e2571d01c04121151f85e8131bef2eff638af18da9ff19987e9d5208cf0f725afc9eaa5a6f3e1bc951db450f5941dc489edf1efe4211

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
2KB

MD5
11e4156402084b99f487d09a6b5eaeb6

SHA1
1adff1dbbbb38d670024e8224e607ec02265d180

SHA256
6e0a330f74cb5c996ebb63de0a91a22b0dc7441b8aa1e79ef55694dee4ec61c1

SHA512
61e7291ab2117b4875f0b12a41deaef8cd54ebd3ac982ae990550fe7bdba514b03a2979af54f473d9d4fb86ed09486a5cb83cd1bd5c70cc92578ae5d268ae1e5

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
0ce880c32c61bea5811edbaab1490e39

SHA1
0b55bcc0457f5b7b7012b72c2aa01e17b898bb9e

SHA256
785b5c8da4a6ffaa5665f0f752bfe4720bf3a6fc9928d8c235ed318b2ef4d388

SHA512
437069966db085842253ad6135264a474626bd78c8ea9b9d21b347535fcf8eddb5e1b055efd758192d6db2c85a5beaa1a0992d7aff03bebcaf2cb7ba870a4c4d

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
2KB

MD5
a9e865dea31533a143d3d304459842ec

SHA1
e269c7fcf50f5dc44669986342c27532c8410c68

SHA256
79a9d9e625da43d592a453ed41a6108bf5e0780e859316733d088559b64ea358

SHA512
677749ee2d445400b7538b2ab8fe6e820964a7f7aeec830615d7c69439b76e00d640e2884d6e724e12fb27c249707078e4a63e848dca552e57be33b5e0dce219

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
2KB

MD5
3cd148acffc750da2656068086ce40e0

SHA1
c29249ee7ec0ab31a63924bce0cba83dfd3921af

SHA256
5e03cd2d6bb1fbb7e66dabecd5aa73b52785657067d91a8f7002d35f11fe6385

SHA512
22261ee8bf46c51cbfd743c1ce7847147243f02e5eb93c4aa7aaa2381a5e27a9673b7f8b22b57028aa7742818ec2fb881f5ddde027fa66290a19bca24f53a8fa

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
2KB

MD5
b898176644d6b95e3ae3c675643a0110

SHA1
c49a89f6dffc4ba9048752b4e3b79ca08496d7c4

SHA256
4df45c7dddc55de76ef4184247f95c3dd88c7bd9f1384c06ca56edfb9e732933

SHA512
9aa95769eb0ef36bfb0bd0bc1a7deef4d68a6bef86a6cd0687f1672463412478dabd21e8114a390879ee4f3ec4e2aad514fea9ca71230533e237f03e0566e21a

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
2KB

MD5
a7acd5f416a6b12d41065fa216360fc3

SHA1
8bb51a790f1c0ec26367fe1a0dbcb3475f87deac

SHA256
f6e6624acc06bf489bb6c819c8a7db682d8180e13475b29e45667449ee7a32ae

SHA512
3c389e9fdd186bc290679ebf8388919cbef6aa0564af7b46b8bab614a6b66e9b7f4837bfddfb1a35bb30342759fda3d5d800c2d64dc9268e424f1f59a947bf74

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
6KB

MD5
db91a440da538ec9760a2a21ad48cc02

SHA1
f42d714c0a9a8f370718157ade38d395c4f34d7f

SHA256
0d4e8b47d496c5bff09d2af8a18f46799806cdcb0299d32f132cb74b041b00db

SHA512
12a3d964b883dec7bb6a407857c7346eb86ebcb1f3e838ccea5e6e393de93a4661b4efd7981e582d4ea74bd5eb51106dde705457b5e35e8194db2d6b5234d1ee

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
5KB

MD5
782a31981725c14808037559e46e933f

SHA1
f51304c0b25e27facc3cc5d14aedf2b737f95084

SHA256
3fdc35018d2e680ecef5c390b7d7dfda6018d0065e4d0251d4e20b70c0febcd9

SHA512
577a8e33a2343a2ca2399660833890e474c3df5704ec8441639ef5b522bb1873c9511d3ca8c280797213eec6a2691e48e5138f49bdf6acbb90ca729890ca75fa

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
6KB

MD5
bb8d4d4810671c81621fffae3a242239

SHA1
c14d04451e83744adfd86b62f1b6109fe118ceb0

SHA256
c1cb9df579548d182f267aafd801a6c17ad63e82e9fd54914d63aef5334f2dab

SHA512
ceb978d2051f312b17f27cf9bf6c3f4d225213982e4e6705a9c0773f8c12d19dabd1e8019e9a45fe5f7a32d493db26cc1d4ce1a0f90275cd287470dad123cdaa

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
6KB

MD5
5816ee88368a15ee817458f64dcce4cc

SHA1
df9ac9c268d6b7783ff82b3e2a481d6d3ebb9b3e

SHA256
39f25ff0c5ba0ece44d913c5fef0edd97130395ca7bd6abadfd8e4baea5f1d3b

SHA512
20bfb8619020cdcba304e12dc0bf4deacbcb91cb0d12cbd8056f3487b4f4f68eacb8e67d718e625861369c3b82fd13cfe2ddcab8c1c8fbd11b95e8b0d3ec5d2c

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
93e86f0c9823226da80208e3d9d6a942

SHA1
c9543298b034709dbae06311e03f6f077c002b1b

SHA256
6d4b791b0ead8b657065e3c77aff894ccc77da2873de3c8c329f60bf25402f9a

SHA512
6bfacad1e0f32c03910a6dd5fc89d84fb84e980f53e54c2e644bffee1e90eb797f14fd4839b280660627ac478b5fe9836287e4f2fa3e7b4246f487083864e4c5

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
42f2bf5bc6b7a0e8e14a367e2b017b26

SHA1
3034c627efece3583f476f398bac349ba0908267

SHA256
e16706d57efd02c1ae231459cfee7ccb32f07bb680f3a07d4e8186dafe70e87a

SHA512
bc89f1008a217faaf6b7747b8513a1131ba94d037400b57e9abee5f51fc5630d3d30c09f951ede5e6f18499b88d3e446fb6adea65e80e8e7a88220c96c333d11

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
f39fbc90ef4e7eca9a686652c4885139

SHA1
0f93c1d26dedbeb8beb36ce3272b3629d8ba01d6

SHA256
e371680a758b63c5f0fdb18089843fb502997f055a4eb6644908b8b23faa8320

SHA512
0f732eb68db12de1aadcf30cdc3dfb9454b53ca5813bb354b28b2b2673c61c5408b13cdf1d90ca44ba7ac20911510826ef994c83dba3220594e7fb1ebb499be0

Download Submit
memory/1140-0-0x00000000002F4000-0x00000000013F6000-memory.dmp

Filesize
17.0MB

Download
memory/1140-1-0x00000000002F0000-0x0000000001932000-memory.dmp

Filesize
22.3MB

Download
memory/1140-5-0x00000000002F0000-0x0000000001932000-memory.dmp

Filesize
22.3MB

Download
memory/1140-188-0x00000000002F4000-0x00000000013F6000-memory.dmp

Filesize
17.0MB

Download
memory/1140-187-0x00000000002F0000-0x0000000001932000-memory.dmp

Filesize
22.3MB

Download
memory/1140-298-0x00000000002F0000-0x0000000001932000-memory.dmp

Filesize
22.3MB

Download
memory/1140-200-0x00000000002F0000-0x0000000001932000-memory.dmp

Filesize
22.3MB

Download
memory/3496-249-0x00000000002F0000-0x0000000001932000-memory.dmp

Filesize
22.3MB

Download
memory/3496-189-0x00000000002F0000-0x0000000001932000-memory.dmp

Filesize
22.3MB

Download
memory/3496-10-0x00000000002F0000-0x0000000001932000-memory.dmp

Filesize
22.3MB

Download
memory/3496-12-0x00000000002F0000-0x0000000001932000-memory.dmp

Filesize
22.3MB

Download
memory/3496-42-0x00000000054B0000-0x00000000054CB000-memory.dmp

Filesize
108KB

Download
memory/3496-43-0x00000000054B0000-0x00000000054CB000-memory.dmp

Filesize
108KB

Download
memory/3496-39-0x00000000054B0000-0x00000000054CB000-memory.dmp

Filesize
108KB

Download
memory/3496-299-0x00000000002F0000-0x0000000001932000-memory.dmp

Filesize
22.3MB

Download
memory/3936-190-0x00000000002F0000-0x0000000001932000-memory.dmp

Filesize
22.3MB

Download
memory/3936-250-0x00000000002F0000-0x0000000001932000-memory.dmp

Filesize
22.3MB

Download
memory/3936-14-0x00000000002F0000-0x0000000001932000-memory.dmp

Filesize
22.3MB

Download
memory/3936-300-0x00000000002F0000-0x0000000001932000-memory.dmp

Filesize
22.3MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads