fff4b96876b0c78da96e57cf7ca1b0e0cbee4fde52047a9bde52e25b062d69ca

Analysis

max time kernel
71s
max time network
67s
platform
windows11-21h2_x64
resource
win11-20241007-en
resource tags

arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
submitted
22-12-2024 14:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

AnyDesk.exe
Size

5.3MB
MD5

0a269c555e15783351e02629502bf141
SHA1

8fefa361e9b5bce4af0090093f51bcd02892b25d
SHA256

fff4b96876b0c78da96e57cf7ca1b0e0cbee4fde52047a9bde52e25b062d69ca
SHA512

b1784109f01d004f2f618e91695fc4ab9e64989cdedc39941cb1a4e7fed9032e096190269f3baefa590cc98552af5824d0f447a03213e4ae07cf55214758725a
SSDEEP

98304:Uc9HTcGO0ImBimas54Ub5ixTStxZi/l9K0+zLVasSe4JnzMpm+Gq:UcpYGO0IOqs57bUwxG9CVaskJIYE

Score

5^/10

discovery

Malware Config

Signatures

Drops file in System32 directory 15 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_32.db	AnyDesk.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_256.db	AnyDesk.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_wide.db	AnyDesk.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_16.db	AnyDesk.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_96.db	AnyDesk.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_1920.db	AnyDesk.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_48.db	AnyDesk.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_wide_alternate.db	AnyDesk.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_custom_stream.db	AnyDesk.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_idx.db	AnyDesk.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_768.db	AnyDesk.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_1280.db	AnyDesk.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_2560.db	AnyDesk.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_sr.db	AnyDesk.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_exif.db	AnyDesk.exe

Loads dropped DLL 2 IoCs

pid	Process
640	AnyDesk.exe
2976	AnyDesk.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AnyDesk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AnyDesk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AnyDesk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AnyDesk.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AnyDesk.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	AnyDesk.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2976	AnyDesk.exe
2976	AnyDesk.exe
2976	AnyDesk.exe
2976	AnyDesk.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	2976	AnyDesk.exe
Token: 33	2360	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	2360	AUDIODG.EXE

Suspicious use of FindShellTrayWindow 6 IoCs

pid	Process
640	AnyDesk.exe
640	AnyDesk.exe
640	AnyDesk.exe
640	AnyDesk.exe
640	AnyDesk.exe
640	AnyDesk.exe

Suspicious use of SendNotifyMessage 6 IoCs

pid	Process
640	AnyDesk.exe
640	AnyDesk.exe
640	AnyDesk.exe
640	AnyDesk.exe
640	AnyDesk.exe
640	AnyDesk.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 3968 wrote to memory of 2976	3968	AnyDesk.exe	77
PID 3968 wrote to memory of 2976	3968	AnyDesk.exe	77
PID 3968 wrote to memory of 2976	3968	AnyDesk.exe	77
PID 3968 wrote to memory of 640	3968	AnyDesk.exe	78
PID 3968 wrote to memory of 640	3968	AnyDesk.exe	78
PID 3968 wrote to memory of 640	3968	AnyDesk.exe	78

C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
"C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3968
- C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
  "C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe" --local-service
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2976
- - C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
    "C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe" --backend
    3⤵
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    PID:4920
- C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
  "C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe" --local-control
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:640

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x00000000000004C8 0x00000000000004B8
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2360

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\gcapi.dll

Filesize
385KB

MD5
1ce7d5a1566c8c449d0f6772a8c27900

SHA1
60854185f6338e1bfc7497fd41aa44c5c00d8f85

SHA256
73170761d6776c0debacfbbc61b6988cb8270a20174bf5c049768a264bb8ffaf

SHA512
7e3411be8614170ae91db1626c452997dc6db663d79130872a124af982ee1d457cefba00abd7f5269adce3052403be31238aecc3934c7379d224cb792d519753

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace

Filesize
9KB

MD5
ddc4ebcefbcb59960c60d0f3103b87b6

SHA1
3e6780ee2d82f699d6a48791fcc160dbb336afd6

SHA256
ca76f5cbf80b007eb9d70be80c69fbc5a59d47d720222edfd8946cd4bc1d9b1e

SHA512
e57a014ac6877d954c263c77d615e1790aac1997237a04e86e5fe86c46efd7cb14dd0ca246a48b42b658815d773ddb86156cf74ce232d6d5fc11920898f2fa46

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace

Filesize
39KB

MD5
ec8105a765b6415897816f270d0f7f80

SHA1
965cc2c8ea1fb4339cd02cba8722c5024bf9614d

SHA256
68247d2554512bd02a62108823e935ccf8dc91a019ba9415979b628830e3208a

SHA512
72a5308f6e18826dd34e616ef591e454b519716fe95959f795b78dabab3a7d2e069c53a2646a51943ba6e2d8a00fe18d9103a247bf1d25d7e8e84580dc023e3d

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\service.conf

Filesize
2KB

MD5
8372a48aa560823883213e01a075abff

SHA1
c18dd74ab8a013a7e505c4c2013d5689c8afd1ef

SHA256
e0cc076d048d8280dbe967f9367e768b813f07155304501970a70f2b6cb57ca4

SHA512
4a5d05d46d0aff93c746fc15740a3e2390b4c7cc294bbd21c2e260051896f1ee34979728b290ec30ea01fba9ae9fd5720c2126040c7e882a52ce3ea1dee33529

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\service.conf

Filesize
2KB

MD5
413cecc3e4162135fff6efbae19de9c2

SHA1
b59688b7711e966131c662bbdea6339cd1a9b6b5

SHA256
20fd047b0ae0ce6c8c8a9530299a7481ff0054acc79656344e1d0a99160d2165

SHA512
aad5b526668c855c27bef7cf838ba0cb6f57ecaca1f65af45fd30ad2fb88ef040efe46b42eb531e99ed834b406f1f65c57157e3b8655cc963e952ebbcbb244aa

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
766B

MD5
11640cd6256d38821cf354a2a24d56fa

SHA1
ef2a20546dae03b34ea08941e04ed74eeaf67194

SHA256
e1d290b9863791922680483a754ce27c6626154c4442bf15e8a7e16248a3d3ae

SHA512
4899840e9bb0e4bc9b75deac748245795ff64c0488e59a0333ce07e436c68a120c3fe91b65fbe0ae060f1e13c5d644a4224f671ff6ea255e30e424170dd8eabe

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
823B

MD5
7eb849fc95c98feff664a1e314adcbca

SHA1
c2741ddbf059b06efe8a6c026d444fc676c6bcfd

SHA256
e40a6c5c9435795ef22a75c6edc1352ef1de3e89f3d95de96bf38e090ceca22b

SHA512
b9724d70337e2fd3a883138233570d9a5d77f23cac248ca8b1dd0671f5bf1357a678255a8fe24649e5296292a36874e981f792f63f07284b62d717cb463ef4c4

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
832B

MD5
c62943854397df7033753154443d076e

SHA1
5e4492e152aec8443800533e307adfedc8e51594

SHA256
070fc67d899ebd229be97191d7f54b1f9191ac18bec5eff6d4a00c4f695b38b0

SHA512
6a16f02fd40c0e8411dff9de2730caec209dbf6b2858b758e07911340d14015c795ad6744f9f3ac4d9f1facc6995c206658514a26ca224a1e4773f251879b613

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
312B

MD5
0c04ad1083dc5c7c45e3ee2cd344ae38

SHA1
f1cf190f8ca93000e56d49732e9e827e2554c46f

SHA256
6452273c017db7cbe0ffc5b109bbf3f8d3282fb91bfa3c5eabc4fb8f1fc98cb0

SHA512
6c414b39bbc1f1f08446c6c6da6f6e1ceb9303bbf183ae279c872d91641ea8d67ec5e5c4e0824da3837eca73ec29fe70e92b72c09458c8ce50fa6f08791d1492

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
468B

MD5
52dadd19a78161d1fc0380429a7d21e2

SHA1
b925c1a98c2e108a5f7bae5b78c736a574d687de

SHA256
8289d0c4de1853bcde6a8d8a6f2546a33866d86dc5029cf50ebd07e26b8ef83b

SHA512
ae96c7eff9dffc2586e56cb800fafdfa60fdd2111b3d4677fabc046481f2328d3eef45f86095b0f6eea5516918ddc425bbdb63b942e020fc8d9c94872d4b7572

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
468B

MD5
8a01d781c19cf27ab0846529794584d8

SHA1
7375992dfd8de9cfb4c1b6ccf84bb1eb1a2269be

SHA256
67c6f377b5aab27b586dd4aff74abe1673ae9621350c9058a9e7112714871562

SHA512
36efe9d3dadfeddfc7d45dbe2a18362b62eb01e7cfe5155f52c7d732757f384dd9567610be156f4c0fd76f4b5e2e98232614dfec9d92d34b4a0dcb217f249b23

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
5KB

MD5
09aeebbaaa0f67323b5b0a34d824758b

SHA1
287e626c2f8e2234da3b76d814875b6c724d3dfe

SHA256
9426497635bbc48b7ce94cec064d84d0908729aba3d759ef07dc139a25f6ac9f

SHA512
2729cc2365dd342f369601770d02e118b9406c6df86660e1dba5cf7c91d0bed2ae500a3a6ea12b1f547844ffbf01bff4524366bee769aa96d26a35b5b12f6fe5

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
7bd6cad8e3d93fd8cfffaab253dc00e0

SHA1
8e3db5cd3f7731cca5d92d421ecc8c9d120ea330

SHA256
c826fe5296b6bb40d767b40fee2dcf3c6f1e17a3601185b041405adbc95aa3eb

SHA512
d1d31cc579ce37ba75c02171a8746df469675241b7f643ddfcade40d11459410f9a667ea99aa806052b415ad0414a396fd92002fb53f5832dcd33731f889828c

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
6KB

MD5
f979643cb9ac423b25b22c1c58691b5a

SHA1
b7a61b05d714be79657cbccaf110ea0fd3f3faf6

SHA256
cf1c5ebd16486c625254145a53453d47f5c4f5b0b705d007057b30b04dc6504a

SHA512
d85ffddb6eb8236978bc60cec877a7919bff2a129f5929de7f9d62dd7bfa513d85748a3c03606be2e396cc48cc13d2232bd4f30e3f293f204b7012d3dd5a966e

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
6KB

MD5
a3541ff4277a8799d7272df0d7c3034c

SHA1
c5aecd46f15bc249e8cee34f4665e25389c21a4e

SHA256
e93987f9ab48ef4d104632ea83ab1450e63efec31ad29daf6073bbb5e6bcdc7e

SHA512
053142588af805af42f08bf1a11e367ce5bc03fe29cf6b243fb9f2791801f17d01b8cdec63f7c3034cff8d36f9d801a7010e4e3920f3a831d618be96fb18bc7e

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
5KB

MD5
25b71b0097355dafa6c1114fb275c3c5

SHA1
337436ee2bf23483f803bb826cb548c7d13309b0

SHA256
30967741be0dbdf2b7c8074a20766e1e5c22c35a54678eee176e98e55a5077ca

SHA512
0488d0f9cc3c2e8b649ee1a6b4ad9f9496030bc6e4f295a41eaa97eae0f4b6d865eb502c0017a80c5807a32a2ea1259482df69a478c1f8729a3c337be8d58b9a

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
6KB

MD5
12029d3e67bb9a95d468213e43136b9b

SHA1
d67b62aada59c96c5a59a71aeacff9e93256722b

SHA256
f9c14d34f9cda0df1aa3fb19d5684d5e592080c036f77aa35d6bb6bcf558db47

SHA512
1f2de4aaedcdddaed8cc5c051edbe2833c59f5f801a576c772caeae0ebe7ad3407ff2d00227dd6819d2c249bd02a1ec1a71e02dcc5e691aca1e7e4d570a20aea

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
6KB

MD5
8f3348989c4a09eef70b14a533b297c1

SHA1
ed1d743881d60c3f7ef04049d82e60f224c80401

SHA256
ba83eebc4748c3a7ae7b648abe596da604c3cde6e02f8cfbb269d94acea9aea7

SHA512
f782ad7f9c3489aa1c9534706660a7b7dcae6e087ae79bfbfa4903aa422fec43abfaa97dc40ad94ddcc868b78639b286b03bf4ba168e8613fc331cd2ef13a823

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
ca0f3bd01fa48bc10f7b46a2f7d7f8c6

SHA1
76373c7c31b90e22a578c82a3846831aa7da751c

SHA256
7d04c2b3c6853d7da275781050a5afa0112b90602d7c2565736b298eb6cbe4d6

SHA512
7b29bc00ac0afbf961dc1633f8a15d5b205b2706ec216843e85a1360d1c1ed4106cf79359b0bb34c0592858681cf71c45def0d7bd200bcfc67598ac4d1ba25d2

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
db234b0b538b5cd8d82d289b6bbd9dd1

SHA1
3fe04f59e6ded90bdf933e9bc3dd0d2bf49b070a

SHA256
8988b894f2bdf53c45838abd7659aaee2fbd0ae6a5c4c8f0ebbeb23c4200e493

SHA512
da13f63275b533dad4e575acf5dd9b2759006eb35d503e5d7710909a5468d03c8b0fec58f349f1e9d4f38fdad254334c3b845c8f0936a921562319201d47d630

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
5c48c13c31cdbcd1038d9fec28cfe47c

SHA1
379f4e117bddf57c9dba7b727e85489350b93f89

SHA256
feb26520d5901ac84ec113455ed94f472d57272e06fe2c8ef0a8d22c26252c19

SHA512
837f56d3ca46c37fbc054d0f251f32f3ee050f416d3287036a7ec4a149fad33ad46389cbdc9e23f2cc894d4343eab09252e6a2904086240adc808e3b8724885c

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
674aa07b8deac0c4aa4144ad9a2be94a

SHA1
c2d9ede952d27c9b034f32d26a0aaea0b2e57f38

SHA256
6407b0f4fda481d262232df67cbf78b45e3405b41fe3b13ecfa0f51f078aa189

SHA512
a18a1ab8cba8b64bb1551caec4e1bb1734f49016432363e4193a0e90cb88242f1db48e725c73abe036cf07578888f4874c5c9a34c2b700704087c949ea2bd3f3

Download Submit
memory/640-12-0x0000000000E00000-0x0000000002442000-memory.dmp

Filesize
22.3MB

Download
memory/640-285-0x0000000000E00000-0x0000000002442000-memory.dmp

Filesize
22.3MB

Download
memory/640-14-0x0000000000E00000-0x0000000002442000-memory.dmp

Filesize
22.3MB

Download
memory/640-324-0x0000000000E00000-0x0000000002442000-memory.dmp

Filesize
22.3MB

Download
memory/640-217-0x0000000000E00000-0x0000000002442000-memory.dmp

Filesize
22.3MB

Download
memory/2976-39-0x0000000005FA0000-0x0000000005FBB000-memory.dmp

Filesize
108KB

Download
memory/2976-284-0x0000000000E00000-0x0000000002442000-memory.dmp

Filesize
22.3MB

Download
memory/2976-224-0x0000000000E00000-0x0000000002442000-memory.dmp

Filesize
22.3MB

Download
memory/2976-323-0x0000000000E00000-0x0000000002442000-memory.dmp

Filesize
22.3MB

Download
memory/2976-216-0x0000000000E00000-0x0000000002442000-memory.dmp

Filesize
22.3MB

Download
memory/2976-42-0x0000000005FA0000-0x0000000005FBB000-memory.dmp

Filesize
108KB

Download
memory/2976-43-0x0000000005FA0000-0x0000000005FBB000-memory.dmp

Filesize
108KB

Download
memory/2976-10-0x0000000000E00000-0x0000000002442000-memory.dmp

Filesize
22.3MB

Download
memory/3968-7-0x0000000000E00000-0x0000000002442000-memory.dmp

Filesize
22.3MB

Download
memory/3968-283-0x0000000000E00000-0x0000000002442000-memory.dmp

Filesize
22.3MB

Download
memory/3968-1-0x0000000000E00000-0x0000000002442000-memory.dmp

Filesize
22.3MB

Download
memory/3968-218-0x0000000000E04000-0x0000000001F06000-memory.dmp

Filesize
17.0MB

Download
memory/3968-215-0x0000000000E00000-0x0000000002442000-memory.dmp

Filesize
22.3MB

Download
memory/3968-0-0x0000000000E04000-0x0000000001F06000-memory.dmp

Filesize
17.0MB

Download
memory/4920-235-0x0000000000E00000-0x0000000002442000-memory.dmp

Filesize
22.3MB

Download
memory/4920-321-0x0000000000E00000-0x0000000002442000-memory.dmp

Filesize
22.3MB

Download