fff4b96876b0c78da96e57cf7ca1b0e0cbee4fde52047a9bde52e25b062d69ca

Analysis

max time kernel
291s
max time network
297s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
23-12-2024 18:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

AnyDesk.exe
Size

5.3MB
MD5

0a269c555e15783351e02629502bf141
SHA1

8fefa361e9b5bce4af0090093f51bcd02892b25d
SHA256

fff4b96876b0c78da96e57cf7ca1b0e0cbee4fde52047a9bde52e25b062d69ca
SHA512

b1784109f01d004f2f618e91695fc4ab9e64989cdedc39941cb1a4e7fed9032e096190269f3baefa590cc98552af5824d0f447a03213e4ae07cf55214758725a
SSDEEP

98304:Uc9HTcGO0ImBimas54Ub5ixTStxZi/l9K0+zLVasSe4JnzMpm+Gq:UcpYGO0IOqs57bUwxG9CVaskJIYE

Score

5^/10

discovery

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	AnyDesk.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	AnyDesk.exe

Loads dropped DLL 2 IoCs

pid	Process
4148	AnyDesk.exe
4744	AnyDesk.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AnyDesk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AnyDesk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AnyDesk.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AnyDesk.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	AnyDesk.exe

Suspicious use of FindShellTrayWindow 5 IoCs

pid	Process
4148	AnyDesk.exe
4148	AnyDesk.exe
4148	AnyDesk.exe
4148	AnyDesk.exe
4148	AnyDesk.exe

Suspicious use of SendNotifyMessage 5 IoCs

pid	Process
4148	AnyDesk.exe
4148	AnyDesk.exe
4148	AnyDesk.exe
4148	AnyDesk.exe
4148	AnyDesk.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2640 wrote to memory of 4744	2640	AnyDesk.exe	82
PID 2640 wrote to memory of 4744	2640	AnyDesk.exe	82
PID 2640 wrote to memory of 4744	2640	AnyDesk.exe	82
PID 2640 wrote to memory of 4148	2640	AnyDesk.exe	83
PID 2640 wrote to memory of 4148	2640	AnyDesk.exe	83
PID 2640 wrote to memory of 4148	2640	AnyDesk.exe	83

C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
"C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2640
- C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
  "C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe" --local-service
  2⤵
  - Checks computer location settings
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:4744
- C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
  "C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe" --local-control
  2⤵
  - Checks computer location settings
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:4148

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\gcapi.dll

Filesize
64KB

MD5
ecb9969b560eabbf7894b287d110eb4c

SHA1
783ded8c10cc919402a665c0702d6120405cee5d

SHA256
eb8ba080d7b2b98d9c451fbf3a43634491b1fbb563dbbfbc878cbfd728558ea6

SHA512
d86faac12f13fcb9570dff01df0ba910946a33eff1c1b1e48fb4b17b0fb61dded6abf018574ac8f3e36b9cf11ec025b2f56bb04dd00084df243e6d9d32770942

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace

Filesize
5KB

MD5
8f5766a9a3d88a52b3942162216c209e

SHA1
66f4fced060327c4cd28682e3efd5aea369238db

SHA256
bb63696bb2eea20f963286986a48168ee846247735559e7a93375c5ef99a78bd

SHA512
8a52d5e8da3253b365a0cb2331a261cc5e24412660fc9aed1cbffd2717d255ba83c16ce5a9ead176c08ff36349f40c90cae08d4575404ef4fbc12eae85591fca

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace

Filesize
9KB

MD5
011106a3a32646c6bd3de033894a7d49

SHA1
5413bced2a62824709b8895df3e31e80e76be4de

SHA256
ee7ae79fe05df152d3791a17b7ca6f5861c6761819b7eee175be806116405da7

SHA512
834b3c4a1787477606bc4baa95a479cb3afeaa7acbe6686c167ce3111b4065d2ea9c31d103e8304c3bb515add3ec1bdda04b2b2ab534c60abe68cefc9eb4c8d0

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\service.conf

Filesize
2KB

MD5
374ee360c3d6b20e0cc3308dca5b6f77

SHA1
47b3db9789f94a188b444f9d491d8a3637563b2d

SHA256
160d1c45722686d1134f7fe3076ff30fb13b23b8c1e7d7a7a8ea40f52037afe4

SHA512
b1de7c6a1ad882296c44c8d564305e967c5d1d78176cbb2844bec87b7a07ab0375431250a9d438db28ab09eebd6d78a605f44f7e1791eea82cd969e4343a67d0

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\service.conf

Filesize
2KB

MD5
9bbdf78212db0bba746bdf14ea3604cb

SHA1
bed14396107b79dd72a8922cef30f0d66a4cd067

SHA256
7d16d15092e47e9be639796dd03af2beb3426f0b31ee9c5b180d99fb2be8a557

SHA512
b28ee265aaa131e0e21546ed8a14ba2d591f2778c56e8db7c3904198a7b6bbf23eb0fa8128e1e4f1c4fb8adb409a6a3ef20072dacc9b9d81b5f6f16718839f59

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
766B

MD5
ece29fbab4b89e3511cba250d3074df5

SHA1
a6904bbfd677fac4de105cc574053a562eecfada

SHA256
cef91f7987713433adeb1763a20e513a2fef2a8336dc07bbc0d115972525e80b

SHA512
cf51f217928aa4ba76366b0a0270552646e887560bf23d3c3c85381809c6a212c49322a45dc3deac3176b0aabe05665628cce07765dcb7f7cb1512790a9c2621

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
775B

MD5
5cbe4e2c311e247cd9f56ad204c72e95

SHA1
05fd90863e8fb188238a8de0e65ed138cc5cb6e7

SHA256
4f5434c5e5b4088898d94b81ea71260a189483ffb153d87f40d078726707e493

SHA512
c83646dba5f9786a6511a49ecff328f97f4da54792de75b211ddc53172e7f86b7a25a57f75c21dc7f0c1dec481a27def752f73538f0e48689c9ecd271edd1c9b

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
832B

MD5
6b67c4b83ad4fead35487eb9f03f5af5

SHA1
92f30016fce0f495aad3b57b5256cb5697fe65b9

SHA256
246c1e6f8d8dc756a1eead7e6efbb6835e461e183af22bb80b161c9ba1e5b008

SHA512
84cc0b07393592da02ef6fc492af9cb166fd52d0b7ba5c0c9482c5be8212911b539ef1a7b8f599accd3f9f0eedb58be1fecaeb9be2487b3102c798a9cd0874ae

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
312B

MD5
0c04ad1083dc5c7c45e3ee2cd344ae38

SHA1
f1cf190f8ca93000e56d49732e9e827e2554c46f

SHA256
6452273c017db7cbe0ffc5b109bbf3f8d3282fb91bfa3c5eabc4fb8f1fc98cb0

SHA512
6c414b39bbc1f1f08446c6c6da6f6e1ceb9303bbf183ae279c872d91641ea8d67ec5e5c4e0824da3837eca73ec29fe70e92b72c09458c8ce50fa6f08791d1492

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
468B

MD5
e5170405583282700190de0378cfc6f3

SHA1
061250ed3b5ef29204f362ce65db9247beb73c79

SHA256
2a31cfe571dfa59afe29d20ed9b042008a621751fc7921bb945f151ca789358b

SHA512
8f6271cd887ed2056eff3b707d242b9af6f8076fce06ac23d0fdc0b1d9e8580cb45c6482f87e995279796236827fd07d10ed34ab60d6fe5abdb26f49d17c877f

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
468B

MD5
17833533b8db424a44f722c2c1f0b609

SHA1
d81dc6a0d28285518299a07a447ddffaba5e7059

SHA256
a8239eb561ac7d5d43ee9461930d9c22aae012657fe839956557f19af00d1097

SHA512
d6a6d9af10091480c9aefe2e61e8e0ba8c2f566845b02bebca709b88283f5524bc88282bb8e6270a189a98a78e90a45be7dca0565edbab8828fbd06bb4d10c37

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
035e852f0262e5ba5f760dfb5480e8a4

SHA1
d9b8f0aad8050fa1cf6e89c7390768b60d1637f7

SHA256
c1ed06296786e2fae49d7d4d8ea769f90d4586d90243112617dd582f6c72f3b5

SHA512
572bae16503b3cd399e9d82a44f0540d05282ae132221fd4f2e0d42543079672e37dd229dda34db2e75587fbaebed7fb9231f1a299dded68d111efe36524ce73

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
2KB

MD5
2ccdf711652fe3c8e6bda93cee76fbe8

SHA1
c6c0fd05af521b220c7925052b39c8b65aefcfe8

SHA256
6b1582e8a413360d37f65289cc045c17512410797f4f97717d1e3a9605c2d0e4

SHA512
660007e2b8d78315334f12b1a7823e9129ee11ce877b159232d2cda99cba67cddb533e3210df17262ec89150d1a9ac70726930eddc810dce45fcdfb430a2d253

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
2KB

MD5
70f1992d6797dc32e84ff98c8e4c66fb

SHA1
4d403ce84df30d69df2242535313d3c3813f0d8c

SHA256
e7b6ce355d899096c890295ccea702a24a6cf71aa739465a6220c49c849c3294

SHA512
eb2a054979a44ca40c139b5a2fc468d1b9c709466df1bb06b85b89dea48022488b1b2b207dc35f58c7e22d43d5aac7de10cc6bcce8cdaafb9b10ebf0ace9f254

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
6KB

MD5
676a8a38257fd7cedbff72100aff20b1

SHA1
dcb8da9095d28b06ae201c89f759f15b751c73b3

SHA256
eebc7d7798f7e8094c98269b11fd412e20d9d412364a05ab2216e49a4599927c

SHA512
73a8655d186f9c3653aa104e3462f8efa64a243df51e7c1b6f41550367e94538d491cefbe9e10db337233a1a9db042d0120a67f020d660bd87b05241e450b6c1

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
5KB

MD5
f551acb03472cec66ca4e4cc4ebc1367

SHA1
34cd8a5ceb6981bf74155920f42f13fa81abc855

SHA256
5738c04f7d6922662fd507c9022098e4a90240e8553c12b04f0c0599dfbb2ff8

SHA512
874a81e21f887bf288993336e158185968bf6fcd11504628763bed5c76da9a63a88670934560de72b666479e2141ef84a9e56cbc428320a462717502dc79316a

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
94c2a2c647f00aad044525b0ba9f2568

SHA1
17dbf414e30bfd49586fb447c98ad8db48cd1b7e

SHA256
2cef2b24a1f7ba295b418579f6a4662d007263cb9762e11bbb7e4b6195dc171c

SHA512
4f7939789b6e2ba74012466e4cbc904c8a631dfea786c540ad266c085380a9b12c38b28c9ecd6407c0dae8f60d9c1ad03830c00925551b816b7eddec791a3e92

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
629a94061ed4fdc308d7e7e0b789279b

SHA1
2eb113a3a410a53bdd0ed95fcdc6cf08ac229d76

SHA256
c8a26308ab29b301e4712d013fc30dcdeffbd749588de26523c22c6b939f250d

SHA512
6bf6f75ca4e84804f90413084271745b48fe0d3e70782e39cebed3144b0e503faeb0296df88c057d68f5a11d3344b82e86d7a55057ebc4f3d03d86e0a1571de7

Download Submit
memory/2640-4-0x0000000000340000-0x0000000001982000-memory.dmp

Filesize
22.3MB

Download
memory/2640-0-0x0000000000344000-0x0000000001446000-memory.dmp

Filesize
17.0MB

Download
memory/2640-2-0x0000000000340000-0x0000000001982000-memory.dmp

Filesize
22.3MB

Download
memory/2640-250-0x0000000000344000-0x0000000001446000-memory.dmp

Filesize
17.0MB

Download
memory/2640-249-0x0000000000340000-0x0000000001982000-memory.dmp

Filesize
22.3MB

Download
memory/4148-13-0x0000000000340000-0x0000000001982000-memory.dmp

Filesize
22.3MB

Download
memory/4148-252-0x0000000000340000-0x0000000001982000-memory.dmp

Filesize
22.3MB

Download
memory/4744-39-0x0000000005500000-0x000000000551B000-memory.dmp

Filesize
108KB

Download
memory/4744-14-0x0000000000340000-0x0000000001982000-memory.dmp

Filesize
22.3MB

Download
memory/4744-43-0x0000000005500000-0x000000000551B000-memory.dmp

Filesize
108KB

Download
memory/4744-42-0x0000000005500000-0x000000000551B000-memory.dmp

Filesize
108KB

Download
memory/4744-253-0x0000000000340000-0x0000000001982000-memory.dmp

Filesize
22.3MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads