fff4b96876b0c78da96e57cf7ca1b0e0cbee4fde52047a9bde52e25b062d69ca

Analysis

max time kernel
893s
max time network
896s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
25/12/2024, 10:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

AnyDesk.exe
Size

5.3MB
MD5

0a269c555e15783351e02629502bf141
SHA1

8fefa361e9b5bce4af0090093f51bcd02892b25d
SHA256

fff4b96876b0c78da96e57cf7ca1b0e0cbee4fde52047a9bde52e25b062d69ca
SHA512

b1784109f01d004f2f618e91695fc4ab9e64989cdedc39941cb1a4e7fed9032e096190269f3baefa590cc98552af5824d0f447a03213e4ae07cf55214758725a
SSDEEP

98304:Uc9HTcGO0ImBimas54Ub5ixTStxZi/l9K0+zLVasSe4JnzMpm+Gq:UcpYGO0IOqs57bUwxG9CVaskJIYE

Score

5^/10

discovery

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Control Panel\International\Geo\Nation	AnyDesk.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Control Panel\International\Geo\Nation	AnyDesk.exe

Loads dropped DLL 2 IoCs

pid	Process
2352	AnyDesk.exe
2348	AnyDesk.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AnyDesk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AnyDesk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AnyDesk.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AnyDesk.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	AnyDesk.exe

Suspicious use of FindShellTrayWindow 5 IoCs

pid	Process
2352	AnyDesk.exe
2352	AnyDesk.exe
2352	AnyDesk.exe
2352	AnyDesk.exe
2352	AnyDesk.exe

Suspicious use of SendNotifyMessage 5 IoCs

pid	Process
2352	AnyDesk.exe
2352	AnyDesk.exe
2352	AnyDesk.exe
2352	AnyDesk.exe
2352	AnyDesk.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 3020 wrote to memory of 2348	3020	AnyDesk.exe	30
PID 3020 wrote to memory of 2348	3020	AnyDesk.exe	30
PID 3020 wrote to memory of 2348	3020	AnyDesk.exe	30
PID 3020 wrote to memory of 2348	3020	AnyDesk.exe	30
PID 3020 wrote to memory of 2352	3020	AnyDesk.exe	31
PID 3020 wrote to memory of 2352	3020	AnyDesk.exe	31
PID 3020 wrote to memory of 2352	3020	AnyDesk.exe	31
PID 3020 wrote to memory of 2352	3020	AnyDesk.exe	31

C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
"C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3020
- C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
  "C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe" --local-service
  2⤵
  - Checks computer location settings
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:2348
- C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
  "C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe" --local-control
  2⤵
  - Checks computer location settings
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:2352

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\gcapi.dll

Filesize
320KB

MD5
dba65c08aaedde2a0dc7d399d0448b06

SHA1
c7ca3f8630cf4cad769a927a3c43d83b012bbf8c

SHA256
5ca5ae1864f21c640c807225157ac04d390c7e917433d4809ca9f478dc6b0074

SHA512
27b9d241f83c926426d39e12402d694908b8be88cdb56f68f9267153cfa754f8bf75f4840c90370b65cdf1c54024116fe974c0c1f7b4a115290718992e878318

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace

Filesize
6KB

MD5
15de3fcf1fb5d52ba3afd7b01c19600b

SHA1
69808483d50123237d7a80a789c7dedb3d9b5337

SHA256
766f42c492b422a41547b8261a83c69c5c75a2bf1a05258e14129440b9c4b944

SHA512
a2dc0b41aafd2353b1d5603091201a5391e6dba052b69ccb9aa9a709897cdde7b45bbb6d1a1fa6586199dc4b05b9ed043694f2e5c7e81a29f53ca82efb56aaa6

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace

Filesize
9KB

MD5
c287c76db40519c0cd515c23fe321539

SHA1
fa784df58009a4be6d30bb839f8dad2ed7993687

SHA256
5a15c50f81575ace603e5782161c535f1bfb9788d8759a6ff561d295e35f5c56

SHA512
75c506b8ceea083b2d470f1f2c8e93b339d9ffbbdeeb23e869da17ca2b99921fb9e93b62a8e6e64f2f7a8de33b9d0e70b0034c559039fba91420c992c17428d2

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\service.conf

Filesize
2KB

MD5
ef87d9bb48ef4c694d7b5be555e643c2

SHA1
34a1a66ac7ef8873257337ea03e05a3f3da0ad07

SHA256
0fe7dcda615275454fe52e709a41d470d4dfc57de6623897ed5e8b302c24bee1

SHA512
a15207f5d6c5722ebc527cf6cfd474cf9defdb915ae155419be9e18ba36e418c0032dc616f398ab8c279b0e058b71258dc6594ab08214d1bcdf8d4185a3b75d8

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\service.conf

Filesize
2KB

MD5
abe7f5913746aa54b3447081f6ecc89e

SHA1
b0e232d7c616e183e8c1d3782e55b98caea95eb8

SHA256
ea31f3346980da937b734efdfa9c2dfe9cbe07dc4841e8aa8a9ce9e18dd81450

SHA512
1d33fdf51edd60cdab24e22924f21f8e37a0b8deff8113c4390e3230acc1dbeb9427abf3c6fbb22dee2d43f07c0e866e3a2df3eb3f7ccdbc9f2107de1124fe6b

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
766B

MD5
ee325c59732290538fcecdb82df8ba73

SHA1
0189377a3a5ce3b00a860afbdf340b23b5f133d4

SHA256
bfc19068aef30db49c14c81c632c07422cc2b57f11e15f7d4b3cb85a46b1fe76

SHA512
969f34ab51c56cac58b7fe16af8f81b02ee146e05b1b99f93012c4eb9e13e5923cd7a96bb298d43c436df086302441b43c34070118286c0e3c49d729d4773b90

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
823B

MD5
b88653f7dd45d2bf0a1d55a5c4654548

SHA1
82bdba1ce0721be4f5779e68614510b71aea6941

SHA256
6bb209f26ab67f805671a90235c458d0b2df8f93ec0f46d3df3563bd488d83ea

SHA512
826e1ccdbd2b93ac6f89a789bf17a11980958a02820017e93c9bf48686e35f0e29ad08f63c98116b4a24f6527ef8e090728ee0a28a76504d020e104a7885b4ac

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
831B

MD5
3e19bcf9eaf214e03856c115a11c5c1e

SHA1
4f9f63a1287968084bddba136258e6bef58f7566

SHA256
314d10da2ed02c64a5cfe7d39a0b2b603af00ffa028f3705d1c7f56a7f966072

SHA512
d9f29f92918e2f80dcad2be9cc80cb44d8776b50cf91813fe96e2dd204c468cbec7fb39d8b0ba4f628d6429aa80576c45ccf93abeb9b3c8b7383bf556a95e253

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
312B

MD5
0c04ad1083dc5c7c45e3ee2cd344ae38

SHA1
f1cf190f8ca93000e56d49732e9e827e2554c46f

SHA256
6452273c017db7cbe0ffc5b109bbf3f8d3282fb91bfa3c5eabc4fb8f1fc98cb0

SHA512
6c414b39bbc1f1f08446c6c6da6f6e1ceb9303bbf183ae279c872d91641ea8d67ec5e5c4e0824da3837eca73ec29fe70e92b72c09458c8ce50fa6f08791d1492

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
468B

MD5
8a298d70be1c0fbd5be9c4d9bc125f51

SHA1
ccdff731dd4befe09ec501634647e28cd2650c3e

SHA256
658c85ad64ebad6de75b3a00c4e10d43d674abc38d66ceda8a0ad0440e6e97be

SHA512
06019fafc3ca3c59a26fd4fb1a228a88dacaaac33a43e0df2177883dccf8f50729c386ec7e31f7820116a8e54a5beaa46c863c92bcd6c22a6e88933f0a931e5f

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
2KB

MD5
2a28c83a12cbd4338ee1775984299bd7

SHA1
e6b1e4fc184c271169e2d8403f7bdd68a4e412d5

SHA256
2543dc427b33f18fdc8f4b73e15f070de41f7cbe506993eb4d779c8e91e92eb4

SHA512
19d3b02a57dd57c27ae542137c0851e869a67167718d1fd0b2a712c85a4d982f21bbb00fb65a727968def6cc04c00c0ffcb694ee345409db167d157aebef518f

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
524f654be4249c75932363e8a6170faf

SHA1
a0808e2dc10b31774c7a0374ae2410ea281933bc

SHA256
2c8aebf32f6db9c87a36b5ff8e4412530a1340f4204264f8d823bb9768a3910f

SHA512
209071248d136a5b2de17ccd372b7d3827f4b78b4175d547bde49e5b4aec6d7bc46b6ce08ac6766c111b8cd2510e90fb7547a57a34ae5eeb47813912e6c95ef6

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
2KB

MD5
f80341a33deb9f6a61ce01063276e9f1

SHA1
df49ca49a0c7b2b5802c5ac0dd1efa93895191e1

SHA256
d3d3d2287b697a0123fe485840c4d45c741dfd9807b3b321ce0d3c101c3d0322

SHA512
9dd9a346d9a0a22d5afe884475a6a06d7ca01675afb30d068a2371d46a87721a3008615f847c36b3a27513ef98574f82853f2c1804fab9b02ebf919beb083828

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
6KB

MD5
ca177a73e8351046da2348ca0ebb333f

SHA1
53e75b5bd880e3f0f87e25355dc9571135bb00cf

SHA256
8baa979a433e89dd2a30f5775f5fb59a8863c08f5c83963ae96548e6263b44eb

SHA512
0bb385cb415edebd86fbba839ca627a59ac1af4261451233d079dde9d009f0b169f15791a8c83a7eab5a9b3f35e2fe2302959e0465f7d655b718f6546ef7ca9b

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
5KB

MD5
a6a771e176e4262eb8ccfe4c81ee1782

SHA1
f1066e78056b5623c2eef220889c47e552ac4c75

SHA256
400f2b293694f5c567f7d4f0d69c2235576f7323a6d1558cbaff572469e2310f

SHA512
dc1de63ff9de161c1f4c74c3fd32523084af031d48cd8a1176e8ce2a5573edccb201f2bc033cd2480b04ac71d4ad2a474114daf63b53730efefdb1f0993bb74d

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
5KB

MD5
e97c0400ae3c9e6b936e446a43334fff

SHA1
e3691ae4cc09b859cd137fd7aeced0152ad84e44

SHA256
4f6ccd235d0d59bc16ecfe44a21128547e74c0ed3aba88e645aa471984ac702d

SHA512
791b98c40f4a912cbe1df3da853c160eeea63d85e810cb692f31618d8e7fff419b4e2eef7db2ed53c8742a0d976cfe2d39dbae4113793de5178f23bdafe5eecd

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
5KB

MD5
05a817dbce4a1cc1a618645cf43bada0

SHA1
af30b6ed6a05097238788e8c615523e3163e8536

SHA256
cc0e89d888d7f6ede1126c7bf6420ce3c171ee394aeb1cc32cde63176c2daa96

SHA512
75d50099b4fa68b6dab90f2eee928575631d5f90b5f6f3a6095524389826f5b56c5b4ad6ca95099226df1c8a4f5454ebd71dd17a0ccf39432900662460981a5e

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
6KB

MD5
0dd581d6abfff8c0c95ee70a080522e5

SHA1
83b19d068e8329a34dfcfbf1503415f69ccf7a33

SHA256
04383b30ffa1ec36c1f09ee50a835252743f7f276879c32d2abf11fa8e982869

SHA512
6d301878e680b8e08e2f8ed702d60b9c2fcbb00e1186f49d866d9d852a0e41894541d38e9a1031d40ca6e1fa2984cfd1063ed407ff61e0503fec7451a45b003e

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
6KB

MD5
89bacc3bf7e99a9615e0d46f82fca2c6

SHA1
8b4581c0cdf5146edd919f8931e46a89d7e695af

SHA256
290f674171c46ad765d32b0b8bb6b3941e82f0f5f4b3a15447d6ea56e14fb554

SHA512
532778970aba0d3faa8ce697d5f3268db6568cf6b143ea87a0b56f4b4e4e6326468e051e70297544d969e2a564959d6dde9224ed6c4f90c8ccfad567856781a4

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
6KB

MD5
be48bf889d330885cdecfccf2303851b

SHA1
da00c55a03019c1aef2f5aad448003f7c467d6a4

SHA256
97400514d529c0fe1aa8b0f92941951b6c99245168d06a6fd583e21ab699be09

SHA512
02008eb45811885b234b969a26451859e7a5670f3b54b44774ed65b7d5f60736db277e09ce005dc10fe07d02b008d409674073829ce71eda6ad27ff2bcb50341

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
2ce02fe99b302ea63faf2be8818fecee

SHA1
01481c497eadaa0ae36c4dc92d629c8d42072811

SHA256
b535632137ef8863eaddb9a10e2ebd0c5afcc0539bf155fac76fcf77c95c96df

SHA512
02d9c3da9e922041268e5e3fdfb85a0a8a39c7e9c4101315abd4b58d1547f83db430ddbf9693cab73f2ecf58e66fca03c284e052d5b328acb5cd1d7b483c9844

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
1930b8f051176a9be7988991ce8b8e2a

SHA1
5aaaca366316f568b087784062d7c7efdd8f8947

SHA256
3163adbd8e425b893ff2a9dcf66de68b35d55b3582c891c8bcc831b8081ee227

SHA512
8a08fecc6b8e4f4e09582d8fa1e71b899db8f19b405409ffc249e6bcbcac861a05211afe9713d67b0d32437a4a138593e5c692f1f0dfe3a1def78e2092014238

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
f7384f8b65e645d44c86e1d019ea29e6

SHA1
2608b8baced83315c5260b5820066d41c536a41f

SHA256
e28a67d4f8627512668b6993d8a073b04db643e9a8db9ab40210df78a71446b4

SHA512
e5be7c1a7c2c6520b066f24b4ec4631cc33a6f583031741ab06fd214ab1bcd69a04c34dc6deea16941504b11f4b991d2ad8aff0ad4ec6122f65fbfc64f448f3b

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
2bc0f81ee380a4ac0e1e90a3da2806f6

SHA1
40a6b17ee237094c23f8431e7142c862897a1883

SHA256
c4a3a121a45ae28317b6292ed18cd6268167adca667bd8d4b270a68404650312

SHA512
620ebe0363961d8aef20685ece422f881b5a8cb3830cc3b1a362fdf45a48e773f68e8e1814649f3f1e9b8e20ee10331c2755f1c9245c23f8c81cb1950889b483

Download Submit
\Users\Admin\AppData\Local\Temp\gcapi.dll

Filesize
385KB

MD5
1ce7d5a1566c8c449d0f6772a8c27900

SHA1
60854185f6338e1bfc7497fd41aa44c5c00d8f85

SHA256
73170761d6776c0debacfbbc61b6988cb8270a20174bf5c049768a264bb8ffaf

SHA512
7e3411be8614170ae91db1626c452997dc6db663d79130872a124af982ee1d457cefba00abd7f5269adce3052403be31238aecc3934c7379d224cb792d519753

Download Submit
memory/2348-12-0x0000000000030000-0x0000000001672000-memory.dmp

Filesize
22.3MB

Download
memory/2348-258-0x0000000000030000-0x0000000001672000-memory.dmp

Filesize
22.3MB

Download
memory/2352-10-0x0000000000030000-0x0000000001672000-memory.dmp

Filesize
22.3MB

Download
memory/2352-259-0x0000000000030000-0x0000000001672000-memory.dmp

Filesize
22.3MB

Download
memory/3020-1-0x0000000000030000-0x0000000001672000-memory.dmp

Filesize
22.3MB

Download
memory/3020-4-0x0000000000030000-0x0000000001672000-memory.dmp

Filesize
22.3MB

Download
memory/3020-2-0x0000000000034000-0x0000000001136000-memory.dmp

Filesize
17.0MB

Download
memory/3020-256-0x0000000000030000-0x0000000001672000-memory.dmp

Filesize
22.3MB

Download
memory/3020-257-0x0000000000034000-0x0000000001136000-memory.dmp

Filesize
17.0MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads