fff4b96876b0c78da96e57cf7ca1b0e0cbee4fde52047a9bde52e25b062d69ca

Analysis

max time kernel
900s
max time network
893s
platform
windows11-21h2_x64
resource
win11-20241007-en
resource tags

arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
submitted
26-12-2024 17:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

AnyDesk.exe
Size

5.3MB
MD5

0a269c555e15783351e02629502bf141
SHA1

8fefa361e9b5bce4af0090093f51bcd02892b25d
SHA256

fff4b96876b0c78da96e57cf7ca1b0e0cbee4fde52047a9bde52e25b062d69ca
SHA512

b1784109f01d004f2f618e91695fc4ab9e64989cdedc39941cb1a4e7fed9032e096190269f3baefa590cc98552af5824d0f447a03213e4ae07cf55214758725a
SSDEEP

98304:Uc9HTcGO0ImBimas54Ub5ixTStxZi/l9K0+zLVasSe4JnzMpm+Gq:UcpYGO0IOqs57bUwxG9CVaskJIYE

Score

4^/10

discovery

Malware Config

Signatures

Loads dropped DLL 2 IoCs

pid	Process
3216	AnyDesk.exe
932	AnyDesk.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AnyDesk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AnyDesk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AnyDesk.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AnyDesk.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	AnyDesk.exe

Suspicious use of FindShellTrayWindow 5 IoCs

pid	Process
3216	AnyDesk.exe
3216	AnyDesk.exe
3216	AnyDesk.exe
3216	AnyDesk.exe
3216	AnyDesk.exe

Suspicious use of SendNotifyMessage 5 IoCs

pid	Process
3216	AnyDesk.exe
3216	AnyDesk.exe
3216	AnyDesk.exe
3216	AnyDesk.exe
3216	AnyDesk.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 892 wrote to memory of 932	892	AnyDesk.exe	77
PID 892 wrote to memory of 932	892	AnyDesk.exe	77
PID 892 wrote to memory of 932	892	AnyDesk.exe	77
PID 892 wrote to memory of 3216	892	AnyDesk.exe	78
PID 892 wrote to memory of 3216	892	AnyDesk.exe	78
PID 892 wrote to memory of 3216	892	AnyDesk.exe	78

C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
"C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:892
- C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
  "C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe" --local-service
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:932
- C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
  "C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe" --local-control
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:3216

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\gcapi.dll

Filesize
385KB

MD5
1ce7d5a1566c8c449d0f6772a8c27900

SHA1
60854185f6338e1bfc7497fd41aa44c5c00d8f85

SHA256
73170761d6776c0debacfbbc61b6988cb8270a20174bf5c049768a264bb8ffaf

SHA512
7e3411be8614170ae91db1626c452997dc6db663d79130872a124af982ee1d457cefba00abd7f5269adce3052403be31238aecc3934c7379d224cb792d519753

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace

Filesize
8KB

MD5
22830fcb5508f43fa0dd23164263ca1c

SHA1
7b71cf172a83542f67da8dcdae1e76ba9b0672f3

SHA256
6996bb02a2d8aa5b142a786c7f39fcd7e2f7163c086f45d0e8fa30c42e3fcb08

SHA512
9c5a6c2f9c818269fbeea4db1ee9cfa407f47be1a74de1b98a8ab030cb3c918e4b02915c523e45d36d5b82ac60e22d00787a385c86b6e6d0d39926ccefdbb303

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\service.conf

Filesize
2KB

MD5
203f9ecf672284f821092acad9bd05c1

SHA1
5d1f364f065244f0ddf36ba1ebbf14e0e1fa6ec5

SHA256
acd821090440912428fbd2bdab72c06a1b378a15ba099c1df6fe4919c7ff0911

SHA512
e6774c84d601e8a275da438ed5e0b4e91b6a79609d1c7d00a90bb37a462ae4e6ac090fe2f0d5e81fa15b3d12b69eba31579e277b2d5ebf3ee462dcfa5df8bdc5

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\service.conf

Filesize
2KB

MD5
35b11425b8443d164175a3407d0a80b0

SHA1
912a4950561915909b38cd5764f0cadc4b402629

SHA256
e37ec6dec8cfcc3ffc57c1f0ed5b9f69750cb1323566db5c53f46886aa0f7a0a

SHA512
2be7e117152b36369c79ec30d746214721add13664fa592de4d61e28a2a3719c16c02a34436f43ca43e6de6f5971644994cbdf286c6acd4bbdae2cea6df5695a

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
766B

MD5
10abca5d4b879133f0f1dde36844a8ed

SHA1
59aa486c42cafcb103bec62ac30f50bfe213f56e

SHA256
65d00d587c3a732429e36254f5474d72438f9f9618b03b520295616cd14aee36

SHA512
263df56a86294e463f5abb01e4bfe347e624af3ef9ce8bc5998ce6c2f187659333dff78a4e9eb8e09527c97fb3deccba43c1b75da12d44b9a798c44b506c0c7a

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
774B

MD5
ebe2c8e408582def54b4a247a5eb0efc

SHA1
cea94f5f04894745944ed64a528716130bcd20e0

SHA256
2272edbb29c9a41e0a1a998fbd0816558687fd1fd8c651a3599fb292a63b69ae

SHA512
4b253f340cb99f47dbcaa954523a5b341d251880adb1a993a9d29b76e06b9b6855478cff1d93e7595c29ef75a452c05abc35991214b752bc8ce18a2bd07d9024

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
831B

MD5
e2a0cc1cc20725b9eeb64ed85d08cac1

SHA1
448e83850e3e0ec7b1d1c8114c243b3aeed10cb2

SHA256
c1917091accab13f95cfde2c18409e167bf82f1daa77d492cd241617b34126a8

SHA512
de412f6a5807d1190ee104aa1f2eb2bec207e456965398dfabb27bdb2ec72040d81b170a2a28a504f575422e6c07f92381f132de21e612ae627edae08d69cda4

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
312B

MD5
0c04ad1083dc5c7c45e3ee2cd344ae38

SHA1
f1cf190f8ca93000e56d49732e9e827e2554c46f

SHA256
6452273c017db7cbe0ffc5b109bbf3f8d3282fb91bfa3c5eabc4fb8f1fc98cb0

SHA512
6c414b39bbc1f1f08446c6c6da6f6e1ceb9303bbf183ae279c872d91641ea8d67ec5e5c4e0824da3837eca73ec29fe70e92b72c09458c8ce50fa6f08791d1492

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
468B

MD5
56b4b1f549382c70b3f5cefd04609c1e

SHA1
4f5bfdb35a1a41c0c9bce649a1558478178b0cc8

SHA256
e54014a81b42cd1598a0b596aeca606f8220032c2231b87c7f2efa56e1c119e9

SHA512
d2a93dc662c6c448eaa040b4b6afa27143c21fdb3a1d63826196dba98f69fe2114afde60334c65550ffea49096a65243ebb95c894d4d304bfcf2be6733536e66

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
468B

MD5
3af221734c8cccb79e4e1d5ec1fa4c14

SHA1
2c4ff2ca02bf6ac997b6ae6eb22bba82bd2b6ab4

SHA256
845c3d7898b68a798ec74b58e1cd7878523827ef82e609c810710ea9d45e6896

SHA512
d78959242b08be5777d88bc1c1a550fbd0c75d6580789ac5a6c7b7282e5193429556d6ff04fbacb6fb7f75fae9d0b0482f98c4e6896ae3d4e30aeca6a7dec765

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
2KB

MD5
bec38c1188d4ba233b63f6c8fc74c667

SHA1
94d8c0890599a16f8b2c919eab35771fa34a520f

SHA256
00fecfddb7ca4dbf2d5ec9a6c7e80c3a7199d6ce1e849d39bd1fec3abccc04fc

SHA512
3c329a91502110183e972da704a3ff3fc5e9b5e9a56740e58d9517a38fb3f12a39fa3fe18c3475c72ac0c7ce11675815219891843d2f10c40270ae7ed24fcfa2

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
2KB

MD5
653d0f3b214f7162e87ca033078fd4fe

SHA1
df872a3274f915dbf74971e3abf62d41d298f021

SHA256
badfc360e4bb2e332456216221d60e0c01fc3742d471a6b1a3a8fcb0e2bd3abe

SHA512
aed06fe28a3f3c83677ea6788267b95b19c624d28a6a16116d2474665c9211009d87caf0ba7a27176852beff9ba71e09a655c34272e0f0c9eac7686ec10da3b6

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
6KB

MD5
ec48a9786d7f91f39b9890860536918c

SHA1
9fd855d8331da492cc36f6ba98e6d2e6474378b2

SHA256
3a0e492fa987b115876047a697ad07913c0b2a8f908401fb944d98b7cc0667b9

SHA512
644f39d82f06baf944bd4bf912a7d9f903a8ac5d8353810f4303c860283c8e841c9e7f5386ba9d2db5b183e01bd30b64eee7b881dd7342b38212a84d8ef1cd64

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
08f54bebfdc417bb7f33a191745faf11

SHA1
a7bed8c564addd84d93a3be4bb45a169d949f1ca

SHA256
ea4fd80ee5e35d924e28072e5280a30eef57f3b04b448c2827e20d1377cbf7dc

SHA512
3ab68d6c89f467be5ffe1e2108cccfc88a64d3194dca7cda7adb645c839f56bfcea1d5b77a13d0629956b5212281b0e53492d6e0170650e03d5fbfcc7633b278

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
6KB

MD5
db539cc477e131800b2e07e3905e6c3e

SHA1
9ff139011971bd9a6dc71f77364cde132efa8e85

SHA256
4098c5c8afcfc0fc676a2b149ae757be6ac4a137c6795ff6ee6e28d571bbef1e

SHA512
a51ed0a5b019739a0086de6ea59a1546039c566e97fefee5596edfb7d8b4b5c49222450118f4ef6049565fbe5c1d2e13da16053aad5391b2b02c3ef4dfbc8d45

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
6b2b64e6449f3fe165fe98f4566ed619

SHA1
924626587027aa91728010855db6bfb1917c5b41

SHA256
8f3258df1cc32e60419dc731e40cbd1373005471e9f11fc7d14476140c4d02e1

SHA512
964194849c16af44dd15c07be0f51af673646edfd58bcae638455024d604027b1297b671459f9a7c5cb347c72326f91b345187eeed372e96dce8d6a8c466c1b9

Download Submit
memory/892-0-0x00000000008B4000-0x00000000019B6000-memory.dmp

Filesize
17.0MB

Download
memory/892-226-0x00000000008B0000-0x0000000001EF2000-memory.dmp

Filesize
22.3MB

Download
memory/892-227-0x00000000008B4000-0x00000000019B6000-memory.dmp

Filesize
17.0MB

Download
memory/892-1-0x00000000008B0000-0x0000000001EF2000-memory.dmp

Filesize
22.3MB

Download
memory/892-7-0x00000000008B0000-0x0000000001EF2000-memory.dmp

Filesize
22.3MB

Download
memory/932-10-0x00000000008B0000-0x0000000001EF2000-memory.dmp

Filesize
22.3MB

Download
memory/932-41-0x0000000005B30000-0x0000000005B4B000-memory.dmp

Filesize
108KB

Download
memory/932-40-0x0000000005B30000-0x0000000005B4B000-memory.dmp

Filesize
108KB

Download
memory/932-37-0x0000000005B30000-0x0000000005B4B000-memory.dmp

Filesize
108KB

Download
memory/932-228-0x00000000008B0000-0x0000000001EF2000-memory.dmp

Filesize
22.3MB

Download
memory/3216-16-0x00000000008B0000-0x0000000001EF2000-memory.dmp

Filesize
22.3MB

Download
memory/3216-229-0x00000000008B0000-0x0000000001EF2000-memory.dmp

Filesize
22.3MB

Download