fff4b96876b0c78da96e57cf7ca1b0e0cbee4fde52047a9bde52e25b062d69ca

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
28/12/2024, 00:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

AnyDesk.exe
Size

5.3MB
MD5

0a269c555e15783351e02629502bf141
SHA1

8fefa361e9b5bce4af0090093f51bcd02892b25d
SHA256

fff4b96876b0c78da96e57cf7ca1b0e0cbee4fde52047a9bde52e25b062d69ca
SHA512

b1784109f01d004f2f618e91695fc4ab9e64989cdedc39941cb1a4e7fed9032e096190269f3baefa590cc98552af5824d0f447a03213e4ae07cf55214758725a
SSDEEP

98304:Uc9HTcGO0ImBimas54Ub5ixTStxZi/l9K0+zLVasSe4JnzMpm+Gq:UcpYGO0IOqs57bUwxG9CVaskJIYE

Score

5^/10

discovery

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	AnyDesk.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	AnyDesk.exe

Loads dropped DLL 2 IoCs

pid	Process
2288	AnyDesk.exe
772	AnyDesk.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AnyDesk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AnyDesk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AnyDesk.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AnyDesk.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	AnyDesk.exe

Suspicious use of FindShellTrayWindow 5 IoCs

pid	Process
2288	AnyDesk.exe
2288	AnyDesk.exe
2288	AnyDesk.exe
2288	AnyDesk.exe
2288	AnyDesk.exe

Suspicious use of SendNotifyMessage 5 IoCs

pid	Process
2288	AnyDesk.exe
2288	AnyDesk.exe
2288	AnyDesk.exe
2288	AnyDesk.exe
2288	AnyDesk.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 64 wrote to memory of 772	64	AnyDesk.exe	83
PID 64 wrote to memory of 772	64	AnyDesk.exe	83
PID 64 wrote to memory of 772	64	AnyDesk.exe	83
PID 64 wrote to memory of 2288	64	AnyDesk.exe	84
PID 64 wrote to memory of 2288	64	AnyDesk.exe	84
PID 64 wrote to memory of 2288	64	AnyDesk.exe	84

C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
"C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:64
- C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
  "C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe" --local-service
  2⤵
  - Checks computer location settings
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:772
- C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
  "C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe" --local-control
  2⤵
  - Checks computer location settings
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:2288

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\gcapi.dll

Filesize
385KB

MD5
1ce7d5a1566c8c449d0f6772a8c27900

SHA1
60854185f6338e1bfc7497fd41aa44c5c00d8f85

SHA256
73170761d6776c0debacfbbc61b6988cb8270a20174bf5c049768a264bb8ffaf

SHA512
7e3411be8614170ae91db1626c452997dc6db663d79130872a124af982ee1d457cefba00abd7f5269adce3052403be31238aecc3934c7379d224cb792d519753

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace

Filesize
9KB

MD5
70a2325910342faa5fc45e2b518759d7

SHA1
3b5754881b7630cf6e4cf68900d633c15969b42f

SHA256
ca5c34a9b79d57d723fdd5b24103040767a02d989ec699ca4e9e63cacf5e8d28

SHA512
b233d581fff993ba1051437775aac7a7a1701e514613c9034ea30c9f88e4b184d01b0326a8202f05fe6f69e96d7a2dde10884d8d2e1d1926e17402171c63b390

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\service.conf

Filesize
2KB

MD5
63673efbf024146d119fba75344c671b

SHA1
68673d2a8598096067ea25a2b1157ebc572fa69f

SHA256
fac08a821eb5b30cd9c6ad6c5bd85947873a29b1e39815cfa51319ea97ca6853

SHA512
b748d232bfc65a6d3268233186b30dca9ec1644e5c45443e2c1cad1e89e1227b53d7009dbe29d4b266d16cbb5f9b2c26b6f1dd7bf007b8f958de42b6a199f3ec

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\service.conf

Filesize
2KB

MD5
7dfa7924a5adecf324315e50836f7d27

SHA1
1f9cefd4fcbd0f9cc81a26f807756a30872b28bb

SHA256
3ced28b581d963f81e67cafc1da7e041a170393f42d7793670a1acb6928bcaba

SHA512
6cbb2e750e7eba6aeb56c61e6118e9e4096b232ed468baa508137e92bc96bccafc7eca67396ab64ff61b20f874ca573dd3fc4b77748c8de0b9d08b105b7db179

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
745B

MD5
43d5000e5a63fb243cb7e312cfc77bdb

SHA1
678f3ec6755166bf450523196c301c8682233680

SHA256
c36819cfc646094d7b2ba156a71ff1f1fa75f9d5766c3761326bacf85a644757

SHA512
903be300a1225696c9741ac435963c8c3a9f01155603c443e947abf2626799ba077e48b10ad7860cd6b9fe95ba912cf4eaad28fc609f6935deca10a7986770b5

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
766B

MD5
f08512c43cf56423a0ccfa4882ca1583

SHA1
aa23279868ffa1a8a607cc5c691625dcebc160ce

SHA256
49be2cdda6d79ef4e0dfa62c5a7257e6b91ae894ebd3ce8d4934e143f01ee08f

SHA512
a7e9c4330ec6e53a66a10d6040b6fd19cdcc3269da563f6166efeb849a9b61e77002b890aeda6fd840e528219fa1ece4bef225a60038dc5c2a05678a981991f5

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
832B

MD5
b35e846aedb688e6b61c8b538ca3f4ac

SHA1
92c17898bf3836c22081e9ec4501df3d539a0541

SHA256
2f69b0df487c0a8fa6c67a7be00c27c8c7acbe177fcbecee7c6225e7b13bfd55

SHA512
0a80890a675b72842251132008d4a8c33eb5e445c142cdd3c5793bc4ec8a5e7a246b6f68d07df91eb2ed929c55fe36a1e56fd985743ec279e357cdbcc9487e38

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
312B

MD5
0c04ad1083dc5c7c45e3ee2cd344ae38

SHA1
f1cf190f8ca93000e56d49732e9e827e2554c46f

SHA256
6452273c017db7cbe0ffc5b109bbf3f8d3282fb91bfa3c5eabc4fb8f1fc98cb0

SHA512
6c414b39bbc1f1f08446c6c6da6f6e1ceb9303bbf183ae279c872d91641ea8d67ec5e5c4e0824da3837eca73ec29fe70e92b72c09458c8ce50fa6f08791d1492

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
468B

MD5
051490eb908267cc2ee14ab21afb7288

SHA1
873cbe9b14f7119a1b93593974799e20b3e0ed20

SHA256
6cef92ddb047b8a9c0dc47e4c8e1c7fdc104e11d3822c952531e9056572ce5c6

SHA512
cadb20ac36b5b2678d5a9a0c0a34647308b9741d583f9aacd00e3a02273580edc304187329911b4d86bc98b8fabe1ef03d0c9a9220b8d90faa60d2c15e49f4ea

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
468B

MD5
cc1e4faa1cb01f5b4739fe03af2bc1da

SHA1
0277d8278324a4cd38fee24fe88cb0fb93c2475d

SHA256
9c2f7451a6c7b91bf0401b7b7843b38995a0e428f2f76bddbad68b1d98930d01

SHA512
62f91a7a7ef2247c9d51f8eabdef54890b9621e1eea5d4bf56c7445e69404af86523ef1072c1f53f8edc1cecc40500e516f65674e0c44ecb1bbe301631b559e0

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
6KB

MD5
0548cc511fa4cb6f8ae1091b60a747df

SHA1
4ee26960834cdf90d2e156d938f544148ac04c4e

SHA256
397a4f0c25d15b07b1696653af479cab8c7d2d4619142a2489af88ae632e758f

SHA512
1276d46460ffd11d02004dd60545ca3c6d14f51fb42d0aa131fff8bee979b7dfbcd4265fc8faa6aebf72f25d3d9710749fd4941ddf421047996877d714b51369

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
6KB

MD5
9caf76f158413ce4f47a498feedbfa7c

SHA1
c58a92c03e90ce3edba23829f264d61a39183be0

SHA256
42bda72a7396204a00be3a93ef118b347491d8764bef0e4c39915a54b9875637

SHA512
080752790b3c0441fed6de0e28a72c1d7278e1b3d4c54dca28f891cc1c47e4ba63d00a398b305a80f2ee000a1d5126b5baa6550d64045fb300ec220186126021

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
6KB

MD5
1d361edad4580a6512023b6111cb49f5

SHA1
6667f81c9ff13548d75202c4f7cce7c4a4c994fa

SHA256
042028227ddc5cc9ecc04befbed879bce3425675ea307d01f4f932937c87664d

SHA512
4fae913a899a331b76f57e6189bae7b5b0eac40fffac53caac5b62fff7fd9a6a91957d79a3fced8fed9a2302e353ffe301004c5814c640d12bac1b87ab01bb30

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
b5f18ff6f2b4ee25d978f92a2f6a640d

SHA1
8e2959569842af914b45d5fb90aaf3a19e989342

SHA256
2354a15a27d1d2b6b2029051b67cc89007b6b2dcd5bbaeae3c1ab5c153b76fcf

SHA512
3f676fe77eedbd0b5ab013f896f63056065fb187bb438adc278dd9ee5c80708ad18ed2aeed4164ac1eb6c91ffb4622e05116ea32c80611052f35fd170b4ef758

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
6KB

MD5
6a122ccfe806f4cbe1b0f64963b8a6ed

SHA1
453b56246582c62f6251927378edd4be7c883acb

SHA256
b37c3dc9fcbdf327f56be2fc3427894c201bf4221f91e90dbaed01e26265cd99

SHA512
ceda6e4cc5865c1703f05d67bf94a5fd6076d7299583340ed5816f623b5f0aeb79ecd727fb43ac68999037c8b06dc4340ff672604bc0c066f4dbdaf385feb399

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
f4d63423db40c848200f507064e60922

SHA1
4bff1f897d332ab56b2aae16b10f7fb3667dcf55

SHA256
f3148824966d940f36f4848aff6b497af9972c68b2069f4aa874de1119df71a1

SHA512
ea86a975ac4184f1151a679a10b0dd2fd187f5bebfdd7e9d71b3338a766f8212b402b0c576d3545c3d7ed32ae7989b942b9827ac674c0530495fe36f412c49f3

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
3a3a57568acee5356e17934cea3e8c94

SHA1
3b15fbe1c45cf1bf2a6860cb66068f6334fe47d4

SHA256
68ce7c6ca994069ea06ea4679db170fce67c9060a4d268174e64ace4de0199e0

SHA512
2eb49a384d797de62310b7ae133b355486d6067f800ee3c5b07a849e095b0ec07101d0b2c1494c435a97a3e63ac1cf23f4356fc5131c3714bc0fbbdf50366e89

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
f69663f1f856bb740593bd98129dc61a

SHA1
4a05b7a73836091d1379a17389a94270804b70b2

SHA256
eb38569c23e989f3cd7f4475d1d2d9f0b6b795607da60e18b24fdc9b7d51c3d2

SHA512
cc0d2748d3c5695cb60c40780546c82bc558e0d193fcb23952bdbf7eaefdc55e33a2727ff7e56112f42690a642452a27872798068a161ee18d53767409eed62c

Download Submit
memory/64-1-0x0000000000A34000-0x0000000001B36000-memory.dmp

Filesize
17.0MB

Download
memory/64-4-0x0000000000A30000-0x0000000002072000-memory.dmp

Filesize
22.3MB

Download
memory/64-0-0x0000000000A30000-0x0000000002072000-memory.dmp

Filesize
22.3MB

Download
memory/64-223-0x0000000000A30000-0x0000000002072000-memory.dmp

Filesize
22.3MB

Download
memory/64-224-0x0000000000A34000-0x0000000001B36000-memory.dmp

Filesize
17.0MB

Download
memory/772-10-0x0000000000A30000-0x0000000002072000-memory.dmp

Filesize
22.3MB

Download
memory/772-18-0x0000000000A30000-0x0000000002072000-memory.dmp

Filesize
22.3MB

Download
memory/772-49-0x0000000005340000-0x000000000535B000-memory.dmp

Filesize
108KB

Download
memory/772-53-0x0000000005340000-0x000000000535B000-memory.dmp

Filesize
108KB

Download
memory/772-52-0x0000000005340000-0x000000000535B000-memory.dmp

Filesize
108KB

Download
memory/772-225-0x0000000000A30000-0x0000000002072000-memory.dmp

Filesize
22.3MB

Download
memory/2288-12-0x0000000000A30000-0x0000000002072000-memory.dmp

Filesize
22.3MB

Download
memory/2288-226-0x0000000000A30000-0x0000000002072000-memory.dmp

Filesize
22.3MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads