fff4b96876b0c78da96e57cf7ca1b0e0cbee4fde52047a9bde52e25b062d69ca

Analysis

max time kernel
900s
max time network
897s
platform
windows11-21h2_x64
resource
win11-20241007-en
resource tags

arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
submitted
04/01/2025, 16:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

AnyDesk.exe
Size

5.3MB
MD5

0a269c555e15783351e02629502bf141
SHA1

8fefa361e9b5bce4af0090093f51bcd02892b25d
SHA256

fff4b96876b0c78da96e57cf7ca1b0e0cbee4fde52047a9bde52e25b062d69ca
SHA512

b1784109f01d004f2f618e91695fc4ab9e64989cdedc39941cb1a4e7fed9032e096190269f3baefa590cc98552af5824d0f447a03213e4ae07cf55214758725a
SSDEEP

98304:Uc9HTcGO0ImBimas54Ub5ixTStxZi/l9K0+zLVasSe4JnzMpm+Gq:UcpYGO0IOqs57bUwxG9CVaskJIYE

Score

4^/10

discovery

Malware Config

Signatures

Loads dropped DLL 2 IoCs

pid	Process
3540	AnyDesk.exe
4400	AnyDesk.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AnyDesk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AnyDesk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AnyDesk.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	AnyDesk.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AnyDesk.exe

Suspicious use of FindShellTrayWindow 5 IoCs

pid	Process
3540	AnyDesk.exe
3540	AnyDesk.exe
3540	AnyDesk.exe
3540	AnyDesk.exe
3540	AnyDesk.exe

Suspicious use of SendNotifyMessage 5 IoCs

pid	Process
3540	AnyDesk.exe
3540	AnyDesk.exe
3540	AnyDesk.exe
3540	AnyDesk.exe
3540	AnyDesk.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2424 wrote to memory of 4400	2424	AnyDesk.exe	77
PID 2424 wrote to memory of 4400	2424	AnyDesk.exe	77
PID 2424 wrote to memory of 4400	2424	AnyDesk.exe	77
PID 2424 wrote to memory of 3540	2424	AnyDesk.exe	78
PID 2424 wrote to memory of 3540	2424	AnyDesk.exe	78
PID 2424 wrote to memory of 3540	2424	AnyDesk.exe	78

C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
"C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2424
- C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
  "C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe" --local-service
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:4400
- C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
  "C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe" --local-control
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:3540

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\gcapi.dll

Filesize
385KB

MD5
1ce7d5a1566c8c449d0f6772a8c27900

SHA1
60854185f6338e1bfc7497fd41aa44c5c00d8f85

SHA256
73170761d6776c0debacfbbc61b6988cb8270a20174bf5c049768a264bb8ffaf

SHA512
7e3411be8614170ae91db1626c452997dc6db663d79130872a124af982ee1d457cefba00abd7f5269adce3052403be31238aecc3934c7379d224cb792d519753

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace

Filesize
9KB

MD5
5cbb8e1a112a3986f53b773c766f8162

SHA1
35ca609ccf534d0623d2055049c2a00c32425ff4

SHA256
9f8f9a0e7b982ba5da4f584ece2b5ba20877f7ccc4c1126d9e00f8e9115145d6

SHA512
1ef74ea639c6ad6d7f5c88318f23e1e3791951af6a9c715d794b97e52467be7dfd7186165d9c6e8620e6a1e911f9f9de592f5357ec37d69f3e6b47cd159ff735

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace

Filesize
9KB

MD5
2928307d03970e4d780a38890be8769d

SHA1
1b24166fcf203f62e559b45f98d2ef7cfaa4aa5a

SHA256
65680eed76dc8175e711050528a3cc531134be727c91eeade27ec75c2cb073f3

SHA512
9f3029381c77847728e9577fd3498deabe768441a4a481380cda7827457f147135751b6afef551017f0cd705b69dbb58123e19929dd8f63bdd72100592c15ad0

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\service.conf

Filesize
2KB

MD5
f5a457e6b62bcf8df3f0520046877f39

SHA1
e7ab9e0300bba60ebd4658da292f4e566c32f8b1

SHA256
a7773a7f1cbc5fc992e3972b41b51c7e7ed8a8121bfa9559faf9e09ef3c98c1b

SHA512
95e0058a0c8d99782841c93dc3f89d03fd771d859702cf9863c18b1475cdeac6573d5592d1d707f646637a075c2f7c58a85f9eec13c6ec1a83ba87438cd1a2ab

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\service.conf

Filesize
2KB

MD5
46faddfeeee4abff7156338d9ba1aeb2

SHA1
1906286779acf95ab38e5d470bdfdb4c70685641

SHA256
41834def0d99d0c466f6c54fcad7457d924469bb81ecb874e498dd2088c0302c

SHA512
8f34f4b805defe4f41d9d3b8c9c5a754f2bf130e2ce6179f3ac2afa3838e33901e1fa49a471506aa9bf09ecff0802882f2b01e756ceca80d7f7961f5e90b07cf

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
744B

MD5
fc8efbdb2007c229bb1f8b928d45c225

SHA1
435dc3a6f6e4158a42468e469025d13cf337226b

SHA256
9e5bc4cb5f4285a355d39432990a6506a466c34224d25d8288830902b118d864

SHA512
0860eb7493b3b657dfa999e5355e59ac766466e8f070d4d6136c8a3c2f90eb17ba5d468a26e4be0a0d30a63b84c2fb27e4056ff9deb4cb2f24010504d9c82a5d

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
765B

MD5
fec3315e25a5857150aecea5784da598

SHA1
10d8822d521f285c3582440b5253e1c679db2602

SHA256
1e0c34c92a08b5b21d66df875355edd53a43829818a04126249b2e9f36f247e8

SHA512
c958f50a2b972106800a2c609eaf40b92789cd62595137d97bb5746feb6d984e2cac5fc881ca2cf12705e59f25bbcb84c2ac881ce398e154ef5faa5cf7b2ed9b

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
822B

MD5
655831e454b93b4d08d797d186c418c1

SHA1
be74be80ec9d434747becf29a74bb053f82d2766

SHA256
c9f7e414cde3cedc897628e16c96fb4e2b5c574be787e6b12c949cf737a14618

SHA512
ffc23d9b38cf2b917f64935efe89b2581d200cd530d2efa8e300b8b6a954da5721cd5ef4ca5c6a1e3fb33d8f3872829f1500a26b1d5840758ada0d4f853082da

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
831B

MD5
361bf3335412cef0ea3d0b1dec2de8a8

SHA1
ef78007cd4a49a9c21978ef9b24133c0e748074a

SHA256
2572fe60450c0939a233452595071314ce40faaa809a3fb8390b4414aff3c28b

SHA512
e428e7e82ab67898669284c9776725f49fa993e735e6531a0e77894a2eddecaf54f91645745b22edcc358ef4d4d10d881276dbee3903fa939c40f1c73e1728ac

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
312B

MD5
0c04ad1083dc5c7c45e3ee2cd344ae38

SHA1
f1cf190f8ca93000e56d49732e9e827e2554c46f

SHA256
6452273c017db7cbe0ffc5b109bbf3f8d3282fb91bfa3c5eabc4fb8f1fc98cb0

SHA512
6c414b39bbc1f1f08446c6c6da6f6e1ceb9303bbf183ae279c872d91641ea8d67ec5e5c4e0824da3837eca73ec29fe70e92b72c09458c8ce50fa6f08791d1492

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
468B

MD5
f9f8c7315c6642b2255c407c2cce75bc

SHA1
d7ac4d63e9c76fb94edf19b124246cf743dddda1

SHA256
f1609f0fb2a12f245ab24d68861f548d1995751e09a125ad2938c1ad338427fb

SHA512
a00fcefaa62520e441f1f0a284924cd419d3ff312c18cfae89b6ba0aa1d1b8a7a359725b6ee848fefdd16adeb29d3e387191cefd02e5f33f2297713035384a20

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
468B

MD5
59116fca0f81698e03bfc1c30f324797

SHA1
0e753feee13a9caa2996d6bed3a2a61f475d4637

SHA256
09580fc5da3299416922a88ef63070ef2e535d5cc5034b0d3246980603a8c924

SHA512
aab77f9c299736f307add3f21b59673bf167020c4b7fd10ba725a17edd6b9017796f34227b51777d01515c27fdb87bf57a3ec6a11d93d6749aa154b6feb70176

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
2KB

MD5
73c2198e279db8c225897bff74db0fb4

SHA1
af98cc38af87ab00e27bbfc037100a3adb9e958d

SHA256
5a6d0212817428f661499e9cb9b68d29f645974bd411a8f99720fa394a1a1cc4

SHA512
c6fdd57d64d33a1eef394ec5ed93a1ef548d4dcac9a3ceecf44453115cb2d5d253534a727e2460b4787fbe380ff6de219959f82778f2572bc47b0a401744bc13

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
2KB

MD5
53c897cbf9d86d37b71c7eb2ae2b2e9c

SHA1
b20c3426eaae7a02ed91e21379e9628ec1e527af

SHA256
8802e54cf76e82d2fbee924faf65a79645eaea3f1a53dd8e047f4815c7f56389

SHA512
44266fb6a58359f7bb216106f9e2e12777782dbf9b9eb6a6897c83fde5b618fb886797398141a4e6c57bf1819e2deb73ae3cbc8ed2787997d6e6d6d8658ad3be

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
6KB

MD5
e4a6820a6d46b6ef273c8d2531a708ae

SHA1
131f95c12267df4a9281a5f1f5b0088c9374ea94

SHA256
1502380f9cca2fa7db75b0843090788ec390caf6ec87060615b309647057112a

SHA512
b9babac1c968902938cdfaab3c79d2a93a3bb98f654d503849b67ce8e09f1b0357670802734b49b8cfbe0c4a5b847f9798df1abe1d9c0d7aefdddd3486e6e935

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
5KB

MD5
bedcb3f5c50dfdb9223d8087af07ca49

SHA1
423a7f8528190c29bb2007e9c24f6bfd84cd369a

SHA256
65a8265dbf4e184db7e335364a5557a7c6610ab6b48bbde41ed8633bd0307fd3

SHA512
f2b82622a8c6db4b5d3e1aa212d5c4569e58143981d7efd43a847206f480b5d86abde5baa2e4e188842f99d9437ea16e114d29094cf5865847f224489b9c9e5f

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
6073f20ad415e918cd05b8eba27c3261

SHA1
1dda110e995f0743580028fdf1e48d336942b7f3

SHA256
8af5d1c49e86330de44c0a8240fedcb982eef490ef73302da11d52083132d4a4

SHA512
93e25a6858beadc55b0f4b48a026c63fb007b3655b7de2deb56eabeca8bed9f6af187e6ef7e4089bf254346f43b8b5bcec2c9e612c1521511fa1147cc1cf3743

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
6KB

MD5
6f3ae8a2369a0a1aaad100a2ca0f9133

SHA1
b9d6387190935cf80537a7c0fed3608f5f314bfa

SHA256
f5854dd3393c0d5826e4f53fa839648c1ec65b3a08524499d51d910c711d0967

SHA512
f511c33c3a1a698d2572e2c3d72e03c34e852298b6cdfcbac1062785d24948b933491f4012e0df5da9db4ae8b5baa84f0fcaf942edd46f0c38115a6cb43c403c

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
8bf09bf4ef3d63e003fc0d60b1aa05bd

SHA1
914475e0690986555e1343532917eed123fc226f

SHA256
c1f4c36c20de4581f17b012c76562d414f0bcc239a97e4bef23cd2f006aefeef

SHA512
4570deea729872127d6184d4e3f81049b790b3e13bd2834882721cc670b4ffbcb7d868b4584af8aec5c7cc8f6e8bf08044d3b7f27cac69cbfcb135f9390bd502

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
e5fe281bb908860cb35e9fd9ffdf619e

SHA1
12b832fdfbfa2c68be0b7ebc761a8f29fe7b20e8

SHA256
b693afcac7915cd8cf437ef670a27f1404187f30f3e9c8a864301bf1ebd2af88

SHA512
2147302fe257f6632de41bbbc5391683832898863063f231339defe8c4259d434da25600628efef0738624981060fe858c8e93615c0e44f46846c9722af31799

Download Submit
memory/2424-0-0x0000000000E64000-0x0000000001F66000-memory.dmp

Filesize
17.0MB

Download
memory/2424-7-0x0000000000E60000-0x00000000024A2000-memory.dmp

Filesize
22.3MB

Download
memory/2424-225-0x0000000000E60000-0x00000000024A2000-memory.dmp

Filesize
22.3MB

Download
memory/2424-228-0x0000000000E64000-0x0000000001F66000-memory.dmp

Filesize
17.0MB

Download
memory/2424-1-0x0000000000E60000-0x00000000024A2000-memory.dmp

Filesize
22.3MB

Download
memory/3540-12-0x0000000000E60000-0x00000000024A2000-memory.dmp

Filesize
22.3MB

Download
memory/3540-227-0x0000000000E60000-0x00000000024A2000-memory.dmp

Filesize
22.3MB

Download
memory/3540-14-0x0000000000E60000-0x00000000024A2000-memory.dmp

Filesize
22.3MB

Download
memory/4400-39-0x00000000056B0000-0x00000000056CB000-memory.dmp

Filesize
108KB

Download
memory/4400-10-0x0000000000E60000-0x00000000024A2000-memory.dmp

Filesize
22.3MB

Download
memory/4400-226-0x0000000000E60000-0x00000000024A2000-memory.dmp

Filesize
22.3MB

Download
memory/4400-42-0x00000000056B0000-0x00000000056CB000-memory.dmp

Filesize
108KB

Download
memory/4400-43-0x00000000056B0000-0x00000000056CB000-memory.dmp

Filesize
108KB

Download