fff4b96876b0c78da96e57cf7ca1b0e0cbee4fde52047a9bde52e25b062d69ca

Analysis

max time kernel
892s
max time network
899s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
04-01-2025 16:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

AnyDesk.exe
Size

5.3MB
MD5

0a269c555e15783351e02629502bf141
SHA1

8fefa361e9b5bce4af0090093f51bcd02892b25d
SHA256

fff4b96876b0c78da96e57cf7ca1b0e0cbee4fde52047a9bde52e25b062d69ca
SHA512

b1784109f01d004f2f618e91695fc4ab9e64989cdedc39941cb1a4e7fed9032e096190269f3baefa590cc98552af5824d0f447a03213e4ae07cf55214758725a
SSDEEP

98304:Uc9HTcGO0ImBimas54Ub5ixTStxZi/l9K0+zLVasSe4JnzMpm+Gq:UcpYGO0IOqs57bUwxG9CVaskJIYE

Score

5^/10

discovery

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Control Panel\International\Geo\Nation	AnyDesk.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Control Panel\International\Geo\Nation	AnyDesk.exe

Loads dropped DLL 2 IoCs

pid	Process
2468	AnyDesk.exe
2100	AnyDesk.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AnyDesk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AnyDesk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AnyDesk.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AnyDesk.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	AnyDesk.exe

Suspicious use of FindShellTrayWindow 5 IoCs

pid	Process
2468	AnyDesk.exe
2468	AnyDesk.exe
2468	AnyDesk.exe
2468	AnyDesk.exe
2468	AnyDesk.exe

Suspicious use of SendNotifyMessage 5 IoCs

pid	Process
2468	AnyDesk.exe
2468	AnyDesk.exe
2468	AnyDesk.exe
2468	AnyDesk.exe
2468	AnyDesk.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2372 wrote to memory of 2100	2372	AnyDesk.exe	31
PID 2372 wrote to memory of 2100	2372	AnyDesk.exe	31
PID 2372 wrote to memory of 2100	2372	AnyDesk.exe	31
PID 2372 wrote to memory of 2100	2372	AnyDesk.exe	31
PID 2372 wrote to memory of 2468	2372	AnyDesk.exe	32
PID 2372 wrote to memory of 2468	2372	AnyDesk.exe	32
PID 2372 wrote to memory of 2468	2372	AnyDesk.exe	32
PID 2372 wrote to memory of 2468	2372	AnyDesk.exe	32

C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
"C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2372
- C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
  "C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe" --local-service
  2⤵
  - Checks computer location settings
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:2100
- C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
  "C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe" --local-control
  2⤵
  - Checks computer location settings
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:2468

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\gcapi.dll

Filesize
385KB

MD5
1ce7d5a1566c8c449d0f6772a8c27900

SHA1
60854185f6338e1bfc7497fd41aa44c5c00d8f85

SHA256
73170761d6776c0debacfbbc61b6988cb8270a20174bf5c049768a264bb8ffaf

SHA512
7e3411be8614170ae91db1626c452997dc6db663d79130872a124af982ee1d457cefba00abd7f5269adce3052403be31238aecc3934c7379d224cb792d519753

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace

Filesize
8KB

MD5
8694a2ecdfcf0c83ffb5de117e33db24

SHA1
c755d68bc625b2daaa549f36007c4f2f29861c3a

SHA256
22ffdec14e9e9adb2b511b2031be260469d088db6fd51ca5570acd2f598eaa89

SHA512
6ba20459a6eaaf03fc27f95b35130d9fe4abfea372d88ecbce7d5869b26bf59d0ba268fc40bd05bb0ee864ac2c03d78083ac2869e792cff8d65f702ccfd97f8d

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\service.conf

Filesize
2KB

MD5
4b94e42237a8061dee6a5a5087275ef5

SHA1
6173e4c93273f1aafb1cebbeb6427a60715db1e5

SHA256
db110dd35b2470bd2f9cf0929f72d89bb2e8d807ecd8d74faa087bf27e627930

SHA512
f2566e82afc44a96ff86ee11236bc13e8771abf319d8e2aa3af192473076e16cd29856913f98a39bf2225a802e3b773ac0270367158b2920fd492e857969b549

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\service.conf

Filesize
2KB

MD5
0542eee7373efb7a987a39df261e6b3a

SHA1
aca952ee27cb0a9d48a6dfa0b3391af08d47777b

SHA256
af34e4ea37eb4d596bdb7fa0bddbde71f40bfe92d67fb02238b6011fa6146bdc

SHA512
e0a30d2746c264b1ad8c4918cd2626ea4d713a9672351a9954309bd593cd94a9303ec90ee02f3b49d4ba9f12e17472bd4cf1efe7ac2f1aa1cd6d701701fd9b76

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
766B

MD5
3bd169d518eea5de91a53c52d065c901

SHA1
31e5f5794c397dd6c72481065e7a2597321b0e5d

SHA256
e90812221db531504e441b203baf754fd1401634f79df71b70720982adcd9544

SHA512
5e31d7769019dbb9f3e029c73c7da76f5fb7ff68ed85b4b3643678e408237c50891c35d654bf437f43fe1fef1d881cb66935b67225ad0fde791a8210adf2d2b1

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
766B

MD5
12a5325e80559dc9646520fc68664985

SHA1
cec506023871f1dc98353f1111286fb161873c1a

SHA256
753c7c0cceaab79dae155e1797dbe61bf9e5b23e68d4df2b735226fa20e132e7

SHA512
e395eed3c7582bbb43e39545c0998741b8f3211055daa8e55791356d1285e30a05b63925ff7f3d006b37a3ff7574da80fd8ee6d7c6e6ee040531a2f2a74ff7e0

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
823B

MD5
8516f76aa86c2c0a611b6dfebd1379c2

SHA1
02629ec0d98f418c0709072cee8ceee1b7e4633b

SHA256
40dd6fa4a6b6e88bae1221482a51ab4e23dfdb2eabfcd0ee27c834507ef59832

SHA512
7e901e3304f1ee5104d46442502beef0a346235e31064bac5effe8382eb2abb4ffdfeb370079641e25ca629d2fa88396b3e36cb56e7e52fcd3d17a341e3dd01d

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
831B

MD5
5fdd3d08df0ff3392262a4a992d67ebc

SHA1
97b28608ad4260450a308fc3208c82c167450a83

SHA256
89458687cc30af60b1b1aa89f698b36c7fd86f39cd4167bc749d3537d7ac36ed

SHA512
dc81769ff38719a3dd3be8750a6103fd0f0083e30af9105947c7e14b66a531532a51c593ca0a961f6dbea97a2d22130ddc185d2430051b8c30fe16706a07c4bf

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
312B

MD5
0c04ad1083dc5c7c45e3ee2cd344ae38

SHA1
f1cf190f8ca93000e56d49732e9e827e2554c46f

SHA256
6452273c017db7cbe0ffc5b109bbf3f8d3282fb91bfa3c5eabc4fb8f1fc98cb0

SHA512
6c414b39bbc1f1f08446c6c6da6f6e1ceb9303bbf183ae279c872d91641ea8d67ec5e5c4e0824da3837eca73ec29fe70e92b72c09458c8ce50fa6f08791d1492

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
468B

MD5
ec931180dbd4dea29bd71785d49a8ab6

SHA1
6b2d7dc393f3bc83829742f4f1165d06e80ace0b

SHA256
89ddfab02a46cb3dba5002cf37b6ecd65c6d452c71a62800221bfba135455a56

SHA512
c4fa9b65a8da132218c5e82ed7065aa7d57ec2da91c378e89e7c7c5a4dbd2b66139ae44555578d70519509c8f15d8bc829517bd3c736f541339add8c0bf5d490

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
468B

MD5
e7c8f86f7e7dd12674043396fb0ce5f5

SHA1
f7f9876d86994eeed589bf4a46fec01aee3d6714

SHA256
a4ae7afc9961b5e6fca8e1de72ae15c72d8f6ea437ffde69d8fc11a6bbead8a2

SHA512
cb8f796e0d64988a2745c5df03a099d9b019ec5621487acf7a5e16716e0b90ba7fd94b14d67d187d38ac902b6e5768e810f83d9b08f54251454feaa7db6a0543

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
2KB

MD5
5cf36130ea72ab38c3f2a7f484bf353c

SHA1
7c7e3ceaab97f7f17a476a9fd4b2072d6846b0f5

SHA256
ee1ef1540a5660990bca9f843baf657be8ac4fd4ee74cccb3324bef270c3f974

SHA512
480256e2b1a2dd9017264035dae1df2ac651d4d8dae8dced7eea181abf1312d40b52568f86273ac6e71252e7986a3dad818d59664335dcc6ee104b8c8cafbd6f

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
8d623232b270bab40ebd9e721575378b

SHA1
a303a19647913d14f6ea13222f63e62e292344c3

SHA256
8b85eea90a5bf7379b7538b8270754b9a4215a70f8aa41f27f40629722eba1d3

SHA512
f622f59f6d2b5c710bdecdb8f8994998b7e948cda0416a6c062a9f19a14a4ed928381fc18f4b77c39a5868dce09cde61bce2fb2b80cfe548c5d1876cad7e0f60

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
2KB

MD5
a564f115fb093f99bd061b5f97a2a573

SHA1
074bbd1d4bf9cc197d27e9247c3e5dcb922503c9

SHA256
ef9ed667ed77d1aed90896f4a231355d805f0e4274f5e04bd09b5937dc3cdb28

SHA512
5d0b1f409666e85175906483b20db5042b8f7f41cb6e9ad3de270e73a17db91d3c80312b3c6f4c6322ad5fdf58610d4aad881738b96dc433a63c0bcb3fbee16d

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
5KB

MD5
9eab615e8f2c9a3c81307167bb19d2c0

SHA1
69e367e754423ffac5e6621254c3c53e1ec2a46a

SHA256
4381b20a3d388b2f03654ac5b4d3c710eb3f1e24e9848daf654fa95bfa905d36

SHA512
cd1f6319e4f5078f93b0ffdc63a89e96a76d573a9bffa7ace7dfa460215de6918c93c039c5495b7385c56eb6f7c290c7e0a122b186d2f0cf89eda1a86e56ba92

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
5KB

MD5
62201ece5d01f1c61dbb2e5946963c9a

SHA1
59f1def1e948ed5d506b92015e229cee9987bed2

SHA256
45f7fdd783a49cf184255365c87a046b665e5b3dbe04fef1f437d9890fcca1c8

SHA512
4772390f387fde3744f2af73592edefa0033b0e69d3176c027ce8ac7bedf2513a89e92d787d92d2067fec60e739ece36b9f0439b1a71a67adc3000b37bb5ce33

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
6KB

MD5
184fba11f8d4e335dd461ff23ae4ef57

SHA1
41dc9f26e649d1821705d3bcf98fb6a21cf7d3e4

SHA256
5ec73042aca725e68dcfd74f83dbfdd3c39d28d18b1fb251a4991557bd7b4cd6

SHA512
2b90c6a2d379de9a404186a88a2106bcf526202e76af842f5f6e44fd6e7be63db60495bb22f7e3edbf37949d448ea73bd31804c31fd58e282df4a3ee7c032049

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
6KB

MD5
79f89ac35bb508800abade67f6b7cf4f

SHA1
8dde1f92313394cd34480ae55a0d23704f99dfc8

SHA256
60cd26184b3426497f2e8a2be97015876e92e818ac71a72532dee58b69618323

SHA512
531b440c19c11eb8c3067bd9f68a2d50280efd8e5bb8ba9e1500a14db554ffca7575eae61c468e98e1e7ffd42c569fc7d3974ecd16f4aaabf9a2111417af176b

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
600e64491741bbdac84daa921bbd4f99

SHA1
1c03043806ac61ccac8aaeba1be8b5bd3acea503

SHA256
2fa503eeaf0c82a7adc2afc30f07fc1412651416a7cc23f2dc849f6e72a92558

SHA512
0d202f37085364cec6dd25f97606d00a67d0a829d0d252b4eeb580a9a70d2f1a7858f2ac443c64164825fa332b9a02b9f2fec70b234e1818ce88dbbe5fd6a7a2

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
af1672bd6e037bff2299e1ac7c5426ac

SHA1
96a0b123b9d8725ce9d0f2b37c6400f072438787

SHA256
9df9c2893688bc36b2baf152fcc5f900968c16303e48a475a6ca986af67cdde7

SHA512
bea9d3f7bd15bbe6f7b93477de3087e64421567904992109bbeb338d1ae91d7723b9ba070c7c3727236c7e133a53bc827702513410f67f0af15d7c297b9501e0

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
5cb50593d9e2bc901457d9fcce9249fb

SHA1
093a2ae6158bf8f3b906ff520a748e9d47930726

SHA256
ce208de89975421a2133131e6842a53668cc5792fb2f7fccad22c4f1de016ad8

SHA512
abd25650bf0310741b5413c7f9b44be4ecb204df50ac7f31b8fca8bdee0d70b015bd16a70e77dfd7f6a55f179a25a4b497614284a63a9a33649b88a41f39857e

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
7e888fd95ac2f0e4eec6bbfcdb3d84ef

SHA1
b1ee63ed53dd08eb8b1bb4f9a644e55ef7b7e7bd

SHA256
769804959088894f0529633b8667c7a5f298d8ecfab559b3fe8a28c6583edd4b

SHA512
cf2ea5288417578e9753017bd20ecd613dee4ddceba9d7d4b615114b8ee43b21041871ecb591c81d5d3b4b92e6c3adf3e1e8775c68a9c6d7e4b7acf09cb9dc43

Download Submit
memory/2100-10-0x0000000000300000-0x0000000001942000-memory.dmp

Filesize
22.3MB

Download
memory/2100-240-0x0000000000300000-0x0000000001942000-memory.dmp

Filesize
22.3MB

Download
memory/2372-2-0x0000000000304000-0x0000000001406000-memory.dmp

Filesize
17.0MB

Download
memory/2372-4-0x0000000000300000-0x0000000001942000-memory.dmp

Filesize
22.3MB

Download
memory/2372-0-0x0000000000300000-0x0000000001942000-memory.dmp

Filesize
22.3MB

Download
memory/2372-239-0x0000000000304000-0x0000000001406000-memory.dmp

Filesize
17.0MB

Download
memory/2372-238-0x0000000000300000-0x0000000001942000-memory.dmp

Filesize
22.3MB

Download
memory/2468-12-0x0000000000300000-0x0000000001942000-memory.dmp

Filesize
22.3MB

Download
memory/2468-241-0x0000000000300000-0x0000000001942000-memory.dmp

Filesize
22.3MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads