fff4b96876b0c78da96e57cf7ca1b0e0cbee4fde52047a9bde52e25b062d69ca

Analysis

max time kernel
293s
max time network
291s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
11-01-2025 12:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

AnyDesk.exe
Size

5.3MB
MD5

0a269c555e15783351e02629502bf141
SHA1

8fefa361e9b5bce4af0090093f51bcd02892b25d
SHA256

fff4b96876b0c78da96e57cf7ca1b0e0cbee4fde52047a9bde52e25b062d69ca
SHA512

b1784109f01d004f2f618e91695fc4ab9e64989cdedc39941cb1a4e7fed9032e096190269f3baefa590cc98552af5824d0f447a03213e4ae07cf55214758725a
SSDEEP

98304:Uc9HTcGO0ImBimas54Ub5ixTStxZi/l9K0+zLVasSe4JnzMpm+Gq:UcpYGO0IOqs57bUwxG9CVaskJIYE

Score

5^/10

discovery

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Control Panel\International\Geo\Nation	AnyDesk.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Control Panel\International\Geo\Nation	AnyDesk.exe

Loads dropped DLL 2 IoCs

pid	Process
2856	AnyDesk.exe
2736	AnyDesk.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AnyDesk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AnyDesk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AnyDesk.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AnyDesk.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	AnyDesk.exe

Suspicious use of FindShellTrayWindow 5 IoCs

pid	Process
2856	AnyDesk.exe
2856	AnyDesk.exe
2856	AnyDesk.exe
2856	AnyDesk.exe
2856	AnyDesk.exe

Suspicious use of SendNotifyMessage 5 IoCs

pid	Process
2856	AnyDesk.exe
2856	AnyDesk.exe
2856	AnyDesk.exe
2856	AnyDesk.exe
2856	AnyDesk.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2388 wrote to memory of 2736	2388	AnyDesk.exe	30
PID 2388 wrote to memory of 2736	2388	AnyDesk.exe	30
PID 2388 wrote to memory of 2736	2388	AnyDesk.exe	30
PID 2388 wrote to memory of 2736	2388	AnyDesk.exe	30
PID 2388 wrote to memory of 2856	2388	AnyDesk.exe	31
PID 2388 wrote to memory of 2856	2388	AnyDesk.exe	31
PID 2388 wrote to memory of 2856	2388	AnyDesk.exe	31
PID 2388 wrote to memory of 2856	2388	AnyDesk.exe	31

C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
"C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2388
- C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
  "C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe" --local-service
  2⤵
  - Checks computer location settings
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:2736
- C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
  "C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe" --local-control
  2⤵
  - Checks computer location settings
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:2856

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace

Filesize
5KB

MD5
0b3d27d6afb0e1b3ae3a4643821a468e

SHA1
d31cf3b89deffd84c8e00efdd0136d7fd0946d1f

SHA256
0b5cb40cc1b3076f7e42a62e4916e71694ac7f790d87b21f58409d845a66b0fd

SHA512
7567b8564be6833636bfc29febe168b655e4117b4d42be8d208c5ac53fcd166da43a8f478745e7401db5ad6e14070821bb81d4963cda56d03fd047118ed5e2e1

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\service.conf

Filesize
2KB

MD5
5cb3c3f3e271a373dff00dd73c99e765

SHA1
60f7b1014cba74241b206f57d6aa07e758ecf21c

SHA256
117df1cc179c9c5f4a484a6fa4bd206e274af7ed847504c2739e86c49930f7c4

SHA512
8c2e9c032a0fdebcd61058c4eb23efec46ad8ee790430aec1d5baa24ec50377a0be39b6bd8bc7a753516b67a19ee37ffa8b8405fb44132b4c4392e7296e9c663

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\service.conf

Filesize
2KB

MD5
69330742c002c34b4e8946bf54eef759

SHA1
2cb9e08b2e64e886ef9997ffe737b1ffa5b06ede

SHA256
48503422c36a9b4f49be27e46c5f87d6c1eb773717ce3f62cd708ff991ba0489

SHA512
1ca88cd349fb4a5efa1db5b75fd7fea305f912d8627db94a5599cd0ba7e5150675ff06c0ab988ea213836838c05eb46cc8441c648c06bbe7e99fd79139573fc7

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
766B

MD5
4fc24ceb74ea9cfa4c94550d956376b9

SHA1
5b9d74c085ab5a48d37004904860b5607cc0e0cc

SHA256
1aed8cb527192550c5764381ac11c5573d4e909a098d9044e3e79b9230f64f4a

SHA512
9b669d17faa1e4f95a22ebfc030da95606c55eb5aef584419a034769d19d82791070bf258291d17781afe525c7ef2531564a9ea16bf805d398054de09db55f71

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
766B

MD5
6c36741a30d8287370ecf3ec25c5d1ca

SHA1
29ea53c61d9029c83a9a6306dc1fab39fe5bb19e

SHA256
831abd35e5dd4afaf123f0f482663bbfab0fcc1e46f5ec78577d26ace0c16bc2

SHA512
916311fd7eb07c26925c83cb71ddcb11c4e9cad0b5f0fa6be47cc9b9dcc5634cb5508667311ba181b231456447e9877c462614f356f4bf433bd303ada8b787fd

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
823B

MD5
a216366ac9fa722f247e1f474068b201

SHA1
9fad90599c4666d7e0013b613040ff2c306b1335

SHA256
1a7ed6236734ab01ecaf615010deb150f156edff0c327eaef8cca000eefa1269

SHA512
957eb87d3afce6aaf0d7513f6e8899cbb6330b4c2da4c528d4a4929c35ad6cf9e6bbc4b44600091e02a7464ffeba5f60fb9a3ca0d9b995c666e95d15c9d2fbb6

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
831B

MD5
b0364710693e918b42a8e222682a6a63

SHA1
7ca77a3f8aae09248db2f3712932e25f3364bfec

SHA256
f17028acd723602474811c4a7837cc293797e5b77e7ed168e624ccec7c25437b

SHA512
b01cb676b3194aec8160de8ac1f2cbedcfbd13d5e5d64024aa2b6de267e1d913215b155150e596aef44817e19710f23cb61220332d4b36a83170a1b263c624c3

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
312B

MD5
0c04ad1083dc5c7c45e3ee2cd344ae38

SHA1
f1cf190f8ca93000e56d49732e9e827e2554c46f

SHA256
6452273c017db7cbe0ffc5b109bbf3f8d3282fb91bfa3c5eabc4fb8f1fc98cb0

SHA512
6c414b39bbc1f1f08446c6c6da6f6e1ceb9303bbf183ae279c872d91641ea8d67ec5e5c4e0824da3837eca73ec29fe70e92b72c09458c8ce50fa6f08791d1492

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
468B

MD5
8795f2d4644d2a07902c867c737b52b7

SHA1
58b7a7ded71675740da73fd239d066f07a223dc6

SHA256
af0cbdc63c1aa743cb35ce20a7dca4ff250c78a91afd6e6fad915e70e000f46f

SHA512
ab949e99aa05cc43ba91e61b35983ef83c5af5c6bef73b0683877c7e72283dec308909ee78f70e4ec5b86cf7933425f06decb807e9ee89c4bc8589bdea310eb6

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
aa3ade543137c2ea44b0958b50f5e90b

SHA1
23ca5de8db3544099a3d2aff25409f35b06d3309

SHA256
a0203ccaf343d2a117aad5130aba963071786f425f4b1d75b4cfca7c0df6ab6b

SHA512
e44dddc6b3b59ac1a999cf69e71a11a12cbbd2174773db556d40fa4912a830a415237d2bdd877d403ea99ab93a2d8d583d4478d58cda13ba6ce685d8211be18b

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
2KB

MD5
9c3065057b88423dbe0af3cce9061220

SHA1
5e100541ed2dceb44322bdc9b4c9a816141c9359

SHA256
138804e0479297ed7614f6321bb4aad62522f4d524aa8056ac12b805384c856a

SHA512
a75c2f8787dee50143e0be86a07cdaf500f8809eaf2e389865edcca93dc665b7938319be9682cdb24f935153fdb113ca1d829c3a0ae2689879e4c95f492adf19

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
2KB

MD5
9c8d243a9531c2b2854e6d3f575bd619

SHA1
b1892a5210981225c4d747ed21628b54167b9f6f

SHA256
912803fbf774434a86e9c259406b042860611838c19d3cd6030d26d7de2c6412

SHA512
a34347f226b997346ca2960ba95be57ffe59bbc5be302bbb24a781b63ba5210a58e17e49cc3d825aae7682a6c74b7006b077bc64583a95073161ca6f29e38262

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
2KB

MD5
3e3019a5dd52ae76ae5bed8073b1a753

SHA1
fd1b14629e58aac3504fb43566cc6a835c14fe7d

SHA256
a59b26a6b8f361be064cbadcb7e485ec9af85894cf760e1834ae6b6acc250ccf

SHA512
5dfccf24a18450abfd85fc88f405b17a42f71cceddedf297f626681210ef52c22d5c61ef3b4896fd312655d0d63bb5f7599f906479f6bcf27db5aedd53b30e5e

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
6KB

MD5
ac881430551164785c9860bc6fa761bd

SHA1
6b25d497db120d17d32afc8f5bfee4626f6340d5

SHA256
d476d98aa6bb448bc81b2d1df5c43194fc99ab58e14a442e40fb7ab086ef59d1

SHA512
6a85b3d1329b8b1fe9c42f65e4e6609383de8db9a2dc8e01373f0f96859bf96f4b35962b06f109c041d4cb0595d7ae75619277244b34a0329260d997c3ac2af2

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
9b8710077d8b51491dba9a2ac75e77f4

SHA1
07afd7faddac022724b58f6ba0fe73812e9a9525

SHA256
5f15f738de01ff31763971426e71fb490518c35931d557c19d53cbd5f865188d

SHA512
1010fb2f00b696b3b514d3940e38ad5e768db4ae3e7ec771e1fb5bfd240f18192c5125713d29f95abb98e33e149879149d589eb2fb459978613b0ae5685b0bbb

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
dd323d7e2ece26924a8c8cb71fb688ac

SHA1
a402da367107abc4b4b75cc279e6067da70df508

SHA256
62d877030a0e896faf8afe3ad53540deb037a23cf390ba8e1d4dd8f4b47fa688

SHA512
d54e798d889220cfc47bedebd36a8a66598c5e0e73d3089943316d7697897fb059835aa83dcf0821ccac04575ff1cb7b5412023c420f93c20aa77ea5e29d5950

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
e7c06903e87431986633d5afa1bb04b2

SHA1
1b99ac8caaab85ff64a4a058acfa926bf5e74a85

SHA256
862e8b7f66b15b123f28df10bf3ea2ff3f394b45f48fa3007db2603ad37abca1

SHA512
6057b5a08e0b24227fcb7e691f1709a68ab97a3c267e95b2d01efbf96fae61363b1ef48938037a968efb63f8915f791ea8cb659e92165301866099e01f753173

Download Submit
\Users\Admin\AppData\Local\Temp\gcapi.dll

Filesize
385KB

MD5
1ce7d5a1566c8c449d0f6772a8c27900

SHA1
60854185f6338e1bfc7497fd41aa44c5c00d8f85

SHA256
73170761d6776c0debacfbbc61b6988cb8270a20174bf5c049768a264bb8ffaf

SHA512
7e3411be8614170ae91db1626c452997dc6db663d79130872a124af982ee1d457cefba00abd7f5269adce3052403be31238aecc3934c7379d224cb792d519753

Download Submit
memory/2388-1-0x0000000000E70000-0x00000000024B2000-memory.dmp

Filesize
22.3MB

Download
memory/2388-5-0x0000000000E70000-0x00000000024B2000-memory.dmp

Filesize
22.3MB

Download
memory/2388-2-0x0000000000E70000-0x00000000024B2000-memory.dmp

Filesize
22.3MB

Download
memory/2388-257-0x0000000000E70000-0x00000000024B2000-memory.dmp

Filesize
22.3MB

Download
memory/2736-13-0x0000000000E70000-0x00000000024B2000-memory.dmp

Filesize
22.3MB

Download
memory/2736-258-0x0000000000E70000-0x00000000024B2000-memory.dmp

Filesize
22.3MB

Download
memory/2856-10-0x0000000000E70000-0x00000000024B2000-memory.dmp

Filesize
22.3MB

Download
memory/2856-259-0x0000000000E70000-0x00000000024B2000-memory.dmp

Filesize
22.3MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads