fff4b96876b0c78da96e57cf7ca1b0e0cbee4fde52047a9bde52e25b062d69ca

Analysis

max time kernel
150s
max time network
147s
platform
windows11-21h2_x64
resource
win11-20241007-en
resource tags

arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
submitted
14-01-2025 01:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

AnyDesk (1).exe
Size

5.3MB
MD5

0a269c555e15783351e02629502bf141
SHA1

8fefa361e9b5bce4af0090093f51bcd02892b25d
SHA256

fff4b96876b0c78da96e57cf7ca1b0e0cbee4fde52047a9bde52e25b062d69ca
SHA512

b1784109f01d004f2f618e91695fc4ab9e64989cdedc39941cb1a4e7fed9032e096190269f3baefa590cc98552af5824d0f447a03213e4ae07cf55214758725a
SSDEEP

98304:Uc9HTcGO0ImBimas54Ub5ixTStxZi/l9K0+zLVasSe4JnzMpm+Gq:UcpYGO0IOqs57bUwxG9CVaskJIYE

Score

4^/10

discovery

Malware Config

Signatures

Loads dropped DLL 2 IoCs

pid	Process
2832	AnyDesk (1).exe
2712	AnyDesk (1).exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AnyDesk (1).exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AnyDesk (1).exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AnyDesk (1).exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AnyDesk (1).exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	AnyDesk (1).exe

Suspicious use of FindShellTrayWindow 5 IoCs

pid	Process
2832	AnyDesk (1).exe
2832	AnyDesk (1).exe
2832	AnyDesk (1).exe
2832	AnyDesk (1).exe
2832	AnyDesk (1).exe

Suspicious use of SendNotifyMessage 5 IoCs

pid	Process
2832	AnyDesk (1).exe
2832	AnyDesk (1).exe
2832	AnyDesk (1).exe
2832	AnyDesk (1).exe
2832	AnyDesk (1).exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1944 wrote to memory of 2712	1944	AnyDesk (1).exe	77
PID 1944 wrote to memory of 2712	1944	AnyDesk (1).exe	77
PID 1944 wrote to memory of 2712	1944	AnyDesk (1).exe	77
PID 1944 wrote to memory of 2832	1944	AnyDesk (1).exe	78
PID 1944 wrote to memory of 2832	1944	AnyDesk (1).exe	78
PID 1944 wrote to memory of 2832	1944	AnyDesk (1).exe	78

C:\Users\Admin\AppData\Local\Temp\AnyDesk (1).exe
"C:\Users\Admin\AppData\Local\Temp\AnyDesk (1).exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1944
- C:\Users\Admin\AppData\Local\Temp\AnyDesk (1).exe
  "C:\Users\Admin\AppData\Local\Temp\AnyDesk (1).exe" --local-service
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:2712
- C:\Users\Admin\AppData\Local\Temp\AnyDesk (1).exe
  "C:\Users\Admin\AppData\Local\Temp\AnyDesk (1).exe" --local-control
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:2832

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\gcapi.dll

Filesize
385KB

MD5
1ce7d5a1566c8c449d0f6772a8c27900

SHA1
60854185f6338e1bfc7497fd41aa44c5c00d8f85

SHA256
73170761d6776c0debacfbbc61b6988cb8270a20174bf5c049768a264bb8ffaf

SHA512
7e3411be8614170ae91db1626c452997dc6db663d79130872a124af982ee1d457cefba00abd7f5269adce3052403be31238aecc3934c7379d224cb792d519753

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace

Filesize
10KB

MD5
5d64a516ba31294615ddb8f20800b007

SHA1
93c65f471703ccdc929842106c901ddde052eabf

SHA256
7e68019e8b98e95bc8a6aed8a7636c444d0b59573ced7245d4210501fecc73ad

SHA512
7de2dc2fd3fddf9338f1f8cdb0418479aadf81fce73f2f1746c7eb6863bc0c734834dfee08a289e8a8b150bf7fbdadb64e179255be74cdfd3026699a50ef7599

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\service.conf

Filesize
2KB

MD5
71ee9846e74eb9c30714ad0f1f968149

SHA1
efae08caa7ab9f23c03c2de5c69f24b0a49d807a

SHA256
625b51cd3cf347433ac0e43e3e472775c7f337a58651ba29a73b7b8112814490

SHA512
8d97c93a4b5368b522afc1ce14da2ced5077843af66a82fe9b6527022c97734c5438bc04114e1af0f73ef8a7933a5fb0b62e027426359d1fdc7f68551813fafa

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\service.conf

Filesize
2KB

MD5
15efa229c5eee76fff025950cfb35c62

SHA1
5b06a20f65a48d6a2604692022884b77d364e875

SHA256
c481da2f5def6df6e356581296d3aa6e8a6a8641a13f1d04534270c2ce87c4dc

SHA512
ee9e3f18287b8778a8e2b97ae43c8df6910964b40ba8c239a4b758d1e99c0e94778db43dd14afeb6d2f0f7db7a35c52d43bc658cb3be18fa5ba769f17a010e63

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
766B

MD5
547cbc76e1995d821641b649caee668b

SHA1
daac3b047f8ac5511dc727d71ba7b89fba0ebedc

SHA256
6759fe030dd13538be585c522f9f2be2d94c0ad2339577fac8d6046f049910d8

SHA512
855d0e91368e04c5bc321241d5e455ad2b9df5642bef75094c3245ede30e485f2ba3d51c33378510c1375abc7bbb828134deb1c22c0679ebee08acd45ff02c04

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
823B

MD5
fc5c7e9d167a0f75a9fe40d1be67e2a4

SHA1
31652c97c569ca0a60036d445df73756470d0bbe

SHA256
70e8b2007382455b10bdfc1fc30b8f1ea7998f6f88d83532b5c15c837c22c520

SHA512
506f587d2a371e1a9b0351cd37730a20ce3f77a1cc37c4bd79c0f154ecf7546ec9f2071823ae2957a342e40669aa9ff23d5da71cf983aea0fe4011cf52c1a2c1

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
832B

MD5
94068219c08dc148ae8bcf61ddecc466

SHA1
0c1b06cd9c2b43bda88b7bc3892cfad0d53a258f

SHA256
64d1f34cfdce30932552d89f960c06473f82260426d3afdd3373c20e9d474f5f

SHA512
6b1cfd1df5c698b419c196bffb4d20902df626e69c78fbe46409948e1d36db440080871afe9e277780ef7d38af8e352568bca2f55e0abf969b5b4c3c307c1409

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
312B

MD5
0c04ad1083dc5c7c45e3ee2cd344ae38

SHA1
f1cf190f8ca93000e56d49732e9e827e2554c46f

SHA256
6452273c017db7cbe0ffc5b109bbf3f8d3282fb91bfa3c5eabc4fb8f1fc98cb0

SHA512
6c414b39bbc1f1f08446c6c6da6f6e1ceb9303bbf183ae279c872d91641ea8d67ec5e5c4e0824da3837eca73ec29fe70e92b72c09458c8ce50fa6f08791d1492

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
468B

MD5
9cf6784794bb67da3869f1d8314d5e23

SHA1
9e446bcd12a28b965cb16c89ce980ad915616bcc

SHA256
4c839ab6b484b924e2ae31571dae0154ccc3c1df62f51c45ead18a6c713fbcbd

SHA512
3192bb3ca3e9982d6f0faa074e0d6434593f3ffe8b4d2f4eb412251aa9f14c022ac7b8fcb4fe50644dbf6be617ceb2a08c375565c7433c898271a083bed0d9a9

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
468B

MD5
838b34ece8732b5bb88e988edf0c5f11

SHA1
8a8785b78216dd61268c18e16a75a6005e034dc3

SHA256
1e3648117ffbba3d66c186eb4685823e80a3f6e5c212c9fc5fbf4662d0fe4eaf

SHA512
881e0a6885c94f05f96d8306ab6c4e292f06a7c807bcf063330beaacc718604547ac7684266802ba39d604a45ca9c68dfd9cb14f881b33d861027517916d80b9

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
5KB

MD5
74cf5a769404abe9f14ebc20e49bf660

SHA1
87a0c3561a0b5968ccc1831e27e275ce873e28e4

SHA256
ec585c755c248abdbc57f64f5b96ad0c4c4c6e91c68b6571b6dfb92505548da3

SHA512
0ce5f7331d74bd49decf1eabb8c1736b2e4839317f7f8f98cfea0c6f9b60ff071ec62d400a121f27b7d4bd80c91d15cd13cdde3ead1e8a8dcf714c09cddb8ffa

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
6KB

MD5
1152ff3f8135fa594fe71dfd813b1e7d

SHA1
c1fa4b271294bda91e312bae2a5583e68304af51

SHA256
9b4fcb35a042597cd82ca66325f63741d24985684136f53778bb1e759cec299e

SHA512
dd30b3538a1798a63875108982f60f3c41da0a62fe7c6470d7ba7ed6cb4eb01299bc298d347dfd60d07772bbeb6c12a9e78e900f02a020a3131d3e4945239ba3

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
25013f5440f46d807e50a1864b732119

SHA1
d4460c37c2f4df9eefb06327b6290e651a74c356

SHA256
1e8d31f82cc837a5c6f3049a677689c803bae18b24645fe2eb561f5191ebde27

SHA512
aae523c8c28b8a9ae7f76184a2ddd5fa0a1e640944a2d4dfab2733b1898b7498862d35361ec8d64e8ab5dd9077924a89344e182cac331e41ceefc2e06cf2d661

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
8c0467748e1b6eeccf31226bba378c7f

SHA1
dd8cbdfebb1cc67901efbd88706d0c604e99e513

SHA256
22e6413c4b081211b4d3282d9572e1c0d3ae1f2623f051908aa5ecc2ad25ba48

SHA512
00a3c91ee08a07ce7715579b5c50c1da8cc5b3718418e85fa3b44dbdf978573564f9125693c876d80ba03f4171b5a102fd1c7bcab0275f9364376c2e46d6aadd

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
52a27cc88f9eaa1c901238ac4d7fcfa7

SHA1
32eb7f9da2dc71d2ced62d272c6eaef6ced87ac0

SHA256
0967fcd4ebc5d0862b986d4dc9e4dc30cf892b50476918e039da40a23500c2c0

SHA512
45e9bf8d7dcac8e6e0f3d68992d11c935bbd40f488462a6a3ed2bb12955cf58219ac1aa370f347e6088ba43bfc4256c8047a7ad487834a561f2405733bf95a04

Download Submit
memory/1944-7-0x0000000000E90000-0x00000000024D2000-memory.dmp

Filesize
22.3MB

Download
memory/1944-183-0x0000000000E94000-0x0000000001F96000-memory.dmp

Filesize
17.0MB

Download
memory/1944-182-0x0000000000E90000-0x00000000024D2000-memory.dmp

Filesize
22.3MB

Download
memory/1944-0-0x0000000000E94000-0x0000000001F96000-memory.dmp

Filesize
17.0MB

Download
memory/1944-1-0x0000000000E90000-0x00000000024D2000-memory.dmp

Filesize
22.3MB

Download
memory/2712-38-0x0000000005600000-0x000000000561B000-memory.dmp

Filesize
108KB

Download
memory/2712-18-0x0000000000E90000-0x00000000024D2000-memory.dmp

Filesize
22.3MB

Download
memory/2712-10-0x0000000000E90000-0x00000000024D2000-memory.dmp

Filesize
22.3MB

Download
memory/2712-41-0x0000000005600000-0x000000000561B000-memory.dmp

Filesize
108KB

Download
memory/2712-42-0x0000000005600000-0x000000000561B000-memory.dmp

Filesize
108KB

Download
memory/2712-184-0x0000000000E90000-0x00000000024D2000-memory.dmp

Filesize
22.3MB

Download
memory/2832-11-0x0000000000E90000-0x00000000024D2000-memory.dmp

Filesize
22.3MB

Download
memory/2832-185-0x0000000000E90000-0x00000000024D2000-memory.dmp

Filesize
22.3MB

Download