fff4b96876b0c78da96e57cf7ca1b0e0cbee4fde52047a9bde52e25b062d69ca

Resubmissions

14-01-2025 01:19

250114-bp1w8asngy 5

14-01-2025 01:15

250114-bmeafavmhj 4

14-01-2025 01:10

250114-bjndyavmcn 5

14-01-2025 01:06

250114-bf5h2ssmaz 4

Analysis

max time kernel
150s
max time network
147s
platform
windows11-21h2_x64
resource
win11-20241007-en
resource tags

arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
submitted
14-01-2025 01:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

AnyDesk (1).exe
Size

5.3MB
MD5

0a269c555e15783351e02629502bf141
SHA1

8fefa361e9b5bce4af0090093f51bcd02892b25d
SHA256

fff4b96876b0c78da96e57cf7ca1b0e0cbee4fde52047a9bde52e25b062d69ca
SHA512

b1784109f01d004f2f618e91695fc4ab9e64989cdedc39941cb1a4e7fed9032e096190269f3baefa590cc98552af5824d0f447a03213e4ae07cf55214758725a
SSDEEP

98304:Uc9HTcGO0ImBimas54Ub5ixTStxZi/l9K0+zLVasSe4JnzMpm+Gq:UcpYGO0IOqs57bUwxG9CVaskJIYE

Score

4^/10

discovery

Malware Config

Signatures

Loads dropped DLL 2 IoCs

pid	Process
2052	AnyDesk (1).exe
3092	AnyDesk (1).exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AnyDesk (1).exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AnyDesk (1).exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AnyDesk (1).exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AnyDesk (1).exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	AnyDesk (1).exe

Suspicious use of FindShellTrayWindow 5 IoCs

pid	Process
2052	AnyDesk (1).exe
2052	AnyDesk (1).exe
2052	AnyDesk (1).exe
2052	AnyDesk (1).exe
2052	AnyDesk (1).exe

Suspicious use of SendNotifyMessage 5 IoCs

pid	Process
2052	AnyDesk (1).exe
2052	AnyDesk (1).exe
2052	AnyDesk (1).exe
2052	AnyDesk (1).exe
2052	AnyDesk (1).exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2000 wrote to memory of 3092	2000	AnyDesk (1).exe	77
PID 2000 wrote to memory of 3092	2000	AnyDesk (1).exe	77
PID 2000 wrote to memory of 3092	2000	AnyDesk (1).exe	77
PID 2000 wrote to memory of 2052	2000	AnyDesk (1).exe	78
PID 2000 wrote to memory of 2052	2000	AnyDesk (1).exe	78
PID 2000 wrote to memory of 2052	2000	AnyDesk (1).exe	78

C:\Users\Admin\AppData\Local\Temp\AnyDesk (1).exe
"C:\Users\Admin\AppData\Local\Temp\AnyDesk (1).exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2000
- C:\Users\Admin\AppData\Local\Temp\AnyDesk (1).exe
  "C:\Users\Admin\AppData\Local\Temp\AnyDesk (1).exe" --local-service
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:3092
- C:\Users\Admin\AppData\Local\Temp\AnyDesk (1).exe
  "C:\Users\Admin\AppData\Local\Temp\AnyDesk (1).exe" --local-control
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:2052

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\gcapi.dll

Filesize
385KB

MD5
1ce7d5a1566c8c449d0f6772a8c27900

SHA1
60854185f6338e1bfc7497fd41aa44c5c00d8f85

SHA256
73170761d6776c0debacfbbc61b6988cb8270a20174bf5c049768a264bb8ffaf

SHA512
7e3411be8614170ae91db1626c452997dc6db663d79130872a124af982ee1d457cefba00abd7f5269adce3052403be31238aecc3934c7379d224cb792d519753

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace

Filesize
9KB

MD5
2536b375b4bbd7cdfff60c2cca863384

SHA1
a5ce5552281a6c39cdc445092a9056758561a84e

SHA256
f2639ad419a0c4272510073a56602e955f2fb41ae1e8f90e8de51c499fb258a0

SHA512
53595200b2e45728e1bee4c4992b678ad2934a1900ccba89d824cfb756af631e2664531911d5e6efd49a2ff81602a838cb05d45d2fda07b16f87646643eaa447

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\service.conf

Filesize
2KB

MD5
b92498547988c9c339e2d7566d8ec9d9

SHA1
5e3efd3c6796a8bcf34badbcd32817728e92b386

SHA256
767ae99849e7fe27a9b5e3ceed97178d19312af37ea395688e07f0fcae815f64

SHA512
b90bbe7300d37601d40105fecf4f84798bc7ac3871f39c42fc4299a6b20b0cb322647c5cc81bb9bfebaba3977339bb6763151c355b353d1954631c272da9dec9

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\service.conf

Filesize
2KB

MD5
2b9cc1f5d34bf6558e9efa2eba8ee6eb

SHA1
607c72d5648c69c0ab553ab332021cf90e1f3cd5

SHA256
0795a35e15ff919e4dc0068448429ef60189a89d4d446a1bd6b9785861faefbd

SHA512
721af3e8b64662c19770c172ba48f512ccae72cc2087813312c3b6976f1df7e5e8b06e9efd9e295ef6ddfd8993c4f5843daa9bb31ccd6bd0cea38fd20fa672e2

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
745B

MD5
4a69c6be3967c42b9d57b12903f4efb7

SHA1
651813e6312415bb06a8279ea20f3ab3d9bb73f6

SHA256
9162b778dec521e3e2353bc7260475c566f81eb469de53aed490625279c2b9b0

SHA512
6e6a4f66b6a921cc5b58f0b59a1c650245e820bb1c54adf9dc350c9c339338e7243590a6da1933ee07689049c0cf36868d2e328a56fd6a6f8b5a0959c9c02faf

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
766B

MD5
6c5b134b57580444b1b4bc4714b4ec55

SHA1
a6ccc85ae94e2f2a0563a2d21faee80d87670ab8

SHA256
fa67a1ee5375a1779593136161cd67a86bacad6ad870ea1c950cbe5d9d4d97d3

SHA512
171abf4bf78b58403ee41798a4356696c075a187a8767780ba749be2a7acc6f96690e4eb5d623d0e1028faa6e73c1f5af206faf471809d4f10ed47ab27ba92cc

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
775B

MD5
4328d3473008ef9391d75df0e7445d67

SHA1
ac2820322e46b586e82bda25aa86be8dcc194b90

SHA256
f923efa23920ca781487dde73c894425f6b70ed15af8f0bfea994afba02bb53a

SHA512
d78b500bc3162fa969e3c0a7138f88db6c398adf0a5a73e8fa57fce28b98c82e76f5ddc33a455cc08da6a9e4820099819220fa20f95b9fcf2993f071188fea09

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
832B

MD5
4117646eeacc976de3deaff794dbeb18

SHA1
ff3d86a771a17a0b93667b6b504df3ff6b03b5e8

SHA256
c3ceee0241c35808a0487eb2e7635bd1843fccf421c5c02b0d9ca3e372732540

SHA512
caebfc66826f67200182339bde2c4f0b97086b61be7fc110ce925e9b06acad270171260d80d99ac062b6451d4dee5bb2f5d3d78045116995b2f82e656fa5be7a

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
312B

MD5
0c04ad1083dc5c7c45e3ee2cd344ae38

SHA1
f1cf190f8ca93000e56d49732e9e827e2554c46f

SHA256
6452273c017db7cbe0ffc5b109bbf3f8d3282fb91bfa3c5eabc4fb8f1fc98cb0

SHA512
6c414b39bbc1f1f08446c6c6da6f6e1ceb9303bbf183ae279c872d91641ea8d67ec5e5c4e0824da3837eca73ec29fe70e92b72c09458c8ce50fa6f08791d1492

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
468B

MD5
a1d7a75514dcb88eff60fb8b2dfdc014

SHA1
69f479c5b44f65b3c93878646bec0039e6c25f4c

SHA256
57ee6e49307968abc49708fd61f3eb1f135a28d62b49d6f7a4238cd990db3da8

SHA512
dc5e79e9716bd94c8308a9e69f9af19ea00de24ad9e1c0d766bed512e09dbaf877e345df7f1624a0c64b1d6d3a774458a733f159ca533a72349e084e2cdfa054

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
468B

MD5
0b75d5f91b4c71ab245ff1e20d434ddc

SHA1
3c3f697f38b31614eaae4079c55606ec1cb5b42e

SHA256
2d3171aee762d9da44448293485d0e59258c81d1441072d700da896e6e69103b

SHA512
5a83cfe3ad0a8b1f010f8384cbff467eb642a28ef7195fd5c8201e308977b00202fb191f65e74f876c04c76013ca39924f49c2b7b88018486407c166597a181c

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
2KB

MD5
aabacfbd5e44fc89641ac20179c803fd

SHA1
946f03b44c07d19c3217fd4a99fd8ec3eb267c88

SHA256
a79c07e4591d3527e3e2e7f92bff77d2eaba51b9c1e75e5368233d6056d200f9

SHA512
a816ad6ec7fd0de0526295abd4b080d02cbbd48912c443ee4126e6ad757f51cb5ac567cf6ff5850b68208f11739418e632cd4fc8fa8b5e71478b2d6a954fe6ee

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
2KB

MD5
b0540bfb5f8724579a455f4a6d39c255

SHA1
49d67a20df33d60157062874f08cab2022f778eb

SHA256
2614dfef42cedd7f5642477fc894785333e40c45e1df8a7a8449e382f242d37c

SHA512
cbdc165d604b0f6014537411a50ebdf1b951438083a8cedc241c1480269d32742b1b9bc92dfbb42a52664820cd741d9ec25de40fdafb25bb680f102657118ef6

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
2KB

MD5
33ce36f0ad768d5f5db049cc53decdec

SHA1
262e691d975cceda4bf2393e0d2f0ec650520da6

SHA256
73659f9e9b9e0ee9c92901e983c29c76f76d81296daef9ff768762f7bb231402

SHA512
ec33ed0978087663848560d3a001100dc8da147429c51001d08f034a1f9c33137be70e481d21158b44ea427d4e2db740a581795a72a608f17dc682985ad65129

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
2KB

MD5
ffd686483a870669e2bf69d9f14fa115

SHA1
ad970c9a9b306c4ee2ce1983d0e7cd941bf87677

SHA256
91d765c343363f07008c8e7e2d9462c942856c2d6efc39bc700fa3335987881a

SHA512
60904aecbf9f708beab581b57fcc9127b03c59da5196fa46bcf7a3001bda899aa3b0a4036f90ad1e25531e299534c0da910a59a7bfa25003ba283fdd2f7d600a

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
2KB

MD5
fd29bab02b3d6ee598b0480f6f985f01

SHA1
652419ffd8af1076dd5e6d8e4d63daa9bceab71b

SHA256
341de081bc96513473fc1d242332ddb416ead5c7472fda2a867cb8dac021b293

SHA512
ac5148a59f5f79c161535423c5a487a7a8293847bb0b83786344c107d4644533718db1caf2e8a1e780624e54681406eac262e9cda6d0c7d7275c1111e6dd50e9

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
eb8e3819d2b1ef3c31b4794129e3fb12

SHA1
75e44547f9d4726ff8319b07255e6a00c3d6ce78

SHA256
6b50fa6c6dfc631983f51114e7c91ad4c826f8c083bba21af67b04d20f9ea8bf

SHA512
b3de1e76aea56e998e95dbe3df190d2f2b693b627c46a83f89fb9b108b803d2d006467f9e24b10762ece830ca6f39c1b30a27747182acbdeeb8dbe543d657cda

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
2KB

MD5
d3d69bfcc25dcd1f71679f4fb0ef3356

SHA1
135a3662a78aba392d9b35e9bd88383a1d06492d

SHA256
e71c0e013f55df8f33e23e3f2b863ca0d10603a6547f1f9027a9521882ef76e5

SHA512
8d2243729cfcbcc1f71292de6119be2c53a45853334b537a5b675184e86a2611bbc50da2047e3bc90cc45eb2c9dc6bd05f41a27ebd2f6b4af44828e448f5e0e7

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
2KB

MD5
51086041f60239319deddbfd03f1ec77

SHA1
a1f75b8ae0a00f25846279aaf52066decfb8726a

SHA256
a48f28d15ef17f0450a5ebb9b3903d8b6a1d529683c018ca5eed9fa88a8d8204

SHA512
b306a0e4c8e847316881acf1da6b91c47ef501b55886bb80cfcb35d0071c9ccdd926b7a96cac347160c4591d24c203cfa7061ac9c3da6b3e7fdc3bcf9b14d5c8

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
2KB

MD5
9f2968330f55620fc0a8ca24729c6e79

SHA1
6f5dcfb9a51651c958fc96e28d984d26bfee930d

SHA256
503ac9b8fcbf247f91b5cf5590e3ec0e03a17c80e113ab6ad3370751c38e3c6e

SHA512
2c8608c06c57ab3f6fe03e2bda38983ed19a072bbbf03a7e075250b2113137f54812ed48d1a7a486afa0c6c86b7c586df40881dc19118f0a32028c2d066e2b24

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
6KB

MD5
d38dd93d729d4ff10f6f3ac1b9202408

SHA1
a8b56d9c7ba0f9e9d0eb3b76f1730e8c40696493

SHA256
a7dc33073d23ddd9277363f39d6f3e29454331112fceb7f6f4ebdd70996012d8

SHA512
0879dbb325fcf953ad6a40bbe0258b607ccefc2f1917a228a1c7545826acc0b9c7f1178e6396999fbb93cade1a6ff6919aad6ea44350d3f7ef7fdcfca769420b

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
469a0a1f8b805aafda2b0290aed38a84

SHA1
5c051bc2719488062b867500dbc480cff70d011e

SHA256
8c35d1eec4bdf5b6accfebb2ca0b53c4e8f36a58137ce6163d11e61d6c600c91

SHA512
2f3cab80438b1ba72008a003ddd2f049004d5885023e1d5bd9c60023de5deba4325989a923aa23cc26ad53a287f3149d37fe08b5c72cac4ddedc159ada553e57

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
18aff925214111cb49d49407dd9cb4f2

SHA1
dca17003ad07ea1d935bcf4c12e81b08be241b5f

SHA256
78c416ce3bc6cb545871ab6a8d7fe3cfbbe256a2db2ef1d026701e2de66af04e

SHA512
ab9bbbf068cb88518b5720682725b7f6655498cbe49379513d68d5e3ac771c0d29862a75f6fd04008d79225e8180dc3bb7ef1952d79ff022c24ab7bb847ea561

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
4cf202fd799f69f7ada45505d53e0a3d

SHA1
966294e849fa47e0b55a9f55ef09e0a6cd2b95df

SHA256
ad36ab87604fdb4cde624661955ef82e4dfde0fe3c9101384ab9d2ac72397613

SHA512
7281d3a8e5112c98a57990dacf6e07da714dfe6b4ca1874f79842c3b0167b5ab251cf21f29ac8ba90fdbe22c7a4872584704dfa8e15a70fa70a7132e90841667

Download Submit
memory/2000-301-0x00000000009F0000-0x0000000002032000-memory.dmp

Filesize
22.3MB

Download
memory/2000-7-0x00000000009F0000-0x0000000002032000-memory.dmp

Filesize
22.3MB

Download
memory/2000-1-0x00000000009F0000-0x0000000002032000-memory.dmp

Filesize
22.3MB

Download
memory/2000-189-0x00000000009F0000-0x0000000002032000-memory.dmp

Filesize
22.3MB

Download
memory/2000-190-0x00000000009F4000-0x0000000001AF6000-memory.dmp

Filesize
17.0MB

Download
memory/2000-0-0x00000000009F4000-0x0000000001AF6000-memory.dmp

Filesize
17.0MB

Download
memory/2052-303-0x00000000009F0000-0x0000000002032000-memory.dmp

Filesize
22.3MB

Download
memory/2052-12-0x00000000009F0000-0x0000000002032000-memory.dmp

Filesize
22.3MB

Download
memory/2052-192-0x00000000009F0000-0x0000000002032000-memory.dmp

Filesize
22.3MB

Download
memory/3092-38-0x0000000005C70000-0x0000000005C8B000-memory.dmp

Filesize
108KB

Download
memory/3092-191-0x00000000009F0000-0x0000000002032000-memory.dmp

Filesize
22.3MB

Download
memory/3092-42-0x0000000005C70000-0x0000000005C8B000-memory.dmp

Filesize
108KB

Download
memory/3092-41-0x0000000005C70000-0x0000000005C8B000-memory.dmp

Filesize
108KB

Download
memory/3092-14-0x00000000009F0000-0x0000000002032000-memory.dmp

Filesize
22.3MB

Download
memory/3092-302-0x00000000009F0000-0x0000000002032000-memory.dmp

Filesize
22.3MB

Download
memory/3092-10-0x00000000009F0000-0x0000000002032000-memory.dmp

Filesize
22.3MB

Download