fff4b96876b0c78da96e57cf7ca1b0e0cbee4fde52047a9bde52e25b062d69ca

Resubmissions

14-01-2025 01:19

250114-bp1w8asngy 5

14-01-2025 01:15

250114-bmeafavmhj 4

14-01-2025 01:10

250114-bjndyavmcn 5

14-01-2025 01:06

250114-bf5h2ssmaz 4

Analysis

max time kernel
150s
max time network
150s
platform
windows11-21h2_x64
resource
win11-20241007-en
resource tags

arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
submitted
14-01-2025 01:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

AnyDesk (1).exe
Size

5.3MB
MD5

0a269c555e15783351e02629502bf141
SHA1

8fefa361e9b5bce4af0090093f51bcd02892b25d
SHA256

fff4b96876b0c78da96e57cf7ca1b0e0cbee4fde52047a9bde52e25b062d69ca
SHA512

b1784109f01d004f2f618e91695fc4ab9e64989cdedc39941cb1a4e7fed9032e096190269f3baefa590cc98552af5824d0f447a03213e4ae07cf55214758725a
SSDEEP

98304:Uc9HTcGO0ImBimas54Ub5ixTStxZi/l9K0+zLVasSe4JnzMpm+Gq:UcpYGO0IOqs57bUwxG9CVaskJIYE

Score

4^/10

discovery

Malware Config

Signatures

Loads dropped DLL 2 IoCs

pid	Process
4120	AnyDesk (1).exe
2340	AnyDesk (1).exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AnyDesk (1).exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AnyDesk (1).exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AnyDesk (1).exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AnyDesk (1).exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	AnyDesk (1).exe

Suspicious use of FindShellTrayWindow 5 IoCs

pid	Process
4120	AnyDesk (1).exe
4120	AnyDesk (1).exe
4120	AnyDesk (1).exe
4120	AnyDesk (1).exe
4120	AnyDesk (1).exe

Suspicious use of SendNotifyMessage 5 IoCs

pid	Process
4120	AnyDesk (1).exe
4120	AnyDesk (1).exe
4120	AnyDesk (1).exe
4120	AnyDesk (1).exe
4120	AnyDesk (1).exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 3996 wrote to memory of 2340	3996	AnyDesk (1).exe	77
PID 3996 wrote to memory of 2340	3996	AnyDesk (1).exe	77
PID 3996 wrote to memory of 2340	3996	AnyDesk (1).exe	77
PID 3996 wrote to memory of 4120	3996	AnyDesk (1).exe	78
PID 3996 wrote to memory of 4120	3996	AnyDesk (1).exe	78
PID 3996 wrote to memory of 4120	3996	AnyDesk (1).exe	78

C:\Users\Admin\AppData\Local\Temp\AnyDesk (1).exe
"C:\Users\Admin\AppData\Local\Temp\AnyDesk (1).exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3996
- C:\Users\Admin\AppData\Local\Temp\AnyDesk (1).exe
  "C:\Users\Admin\AppData\Local\Temp\AnyDesk (1).exe" --local-service
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:2340
- C:\Users\Admin\AppData\Local\Temp\AnyDesk (1).exe
  "C:\Users\Admin\AppData\Local\Temp\AnyDesk (1).exe" --local-control
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:4120

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\gcapi.dll

Filesize
64KB

MD5
ecb9969b560eabbf7894b287d110eb4c

SHA1
783ded8c10cc919402a665c0702d6120405cee5d

SHA256
eb8ba080d7b2b98d9c451fbf3a43634491b1fbb563dbbfbc878cbfd728558ea6

SHA512
d86faac12f13fcb9570dff01df0ba910946a33eff1c1b1e48fb4b17b0fb61dded6abf018574ac8f3e36b9cf11ec025b2f56bb04dd00084df243e6d9d32770942

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace

Filesize
8KB

MD5
0ca9e98f14b35621f88a3e97a3bf23e6

SHA1
bc534c6a09821427f7b9db8806244195ca8a3f30

SHA256
8815d15ee7701a2ace5f595d28f5ad0f7205fe33072c10da201c7811dc2c10ee

SHA512
79b7966e382f4185ce2b748e998d6b9f85dc11772c21335f78c0c22846eef292bf626c7eca828a49f75c30d77415dbbe9393e349ffaf81c4541a348fd7777022

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\service.conf

Filesize
2KB

MD5
06d40deb6c98db08f9fa86103620f989

SHA1
785896f067a88553471483f4e495fd8482734edd

SHA256
807669798f43dfbc38af9d9940d4af7adc665a005b31978df1328f81d49bbe85

SHA512
3f1d54f6145a667c4b2a12b87c43800d0e2692eeef661b81628c2a78a2658fd204725267915b397433a9517e5bfa38f2c4367cfc742414bb82485e4035169f92

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\service.conf

Filesize
2KB

MD5
e8d5f14df6afb3ce82f4b929fda00446

SHA1
060008704e03142a7615707ba0412fdebe18e7a8

SHA256
e781943bce516a2b466585dc159839c297293a06ea1b1a7d0c50c16831738070

SHA512
62f8eec5d2560625d9da415dbd4212107a1adc73f55b9e3cd09e391b3655d22d677923f656ff56ad8a822a0361d121d7357c4a8a796260cb706a37d3c6e3f465

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
765B

MD5
789355ea299773e7d3305f431dcc78ed

SHA1
cd828341b0ba97004bc44cdbccb62baaa492712e

SHA256
645a71a0f13ce4333b1335602be2090cf1646a1a57f9d0fe087786d027ae452d

SHA512
bbde418965072edda3f81012f3626b043af90ef041ee4f1c8c367fc2dff885fc2c45b603904ac3cc42b2dc937488eb02af11042dedadff426807d2bf1b5db943

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
774B

MD5
4899ace2e19c522c0ec0c0642acc0793

SHA1
90145bf4f1a395af780df972b87e73324c07f278

SHA256
51fd81bc29d00e71f953168d011899b0f8c50e2510482faf7f76e880555a4fde

SHA512
63aaa597789872bc965bd4a2ee2f1dc85f9288a595a5cbba0e0b617d4bc619454df1bbacc58666cd0d1de01e70d6be1a8d09cbd4714bbf98136ea82f1869b90d

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
831B

MD5
08bbeeeb7241de4e7e633d3acce54ec5

SHA1
dc6fa4603001b0cd7ac3429f12c4264fd336d4f9

SHA256
d83c30c838bc8c02bd0af5ddb8eab5f14e01e8b5f852f63386b3d62bd6fe1ad3

SHA512
18989ea6fdf6f85ca1d9ef5289503b9f2ee44978c27f53f3e900467a439b77862138b49b65220f3c0769d1e3ca1ab5e2bd0f5fdf4caac5d9acb49cd478ca3d1e

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
312B

MD5
0c04ad1083dc5c7c45e3ee2cd344ae38

SHA1
f1cf190f8ca93000e56d49732e9e827e2554c46f

SHA256
6452273c017db7cbe0ffc5b109bbf3f8d3282fb91bfa3c5eabc4fb8f1fc98cb0

SHA512
6c414b39bbc1f1f08446c6c6da6f6e1ceb9303bbf183ae279c872d91641ea8d67ec5e5c4e0824da3837eca73ec29fe70e92b72c09458c8ce50fa6f08791d1492

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
468B

MD5
88ba87e0c99629ce6f1ddc6b75576ca5

SHA1
00d712a4163735dbcbaa94ad0e8e776edda2ce58

SHA256
12496aba8029bead6c1bad81a2867f9dcf98c56ca0e7b771af70c190aff84876

SHA512
056fa12486d710c49c8bcd0bcfa62ea554c0c96a6e52ae621c13c5532bd9195878b29e198d03bfc54ac04c0eb4f33520318aef6750c2175a9875070918a75243

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
468B

MD5
a83a733cf8481655fe2ac9b2528a31aa

SHA1
bc5a9f4558f29363f05205063d7e133a98cd7733

SHA256
58fdfb6cdb3993f75935d1c247eea2b6b1727f824dcb9048bfd068207bf18eb0

SHA512
7b926ca4463818fe2c9c9b2c6dfb32404d8c6c99e23b2ca867511290b5412134b4e5afc11c1afc8f8e05cfdbdafeb6154eca83ab375fa118bf3f7f72891d4724

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
2KB

MD5
662e8c02b697d0449b06330e22e24310

SHA1
f787ecc6a91615ac0d450a317cd1304d6c9b0cba

SHA256
16851d06b3db3f233b6de96a0e4987be5f5cc2bc7a6b373b77ebbb1b6500c6f3

SHA512
50ec29d6195bb7136b066ed92688148057e1e8f254c87f239da89e7cc08785f1e930a3693af5631ace090328f14b3b41d4431b02fa809b357360a9909681d7b1

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
1ef4a899dec1957d31b51b5d221ee02a

SHA1
c40b3d4c1bc81f734b9140e83afe3928b6416291

SHA256
7fe3856dc8a0a244ab8fed333493733d965607f62f5e70037484d2f20d635f51

SHA512
db34f1e19817ef32af2e10ac1a696b73dd11fbae697696c3f044dc5cca00e7150711d7deae4b4b8d276b3c499ac85130b26901494000846a8086e5caa7cc45db

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
2KB

MD5
29607c5075acf918316c0016bde834d4

SHA1
51a24b366687786120e0f130e0558e130131e077

SHA256
65657b104b3bc11e11742d58b847e23fd0ec8bd181ca5e0805c62118cdec92de

SHA512
3a9190ffc35b4caf3fd80a0c70caf27b04c129edf21500517dc13b8f1eb32d18b79814a318b9d02683d7657fecef038398dc47bfe76af9d74f3957c464c5d25f

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
6KB

MD5
3248bd5f7ff8668ec47816ad5a7bfe66

SHA1
eb341583c64bcf1e88e84213b8e518eb1068668e

SHA256
6c73eb921448ec50686b014261ececc9389b80623ec4e4d2ceaf8457acfbdd8d

SHA512
82326d790f7cc32b6dc494a629d7c6ac9e124df29ea3d70d805e93227bce54357332abe0bbd40219e1e366dfc1c886dbc9f40f5e407fd5c63209f734526b3bd9

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
6KB

MD5
68c1d4d44483c8a71798a7c8eb786ac8

SHA1
37bd7c148b77da19f5944983506d88b86bb85177

SHA256
e2d302c9a35b9d55ff4bc1451c87e470555dfd1350e0c9eddd3fe19ec14a9d54

SHA512
96a0136c1fc4ae7c4b9da30fb85b985ba5b4fb47c6818cc9ddf47d26ac25f0a249d4dd101e56f3495d84bd94c2b4a1b2c15ac25fb23b1b92696e4d3105cf49e2

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
ca19a74730ba743e451aa38debdb18c7

SHA1
a2dd74f0943b420238f1b2994060996c63ee2992

SHA256
22f324cbe5cb5f15ccd19949f891458159f3bbaefc19cfa54a5088f71c0d6991

SHA512
d421ab35a0cff16fb12a537c5db27411ed5a0b3f505cd589df283f7ee22c7b4f96462e044cb2dede10f19aabe44280ffb34012f4d1d69bf791e61ee0aa33e715

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
4e4bf35ac5197acd6d4465b77144425c

SHA1
f3d6b944e1c6645c315ce44ded58da9a9d23fc19

SHA256
00ab424140adae4e7c0420b29fa13c0db1c5b8a359874ba54797b0950acbbe32

SHA512
c46e30901d0a79c566f63c8e67d5d162995c4635bbd41fdaafcb3f2f261b13da0ecca15256fd8481d58c7daf8170a04d436a4fc04e21da8b70a8d84e25ae58b3

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
48e10de0108d19e2b757c9ee13026cc4

SHA1
dae09a6962475f069376bc5d1576227dbe6e009c

SHA256
752a330cdb5ef5b4794699e06832e644f38d070e501fd548378d9dd0e89d9834

SHA512
eacbaaa95b2902189993e5411c2f488d40b88eebb0e5777d067ac5a8c36dcc1c4f3f6f9ed6b718252cc68cf804fc1d070c54d5e22ae0e45cceb6ddc33f90ec03

Download Submit
memory/2340-39-0x0000000005340000-0x000000000535B000-memory.dmp

Filesize
108KB

Download
memory/2340-10-0x00000000005B0000-0x0000000001BF2000-memory.dmp

Filesize
22.3MB

Download
memory/2340-237-0x00000000005B0000-0x0000000001BF2000-memory.dmp

Filesize
22.3MB

Download
memory/2340-42-0x0000000005340000-0x000000000535B000-memory.dmp

Filesize
108KB

Download
memory/2340-43-0x0000000005340000-0x000000000535B000-memory.dmp

Filesize
108KB

Download
memory/2340-14-0x00000000005B0000-0x0000000001BF2000-memory.dmp

Filesize
22.3MB

Download
memory/3996-5-0x00000000005B0000-0x0000000001BF2000-memory.dmp

Filesize
22.3MB

Download
memory/3996-0-0x00000000005B4000-0x00000000016B6000-memory.dmp

Filesize
17.0MB

Download
memory/3996-1-0x00000000005B0000-0x0000000001BF2000-memory.dmp

Filesize
22.3MB

Download
memory/3996-233-0x00000000005B4000-0x00000000016B6000-memory.dmp

Filesize
17.0MB

Download
memory/3996-234-0x00000000005B0000-0x0000000001BF2000-memory.dmp

Filesize
22.3MB

Download
memory/4120-12-0x00000000005B0000-0x0000000001BF2000-memory.dmp

Filesize
22.3MB

Download
memory/4120-236-0x00000000005B0000-0x0000000001BF2000-memory.dmp

Filesize
22.3MB

Download