fff4b96876b0c78da96e57cf7ca1b0e0cbee4fde52047a9bde52e25b062d69ca

Analysis

max time kernel
145s
max time network
149s
platform
windows11-21h2_x64
resource
win11-20241007-en
resource tags

arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
submitted
16-01-2025 19:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

AnyDesk.exe
Size

5.3MB
MD5

0a269c555e15783351e02629502bf141
SHA1

8fefa361e9b5bce4af0090093f51bcd02892b25d
SHA256

fff4b96876b0c78da96e57cf7ca1b0e0cbee4fde52047a9bde52e25b062d69ca
SHA512

b1784109f01d004f2f618e91695fc4ab9e64989cdedc39941cb1a4e7fed9032e096190269f3baefa590cc98552af5824d0f447a03213e4ae07cf55214758725a
SSDEEP

98304:Uc9HTcGO0ImBimas54Ub5ixTStxZi/l9K0+zLVasSe4JnzMpm+Gq:UcpYGO0IOqs57bUwxG9CVaskJIYE

Score

4^/10

discovery

Malware Config

Signatures

Loads dropped DLL 2 IoCs

pid	Process
3924	AnyDesk.exe
1556	AnyDesk.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AnyDesk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AnyDesk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AnyDesk.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	AnyDesk.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AnyDesk.exe

Suspicious use of FindShellTrayWindow 5 IoCs

pid	Process
3924	AnyDesk.exe
3924	AnyDesk.exe
3924	AnyDesk.exe
3924	AnyDesk.exe
3924	AnyDesk.exe

Suspicious use of SendNotifyMessage 5 IoCs

pid	Process
3924	AnyDesk.exe
3924	AnyDesk.exe
3924	AnyDesk.exe
3924	AnyDesk.exe
3924	AnyDesk.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2348 wrote to memory of 1556	2348	AnyDesk.exe	78
PID 2348 wrote to memory of 1556	2348	AnyDesk.exe	78
PID 2348 wrote to memory of 1556	2348	AnyDesk.exe	78
PID 2348 wrote to memory of 3924	2348	AnyDesk.exe	79
PID 2348 wrote to memory of 3924	2348	AnyDesk.exe	79
PID 2348 wrote to memory of 3924	2348	AnyDesk.exe	79

C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
"C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2348
- C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
  "C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe" --local-service
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:1556
- C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
  "C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe" --local-control
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:3924

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\gcapi.dll

Filesize
256KB

MD5
1e2c202611b304429423667726774cb7

SHA1
9b9ebfb38333a7f53d8e8d9c27da65d0bdeb597f

SHA256
f6be90507dfddc76d377a493cab51377af79462bbca379f2a251e1ecdebca627

SHA512
6a8ed9aed23d58ee3058b4a164d329fc4a546fded672a8aa875f53bebfeb3c5c96e649fd137657e736e00587102177a39ce4c3e871108cfc1177de57a51a2858

Download Submit
C:\Users\Admin\AppData\Local\Temp\gcapi.dll

Filesize
385KB

MD5
1ce7d5a1566c8c449d0f6772a8c27900

SHA1
60854185f6338e1bfc7497fd41aa44c5c00d8f85

SHA256
73170761d6776c0debacfbbc61b6988cb8270a20174bf5c049768a264bb8ffaf

SHA512
7e3411be8614170ae91db1626c452997dc6db663d79130872a124af982ee1d457cefba00abd7f5269adce3052403be31238aecc3934c7379d224cb792d519753

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace

Filesize
9KB

MD5
c63543b3832a251a85117e8bd0e3e8bb

SHA1
57539ad8f058356639f5f2aac4ee8885ff5644d2

SHA256
a2d190e52015983ac039fc9b5f15e8209ce3c7f1bd24bdca5c5569e7d5059c01

SHA512
263543a6db37f592067dcb2594a08b6ca78b3f9132a99c20c1de6641173c922c664cede04473aab9057189114da71265ed22617bfd0034e7a5a55e4deaac155e

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\service.conf

Filesize
2KB

MD5
953db44c005ec1a7f51961bd917b99a8

SHA1
67eaa6a40b5df4e6f2e57bbe9f11e70432a8a1fd

SHA256
40306a60d96cb193fc8d27d9e3d0f227b0901cd2a9d11b08870dd1183f0e808f

SHA512
72503f9bb63e39704fe2dfad896870855078595a258b4d40211da5f046468fdb47694423ce71b0b13ae9650c58099dee182b266005dce0b78fdd77cc5c90a61a

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\service.conf

Filesize
2KB

MD5
e60543d7a6bec02b730838dcc3379ff4

SHA1
52830328ed1048d96f0fbd1de24047eb42880945

SHA256
f0c2f368ad7129a6024e70690ad9120d459b767bac6c73450c0f6a603cdd718f

SHA512
58b67d8f8fded7e23992bd13a11661f131e8374c786d9c52d68b79717a82dec3ee504f7538f4199beb2c87801c4c9f3c5ebdd8559105929d44626057a35a99e9

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
745B

MD5
9b9d8d9ba40e697b9745c8c1f73354ee

SHA1
b87fb75bae52f75b6afc462f96c8e46d002f3497

SHA256
4d44fdcbfe3eb5413e78794065864f4c304b2bb7674b0f1ad1a3d4372df6b351

SHA512
766ab560706f7301cdd3555e5af575b87b107e4b8ecdfc8b5b866e378e95feb8ca8483ceef0e4c5fc0e850c237d030d49f0b53b17ecb4f5e62bf9ff1a04099e5

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
766B

MD5
33ab080858cf3295b63f2fcec881c76f

SHA1
05db14dfcc2779623dbd639f138b28f1819d6d54

SHA256
2b1d8db8341c30051b1f5bdb04b9337c483a49e445523f14d053af431fef5297

SHA512
6bf3e6517d002e1f3e20c6c8278b77b5eff26957dd0eb0e346572365e5282d1e7c5950ec4d079ef5573addfec4eff500502f0d1f59ac8db7a699b53c000dc949

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
832B

MD5
9c1b463477c8bc338519bf3f83feba7a

SHA1
7adebccb277adf25f19acee9fb0755b5daeb5fb1

SHA256
c6588aaca5dc0cb785b7b986fe073173a5138242319ad38a20334e2723a5f579

SHA512
8d47e81f1558f5b22e0d3d2b0834e3cfbf385c264e7b0d76ea8589231a699e93d9181e383e350bc3648d8a5b22c3d720a30085526acdf2abf578ca848c00c097

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
312B

MD5
0c04ad1083dc5c7c45e3ee2cd344ae38

SHA1
f1cf190f8ca93000e56d49732e9e827e2554c46f

SHA256
6452273c017db7cbe0ffc5b109bbf3f8d3282fb91bfa3c5eabc4fb8f1fc98cb0

SHA512
6c414b39bbc1f1f08446c6c6da6f6e1ceb9303bbf183ae279c872d91641ea8d67ec5e5c4e0824da3837eca73ec29fe70e92b72c09458c8ce50fa6f08791d1492

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
468B

MD5
497e0e75e86cde78bddec4699b992133

SHA1
5d2c1a624cdad0f6cb33be5e22917a878e9b3dbc

SHA256
9b450c329cf8c100df406f131194646ce76d5592e1fa8c513ad5296d438b0494

SHA512
6469ae3bd575264056a57f92b9b84ab0b2da1d10c71154ecf5f9de7e0fa38b7a2b604f3a64381d341274b819d94436610ea8d9421eec1524073fba4401346211

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
2KB

MD5
116cc5a681863c68c80cc1909bf8d8cc

SHA1
64f6cf5b809428b1d8b66980daad6f42d8fffacc

SHA256
ed1a70d9f11512fbcfbc5f6f92fabb6d2b89fcf288614be7087f806ebdbd7bc2

SHA512
5c39e77300eb901220d44234ae191304e0c3f573e1369f3974124a9f187ed32805c3929b204f2381d49779dc52e58bbccaab5c26ae5f968ac949cee73a30031c

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
2KB

MD5
71c03e5979d0af1bae5c32658e51059f

SHA1
eeccaa8776dc9caff547cf9570b8ee4b107fed1c

SHA256
85728d64f32ad0bb9bd482c91c082df1bb22c3a62586dcfe3b245ad6b453f94b

SHA512
6bb1b7b7b7e153017a7d37a022f2494e4c8b196e9ec591395e750ae43083be72197626d6895c4983e29b45ba6af071d69759b938ee06ecc07430707481627b03

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
2KB

MD5
6904a73af1a997a45c29e92bc565e3df

SHA1
57c70df203eb80319a9d1eda2c3b3c09e3cca1cc

SHA256
302296bbdbd9edc1a38efb2f14c7709520ab98df49c191e5669faf0e54953ab2

SHA512
c6296b12dba68767545697568ba4d0f5ef25495b4defa3df9949cceb034a101081b6062979f59a18bb7965934c98fa96b48adedc3913c1bf50afb50b553d9ec1

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
2KB

MD5
ce3b42a5d908d178dd9ecf3e3a65d3d4

SHA1
e2900ba3a56ebb4b307a165c38dfe4d33f6c768b

SHA256
cc2fe26a53521e3afb26bc7447f26394e36940be92bdd0f871caab2ccebe77e1

SHA512
694a568e3c357444c9646452c4b24fe4f0a4dc4ac06c28b59ebbebccd0daa0724675276df1f07846369e243b5b3f5d6b0032c861cd039c652be0a0ebaa6c6236

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
b08168c27935b95c2320530955625268

SHA1
2574bb13b7da7619d0409c16896f5eebf5fa15bd

SHA256
9414ff07468c95796f7661c1c01f08620598d6efd6a746d69fde6a6172158b6b

SHA512
e7248640f93dffd22fb5cd1c3a14c222d265cba3bd04cb93f2bc8747de446b1a04022b93abee96051b1b2b9138a08ce46567237e9516d0964ee254e9ecf98da6

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
6KB

MD5
06534b42ce8792449502de3d801d77b0

SHA1
f22ac7a6aa234dd053e44b9100cfd2156ddf9ab5

SHA256
8e998e0bc097ec832f942f815847998fc29a5334ae60a66f1923dc9ae93b309c

SHA512
e148e976d55ffe0529c3ee0844c2749e1ce41f2401fc4c50663a067bb8091a917817a96f7e255dea6078fbca8100abccf01f5bf43ab47f495085446f3f272774

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
5KB

MD5
c05b5ce7f94b98579a8a2983c8126cc1

SHA1
d250164749465c3e2b4eaf6178a19ff62dc18c1a

SHA256
29a1858ef32e1d04b89ae128e38753c9355a872283e2ccc5f86c9cff6d7093d3

SHA512
9199182b8349c2d4389c3d88b15e12018449f0f917f88e8896570ac5fcf6fd5bc7b9bc18c50230da2ac13cbd638073a389e2f70167e76647607d290b973334d2

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
6KB

MD5
da70718be87f34a0446af514321bd449

SHA1
991b5b28df5f3b743323ab7c786e35e96cf89135

SHA256
b97e06f9c930b1743c38056952ec5c2a63fe714a7edc2e09e064a4360f959176

SHA512
50e5ad7e1c89e22c482545136b6e141c5b5f9a3f38db3d1e20fb11abc913110a87cb9460baeafc223f8ab973edde0e846da9ef18abe968419f5eef17efa39eb8

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
2814d1fe8a200311878119b6a548d8e9

SHA1
6bd96c8400f7d3f72dace8acdb49d78d032f986c

SHA256
3ded9be831a0e2fcea11056617d27a4c3c94614909d1f8f58961198868189c45

SHA512
aaa68ff0a43116520d398ab52de825f860a1162f892a719f258f8b75a27f447486e32627c50c9b14e8c27e3f23115035913ab36da348c27c43f5c736f896c325

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
fe8accdb20b69d0757f2ae69b130865e

SHA1
27abc9175fc3d68a5a6a9d67354528dd38011e71

SHA256
e887c432b309581063647b6d4d17e2781cda1363b4650d9b79fbecf18039689f

SHA512
8fd9ea3b5455b520046f8633d1a5db5ec604e09669aa373dbedff02174f278936e8a76a9d83931b9d885e94da8d14842322e04acf7ebb51c02e40e444ab4759b

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
a4ef54574c0ef6c00ab5311f1df61d00

SHA1
f7e49c8e83be965ef50e6666fc8d6cf9c2024472

SHA256
8197b7bff63340bb0c0dd79337e4399c8573279645a54de828a313109b82810a

SHA512
1ee66d501bfa96af8ae6b0d61ad9aafedcc8825766d3cd9e1ae62715657c4a658f4a2384edb7ec186d30096c40018467c256e90934b4e243f8eee07c3f1c85ae

Download Submit
memory/1556-41-0x00000000058E0000-0x00000000058FB000-memory.dmp

Filesize
108KB

Download
memory/1556-14-0x0000000000EF0000-0x0000000002532000-memory.dmp

Filesize
22.3MB

Download
memory/1556-38-0x00000000058E0000-0x00000000058FB000-memory.dmp

Filesize
108KB

Download
memory/1556-280-0x0000000000EF0000-0x0000000002532000-memory.dmp

Filesize
22.3MB

Download
memory/1556-42-0x00000000058E0000-0x00000000058FB000-memory.dmp

Filesize
108KB

Download
memory/1556-178-0x0000000000EF0000-0x0000000002532000-memory.dmp

Filesize
22.3MB

Download
memory/1556-10-0x0000000000EF0000-0x0000000002532000-memory.dmp

Filesize
22.3MB

Download
memory/2348-177-0x0000000000EF0000-0x0000000002532000-memory.dmp

Filesize
22.3MB

Download
memory/2348-180-0x0000000000EF4000-0x0000000001FF6000-memory.dmp

Filesize
17.0MB

Download
memory/2348-9-0x0000000000EF0000-0x0000000002532000-memory.dmp

Filesize
22.3MB

Download
memory/2348-2-0x0000000000EF0000-0x0000000002532000-memory.dmp

Filesize
22.3MB

Download
memory/2348-279-0x0000000000EF0000-0x0000000002532000-memory.dmp

Filesize
22.3MB

Download
memory/2348-0-0x0000000000EF4000-0x0000000001FF6000-memory.dmp

Filesize
17.0MB

Download
memory/3924-12-0x0000000000EF0000-0x0000000002532000-memory.dmp

Filesize
22.3MB

Download
memory/3924-179-0x0000000000EF0000-0x0000000002532000-memory.dmp

Filesize
22.3MB

Download
memory/3924-281-0x0000000000EF0000-0x0000000002532000-memory.dmp

Filesize
22.3MB

Download