fff4b96876b0c78da96e57cf7ca1b0e0cbee4fde52047a9bde52e25b062d69ca

Analysis

max time kernel
801s
max time network
810s
platform
windows11-21h2_x64
resource
win11-20241007-en
resource tags

arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
submitted
21-01-2025 07:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

AnyDesk.exe
Size

5.3MB
MD5

0a269c555e15783351e02629502bf141
SHA1

8fefa361e9b5bce4af0090093f51bcd02892b25d
SHA256

fff4b96876b0c78da96e57cf7ca1b0e0cbee4fde52047a9bde52e25b062d69ca
SHA512

b1784109f01d004f2f618e91695fc4ab9e64989cdedc39941cb1a4e7fed9032e096190269f3baefa590cc98552af5824d0f447a03213e4ae07cf55214758725a
SSDEEP

98304:Uc9HTcGO0ImBimas54Ub5ixTStxZi/l9K0+zLVasSe4JnzMpm+Gq:UcpYGO0IOqs57bUwxG9CVaskJIYE

Score

4^/10

discovery

Malware Config

Signatures

Loads dropped DLL 2 IoCs

pid	Process
3540	AnyDesk.exe
5804	AnyDesk.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AnyDesk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AnyDesk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AnyDesk.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AnyDesk.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	AnyDesk.exe

Suspicious use of FindShellTrayWindow 7 IoCs

pid	Process
3540	AnyDesk.exe
3540	AnyDesk.exe
3540	AnyDesk.exe
3540	AnyDesk.exe
3540	AnyDesk.exe
3540	AnyDesk.exe
3540	AnyDesk.exe

Suspicious use of SendNotifyMessage 7 IoCs

pid	Process
3540	AnyDesk.exe
3540	AnyDesk.exe
3540	AnyDesk.exe
3540	AnyDesk.exe
3540	AnyDesk.exe
3540	AnyDesk.exe
3540	AnyDesk.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 760 wrote to memory of 5804	760	AnyDesk.exe	79
PID 760 wrote to memory of 5804	760	AnyDesk.exe	79
PID 760 wrote to memory of 5804	760	AnyDesk.exe	79
PID 760 wrote to memory of 3540	760	AnyDesk.exe	80
PID 760 wrote to memory of 3540	760	AnyDesk.exe	80
PID 760 wrote to memory of 3540	760	AnyDesk.exe	80

C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
"C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:760
- C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
  "C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe" --local-service
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:5804
- C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
  "C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe" --local-control
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:3540

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\gcapi.dll

Filesize
385KB

MD5
1ce7d5a1566c8c449d0f6772a8c27900

SHA1
60854185f6338e1bfc7497fd41aa44c5c00d8f85

SHA256
73170761d6776c0debacfbbc61b6988cb8270a20174bf5c049768a264bb8ffaf

SHA512
7e3411be8614170ae91db1626c452997dc6db663d79130872a124af982ee1d457cefba00abd7f5269adce3052403be31238aecc3934c7379d224cb792d519753

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace

Filesize
9KB

MD5
0aa06aa1619ecc3b7668cb625c1786d8

SHA1
d1f9022145440a0a06b2dc739abb5ba82cdc02c5

SHA256
cf7a0b18b3802fb79ec04399723ec3e728ba27ae80db348baa421b1ef283419d

SHA512
82259b36f6da70bbfd612e8a8341a2440563aaa2a926816a457623c523417b823bbdcb31ffdc634867e88c204c9d60e394a4e339c51b0f535894bdb4190c8170

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace

Filesize
8KB

MD5
a22e480436d4a8e77e973be9775e13de

SHA1
e17bb2a029eb92d2065a69b82ce21505640f3ac2

SHA256
b9f8abb33146dbebf5048fb2c83845d534b22be73d92defe14296b8d137f6196

SHA512
18b9f4b80e6845099c7269afcc4e94f218aa396151786ef71a3620915a7926298be109143a8ebaabba2cfbcbb2224be68c02c7245ad0af582921bb7cfcee754d

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\service.conf

Filesize
2KB

MD5
bb93db9c7f7501d187008deeb1518c2c

SHA1
784f8a6c8eca2d0e0ad77ba022ce4e7f134a7a62

SHA256
826bf0c5af3c3d04205da919dad7a0028b9f3194d53497608ead80819d594584

SHA512
f16c143255b8f6ad2593bcd78ffdb9c936281ee49b06643794ae61d72d2c6cd3abf34aa65e91218c9cc85c0af7fc87378b1584897e8c66ef5618225486ec8b9f

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\service.conf

Filesize
2KB

MD5
3f8f147dd07dd4ae66fcad57af7fa56a

SHA1
2ab16b94b525ff27f6b0820a733eafb96659c34e

SHA256
33e28451ba9736d701df125e8fe42ba5ece93fb626fdd0641b34576bb24984c7

SHA512
fbdd3b48922a1ca71583881b80e5c49d1c180797312c0007d180987e01be57e0f194a1c386e62591378deec8181d8f51b9f7828f8342454f39410d7e262caf50

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
766B

MD5
2fd7a66083558e9738229201f0f45b8c

SHA1
b0cb62b8d42cb2630d01468cc5643eeb0f4a47a3

SHA256
6033d53773b265eb280b3f4d940923f6494256f6c8722b414bf8792a20848146

SHA512
ab34467df06c4f199ba56b59a0c32e675deaabdbdc2733eabb86aa3ce45c49751f4c472b2201eef5e67b8140d58e6d7f0b2213abeec1f8047ffadf1db26b2645

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
775B

MD5
309e871d8960f13e1235759514de62a5

SHA1
95ed314a9add31b5595f52f490215746c1b8cfc9

SHA256
36b950578311e2dac3f6d15f92f91adc5b45a15831b2651b6930e582986ca684

SHA512
f42d39601f5646c61239dfd3fca4aef0b576166482d96de6024b64b1d59cfc6a6b2be22a3fe608f169fba6962b30aca8f8897f0c7e851e57564679ccc9ba2d1c

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
832B

MD5
4aa7f6e283dd84b91c15e854920ddb0d

SHA1
89e78bdf013bf6a1de456302bcf625c5eecec7c8

SHA256
2d32ce5dda3f907857bd2e5b119a9c0a17dd51c1af324d757bf134d8a1cbae3e

SHA512
95cfbb1dcfae287aa3bd6c91f51e28249898593b1bf6474c354aa882c07ef3c895fdddd149a898e9dad39e6fa2118afd9c8378a5d52ec1952b16be51b412a622

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
312B

MD5
0c04ad1083dc5c7c45e3ee2cd344ae38

SHA1
f1cf190f8ca93000e56d49732e9e827e2554c46f

SHA256
6452273c017db7cbe0ffc5b109bbf3f8d3282fb91bfa3c5eabc4fb8f1fc98cb0

SHA512
6c414b39bbc1f1f08446c6c6da6f6e1ceb9303bbf183ae279c872d91641ea8d67ec5e5c4e0824da3837eca73ec29fe70e92b72c09458c8ce50fa6f08791d1492

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
468B

MD5
d305b17b4ecd6cd688a4d01fd2548e4f

SHA1
dc5eeb4d2c520f34707375b95738f67aa0746a12

SHA256
96ec6720c95ed9c78eedead35563594f6dd813589f5780487a60214f0a0185ce

SHA512
3bb93ffb3533f47be0f43028201f659bfb077a4e44331e9927ba28c8913c768b89025204aa104de717884b0ea158f9829fb1f3ff9d6f1dc6c07026829f6cc23b

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
468B

MD5
12fc9a1181a38ab3fd76efd46807dc28

SHA1
a01227f16fd18ccc09e4e63d5467b227ce07b463

SHA256
9cfc8a3ad4ff2bdb61646d93034bbe8e0088fd2f85e3533959ba430f51c74247

SHA512
37bbeaecc3dcd962cae796df7d4a021c2496da45baa7e00b1788fda600050d3e48d19952d76691b45d9ca10bca36e03c37287b310df864c902c45cc9a28023ed

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
13e29952f39dc6ee6fa0be2789c23a26

SHA1
2e92e6287914b1493351fc4933e93203af83d984

SHA256
8501fba66cb1226d2364a808332a4c2ceb17663fb4d386f57897b1a7cdd4aa3c

SHA512
aad61ab895847f0698c94f5a3d20dde1f2e0ee8265e725803bf5686c69b78e7ef9ec33c94785452c25a9335188a814848c55744fbc23339a51189c572beb4606

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
2KB

MD5
31b3321f947da0bc29acede3004e07dc

SHA1
30fe93b8dc00390f3638388a2659a02d13cc4409

SHA256
e0fa7f502e356a91f917d8dae648754ce31836a6aa4eecbd8bbc6d25272c4bbc

SHA512
a3d5d70317dac6747f71ed826a628a5febddc66bef77d1385d9284d122d2669ef3c1617979dc014eaba1844810c2aba1f39a21b779b3b36fb5759db3fec9c60d

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
6KB

MD5
34efefde818f1602d22f749f03fc740a

SHA1
56da3ec6ca9aa51a985b2a2db7767146fc55b6da

SHA256
c6aaf15e592177d8df6756af52d4d3670c4d6880614e90b5556407ebb26ce487

SHA512
28055546fa243612e4d541a2d6ea1dc8c840b8ebf3fc91c8037c04d4a387e278b9138d3afb125d37a77cb1bef03d34627389dcd2feb86dede9dc3180e266390f

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
6KB

MD5
a902fb076574418204e48b7c8876e131

SHA1
0499a44200d7e60ca18c18169c373843989bd367

SHA256
ade0dbc5ad53083ae41a0e9ba287b8fb1b82ca08cc11573016a9b6adb6e2182a

SHA512
a2e8aeaac806a33728f4fc546d86328d558887cef4c9c24d781ecd2247f5e19547eae9f90a7640375f05c7865da1f32312ef28ae654c1ee21c61882821f6d308

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
5KB

MD5
f0ecca920ad132b0a0085be6d53d0d18

SHA1
536c3a49d1c7223bcfd9de950725f0d77c1dbba3

SHA256
9fc63f288f748a22ee204fe9a87f001d8ad319dd9caedd669b6ad7e029b88ee2

SHA512
c8db5f4d3c8c30033d64944bf6c294731b899ba2d7940ccc2b9214ac6e46e3718738b46af8b3af7c63d4bf3f079a91efb433b829671c0c59cde202dcb52a71ee

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
6KB

MD5
eda7091b702350a77fabb01b013b31e4

SHA1
4c3fef5881cef3e46ffe43cc6365ccfb8811f886

SHA256
c85d08a529de742ff20ef0f2d854de11551a45dd4dc150018b6834139edfc36c

SHA512
5a5ac98e596569da00ca1d17530172fa2c5a042f4917d1527a67ec4868e8b5bd33dd80256132b82ebff4567267e4e0df39da4ad4cc8ffccba2516d4495a9f602

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
6KB

MD5
aa4611275881ed6422633a1637072aea

SHA1
e5a234065e89c80a3b2bee0dd7f1a11a17ddc7ae

SHA256
89435ef910d9d201d19e27617b412dd3fd7a7726f55b0d0b248ec7c727ed5bd8

SHA512
fa99b8a2b1b7cc15996825237bf1852f49183368a898ddf276b4202f1962ddecdcaa566593dd0f8995778da8954710bdaf88c29a5a6483fe61aa6254da2323d7

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
18851fea7aa8b9d15074296f4b573eb8

SHA1
ede9a480879da96814f796b7803305627b724901

SHA256
60de82bd4207ad43e1ecf46404a21c95117f44413b79697eb17ef6ce9808825a

SHA512
e094c6e1069242b52a4f3e269d63a5719c505779256df8977af89d0f7c376491d542ee10d22d90a6bdfe2ca76615a109404509987e04f212c0850bb7ec479115

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
a66d53b95dd53621b63e1fc205baea53

SHA1
7bcb467f107378172018f069bfbd7c3351029835

SHA256
a0ff98110aedfb30a2488086e6dd787d23da11e5652dfa58c8d32097a9bbaa9e

SHA512
e6cc7eb97793721881918c90ab5a9481079e2c5a7c5c2f15d7cc477cb9e099972dcc17268928be4485aa2f76eb510b6b7cbdee852ef88137a7d5d51842a259ff

Download Submit
memory/760-0-0x00000000006E4000-0x00000000017E6000-memory.dmp

Filesize
17.0MB

Download
memory/760-138-0x00000000006E0000-0x0000000001D22000-memory.dmp

Filesize
22.3MB

Download
memory/760-293-0x00000000006E0000-0x0000000001D22000-memory.dmp

Filesize
22.3MB

Download
memory/760-291-0x00000000006E0000-0x0000000001D22000-memory.dmp

Filesize
22.3MB

Download
memory/760-2-0x00000000006E0000-0x0000000001D22000-memory.dmp

Filesize
22.3MB

Download
memory/760-7-0x00000000006E0000-0x0000000001D22000-memory.dmp

Filesize
22.3MB

Download
memory/760-247-0x00000000006E4000-0x00000000017E6000-memory.dmp

Filesize
17.0MB

Download
memory/3540-236-0x00000000006E0000-0x0000000001D22000-memory.dmp

Filesize
22.3MB

Download
memory/3540-12-0x00000000006E0000-0x0000000001D22000-memory.dmp

Filesize
22.3MB

Download
memory/3540-295-0x00000000006E0000-0x0000000001D22000-memory.dmp

Filesize
22.3MB

Download
memory/5804-235-0x00000000006E0000-0x0000000001D22000-memory.dmp

Filesize
22.3MB

Download
memory/5804-10-0x00000000006E0000-0x0000000001D22000-memory.dmp

Filesize
22.3MB

Download
memory/5804-41-0x0000000005860000-0x000000000587B000-memory.dmp

Filesize
108KB

Download
memory/5804-38-0x0000000005860000-0x000000000587B000-memory.dmp

Filesize
108KB

Download
memory/5804-292-0x00000000006E0000-0x0000000001D22000-memory.dmp

Filesize
22.3MB

Download
memory/5804-42-0x0000000005860000-0x000000000587B000-memory.dmp

Filesize
108KB

Download
memory/5804-294-0x00000000006E0000-0x0000000001D22000-memory.dmp

Filesize
22.3MB

Download