fff4b96876b0c78da96e57cf7ca1b0e0cbee4fde52047a9bde52e25b062d69ca

Analysis

max time kernel
142s
max time network
150s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
24-01-2025 03:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

AnyDesk.exe
Size

5.3MB
MD5

0a269c555e15783351e02629502bf141
SHA1

8fefa361e9b5bce4af0090093f51bcd02892b25d
SHA256

fff4b96876b0c78da96e57cf7ca1b0e0cbee4fde52047a9bde52e25b062d69ca
SHA512

b1784109f01d004f2f618e91695fc4ab9e64989cdedc39941cb1a4e7fed9032e096190269f3baefa590cc98552af5824d0f447a03213e4ae07cf55214758725a
SSDEEP

98304:Uc9HTcGO0ImBimas54Ub5ixTStxZi/l9K0+zLVasSe4JnzMpm+Gq:UcpYGO0IOqs57bUwxG9CVaskJIYE

Score

5^/10

discovery

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Control Panel\International\Geo\Nation	AnyDesk.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Control Panel\International\Geo\Nation	AnyDesk.exe

Loads dropped DLL 2 IoCs

pid	Process
1628	AnyDesk.exe
2420	AnyDesk.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AnyDesk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AnyDesk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AnyDesk.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AnyDesk.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	AnyDesk.exe

Suspicious use of FindShellTrayWindow 5 IoCs

pid	Process
1628	AnyDesk.exe
1628	AnyDesk.exe
1628	AnyDesk.exe
1628	AnyDesk.exe
1628	AnyDesk.exe

Suspicious use of SendNotifyMessage 5 IoCs

pid	Process
1628	AnyDesk.exe
1628	AnyDesk.exe
1628	AnyDesk.exe
1628	AnyDesk.exe
1628	AnyDesk.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1552 wrote to memory of 2420	1552	AnyDesk.exe	31
PID 1552 wrote to memory of 2420	1552	AnyDesk.exe	31
PID 1552 wrote to memory of 2420	1552	AnyDesk.exe	31
PID 1552 wrote to memory of 2420	1552	AnyDesk.exe	31
PID 1552 wrote to memory of 1628	1552	AnyDesk.exe	32
PID 1552 wrote to memory of 1628	1552	AnyDesk.exe	32
PID 1552 wrote to memory of 1628	1552	AnyDesk.exe	32
PID 1552 wrote to memory of 1628	1552	AnyDesk.exe	32

C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
"C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1552
- C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
  "C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe" --local-service
  2⤵
  - Checks computer location settings
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:2420
- C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
  "C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe" --local-control
  2⤵
  - Checks computer location settings
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:1628

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace

Filesize
5KB

MD5
dea818563fba2af3e7de1285547c10db

SHA1
5930cfd25b8a1d80b33db91670e949c40c3c92c3

SHA256
86d4bd9e8267f66c5b49f23ae8c5c2a36e125d8b5a494104b768e22672a9f963

SHA512
c62c8d304c07bd610716bc739392b965fe389c6731ba2c0693baf3a8c63abd328096ef786d141d7a694f22d6213a8103233ee44992344e902d0b3e4c77b16c2a

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace

Filesize
6KB

MD5
382ded1636f00492c5c5065e1aba2415

SHA1
367bb034a984f4746dfa10625ca88af1dc66e20b

SHA256
f2f6b640d69b62c297bd0ef251c4d1890e302d2178e8d661d0557d9e90a084f0

SHA512
7f9d7d13a0397690b7dd3555f1670fda33e9d5b5c0768dace838abb20ee6248cabcc4933537320ab5e53f4b398f8a08c2fa8e9bbd3692a5e3e267da69c4a205c

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\service.conf

Filesize
2KB

MD5
b776633a5323b9abc8cff807dcc7ffa3

SHA1
dfed7fb97b12ce746a908ef86410ba77e8557fbd

SHA256
1c667a2f7ec92f9d99ccf6da5eb04e9a03a066bf0d3c576feb236bc97dc8fc86

SHA512
fb01bcecc04ae5947b888866a088fea878335a7646e1a84841929a688cefec78e8f62f1ecd957c7cfddad7f70e7e11a3e1ca43856e3817993f700dc8975e9d0c

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\service.conf

Filesize
2KB

MD5
ccb10f2f0b5556e16a9bfb79ef3621ca

SHA1
b4fc3acd4126d089676775eb7513951c767e5940

SHA256
0314d4ee98eee8ea23a73f311519e34bf4bf1ac48336ecbb583115602201fb15

SHA512
a531735085266710ca7c739e2bb9c14b37cde7857609cf29d6a28944019174ac3686201f40498330cbc0e634764c7aa1f8d163e428a01393d66f7aa5856ff532

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
766B

MD5
7b4567ecc6591ca1900b4d9214d9edfc

SHA1
ced2162826c17492b2ab9e97c7421d00b592c057

SHA256
6eca1f8d2524c09925e301495f53a0efcee356d60a801eb8da6bdf2cf7cd0127

SHA512
ebaa58d52cfb2ea2a9a51c7a0d59aba536a39b59560d1836a7cdf86bfa3c5a39ce4ab2164b6515cbd3437cfd179e76f8f052e9ac0805e36e56af8be5cd8d0dd7

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
823B

MD5
5edcd78672724f8700813183bb7ec90a

SHA1
98ca668193e1e9e74b6de51a17fbb0e445da3318

SHA256
2eaa57e325aca7decb1b916255f6ae4d4ea2d0cc143b7697dcd55b7533c8b129

SHA512
dcdadad2c178f5a3261bbbfeef8911ee2d0e1f2f5040b3f1dcf8d814b9b60f42c63d0baa88a46fef819cb1fb402e6f09829acea2eb98e3f9c35ce09c8c720290

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
831B

MD5
b2e81784237d066318662a789b6cdca8

SHA1
13edc584702abb875e21bf3fbd5b15ab6c203bae

SHA256
d35d4294464657659e5f9941e94cbd3a1383cb0eb3bee32297272cae8ea8914e

SHA512
1be7cd24432668d4c1088b22ab66ecea8614a6f3cbfd3e43842696746aaae861ff005be5af5041e54999657caa7f02656b6a8e36668172f752da53f0f655d498

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
468B

MD5
8772ab3ed9b13210ef51f96b5109af4f

SHA1
5fe143dee9b0ea4bb11f8f454697cb63fe6f8f0f

SHA256
dd1ed55fe4866cb0d92a5c1b1a2fe7d0eb6e7eacf7de01e8157df3535a21dfcb

SHA512
66d47913f7911989f6542fe70643bd2877327a11bff636d50cca55dd55a78a38c9e0aa419aec2272e0729421643b4eb2ad94ba030c3e6f0f848bc61101f668f2

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
4c6c10342b6b0ca461ebcd6610fab8a0

SHA1
2b475baba671ec957313869c4f2cfe0a19e678b4

SHA256
791203d8a62caf591e83e1972856a36ccc4ff675caeb12d9b42d65eb3cdfcfa5

SHA512
6121e0481c173c81ff4246fd0bfe8fee85bfc179b9816a42eebb7e82d63a992e36d0d5439579539a1c9f4dd1372933a886e9c87311adde656d5dddb853755c66

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
2KB

MD5
186d707bc0f63ceaa19d41e630931fa5

SHA1
a0e505b740be9c0c795499e24329abbf93f5e342

SHA256
d6ef8ba7bb2397e6ce9acc697a08ae174485c95314da0bedcc96c31d4b1dbe0f

SHA512
6af461852dd5f4a772ed861264efe3419963784ca4d4daf2df96b07c3da4765a33406cfc29b036e69c038e0967b3e1af05ddf6b8d4117c22c4faf48515dfef97

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
e2066a8e4a830e87eaf9123571be4ee3

SHA1
9724ad8be72d363433c1544b16d1a2636a24d1a2

SHA256
d9bfbddeb19e2440e203f8e03abed64a8ade667d935c3bb0a33777a424ba6c37

SHA512
893ea62f61e1909d717c670a116f47646ab56ce6b7f37fd21dc292956bc29ef8242c6116c35294e21215ca3c7850fe7687fb18e9f30189f41fcfeca6e6e478dd

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
2KB

MD5
40e958e8b963fd8c17685563bd83ea9c

SHA1
8ef1ad1ca21c4b1e76fa11b5e3cd1b9c7c6aae79

SHA256
d45882506866f7221399884e592997aa04534245ba5adba1b2faed3e7dfac52f

SHA512
4ce62ebacd08304477b0b31b0263720bb56682e2f32c7cecbc00d9fef171ec978e330bfb6ac2523f0385e5dc1a92353f77fcb8d7bde5168c49421814ff2234d1

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
6KB

MD5
4e58ad7f093cfd598f5e0be61ab4b64a

SHA1
bb680e59670d4e33258ce2484cd7aecbfa1f2c12

SHA256
8cb30da51939d5baa7d1dbdb7ca31f86ab83926c0f29501921970ef053eaffcd

SHA512
637658b1ff865e2c4112c5ea46c52b5985a9b637ee8b608f016dd4b5b0885c9e308bc04970564687b98f153040aa2a7aea9f05e45170ca07e5ed9ad56724d1b0

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
5KB

MD5
25ca00c3764571860f9218de10f11589

SHA1
739137b451e46d6b28f5108a863b7d2c8ee6ffbd

SHA256
c20f95aba84917bbe7b058b63d39e5130654ecc598ca0c7df8de63a6c87f4055

SHA512
06a3672340faa90b7697b3ca31d0be3723f6005f9e7cfd769099e6234e24375627371a19a52daf28b795de2f6f3db4464334eb8c45390270ae298aa254a1d307

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
08ce37c68943d2c011986900e06221c9

SHA1
ef5603fc45ca90c93a32a8cf84f7c548f29c9de8

SHA256
7ebfcf603c77c13257c84671a49b1d84c73fce115f8bb0bb151bc02dce32c749

SHA512
6f7555c0e580652cdc3b53543efd2245c3eafed59bcfa3398880efa761d1919b2872af0c80d461a2c27c895a8ed25044042f330c00e7f52bf9f3df0824d887fe

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
75c3c003aa5de90ce92a5bc820b711f1

SHA1
25c3e7549c758b12911a60b857bcfa694f1785af

SHA256
01e3f5f474280da3d51629d39fba9a1ebb36089df874c1a9a6af01ee71599a4f

SHA512
4da9d2d4a366142125d90542fa361ef897bfc3193d55abf07ff7d95fe7e431215f8d3b96c89eec17caa759364115a11febac3d81ee82450e8893b3a6deb486fd

Download Submit
\Users\Admin\AppData\Local\Temp\gcapi.dll

Filesize
385KB

MD5
1ce7d5a1566c8c449d0f6772a8c27900

SHA1
60854185f6338e1bfc7497fd41aa44c5c00d8f85

SHA256
73170761d6776c0debacfbbc61b6988cb8270a20174bf5c049768a264bb8ffaf

SHA512
7e3411be8614170ae91db1626c452997dc6db663d79130872a124af982ee1d457cefba00abd7f5269adce3052403be31238aecc3934c7379d224cb792d519753

Download Submit
memory/1552-2-0x0000000000304000-0x0000000001406000-memory.dmp

Filesize
17.0MB

Download
memory/1552-5-0x0000000000300000-0x0000000001942000-memory.dmp

Filesize
22.3MB

Download
memory/1552-1-0x0000000000300000-0x0000000001942000-memory.dmp

Filesize
22.3MB

Download
memory/1552-261-0x0000000000300000-0x0000000001942000-memory.dmp

Filesize
22.3MB

Download
memory/1552-262-0x0000000000304000-0x0000000001406000-memory.dmp

Filesize
17.0MB

Download
memory/1628-10-0x0000000000300000-0x0000000001942000-memory.dmp

Filesize
22.3MB

Download
memory/1628-264-0x0000000000300000-0x0000000001942000-memory.dmp

Filesize
22.3MB

Download
memory/2420-17-0x0000000000300000-0x0000000001942000-memory.dmp

Filesize
22.3MB

Download
memory/2420-263-0x0000000000300000-0x0000000001942000-memory.dmp

Filesize
22.3MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads