fff4b96876b0c78da96e57cf7ca1b0e0cbee4fde52047a9bde52e25b062d69ca

Analysis

max time kernel
142s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
24-01-2025 03:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

AnyDesk.exe
Size

5.3MB
MD5

0a269c555e15783351e02629502bf141
SHA1

8fefa361e9b5bce4af0090093f51bcd02892b25d
SHA256

fff4b96876b0c78da96e57cf7ca1b0e0cbee4fde52047a9bde52e25b062d69ca
SHA512

b1784109f01d004f2f618e91695fc4ab9e64989cdedc39941cb1a4e7fed9032e096190269f3baefa590cc98552af5824d0f447a03213e4ae07cf55214758725a
SSDEEP

98304:Uc9HTcGO0ImBimas54Ub5ixTStxZi/l9K0+zLVasSe4JnzMpm+Gq:UcpYGO0IOqs57bUwxG9CVaskJIYE

Score

5^/10

discovery

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	AnyDesk.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	AnyDesk.exe

Loads dropped DLL 2 IoCs

pid	Process
3620	AnyDesk.exe
3280	AnyDesk.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AnyDesk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AnyDesk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AnyDesk.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AnyDesk.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	AnyDesk.exe

Suspicious use of FindShellTrayWindow 5 IoCs

pid	Process
3620	AnyDesk.exe
3620	AnyDesk.exe
3620	AnyDesk.exe
3620	AnyDesk.exe
3620	AnyDesk.exe

Suspicious use of SendNotifyMessage 5 IoCs

pid	Process
3620	AnyDesk.exe
3620	AnyDesk.exe
3620	AnyDesk.exe
3620	AnyDesk.exe
3620	AnyDesk.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2524 wrote to memory of 3280	2524	AnyDesk.exe	83
PID 2524 wrote to memory of 3280	2524	AnyDesk.exe	83
PID 2524 wrote to memory of 3280	2524	AnyDesk.exe	83
PID 2524 wrote to memory of 3620	2524	AnyDesk.exe	84
PID 2524 wrote to memory of 3620	2524	AnyDesk.exe	84
PID 2524 wrote to memory of 3620	2524	AnyDesk.exe	84

C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
"C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2524
- C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
  "C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe" --local-service
  2⤵
  - Checks computer location settings
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:3280
- C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
  "C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe" --local-control
  2⤵
  - Checks computer location settings
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:3620

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\gcapi.dll

Filesize
385KB

MD5
1ce7d5a1566c8c449d0f6772a8c27900

SHA1
60854185f6338e1bfc7497fd41aa44c5c00d8f85

SHA256
73170761d6776c0debacfbbc61b6988cb8270a20174bf5c049768a264bb8ffaf

SHA512
7e3411be8614170ae91db1626c452997dc6db663d79130872a124af982ee1d457cefba00abd7f5269adce3052403be31238aecc3934c7379d224cb792d519753

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace

Filesize
7KB

MD5
d5ee990ec12730da2ce546ceea79f901

SHA1
16484d3296651f5ce2a778a24fd408d635e52cc4

SHA256
02e7bed8a98fd16c85b5942ad8024b3545ef9f36ff1eaf90a3ca453ffc5222e2

SHA512
590513225b7f1ef379a0169098542032a7381d0d5eafb120217b37bfaa35df3f1f051a4e240f9d8ee6c33954ab013f33e7172de3c80f300fd751f9ff8be1a5be

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace

Filesize
8KB

MD5
86548be0d7ee377cdcf2b7088fad43ae

SHA1
6f451fccfc0367e6b14d5720eae5a642eb5b0a51

SHA256
d6644e45e28b3685132aa7d1c3f5b2865941b0632ca7f368b3208d1a4e9dcc92

SHA512
cd39ab1b33249332f8e2a587780210d6a79b96ea72e0fd47b2df2eb96d8be4baafbec0f913b24d15423dc1e74af587e1f9c8b0bcf6e823263be69eb49028c586

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\service.conf

Filesize
2KB

MD5
88642eea2c0e43cdad25db71d4119833

SHA1
d2f45a5bdd448b6473ae2efd03f7a0174281c958

SHA256
8b89f527380c7d4a8a2f5baa293c763620feac30537a06d24be883dd21e27a79

SHA512
9a6705039cbb8074e06d7ba7c5480ac0a1d3de0b8d135063570cd21f00f59dcb574d8d07cb5accfac774cdb6cfc8fa273c8e9f5a1e886b276b958a243da81216

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\service.conf

Filesize
2KB

MD5
a99c5e7970491802441a6ee9777667ef

SHA1
3812caec9f0fe939769122dd037551f29fbfd187

SHA256
3217b02ebfd595b0d958158d3dd7a7e41b9f0398b99eb5066cfa6d0e281aa1f9

SHA512
c700eda72d2e9f324ffac7c471b6300804757fc271ebbd56a3309871b3f163219dfcbc75f9828779891476850ccef19ab87ba284eb4fbcbae6d7356b7b415cfe

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
766B

MD5
a804c6e92718c63124ae262cbe2030f0

SHA1
acb8b2a68ff3db1cb00f518913f256851b949437

SHA256
f8a46041c0aa06aa7275761ecf28fa0d78b5c5f783c6336e99f085bc09c82c3d

SHA512
43b6666408a48ef0161401c9a858108567a6d365cf9a4f50458ef4a761d642cc2ab20e22876814e96aac457d96e495a3247eaee61776811a961c52e84d777a3a

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
823B

MD5
f2c2a8de5071718421ade558717a040d

SHA1
e02399f3b7e3e869b4372e276d1f8da5453bea2e

SHA256
b594c26c930f454ba29bf053ef831ee778d1967483e598b978dfcda0899f0d5a

SHA512
c2ae323340b69d0fdbb4d9de65c6a6687c763dbe8df9ecc58347d13ec793f794fb099ce81119457828c3068b68ab1bee1c47217a566df3b57ace73a0fff2c263

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
832B

MD5
451864c761ebd2a79ddf35a00bac3f7d

SHA1
053a829085366a72283f3b9a0500b9de8af63847

SHA256
5b51636de8795bd8270109dd562478fea98946a78e43d9a329ae266eecaaec18

SHA512
d64e62a3175950621213017a96be65e5d30f61174d26e74799c85699a6bb84301387894dd51e55b16db23f215679b48fbe82ad059f4490bbbc4136e077b7c842

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
468B

MD5
68c88556bb77ff637a2a9a5ef9e7fedd

SHA1
58c00cc81a5e647c7aea1578c28718ba066721f2

SHA256
35c037f64ca67253293a5caff8fce8a93173ce12225cbf18eb16705637f9120a

SHA512
756135d7bbe0854c797f69b6883ce1a7099f44b5904dc94ba516cb3c4f76ca5661275cf7eeefdab522d97838470ef11220a82af01a9c59952a478ad0131f6e79

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
6KB

MD5
00882d2f5fe914a2f021b331ca8b07e6

SHA1
df6d9a7fade3ee6cac4b164fe44953271bbee6ce

SHA256
167f6876abeea22efa231918d1699227a7c86a4cec459e996271dbeb3496ae69

SHA512
f4d62fc09d0780e383ddb1f2856f71366b382e5bb4f479a1929822f11c4a16d112c2075ead748c18b2dcc521d45df9d4e26b2e63c6798990dabc157726bded3f

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
5KB

MD5
d6225c7268b80355a7e7fa03ef07ec0c

SHA1
d701ca4d25812a6f3bda034928d0b7da75a0b64d

SHA256
98f8e1779a0e3ac71cd6ffc6259ed2ddefb8bbbc450baa0fede55cf9d2b814da

SHA512
107c184c68f00fa5552de3f09b1f3737712b3b28cc99022610992b3db7cd5477d5f810d098708aa43d57227d983fd1f04591b6990b3dc9602fdac015cc66a0d8

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
6KB

MD5
dfa1dd84591793bd0f9756a9b9d9009d

SHA1
9b7d81b0fa89fe3dc6890a8873cceb9eb9dfaf69

SHA256
c7e7e88cf293228e8de5237fb72fcbee03b7bc0cff8431e7fd260410427dd9be

SHA512
e5ef3725f371f057ced62a58dc2dbdc816b3d684387cc7fba49277faeecc766c60aefe6c52ccea5020c2c589a355392abc57cdc05e2bb48ece4a632c6cdc7901

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
6KB

MD5
9ae1d052a5855f4a2304ac344c6de805

SHA1
86aad51f1e821c076d9f8a0257b310ca16db97fc

SHA256
a08b2abf00a6b80e693425ca33be6cb8f1e022e8debc6a1c0ee61b1a4a4f47ed

SHA512
aa15b158ce33a4992baebfc0684cf61c771f7f8ea0cd8934fb3f4427a3506a71b3b34da2ea6bb98202ce2fb7dc1bb1311addb4ccf693f5f1a84c71711577bdd5

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
6KB

MD5
880eed041948ee3e9d1159d13b91bd39

SHA1
796c271e46343f75c7fd21377315bfdeeed8cd98

SHA256
8b3778d2ec8c30affc7c0ced32596f677006c0ee34e71da4e648bdfcc127fd4d

SHA512
57239b20d5c8be12519cdbf796b15b339dde610af8b3882e33f497150bb45b135c985173f2591b1e773bc85f7fc48d987fb5690e8fa20371d092925aa21dcea8

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
732796ddbd8ba37045dbfc4a69c0a04a

SHA1
a7c0b23c611c331f2f301d879c02f8b72efa6699

SHA256
42911da79a55fdcf8b4460546fa6afb7e7e89e4506fcb4823c30624b38b018b9

SHA512
77b3a6990d7f02b7585cb32ea7b8ab58569934dffa967664789cfa2d65c1c51933676aa374d2f76832265cc6c1576a2ae47c480ef05e8c142196ac9e4772b85e

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
43c6a0c2de5e59ec1f01ea0aef33010e

SHA1
b7d656a319217e23be1bafaaec0b0c8fa5627ca5

SHA256
f3b8468fe58fad5893f4deab90ef35e8672ded3773efe8a25c5df0c39d42056b

SHA512
ff3ba28e46397486f6c303f4cd9aa06e46cd9a1e7ada66600f6b512e1473563e71e165ae911b9f9c0428c0de8e474fffd12a7b4cfebeced5ca93ad2ea1f1fd63

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
07fb788f8b8ed1cd2925304901ea6c40

SHA1
3237a3531d1f4b7261ddbeb6399ecce736eb7928

SHA256
5215d7c2e615ed448c6e860ffdc9f7eec473d511900a96431134adac49a7a521

SHA512
4b9a6c6b7b3bda434edb52ff8d020a2258c74bfd592930e6c58b5d359926178ac27533012625d0b5fe21b738c981a98ef2f46498fbcf42195f6c0e1b4dd8b4ea

Download Submit
memory/2524-231-0x0000000000904000-0x0000000001A06000-memory.dmp

Filesize
17.0MB

Download
memory/2524-228-0x0000000000900000-0x0000000001F42000-memory.dmp

Filesize
22.3MB

Download
memory/2524-1-0x0000000000900000-0x0000000001F42000-memory.dmp

Filesize
22.3MB

Download
memory/2524-9-0x0000000000900000-0x0000000001F42000-memory.dmp

Filesize
22.3MB

Download
memory/2524-0-0x0000000000904000-0x0000000001A06000-memory.dmp

Filesize
17.0MB

Download
memory/3280-41-0x0000000005670000-0x000000000568B000-memory.dmp

Filesize
108KB

Download
memory/3280-10-0x0000000000900000-0x0000000001F42000-memory.dmp

Filesize
22.3MB

Download
memory/3280-16-0x0000000000900000-0x0000000001F42000-memory.dmp

Filesize
22.3MB

Download
memory/3280-38-0x0000000005670000-0x000000000568B000-memory.dmp

Filesize
108KB

Download
memory/3280-229-0x0000000000900000-0x0000000001F42000-memory.dmp

Filesize
22.3MB

Download
memory/3280-42-0x0000000005670000-0x000000000568B000-memory.dmp

Filesize
108KB

Download
memory/3620-19-0x0000000000900000-0x0000000001F42000-memory.dmp

Filesize
22.3MB

Download
memory/3620-230-0x0000000000900000-0x0000000001F42000-memory.dmp

Filesize
22.3MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads