fff4b96876b0c78da96e57cf7ca1b0e0cbee4fde52047a9bde52e25b062d69ca

Analysis

max time kernel
898s
max time network
891s
platform
windows11-21h2_x64
resource
win11-20241007-en
resource tags

arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
submitted
26-01-2025 02:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

AnyDesk.exe
Size

5.3MB
MD5

0a269c555e15783351e02629502bf141
SHA1

8fefa361e9b5bce4af0090093f51bcd02892b25d
SHA256

fff4b96876b0c78da96e57cf7ca1b0e0cbee4fde52047a9bde52e25b062d69ca
SHA512

b1784109f01d004f2f618e91695fc4ab9e64989cdedc39941cb1a4e7fed9032e096190269f3baefa590cc98552af5824d0f447a03213e4ae07cf55214758725a
SSDEEP

98304:Uc9HTcGO0ImBimas54Ub5ixTStxZi/l9K0+zLVasSe4JnzMpm+Gq:UcpYGO0IOqs57bUwxG9CVaskJIYE

Score

4^/10

discovery

Malware Config

Signatures

Loads dropped DLL 2 IoCs

pid	Process
972	AnyDesk.exe
1560	AnyDesk.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AnyDesk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AnyDesk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AnyDesk.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AnyDesk.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	AnyDesk.exe

Suspicious use of FindShellTrayWindow 5 IoCs

pid	Process
972	AnyDesk.exe
972	AnyDesk.exe
972	AnyDesk.exe
972	AnyDesk.exe
972	AnyDesk.exe

Suspicious use of SendNotifyMessage 5 IoCs

pid	Process
972	AnyDesk.exe
972	AnyDesk.exe
972	AnyDesk.exe
972	AnyDesk.exe
972	AnyDesk.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 3464 wrote to memory of 1560	3464	AnyDesk.exe	77
PID 3464 wrote to memory of 1560	3464	AnyDesk.exe	77
PID 3464 wrote to memory of 1560	3464	AnyDesk.exe	77
PID 3464 wrote to memory of 972	3464	AnyDesk.exe	78
PID 3464 wrote to memory of 972	3464	AnyDesk.exe	78
PID 3464 wrote to memory of 972	3464	AnyDesk.exe	78

C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
"C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3464
- C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
  "C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe" --local-service
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:1560
- C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
  "C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe" --local-control
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:972

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\gcapi.dll

Filesize
64KB

MD5
ecb9969b560eabbf7894b287d110eb4c

SHA1
783ded8c10cc919402a665c0702d6120405cee5d

SHA256
eb8ba080d7b2b98d9c451fbf3a43634491b1fbb563dbbfbc878cbfd728558ea6

SHA512
d86faac12f13fcb9570dff01df0ba910946a33eff1c1b1e48fb4b17b0fb61dded6abf018574ac8f3e36b9cf11ec025b2f56bb04dd00084df243e6d9d32770942

Download Submit
C:\Users\Admin\AppData\Local\Temp\gcapi.dll

Filesize
385KB

MD5
1ce7d5a1566c8c449d0f6772a8c27900

SHA1
60854185f6338e1bfc7497fd41aa44c5c00d8f85

SHA256
73170761d6776c0debacfbbc61b6988cb8270a20174bf5c049768a264bb8ffaf

SHA512
7e3411be8614170ae91db1626c452997dc6db663d79130872a124af982ee1d457cefba00abd7f5269adce3052403be31238aecc3934c7379d224cb792d519753

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace

Filesize
4KB

MD5
38d043e4408074173894f0992b92c690

SHA1
35ae5a1b9943b0637071e00868bec8be88a9278b

SHA256
f1b19f089cb6a901241e0951864e0aa15155e9805da68c8cd0fbacef5fdcf918

SHA512
0ebf06b93430a834687e28f495185f4aa940c5cdd0dd28d3cf6b3526a53d27d10b409fb583f0eea31fd371c951a2226c912788bb77d740488f64ce70b3bc56bb

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace

Filesize
9KB

MD5
c7bc6efd1f557b9440c64568859507ee

SHA1
9689d041a02828042cb53b3e52d0940c6ef1563e

SHA256
64fc03b238a4006db7213ee44bc6146b1600f1e994228a4781bec31b03ded84b

SHA512
818bf3aff242f179b978105b8838801ce37442ec9460d141d39ce0899a818ae62b86fa3214f39c900703d363d8f1cd01fadc4259666e44276a19cf06db2b5ede

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\service.conf

Filesize
2KB

MD5
4251f717e7fb180fbdcb48ea2570ed9c

SHA1
16fb64e16dd1affdff2efbc248a6676e605fd813

SHA256
137aee2e00568ae99de6fb3a536145fea7b89f73f3aadb87512d7ef549e7e35d

SHA512
605a74f50063281005487ee58ec22df9903939213c6f9bc4cf9fc1544dbfb1155c31d1ad6d3ff4ce336d4f3e7530be959ca951353bf904e559bdb4aff825ee79

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\service.conf

Filesize
2KB

MD5
cc9dc1890a5251ce229e3153ed8971bb

SHA1
ed388815d06d9ca62cf7c7069901e41428c9fec3

SHA256
675ef2320c8a9967f0edd95bbd1fafd1c43d1df6c130baa0312248a490a6c952

SHA512
1809b807e7b4cf79606423506912580f0c944cef33d98e32ae723b89d0fdc4321d587452f31ea0439838fc3330e1673e3de90c9c4e747d0f740c9b18f35b589f

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
676B

MD5
937680e0196939607063277dec316b35

SHA1
90834f2342547f26ef6ab0ca4c47e8dc00579d68

SHA256
01b06c3b98ba60bd9c612365b890e63acd56c6bb43a85a83a89460fdc041a798

SHA512
68fe38ed5e3bef1bc5dc9ae1d86e20bed9bef2249fe5390806fc8b588d4e180bac6a0c4881f1dab8c90e03ddee031380a4136a0450ab7635f751f1c26bbafaa0

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
766B

MD5
1c98719293a41ed1bfc079e7cdb12064

SHA1
ab1cc90c2343903a4d926bf639f951fe5dc9715c

SHA256
65d44d56a6b77ca8217b4e11f149f9f9e5920d8b22707b2be8da462e93179d6c

SHA512
a3b8f255ccf3075f2039a7a2f58b3b35f01751faca77cde4d563cfd8738b171ce1af4fe6ff15d304d3fd1c3c4081f39595fbb9fc148790c44d1d21460c8df163

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
774B

MD5
1e6643e1707f090871a5b6eb90975199

SHA1
455b1b4458abaad8f71d2d393317343063115425

SHA256
bfb18d01ed1573be49c22cc1ca130ce595d761d090b573ea95a9669a2b135bf1

SHA512
4fc3b994a56d7fac836bb03469ee8782c92f4656fb1623b9f121f5a3a6cd839ce1b30fd7aa186c5806aa5e159cdcf12fa8b6680696b8deceb4eb4bb4e744306b

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
831B

MD5
bdadb2f9e3cea88044fbe07dbd142ce0

SHA1
1d3f9f668bc64a04bba9e8b2e79bd9421179d1de

SHA256
62110cc2e3c3f4c882ad158d3a3e2191e2a9771f492c86751c9c4c7be4b4e25a

SHA512
8d6ac65a43546d363e485934a1c71e8079d99d878989fd4b00b31b3b07b6bde453205346aabca0205a02418e2b804c1a9a29fb1bbe4b1fd2c1e7a1fbb440be12

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
312B

MD5
0c04ad1083dc5c7c45e3ee2cd344ae38

SHA1
f1cf190f8ca93000e56d49732e9e827e2554c46f

SHA256
6452273c017db7cbe0ffc5b109bbf3f8d3282fb91bfa3c5eabc4fb8f1fc98cb0

SHA512
6c414b39bbc1f1f08446c6c6da6f6e1ceb9303bbf183ae279c872d91641ea8d67ec5e5c4e0824da3837eca73ec29fe70e92b72c09458c8ce50fa6f08791d1492

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
468B

MD5
3382d708ab4561881bdb21247aa86c6d

SHA1
f0b7715ea4ce851373ea3f923e10f30e665f840d

SHA256
e7f9a2185a86c98d7f4a29d3bf922d962418f0d0b1faa71f958549d519f2d545

SHA512
e03f59643088c9e9212088f55e326b4fd179db393a18320822e5bd984d6f994cdff2336ad30c2cff33c91c79943250a3ce5d7f38d624a9a4bbcccbc173d8245c

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
468B

MD5
f5e2d6a7b95990e535d683d64799c66f

SHA1
9c04b6a500993737d7025c5af1479334e6c34f7a

SHA256
7572a8d94b6ca31c870640188f8d6e1a4c9ffad80a98fb1f6825e7399c539051

SHA512
4e24452381533694cc910630eca3ab7f9fb78b3cad6a32179c7a789784624e7e4339fcd983cb9adfb755b1f2c6964c276afd5ac324ec5c3160c43b03f5205d8c

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
2KB

MD5
399c3965a2230469a80f0bcf6ba014dd

SHA1
6c2bdf64c89bfd2d17bdaf255dc09e6ca1e64299

SHA256
6673ff6e7a1796d436c842caed96bb078202f1d3a902466f52c473a70e2a1075

SHA512
28ca6527d5377e29f70625e606d16d6201d0bddd9467cfda2c0ea3bee761b9f17204e6bcb89ea0e525fe93f6542b66f9f7f6186d5fb4f3d7435d6b605aeb5e0f

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
2KB

MD5
ce23499fb40690a51277b6980e723bd1

SHA1
9384d7c7ab256a424fec4d06742139c7b47d997a

SHA256
f8602506e7166dd1bbff34b17b9ff05c5e24b10182280bdd97be3f85964929fb

SHA512
f8e3b28ead160fb17b1bc98e92abbe40510e76bbba1d0063c0317e69dc02d8b4debd2391bb3f5762e3941fa7a9cf2d9d58cff413c1cf6eaaf2a7438c52310e0c

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
2KB

MD5
eac4588fd447d64d20a7b37a51a45fe0

SHA1
6370e307097d34135ef4862b0f8a075a91f52118

SHA256
01823076ff1e1d26cba0e92434f861b1a4bd23aa1d9a53b38c1fdbe62e961e1c

SHA512
1868428313a863ef4bdc84fcae95148f141ca894dcd9ce9c38df2ee389a291256fbabadf3176c5c84400332e652bdc8c6e1446d9fa69bda4e7c7656391dae70c

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
5d3dbb3decc53d50600c9c1b9475cbaf

SHA1
c01c282b3bb98d02fb37a6d496858ffbafd31a4d

SHA256
1c7874ec5f5dc6fbf2004d8bf0fc1267a6d23b88e96d7e8549c0327e346ac954

SHA512
1f697a3b8c2f1b57346e4ba77f267394fcd7e7ea8838f5d1a8269d353112fd8f10ae61875b5519f8b67debd82b55575330e91b973f39b597ca52e171f0192a3c

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
6KB

MD5
6c32002e89f6d0a17db415ebd165370d

SHA1
4633e396ccff85cb4762b19505f8d31b1ee316d4

SHA256
6bc465b8ee1fe2e25d03167c93e9fd1349dce1d8f3c5bb3f0f01a49c6f22f871

SHA512
9af02fa7b9df52d1fe69311468f47251dfd5cf9443da9ebd7023894345c08e681eda071aee8a38509bcd8b3bf38c6a14feadd0018fbea488c39cef5fe6e8a160

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
42f6c0c4589e9306f8f2a58ed0cbcff2

SHA1
5f3d189e83b3259c7d26ff4031b0fd60994bf522

SHA256
109155bafe8552e1083e6697d35d713ab98a14b59c08b5b00c483179141308f5

SHA512
ed09ac991ec116d0265abbb7c3faae0ff3dbdde662b169d6c474cb1b7e19a20885b0e08da4c4fd0ead5fe16cb816423698717fab270f455d787612d895bbc4c5

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
05017aedbcc3faafc823f4e2f6a3c2b4

SHA1
4cbf24cf1c4caaa05579373e0a6109798ef67379

SHA256
6fcd55ea554116382ba7a5720ea8c1bd042547f6ba810c7544bf8dc98b91d89a

SHA512
10e0061c5a9bd0b77c0c2738f2302edd8d34e6dd42a4bbb17070179b859202b23addc3510f0a0821fa061198bbaaacba6d6dc20481ea27ccea31536bff1a2907

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
ba1eaa42b343765d9f433859d3d39217

SHA1
33c955ecd9781a23a6583c0f7d5b33159c68058a

SHA256
0974af929cf5a572ea2302e824680810e4a14f73c915a081d408cc2beeb73a70

SHA512
574bddc986109a7f1c2285daff392ef03bdb3a73148932394b5b87c0f8e2acfac10b1efdc03736b352fce65edddbb7217f4ae88e7da3fc81b2c5c9bd426f6c87

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
c0c3e20653d5141f67559bdb51bcec30

SHA1
e85a9652295b924fd0e62df0fe9a7f35c8bc5a1b

SHA256
0132a888a696c11b956974e5179e4d378d5f259294d68f5554a077621286d3d9

SHA512
744a0b864239ad098e496a63d474b8d57960ac2d2a28ad0f3d80c5d1511f2112b4161635bdc625d3ca281c275f6dd2486dc1be1e733e1800d35ab44f1d0c4f0f

Download Submit
memory/972-238-0x00000000008B0000-0x0000000001EF2000-memory.dmp

Filesize
22.3MB

Download
memory/972-15-0x00000000008B0000-0x0000000001EF2000-memory.dmp

Filesize
22.3MB

Download
memory/972-11-0x00000000008B0000-0x0000000001EF2000-memory.dmp

Filesize
22.3MB

Download
memory/1560-42-0x0000000005B30000-0x0000000005B4B000-memory.dmp

Filesize
108KB

Download
memory/1560-10-0x00000000008B0000-0x0000000001EF2000-memory.dmp

Filesize
22.3MB

Download
memory/1560-39-0x0000000005B30000-0x0000000005B4B000-memory.dmp

Filesize
108KB

Download
memory/1560-43-0x0000000005B30000-0x0000000005B4B000-memory.dmp

Filesize
108KB

Download
memory/1560-236-0x00000000008B0000-0x0000000001EF2000-memory.dmp

Filesize
22.3MB

Download
memory/3464-0-0x00000000008B4000-0x00000000019B6000-memory.dmp

Filesize
17.0MB

Download
memory/3464-5-0x00000000008B0000-0x0000000001EF2000-memory.dmp

Filesize
22.3MB

Download
memory/3464-2-0x00000000008B0000-0x0000000001EF2000-memory.dmp

Filesize
22.3MB

Download
memory/3464-234-0x00000000008B4000-0x00000000019B6000-memory.dmp

Filesize
17.0MB

Download
memory/3464-235-0x00000000008B0000-0x0000000001EF2000-memory.dmp

Filesize
22.3MB

Download