fff4b96876b0c78da96e57cf7ca1b0e0cbee4fde52047a9bde52e25b062d69ca

Analysis

max time kernel
149s
max time network
155s
platform
windows11-21h2_x64
resource
win11-20241007-en
resource tags

arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
submitted
27-01-2025 11:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

AnyDesk.exe
Size

5.3MB
MD5

0a269c555e15783351e02629502bf141
SHA1

8fefa361e9b5bce4af0090093f51bcd02892b25d
SHA256

fff4b96876b0c78da96e57cf7ca1b0e0cbee4fde52047a9bde52e25b062d69ca
SHA512

b1784109f01d004f2f618e91695fc4ab9e64989cdedc39941cb1a4e7fed9032e096190269f3baefa590cc98552af5824d0f447a03213e4ae07cf55214758725a
SSDEEP

98304:Uc9HTcGO0ImBimas54Ub5ixTStxZi/l9K0+zLVasSe4JnzMpm+Gq:UcpYGO0IOqs57bUwxG9CVaskJIYE

Score

4^/10

discovery

Malware Config

Signatures

Loads dropped DLL 2 IoCs

pid	Process
4076	AnyDesk.exe
3648	AnyDesk.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AnyDesk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AnyDesk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AnyDesk.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AnyDesk.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	AnyDesk.exe

Suspicious use of FindShellTrayWindow 5 IoCs

pid	Process
4076	AnyDesk.exe
4076	AnyDesk.exe
4076	AnyDesk.exe
4076	AnyDesk.exe
4076	AnyDesk.exe

Suspicious use of SendNotifyMessage 5 IoCs

pid	Process
4076	AnyDesk.exe
4076	AnyDesk.exe
4076	AnyDesk.exe
4076	AnyDesk.exe
4076	AnyDesk.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2672 wrote to memory of 3648	2672	AnyDesk.exe	77
PID 2672 wrote to memory of 3648	2672	AnyDesk.exe	77
PID 2672 wrote to memory of 3648	2672	AnyDesk.exe	77
PID 2672 wrote to memory of 4076	2672	AnyDesk.exe	78
PID 2672 wrote to memory of 4076	2672	AnyDesk.exe	78
PID 2672 wrote to memory of 4076	2672	AnyDesk.exe	78

C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
"C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2672
- C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
  "C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe" --local-service
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:3648
- C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
  "C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe" --local-control
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:4076

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\gcapi.dll

Filesize
385KB

MD5
1ce7d5a1566c8c449d0f6772a8c27900

SHA1
60854185f6338e1bfc7497fd41aa44c5c00d8f85

SHA256
73170761d6776c0debacfbbc61b6988cb8270a20174bf5c049768a264bb8ffaf

SHA512
7e3411be8614170ae91db1626c452997dc6db663d79130872a124af982ee1d457cefba00abd7f5269adce3052403be31238aecc3934c7379d224cb792d519753

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace

Filesize
9KB

MD5
659c9a789985d88965bafe4f9481dca0

SHA1
04dad07c6836ab6933683700276aa17e5d31e854

SHA256
a5cce323656c20e25548f486cdccaf9ed5f6fba872ff16ec77366d98895d12af

SHA512
2ae3100e55029c8a21f7bd8c754d503c7f77a82157d95785aef4aad113383fe839578e8511be297c89142e4641515ecbc1074cd07a40ad1580a8d44b66152052

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\service.conf

Filesize
2KB

MD5
caaba32c02644f48feba869faecfee5e

SHA1
6c8f4ca3ea06e278faeb02db9cf4241bbe5457a4

SHA256
cd89f768657e7e912f828986b1b67afef4eb5e7c7c40acf1ff6831ba7b5bf3b4

SHA512
acbdbbdcc8f7cd0269fcfe7e08465f6fc2531be67bd29e1bb20fe4c97a748839b8f2b56b1d3e9f906937918bccf8b67b622bab0aa8be629ab3c455ba3641eb3b

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\service.conf

Filesize
2KB

MD5
697908e41911d6470bd15b4f0505a60c

SHA1
0baea8690fc52e4aa05c62755b4214b88fa242fe

SHA256
a018762957b6629952cf7f27171913ff43dc73c7adc4aa8bdf8f86dde52f533a

SHA512
6d8ef8eb5d8875f99d325bc9c97cc26b0f9af63f5156b60791446a920dc70644b9ac6d3e149759fee65bef65e9cc61f435be6fbf59913a8e3a1e686ef8e9ebdd

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
745B

MD5
2f5b5fa91629ed856ebb41bf666fd951

SHA1
e472f8257b2176d52b217bd23a2f113102fa9b47

SHA256
592e5438305e8681318dee6b42c49fe0e4a761b3d7eda8d414346bc9eee66df7

SHA512
85bf4785c1139712097f3ad4df05cb12ee374b23353a6db2a91ecc01ffd50e0ebef01d06ec60da94fe6935fa9ccf083e0c962fabb7d4a03147231d710593ab5a

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
766B

MD5
45218d12a582e9e15c4ff84bf4222f64

SHA1
2cb3024c5efab1fab1127808c8c1a26b51445d34

SHA256
65533a9cea22bf7551f35daf99bb70151cba53ab0940a570eed75a46148ac4de

SHA512
337ae6d947dd2affa30d4ca4c35c9222693297f4ebd6004620786015388a24cc4e0614c1d225c8592a44e3b0c4c23fedb65988fcb373381baaf08e388527e25a

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
823B

MD5
9981402f210c62304e1a06dd981a6765

SHA1
98d07ce7438fc6af877aac95fdfccf966b199dc6

SHA256
4addabac5ef21fc3dbd29bb216bd7fcfe74beceedc1d05ae47be4cd8709bde3b

SHA512
7705bb916a231a626208ca5da17ced777b9fc70ae6e5ad0b6aadd2a2cb5d8330d72e1878c4e8b8e98408043bf61d32424787b817ddc64d8bc5c8e2f6db5f80a9

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
832B

MD5
c059010aa8766f6ff241161791a08852

SHA1
542b49131315672d637448b135541ef5269802aa

SHA256
06f0317f602f59a416d57f7425f0292ade45fcc27d5d8cfa26cb38a4de03b227

SHA512
7a6b4a63863cc050f8ea639213ac33b5222819f996d87b65d4ae5b79a42576d2727c20944ab057277660fbacde52a4f570114074e76cb5436ef758b2802d2879

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
312B

MD5
0c04ad1083dc5c7c45e3ee2cd344ae38

SHA1
f1cf190f8ca93000e56d49732e9e827e2554c46f

SHA256
6452273c017db7cbe0ffc5b109bbf3f8d3282fb91bfa3c5eabc4fb8f1fc98cb0

SHA512
6c414b39bbc1f1f08446c6c6da6f6e1ceb9303bbf183ae279c872d91641ea8d67ec5e5c4e0824da3837eca73ec29fe70e92b72c09458c8ce50fa6f08791d1492

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
468B

MD5
4ee4645dd5289209b68a42204e0c8bd1

SHA1
2641634c0232a3897e4f6e077e91334533b8389a

SHA256
20b9114ee4826dc8d3c9cf6eac60a30f03034f328f359a74174e890e1fd8fa73

SHA512
99f449c0033dea0c00944d73d305a31dec690f95f2064c614fd190e2b71155e55fcd7b8f8ecee8a0e228384d2626f4e9656579bb26e8d302d373f523680a2a8c

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
468B

MD5
628b1dfd6fdde46e8f66506a08c7c739

SHA1
6217a160bb6c1ff3667bb91b20c687b18ca99849

SHA256
4e21688ce6622fd287d6c8696878a9912b659b98e4a9751756f16e5d6ab736c9

SHA512
dc59696c1e2b80aa3291aad55c4979899e07ec4e97271134c58842df828eccfd1202080881377e11511484030148c0a6eb6fd0726266e7cc5a440202f23572e4

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
2KB

MD5
1df7f07a4e0f2b246f7d94745ce4d346

SHA1
daf96d48b0e1d6d35974064d6d6df6e03e874611

SHA256
41b483d384621f36fe523ad39072f3a26158fbface0370b2b34964e4b3a695dc

SHA512
b3fa630bfb4f36f1b966ecd4aa9b26341a9ca0432c87dda09a42b92590deee5e20c641594534b3e8a0352f6764c69423771f1777bf55706a371137c1c734b910

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
2KB

MD5
1e93fd7708fa6c3205ee614d9b131402

SHA1
659d5d50512f43e8deba4609cced431a8675ef1a

SHA256
e91bf9eca9948090928363035650c515cd50c3473fa645712af420c28d66edd3

SHA512
bd0f05fad3808f269a0035efe36beca47f614e3bb6a1d86c2713cc173109fa2ab38181e46aab51d3808b31ab3238c1c4dbadcb72ce66fb96a42d3e426781086a

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
2KB

MD5
b32570c05b5747ff3ce2e590edc171e4

SHA1
79fbf68976bea79c397197fd05a7c0bf3f9e81f4

SHA256
552e037a73f93b30675ad7c35358162c438ff1ff4b5ab18b0f1a579c24d158d2

SHA512
c018e7f32003d7bc549af52bf99268c0480fd0515785e9c8da8a5765b4816df13750ccba680622f98653e7ad1b896de24f398f681f4cbf43efd2208465a27420

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
f9917974521b5e45c6edc4925353b0e2

SHA1
8b719ed8b032769e6d440bb198712f813d3fa2b6

SHA256
be85164e1b542d4a3f37cd19b78c33cad1efabd2ade0afffac3caa743774a99f

SHA512
aebcb3289a54d2e961dbab2c1abdee9f9445da6c8d21011d00064928ba6cd150f6bee16b5f35937b5ea148019791307763cec124f8e22a75731b55bd55d366ce

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
2KB

MD5
454c59b5405431efc8d3cb818d0d707b

SHA1
59061a504313634fe68ea4ba105ce9e48cb9de96

SHA256
9363d09c5ed612677c7d57e07890baca6321627e890fe34fe23f7b8671a6ceff

SHA512
842b6bce927f63cfaa9653e87d4c082af786f1e48b11270f465705e47a96c6d17db0de2bec61dbd95d260fb842a25030e8dbd80512931f2d1bd47753d5178349

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
5KB

MD5
72e54b0f8f6c08d099910c95781b88c2

SHA1
7d080635b72ddd3a6cbc3a6ed04eba6f26aba3e0

SHA256
f46bda9d33b89fecd01ee2b8a53b98c4ee321de2a2bccf1f03258eb1e602908e

SHA512
c6493079362c950fd4e2c3541b84f50480fca8ef43c0460558b3175b84bcda6fc2bb89cc6a6280164cf20feddaf7ec85011fc41da19424cb2017c22cdd79e0c8

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
06039743bd73d87bad3c6634d7a7f96a

SHA1
4ad9ced03872c2c19ddda5b06b66ba8aab5f545f

SHA256
650c32fb518bab25182fdd5f79a4230dc09f3921f9a1cca0e5652ee1c7bfcc0f

SHA512
2d6419bd0826d7cb624a34751591f722e296201326db9541eaa110aafa4bec0c98b472a24ac63bbc60fd4688a3b5219b268c7bd2c0b0d734a36837f045528cd0

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
536172b602fe1a6cc7dbebf60013ee09

SHA1
08f16f7ffe6949dfeb992a9adfda9c7c2d0938b7

SHA256
5108a1654b6135ab0bc12a318ce4bf5210e994370cb727bf5e2d35163821bbde

SHA512
555cea78c9fb552a02fc097bfa891f2d96609c428044ca270f49d565a5c1a585fc7bc811d492d9b6b3fd81e70a803270a2bd36e0d3785bee362522b6948a3f6b

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
4026e56caf0b1e523f6e7b49e09ef925

SHA1
0c3a55657eff93a668f2029de1e9676c92d5b187

SHA256
fb23ddd0d041ca61e39442b7a6fa5cac7620183603dddf1b19e60b7fb24f3023

SHA512
28fdf4cd6b8d6347018505f503afb2066879fe21dde328f0367da115fe6cba408b31751e4c42f14a16105aeb2d7c070ff1c409dd20da9eebe59f8404d099f2b4

Download Submit
memory/2672-1-0x0000000000304000-0x0000000001406000-memory.dmp

Filesize
17.0MB

Download
memory/2672-7-0x0000000000300000-0x0000000001942000-memory.dmp

Filesize
22.3MB

Download
memory/2672-0-0x0000000000300000-0x0000000001942000-memory.dmp

Filesize
22.3MB

Download
memory/2672-228-0x0000000000300000-0x0000000001942000-memory.dmp

Filesize
22.3MB

Download
memory/2672-231-0x0000000000304000-0x0000000001406000-memory.dmp

Filesize
17.0MB

Download
memory/3648-10-0x0000000000300000-0x0000000001942000-memory.dmp

Filesize
22.3MB

Download
memory/3648-14-0x0000000000300000-0x0000000001942000-memory.dmp

Filesize
22.3MB

Download
memory/3648-43-0x00000000056C0000-0x00000000056DB000-memory.dmp

Filesize
108KB

Download
memory/3648-39-0x00000000056C0000-0x00000000056DB000-memory.dmp

Filesize
108KB

Download
memory/3648-42-0x00000000056C0000-0x00000000056DB000-memory.dmp

Filesize
108KB

Download
memory/3648-229-0x0000000000300000-0x0000000001942000-memory.dmp

Filesize
22.3MB

Download
memory/4076-11-0x0000000000300000-0x0000000001942000-memory.dmp

Filesize
22.3MB

Download
memory/4076-230-0x0000000000300000-0x0000000001942000-memory.dmp

Filesize
22.3MB

Download