fff4b96876b0c78da96e57cf7ca1b0e0cbee4fde52047a9bde52e25b062d69ca

Analysis

max time kernel
1041s
max time network
1042s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
27-01-2025 11:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

AnyDesk.exe
Size

5.3MB
MD5

0a269c555e15783351e02629502bf141
SHA1

8fefa361e9b5bce4af0090093f51bcd02892b25d
SHA256

fff4b96876b0c78da96e57cf7ca1b0e0cbee4fde52047a9bde52e25b062d69ca
SHA512

b1784109f01d004f2f618e91695fc4ab9e64989cdedc39941cb1a4e7fed9032e096190269f3baefa590cc98552af5824d0f447a03213e4ae07cf55214758725a
SSDEEP

98304:Uc9HTcGO0ImBimas54Ub5ixTStxZi/l9K0+zLVasSe4JnzMpm+Gq:UcpYGO0IOqs57bUwxG9CVaskJIYE

Score

5^/10

discovery

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	AnyDesk.exe
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	AnyDesk.exe

Loads dropped DLL 2 IoCs

pid	Process
4120	AnyDesk.exe
3212	AnyDesk.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AnyDesk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AnyDesk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AnyDesk.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AnyDesk.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	AnyDesk.exe

Suspicious use of FindShellTrayWindow 5 IoCs

pid	Process
4120	AnyDesk.exe
4120	AnyDesk.exe
4120	AnyDesk.exe
4120	AnyDesk.exe
4120	AnyDesk.exe

Suspicious use of SendNotifyMessage 5 IoCs

pid	Process
4120	AnyDesk.exe
4120	AnyDesk.exe
4120	AnyDesk.exe
4120	AnyDesk.exe
4120	AnyDesk.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4820 wrote to memory of 3212	4820	AnyDesk.exe	83
PID 4820 wrote to memory of 3212	4820	AnyDesk.exe	83
PID 4820 wrote to memory of 3212	4820	AnyDesk.exe	83
PID 4820 wrote to memory of 4120	4820	AnyDesk.exe	84
PID 4820 wrote to memory of 4120	4820	AnyDesk.exe	84
PID 4820 wrote to memory of 4120	4820	AnyDesk.exe	84

C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
"C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4820
- C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
  "C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe" --local-service
  2⤵
  - Checks computer location settings
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:3212
- C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
  "C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe" --local-control
  2⤵
  - Checks computer location settings
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:4120

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\gcapi.dll

Filesize
385KB

MD5
1ce7d5a1566c8c449d0f6772a8c27900

SHA1
60854185f6338e1bfc7497fd41aa44c5c00d8f85

SHA256
73170761d6776c0debacfbbc61b6988cb8270a20174bf5c049768a264bb8ffaf

SHA512
7e3411be8614170ae91db1626c452997dc6db663d79130872a124af982ee1d457cefba00abd7f5269adce3052403be31238aecc3934c7379d224cb792d519753

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace

Filesize
5KB

MD5
2732195b8b0f2f0a02b039bf0cb261c8

SHA1
bbcae1d7dfaf60bd552e7f83567e65ef33b4556b

SHA256
71c2de59b678244230edd578e6c131ef13c740355c09a67e3bd1a893b7de912b

SHA512
0673cf6e21de5cb454de72a7cbf1904dfff86878bd6d3a37222373885f4eef32c38fc97a10d1fe4bdd9797ea359075714521b5d77a883ef244eb79a7e3adec5e

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace

Filesize
9KB

MD5
7efa5084b7d4d9a94fe4640d5e581f23

SHA1
2f99babe8a091559d8e2ef4b56c6ef3050baefd7

SHA256
b99f534e1f4c7fbc2f94516d912efb9794f49ea2d0dba8ef0f09f254f8206ab7

SHA512
ae3a37654dcb82ba7167de739844ebeb1a8b0c565f915506ea6980c8f73799f04b076053a8c67ae8fd21a9a78a7e75553b0f97ad6f96c7626b4c669ca8e29220

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\service.conf

Filesize
2KB

MD5
1ace4da272b2336a2817d1cefbc0540a

SHA1
0e283ed01683afdec41099e2d359086449a14cc8

SHA256
224801af5678c95392b510511e420ea918727ad124a9cc25dc8b9d717e78dacd

SHA512
c24f317701af537cc5495780467513e18e9cf9b5185cb6246129b763d8cee7000644ba61bc8644dcc3ea1d344432273443b382aeba2ed150813159f5b8b80221

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\service.conf

Filesize
2KB

MD5
cb6095ec4b5f4c3d28ead364f65b4cbe

SHA1
a22976e3a9e5f03266bb4999f33d2b1ff19d1487

SHA256
3871685e545665ff1fd535bea3758520624a9225d9e0405670b3025a052976a8

SHA512
9432896eacf1d57768870bc51eb1b6e75a182c0b36660f12e191be59b481a0e4efe1841ca508ecf14d5bbf3ac50357344c4a8ff5d259440fc5c58282ff6a138e

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
697B

MD5
4f2845a137819e9dc77d779c080e540e

SHA1
93a9ca9a26245a029cdbf3d4966dd83136731871

SHA256
d7aea97531ef47ad021674da17d005c9131f4a4587378fc392c8d43f3df129ac

SHA512
9c67505e3375a8adfa195419e29af8ab9716b1f635138b5847ada4eaca7e9b336c261a2569370db84fcfdc83ac058dd4300c775904a8df2a2005e8bf7685f8f1

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
832B

MD5
1de3d764db9723c69ab3aa02fc20a64d

SHA1
178d9126f744588d7df7eb025d027d3e4819a16c

SHA256
2cc33d14200cba74778bf10f26c3b274f79bd51875e9d7f05551f2e46a4622ce

SHA512
3e569c612fc19760082d2432bba7278c92b04636c71dd22ca90e40b675104201b81b5eaf3e8bed55a49521836131a56f1540f32769532af574514167f51c8025

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
468B

MD5
4d7d1f9fe741acb769fa0aa927da5bdf

SHA1
e910fd00acfb949ce4736012c24c5d26a0bf8cdb

SHA256
4f01fd140ee5a627bd4e899efe1cfec8dfdc3354de45051bced9dad4b7c217de

SHA512
aa8e39ee471347bc1a2f823118d8b52f3f193f9bf93873dcea1eae355254894be89d40d8e0735b3341ac2808f018b11c8af3bba90b70f2ff64bcecbcf38811a5

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
468B

MD5
93c451d3c4886348246873295e1db387

SHA1
7d5967addb93666b0ad98036a5344bc2da2ed140

SHA256
48e7920d6940b32cff23a7ca00afcd4294b7e5c72005369ecb974e3907e53eb3

SHA512
f190d0d5effaf1660dd7863ec13e5bbdadd581ab1f1ca7db3cd559ab9b95350a94c0b79fc8316ba2dc17e4c8585d3c2f78c5cf6d1182c2c3226b44f320c81ab5

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
2KB

MD5
2f4e1112772e46b0e88e5fbb87c27040

SHA1
2cba6fa80097b0583beceb144afbbc456f07820f

SHA256
ea919db79663945ac8bc3763a74c5f91a476250f6b5f45ce04b6ce79eb2be647

SHA512
94f75bc7c9a918371e6d9b38a54dda792fe42c23092426b02d43140afe2a5e62df7787fd623f84b9914cd144d65e389945d7aa3572f3ed56990b67221d821c68

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
5KB

MD5
288d0eafa83299c8a0222ad8230ebb76

SHA1
bf2af075c2443e9ee07a2b530c40b220690f5ba1

SHA256
e523ac1a77c0d017f03852c7af8ca14f79c4755eeec1c332264a11e94c86a18b

SHA512
dc0160e01a98d9b01bd24340957f6693a463222d9eeb02d9244d6b086b23f652da641a8a001a29c984bb4500aeb2b67639514a56716b7b22bc0f236e0f6ea616

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
e09a08f30190b7863493e662c0e491a2

SHA1
4bdbe96ac04a1e052c98205633c79e36c4c67174

SHA256
48649e7ffaeb0a239f85902863cbced78804dd651a7ae4ca3530d6ab63917d51

SHA512
9e080a5f2f71dceae370dd0a41a1e4dd6c88c8018c4aea9a4631180dae3df8f1ddd6626d7edde477a44e80814e58968c6e03e1667b284d83a4a021e1dc2891b2

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
5KB

MD5
214d1d5b14d445edca926eac5de4975e

SHA1
57061239f344c08b390313d4a21540f1dad35b35

SHA256
20374b600cd0d6f3ac2bbbfecbf7cfaf0a44ebe216eedfc6bc88159d1bd535ad

SHA512
23ec53496a9b539211f5b02101afa285fc70731154eaf2136e27eb5d8afaa33d5af39533d4dd18a5b34edd954f39d0cde2c90e8aa269800b9491fbc29abcf083

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
5KB

MD5
8d56129bd9d2895ad49e223cc48e13eb

SHA1
fc52b5568025071c54eaf727c16a9bd4539fc4d6

SHA256
8f1ff59cc4ec71a6af3b9e59ca4c4cfe21fce5329e854587d5e2202a55a99233

SHA512
27df4370e2dd43a41b1f48008a6c776a6de3737dbac466141d193d9f7c7a3ea1f58148257078491777c973638946d9d1978832f695ed9764b99f15440e21ea06

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
5KB

MD5
074af0da6a13d2ef185b54862b6069e4

SHA1
32274de239e68031fc378c703f1210a57a40c244

SHA256
950edbf69f22cc7f7e57ec755eeae23939e9c500e39038645e2c5fb8bb4230a8

SHA512
af14874b783dbe44ad6bab3ef7f81c72dd26b272f97889c3e315f1a7b27345c4fa33cd90fc0ab02020cb7ab1c71042315c6f4c288507e10a206daa27a79f69c6

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
6KB

MD5
55f36c343879597ed313b5ca738b294b

SHA1
64bef119a5f59b9066c4d3c8ed0a925df9fe91ab

SHA256
1dcbdaae3f75e4f0d10f745a20f197f66431b20d51ee2e68fabbff7ed1376946

SHA512
611610fd32300727fe294f1bdfaa8ae44ae1fd87694aefd7577398d2eb376e9c16430f621c66e44a4473fad54baae04a55ce9cfc09527147f06d2537f62b5cb3

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
d030930772d75a895a1fff25dc0f4366

SHA1
2b19b4b059d692b2c01000718f4f04a30203412e

SHA256
6a55da255cfd29e2ff52d3b70a4ce9890b6074a97d96b2a6b93d7fa4d3e01a27

SHA512
bdbe6233447d7b40f1a38978b862c983ed6883c9706671c742581a51beca5cacfaa4a0a899703e5da1b4714f863aff50baf776cf9801a8a19fa3c46d87f8af64

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
c236eca2aa5dd86e7485a6f8cd5c9d58

SHA1
3c537a3b4aef03e8f715f7dac21380e1769c255a

SHA256
b10929cd1c109d2a9d664f6ed03b50f645dfce18e0e56257b4a4ecc9041d4e62

SHA512
2bed4a3192e4b0150c7d5becb1a232657e3ff5c20f33f093e0a407ddc3aa59268665311379213edf0e15234e8822124f770e9c5f377d9229e1ce4344475047e3

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
cf8d4a0ef0fcccfaaaa2dac30fa2f9ac

SHA1
db341432e6a9bebc950175ce314b20d13e99e0da

SHA256
2a351f21d3b6e2b8c84868c62ca129b76ce3a9383005a3336525cf78eaa7d5d6

SHA512
178e36d78f49ebbee28e81d37d36f743db0bd82854ad7b7fecc3a26e08eab4123783ce1db1a9e77e31820341be8660be938190581ff629a3550c882eec1a70f2

Download Submit
memory/3212-42-0x0000000005860000-0x000000000587B000-memory.dmp

Filesize
108KB

Download
memory/3212-10-0x0000000000E80000-0x00000000024C2000-memory.dmp

Filesize
22.3MB

Download
memory/3212-40-0x0000000005860000-0x000000000587B000-memory.dmp

Filesize
108KB

Download
memory/3212-37-0x0000000005860000-0x000000000587B000-memory.dmp

Filesize
108KB

Download
memory/3212-213-0x0000000000E80000-0x00000000024C2000-memory.dmp

Filesize
22.3MB

Download
memory/4120-12-0x0000000000E80000-0x00000000024C2000-memory.dmp

Filesize
22.3MB

Download
memory/4120-214-0x0000000000E80000-0x00000000024C2000-memory.dmp

Filesize
22.3MB

Download
memory/4820-5-0x0000000000E80000-0x00000000024C2000-memory.dmp

Filesize
22.3MB

Download
memory/4820-0-0x0000000000E84000-0x0000000001F86000-memory.dmp

Filesize
17.0MB

Download
memory/4820-1-0x0000000000E80000-0x00000000024C2000-memory.dmp

Filesize
22.3MB

Download
memory/4820-212-0x0000000000E80000-0x00000000024C2000-memory.dmp

Filesize
22.3MB

Download
memory/4820-215-0x0000000000E84000-0x0000000001F86000-memory.dmp

Filesize
17.0MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads