fff4b96876b0c78da96e57cf7ca1b0e0cbee4fde52047a9bde52e25b062d69ca

Resubmissions

27/01/2025, 12:49

250127-p2nz3sznan 5

27/01/2025, 12:46

250127-pz1wvsypev 5

Analysis

max time kernel
149s
max time network
142s
platform
windows11-21h2_x64
resource
win11-20241007-en
resource tags

arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
submitted
27/01/2025, 12:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

AnyDesk.exe
Size

5.3MB
MD5

0a269c555e15783351e02629502bf141
SHA1

8fefa361e9b5bce4af0090093f51bcd02892b25d
SHA256

fff4b96876b0c78da96e57cf7ca1b0e0cbee4fde52047a9bde52e25b062d69ca
SHA512

b1784109f01d004f2f618e91695fc4ab9e64989cdedc39941cb1a4e7fed9032e096190269f3baefa590cc98552af5824d0f447a03213e4ae07cf55214758725a
SSDEEP

98304:Uc9HTcGO0ImBimas54Ub5ixTStxZi/l9K0+zLVasSe4JnzMpm+Gq:UcpYGO0IOqs57bUwxG9CVaskJIYE

Score

4^/10

discovery

Malware Config

Signatures

Loads dropped DLL 2 IoCs

pid	Process
1412	AnyDesk.exe
1072	AnyDesk.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AnyDesk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AnyDesk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AnyDesk.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AnyDesk.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	AnyDesk.exe

Suspicious use of FindShellTrayWindow 5 IoCs

pid	Process
1412	AnyDesk.exe
1412	AnyDesk.exe
1412	AnyDesk.exe
1412	AnyDesk.exe
1412	AnyDesk.exe

Suspicious use of SendNotifyMessage 5 IoCs

pid	Process
1412	AnyDesk.exe
1412	AnyDesk.exe
1412	AnyDesk.exe
1412	AnyDesk.exe
1412	AnyDesk.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 896 wrote to memory of 1072	896	AnyDesk.exe	77
PID 896 wrote to memory of 1072	896	AnyDesk.exe	77
PID 896 wrote to memory of 1072	896	AnyDesk.exe	77
PID 896 wrote to memory of 1412	896	AnyDesk.exe	78
PID 896 wrote to memory of 1412	896	AnyDesk.exe	78
PID 896 wrote to memory of 1412	896	AnyDesk.exe	78

C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
"C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:896
- C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
  "C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe" --local-service
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:1072
- C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
  "C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe" --local-control
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:1412

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\gcapi.dll

Filesize
385KB

MD5
1ce7d5a1566c8c449d0f6772a8c27900

SHA1
60854185f6338e1bfc7497fd41aa44c5c00d8f85

SHA256
73170761d6776c0debacfbbc61b6988cb8270a20174bf5c049768a264bb8ffaf

SHA512
7e3411be8614170ae91db1626c452997dc6db663d79130872a124af982ee1d457cefba00abd7f5269adce3052403be31238aecc3934c7379d224cb792d519753

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace

Filesize
8KB

MD5
8c9052e0c457983595109504f1563845

SHA1
5ce82c5c4fbec0bdc058747c087cc41f8e2b8586

SHA256
6f77ad6228586b70cd4850e6fdd3d344b07969563694f6574cba353ee5acf1d9

SHA512
c934de09803242ceacd9e7c855bcdff15266b8cb7e5c46b2fd1af46213b7221505ffb0f7cb126fcee5e87ef68fe6347a82b625cad7b41a5ae65be5d4611ecfb6

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace

Filesize
8KB

MD5
3c5def4b2c66dc588984b4abb852c98b

SHA1
68a37fb143a0ffd1aa599518483713cdf3475f25

SHA256
54289ff328f13f61a9e05c67cb2069149e6156b638f17b48206418068e7c0b19

SHA512
35a4ed0a36086155a1e9d4456132c2ec828f2fd6b79e516a7de1a56a3d7c7469a3c39c69d8e1d02b862ebdeacda233b0b574bc21ba8e234c0074d4f30bb17826

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\service.conf

Filesize
2KB

MD5
1ed740243f5b0b1de7d3aab0f7026912

SHA1
d01ac1f7ab46cbdf55b6414b8d2e80162b3a70f9

SHA256
7fd807512369289a92801409db84fcb66c035d404b0e75d9ad564c87e1d937ae

SHA512
c4000c8618facb00611f82f1e9bf33295752baf6b121dd80c860958f8ad35955a4c8e0c4c1391541f77e0779ac81fbb08afea5da8b6f372d637c81ca23b07d84

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\service.conf

Filesize
2KB

MD5
3b352b96e74d18dbda0b032f036bbf57

SHA1
bc7c01a57dd949b6751e8a8b6cbe307fccacd6ae

SHA256
eb1cb81a3c6f415aeb8d94f23dad67f4bdbe5c0bd70e092a935ccf789c0da4d9

SHA512
5f66a2e089ab9358cbfa9bebef1d38bd621973b0c3026b8b509b0a2c94ef2bb3f739084060e1a9ca06585d60121fb2dbdfbacdba8a92ee82fddb90af82fab9f6

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
745B

MD5
143ffe63cf40598832524fed65aa7a49

SHA1
dd74f38e17a0bcb8e77bc20a8084601d558e1c2b

SHA256
5aee7a43e22759d0c2e64081d725b0a1c6c6a0e422ab4cc6c7b069fe31dc9b83

SHA512
6a47a677c60c02144d03f2785ad60a1edbbe5020adfbebbb546fca510b07e50c79b995472b6efc82631dac392cc0b23494273f56859b1c88258bbc2ad1ad69d4

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
766B

MD5
8ab34020f1325df5ee7aba6b313c3cdd

SHA1
ee3a55b310b5a1d4eebfff3258f799801e0205cc

SHA256
4970ae7f1cdce7fbb99276100df9ef407cd8c1f05f9ef781dbb7f124cb0442b6

SHA512
1f8e3584ae2f8ba8874bbcd3516c7a133c0a2b2c42add8ed2e8cbdc4203a0d676ef7c5c8ea903c072bd095743e6de25cacea5301b7c80fda2d1db30b01a722f0

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
775B

MD5
2eec95a9875ffe11faac74d1a29a04f9

SHA1
48e04d8b0a847563809140a186d8326811fc7c9d

SHA256
ef6f849a2ce0694e9ab9263bb12cc6b618a3920df5c902dca0d0ea28615c6fb7

SHA512
3cd42921a990231aabba54eb31f12919ae102eacaa59da2328549e2f3cf965e7c09714e70c352fe2be9ededd3787aa534bf262b8be0965c4b226723e74068e96

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
832B

MD5
79a10966deb62a408af05fdcc01edea6

SHA1
1a48d6dcd36442ab6de50238a790a8bc858343c2

SHA256
d2403ba600f4878c7399db6fbdcf6d1a6f77dc195f1aa32582b6084ce2eaab00

SHA512
661f1765a7e68a6487400cf7dc989bdc72f7a56f8ca58f33e800ac9fde52c5acf11d131b86f5855217f926a70fa9c237229b1513ba1389ba0ee8b31febeea8f2

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
312B

MD5
0c04ad1083dc5c7c45e3ee2cd344ae38

SHA1
f1cf190f8ca93000e56d49732e9e827e2554c46f

SHA256
6452273c017db7cbe0ffc5b109bbf3f8d3282fb91bfa3c5eabc4fb8f1fc98cb0

SHA512
6c414b39bbc1f1f08446c6c6da6f6e1ceb9303bbf183ae279c872d91641ea8d67ec5e5c4e0824da3837eca73ec29fe70e92b72c09458c8ce50fa6f08791d1492

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
468B

MD5
5718a6fbb80de40e35383e86ddf6d299

SHA1
4d1c0835e6733feda68665d52efa330610ae799c

SHA256
0ace06f3ef5da218928c1bb68ff4b1291577e05a9d596e622ade4ebb9755bbcc

SHA512
72c84dab90dde66b12c462092327b17202b983c1aac2ef22bc4ac0346abc312ddeac336d0c827f4e7c6b68bfb3530553aae9497d60753bbce8ef89be4ea00dd8

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
468B

MD5
8d43ddc611375278eb807f5194f85523

SHA1
2def0d678632e27d089491ed6517deade9807e2e

SHA256
1ae99665156dc67fa84a51d0402fec71eb69dc55cf537916be4da2668facb4c8

SHA512
520ec98d6e480372e097bffb3e26f5e2bddc34686c7c6619ca3829eaf0c3cbc90b124408950305e2d4d2f0dada1930fcaa7f5ac952e4f44fbafb0f4c17cad411

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
2KB

MD5
301a5f33dd1119a3664d46d633876c40

SHA1
71cbe9e1f0b11eb5e9c88e0c5742670d64cebd7f

SHA256
48650d9a4e868263e4086ab56b4e168f990262e043e4d11f4f8c2c6b9ae2d86d

SHA512
a8d47685e68b3cfb21b6f3fa63ef3245f9ea1cf44a63a4b41a72a011d84acb44b16f52588e1672d9cdda310e77ea4643637a4099e708748c329a00ad38252fc6

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
2KB

MD5
31b449d65ebda5b727128ed3afe41ce7

SHA1
22f6cc30036b8c7e35352f584d8adbfde5535f4a

SHA256
e1ba1b251efd58e338bbdaece481b4ab926de2c020954ac42572ed5b71ad28f4

SHA512
7523cd8d50272155eefcd3bd88461ddd9e3a659a30794b0589d5c7ff926f99af0f6079bda85d9a61d3ce36231f09262d99910b5cf946388f26f9f66712360a7c

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
2KB

MD5
baeb18b4ec073c189ce95f75564a0071

SHA1
a2cb750a83ca783bd2c63866d1d3810602487f93

SHA256
f83b7f176f8559cbd69df8c8896364d6a5ab0465547b9dae52aebd3d1210a4b4

SHA512
b9203f124f4c90e75009c2f5b0fe8bfce4352207ac7c6c4027f2892909bdb0077dc89beea35cc0ee5c408c6b7e0c5b77f418cdf8a71419e477c71784a57ee055

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
2KB

MD5
a39b25aa5007eacfe60dce0cfac7e22a

SHA1
059132a3a9f5a314bd0f1a2a21caececf95c9432

SHA256
42ca9839052dec9d43fdb3503aeaa7df5a911995f2147e9d8ddc512b49947f3c

SHA512
0db8610951a00ea39478c9a8c432ea3987044026463594a9387917ed86f075a24c9044793bdbb1ba3480967ea2ed9220a356bad0eb07fb1849d8cc1bfaa58181

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
1fe0ef9abfd9a4c7542b0a1b582c7f4c

SHA1
76b8e3e903fb27e01fd18b58d56e645bf6171cca

SHA256
70be12e04452980730beed9f7be7d2bb5120fbfc5dc6a8501cad436b262cd1bd

SHA512
0ae0c06db79370e20f4392eb99653decba5957e71ad3ccbfb7f2b0aa69d472d474f4867b821965931a2ad203f6668b230a68cd56225b3886787123a94bfa27d5

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
5KB

MD5
69b321d72e5852b26cd2878a7586ff3e

SHA1
9a1deb09d9149a3b99ca9533e144c6f5faa9cb15

SHA256
bc1e431d8315cb43950d179ba47b835b6319f6455066b72613b046ffc65aefb0

SHA512
179b5c00ff4943dbe60df21cfd43a8f3f61de2b5edbfa39c64a932fceed1ce01ca6daacecea78b7b21a1531538ba2c905f595df3b7558bee381253ace64b861b

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
5KB

MD5
7c5b7c6849fb838d6790d232caadcb65

SHA1
74f7f00a88413089996bc782a2b3799bda8ed3cc

SHA256
50bb6ea44d81f1ef321e052eb2790ad9a07d4e7d515255d2f5dfd604d7e004c8

SHA512
83a4d4f19ea6c72f732c6e1ec51e9c4779d7fa7564daed2a7f0b52aedbf57bd7bb705a59433b4b76693e3e7e673b8020303066c005d08e0c2a7c45088f3f438c

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
5KB

MD5
d9c23cd3069fde418fd42cdae257f49c

SHA1
49213332a3057ab421804547be7118a67474ad91

SHA256
d47a28599ae99f0ddfcd6f9f3954b772315f07f6163d5f9f2c17b59bfd79ff50

SHA512
1ad3cea3577fcf58fb492c68445faa3799eaf0311537a4332c5afe59965b89e8bde4ccc7e1b7abe1c31481260f804e017be3f269cd9b078270b1866d466a1b80

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
6KB

MD5
3fa313f1785b3a2854915dd8256caf74

SHA1
90697881c73e91a8ac567480120b7627cb473eb1

SHA256
4a3f42048dd0a09b7b9e65aa0b5e434d44d5f3cf2fa3db356fd79178bbb4d08c

SHA512
f3b8fc14645b9121cd110d23178934c89158534e6672aca848c989156f7ce219dec443c2c1b4f2c8bfafba2bf86b7da26437e8095239ca96d7eb4f3b6d1043e0

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
95d49f2fd116061d383a7173258ea3f8

SHA1
5aaa2dbdd139d84071e84a1672472ca80701af6c

SHA256
a9a9a797782bf8298e6f8de0bd80a12cf924f84338123ca251d0d704553da8b3

SHA512
a42b0a6e2b7b07d05a4f35b54b52b693414dcd3fe64ac57963e69449731fb6b860a81bd93a2eb21c49cc48713e97c98425b7ec66be44b2ea8129338c2af6b46f

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
4f7cd95f758df40bf7cbe6d5c140924d

SHA1
28c9bd09c64d4024f9ec939bbed14fd1fa5e079f

SHA256
e03af53911d110788842dc6671e18d791fc752a00b697fd502c173ea57625e0d

SHA512
7692712d462b30f04165a8d0f08cee5284a13c4884acd59c3aa8eaf47ba0e8d24885d3f6ede9349f60308f0c0957f8eb4bb1a246fa483ad37c331150f2d20bb9

Download Submit
memory/896-199-0x00000000006F4000-0x00000000017F6000-memory.dmp

Filesize
17.0MB

Download
memory/896-200-0x00000000006F0000-0x0000000001D32000-memory.dmp

Filesize
22.3MB

Download
memory/896-224-0x00000000006F0000-0x0000000001D32000-memory.dmp

Filesize
22.3MB

Download
memory/896-9-0x00000000006F0000-0x0000000001D32000-memory.dmp

Filesize
22.3MB

Download
memory/896-1-0x00000000006F0000-0x0000000001D32000-memory.dmp

Filesize
22.3MB

Download
memory/896-0-0x00000000006F4000-0x00000000017F6000-memory.dmp

Filesize
17.0MB

Download
memory/1072-42-0x0000000005870000-0x000000000588B000-memory.dmp

Filesize
108KB

Download
memory/1072-43-0x0000000005870000-0x000000000588B000-memory.dmp

Filesize
108KB

Download
memory/1072-39-0x0000000005870000-0x000000000588B000-memory.dmp

Filesize
108KB

Download
memory/1072-10-0x00000000006F0000-0x0000000001D32000-memory.dmp

Filesize
22.3MB

Download
memory/1072-222-0x00000000006F0000-0x0000000001D32000-memory.dmp

Filesize
22.3MB

Download
memory/1072-14-0x00000000006F0000-0x0000000001D32000-memory.dmp

Filesize
22.3MB

Download
memory/1072-225-0x00000000006F0000-0x0000000001D32000-memory.dmp

Filesize
22.3MB

Download
memory/1412-12-0x00000000006F0000-0x0000000001D32000-memory.dmp

Filesize
22.3MB

Download
memory/1412-223-0x00000000006F0000-0x0000000001D32000-memory.dmp

Filesize
22.3MB

Download