fff4b96876b0c78da96e57cf7ca1b0e0cbee4fde52047a9bde52e25b062d69ca

Analysis

max time kernel
593s
max time network
592s
platform
windows10-2004_x64
resource
win10v2004-20241007-es
resource tags

arch:x64arch:x86image:win10v2004-20241007-eslocale:es-esos:windows10-2004-x64systemwindows
submitted
27/01/2025, 15:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

AnyDesk.exe
Size

5.3MB
MD5

0a269c555e15783351e02629502bf141
SHA1

8fefa361e9b5bce4af0090093f51bcd02892b25d
SHA256

fff4b96876b0c78da96e57cf7ca1b0e0cbee4fde52047a9bde52e25b062d69ca
SHA512

b1784109f01d004f2f618e91695fc4ab9e64989cdedc39941cb1a4e7fed9032e096190269f3baefa590cc98552af5824d0f447a03213e4ae07cf55214758725a
SSDEEP

98304:Uc9HTcGO0ImBimas54Ub5ixTStxZi/l9K0+zLVasSe4JnzMpm+Gq:UcpYGO0IOqs57bUwxG9CVaskJIYE

Score

5^/10

discovery

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	AnyDesk.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	AnyDesk.exe

Loads dropped DLL 2 IoCs

pid	Process
2860	AnyDesk.exe
2988	AnyDesk.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AnyDesk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AnyDesk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AnyDesk.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AnyDesk.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	AnyDesk.exe

Suspicious use of FindShellTrayWindow 5 IoCs

pid	Process
2860	AnyDesk.exe
2860	AnyDesk.exe
2860	AnyDesk.exe
2860	AnyDesk.exe
2860	AnyDesk.exe

Suspicious use of SendNotifyMessage 5 IoCs

pid	Process
2860	AnyDesk.exe
2860	AnyDesk.exe
2860	AnyDesk.exe
2860	AnyDesk.exe
2860	AnyDesk.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2740 wrote to memory of 2988	2740	AnyDesk.exe	85
PID 2740 wrote to memory of 2988	2740	AnyDesk.exe	85
PID 2740 wrote to memory of 2988	2740	AnyDesk.exe	85
PID 2740 wrote to memory of 2860	2740	AnyDesk.exe	86
PID 2740 wrote to memory of 2860	2740	AnyDesk.exe	86
PID 2740 wrote to memory of 2860	2740	AnyDesk.exe	86

C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
"C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2740
- C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
  "C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe" --local-service
  2⤵
  - Checks computer location settings
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:2988
- C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
  "C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe" --local-control
  2⤵
  - Checks computer location settings
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:2860

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\gcapi.dll

Filesize
385KB

MD5
1ce7d5a1566c8c449d0f6772a8c27900

SHA1
60854185f6338e1bfc7497fd41aa44c5c00d8f85

SHA256
73170761d6776c0debacfbbc61b6988cb8270a20174bf5c049768a264bb8ffaf

SHA512
7e3411be8614170ae91db1626c452997dc6db663d79130872a124af982ee1d457cefba00abd7f5269adce3052403be31238aecc3934c7379d224cb792d519753

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace

Filesize
8KB

MD5
3426a7a435e1dd666e90c3500c22bc67

SHA1
2ef9870d857fc6d2a4f0abf5d5a273ad3fb06296

SHA256
03b1ab062f080d554bea99521bda9094930ff06d23dccf7973f94da380425aac

SHA512
863900c0a130a7d65544a095880af7205238186d9349d898314b92dfe076803089a5b4b23a89ab86f3be0c7d28867433d017a629ad45191639af25bdee53f98c

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace

Filesize
9KB

MD5
0930b6f1c7a15ed7621110313506ba5b

SHA1
dc35ddf877cf63c78bbd9b4f5fea6e3fd247eab2

SHA256
2a8678350331d7c992e0114926352d91f4d32cff6cfa7b8c9e8a09592846fff9

SHA512
338ae596e1e2dcd2b12182adb4584134881afffd9fddaf27e44d389eccd22e244d2977091102495b6b98f1d737199364778eea5a7bcd421af4248fe8b7f8e50d

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\service.conf

Filesize
2KB

MD5
5602b29c3f2b5c0f82ee966e8a29a1c2

SHA1
856dbee27f84c1f4d5229769879e56ddd951188f

SHA256
63c93e469ce5cc29374c6ac726c5baa9e72c190b48da69a93b68d2fd0e1f9788

SHA512
0f24d29df4f2cd8e7254be877da106d1936121fdafc00887bc4f1a09d4a0aca0832a69e8da753042d65390fe54d151a3075589661cd9d1aced51670ea5d60288

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\service.conf

Filesize
2KB

MD5
3cb84e5d9b70f22bad1064ae16697e7e

SHA1
310de149f6929d7151d76cb0b9df96e7525b156a

SHA256
dbe0488f24a05e16850e2aab7f497f9a17995ff85e07cba4bfe50c366e629a4a

SHA512
06a88ee2b292e291008dbf7e84f5582c260faee8a0a36d2b0a7041f8af8b3db659e478789c08bd9c44289ccf859f3f7c371682da6e6db862d1533b6ba60b2cf9

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
765B

MD5
914d116205e9a1420a935a4c853e1a1e

SHA1
633cb99abd90abfb10984fab531e92fc5dc1b639

SHA256
e82ee71c12662d9032015bf8aa1eadb1c9b2f7b6db18492d108d6b43fe98747e

SHA512
d46b75b9af900c6bedb7c5371331da2f253ebaf237e04ec57636e0b8f46fccdfba7cffa5cbe3b0d1b1d68af57d8bec1da77a4203bc7b0bf95eae1f6e29b23da3

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
822B

MD5
466ae6c1ee2aa11c53e8ddbd03683e79

SHA1
b330f0cdb4891f8673ef58c3008aa171e3a93e5e

SHA256
e381dba33e3b6f10e5b93335ea2f0a4f961fb3c438a8729f4f71de39ec8726e8

SHA512
7ee5381566b7805cfce63a61bb26fd107b05be576e9cdf51f6a141cb27bf3cddcf84c21d5f6db6d2709fd08d38f8e785095dbe8ed65f2d4ebe9ba10c6af19733

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
831B

MD5
db847bb6367455eaaa409b0e21134a00

SHA1
8ac46e8bb56b03f34306354e2361c869e8262e83

SHA256
e9fe108b6e31ba94c5d3898e06a8fcbce5c7b8fecbd505aa34f6399f5059dca7

SHA512
032c3057bfcee8c43adfd2817b698ca63a97cde05c34f139d0eb57a6dc35e74bbf42fde168e9c284c6d798f6976f2b17353b32e6d51cd95b7f4d44476d769a19

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
312B

MD5
0c04ad1083dc5c7c45e3ee2cd344ae38

SHA1
f1cf190f8ca93000e56d49732e9e827e2554c46f

SHA256
6452273c017db7cbe0ffc5b109bbf3f8d3282fb91bfa3c5eabc4fb8f1fc98cb0

SHA512
6c414b39bbc1f1f08446c6c6da6f6e1ceb9303bbf183ae279c872d91641ea8d67ec5e5c4e0824da3837eca73ec29fe70e92b72c09458c8ce50fa6f08791d1492

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
468B

MD5
4fc88eb9b762eb4fdf00ae231e381e13

SHA1
94b72fa05dd38def60b63d6703a2d358fa064b8a

SHA256
1c0efd0348cffbd6146d5d8a40b51e54816942fd0833a3b692a2851eba27cde0

SHA512
6ae8d2e39b7523e51b516b98d588f4a635fd796df897b6677f54fbe932463b78fa24f1582cc4926e8c11cc812172725821a3115c98125cc703316620e7836350

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
468B

MD5
d4e459aaf1148b82bc2939212548fa47

SHA1
0fbd55d1d1729aba6f3c03d58e02e41ab188f3bc

SHA256
4d8c7ad1cb883c6e78b5a9159b12cebd1ed25d8e29e713f38ae5f6a2c9ae46ad

SHA512
0fc12c1f8369e236142f7fa728a5925ae2dfce0e0e4ced05b2c014f1cf61285d8df06cf3985c2852af8f238a274ffb7c131ee4550a7b9dee6e58b062adb46ec1

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
2KB

MD5
842de85a86016c7fbc0d602d40c54b2d

SHA1
a10015fc958138c0e8906344bcb055f1c77a23eb

SHA256
aa3fe7b81ae13487d397d26c05ddfe71a87294b3c0096ae86bbf13d1361062e9

SHA512
d69e8e573c8c35fa43d5413f51537a6774d70e2a04df80e8cd55c3c886adad51e36f0ef7fa73ad9e451b7ac584fa8a4cf74a5ca76e4cbd6deb7101d4b7893e6f

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
5KB

MD5
f327e1a121be66c663c2f35eeef35012

SHA1
f0fa5788a5f131a309e9bc16fe6f8ec8782d9192

SHA256
f239ddb7fbd1771b35f5bfee7a91afde789f5b661c76dad25b6d54b88ed68da1

SHA512
bf1e3602d8cff0d5c2239730b3b9a5892e127172c6c4e9fc94c0ada006701d586acb92e3f6c1e06c492d7034db0b0927b525a86d69d445ed62ad7a9073d61c85

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
5KB

MD5
dd2537926f4e76a2a1259f62d17c1697

SHA1
e361f5874584530b9d1453df2a713ba798a8df46

SHA256
a0efda4be7b4aa89696898085c5abec1e640cc9204c76fc142a911a11344c40a

SHA512
cbd9b81acbb34b062e5dc6fbbb90ffda2d9a988af2123f44afd6a408f3479bcb4e473b81d242f83120ed33b0e0bed20a591828fe4a321247a6c52363b6c501d8

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
6KB

MD5
70a7f56a7d8fe8115e0403ab335fdfe6

SHA1
ec2fa26cb888a8a25d607a9d66b5f5efaeb1042b

SHA256
7acff993f0d77d7396d189043e82c8be925361a7147991c7546e5b9a3beb6e6a

SHA512
0b329420d46597c011bc4872cc268e767ecf4c869460c4539db9a78bffe19927da580691c598ea7c4827778546fedec985a317667deeb698d1a08ac890fbfee8

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
6KB

MD5
c93be6aeb3595e1a5e00e00477ea5d32

SHA1
cedfe5880d3003d368e35cd14860ea2b48dc2863

SHA256
ff46883c8e07540a53c42e0af9586d6288f48037edbdee8c297efd438f6156ff

SHA512
fc2e79e4599c0cede8df5cca3cb0813ae9cd0b63113497c8bf2a8baaee8013f541aa82baaec14122f22f6248d7d78c599da817efd81b8a17bd88d86c1a4a8458

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
f18ba0c74c7d30389d6cd5dee69150e5

SHA1
263ab2b350473ecb9ad693f790f4199d0c0f64a3

SHA256
0e10ead3e308572eb85299c624d56d18c6e4cfd67e65f8c6c63b9c2a53ebf873

SHA512
e8f62cd65a3bec19f9e1cea0d2d6ce90d9410375c3c456d3269d44a5e67539bd26f80c2f38f3f0da51f586d088b95e53a590bb615513c09b8dbfd381c9456ada

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
4f816b83156c1295780c2080de30dce8

SHA1
2035eef7cfe1b96b20181f37db6aa22cc4155b91

SHA256
32ca9cad5aaf8de01802d681b953fed4f883431fba4097d73009c8cc30e707a7

SHA512
6223414334f38eb4ab77e4f835d1d2fe544a98386afe2cfa52db756ac35af0f0628fcd6360bdba739f3bea763f51100af920ed0fd1146db8ec29c664286f9851

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
67301c1c00e50dbf63aa492300f1b3cb

SHA1
61518e50b5e1351b9f6d702d33606d810df4be22

SHA256
1022ba60c419c28f5205fbdbb6656b187de0c1a1e5a90dc4ba0d555c0cf56f63

SHA512
f18e6f0e28a4294ae4446f30fea56fa750841489f3dd5d4ad1d99a6e175e48bcfc3b95ac9e14969f16f9d46712f6923f1c71a7448bbf9950bf7cbadd644a9132

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
c98827213b6cb0fbab57e2514ef6b6df

SHA1
e162b0beca173f273951a93ebe8c534edb2a4e3e

SHA256
4fa102fd1498b370559c953a83fca10030ca790d662a88981bbef3afde0414e8

SHA512
c47c034010472dbc278105c7b81ad1c1844fe4b37563cf93d09d4518ecf182b9dfb9d315bb166a011acbdbbc7569a1b8b34ef9e942c448ba68791081327d5df1

Download Submit
memory/2740-1-0x0000000000610000-0x0000000001C52000-memory.dmp

Filesize
22.3MB

Download
memory/2740-4-0x0000000000610000-0x0000000001C52000-memory.dmp

Filesize
22.3MB

Download
memory/2740-0-0x0000000000614000-0x0000000001716000-memory.dmp

Filesize
17.0MB

Download
memory/2740-203-0x0000000000610000-0x0000000001C52000-memory.dmp

Filesize
22.3MB

Download
memory/2740-204-0x0000000000614000-0x0000000001716000-memory.dmp

Filesize
17.0MB

Download
memory/2860-10-0x0000000000610000-0x0000000001C52000-memory.dmp

Filesize
22.3MB

Download
memory/2860-206-0x0000000000610000-0x0000000001C52000-memory.dmp

Filesize
22.3MB

Download
memory/2988-11-0x0000000000610000-0x0000000001C52000-memory.dmp

Filesize
22.3MB

Download
memory/2988-18-0x0000000000610000-0x0000000001C52000-memory.dmp

Filesize
22.3MB

Download
memory/2988-38-0x00000000057D0000-0x00000000057EB000-memory.dmp

Filesize
108KB

Download
memory/2988-41-0x00000000057D0000-0x00000000057EB000-memory.dmp

Filesize
108KB

Download
memory/2988-42-0x00000000057D0000-0x00000000057EB000-memory.dmp

Filesize
108KB

Download
memory/2988-207-0x0000000000610000-0x0000000001C52000-memory.dmp

Filesize
22.3MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads