1abd13caa0ce729854040c8048a90fab150e7d71315932d788bf722c2ea9511e

Analysis

max time kernel
145s
max time network
149s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
31/01/2025, 11:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

entry_1_0/AnyDesk.exe
Size

5.3MB
MD5

0a269c555e15783351e02629502bf141
SHA1

8fefa361e9b5bce4af0090093f51bcd02892b25d
SHA256

fff4b96876b0c78da96e57cf7ca1b0e0cbee4fde52047a9bde52e25b062d69ca
SHA512

b1784109f01d004f2f618e91695fc4ab9e64989cdedc39941cb1a4e7fed9032e096190269f3baefa590cc98552af5824d0f447a03213e4ae07cf55214758725a
SSDEEP

98304:Uc9HTcGO0ImBimas54Ub5ixTStxZi/l9K0+zLVasSe4JnzMpm+Gq:UcpYGO0IOqs57bUwxG9CVaskJIYE

Score

5^/10

discovery

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Control Panel\International\Geo\Nation	AnyDesk.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Control Panel\International\Geo\Nation	AnyDesk.exe

Loads dropped DLL 2 IoCs

pid	Process
3028	AnyDesk.exe
3012	AnyDesk.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AnyDesk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AnyDesk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AnyDesk.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AnyDesk.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	AnyDesk.exe

Suspicious use of FindShellTrayWindow 5 IoCs

pid	Process
3028	AnyDesk.exe
3028	AnyDesk.exe
3028	AnyDesk.exe
3028	AnyDesk.exe
3028	AnyDesk.exe

Suspicious use of SendNotifyMessage 5 IoCs

pid	Process
3028	AnyDesk.exe
3028	AnyDesk.exe
3028	AnyDesk.exe
3028	AnyDesk.exe
3028	AnyDesk.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2076 wrote to memory of 3012	2076	AnyDesk.exe	30
PID 2076 wrote to memory of 3012	2076	AnyDesk.exe	30
PID 2076 wrote to memory of 3012	2076	AnyDesk.exe	30
PID 2076 wrote to memory of 3012	2076	AnyDesk.exe	30
PID 2076 wrote to memory of 3028	2076	AnyDesk.exe	31
PID 2076 wrote to memory of 3028	2076	AnyDesk.exe	31
PID 2076 wrote to memory of 3028	2076	AnyDesk.exe	31
PID 2076 wrote to memory of 3028	2076	AnyDesk.exe	31

C:\Users\Admin\AppData\Local\Temp\entry_1_0\AnyDesk.exe
"C:\Users\Admin\AppData\Local\Temp\entry_1_0\AnyDesk.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2076
- C:\Users\Admin\AppData\Local\Temp\entry_1_0\AnyDesk.exe
  "C:\Users\Admin\AppData\Local\Temp\entry_1_0\AnyDesk.exe" --local-service
  2⤵
  - Checks computer location settings
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:3012
- C:\Users\Admin\AppData\Local\Temp\entry_1_0\AnyDesk.exe
  "C:\Users\Admin\AppData\Local\Temp\entry_1_0\AnyDesk.exe" --local-control
  2⤵
  - Checks computer location settings
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:3028

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace

Filesize
5KB

MD5
7be1836b5007d0634bdd0e1ccbd69908

SHA1
66ade3d1d99bdd438f839fb7d29450b1b4c9d33f

SHA256
07e587089a456dbd4058be3e6a76385bbbee8942d5091bdf19bbd26f51d3a512

SHA512
db7c9fbfdad46072580c3d7922277533524237322026e35d217ff418daad7bad12ff901582ca5cad010d46a42cef9d04ad45579921d391fc856c1c460972ac13

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\service.conf

Filesize
2KB

MD5
e00df86ab4d18323648c45e4eead29c3

SHA1
bbdbde7e44cb0819acbbada07c344c17d8c52caf

SHA256
ff618f884f235bb580c9d1f80b5b551ce646e9dd805bf129cad12841b1e5bc01

SHA512
4bebbf9ce6086fb67549e9b1493caad565062d8d887d72191dccca27a252873dc978fb2fb5d140450557289e3f1d68a5edc5ddcd8e34bf581a0bc4ea78a01888

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\service.conf

Filesize
2KB

MD5
6150e9165fdf7a71e845e0de39b65e90

SHA1
a79b1643134fa0e76d322a12893f3a48dcba36a2

SHA256
ec0a08b4300b3367a491006386f655ddb9074b8800a143d3ed24c99fb5c0629f

SHA512
1c88fbef01181161a4e42535a03cbc33eb9a35e0b802195240abc0280ca4be26f7e2fde12954543cf87e4d88fa34efa3428eeb623c17af0c57281dc20030a4c5

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
697B

MD5
4a5b421208e12dadde15147912dd7f85

SHA1
8810052e7515102bb50f7244f2db368fc4f00b8e

SHA256
acdf897e732d3856ed9961f9eb6ded82e7bcc4f939178c53c0306c60ee1ca357

SHA512
7c7c75742275f5a1a48940169a1d1f3c6077f31131567c24f2d1caa05614c7d5091b1c908b26677443a7e8bdbf985f7f14d9ba6437bec4f4b072c0416fc47a79

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
754B

MD5
f7807b3bcfa8b8e23b4ce06270f833eb

SHA1
eb55c92d68ce647dd87278e8dcc488b718767132

SHA256
55cb60008124cabdf86b71c098b3abba26730f046db267a8ec9cae9cc0b62430

SHA512
e4f1d599ab692be311a8bda8fb921e717b1d65c32f65cf0dd6cb7420e519d8c82b2b22443b697da96481dae7e381149b9dd5612c1c044e0a275516d5ab7fc9e7

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
763B

MD5
3dc58c96efad38881b566c0c3fff7a86

SHA1
b851117a2eb99737ba8a6cba72ca2bc0416a370e

SHA256
b9347a57e1fe763b826fb7404f20be4d8decc250c9466d43d3a8457c69c759a8

SHA512
c85e96b563afb482a343f45c8d05bff5c0dccf8d2020be23be4442937ecedcf1ee002f28f19876cc35ef8da20044624abd2ff11deec3f429d66497b0d4698769

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
832B

MD5
d9f6a4d391a46819f10e243fc10dd314

SHA1
1d3d552cfa5344dd84d3f2df64ec4e97835a4ade

SHA256
fc6a1676553fdf65ba96a5a5b1b1d2b5f33d316b46e655dab3193e051798ee3a

SHA512
213646a90a693e572ae892bc1c62def089f0583d4960fee15fccc1d34384bda72425f77c222dd385b9f7e9644686b46018813411382c2fb7ab6e7d0a926ee3a6

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
468B

MD5
f7b26341c6105859a2e6cc95d4da15b9

SHA1
eb8a566564af2f7b8550e7a1808af7c234a477e9

SHA256
197f80c75101ddfc11b462e1422fdc03da569e9efca88df0bb21480174a3473d

SHA512
e5b473ebc22475bc327ec05867b0258c86b3c6e10cdde61e84fe89c4922020d90cfcbe7a1c34f5bdca71e03e88b4fbac66822ec36cead0fc4866232da704be0e

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
468B

MD5
4a63f388098ff497b8e37a52fa050a66

SHA1
6b744584e96358f6883b109f06c0355b51fd348d

SHA256
9022e447bde3a3cafcbad01c636c1dbf3f5a4befd37f55dab7fc0de5e316c007

SHA512
34cfaabd851ee6b854c7a46fd14ae27a84d1dc59fb1a21183be7996a3c154fd8bfc305822c14521e686fda916559e5977c2ca54c2c02eeb002a1def46252efe8

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
8f08b644dca42fde88f0ffe0b2188e25

SHA1
f8d40d627bf6e871ef12cfc5447d582dfd070037

SHA256
2a09f128716c42eb89be4908cc16a62211eecaf2835ccd3d745c1e4f73ba2070

SHA512
bdcb2f0b6b280c8cd8fe17dcbfabab2c585d7307c2fefaf799ff264535a81928d3e3ac542fccecd0339e8b9e9db03e8138aec0a17fb4f7cd473c3800faad3fa4

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
0f62f0ab7da47419edc20fca5b836f31

SHA1
4ad8edc451eb7bbf397c8ff7968f0b124d4e179f

SHA256
c85648b463dec310ec2d41515fe2bb42eabc817750761de9ec7f42d33b85513a

SHA512
e3cc5715978312f387d84c774ac0ef2e053898c4db97127806e05c97c1ed3cf5350e75c9ca4af85b3cacde57f511cf86673dbc20a8cc23d4d70563613469e7d8

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
2KB

MD5
b160b6276cd384923333fc16bc3040bf

SHA1
95e43f76006aafaf9de0eae44874d2af40cf3980

SHA256
bcf0dfcb6b1ee6a958ee51192e16e7ad5d18ff8f116ed0b7dff455831ead54d7

SHA512
06a03971d3f64d425ac2d18d1324220490c434ae2bbffad2a7012e212ae148e575908a281d34041347d631bccaa8902f0e1e92b354f10de76df07f33dc245215

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
2KB

MD5
4a1461fc3e4423264a36e73736041130

SHA1
7c470cdd60a0cf66653d8d1db32db5480ffe1ba0

SHA256
d6918be148541728c5aac77ef95c76ea960915652819a011aec5fbeaf8216a43

SHA512
94ed1304da6ee6536c9d88c83463a4018666300d3d4698d724f2b7b71eabc4a908e891b240b7f51465d9018aae0a93e21ff38e0b8284b783018ad88224fcbce6

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
726a6ec0163ceca31dfa7e9a7b7f40fb

SHA1
22ecfbbf04d034a33ca8512ff4220f63732dbe5b

SHA256
6085d6da0459ee7012a5745d16c4fc0ce120cd0eefca6ca4d3c17cf9145f7492

SHA512
a7723674b3dbcea5ef2b66fd367e1a0728323379cb479f3e8408416428df7974efe7700d0d1d916569e3f362df5191e527400590499ab374d139ce20745105d4

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
2KB

MD5
cf06cb6047447321476e77372da0be95

SHA1
20e7e41f7385164e94f5d51ce40083724742214a

SHA256
0c2ac0b217c2d1a086893c24f7e638b2fba2ac35f523e360c1273608f3b2d1b0

SHA512
0a80a3a504d91894cb8e69dd0cd259855a0b1e52521dee6cdc7a7ae8037b77d9c662ce3035848a9ea11f714bb594397f887865ea314ddff608ec6a7f9b969dd1

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
6KB

MD5
ddfe72dc1580c3645bda3acdd674b4fc

SHA1
b23ebdf45098ac1f65cf5466f8eaae3ed0074cc3

SHA256
d200601c931141c5d0ec84893866d760a0350e7e6a18567e8f6fd3b250c6bcad

SHA512
fc6b1dfb882e7c533f4b72c6b48df96bfc4387b59539f798eba74e2237401997e1555dcb3628afe996b52cf5b6f66cbd140701c3775778126bf1e61d50f17f82

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
5KB

MD5
dae44a35200cb71b7fc435fba8e74bfc

SHA1
ea92afcf2f56e2748d54884055589988e384ed00

SHA256
e182f28e56e135d0c22183b626b6a168af5fc080f590bf12201683affed7689a

SHA512
c97ae8ec005ea30ea84052a1620be77778906c0c745565e67ff0f7dc260f6d8491c50ce42f4327287f49433830ab5068be6108ab6e6e369caa92eb91af172534

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
5KB

MD5
97c70f2ae0e9bcf8c6fdd6e020a84892

SHA1
de1ca289abb3ea75cf57daebf41ca4354f3fb93e

SHA256
3cc42c3564ea4bb5dce1d8742d91319b178a3111ee38c85d64c623ccbb2a6aa2

SHA512
b7d5fc3f25a1bc22f9c1494f8de8e03da67d4503df4496303aa39cda4cb9d05ee163c1706737b4c299751b709c3b062ceaa33e1e19217f12cf9e9d53b44cfc55

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
6KB

MD5
2e6a1005600999c84144b820c5e5e43f

SHA1
422318ca8ae1a6916cf98b7117fc259b808db7e9

SHA256
e391b440bb4083f3d422b45061efb33d059fb89d6f8855ace6f5bde50414c7a7

SHA512
8c869f79c424cfeb546c6dab8bfe3f4feece2e53348dc23d778e511f5f9b45423d21325c242427ab6ffedcb23c4d19e7775f03c163b45ff2bdbbe2efa85d9cc6

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
6KB

MD5
ce6b8e6b7b2564a9d166f5e5f7ab633a

SHA1
8b1b6e2f9646a184e753f849498f28cd19590d05

SHA256
8186120561169233fc6eaea13f0df31387ac01595f15f4e501cf0d5c43a1aa70

SHA512
e8fca8633642e15518814de3249169eabae399ab975bd3fc70da26fd09a9391cfe44a55909490889b0f999d7d01e774402d6ec88262debac2143bb505bc9c056

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
ba9b46f3a2f37802998f7d11e1b0eb0d

SHA1
c9c6035e5f0bfa82ebc1d1b17628ed3590ef0dc4

SHA256
7fcff9474c9b987aadda5fc957f25ff0a2b31d0b5a1e5d37d8349157eb43efd5

SHA512
f7c35bfe9f74623d26f1bf5f6fe517907d9dc1a83099ca6eab5d7b370926b03a211b4603b42a807f8f040f1d85d2ce19ddce190d4a037d83f9a94316d1bedaa8

Download Submit
\Users\Admin\AppData\Local\Temp\entry_1_0\gcapi.dll

Filesize
385KB

MD5
1ce7d5a1566c8c449d0f6772a8c27900

SHA1
60854185f6338e1bfc7497fd41aa44c5c00d8f85

SHA256
73170761d6776c0debacfbbc61b6988cb8270a20174bf5c049768a264bb8ffaf

SHA512
7e3411be8614170ae91db1626c452997dc6db663d79130872a124af982ee1d457cefba00abd7f5269adce3052403be31238aecc3934c7379d224cb792d519753

Download Submit
memory/2076-4-0x0000000001000000-0x0000000002642000-memory.dmp

Filesize
22.3MB

Download
memory/2076-2-0x0000000001004000-0x0000000002106000-memory.dmp

Filesize
17.0MB

Download
memory/2076-61-0x0000000001000000-0x0000000002642000-memory.dmp

Filesize
22.3MB

Download
memory/2076-0-0x0000000001000000-0x0000000002642000-memory.dmp

Filesize
22.3MB

Download
memory/2076-268-0x0000000001004000-0x0000000002106000-memory.dmp

Filesize
17.0MB

Download
memory/2076-269-0x0000000001000000-0x0000000002642000-memory.dmp

Filesize
22.3MB

Download
memory/3012-16-0x0000000001000000-0x0000000002642000-memory.dmp

Filesize
22.3MB

Download
memory/3012-266-0x0000000001000000-0x0000000002642000-memory.dmp

Filesize
22.3MB

Download
memory/3028-14-0x0000000001000000-0x0000000002642000-memory.dmp

Filesize
22.3MB

Download
memory/3028-267-0x0000000001000000-0x0000000002642000-memory.dmp

Filesize
22.3MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads