1cdafbe519f60aaadb4a92e266fff709129f86f0c9ee595c45499c66092e0499

Resubmissions

18-02-2025 10:22

250218-md9krszkhm 6

17-02-2025 23:11

17-02-2025 22:39

17-02-2025 10:36

16-02-2025 19:11

16-02-2025 19:09

13-02-2025 11:50

08-02-2025 16:12

Analysis

max time kernel
898s
max time network
901s
platform
windows11-21h2_x64
resource
win11-20241007-en
resource tags

arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
submitted
06-02-2025 21:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

AnyDesk.exe
Size

5.1MB
MD5

aee6801792d67607f228be8cec8291f9
SHA1

bf6ba727ff14ca2fddf619f292d56db9d9088066
SHA256

1cdafbe519f60aaadb4a92e266fff709129f86f0c9ee595c45499c66092e0499
SHA512

09d9fc8702ab6fa4fc9323c37bc970b8a7dd180293b0dbf337de726476b0b9515a4f383fa294ba084eccf0698d1e3cb5a39d0ff9ea3ba40c8a56acafce3add4f
SSDEEP

98304:G5WW6KEdJxfpDVOMdq2668yIv1//nvkYCRThGXBJdicotUgwoAo5beyjF:y3vEbxfjf4Y8yofvktkLdurH5iyR

Score

3^/10

discovery

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AnyDesk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AnyDesk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AnyDesk.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AnyDesk.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	AnyDesk.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2020	AnyDesk.exe
2020	AnyDesk.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
4956	AnyDesk.exe
4956	AnyDesk.exe
4956	AnyDesk.exe

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
4956	AnyDesk.exe
4956	AnyDesk.exe
4956	AnyDesk.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 3204 wrote to memory of 2020	3204	AnyDesk.exe	77
PID 3204 wrote to memory of 2020	3204	AnyDesk.exe	77
PID 3204 wrote to memory of 2020	3204	AnyDesk.exe	77
PID 3204 wrote to memory of 4956	3204	AnyDesk.exe	78
PID 3204 wrote to memory of 4956	3204	AnyDesk.exe	78
PID 3204 wrote to memory of 4956	3204	AnyDesk.exe	78

C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
"C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe"
1⤵
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Suspicious use of WriteProcessMemory
PID:3204
- C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
  "C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe" --local-service
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2020
- C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
  "C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe" --local-control
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:4956

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\gcapi.dll

Filesize
385KB

MD5
1ce7d5a1566c8c449d0f6772a8c27900

SHA1
60854185f6338e1bfc7497fd41aa44c5c00d8f85

SHA256
73170761d6776c0debacfbbc61b6988cb8270a20174bf5c049768a264bb8ffaf

SHA512
7e3411be8614170ae91db1626c452997dc6db663d79130872a124af982ee1d457cefba00abd7f5269adce3052403be31238aecc3934c7379d224cb792d519753

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace

Filesize
10KB

MD5
cb65b0c20d0237b466fa5b41f4879dd7

SHA1
778fc6af787855de5a1c8af63a4b8ac9629f0047

SHA256
a4130abc94ec7210f3757416c2ac7dea51f5a3e2b9dde0bf2c324ec287d4c959

SHA512
12bd940b3c4e2d4c38383e4a5be194979940837bf67d49f74905ff7f43d3c66935468d88608d469142557ce183edc03b4ce53d8cfbf6d7c335d45d674e02d51e

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\service.conf

Filesize
2KB

MD5
e66f7ff3aa7ed36ce89a2f2fb78c3bc7

SHA1
82722f8c813bfc2e34478c24a2f940d3072102c2

SHA256
08a75bf161e0733fe2c931dea076108028aad44be652a2a82bc369369aefa660

SHA512
c045d7a9d097830000152cbcbfced28e9582211f562c12abb964920d6ad5a4cc8bef8c91c6fee138c2ca7322c18bc809efc3b85d9fb5122ed06ba06c6824586f

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\service.conf

Filesize
2KB

MD5
cfb257d824020accc6ded3566e5f72b1

SHA1
5a67c62dd95ada5e647dcaeb3aca858f37dd1bb9

SHA256
821d84c2e393554131d201fa90e8c3bcbf41491cf10d30cca864fa5e514a9d99

SHA512
2ed809b6baafdfbc77edb641e6b719407269f4df58fb3cb9a7b1720549a8e7695b402ca150a3fb4b61efdfdd021c5f9e7e6c8e9cc08894d332f914b4c4fc9f05

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
701B

MD5
56e5581efadcb67ff80a0849cc68205f

SHA1
fc9e4d490363abc05a383c5ce569757b9b17112c

SHA256
3f5e5ace0ecab741d718a953ee73858f5bdc40b23cd1ce5d62d0ed596473335f

SHA512
a8305b5394817bf4f474930fe42b9a554651685d92e1ec56bf9b50b3853bfaa155d3ba232b4d3272b52444d701b91530ca6a89cc5af92f56010e0510fb11fb30

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
758B

MD5
88eba772f31596ccc1d8657cd1dad143

SHA1
8ae6df9ae9166803e5feec4ac98aa61b2fb6fb92

SHA256
60e2df3eba2d45400f06d6a51350066ceb6c69c122efcc0eec93d875d1949db7

SHA512
e91a7c616d8c85cd1d180abeb39a0c4424b608d073094c9556b3a6ae911160c2c5d40dd1902e6c3f932efbb46f8158eb5b3aec35e62e10fcd8249897811c0175

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
312B

MD5
0c04ad1083dc5c7c45e3ee2cd344ae38

SHA1
f1cf190f8ca93000e56d49732e9e827e2554c46f

SHA256
6452273c017db7cbe0ffc5b109bbf3f8d3282fb91bfa3c5eabc4fb8f1fc98cb0

SHA512
6c414b39bbc1f1f08446c6c6da6f6e1ceb9303bbf183ae279c872d91641ea8d67ec5e5c4e0824da3837eca73ec29fe70e92b72c09458c8ce50fa6f08791d1492

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
424B

MD5
ad375e3ab706534787f8f6122d28d738

SHA1
6fc59f5998e872c1542759e036995c059a63a83e

SHA256
f82873273c94dd529614bab286766eb1114a29fe034fada67f1c128b6315b138

SHA512
2e9e95ddb57d0a5451a48b49469d6ea5017e9d2ce0c70d2d580b38fe0b4992624f049382b00e9e2803fce1925e1d2e6cfe27e3964231d303be6aa36e7c2dce49

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
424B

MD5
6c28bd65bd831b2aa523e8795c0601ad

SHA1
32c6871988427eff04d586875d331da56d9ecd8b

SHA256
4742fa98cc5c9dbc3f8c2658dd25d7138963201eb6367109f245316458304ce4

SHA512
0f12d637b41eebaa3458d6b51ee698e6c5c1b49c07a7211399d04c75fd30a6ea53ebd68380f1ee4325516d94693bc52e36a355dd2b18e082b71aafcf5237cc9f

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
3KB

MD5
067c24acbb376805dbc9de21fd0991fc

SHA1
a4a3c803f115169894f32bcc5d0610e6e4163c6e

SHA256
6a8c0a1802603ae9cb8d903853700bab5894e9a7ea661962f8d796866231a01c

SHA512
9a5f2300154b89cdda4d0547bd6e249715c64b86a0a9b21e7ab9dc41bb94323bcd8208fd23f259b451a330edbcff8d99b509403ef61a6c598dd1c11fc62fe8d7

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
3KB

MD5
67e219ada52fcec737d444eec6f9c236

SHA1
4a2ce1592b5f773f48335cffb3d101552f79e11f

SHA256
f4430329f86fad3abd1516ed7c5d328d274687dea1a38ec795f18bf99af42be7

SHA512
261276db51c06d2ce16ad8f836e8cc02c8f0706452648c52e0eb1b6efe13656e759a958b95da8ff28e4a41dae00124efbc20294cfbb19931af6e9bb66bec9cfd

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
b3d8ac5be09e763f092c85d99106aaf5

SHA1
d00f069c283c9dc6a7a448e831ea61f12dcc1f42

SHA256
fb04f0c7756ebc8bcf9e16cb1b0c765fe69151dece74deed1d18e8dada5e0928

SHA512
6cb105bd3579b5b61d3793c73505bc90059c2f02b0e6072c4302e229522d12c1eb04e2bae6cca320d62f96e10173c4f2cfc09bc9c07a6cbc35218e280a512829

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
7KB

MD5
2f2f28b79b0a30fc201ff5dae8b793ce

SHA1
862c69a2a642f7720570316bcdc9bc114b66dc67

SHA256
40efe198cda6c65f4ee9a931d59ef42c32c3d17e5d64230e1a978511710faa09

SHA512
d7d4745ccdbc0232832b5ca6aa95c7af3939469cffdd2b612c2efc3c797c2d6a30d822d38937120a0e4d305751cacaa568c52fb366f095deae819c1746ca7eb3

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
7KB

MD5
d864a39988a645a6349b8c4a0926a840

SHA1
ade38230bc891547439dccc124aba3e0cbd730af

SHA256
ca8522e053c72943c561ddf7c71cb0ac7835348686456011310983a63998a4ed

SHA512
d8dc83c7e6292b582ba0b7091b3b06d376f9c755b798e24e05b7ad02e3575f130634fca22a38aed0992bff52d2f6a40b375b2d5a0f50e6ef9ec04bb81e052c7a

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
78ab5062248f99034742b2c2d6ad91db

SHA1
a91101b232e4fc6ce59295f0ec0b54bd6ba3690c

SHA256
5d43cf537a43819b9cfaa5819fed530fa06c0c92ad777c2cb6a807cbd3a8caca

SHA512
4303cd9ba610380ad67f093ab41fa3c21b50a3da811d7b8beb0c46669249a435f52eb73a153be7c8ccd6384f1b5325824d1cbe8c02b13cc8260bf8ec11b369a1

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
ecf9c014a370e5d0cb84d0ae8b6b62b4

SHA1
84256c032356ce23de700ec0ec37b269b3901a18

SHA256
e8d1b344cce5b4048d330a593e9b87596ace2c3b398326efc5c3cb9b429f729b

SHA512
b50ba6c75a60e85ca0af81c8743ed964038b1e1b3e2de5f125e482cff3a25c1cd10bc9813b0e7c461be2dcbf6793ed0b0541066b7ad755217a731ca817407c40

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
06faa38356af14fd2a1d63da4ce0e95b

SHA1
7cf74ab93fa8e012e677bdc31ae93cf746b1b756

SHA256
4335a35f213c8c8cf21deac50f836bdb7ff75c3099ed211ae6f40f1300361c40

SHA512
65af91044058918d3253c01a99fa13ff346aa9c01a6957763c085f61847175c44a7d478316cbde80200f70cc4ca074cd8aa96fa2dfc52bf9d8440dc2ae435a5c

Download Submit
memory/2020-10-0x0000000000E80000-0x00000000025C9000-memory.dmp

Filesize
23.3MB

Download
memory/2020-229-0x0000000000E80000-0x00000000025C9000-memory.dmp

Filesize
23.3MB

Download
memory/3204-0-0x0000000000E84000-0x00000000020BA000-memory.dmp

Filesize
18.2MB

Download
memory/3204-9-0x0000000000E80000-0x00000000025C9000-memory.dmp

Filesize
23.3MB

Download
memory/3204-1-0x0000000000E80000-0x00000000025C9000-memory.dmp

Filesize
23.3MB

Download
memory/3204-228-0x0000000000E80000-0x00000000025C9000-memory.dmp

Filesize
23.3MB

Download
memory/3204-231-0x0000000000E84000-0x00000000020BA000-memory.dmp

Filesize
18.2MB

Download
memory/4956-11-0x0000000000E80000-0x00000000025C9000-memory.dmp

Filesize
23.3MB

Download
memory/4956-230-0x0000000000E80000-0x00000000025C9000-memory.dmp

Filesize
23.3MB

Download