1cdafbe519f60aaadb4a92e266fff709129f86f0c9ee595c45499c66092e0499

Resubmissions

18-02-2025 10:22

250218-md9krszkhm 6

17-02-2025 23:11

17-02-2025 22:39

17-02-2025 10:36

16-02-2025 19:11

16-02-2025 19:09

13-02-2025 11:50

08-02-2025 16:12

Analysis

max time kernel
892s
max time network
900s
platform
windows10-ltsc 2021_x64
resource
win10ltsc2021-20250128-en
resource tags

arch:x64arch:x86image:win10ltsc2021-20250128-enlocale:en-usos:windows10-ltsc 2021-x64system
submitted
06-02-2025 21:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

AnyDesk.exe
Size

5.1MB
MD5

aee6801792d67607f228be8cec8291f9
SHA1

bf6ba727ff14ca2fddf619f292d56db9d9088066
SHA256

1cdafbe519f60aaadb4a92e266fff709129f86f0c9ee595c45499c66092e0499
SHA512

09d9fc8702ab6fa4fc9323c37bc970b8a7dd180293b0dbf337de726476b0b9515a4f383fa294ba084eccf0698d1e3cb5a39d0ff9ea3ba40c8a56acafce3add4f
SSDEEP

98304:G5WW6KEdJxfpDVOMdq2668yIv1//nvkYCRThGXBJdicotUgwoAo5beyjF:y3vEbxfjf4Y8yofvktkLdurH5iyR

Score

3^/10

discovery

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AnyDesk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AnyDesk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AnyDesk.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	AnyDesk.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AnyDesk.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4672	AnyDesk.exe
4672	AnyDesk.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
4380	AnyDesk.exe
4380	AnyDesk.exe
4380	AnyDesk.exe

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
4380	AnyDesk.exe
4380	AnyDesk.exe
4380	AnyDesk.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1088 wrote to memory of 4672	1088	AnyDesk.exe	84
PID 1088 wrote to memory of 4672	1088	AnyDesk.exe	84
PID 1088 wrote to memory of 4672	1088	AnyDesk.exe	84
PID 1088 wrote to memory of 4380	1088	AnyDesk.exe	85
PID 1088 wrote to memory of 4380	1088	AnyDesk.exe	85
PID 1088 wrote to memory of 4380	1088	AnyDesk.exe	85

C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
"C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe"
1⤵
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Suspicious use of WriteProcessMemory
PID:1088
- C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
  "C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe" --local-service
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:4672
- C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
  "C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe" --local-control
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:4380

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\gcapi.dll

Filesize
385KB

MD5
1ce7d5a1566c8c449d0f6772a8c27900

SHA1
60854185f6338e1bfc7497fd41aa44c5c00d8f85

SHA256
73170761d6776c0debacfbbc61b6988cb8270a20174bf5c049768a264bb8ffaf

SHA512
7e3411be8614170ae91db1626c452997dc6db663d79130872a124af982ee1d457cefba00abd7f5269adce3052403be31238aecc3934c7379d224cb792d519753

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace

Filesize
6KB

MD5
960435f28dd409af8f86c73498657674

SHA1
774ab9bbadc0d6e2028a02111678322843ec0b32

SHA256
94bc845d0636bd310a787e9cedbc7dd273e55880cc4b9240228d401dad066b33

SHA512
a80eba88b36864ae7d2c67c906daa7f3da9082ebd30b0f3b7e78d37c59853163a7e2b253a316d3fd6a5f22caeb9f8d919209dac6216ed1fc5607fe6df5357a39

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace

Filesize
9KB

MD5
5a29cff01eac90726c5d54d2f62b6861

SHA1
cc46d5c7d117d9f9196ee6cef9c14d01bcfc7e6c

SHA256
2003acd5f7f7f21c487307a841d20eda7119a29c00ff09acbbce3b5bea548ef5

SHA512
1db2e1f980cfb546e4cd93c2dab5a47813beda24e1a5e1c52a826e175a5a486903c9132d90216fac071ba68186d73b2cea323201d77283bfb1bfa73a19355d24

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\service.conf

Filesize
2KB

MD5
61ce1b6d5bbb87a5214c397b79436698

SHA1
945aa32f06555e15cbd52b6601dc6c419ae77116

SHA256
69f7ce3aded55b4755c90c28b90a291d1e833ea56237c1ccd7605e3b38ef6958

SHA512
71fe898c9963b76d7ad89f995213d4d45e7e807ff95503394116dd123f52cf34de46f93e654376f978f2b0ac171802b9881e9cc0d82480103bcc1eb6b73596a3

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\service.conf

Filesize
2KB

MD5
319f44eaa979f291c364fc167cd43351

SHA1
0484ae0387fc8f4c82a4e2d0de5ce551ec56b42e

SHA256
b7ea46ff522702ffd55ad1aac9792a4b3f0a6216a2b9a7a9200446570bbada9c

SHA512
67f4ae7e6841a01d1a10099519a59a05296a31519963da69fdbe193c4e000713ea4de80d6e6aa8e1079c776e781ae1605e145ef843e321d6e61ada19b2d43538

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
701B

MD5
b146c91155d89083b263d0d586568ed7

SHA1
053adf97baaf2afb3f3214f19a48ee7f27630789

SHA256
48392a4c5a4002f266ea39af0b4e7ace5cc7e91266fa2372574889798426bf90

SHA512
104fefbc7ca668619941603aade202a1591040a7594d602046a6912fb2e4d80a38ecf40b7bbbaa1b109f829a48580756cd7f7df0a65cd2bb9a89fc39289d7b29

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
758B

MD5
11df1b0f83cb5f6b51b04096faea46ed

SHA1
3024be6732a7a90eb8831827fba7aaa299a11fcb

SHA256
5f144936615a5b781d2dab8367ec0b81270a99b98d7a37f1985283270639dede

SHA512
9e6879a4ded79cce116599fec48080fde4289f5d9e3923c5bdf9a35edd70afd295acd1c5d3175bd678362e2bce86c2426408bcae257edba6162c284771a01200

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
312B

MD5
0c04ad1083dc5c7c45e3ee2cd344ae38

SHA1
f1cf190f8ca93000e56d49732e9e827e2554c46f

SHA256
6452273c017db7cbe0ffc5b109bbf3f8d3282fb91bfa3c5eabc4fb8f1fc98cb0

SHA512
6c414b39bbc1f1f08446c6c6da6f6e1ceb9303bbf183ae279c872d91641ea8d67ec5e5c4e0824da3837eca73ec29fe70e92b72c09458c8ce50fa6f08791d1492

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
424B

MD5
6c2d75c88aaec37e674206ca0f5b2617

SHA1
c2112d87039782eb88c02c1fc47ee042f613b765

SHA256
c245761a9ebe4cc38790b0212fd01c861c71fb3f88bd9d8e50b4d80f6f961f99

SHA512
1751ebc6a068a8f034b79653eeab80e77ac2385120aaeccb49b2b9e8d6e336512b84e9b25075cfabcbcd4f2280f395da6139faa81487d09bcc23dfae331ce03c

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
2KB

MD5
24d06eb90f2de4fd3d5f63d12ae8f255

SHA1
6d229c231972df782c4ca194084dc805c969af31

SHA256
03eb8dca1ac7ead9f3ff50ea06ad5f488b7a88c405367da8177434ddcab7b6cc

SHA512
5b0c937977d25000ced7e3108b4b2ed2b93dfdc1c0259bc50ef395ef3456d86fa1d6213e1d850bd9b72b551a0b9e6551db84f41455f464d8246a03c555cc1af1

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
6KB

MD5
cc09fdcf4b84ab328ddadc8098f56a01

SHA1
746f77584d58b03a3632b3b654d95a07cbea10fa

SHA256
d06465fe922b2249c64e81db085b8b68db606cbcbfad2c1ab67385388b8d14c0

SHA512
91b4dd8365c7db884c425a3072fe6f4fc4159a1ba7e05354c719b45a325b6b2fedd2f41ce1d0ff43f30c9e08ecbb1998470f9aac553b1b014ded8094a2546396

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
6KB

MD5
22906462868b728d7d3495beedc47057

SHA1
e6bd7e80e31be147a3426498a26b6711842f6c6b

SHA256
7df945c3569a6f58081c08abccfb385d954eb68a3a365f6c3e46d8682effa6ef

SHA512
03e12783e1fb9f198b3f1361f6e6b6ed2999ddf99ca6f23d01d03ad0a880eceaa885905e79a6654ab62cabcc8af456bae1ccc0645db2653c72bfca81e48d734d

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
7KB

MD5
e579440a8f60650d3888ac654bdbc015

SHA1
1bb290408387ac1bcfc88cee65dc832374f7e1be

SHA256
05face670e7f9a35a4bb9ed8afd284865260182b9b872a89e125bb175a3f19fc

SHA512
b69f20ffaa322aa787a56df4250e5fa743b70e6aa5ed4647331eba5f41f4c58ae67d3ef116e7f3aa2b6e461ef8a0d54f958306d3d5b097446112fe658bccfc53

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
f8aa9a2a400bac9a5947707e9a5349e4

SHA1
a367ec320a8f0c704e1993e06ef4896af2f270bc

SHA256
08e16394b7599f30fa45f7ea6f1a4c24996732a71f97d5f08d97a63cb8e2e143

SHA512
4e965f58c0bf3fc46e48f9cdf252bf9c73eee8906431208cfbb339c4f993b0eca026e490a30b4e919ec09f1da0094effa7e582149f15cfb259963501230f2dbb

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
82baf53dc331d88cad23f71c23a7b294

SHA1
e1a65210717846d9a423bf366ec3090d437b7b2c

SHA256
895246a4f40fb9413e5b1d57f97ab66ff544ec290febcabfd82df49cd9ba0d3c

SHA512
2392971bdd1f6919a27aa10fe50cb6c68324de4d9f24676e39c27a45ee18aa2234d0978563e26049bf6686f343a4a70561c1d487f0ebf8c2a3477fb1286ca53a

Download Submit
memory/1088-219-0x0000000000530000-0x0000000001C79000-memory.dmp

Filesize
23.3MB

Download
memory/1088-7-0x0000000000530000-0x0000000001C79000-memory.dmp

Filesize
23.3MB

Download
memory/1088-1-0x0000000000530000-0x0000000001C79000-memory.dmp

Filesize
23.3MB

Download
memory/1088-0-0x0000000000534000-0x000000000176A000-memory.dmp

Filesize
18.2MB

Download
memory/1088-220-0x0000000000534000-0x000000000176A000-memory.dmp

Filesize
18.2MB

Download
memory/4380-11-0x0000000000530000-0x0000000001C79000-memory.dmp

Filesize
23.3MB

Download
memory/4380-222-0x0000000000530000-0x0000000001C79000-memory.dmp

Filesize
23.3MB

Download
memory/4672-10-0x0000000000530000-0x0000000001C79000-memory.dmp

Filesize
23.3MB

Download
memory/4672-20-0x0000000000530000-0x0000000001C79000-memory.dmp

Filesize
23.3MB

Download
memory/4672-221-0x0000000000530000-0x0000000001C79000-memory.dmp

Filesize
23.3MB

Download