7b9a0fd990959dfd15a879bbffd13d4959b9bdeecf6831b91b8ac02d72e9bba5

Analysis

max time kernel
143s
max time network
154s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
02-08-2024 21:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Spoof Instructions/Toolz/AnyDesk.exe
Size

5.1MB
MD5

aee6801792d67607f228be8cec8291f9
SHA1

bf6ba727ff14ca2fddf619f292d56db9d9088066
SHA256

1cdafbe519f60aaadb4a92e266fff709129f86f0c9ee595c45499c66092e0499
SHA512

09d9fc8702ab6fa4fc9323c37bc970b8a7dd180293b0dbf337de726476b0b9515a4f383fa294ba084eccf0698d1e3cb5a39d0ff9ea3ba40c8a56acafce3add4f
SSDEEP

98304:G5WW6KEdJxfpDVOMdq2668yIv1//nvkYCRThGXBJdicotUgwoAo5beyjF:y3vEbxfjf4Y8yofvktkLdurH5iyR

Score

5^/10

discovery

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Control Panel\International\Geo\Nation	AnyDesk.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Control Panel\International\Geo\Nation	AnyDesk.exe

Loads dropped DLL 2 IoCs

pid	Process
2504	AnyDesk.exe
2680	AnyDesk.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AnyDesk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AnyDesk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AnyDesk.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AnyDesk.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	AnyDesk.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2680	AnyDesk.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
2504	AnyDesk.exe
2504	AnyDesk.exe
2504	AnyDesk.exe

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
2504	AnyDesk.exe
2504	AnyDesk.exe
2504	AnyDesk.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2372 wrote to memory of 2680	2372	AnyDesk.exe	30
PID 2372 wrote to memory of 2680	2372	AnyDesk.exe	30
PID 2372 wrote to memory of 2680	2372	AnyDesk.exe	30
PID 2372 wrote to memory of 2680	2372	AnyDesk.exe	30
PID 2372 wrote to memory of 2504	2372	AnyDesk.exe	31
PID 2372 wrote to memory of 2504	2372	AnyDesk.exe	31
PID 2372 wrote to memory of 2504	2372	AnyDesk.exe	31
PID 2372 wrote to memory of 2504	2372	AnyDesk.exe	31

C:\Users\Admin\AppData\Local\Temp\Spoof Instructions\Toolz\AnyDesk.exe
"C:\Users\Admin\AppData\Local\Temp\Spoof Instructions\Toolz\AnyDesk.exe"
1⤵
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Suspicious use of WriteProcessMemory
PID:2372
- C:\Users\Admin\AppData\Local\Temp\Spoof Instructions\Toolz\AnyDesk.exe
  "C:\Users\Admin\AppData\Local\Temp\Spoof Instructions\Toolz\AnyDesk.exe" --local-service
  2⤵
  - Checks computer location settings
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2680
- C:\Users\Admin\AppData\Local\Temp\Spoof Instructions\Toolz\AnyDesk.exe
  "C:\Users\Admin\AppData\Local\Temp\Spoof Instructions\Toolz\AnyDesk.exe" --local-control
  2⤵
  - Checks computer location settings
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:2504

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace

Filesize
7KB

MD5
3ea82783cdbfff8f0a561a970907b42b

SHA1
fe6f29c0dd0ce8f8e6334cfff2babcc30054b1dd

SHA256
13a1dda24fc60d39963b4e6399305642561144075d78c58c962a59ae6943ae10

SHA512
212548648d3bdea6cd82e5acb8ec018825a696ddc71708ba8594df7d06f2ff91039d006358626f5b475ad935bafd46c2963c6e0c69d8a4ea2d5b558b2431e002

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace

Filesize
13KB

MD5
be74cac8ac336134f8cb2cba5223e9a1

SHA1
ab4c7bdefa3780d8a34ef4f6036c93cdd21966a9

SHA256
7b66233eb1c924ad937217c9c0110f59b749292cfd1b40da84dc6d25e0371986

SHA512
7dbcf3371830d627ec82ff28ef6cbd4bf77721d7f3209ee12aa92aeebba40717891b178493e4bd81e5c60b0ee650f4e23be384737375653c41f35c589d4540e3

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\service.conf

Filesize
2KB

MD5
3de86fb816e9f8b5811f7f25f4314e86

SHA1
daecbe1bbe9d99a60f55e87f74c2317fc5108e3e

SHA256
bd75032465ba41162082fcdbd536d884d61803838d43cdc7dd1dd4c754724efc

SHA512
91357da14be943dadf1f1d566c8cbec3790b7a48deab1b4bff80fe0c7729f153060b0cea09f396035004597b65900e31fd1ebcde79189846307039dd6578cf68

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\service.conf

Filesize
2KB

MD5
e8fe87b96ee4dcff22e950854d90acf7

SHA1
cb3bd589d102bab00f8a5d42933a760b33e660ac

SHA256
5508fd0913ac9e8d632e78d956c73626c097b968ba7128a40fa8be5a862b2aaa

SHA512
d84fa1e28ccee6fe9c48671d5b589b890c78ff9f2e7ca9cc43ceac0475af7e3d96e8bf6e8030262cc132a4bb4addc61ba0d6d16f876058e880d0dab69840e9d7

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
701B

MD5
5c11556b56b1d5ad3d169ac0a1c154b6

SHA1
d3d9fc023cb2c74af007209b613589b620a0f879

SHA256
5250805add4a382e958bd00050edb1374ed5baaa6308a51e86d969492da3daea

SHA512
747845bc6f7755c32a9f0cdc335b58f9dd733768f81eb6a743854fb77bbdd4563402dc989db37ad08b3cc83392adfc884d02261d68b1b06b5aceb0e5e3dfeb4c

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
758B

MD5
be7f067df0c90d437410603d24dcf3fc

SHA1
eb333b02fd7d00bb8115a37ec5141c29b92c1668

SHA256
f54e0cd89324a1d6710306689afdc6588c3ff5d4596c6ca3b939e8b550811227

SHA512
4b4b41bf48dc83313cdb258378dbf15abef2669b58990356a83d74e55d872b48ea45edc882cb31b7041bc38bbe783312a08bbdbd33f81196c153c018141af2d2

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
424B

MD5
75d2c5db1c85be4730f7db0b173cce10

SHA1
7c7623a808e22e2597de86f628dce7d5049be469

SHA256
925c142a1d6fdd6d9016a90ebd8e3c6abe2c7552601f6fc8eba322da8a757d5b

SHA512
3fb9775de7144328fafa076a95389ebb93ced5b3224247e60c8034cc708bada327b854f3c5a25afca81f957ac6c47755cf1beba86133792eefe564cdaa7c68dd

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
2KB

MD5
a540f72265c5601fdea4a76bf604b9d1

SHA1
d7846983bc1318d61f38574a15b72e01db4f0a24

SHA256
0b229192b78a3d284a5fb9546fb22d67bbedef4ae0e6b8aee11567b08285e03c

SHA512
59c6a463c30e57f993571fde374db0bd1c6cdd12d13cc16534bb756f4d0ca4bae83a9fe9178811df65b49a2494fa1f7ec981d5a7eb4e1d145449dc36de64cf82

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
2KB

MD5
0db17e22e106f0cc4b909436212bb388

SHA1
20496d21e5f7e04f8ee4cbcaa59764df45c69475

SHA256
a9d4ef3724300dbd2df6dfaad98cac04f027666df4b159534f6be721a8bdb70b

SHA512
0009e87b101b7eef9af4fa6d3d0c89f0410ed168450b1035dd36affc79c9390cb2c8d45f6c0e5a9666fbc188308a4d8e40afe96bde29feb9be82af0ee961fde0

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
3KB

MD5
b6b9bc766e4eb945aaa4bd56869c5fb3

SHA1
6ff95fc278d0ee0210d0805371ff49d8bad1cef6

SHA256
57e8fec63fab0c9a23f36621873c6cc379d5bec6419abe1bbbbb11ba9b3074d3

SHA512
8beca23481d159bf98f892defe5cd5f71ceff76f6de755462df861d4a344ae1b788de894950442e380b8761fba334e570a5d0f8b30b3edeaf7e52282d54af04b

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
3KB

MD5
9cb2bdaeb4057dade8e8e60bac77fe27

SHA1
6a23e667b7211ba7a6a62a732c946450b0600d91

SHA256
d139c84fcef8dd65afadd4f9efd06ab3c5b1e8c82ad3dcf7ece0c51cf4c4bb0f

SHA512
a3198a59ea11262e6bf409484dcd355e94de3d1f7d9740285e46180893426111d60bd94d7ec5b084a8294cea0ff63ee083b19396d0ca167586f8c6251da9f9a0

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
3KB

MD5
d86b301166cd3fbdfac6d8251f645aea

SHA1
d3bbfafeae1acbd9fe0879d590dd68dee7a92ef5

SHA256
4802e107cc86674fc0d09b3fc9bd6900b30dff7edfb3eaa9c98836f24b12fa92

SHA512
733e3ec6a183433def6646e526c3903b8cb846dafdcde6729c58238602e91a9cd42122787657fa0497a1ed229ad9fa9486facf6dd17f163e03ef9dc997120991

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
7KB

MD5
da346f8e91faf138fd4539e7a252186d

SHA1
923101209b9d0364634818497da32e1a670a0cb5

SHA256
1a89d34f0d0b14235f258248ab001e89faeab4c7bc4b988bb19825a6bb9489e4

SHA512
974e9934fcd15d0c19c96d681ad275126dc233aa1a492a760885f7abed280ca554542535591b32c8511928cd358ae6f90b39a30b7830089af8864b4ef7fa3018

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
6KB

MD5
4457d9fecc364ea33892fda55db73b01

SHA1
c6416f3fd734e886415c5e1d1e852398c74637f5

SHA256
4aac7e3b98b574b163699d0d2062f6333c27ac40ddc2602f16c014dc84ef704e

SHA512
f4be58bcc17b09728a4c171842d12203d4f3fd5c5cddb5e7a494322844b902adc90f1ac06b9c9055068a4a5688eff2be7152f2fd6e75dd3fd17b4a7942c02f2c

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
4a549c2accc3e1deded3e16f9c0fda98

SHA1
7028fc4c0be0a058345a8282dc3592fa7d3c3cce

SHA256
0fab7504b88bebb1616d6f77e1a57d796df293d47e31b9881579856625a1ea0b

SHA512
da80d77dda99a5f595667c86f15dda4b7f7149513802c5cd3b833bbc205dabc1f16dc37306a37152136b5cc67b904e11880b0c1230b6034e20639e0cfce5edb1

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
45fcd7ba30f55f1a91fc817a49606ad1

SHA1
f20ac4e6da0ae49bee9088c86f19470f3ac04614

SHA256
ca7080ff28457db3e5eb154a9b0ec3b84a44814069e6a04fa908da668ffcc49e

SHA512
b131832541b520447bbc42c9360ecc4031bce2e50b498015620ec327a5b21ec4865050e002d03adb64e376c873ffc2d98715c16477ce800b7e30d3b11323142f

Download Submit
memory/2372-1-0x00000000008D0000-0x0000000002019000-memory.dmp

Filesize
23.3MB

Download
memory/2372-9-0x00000000008D0000-0x0000000002019000-memory.dmp

Filesize
23.3MB

Download
memory/2372-2-0x00000000008D4000-0x0000000001B0A000-memory.dmp

Filesize
18.2MB

Download
memory/2372-239-0x00000000008D0000-0x0000000002019000-memory.dmp

Filesize
23.3MB

Download
memory/2372-245-0x00000000008D4000-0x0000000001B0A000-memory.dmp

Filesize
18.2MB

Download
memory/2504-12-0x00000000008D0000-0x0000000002019000-memory.dmp

Filesize
23.3MB

Download
memory/2504-241-0x00000000008D0000-0x0000000002019000-memory.dmp

Filesize
23.3MB

Download
memory/2680-10-0x00000000008D0000-0x0000000002019000-memory.dmp

Filesize
23.3MB

Download
memory/2680-240-0x00000000008D0000-0x0000000002019000-memory.dmp

Filesize
23.3MB

Download