afaa9723657248822943f8b20370a0b62fc95f34649711327a2ed3cfda8d9e27

General

Target

AnyDesk.exe
Size

2.0MB
MD5

81ba28925fcf013d871e0650f3124214
SHA1

c7f8d2d80040bee563f9151d86e06dd6d1547966
SHA256

afaa9723657248822943f8b20370a0b62fc95f34649711327a2ed3cfda8d9e27
SHA512

daca4b670dfd693afc66d447b7bbfca4eb5ed83be5d571284185e690d00f505b97e509897105dbac5b9cfab1afb0d9ac95067587ef3c23f1f5c3f1c6227f2e72
SSDEEP

49152:hF5ac2fepZgOfTJ6e8AQohGDsxp6RtaaG/tbPFnwr6y:T5anfebgOf96RiGIv6WHbNy

Score

3^/10

discovery

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AnyDesk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AnyDesk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AnyDesk.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AnyDesk.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	AnyDesk.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2220	AnyDesk.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
1712	AnyDesk.exe
1712	AnyDesk.exe
1712	AnyDesk.exe

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
1712	AnyDesk.exe
1712	AnyDesk.exe
1712	AnyDesk.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2396 wrote to memory of 2220	2396	AnyDesk.exe	30
PID 2396 wrote to memory of 2220	2396	AnyDesk.exe	30
PID 2396 wrote to memory of 2220	2396	AnyDesk.exe	30
PID 2396 wrote to memory of 2220	2396	AnyDesk.exe	30
PID 2396 wrote to memory of 1712	2396	AnyDesk.exe	31
PID 2396 wrote to memory of 1712	2396	AnyDesk.exe	31
PID 2396 wrote to memory of 1712	2396	AnyDesk.exe	31
PID 2396 wrote to memory of 1712	2396	AnyDesk.exe	31

C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
"C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe"
1⤵
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Suspicious use of WriteProcessMemory
PID:2396
- C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
  "C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe" --local-service
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2220
- C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
  "C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe" --local-control
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:1712

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace

Filesize
5KB

MD5
20b5c18831baa7d8e8807f238e457fbc

SHA1
ca8bd4ee167d39db180d1ab7d5ddca7c6c2e164b

SHA256
ab497b7784ec867af02b73e16c78df96491ca235cc36a9cf23bbc7072f4e966e

SHA512
5ebd15d602fb675fba3ab1e4f8d79d008b0b51871d73c18e752fbf8ad03a3f65ba42c21d345323457e9c85d9616d9e412dcd19bc23a08154a4ecbbf887c0430a

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\service.conf

Filesize
2KB

MD5
f191e1a2e21f4579447d08030faeecbd

SHA1
f362dbde3db7eafe98218d239f08003d678f580c

SHA256
7dbb08ddfb12b2c7fd6bbc4b7f4cdb6444e8099fdf3542d4cb43a00b8256574a

SHA512
faed767bd59257fb1b1cb07560d480b16b6365b5be220bd0fe6592268d0ce0146ed2c0223aa4b76e21f4b24b2332203c1cf2d44cd2f8daf537d19b4d98d2ea3c

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
105B

MD5
b3e49bc7956dcaf22cddc5a4109e690e

SHA1
a0f54e3ddd4dff9a90c9fe0e666e3f4cfd858ac8

SHA256
ddc88641d9168493bb7bca3f062e3b57616b67bd2033c4297573050963d2b537

SHA512
709ae68c2035ee18042ba551de135c32bfded68824e8f5e480e160c26293ac323a613afaffc3e0740ddbbb8367b1f636b4b2ab803bf765a06a120a63fb5d63cd

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
113B

MD5
8c36f3b78ccf67961b42ba08fbac7539

SHA1
7e5cba105ee800bbb7ab4bf6daf49e43e30806ef

SHA256
3898294f3e18d005611fd116b50a58b478d37598e40c834ee48e2ca14e8217d9

SHA512
14467726dd38ffb08ffdb60cceee48adb9848f529c52cb8d1974e0dab72536798c5357831c523f5cde5eb61648b512f93b51130bb6c05513bb0b9097640f65a7

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
107B

MD5
f25e48e1d9e1e1398bc5fbc6885570b8

SHA1
46557c8ebb9236af6c28c9bdd317d1d25749e710

SHA256
0379e6a5dff30a991e0acdb9932cac828eb3e30ca8cc23447a2bc73ae78181db

SHA512
41e61480f5141b6950d7b96f3e4dfcca19bc480e0b11eeebdedaeb266c6e525f41f3d29a3c1c0bf8f17a3c30111d8fba7e269d5fcf84b336bee916e21881acb7

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
132B

MD5
123c524682c9ff72ec7924efdb41b28c

SHA1
1e696d9f3e2bf149773186496c7ab9d5df35f9dd

SHA256
e67a68c5e7fa7d227a2fbdd50789472dbbf58471664b1d9b776a579de2757ff6

SHA512
676e5e2c4ff76b1942c1013a7ee9cd88b42424798e07c699c0cb534575bf4f6908366fe9c9a7e17d81e3f2209bf3fd7dd31463cdab5eea5d19475c10c00f696b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\75fdacd8330bac18.customDestinations-ms

Filesize
3KB

MD5
7ffb5c69d3fae408f879cd0bf28f6e54

SHA1
53e97663877796bd845d9f5e1f39c2122fefcebc

SHA256
afc29135cd73b668089ef81a3bff25635a76837f28636bb479eabc694364d393

SHA512
6f4601e01abdd73f6a03df8a23442a21bdc09504c013d394d661e6c2217484d18a6e69a0516b1a2c4d3034a840990dfcde8f835c2f68329cdb027bb8f57938d2

Download Submit
memory/1712-24-0x00000000009F0000-0x000000000129D000-memory.dmp

Filesize
8.7MB

Download
memory/1712-98-0x00000000009F0000-0x000000000129D000-memory.dmp

Filesize
8.7MB

Download
memory/2220-22-0x00000000009F0000-0x000000000129D000-memory.dmp

Filesize
8.7MB

Download
memory/2220-97-0x00000000009F0000-0x000000000129D000-memory.dmp

Filesize
8.7MB

Download
memory/2220-110-0x00000000009F0000-0x000000000129D000-memory.dmp

Filesize
8.7MB

Download
memory/2396-2-0x00000000009F4000-0x0000000001099000-memory.dmp

Filesize
6.6MB

Download
memory/2396-3-0x00000000009F0000-0x000000000129D000-memory.dmp

Filesize
8.7MB

Download
memory/2396-0-0x00000000009F0000-0x000000000129D000-memory.dmp

Filesize
8.7MB

Download
memory/2396-92-0x00000000009F4000-0x0000000001099000-memory.dmp

Filesize
6.6MB

Download
memory/2396-94-0x00000000009F0000-0x000000000129D000-memory.dmp

Filesize
8.7MB

Download

Analysis

Sharing