Analysis

Max time kernel: 24s
Max time network: 23s
Platform: windows7_x64
Resource: win7-20240903-en
Resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
Submitted: 12/09/2024, 13:51
Static task: static1

Behavioral task: behavioral1
Sample: AnyDesk.exe
Resource: win7-20240903-en

Behavioral task: behavioral2
Sample: AnyDesk.exe
Resource: win10v2004-20240802-en
General

Target: AnyDesk.exe
Size: 2.0MB
MD5: 81ba28925fcf013d871e0650f3124214
SHA1: c7f8d2d80040bee563f9151d86e06dd6d1547966
SHA256: afaa9723657248822943f8b20370a0b62fc95f34649711327a2ed3cfda8d9e27
SHA512: daca4b670dfd693afc66d447b7bbfca4eb5ed83be5d571284185e690d00f505b97e509897105dbac5b9cfab1afb0d9ac95067587ef3c23f1f5c3f1c6227f2e72
SSDEEP: 49152:hF5ac2fepZgOfTJ6e8AQohGDsxp6RtaaG/tbPFnwr6y:T5anfebgOf96RiGIv6WHbNy
Malware Config
Signatures

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  description   ioc                                                          Process
  Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  AnyDesk.exe
  Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  AnyDesk.exe
  Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  AnyDesk.exe

Checks processor information in registry (2 TTPs, 2 IoCs)
Processor information is often read in order to detect sandboxing environments.

  description        ioc                                                                              Process
  Key opened         \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0                  AnyDesk.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString  AnyDesk.exe

Suspicious behavior: EnumeratesProcesses (1 IoC)

  pid   Process
  2220  AnyDesk.exe

Suspicious use of FindShellTrayWindow (3 IoCs)

  pid   Process
  1712  AnyDesk.exe
  1712  AnyDesk.exe
  1712  AnyDesk.exe

Suspicious use of SendNotifyMessage (3 IoCs)

  pid   Process
  1712  AnyDesk.exe
  1712  AnyDesk.exe
  1712  AnyDesk.exe

Suspicious use of WriteProcessMemory (8 IoCs)

  description                     pid   Process      procid_target
  PID 2396 wrote to memory of 2220  2396  AnyDesk.exe  30
  PID 2396 wrote to memory of 2220  2396  AnyDesk.exe  30
  PID 2396 wrote to memory of 2220  2396  AnyDesk.exe  30
  PID 2396 wrote to memory of 2220  2396  AnyDesk.exe  30
  PID 2396 wrote to memory of 1712  2396  AnyDesk.exe  31
  PID 2396 wrote to memory of 1712  2396  AnyDesk.exe  31
  PID 2396 wrote to memory of 1712  2396  AnyDesk.exe  31
  PID 2396 wrote to memory of 1712  2396  AnyDesk.exe  31
Processes

C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe (PID 2396, depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe"
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe (PID 2220, depth 2)
    Command line: "C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe" --local-service
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses

  C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe (PID 1712, depth 2)
    Command line: "C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe" --local-control
    - System Location Discovery: System Language Discovery
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 5KB
MD5: 20b5c18831baa7d8e8807f238e457fbc
SHA1: ca8bd4ee167d39db180d1ab7d5ddca7c6c2e164b
SHA256: ab497b7784ec867af02b73e16c78df96491ca235cc36a9cf23bbc7072f4e966e
SHA512: 5ebd15d602fb675fba3ab1e4f8d79d008b0b51871d73c18e752fbf8ad03a3f65ba42c21d345323457e9c85d9616d9e412dcd19bc23a08154a4ecbbf887c0430a

Filesize: 2KB
MD5: f191e1a2e21f4579447d08030faeecbd
SHA1: f362dbde3db7eafe98218d239f08003d678f580c
SHA256: 7dbb08ddfb12b2c7fd6bbc4b7f4cdb6444e8099fdf3542d4cb43a00b8256574a
SHA512: faed767bd59257fb1b1cb07560d480b16b6365b5be220bd0fe6592268d0ce0146ed2c0223aa4b76e21f4b24b2332203c1cf2d44cd2f8daf537d19b4d98d2ea3c

Filesize: 105B
MD5: b3e49bc7956dcaf22cddc5a4109e690e
SHA1: a0f54e3ddd4dff9a90c9fe0e666e3f4cfd858ac8
SHA256: ddc88641d9168493bb7bca3f062e3b57616b67bd2033c4297573050963d2b537
SHA512: 709ae68c2035ee18042ba551de135c32bfded68824e8f5e480e160c26293ac323a613afaffc3e0740ddbbb8367b1f636b4b2ab803bf765a06a120a63fb5d63cd

Filesize: 113B
MD5: 8c36f3b78ccf67961b42ba08fbac7539
SHA1: 7e5cba105ee800bbb7ab4bf6daf49e43e30806ef
SHA256: 3898294f3e18d005611fd116b50a58b478d37598e40c834ee48e2ca14e8217d9
SHA512: 14467726dd38ffb08ffdb60cceee48adb9848f529c52cb8d1974e0dab72536798c5357831c523f5cde5eb61648b512f93b51130bb6c05513bb0b9097640f65a7

Filesize: 107B
MD5: f25e48e1d9e1e1398bc5fbc6885570b8
SHA1: 46557c8ebb9236af6c28c9bdd317d1d25749e710
SHA256: 0379e6a5dff30a991e0acdb9932cac828eb3e30ca8cc23447a2bc73ae78181db
SHA512: 41e61480f5141b6950d7b96f3e4dfcca19bc480e0b11eeebdedaeb266c6e525f41f3d29a3c1c0bf8f17a3c30111d8fba7e269d5fcf84b336bee916e21881acb7

Filesize: 132B
MD5: 123c524682c9ff72ec7924efdb41b28c
SHA1: 1e696d9f3e2bf149773186496c7ab9d5df35f9dd
SHA256: e67a68c5e7fa7d227a2fbdd50789472dbbf58471664b1d9b776a579de2757ff6
SHA512: 676e5e2c4ff76b1942c1013a7ee9cd88b42424798e07c699c0cb534575bf4f6908366fe9c9a7e17d81e3f2209bf3fd7dd31463cdab5eea5d19475c10c00f696b

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\75fdacd8330bac18.customDestinations-ms
Filesize: 3KB
MD5: 7ffb5c69d3fae408f879cd0bf28f6e54
SHA1: 53e97663877796bd845d9f5e1f39c2122fefcebc
SHA256: afc29135cd73b668089ef81a3bff25635a76837f28636bb479eabc694364d393
SHA512: 6f4601e01abdd73f6a03df8a23442a21bdc09504c013d394d661e6c2217484d18a6e69a0516b1a2c4d3034a840990dfcde8f835c2f68329cdb027bb8f57938d2