afaa9723657248822943f8b20370a0b62fc95f34649711327a2ed3cfda8d9e27

General

Target

AnyDesk.exe
Size

2.0MB
MD5

81ba28925fcf013d871e0650f3124214
SHA1

c7f8d2d80040bee563f9151d86e06dd6d1547966
SHA256

afaa9723657248822943f8b20370a0b62fc95f34649711327a2ed3cfda8d9e27
SHA512

daca4b670dfd693afc66d447b7bbfca4eb5ed83be5d571284185e690d00f505b97e509897105dbac5b9cfab1afb0d9ac95067587ef3c23f1f5c3f1c6227f2e72
SSDEEP

49152:hF5ac2fepZgOfTJ6e8AQohGDsxp6RtaaG/tbPFnwr6y:T5anfebgOf96RiGIv6WHbNy

Score

3^/10

discovery

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AnyDesk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AnyDesk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AnyDesk.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AnyDesk.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	AnyDesk.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1468	AnyDesk.exe
1468	AnyDesk.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
2316	AnyDesk.exe
2316	AnyDesk.exe
2316	AnyDesk.exe

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
2316	AnyDesk.exe
2316	AnyDesk.exe
2316	AnyDesk.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2888 wrote to memory of 1468	2888	AnyDesk.exe	86
PID 2888 wrote to memory of 1468	2888	AnyDesk.exe	86
PID 2888 wrote to memory of 1468	2888	AnyDesk.exe	86
PID 2888 wrote to memory of 2316	2888	AnyDesk.exe	87
PID 2888 wrote to memory of 2316	2888	AnyDesk.exe	87
PID 2888 wrote to memory of 2316	2888	AnyDesk.exe	87

C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
"C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe"
1⤵
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Suspicious use of WriteProcessMemory
PID:2888
- C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
  "C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe" --local-service
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:1468
- C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
  "C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe" --local-control
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:2316

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace

Filesize
6KB

MD5
4984cc1d28c5d6b4c7f36b322209bb3b

SHA1
9bdb5e1f96305d9e3e2a4505c0b7a5dd90fc8a60

SHA256
11560038b1fd39f32fd6b66179e1604b7cd2d1cbdec1f93d9f3674a0af039a06

SHA512
0a8bee165105bdba6dd93a78474707c3be65188850f578018e6c45f0088b85f1334197749d231ecab90412f0bc657f156d7024a26513d87de27e54a5dd7be4f3

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace

Filesize
7KB

MD5
b16b10f27e1e636790663b01f26d3993

SHA1
e329b16c44ca50b6911d79ea7dbdb4b07f6a2893

SHA256
fe7f7f25f31826cdd86bdbb53aa1d825d18bd7bbcd4109f1d0729afcbd87b7bf

SHA512
0b55e14f763749132c5fd262a2bbae23e8caacbeb33aac59d221a6b20718993f9d2302bec3a1bb3dac5f47d30b163264c6a27dbf320104ad62485a58705f03b7

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\service.conf

Filesize
2KB

MD5
f0cd45b9ea31821d4b4efeffcac0d424

SHA1
985ba038680d033c6aaa65a3f948b1cfedacc0de

SHA256
b257f38364088927c2db68b486275d0463aa63a2133549b330916f06d9fe68c7

SHA512
336b3dae5bb9189846f878dad58c0d067010b5213b2b0b741acc44a3275f6bf7de99e617ea9d9f0ef100d4a275b9e78bd6f99b5ef9577dd5c159b345dd78f000

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
105B

MD5
33bf6b41643c1e453d586dfe6ee462f0

SHA1
10c2c6da95720d5e426fc4913d2f17932e169ce8

SHA256
f3737929aa7df865063a91e8ddea6715fe74516def3c376305fed744e913d089

SHA512
bfc672898c53ea229ee27d1f1c325cbe414ef31aeca8df0d3c97d7b8af5bceb86977447e694f532e36ae47e19f1d6687072d5aacfdd4bbfd43b733d4561c73ce

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
113B

MD5
f054753820c47b41c8d97c756c8b545f

SHA1
611650be40ecdbdf3d1d823cbb2d2fad2629b5cc

SHA256
9109d7342f9433e7978f62662354a366c087d50630ce9b3d336c2dd49269af1a

SHA512
8ab27c1eadaf0f1bf6439bcc0acb2cba4197f323a7264c05728bf51f929828611fd29abde04d965bb31c00179ec787f4908c550696d256a7a9b203291e209a28

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
132B

MD5
123c524682c9ff72ec7924efdb41b28c

SHA1
1e696d9f3e2bf149773186496c7ab9d5df35f9dd

SHA256
e67a68c5e7fa7d227a2fbdd50789472dbbf58471664b1d9b776a579de2757ff6

SHA512
676e5e2c4ff76b1942c1013a7ee9cd88b42424798e07c699c0cb534575bf4f6908366fe9c9a7e17d81e3f2209bf3fd7dd31463cdab5eea5d19475c10c00f696b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\75fdacd8330bac18.customDestinations-ms

Filesize
3KB

MD5
b83a5363261df193e4a47de3bb59f8b3

SHA1
e1c8bdc147f38e25900c0524516082f7675a7728

SHA256
c90eae5ea13992a60e58fe690d8a6c75a2a5a12237494d3ba2883b54d7b7dd4e

SHA512
088db79a815cea8f95daa36b2fb13097e7723afe5392e1c943b3457ade466455dbfd336dc5662f2d06879400e89026e3c5b832b9d1e0355fe6b870ff65c0a223

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\75fdacd8330bac18.customDestinations-ms

Filesize
3KB

MD5
828fe88a66e0d28ced119db47b08f05a

SHA1
f2fe68cf714709906a327917e34f60548d4a838d

SHA256
3b9875f87bb4556028c34111c939daed769e96a89730f96d451afa4e66b08b87

SHA512
85be8d62b418b3d6e83242cf140e89d8e010e4862631e515233b7ff81b33818b32b2ee2e60a85a66c86327e113deaf50d8b3f221c0e18e7325a15d2a8b51707f

Download Submit
memory/1468-66-0x00000000000E0000-0x000000000098D000-memory.dmp

Filesize
8.7MB

Download
memory/1468-78-0x00000000000E0000-0x000000000098D000-memory.dmp

Filesize
8.7MB

Download
memory/1468-96-0x00000000000E0000-0x000000000098D000-memory.dmp

Filesize
8.7MB

Download
memory/1468-90-0x00000000000E0000-0x000000000098D000-memory.dmp

Filesize
8.7MB

Download
memory/1468-87-0x00000000000E0000-0x000000000098D000-memory.dmp

Filesize
8.7MB

Download
memory/1468-84-0x00000000000E0000-0x000000000098D000-memory.dmp

Filesize
8.7MB

Download
memory/1468-81-0x00000000000E0000-0x000000000098D000-memory.dmp

Filesize
8.7MB

Download
memory/1468-28-0x00000000000E0000-0x000000000098D000-memory.dmp

Filesize
8.7MB

Download
memory/1468-49-0x00000000000E0000-0x000000000098D000-memory.dmp

Filesize
8.7MB

Download
memory/1468-75-0x00000000000E0000-0x000000000098D000-memory.dmp

Filesize
8.7MB

Download
memory/1468-52-0x00000000000E0000-0x000000000098D000-memory.dmp

Filesize
8.7MB

Download
memory/1468-69-0x00000000000E0000-0x000000000098D000-memory.dmp

Filesize
8.7MB

Download
memory/1468-55-0x00000000000E0000-0x000000000098D000-memory.dmp

Filesize
8.7MB

Download
memory/1468-57-0x00000000000E0000-0x000000000098D000-memory.dmp

Filesize
8.7MB

Download
memory/1468-63-0x00000000000E0000-0x000000000098D000-memory.dmp

Filesize
8.7MB

Download
memory/2316-50-0x00000000000E0000-0x000000000098D000-memory.dmp

Filesize
8.7MB

Download
memory/2316-30-0x00000000000E0000-0x000000000098D000-memory.dmp

Filesize
8.7MB

Download
memory/2888-1-0x00000000000E0000-0x000000000098D000-memory.dmp

Filesize
8.7MB

Download
memory/2888-0-0x00000000000E4000-0x0000000000789000-memory.dmp

Filesize
6.6MB

Download
memory/2888-54-0x00000000000E4000-0x0000000000789000-memory.dmp

Filesize
6.6MB

Download
memory/2888-3-0x00000000000E0000-0x000000000098D000-memory.dmp

Filesize
8.7MB

Download
memory/2888-13-0x00000000000E0000-0x000000000098D000-memory.dmp

Filesize
8.7MB

Download
memory/2888-15-0x00000000000E0000-0x000000000098D000-memory.dmp

Filesize
8.7MB

Download
memory/2888-26-0x00000000000E0000-0x000000000098D000-memory.dmp

Filesize
8.7MB

Download
memory/2888-27-0x00000000000E0000-0x000000000098D000-memory.dmp

Filesize
8.7MB

Download

Analysis

Sharing