30663f0574cd075b83fe01ed7e639000029132536a493ed88cdc1f2f2c012890

Analysis

max time kernel
141s
max time network
149s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
04/10/2024, 01:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

VFS/Programs/AnyDesk.exe
Size

5.0MB
MD5

a21768190f3b9feae33aaef660cb7a83
SHA1

24780657328783ef50ae0964b23288e68841a421
SHA256

55e4ce3fe726043070ecd7de5a74b2459ea8bed19ef2a36ce7884b2ab0863047
SHA512

ca6da822072cb0d3797221e578780b19c8953e4207729a002a64a00ced134059c0ed21b02572c43924e4ba3930c0e88cd2cdb309259e3d0dcfb0c282f1832d62
SSDEEP

98304:NzTZ3cINQscs0m++LNkT6OpwDGUUH57yvZ/49Mr8EO3QhA9Kq:Nzt3cINQscNmvLCwDkHEvZ/4R79x

Score

5^/10

discovery

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Control Panel\International\Geo\Nation	AnyDesk.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Control Panel\International\Geo\Nation	AnyDesk.exe

Loads dropped DLL 2 IoCs

pid	Process
2088	AnyDesk.exe
3048	AnyDesk.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AnyDesk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AnyDesk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AnyDesk.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AnyDesk.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	AnyDesk.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
3048	AnyDesk.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
2088	AnyDesk.exe
2088	AnyDesk.exe
2088	AnyDesk.exe

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
2088	AnyDesk.exe
2088	AnyDesk.exe
2088	AnyDesk.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1996 wrote to memory of 3048	1996	AnyDesk.exe	28
PID 1996 wrote to memory of 3048	1996	AnyDesk.exe	28
PID 1996 wrote to memory of 3048	1996	AnyDesk.exe	28
PID 1996 wrote to memory of 3048	1996	AnyDesk.exe	28
PID 1996 wrote to memory of 2088	1996	AnyDesk.exe	29
PID 1996 wrote to memory of 2088	1996	AnyDesk.exe	29
PID 1996 wrote to memory of 2088	1996	AnyDesk.exe	29
PID 1996 wrote to memory of 2088	1996	AnyDesk.exe	29

C:\Users\Admin\AppData\Local\Temp\VFS\Programs\AnyDesk.exe
"C:\Users\Admin\AppData\Local\Temp\VFS\Programs\AnyDesk.exe"
1⤵
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Suspicious use of WriteProcessMemory
PID:1996
- C:\Users\Admin\AppData\Local\Temp\VFS\Programs\AnyDesk.exe
  "C:\Users\Admin\AppData\Local\Temp\VFS\Programs\AnyDesk.exe" --local-service
  2⤵
  - Checks computer location settings
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:3048
- C:\Users\Admin\AppData\Local\Temp\VFS\Programs\AnyDesk.exe
  "C:\Users\Admin\AppData\Local\Temp\VFS\Programs\AnyDesk.exe" --local-control
  2⤵
  - Checks computer location settings
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:2088

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace

Filesize
7KB

MD5
a48cb87ed304c57f9667f30ad4dd6d5a

SHA1
0af9d19e66ef124a1c0f13459492397abc408b40

SHA256
abb3270901f062d78d34713cc21fd7aadc8dc18fc7f4a338803b003256c69e9f

SHA512
4670ea61c4a3e2ce04fa41d91efc2c5adee805f2a6c0864e461d4c839437bae538cd811d0167f4fcac0805b536a6321b4434e61439b8d51f27fef04250c58776

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace

Filesize
9KB

MD5
7d44aea3bc78e74249615b85fec5f0a5

SHA1
b04b98c071bd47fb565bad2cecf99917080f6527

SHA256
da84cd9745708825f967d16ffa6b64f875ac0a519d5304dee23a1891f30ad8b9

SHA512
73c04223d83fcd1f6e84e343269ccabd88dc04c0923561db063a2001026d47adfb20aedc204f764f2681693ec0d28d50cf5c91be90c926cb8019da539dfb6d4f

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\service.conf

Filesize
2KB

MD5
7a9a004c30ed70121f2748f97df6fc9e

SHA1
baabc6093c2719c50a33285ad09fd22a59770eea

SHA256
e515cddda264ece7d2364da599aea17d20d917e12c19fe106fce0d5cc4a133af

SHA512
927fcd6d44da228a6b51be715f6e70fe1f4f68681fc2cc5ac22e94c9a595b16cb646dffcad637b7fa09de065b173e98377577e777b988e2eb6f986db4e6ccb45

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\service.conf

Filesize
2KB

MD5
245b39043813ec08970876602c250336

SHA1
aed11d003fb872cd362a1041712b86aea3a519b5

SHA256
813c3cf2d03249cbb7a3b367b5de8cc4fe8f180afd04a9479065b0d9811ae195

SHA512
39938d91efc46162f716d78e9cef71722040b09f302bb8635e2d7582dd81f8635b87dd79beb374b258eaec8c52ab925e9d7fe57d7bd9fc68a103e297dc0a69b4

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
681B

MD5
51f37bf0d935bc9a1fe3b91a5cf83b50

SHA1
b5fe7fd561935892a8c6b6a1f2d51477229b3e56

SHA256
73bff4ac2b6c8f22905cac90d83057e1a598987f921aa6cca039880f239a04a8

SHA512
0fab52de2cb686b917e8faf9ce7081deb3ba1379aa70b8ffce3066ce889a3e54745f446bda7524fcc02244168ab6bbf6082d33906dca949719b26056c362c732

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
738B

MD5
9b192d06727e4ae3dc7fc38a80fd2699

SHA1
2bd6015ab21f7a5a96a6eba0d5ad5868b182bb4f

SHA256
6584b521ef5c7bb21a2a2c7d08b525c261640c37d09a2e7e40cf47981652ba05

SHA512
7223b5b0350b57d090460180e18327a569801c612b6a490b95ea0e437930d8c7918009358c299e813c8d65c33ea947b5717c54ab435d67d68adb4b8ab6558883

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
312B

MD5
0c04ad1083dc5c7c45e3ee2cd344ae38

SHA1
f1cf190f8ca93000e56d49732e9e827e2554c46f

SHA256
6452273c017db7cbe0ffc5b109bbf3f8d3282fb91bfa3c5eabc4fb8f1fc98cb0

SHA512
6c414b39bbc1f1f08446c6c6da6f6e1ceb9303bbf183ae279c872d91641ea8d67ec5e5c4e0824da3837eca73ec29fe70e92b72c09458c8ce50fa6f08791d1492

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
424B

MD5
22f1b33d24a76684cd7f67d0c3c5328f

SHA1
d913fed406c4a72e4dc73e4da2610302b25e2863

SHA256
3def9f67c03b119d36ec9c9b8fd89dbace19e2701448e5ba7704845b10655492

SHA512
c1b4f7ff9f675671327428985cdadd3f4d7a2beca11e1215d22305ec296f134e5d80daae050669abf68872f58295c676d1fea5697a1348a579757c59b351b6fc

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
2KB

MD5
008e20fdf18e751555cba49e15ca5fb8

SHA1
3dee67258632d1bb64a2af147a7c90ebf575cb0a

SHA256
afdf28945e9ba2a4be3f3153eac397c77236b33ce6adc7a264b9c7b5f8b3c5c5

SHA512
17161b67aaca6d9f7f99c9e5965d24e216308a7ff047d34d95922045f6c6704f38aca247c3d029df56533112426caa6b3a11cefa413f34ae7e2901439039583c

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
2KB

MD5
7317e8caecce9b36d539c802875bb3d5

SHA1
0440bd6651b166803285ad8a5f8d35c689b1c332

SHA256
344ddff5a45fd5e323d594e9156f09ba432148bf01b9919696b9d267399366aa

SHA512
9a34b793da859abcd8ece5f9798d965ec44e96b2a9079f36af611b35cb0d87062442f40bfc7417e94049ac0946e8628240d4fb5878e76a98869d2b4faa675418

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
3KB

MD5
62557da0cc50419cd537cc1699744374

SHA1
65755a188321b665afecf781a8debe99945d45b7

SHA256
f3faf261ceab7e4cceb1ae764b936d58b5a9442073f907c1e37755936497d51c

SHA512
304c31cb0d71c87fbe0d0a9bb071eb00c2626f2e9d12dded77f5475f9306768a3b1bffd08d350dcbfda71cd754a80d34fa00955ac7fa80af3fe834ab5bb53cbf

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
53e53072232ac3ec8492ec58da4378bf

SHA1
99d5e19dac597a40f9e81dbd116e2a7609d95e13

SHA256
dd47c76d7810f50084be603caee1b4c6d725da88414d46a070fd5c9d7dba76c0

SHA512
38daa24054febb194646c252533f0dab5220a525a3899a07025741f7774a7648b73c67adeffd42079ce7b7af9cc5a4f2f0d30fc0ec6781dca32e9265c64f061a

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
3KB

MD5
b4c428d5b84ffcd5c77c782d4ab4cbf6

SHA1
1f5dc05c6afce43fc01db58681d334bd5f1b4cc1

SHA256
4b11bf2e29b2f77d8122cdce072ea5163093d1cc0dcc690b9ec38d7ed2e44e4f

SHA512
b6935467cd76d7212e5d252dc9e47f9a116217946c60586b926773c05b70142aa5bb090a70ccb0c103731273b0f323db4e199b383ff01d5b3307309ef596da85

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
7KB

MD5
1df89b7656bad5716a55294d5a9162b4

SHA1
5c1a5fb9187e5b6208c4fbcfdd4d4dfc6219005d

SHA256
5ef8948f776ee3e889714e2e48771d64dff60bca5e5bfd743baa92da65efca34

SHA512
db1289c706146c1f4069ccd381a57f25e86174584fe1df170a3844709d43cfcb851da0bfd9127f61b82e192937b2c5f00a01c48bd66943dc95200dca7639a01c

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
7KB

MD5
61b76c7ffeb5af56a4769b0137976d21

SHA1
68d07cdf54bd58c38013eb56269929ba058f917c

SHA256
5c58562c8b384eaeb5dcc2569c6ad71773623cc83de3fda75ae99e6a446729f7

SHA512
12c7f5eef7a7e50c00b7bd1d04161b69d687eda91ddf865986085abdfda45c6ceb02da4e92fb0eca77345cfd9ac5a6bebb318e70a30989f252efb449813a40b3

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
12c1d9db19107ae942ddf2965b1d7e22

SHA1
f6c4ba40663e2154e85545ad8d41b9e7f5280f43

SHA256
14e3fb7b446f9c1cfed01be42cc6c5f249697c55c2b9a0a2c37e59d57a5e67e0

SHA512
0aac8e5c83add9ee8227687706b466fde70697f94b3fb90990dc1bb94b622cb339ee3e1975ae375d81ec8c5bec28f82ef463a1474415bb8a8a2668f0f89790e2

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
3970011eded6ac260b06f97effcb3067

SHA1
f3e7a604262324672962c12eeed29460e2f4194b

SHA256
f0f440414428cebc78bc021e5a50596e9db697f4842abd865f1f8b98cae8f563

SHA512
7b62798f3eb709d5530607e0844a2ff8f1370ad5cafa236f9cc8c9754eb06b81ac068275d38707b3a95f8909a5d9cae82294939e5c57f7af659168be67d913ae

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
1b56f4bc63f19c5d8ec9d0de0c0cf6df

SHA1
6e2ff48698449aff93a078b99971236d071cc2c1

SHA256
08126ef42ae874e494fad42eb452efa2e11f3b3190cd2b57a85e6dfbc510d1c6

SHA512
a58b19b93c03b81db89f44ab8af4c18e6d03fc790eaf29f79aea635663466f132947a1a81cc4b2c8b95f34dd3a61c33bc88f762684d4b598dc47754f2b4a3b6c

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
bba219e5459e5ba18989272c8f80ec13

SHA1
a09dd7fd0a5b1175ec44b1292d0bb3a67634bea9

SHA256
da44fd3525e57ef3f8e804acfb3a807882fe54e3eb8d7114c001fcb2a091030d

SHA512
b3dac948ebcc8cd1eb9eb8873b3f22177ec83e4a9b94d0a13de72913fab49729f96dc9d896dfe3204ef3d303eedfe7a6695ed761d1adfedc43d8e9cb1d4a65d0

Download Submit
memory/1996-0-0x0000000000130000-0x0000000001867000-memory.dmp

Filesize
23.2MB

Download
memory/1996-10-0x0000000000130000-0x0000000001867000-memory.dmp

Filesize
23.2MB

Download
memory/1996-2-0x0000000000134000-0x0000000001373000-memory.dmp

Filesize
18.2MB

Download
memory/1996-249-0x0000000000134000-0x0000000001373000-memory.dmp

Filesize
18.2MB

Download
memory/1996-250-0x0000000000130000-0x0000000001867000-memory.dmp

Filesize
23.2MB

Download
memory/2088-19-0x0000000000130000-0x0000000001867000-memory.dmp

Filesize
23.2MB

Download
memory/2088-252-0x0000000000130000-0x0000000001867000-memory.dmp

Filesize
23.2MB

Download
memory/3048-11-0x0000000000130000-0x0000000001867000-memory.dmp

Filesize
23.2MB

Download
memory/3048-251-0x0000000000130000-0x0000000001867000-memory.dmp

Filesize
23.2MB

Download