1a70f4eef11fbecb721b9bab1c9ff43a8c4cd7b2cafef08c033c77070c6fe069

max time kernel
3s
max time network
4s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
11/10/2024, 20:29

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

AnyDesk.exe
Size

4.8MB
MD5

ecae8b9c820ce255108f6050c26c37a1
SHA1

42333349841ddcec2b5c073abc0cae651bb03e5f
SHA256

1a70f4eef11fbecb721b9bab1c9ff43a8c4cd7b2cafef08c033c77070c6fe069
SHA512

9dc317682d4a89351e876b47f57e7fd26176f054b7322433c2c02dd074aabf8bfb19e6d1137a4b3ee6cd3463eaf8c0de124385928c561bdfe38440f336035ed4
SSDEEP

49152:meqV5ZTNR7GCogeeQO+f2roC8b9vIT2jDKW4q8TrdzRplNOBLE7Rm1ebw4Tf/Eex:cX1T7bL0KrCqKDV4Jnd1ZOQ7R3rr/f6K

Score

3^/10

discovery

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AnyDesk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AnyDesk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AnyDesk.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
4392	AnyDesk.exe

Suspicious use of SendNotifyMessage 1 IoCs

pid	Process
4392	AnyDesk.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2788 wrote to memory of 4356	2788	AnyDesk.exe	85
PID 2788 wrote to memory of 4356	2788	AnyDesk.exe	85
PID 2788 wrote to memory of 4356	2788	AnyDesk.exe	85
PID 2788 wrote to memory of 4392	2788	AnyDesk.exe	86
PID 2788 wrote to memory of 4392	2788	AnyDesk.exe	86
PID 2788 wrote to memory of 4392	2788	AnyDesk.exe	86

C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
"C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2788
- C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
  "C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe" --local-service
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4356
- C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
  "C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe" --local-control
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:4392

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace

Filesize
4KB

MD5
a98b87fc38376fa9796d2f1ced67d30e

SHA1
12df96501b70e988cd11c54cd2624582def485db

SHA256
d266cb8ffcb96a60c91a18a9593f0bca1df0d3d4e2af8635a462d6a6ddb44a66

SHA512
302754a7e2f93d7d6078b573cb0b5f04c7601050ea02ab3211c9f1e10a14508f6364632c8272de44301a603e1d36fe6df80808daadd4b118839a712df4f412d1

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace

Filesize
8KB

MD5
b5715a3493fc08c1cf568b16e5fbeee7

SHA1
5d2e8b9ed2b6050eb808d19377f53bbedf388e36

SHA256
fd596b218772255c414480131a9217946f7339e4097d9c105ceafefe63f7d1ae

SHA512
d8fb551684b4ae0bb2f16214c67725223c95ebbd6b984a77f723901cf31ba82f444956f846bfc30f808c592b285ab2be6a41fbb97b620bc0b24a869878f7a5c7

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\service.conf

Filesize
2KB

MD5
92d4c355188d8b070cc7c3ee66e22a90

SHA1
d8f8cbe8b87c2dcc1107870344aa7e92a907aa3a

SHA256
ac36d8425bf2c09518f4c971668ceb4ffc83f7d3487b8892aa1e9254fa5f6c32

SHA512
a8f45fd952ab4b388327bd62b5f9cfc6ce19da446e685ad4fb22b6c89bc3717994718471f5a57a61a73fd32b6a5db91b745a9dc1606557bd9412f92644da8465

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
312B

MD5
0c04ad1083dc5c7c45e3ee2cd344ae38

SHA1
f1cf190f8ca93000e56d49732e9e827e2554c46f

SHA256
6452273c017db7cbe0ffc5b109bbf3f8d3282fb91bfa3c5eabc4fb8f1fc98cb0

SHA512
6c414b39bbc1f1f08446c6c6da6f6e1ceb9303bbf183ae279c872d91641ea8d67ec5e5c4e0824da3837eca73ec29fe70e92b72c09458c8ce50fa6f08791d1492

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
468B

MD5
3914b71fc7f5837d60228e5819930872

SHA1
7b97d0d43daca9d32bd3db62bd5f408e406a3f97

SHA256
4103cfed3ffac730377e42dea0080faf6ab307f1c6967697eee6115d4eafcbb8

SHA512
11c69a4070077e452a436aa7eeaf845482c70fb1475f050960c4fc2e7d7347216b1b6ad67f1e649232a49bef86e852777242b1e02242063c58a0e2829cc28cbd

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
468B

MD5
018ff8e9c3c18bd6dbb99c87d68e1b0a

SHA1
67701c23c600de32ca26cbe8895c79de24413b8c

SHA256
a5b1ea79065921841a4ba8aab56cec3e978a5536a83ab8754c295412d75c522c

SHA512
e93db5bf35a6f87358d87a13f2389cb8638ec1dc779851c895acdd1bb387932a03d91be81db5198e8259873452b65dce94ec14212b22da39524b1c7d5d822ffe

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
f8f0d6f1b87d047ff843994df068dc9a

SHA1
bd81525c2a8bce41be31be4f94057adb8fcfecf2

SHA256
0ee1ea2b505d818e58a66c52a7c17a9bab96be3d935a83c0cf69b2e12ffafa75

SHA512
babdd4af23034459c2a5fbb03fcc3493ab159f357fa6c7a3013530fd58c1e1085e710f4788667824adea9fbcadd4ce79a533fa3233fd0a05bbdc976fb402fe95

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
c413794a562cd12fe55afb9b22e6481e

SHA1
b280fa361b2f407df5b670855fb04f514115eeee

SHA256
763c779cabca1b508dd4c2f845e50650564bb815f8372e3a1fd736a66ab88e49

SHA512
7722607f6d192a23a85e8861f92b314c1ce8c6f5871f772e3bab85836a865e8a32af14bdf6343a30e34955b3de41403ac2ce8ffd98268fb64869ead3e32af3f1

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
a7c29aed4e1a050498382c40e2d8320c

SHA1
9dcec0b541324be712b020423fa64d6fa3653560

SHA256
fa8e643628b507ac5001f3c02663b42c32f8d447647942fb5bf8c8993d9fd654

SHA512
07ac3b4e6e0051ebb51bdfbbbba8a477cf5f2c602c385ea98d7f8eca9715261f28cba8a2e793a968ae1254877487bd43f94210d0dcd7301a96efb89c293ccd1c

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
0b9faa5e6e268d9cf70ca82e6d4959b8

SHA1
6b312ad32b8cf846331dcbc230147811d5733b18

SHA256
c90f106436a6352fed2a9b3716fdc627c26dba599e6ac33e0ae7a0dc52457a1a

SHA512
311ad93aa10299e6095d5ae5dcb29d18653577557cea342889f6a4fa25379888b9c1b7e61d084deee073a5c2f3da7116cb6847652d5788f2645b4e62ce3a35b2

Download Submit
memory/2788-0-0x00000000007F4000-0x00000000017E1000-memory.dmp

Filesize
15.9MB

Download
memory/2788-5-0x00000000007F0000-0x0000000001C9F000-memory.dmp

Filesize
20.7MB

Download
memory/2788-1-0x00000000007F0000-0x0000000001C9F000-memory.dmp

Filesize
20.7MB

Download
memory/4356-14-0x00000000007F0000-0x0000000001C9F000-memory.dmp

Filesize
20.7MB

Download
memory/4356-43-0x0000000005560000-0x000000000557B000-memory.dmp

Filesize
108KB

Download
memory/4356-40-0x0000000005560000-0x000000000557B000-memory.dmp

Filesize
108KB

Download
memory/4356-42-0x0000000005560000-0x000000000557B000-memory.dmp

Filesize
108KB

Download
memory/4356-10-0x00000000007F0000-0x0000000001C9F000-memory.dmp

Filesize
20.7MB

Download
memory/4392-12-0x00000000007F0000-0x0000000001C9F000-memory.dmp

Filesize
20.7MB

Download

Resubmissions

Analysis