935c19977ca47ee1224e2ed738b45034a452106f1d661e7835b7f7c0683461b1

General

Target

AnyDesk (3).exe
Size

2.7MB
MD5

6521734e3a9a91767d0ddaa2e1d0472b
SHA1

02c8d591be6295a4a6aded37f39ef5614fc5c42b
SHA256

935c19977ca47ee1224e2ed738b45034a452106f1d661e7835b7f7c0683461b1
SHA512

1118e223fc5dd42d167d12e3cafe9624afc92b1c3afb436b8e6f4e349b9b46d492c5d42c8e4d90278db1c8acbf5ce71ef0327e99ecacad3c0aca5bbbe255ced8
SSDEEP

49152:EbTSviOL1rkkAE2CFbR7bgX3QgdI2rynaTd4lGLDdccVTwsmuCtP0GI:EbWvVek/XbRQTdIaGaylSD6UmLMGI

Score

3^/10

discovery

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AnyDesk (3).exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AnyDesk (3).exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AnyDesk (3).exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AnyDesk (3).exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	AnyDesk (3).exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2244	AnyDesk (3).exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
2300	AnyDesk (3).exe
2300	AnyDesk (3).exe
2300	AnyDesk (3).exe

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
2300	AnyDesk (3).exe
2300	AnyDesk (3).exe
2300	AnyDesk (3).exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1872 wrote to memory of 2244	1872	AnyDesk (3).exe	28
PID 1872 wrote to memory of 2244	1872	AnyDesk (3).exe	28
PID 1872 wrote to memory of 2244	1872	AnyDesk (3).exe	28
PID 1872 wrote to memory of 2244	1872	AnyDesk (3).exe	28
PID 1872 wrote to memory of 2300	1872	AnyDesk (3).exe	29
PID 1872 wrote to memory of 2300	1872	AnyDesk (3).exe	29
PID 1872 wrote to memory of 2300	1872	AnyDesk (3).exe	29
PID 1872 wrote to memory of 2300	1872	AnyDesk (3).exe	29

C:\Users\Admin\AppData\Local\Temp\AnyDesk (3).exe
"C:\Users\Admin\AppData\Local\Temp\AnyDesk (3).exe"
1⤵
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Suspicious use of WriteProcessMemory
PID:1872
- C:\Users\Admin\AppData\Local\Temp\AnyDesk (3).exe
  "C:\Users\Admin\AppData\Local\Temp\AnyDesk (3).exe" --local-service
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2244
- C:\Users\Admin\AppData\Local\Temp\AnyDesk (3).exe
  "C:\Users\Admin\AppData\Local\Temp\AnyDesk (3).exe" --local-control
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:2300

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace

Filesize
5KB

MD5
c3f43b80d7d9aa7629b02d701d5020d6

SHA1
5345386009423a597a9a1681b6a569f1f8d2b7f0

SHA256
df9bb0a8521960e14a19d03bf8d9d6bfdd92a1396464d342e28e1909672e99a6

SHA512
cf182786c2cf1d85a1b325f674a6fe8d3b0c25a90080f6d6c559d57bbb86b7af300fb430390c319318d04e477e775b8c9a2cc8a97fa05946bd2e9338e005775c

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\service.conf

Filesize
2KB

MD5
3e04dbd6c10da80b434fb228b3cfa7ac

SHA1
67a7fa2d11e1888639bc1acb74837a1291247f79

SHA256
5c798e5d15712ae2683b7331f1479fe89f8c18d09822339dc2a81fe44c09baea

SHA512
b3130efe37941a28ade1b82be6bcaccd903490b96f59579b61d71ea7d6ce62dbfb7b077a0a27ccf7d966d726d1f502fa52d74ae35bdbf848d1461d44225bd402

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
105B

MD5
0651d4792f674fd5c71ea6abda6b262f

SHA1
bf9fe3e418237e563735d4dc1bb6f59b36740ee8

SHA256
53ac228ac4d4f8ae77f28123bb1221cad3ce344c93b81465c1390afa817e6588

SHA512
96b0638408ab88c7d0342b252c78a4ebdf497e0ec1b456a6b19de897e6efe3a6a0b6a519bad9708a444e44ca4b823ba21c8c0a4f3254eaebfdf7be9a258b91f8

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
329B

MD5
b6f70e28bab60cb6caa75e009280f3e9

SHA1
b0c5b2851da21970aa18a2bca79a36d8c56c7fd1

SHA256
fc04b504af3e27a22f5b3ae80062991d8408e58725ce54261cadc9bda59433a8

SHA512
5278102d08ff313be15b7c0215bc9e5ea1b64eca8fed1891ce23506d6ffed8749f394e6f3c9357966ea0157f6db00a5491fb9e0a10dee4e44fbc813b87f9ef95

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
107B

MD5
f25e48e1d9e1e1398bc5fbc6885570b8

SHA1
46557c8ebb9236af6c28c9bdd317d1d25749e710

SHA256
0379e6a5dff30a991e0acdb9932cac828eb3e30ca8cc23447a2bc73ae78181db

SHA512
41e61480f5141b6950d7b96f3e4dfcca19bc480e0b11eeebdedaeb266c6e525f41f3d29a3c1c0bf8f17a3c30111d8fba7e269d5fcf84b336bee916e21881acb7

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
205B

MD5
59352c2b0c590c5fd96365d3168d723b

SHA1
53ab571639cc3e3a38032c1095985f7f4278d8fc

SHA256
079db0d18cb8ca55e8653f3d67608c5e445d32e368feb874ed3fa1d797c7c286

SHA512
2d21bcd26ef934095ca5b37aa1e66091547870f5e09c2d203dfd75923d2575f93f1a42f31e4fb7b2423b766984464ed65b048f49519837918de246a892c82828

Download Submit
memory/1872-2-0x00000000010D4000-0x0000000001920000-memory.dmp

Filesize
8.3MB

Download
memory/1872-4-0x00000000010D0000-0x0000000001BCE000-memory.dmp

Filesize
11.0MB

Download
memory/1872-0-0x00000000010D0000-0x0000000001BCE000-memory.dmp

Filesize
11.0MB

Download
memory/1872-64-0x00000000010D4000-0x0000000001920000-memory.dmp

Filesize
8.3MB

Download
memory/1872-65-0x00000000010D0000-0x0000000001BCE000-memory.dmp

Filesize
11.0MB

Download
memory/2244-16-0x00000000010D0000-0x0000000001BCE000-memory.dmp

Filesize
11.0MB

Download
memory/2244-66-0x00000000010D0000-0x0000000001BCE000-memory.dmp

Filesize
11.0MB

Download
memory/2300-18-0x00000000010D0000-0x0000000001BCE000-memory.dmp

Filesize
11.0MB

Download
memory/2300-67-0x00000000010D0000-0x0000000001BCE000-memory.dmp

Filesize
11.0MB

Download

Analysis

Sharing