935c19977ca47ee1224e2ed738b45034a452106f1d661e7835b7f7c0683461b1

General

Target

AnyDesk (3).exe
Size

2.7MB
MD5

6521734e3a9a91767d0ddaa2e1d0472b
SHA1

02c8d591be6295a4a6aded37f39ef5614fc5c42b
SHA256

935c19977ca47ee1224e2ed738b45034a452106f1d661e7835b7f7c0683461b1
SHA512

1118e223fc5dd42d167d12e3cafe9624afc92b1c3afb436b8e6f4e349b9b46d492c5d42c8e4d90278db1c8acbf5ce71ef0327e99ecacad3c0aca5bbbe255ced8
SSDEEP

49152:EbTSviOL1rkkAE2CFbR7bgX3QgdI2rynaTd4lGLDdccVTwsmuCtP0GI:EbWvVek/XbRQTdIaGaylSD6UmLMGI

Score

3^/10

discovery

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AnyDesk (3).exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AnyDesk (3).exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AnyDesk (3).exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AnyDesk (3).exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	AnyDesk (3).exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
696	AnyDesk (3).exe
696	AnyDesk (3).exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
3468	AnyDesk (3).exe
3468	AnyDesk (3).exe
3468	AnyDesk (3).exe

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
3468	AnyDesk (3).exe
3468	AnyDesk (3).exe
3468	AnyDesk (3).exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 3272 wrote to memory of 696	3272	AnyDesk (3).exe	86
PID 3272 wrote to memory of 696	3272	AnyDesk (3).exe	86
PID 3272 wrote to memory of 696	3272	AnyDesk (3).exe	86
PID 3272 wrote to memory of 3468	3272	AnyDesk (3).exe	87
PID 3272 wrote to memory of 3468	3272	AnyDesk (3).exe	87
PID 3272 wrote to memory of 3468	3272	AnyDesk (3).exe	87

C:\Users\Admin\AppData\Local\Temp\AnyDesk (3).exe
"C:\Users\Admin\AppData\Local\Temp\AnyDesk (3).exe"
1⤵
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Suspicious use of WriteProcessMemory
PID:3272
- C:\Users\Admin\AppData\Local\Temp\AnyDesk (3).exe
  "C:\Users\Admin\AppData\Local\Temp\AnyDesk (3).exe" --local-service
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:696
- C:\Users\Admin\AppData\Local\Temp\AnyDesk (3).exe
  "C:\Users\Admin\AppData\Local\Temp\AnyDesk (3).exe" --local-control
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:3468

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace

Filesize
7KB

MD5
43ef6c203b3f87efe1a3e30a277151ee

SHA1
86d145883644c9b9b9f544cb5ab5d5f5f1323201

SHA256
ae43cf18a52e1a57855eeeb065f29d1eaf2c5539b013cb6732358a1ae9e3b91a

SHA512
e195fa941f5fda9668f7e0948e48f69655329da3db03b6e2bf17945c516022fba24c8ead7157a83a4494ee3c6dd220aa9cbdef3d770dcf982ecb83cc86966f68

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\service.conf

Filesize
2KB

MD5
f62611a0815323dbe3f71c8517324677

SHA1
fd179828654c4943deb55db6d18ee6a8be746cd5

SHA256
52c11ddd5408d2b8346d7bdcce8100b6e3509b7500d907ed347f21e4099a4ecc

SHA512
c8d467a52fb15e2407afdfa149a5a9bd5fdce561d4c496141da9d664f5f024efc31257e1dd45a19ae13661494758f0085492a1c20af861eb390820c9629419be

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
105B

MD5
4bb8858385f1a4a968134c00ff456dd0

SHA1
18e458429110e197e5b6edaae5517094e0f51a70

SHA256
9ac60d21393604fbccbe506ea6716ed169329c7e19dc2839690cde8d615f164d

SHA512
05b6f5aebd1666a4079b5b2ca1a050eb92053479359e75d159aeea74e8c528d073b586afc388afdd20ccb935f10dcfdad816b494373522989a12e0ef763058c8

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
329B

MD5
82a094f813a18044905a2879683952e2

SHA1
be0524deca5dc1e456968fdcc5764c92f338ac99

SHA256
22af0aed1b0e42ff653b9507106b3bc662df9eb12cf76d9b15192156ba01df5b

SHA512
44c0c48cb0286c57020de842eb0a362da359a8b6dd4f55306d99153eca05341312d4f50928db05ca6bf9500e04d7007ce6173e49907f77e0da6e80134bf36480

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
107B

MD5
f25e48e1d9e1e1398bc5fbc6885570b8

SHA1
46557c8ebb9236af6c28c9bdd317d1d25749e710

SHA256
0379e6a5dff30a991e0acdb9932cac828eb3e30ca8cc23447a2bc73ae78181db

SHA512
41e61480f5141b6950d7b96f3e4dfcca19bc480e0b11eeebdedaeb266c6e525f41f3d29a3c1c0bf8f17a3c30111d8fba7e269d5fcf84b336bee916e21881acb7

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
205B

MD5
59352c2b0c590c5fd96365d3168d723b

SHA1
53ab571639cc3e3a38032c1095985f7f4278d8fc

SHA256
079db0d18cb8ca55e8653f3d67608c5e445d32e368feb874ed3fa1d797c7c286

SHA512
2d21bcd26ef934095ca5b37aa1e66091547870f5e09c2d203dfd75923d2575f93f1a42f31e4fb7b2423b766984464ed65b048f49519837918de246a892c82828

Download Submit
memory/696-41-0x0000000000100000-0x0000000000BFE000-memory.dmp

Filesize
11.0MB

Download
memory/696-19-0x0000000000100000-0x0000000000BFE000-memory.dmp

Filesize
11.0MB

Download
memory/696-70-0x0000000000100000-0x0000000000BFE000-memory.dmp

Filesize
11.0MB

Download
memory/696-60-0x0000000000100000-0x0000000000BFE000-memory.dmp

Filesize
11.0MB

Download
memory/3272-13-0x0000000000100000-0x0000000000BFE000-memory.dmp

Filesize
11.0MB

Download
memory/3272-18-0x0000000000100000-0x0000000000BFE000-memory.dmp

Filesize
11.0MB

Download
memory/3272-3-0x0000000000100000-0x0000000000BFE000-memory.dmp

Filesize
11.0MB

Download
memory/3272-0-0x0000000000104000-0x0000000000950000-memory.dmp

Filesize
8.3MB

Download
memory/3272-1-0x0000000000100000-0x0000000000BFE000-memory.dmp

Filesize
11.0MB

Download
memory/3272-59-0x0000000000100000-0x0000000000BFE000-memory.dmp

Filesize
11.0MB

Download
memory/3272-17-0x0000000000100000-0x0000000000BFE000-memory.dmp

Filesize
11.0MB

Download
memory/3272-62-0x0000000000104000-0x0000000000950000-memory.dmp

Filesize
8.3MB

Download
memory/3468-26-0x0000000000100000-0x0000000000BFE000-memory.dmp

Filesize
11.0MB

Download
memory/3468-20-0x0000000000100000-0x0000000000BFE000-memory.dmp

Filesize
11.0MB

Download

Analysis

Sharing