d9a3252d8aa1ce8786fd29d68c4d77018a61c51073aaff82db00ae5355704110

Analysis

max time kernel
144s
max time network
156s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
23-11-2024 22:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

async_modified/Plugins/AnyDesk.exe
Size

3.8MB
MD5

fe61cd9e702ec1208c13350c00f0732c
SHA1

379520c1ad0541d5a30f214e15b7c8bff6766f9f
SHA256

580f6a285c6c3b7238bd16e1aeb62a077ae44b5061a2162e9fd6383af59028bb
SHA512

504e581026719b31555f0131bbaf9d5655c8955d9382cc53688873295d393028987032bdfccef09cf42e16ea51f8f8bf91543585b2754d5827d7b29325540cab
SSDEEP

98304:RSExf+1CnXTxQ9LDj6eblG+L9nDHPdQod:RScf+8nXdQvPtL97dPd

Score

5^/10

discovery

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Control Panel\International\Geo\Nation	AnyDesk.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Control Panel\International\Geo\Nation	AnyDesk.exe

Loads dropped DLL 2 IoCs

pid	Process
2996	AnyDesk.exe
2976	AnyDesk.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AnyDesk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AnyDesk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AnyDesk.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AnyDesk.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	AnyDesk.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2976	AnyDesk.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
2996	AnyDesk.exe
2996	AnyDesk.exe
2996	AnyDesk.exe

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
2996	AnyDesk.exe
2996	AnyDesk.exe
2996	AnyDesk.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2328 wrote to memory of 2976	2328	AnyDesk.exe	29
PID 2328 wrote to memory of 2976	2328	AnyDesk.exe	29
PID 2328 wrote to memory of 2976	2328	AnyDesk.exe	29
PID 2328 wrote to memory of 2976	2328	AnyDesk.exe	29
PID 2328 wrote to memory of 2996	2328	AnyDesk.exe	30
PID 2328 wrote to memory of 2996	2328	AnyDesk.exe	30
PID 2328 wrote to memory of 2996	2328	AnyDesk.exe	30
PID 2328 wrote to memory of 2996	2328	AnyDesk.exe	30

C:\Users\Admin\AppData\Local\Temp\async_modified\Plugins\AnyDesk.exe
"C:\Users\Admin\AppData\Local\Temp\async_modified\Plugins\AnyDesk.exe"
1⤵
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Suspicious use of WriteProcessMemory
PID:2328
- C:\Users\Admin\AppData\Local\Temp\async_modified\Plugins\AnyDesk.exe
  "C:\Users\Admin\AppData\Local\Temp\async_modified\Plugins\AnyDesk.exe" --local-service
  2⤵
  - Checks computer location settings
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2976
- C:\Users\Admin\AppData\Local\Temp\async_modified\Plugins\AnyDesk.exe
  "C:\Users\Admin\AppData\Local\Temp\async_modified\Plugins\AnyDesk.exe" --local-control
  2⤵
  - Checks computer location settings
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:2996

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace

Filesize
6KB

MD5
723805e707f2978a3d4d6b46736a701d

SHA1
f827436b0480e1d9afe6fac951e208d99dc50157

SHA256
e824751d4145f0aca6fe3bf14b608cff38ac37351ac7be74c32cc1def2486aaf

SHA512
4977d0fb84c1869f54b3bd67c09800477562e9e752a6b38f4ec4006cc2fc2b279f219c73cc08c56258ac71c00ca0d4df0fe6bf55d788941192a764ec7ad123fe

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace

Filesize
7KB

MD5
6d21c191298326a3a9604556aad89c6c

SHA1
c2f7fcc0d7d2d7a043239a1bb6c13a6aaeb57278

SHA256
646f7175364dc899996e1bf223bb68a75c05a7027e688b83db678ac78a9059c2

SHA512
496da7d6753e414cbf5225b39e4f5130229a37caeca074f209aab48e9f1d5735dfdf6e7bfb3947436e06645eda3cf95970a43cc78f8fa58438bf508f117b25d6

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\service.conf

Filesize
2KB

MD5
1bbf82d13559268f9952f38e13f34498

SHA1
b36f72754894b6efad503932364fc40efcd6239b

SHA256
343d900c7a1230412f2454b0809f7b4a0b1153995d8aa33b7f8ac5c90c4918e1

SHA512
d18d15464d525c493c0ef179a15dd7017b730bcd5b6e927c96df74c46ddfb93cda09968a92014e3be54f020c2e4d6b2b5b9e704a23617b7a746f8ecd3b9e7009

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\service.conf

Filesize
2KB

MD5
fefb1f3cff6dee0722dc1e3329cdaedc

SHA1
de02007297e3627b024775ab1cdbc51e111efa79

SHA256
7704738690c4864bfb793e403faeab778f87bb1b5a83b640749bcdb11b298b5b

SHA512
907e5d6cdc41fd85f5fab3d36c5738a3cb3837cd5bc19668339017706f658cf6d4a6b68160384b9386659c3c2e185d55d56ed716f373b2ba51db8f541af47235

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
612B

MD5
59fff6ad8a9d8e52e93199220fb3a4d1

SHA1
83eaca4826aa29c276bcc38490d22774a80be1c7

SHA256
a5c5458327b731ea9c35fa2b94c3a101c02591f98eda56966cf2dd863e385a9b

SHA512
c8f6dddc87d74c8ff0bb1c1cd0198da17b64bd02f5716bb91c2fcff68f0d49cf2bbda4f117d22866c81b76a2843e003cc603d8fe69abc17c1ac6c6589f4da840

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
669B

MD5
31ff37734aa500f7e51291b513f94b64

SHA1
6b78a589d0a99f576337e282f000adac5ce5a8c9

SHA256
774b44b86a6d265b6354e222956f555ab2ac64f6700899f64c81c69fc14765ed

SHA512
f4eb4955cb7f5f4c6064d7fbbbcba993f8462bd81f669f0e8611c84177d4612b21eab070eaf5849df82f839ce7e74168185802040cd2487ec2ccbf6a137bfad0

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
738B

MD5
5eebf67a68b25eea39810c40908c57da

SHA1
08be7dd4af5d8a04c8b866f1979643e9d82a22df

SHA256
6b13aa746731506a59678820a6d00549aa6505e5bc303aac5552c272ee570d51

SHA512
4f0a3a8a4e3e6239c4f4404299707b05b9c319a5cd210b4d13c1f991a61584ba9bf760bf5b04c11cd9e0bac086a6610e621d0f241ce92c239f7431a23533086d

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
785B

MD5
5da3a75350c7ea3307b1cdc380da1b41

SHA1
44eafd5058e9a24fc372c5473bb2ce85cf17e10c

SHA256
2e5561fd5a9cb8c11a483e4e0124e21f190227b3e1864502fbe89381eb952a54

SHA512
89a7a817cfcb458456fb2125d648b0163a472a92adfaae795c85adab6d30a9c5c488d866f115262cbdd01df81322102145125ae7a026c79bfb84e2b9d51deb50

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
312B

MD5
0c04ad1083dc5c7c45e3ee2cd344ae38

SHA1
f1cf190f8ca93000e56d49732e9e827e2554c46f

SHA256
6452273c017db7cbe0ffc5b109bbf3f8d3282fb91bfa3c5eabc4fb8f1fc98cb0

SHA512
6c414b39bbc1f1f08446c6c6da6f6e1ceb9303bbf183ae279c872d91641ea8d67ec5e5c4e0824da3837eca73ec29fe70e92b72c09458c8ce50fa6f08791d1492

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
424B

MD5
d4f5170802e1048ad601c6926dadb85e

SHA1
19cac96594be58f843a87a5ff75ddb9821743b7d

SHA256
c05ae8f75899bc6a5f7794af2dd68c90fc9951c13f12bbbab9aba9bd55995584

SHA512
4b326db2bdfa3c6a71b3e0181504ee583aeba69452910a62bbd8c5e9f2aa4d0056be086034177f03f408cc0d047c76987a3bc4d7f91761d2deafd25a6ec84bfa

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
4KB

MD5
db7865333cf5b1e5d96f1a34f9a5d301

SHA1
cd2496e2ea6cb0c9723ef6c39c9ea12668923d4d

SHA256
de79e89fec98084843107959f2f69a959067f44f85132131c3e2eda0cc5195ca

SHA512
20191e7d76ad89299b4306a7ca59f993f7dc1d547affff77f86aabe8bb70ec9f71f57507ef397a2bbd6c1cc947011efce62f85b341a168585769ec2c60386613

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
5KB

MD5
9fa7ed2a0eda5bab954b052a7d4dfe03

SHA1
bf1babf7c25d9f4f2e17bda152aed257db641742

SHA256
8f0aa71ad08e28ee34aeb109476b57992ad3d0e6d24c7c79c448371afd3d8d03

SHA512
cd5119f1a67f95207162e5c6ced8d615f158d57b67e2af61e507b08f7a3cd4e8fcf0c12782899ae8839409413af1e347d4c2928f3d1c1a084c8cf96325455216

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
6KB

MD5
7d55da0e98e6571593b248c9a127bdc8

SHA1
b7ac3aca9cc23947390fa4b627c3f6985ad3508c

SHA256
706110d4d9f636d8ac9ad1c442f321a918d3f68e5ca5c055cb5aa67ecc724eda

SHA512
6b27b7e169bcb1467dc816b8e3e50b34eadc8313591baadcb9c92aa9f4d9a7fe2e8b7b84c9daa59637daf22b9fb40eb443f242df558d6ce47a1ebeb82852aa77

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
6KB

MD5
424ff7f43066271e9a7cd6c666d1ab5b

SHA1
b7a4ddbdf95e4d76aee3d718901c9ce862e593b8

SHA256
55f98e63823ade62b631e7ae61baabf076a21f8e6582baeadc9e1fc5eee7fe0a

SHA512
be89fbcf84c4d02d31ab3d1ec48cf29a68d7be5ea3e173c98da1355c65bc401a2ab316713242c4475c3dd65d993ae9fb67153e9a24d655c15279f780f42da2ac

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
a607b0783423e51daa189ebcdcdb2715

SHA1
1d8935b52b161f348d8a24555bf6d3be5197fc0b

SHA256
3982f0dd9efcf7bcbed9def5c3ac13c8689be8b757c4b050c247917895afe85e

SHA512
2a2ab1302b1259393625ca157041f96a806d45c555ec2269fc31b7ae4bce2142b1d0223b862973bb25ec2ff181940f88ebe4a6209389f4a3bc1123d3efa52411

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
6KB

MD5
bd07c47a3c36ca2bbdb57ac3a7972a18

SHA1
f70a7451ee7ada221ab3da799755190ff074b6a3

SHA256
c46aaebf3265074dbe96a027f27be1c7ab87faf570c34d2a1ceed0d47b83f81b

SHA512
508f38bdbd4c456468a1bf2a7ef364e160d34bdf6b513cddd0d16d1cbe7fc96c3d0835d4379460988b6a47c16506ef23b429615dec672982d875e8e2ae4466b9

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
6KB

MD5
346e592484570af2aa813e060b0a9f06

SHA1
4afd6b150832ff3053e2623cb106c4e3976131af

SHA256
6e0cffb525dc46e9051ab40af87b98c1e5bff7591594d86fa97ad344ea7125da

SHA512
a10806bf10eef354548d08d8f6360fa24711343a75dbd1822ec3f990e9f539d383eb5ce564c1d72b8e02bd258c0566d3bc43068b5f825455829bbe9b26b7efa4

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
6KB

MD5
4d66167ff5db1afe5cacf781a85be941

SHA1
0f2ade1f6bf1ac991ce2f34bd2eb2694a3dc57c9

SHA256
572f449e35a72f5ff86fe7e14d7d6be1a8b0fd835be8955383ad94da206b0706

SHA512
8650cae375b86578531ceb041548f89790fe037da0c0e7178c1d40ab876834152fd2cfbfd2a3f1bf81d497b533c0e21cdb31a0c33352c74e19bd1308d56b74b3

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
7KB

MD5
59be6f9a04c83b3b0c2688885b58f12a

SHA1
6426e92a4054ecbb9238eaafdefd6a8c764a70ae

SHA256
a128fd92145f5dd2c56739c8c2b99f681d716907a5748d12676ad23116114c48

SHA512
2021412c3cceb8c78cbd4fac0613a0bb29919757cd2c548029dac62903c68fc7cb35c77a44008069c1f2487af22f93111a865175fa10de0047b76ad22f5b61ee

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
c606a0cf8d894d4d3c11a919d318e403

SHA1
3c53746e7611a93bc724d351b23c8bf357507087

SHA256
ccd752e4cc4c634eb2a918c063f89e783322f218347b5d75cb364044f12e5cb4

SHA512
7927667fc64a3c67d7656bde445175fbb77e60b5ac89135e5018fefbbef72edb6b33386572af267665f9b6ebe1fa8e99cb305f6313dbd70cdccdae4bcbb6550d

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
9e7b6766599788fe588af6b5b06b6870

SHA1
885d0c105754e026e3d68a80bbe7ab10e2ddc215

SHA256
c06ae06ef19e6ff9cbf7eff1050198e67a7831f266049abb1f6b81e75a59f255

SHA512
4a33d076efb78d9fbadb2c25ac849417de161f3352b34099e4cf3a28dd3ac61d007aa6df2b3d0c0b0fbf20b86ac128ce8ce5fb87cc62b1e29548eb40a0682168

Download Submit
memory/2328-3-0x00000000009E0000-0x0000000001A4E000-memory.dmp

Filesize
16.4MB

Download
memory/2328-2-0x00000000009E4000-0x000000000167D000-memory.dmp

Filesize
12.6MB

Download
memory/2328-0-0x00000000009E0000-0x0000000001A4E000-memory.dmp

Filesize
16.4MB

Download
memory/2328-203-0x00000000009E0000-0x0000000001A4E000-memory.dmp

Filesize
16.4MB

Download
memory/2328-204-0x00000000009E4000-0x000000000167D000-memory.dmp

Filesize
12.6MB

Download
memory/2976-9-0x00000000009E0000-0x0000000001A4E000-memory.dmp

Filesize
16.4MB

Download
memory/2976-205-0x00000000009E0000-0x0000000001A4E000-memory.dmp

Filesize
16.4MB

Download
memory/2996-12-0x00000000009E0000-0x0000000001A4E000-memory.dmp

Filesize
16.4MB

Download
memory/2996-206-0x00000000009E0000-0x0000000001A4E000-memory.dmp

Filesize
16.4MB

Download