fff4b96876b0c78da96e57cf7ca1b0e0cbee4fde52047a9bde52e25b062d69ca

Analysis

max time kernel
1793s
max time network
1800s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
09-12-2024 08:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

AnyDesk.exe
Size

5.3MB
MD5

0a269c555e15783351e02629502bf141
SHA1

8fefa361e9b5bce4af0090093f51bcd02892b25d
SHA256

fff4b96876b0c78da96e57cf7ca1b0e0cbee4fde52047a9bde52e25b062d69ca
SHA512

b1784109f01d004f2f618e91695fc4ab9e64989cdedc39941cb1a4e7fed9032e096190269f3baefa590cc98552af5824d0f447a03213e4ae07cf55214758725a
SSDEEP

98304:Uc9HTcGO0ImBimas54Ub5ixTStxZi/l9K0+zLVasSe4JnzMpm+Gq:UcpYGO0IOqs57bUwxG9CVaskJIYE

Score

5^/10

discovery

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Control Panel\International\Geo\Nation	AnyDesk.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Control Panel\International\Geo\Nation	AnyDesk.exe

Loads dropped DLL 2 IoCs

pid	Process
2192	AnyDesk.exe
2868	AnyDesk.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AnyDesk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AnyDesk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AnyDesk.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AnyDesk.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	AnyDesk.exe

Suspicious use of FindShellTrayWindow 5 IoCs

pid	Process
2192	AnyDesk.exe
2192	AnyDesk.exe
2192	AnyDesk.exe
2192	AnyDesk.exe
2192	AnyDesk.exe

Suspicious use of SendNotifyMessage 5 IoCs

pid	Process
2192	AnyDesk.exe
2192	AnyDesk.exe
2192	AnyDesk.exe
2192	AnyDesk.exe
2192	AnyDesk.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2348 wrote to memory of 2868	2348	AnyDesk.exe	30
PID 2348 wrote to memory of 2868	2348	AnyDesk.exe	30
PID 2348 wrote to memory of 2868	2348	AnyDesk.exe	30
PID 2348 wrote to memory of 2868	2348	AnyDesk.exe	30
PID 2348 wrote to memory of 2192	2348	AnyDesk.exe	31
PID 2348 wrote to memory of 2192	2348	AnyDesk.exe	31
PID 2348 wrote to memory of 2192	2348	AnyDesk.exe	31
PID 2348 wrote to memory of 2192	2348	AnyDesk.exe	31

C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
"C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2348
- C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
  "C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe" --local-service
  2⤵
  - Checks computer location settings
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:2868
- C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
  "C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe" --local-control
  2⤵
  - Checks computer location settings
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:2192

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace

Filesize
8KB

MD5
3058881f2e0761fee95143b5214f067a

SHA1
4798f3be67362bb21ee9df761046eac528b32697

SHA256
d05aac36b7c37f5861fd70fffb81186b49c5818f9ee6a4a9297e397d456d3737

SHA512
0feee1d6f51bbc00894b01cdfe5b0452357a3f54fe68c204d138c289afa7974580d51f6edff9af4f8d6ffa064bb69d0bc2bc1b34625b958d0d25ba74fe416768

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace

Filesize
8KB

MD5
575120d23aa29ca6b9cdeccfb11bfa83

SHA1
69ea583b9ef71552aaaf8be48e58039d818e83dd

SHA256
4a46e31bd52a694ffa681e9a2cddf6aa8bf6b46846fc3dc01f9a58b0ec5f6a49

SHA512
233ea589b9c166856914f3ebac7323be82607c543b110a39db2c468306b4cc569ce1bb0512714ddff376f2dce52355153f4be12db53c2e8cb91e0ef359799043

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\service.conf

Filesize
2KB

MD5
ffbd9cd34b5f5553dd3f24dc9fd1fb3c

SHA1
e8ee4ffdc23222d38715483d21ec0950e50b1541

SHA256
30777b073bb6c442819409de9d1c9ee0eb76fa4907f20475ae3bf7f2151575e6

SHA512
3a82a21dfb9680012f8183969cf7d0a3d6564dc0b2d41a9939861175d231b2faf6184f576926db95ff5a98c636439b28dd9835987bf50f1acd7c08d7d057caf2

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\service.conf

Filesize
2KB

MD5
58d79b0b512c5552d8b9b9c706130db9

SHA1
b4e79a121245a9dbeef7aa3417aca9bb272585b5

SHA256
2d9f1290875a3c82d02aa2d77732822324310fc5183ef63465d22936667d3661

SHA512
189cc5106610b6f723b8c1288cbcd526a5348f85b114c187c21645d88ca8f5d5c831aaf7b76493bcaec66dd872d7c9231d07054dbd81048c7d99556a218b871d

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
745B

MD5
18bb833df18ba598e146a35ab967670b

SHA1
12362516811c9324617d2f82465fe90f8e8b40c3

SHA256
268540a2dc955ef4b92663fd0de2a282530c6e051b63080b5e461790f99db48f

SHA512
21d7c44295dc3cb858baab4bc6b4633a60f1fe29676305e75c3ec75324f093c0d8e8241c7ea5d7a91690ec55b8d87b01f24b99cebe23d3af8f49551e041a14d9

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
766B

MD5
799a7580f600065fad2304428f0f90ff

SHA1
ff76433c0a8a2c6cfa1629d9f4fef98126905f93

SHA256
b073b6f89dde7cae0940ee598d821661867f7e0c47608cd7e54e4fe09e885d08

SHA512
6e82e8d01424997b7b810ed59dce41d91e8be6e26672d61fe4dbc32555ab240aff938ba3f4341520fe42579ec19cd2526674ac83371974787eb074722aa2b135

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
823B

MD5
a4b6e5a97588ed39ebe97fa9a0fe26c9

SHA1
94375f6ba8e33cc1632878b7efa50a6f54118983

SHA256
fe87a9282cb31cb6e585f43ec0917a330084804cd2fece9761038ab91491e402

SHA512
7f3caecb795cde265ba40f84c9a4c71045fb0b430525d391a1601d2fd90809766dd44a43e95f9bab7a4cc0b8fb3c7e2e6168ee442b34336c7e8be52102bf1281

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
832B

MD5
f56e09a65c4286080c67def3327ffa35

SHA1
923eb4c9e4e69a54add5a7d12ee0382adbfed612

SHA256
56d47bfafbce728cc852d2a9c08550d43ba9590eb7587e0a4ec3a5a4eed16eb3

SHA512
565258a21563eea7ac4283c84346759b072c95d9a0f82c4191dbd732182daac83f66e472f86a101a8f726bcc045f354444f0ef3f47fee9a24f359923d9985dfe

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
312B

MD5
0c04ad1083dc5c7c45e3ee2cd344ae38

SHA1
f1cf190f8ca93000e56d49732e9e827e2554c46f

SHA256
6452273c017db7cbe0ffc5b109bbf3f8d3282fb91bfa3c5eabc4fb8f1fc98cb0

SHA512
6c414b39bbc1f1f08446c6c6da6f6e1ceb9303bbf183ae279c872d91641ea8d67ec5e5c4e0824da3837eca73ec29fe70e92b72c09458c8ce50fa6f08791d1492

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
468B

MD5
abe3a8e746bfe30ff266e379de97672f

SHA1
11b30035202c5e31aea47c1a77135a4d38289769

SHA256
8c4a0b7607bdd8000b799b1bbabad97fcbff9e22f1dcbb147664e16e0757d1ad

SHA512
fd9f326a5ca12abac6ff9088bc030c5e0680b82b7f64a4a0c514fe28c864a893c8363af744df9aade679cb0b19262a69454d1dfe6fb22df64c1c6f0b2e80520c

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
2KB

MD5
c80f3b557f083b5f6e557b4dc402ae66

SHA1
e390090c0f91b6ab6d1d8e23f61c2f73b4a4146c

SHA256
1ebb253033083129643812d8bad155a0738f22ee2744e3f2368effe0dfa621c7

SHA512
158b37882891142e04692e993053ff543d245ef0cabe62ae5f098d0fadb5b5965db9974efb1f48fe4b61a13b8bdc8ad00307823f31d8236873b9636d0a4b379a

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
2KB

MD5
46ac766aacd499398d951eb19c711bb9

SHA1
b39f4bee27768079316e50690f4bfea30c12a270

SHA256
f04b908002cadb834ba952b8fc039b987d4a03de78b2387417f986647e7e8857

SHA512
b5640945bfb98bf7cda4eda2d8f55f433750f9195272d85f6a022cbf6176c1ad638bd3b534147f82eb7889a2081a7a15c489902c737d22462f77ca17df7c88e8

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
2KB

MD5
0a49f553a356760cb77a3ec31cf57ded

SHA1
e380bf4fa006cafd846119669a1863b3f5fa2213

SHA256
9ce1f93b60cc96d6f1fd8a63b8109549c58c87db3f6a094de8e884f7b51c2855

SHA512
62aca5b4ca5637f1627e26013e2eea71902e94a99ebd02ced7fb4474bf794b1cee706401b4544e0d9987c362167f480608a82b1adc125800908a1205e3db41c3

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
5a71c90772c72fcd10b345eeb3c960b0

SHA1
a4519736dfeeb3ee9b39125fcc1a4d219e813385

SHA256
f2ae11289a7a7ec199ac2a23cb09d52e98813166ca9b0eac5f42420ab3a35f1e

SHA512
1143741542e602c4197cadabf2f0927b43bfe968ac9d3d49add7b9933f54253ff3d8786f4c9bde8e35a38f354bc111a4680cb1d761335dc04859c1cd9782767e

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
2KB

MD5
a6b2f00e71f42cacd0d7149a1666b512

SHA1
692121a6b969f6a489fc3a3969a3f1b5aeadbfbb

SHA256
acfd4fa0c66613649a33cbec377f6a2842fe8cafa0bb3cfa68157bd1e0daf978

SHA512
0c9de20b2ffb769085ca03c10475cd361c78e69b1a568038f3ceba096fa0afba36d910dd7655eb4452fbd0069a79fec924cfd5e2e0599c54f58b164e1fcc69cf

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
6KB

MD5
20d1842c3b9ece7444eb462f680894e1

SHA1
2ba9dce435b7c4a0a3f4989c066038ddb3ab25e6

SHA256
8e21148e6aff5a7dabcac479e21d3a02e43904a151e6cc891c2903da29d1c4ba

SHA512
f64269831d78d43650c1e290b92767cf97ca997d46aded5815f29d4ce59bf162d21f4237d49d74c47a683e75edfd8426a556364a06bd639381b9ecc7d321b115

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
6KB

MD5
88522f89c102cb0e01e7b0724dcd1796

SHA1
15a6fcc1322b6ab3fe13d1e73d578371c933b23a

SHA256
931824dccf94baf6265c24126bd5654b0e9b3739109343c6ce49103e1854f5de

SHA512
376db5e55bf7a0a15de789b185aa30355db356d50bad0e9986110d17399a526b454135d98653cb6328d1f90f80fb09673025949a60e91538e9ab6094487e6c2f

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
def0d1181e3de01b068471d880bffd7d

SHA1
2f00236a36dc0b6755dbd881955241d7065b7918

SHA256
4d38d1b432cee454c813c63d856f6f7958a910c3a3b8168ba761c272d3d32e7c

SHA512
4b6121f7bc7ec65dc63fc99a38b9eb6b27bd6b12ee83104268161deff42259715e5e9ad7bd87262f92e241a043096b6ae2818ecde7a5d08dd1fc381b6643c0ac

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
0f2a5309128ecc6092f34d7d6dbac4f4

SHA1
58411f14deb5fd11f23a93c5ceb1bc530e2ed9de

SHA256
ab95fa5cf9ab2238ab08ef5c256d0c0ef7627daadbd947d4ae416b6cd490660a

SHA512
1714c2e62fd38363c9f7f804a7121cff00b3a36c3ac456b0afe489773163ab9b8f50b406532f71882374cb1b81de875571ff4a09fe097fa357f56148cb9eeff7

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
dfe626bb0b3ddf0dc4ec554817189ef6

SHA1
f901aeafbf1d39dee42ac50ec54db5dea1199df8

SHA256
3428a1784eb71adb4c20a8d0fb91450b2d0a42313f7a516e603228716da23bb9

SHA512
fa6584d22c852dd1030517ab32f741b25eab0ee91ee2d0ad5fdc35807af7beea6a2742726e2ab14a1026a3e09eb4ce79c885f680dc4a5a1efb8eeb668c30ed69

Download Submit
memory/2192-10-0x0000000000A80000-0x00000000020C2000-memory.dmp

Filesize
22.3MB

Download
memory/2192-280-0x0000000000A80000-0x00000000020C2000-memory.dmp

Filesize
22.3MB

Download
memory/2348-5-0x0000000000A80000-0x00000000020C2000-memory.dmp

Filesize
22.3MB

Download
memory/2348-2-0x0000000000A84000-0x0000000001B86000-memory.dmp

Filesize
17.0MB

Download
memory/2348-0-0x0000000000A80000-0x00000000020C2000-memory.dmp

Filesize
22.3MB

Download
memory/2348-277-0x0000000000A80000-0x00000000020C2000-memory.dmp

Filesize
22.3MB

Download
memory/2348-278-0x0000000000A84000-0x0000000001B86000-memory.dmp

Filesize
17.0MB

Download
memory/2868-279-0x0000000000A80000-0x00000000020C2000-memory.dmp

Filesize
22.3MB

Download
memory/2868-12-0x0000000000A80000-0x00000000020C2000-memory.dmp

Filesize
22.3MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads