fff4b96876b0c78da96e57cf7ca1b0e0cbee4fde52047a9bde52e25b062d69ca

Analysis

max time kernel
1791s
max time network
1799s
platform
windows10-ltsc 2021_x64
resource
win10ltsc2021-20241023-en
resource tags

arch:x64arch:x86image:win10ltsc2021-20241023-enlocale:en-usos:windows10-ltsc 2021-x64system
submitted
09-12-2024 08:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

AnyDesk.exe
Size

5.3MB
MD5

0a269c555e15783351e02629502bf141
SHA1

8fefa361e9b5bce4af0090093f51bcd02892b25d
SHA256

fff4b96876b0c78da96e57cf7ca1b0e0cbee4fde52047a9bde52e25b062d69ca
SHA512

b1784109f01d004f2f618e91695fc4ab9e64989cdedc39941cb1a4e7fed9032e096190269f3baefa590cc98552af5824d0f447a03213e4ae07cf55214758725a
SSDEEP

98304:Uc9HTcGO0ImBimas54Ub5ixTStxZi/l9K0+zLVasSe4JnzMpm+Gq:UcpYGO0IOqs57bUwxG9CVaskJIYE

Score

5^/10

discovery

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4074627901-37362009-3519777259-1000\Control Panel\International\Geo\Nation	AnyDesk.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4074627901-37362009-3519777259-1000\Control Panel\International\Geo\Nation	AnyDesk.exe

Loads dropped DLL 2 IoCs

pid	Process
1172	AnyDesk.exe
1588	AnyDesk.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AnyDesk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AnyDesk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AnyDesk.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AnyDesk.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	AnyDesk.exe

Suspicious use of FindShellTrayWindow 5 IoCs

pid	Process
1172	AnyDesk.exe
1172	AnyDesk.exe
1172	AnyDesk.exe
1172	AnyDesk.exe
1172	AnyDesk.exe

Suspicious use of SendNotifyMessage 5 IoCs

pid	Process
1172	AnyDesk.exe
1172	AnyDesk.exe
1172	AnyDesk.exe
1172	AnyDesk.exe
1172	AnyDesk.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4620 wrote to memory of 1588	4620	AnyDesk.exe	82
PID 4620 wrote to memory of 1588	4620	AnyDesk.exe	82
PID 4620 wrote to memory of 1588	4620	AnyDesk.exe	82
PID 4620 wrote to memory of 1172	4620	AnyDesk.exe	83
PID 4620 wrote to memory of 1172	4620	AnyDesk.exe	83
PID 4620 wrote to memory of 1172	4620	AnyDesk.exe	83

C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
"C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4620
- C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
  "C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe" --local-service
  2⤵
  - Checks computer location settings
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:1588
- C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
  "C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe" --local-control
  2⤵
  - Checks computer location settings
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:1172

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace

Filesize
5KB

MD5
dca492e40a9bc89f37df634ad9c81261

SHA1
c36a2d437fc0914adae2f8ff4f1d8daf3c4e9347

SHA256
74c05a6f1850eced0d952dea63fc4c7ee98c6fea9805aadfa248a9d46d984898

SHA512
bbe44c2617d7bb18c7154e66d55e35d524e32307dfe6b7fe9c9de51fd38f1373bfa360fa55f74ad6a46eb23ab3352f89116b56deab29e5aa654215d72b316d27

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace

Filesize
6KB

MD5
ebfbc64d51ee88cda324196e52357084

SHA1
430944eac77f51370fa69f4bfe9b67048e496868

SHA256
6f81bb7c458631b87f4ed3fe7a09734c503a71eccff4c1ea0ef67aba98b913cd

SHA512
ba91a3a69f87e3bd29980d1653f433668e7636b0e4b69788e1ca08f0fca25072898381a9fd27ec28357485c11e13ff37097ded6315cb218649dd846a417d1dfc

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\service.conf

Filesize
2KB

MD5
635e90ac4a0517fc6a3373d9b8739098

SHA1
6bfa69ce95f7433d728fc2e45f1a010ed270b0ec

SHA256
e8332234a5227a63d22c001065aef2775f88b3cb164b614154b2cbef6b588e3a

SHA512
3b0ef5e088a9ab902f06fa946dd38ab0e867f404589094d3d4fb66f7eccda78ca873efeac7bbba3fdccfc76e00e109d368267131a6bd6d8a6b13a8977b648924

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\service.conf

Filesize
2KB

MD5
d0d8940efea5c0afe98e426237bbab7d

SHA1
17ef8bc6e7cc6818db6cf5c7d2c9581d0568595c

SHA256
c87a0d2ec2aa5bfe7d99baac222b8a82805ea636771ee4d586edccbbcf48f641

SHA512
1879b5ceb725b8216bf8ad001e405d90e1793ccfc1f156cf2d04cae83b1f491b849d894bc43f6f0962e24c3d2c47429d643b8031177b6105d6a003a4cf45c56d

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
766B

MD5
1481c317fec08587a6587b19c48e9c57

SHA1
159011d5cdcbe33e8ae6a8901077698f2c702ab1

SHA256
0d632c6c1fd05da75e4fad4f64aa25c7ba4e5b0a3045444e1466bd002256bf59

SHA512
5ee76e3fce2972cf1889ef323fe67cf75159eea00d7eeea48c9e83011f0eeef722b3f644b339bdb9793b50d502b3fc40a2cbbd52082bac922cf8d8216b4b977e

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
775B

MD5
25855475a27522ee9a720268fceeb4e5

SHA1
0939ad6812667fce02d2c3714204810878df6c63

SHA256
cd124f108b4e5f37b39204c445f5d938bda746d70edbd27cd9bbd83754c81f33

SHA512
1c5f9004363e195305b26c450ad4f2dcf602aa58a65bc69fd7f279b4c41fe77a4ef4d94b348507b7f756aec7b6ea28af847172be2cd2e4e2bfaee2611163d704

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
832B

MD5
618a3e33155841c9b585d315a360469d

SHA1
1a35dcedf83f95ea808f9f7cf1de7a0672f56c75

SHA256
677a00dea4be3f41d1d01a98b6cc18d2a8e24d02f42139697602f9b0e33c5c72

SHA512
be3e5c463a41fc54bb77ca0ddc280aabcf6465028489bcfaa27490016dd5891fc3f4cd8642a24ac0e1a5a09fb2c151f7a17532cb858f350bcd959f544cf3207e

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
312B

MD5
0c04ad1083dc5c7c45e3ee2cd344ae38

SHA1
f1cf190f8ca93000e56d49732e9e827e2554c46f

SHA256
6452273c017db7cbe0ffc5b109bbf3f8d3282fb91bfa3c5eabc4fb8f1fc98cb0

SHA512
6c414b39bbc1f1f08446c6c6da6f6e1ceb9303bbf183ae279c872d91641ea8d67ec5e5c4e0824da3837eca73ec29fe70e92b72c09458c8ce50fa6f08791d1492

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
468B

MD5
d41825fb9c0b99f4c3822959fa4d9094

SHA1
c1e4d5791bb0808450ceffb13493ed1bd3278287

SHA256
71d6d61ddff96f8c68505c2069c62427fc83968e3f2e8cf6f24872dcaf55c42f

SHA512
e385b2411727be28be75ca2d0d7506a338d217ef8cdc2bfceb6cfee572c004e7248dff6a3a502c4092b75dd22ef14eca89aa168953b3bf2f286981e1ca4b2226

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
468B

MD5
015e2f9c546d64651f2eae0db8f47bb2

SHA1
8ab26cc509d5d7796381c0b7fab57d75db907297

SHA256
13100b7613edabe46ffa57586b6fd074c05fba616df6ab393e84c5e38c0c1280

SHA512
2d49aca1b8ff2d088d343bedf6c01fc7d228b02b5f9c741de58a95025d7de29425527a3c6658b592e2d8f1680ec4fccf4089f91eb7f8d962c7a16f37e36058ee

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
2KB

MD5
df564ed0a309015c64e87e34c6b5686a

SHA1
a3236bc236e8b4a24451e5e5963b8d10c589ae7d

SHA256
712ba89633ff240b928b226ebbad26b0352738afdee730e863e79ace90c75fef

SHA512
3888c479f46c6e7df2815841dfe3ed207b717a552aa580c98cedf6e86a8964b16cec33ed23db8d0d381196b01cf7160b05df913166fc0664be0bae3946063bd4

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
2KB

MD5
98a268e20ec9d56d41d0197ae57c736b

SHA1
25375b302979a436f05b21108f58ac1a7896f470

SHA256
5614a00e295d85402bac53708728eced01854abf4e6382aa38197a2ebd12f513

SHA512
c83006b5e34fbac70abe7bb6f6efae551b8d04a56fadd14ee71b892e93bcdb0d5959a22eb7df146bdba028ffbf1564f29524a94b3be3d78045e38712a9c39fe8

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
2KB

MD5
a40a49e1fb356692e7af82c2e49d030c

SHA1
c8a58157600fc24d453fd7880171d14802881283

SHA256
ef5502f8847b07c44e9bdbd26951a27346798fce74ec7b7913177fd593a7b4cd

SHA512
a5b2e54c4a2ef7795ab513767bab09d037072f11e127230a1776908289d0f96892874ffdd5c602b79b888521865e6228b28cd29f9fda26f0c0402a926d96c2ea

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
68b73a7902e022687ddc0966dd93b8ba

SHA1
551f20275815c88aa0428060bf4d3562ae3b5551

SHA256
c98aefc68bb6b054d23ebc74ec1f07cc4aac6832204d3ae015610770e614d46a

SHA512
613fb99850b941d9e564b340ce97de7a79a729c6a7e59c821c144ce2e82753c6f80914674be75d5acae43fa578f70791c5eb1e388b0a1d177158564dbc174677

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
2KB

MD5
c0e772f34206b9ec4d12961791775c9f

SHA1
d6ba07dbdd218b6dee7628b5dbaf67cfa079a5c7

SHA256
0dbfcc81d10355e8a13b188a4bec185960eb53139ff2b01f83e410c77227d234

SHA512
11814e5cad82e3d4ea0c1729c03660851691eee1b3374182504ab0ed2c941393d61fea032c4a345ae15c63b3378e9c6249aa50cef9d2ac73fea2902ae2ee246e

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
6KB

MD5
ff3dc3ccca0c86a18a82d1fee64f6a79

SHA1
6d5a01bab55a4aa507235112c9cc9667806eb462

SHA256
e05538e27e694ec6590a37f801ac8b88d27097459cfd5a35259470266e2d0995

SHA512
50eebd6749313951f2f3c4e7d936da08d87bd8600675c998f081b02e95cae1fe79cbcbcda5601a3abe27ac3c5a8596d60a9c5bd8e21eca21d08065dd298c04fa

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
5KB

MD5
e83d3c38ab9c0c7d7fe4c9fbfe590998

SHA1
90bd7f00736191fb69d445e279a371523740e839

SHA256
b82788d3699b0bfdfa0a47127471f085d9497819c4b4204ce132cda7fd1893fb

SHA512
ed2dc1b52cb880c8d78a1af28447b335237a6c10bb813f3fcbebc36834327a825b3eb689797ea553e168469bd1d19bdf84c630e7c8ab4254391f582f769dce39

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
5KB

MD5
a6a0685a9b5355034b83be18fe31e855

SHA1
22e7629019da85764f339796188596c405dbcb88

SHA256
6e965c65c930b833e6c69d257856b105be100a60f53fbbe93fbf00f448ba8f4e

SHA512
dd24cf54fffaf7ebd94d7cf58cc1f1cc2c0fcf297562621590084ce3d6822c7911e0017e32b90c593958f8be47885cef43b2e2cdecd69d31ba0c54730eb5406a

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
6KB

MD5
a7bfd29d9528328ea75d5fd193a579bc

SHA1
4afeecc139dbc69d79824065628eb8568cd2c6f2

SHA256
1d7c1b52c8597981264e53a7dadc1fc93a172a467cec4d4c6cf1fe938452385f

SHA512
61336e37a3ab6eaf020a7b41e39bed1dc8b1295fe74db31af9c0d8c0dac32ef8f535516e517d7186a908a864f2473bca25d522d2738df621fd514dfaff92176f

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
49267569b535b08ef3918c15aced2d3b

SHA1
0123c3e8c38cec7841b96df9182dd35ce852b4a9

SHA256
2a6bb7a2915ebdf52534699f10ff616a50fb4960b563ff09eb60003e8d5f8a44

SHA512
64b21d85f232ed06b55a5d7ed0ee0c78e14a198e67cf7e68ba9cbb4ef58de3ce047b1f222914949bcc8c0018b608b5d8ec487dc95167c8f0376b23187be4abdd

Download Submit
memory/1172-12-0x0000000000860000-0x0000000001EA2000-memory.dmp

Filesize
22.3MB

Download
memory/1172-230-0x0000000000860000-0x0000000001EA2000-memory.dmp

Filesize
22.3MB

Download
memory/1588-42-0x0000000006410000-0x000000000642B000-memory.dmp

Filesize
108KB

Download
memory/1588-13-0x0000000000860000-0x0000000001EA2000-memory.dmp

Filesize
22.3MB

Download
memory/1588-43-0x0000000006410000-0x000000000642B000-memory.dmp

Filesize
108KB

Download
memory/1588-39-0x0000000006410000-0x000000000642B000-memory.dmp

Filesize
108KB

Download
memory/1588-228-0x0000000000860000-0x0000000001EA2000-memory.dmp

Filesize
22.3MB

Download
memory/4620-1-0x0000000000860000-0x0000000001EA2000-memory.dmp

Filesize
22.3MB

Download
memory/4620-7-0x0000000000860000-0x0000000001EA2000-memory.dmp

Filesize
22.3MB

Download
memory/4620-0-0x0000000000864000-0x0000000001966000-memory.dmp

Filesize
17.0MB

Download
memory/4620-226-0x0000000000864000-0x0000000001966000-memory.dmp

Filesize
17.0MB

Download
memory/4620-227-0x0000000000860000-0x0000000001EA2000-memory.dmp

Filesize
22.3MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads