Analysis
max time kernel: 142s
max time network: 149s
platform: windows7_x64
resource: win7-20241023-en
resource tags: arch:x64, arch:x86, image:win7-20241023-en, locale:en-us, os:windows7-x64, system
submitted: 16-12-2024 06:50
Static task: static1
Behavioral task: behavioral1
  Sample: AnyDesk.exe
  Resource: win7-20241023-en
Behavioral task: behavioral2
  Sample: AnyDesk.exe
  Resource: win10v2004-20241007-en
General
Target: AnyDesk.exe
Size: 5.3MB
MD5: 0a269c555e15783351e02629502bf141
SHA1: 8fefa361e9b5bce4af0090093f51bcd02892b25d
SHA256: fff4b96876b0c78da96e57cf7ca1b0e0cbee4fde52047a9bde52e25b062d69ca
SHA512: b1784109f01d004f2f618e91695fc4ab9e64989cdedc39941cb1a4e7fed9032e096190269f3baefa590cc98552af5824d0f447a03213e4ae07cf55214758725a
SSDEEP: 98304:Uc9HTcGO0ImBimas54Ub5ixTStxZi/l9K0+zLVasSe4JnzMpm+Gq:UcpYGO0IOqs57bUwxG9CVaskJIYE
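Before trusting anything in this report for a file you hold, check that the bytes on disk are the bytes the report hashed. The following is an added example, not part of the report and not AnyDesk's own code: it streams a file through the four algorithms listed above and returns every algorithm whose digest disagrees with the reported value. The expected hashes are copied verbatim from the General section; the function names, the 1 MiB chunk size and the b"abc" buffer used for a self-check without a sample are this example's own assumptions.

```python
"""Verify a local sample against the hashes a sandbox report lists for it.

Added example, not part of the report or of AnyDesk. The REPORTED values are
copied from the report's General section; everything else here is assumed.
"""
import hashlib
import sys

ALGOS = ("md5", "sha1", "sha256", "sha512")

# Hashes exactly as the report prints them for AnyDesk.exe (5.3MB).
REPORTED = {
    "md5": "0a269c555e15783351e02629502bf141",
    "sha1": "8fefa361e9b5bce4af0090093f51bcd02892b25d",
    "sha256": "fff4b96876b0c78da96e57cf7ca1b0e0cbee4fde52047a9bde52e25b062d69ca",
    "sha512": "b1784109f01d004f2f618e91695fc4ab9e64989cdedc39941cb1a4e7fed9032e096190269f3baefa590cc98552af5824d0f447a03213e4ae07cf55214758725a",
}


def digest_all(data: bytes) -> dict:
    """Hex digests of an in-memory buffer for every algorithm in ALGOS."""
    return {name: hashlib.new(name, data).hexdigest() for name in ALGOS}


def digest_file(path: str, chunk_size: int = 1 << 20) -> dict:
    """Stream a file once through all four hashers; samples can be large,
    so never read() the whole file into memory just to hash it."""
    hashers = {name: hashlib.new(name) for name in ALGOS}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            for h in hashers.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def compare(actual: dict, expected: dict) -> dict:
    """Return {algo: (expected, actual)} for each algorithm that disagrees.

    Comparison is case-insensitive and ignores surrounding whitespace, since
    hashes get pasted from reports and tickets inconsistently. An algorithm
    the caller did not compute is reported as a mismatch (actual=None) rather
    than silently skipped: MD5 and SHA1 are collision-prone, so a match on
    those alone is weak evidence and SHA256 should always be in the set.
    """
    mismatches = {}
    for algo, want in expected.items():
        got = actual.get(algo)
        if got is None or got.strip().lower() != want.strip().lower():
            mismatches[algo] = (want, got)
    return mismatches


def verify_file(path: str, expected: dict = REPORTED) -> dict:
    """Hash a file and diff it against the report; {} means a full match."""
    return compare(digest_file(path), expected)


if __name__ == "__main__":
    bad = verify_file(sys.argv[1])
    for algo, (want, got) in bad.items():
        print(f"{algo}: report {want} != file {got}")
    sys.exit(1 if bad else 0)
```

Run it with the sample path as the only argument; it exits 1 and prints one line per disagreeing algorithm. A match on all four ties the file to this report and nothing more: whether the binary is the vendor's build is a code-signature question, not a hash question.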
Malware Config
Signatures

Checks computer location settings (2 TTPs, 2 IoCs)
Looks up the country code configured in the registry, likely a geofence.
  description        ioc                                                                                                  Process
  Key value queried  \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Control Panel\International\Geo\Nation  AnyDesk.exe  (2 identical entries)

Loads dropped DLL (2 IoCs)
  pid   Process
  2788  AnyDesk.exe
  2244  AnyDesk.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description  ioc                                                          Process
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  AnyDesk.exe  (3 identical entries)

Checks processor information in registry (2 TTPs, 2 IoCs)
Processor information is often read in order to detect sandboxing environments.
  description        ioc                                                                            Process
  Key opened         \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0                AnyDesk.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString  AnyDesk.exe

Suspicious use of FindShellTrayWindow (5 IoCs)
  pid   Process
  2788  AnyDesk.exe  (5 identical entries)

Suspicious use of SendNotifyMessage (5 IoCs)
  pid   Process
  2788  AnyDesk.exe  (5 identical entries)

Suspicious use of WriteProcessMemory (8 IoCs)
  description                      pid  Process      procid_target
  PID 308 wrote to memory of 2244  308  AnyDesk.exe  30  (4 identical entries)
  PID 308 wrote to memory of 2788  308  AnyDesk.exe  31  (4 identical entries)
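The three registry signatures above name keys under a sandbox-specific user SID and under ControlSet001, neither of which will match on another host as written. This added example, not from the report and not AnyDesk's code, rewrites the reported key paths into SID-agnostic, CurrentControlSet form, groups them under the report's own signature names, and collapses the repeated rows into counts. The IoC rows are transcribed from the signatures above; the normalisation rules, the category table and the function names are this example's own assumptions.

```python
"""Turn the registry IoCs of a sandbox report into SID-agnostic hunting keys.

Added example, not part of the report or of AnyDesk. REPORT_IOCS is
transcribed from the report's Signatures section; the normalisation rules,
category names and function names are this example's own.
"""
import re
from collections import Counter, defaultdict

# (operation, key path) pairs exactly as the report lists them.
REPORT_IOCS = [
    ("Key value queried", r"\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Control Panel\International\Geo\Nation"),
    ("Key value queried", r"\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Control Panel\International\Geo\Nation"),
    ("Key opened", r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language"),
    ("Key opened", r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language"),
    ("Key opened", r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language"),
    ("Key opened", r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0"),
    ("Key value queried", r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString"),
]

# Signature name from the report -> key fragments that belong to it.
CATEGORIES = {
    "Checks computer location settings": (r"\Control Panel\International\Geo\Nation",),
    "System Language Discovery": (r"\Control\NLS\Language",),
    "Checks processor information in registry": (r"\HARDWARE\DESCRIPTION\System\CentralProcessor",),
}

_USER_SID = re.compile(r"^\\REGISTRY\\USER\\(S-1-5-21-(?:\d+-){3}\d+)(_Classes)?", re.IGNORECASE)
_MACHINE = re.compile(r"^\\REGISTRY\\MACHINE", re.IGNORECASE)
_CONTROLSET = re.compile(r"\\ControlSet\d{3}\\", re.IGNORECASE)


def normalize_key(path: str) -> str:
    """Rewrite a kernel-style registry path into a form a hunting rule can match.

    \\REGISTRY\\USER\\<SID>...  -> HKU\\<SID>...  (the sandbox user's SID means nothing elsewhere)
    \\REGISTRY\\MACHINE...      -> HKLM...
    ...\\ControlSetNNN\\...     -> ...\\CurrentControlSet\\...  (NNN varies per image and boot)
    """
    m = _USER_SID.match(path)
    if m:
        path = "HKU\\<SID>" + (m.group(2) or "") + path[m.end():]
    else:
        path = _MACHINE.sub("HKLM", path, count=1)
    return _CONTROLSET.sub(lambda _: "\\CurrentControlSet\\", path)


def categorize(norm_path: str) -> str:
    """Map a normalised key to the report signature it belongs to."""
    low = norm_path.lower()
    for name, needles in CATEGORIES.items():
        if any(n.lower() in low for n in needles):
            return name
    return "uncategorised"


def summarize(iocs) -> dict:
    """{signature name: Counter((operation, normalised key))}: identical rows
    collapse into a count, and SIDs and ControlSet numbers disappear."""
    out = defaultdict(Counter)
    for op, raw in iocs:
        norm = normalize_key(raw)
        out[categorize(norm)][(op, norm)] += 1
    return dict(out)


if __name__ == "__main__":
    for name, counter in summarize(REPORT_IOCS).items():
        print(name)
        for (op, key), n in counter.items():
            print(f"  {op}: {key} x{n}")
```

All three keys are also read by ordinary locale-aware software, and AnyDesk itself is a legitimate remote-access product, so the output is enrichment for a triage playbook rather than a standalone detection; pair it with process ancestry and the binary's signer before alerting on it.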
Processes

C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe"
  PID: 308
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe  (child of PID 308)
      Command line: "C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe" --local-service
      PID: 2244
      - Checks computer location settings
      - Loads dropped DLL
      - System Location Discovery: System Language Discovery

    C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe  (child of PID 308)
      Command line: "C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe" --local-control
      PID: 2788
      - Checks computer location settings
      - Loads dropped DLL
      - System Location Discovery: System Language Discovery
      - Checks processor information in registry
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage
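Every WriteProcessMemory row in the report has PID 308 as the writer and one of its two children (2244 with --local-service, 2788 with --local-control) as the target. That is what a parent launching its own helper processes looks like to a hooking sandbox, and it is worth establishing before reading the signature as injection. The following added example, not from the report and not AnyDesk's code, joins the write events to the process tree and labels each one. The process list and write pairs are transcribed from the report; the label names, and the explorer.exe process with PID 1234 used to show a genuinely cross-process write, are constructed for the example.

```python
"""Read WriteProcessMemory IoCs against the process tree before calling them injection.

Added example, not part of the report or of AnyDesk. PROCESSES and WRITES are
transcribed from the report; explorer.exe / PID 1234 in demo() are invented
here to show what a write with no spawn relationship looks like.
"""
from collections import Counter

# (pid, parent pid, command line) from the Processes section; the tree's
# depth markers put 2244 and 2788 under 308.
PROCESSES = [
    (308, None, r'"C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe"'),
    (2244, 308, r'"C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe" --local-service'),
    (2788, 308, r'"C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe" --local-control'),
]

# (writer pid, target pid) for each "PID x wrote to memory of y" row.
WRITES = [(308, 2244)] * 4 + [(308, 2788)] * 4

PARENT_TO_CHILD = "parent-to-child"
CROSS_PROCESS = "cross-process"


def classify_writes(processes, writes):
    """Label every write.

    parent-to-child: the writer is the target's direct parent. A hooking
        sandbox sees CreateProcess-style spawning as the parent writing the
        new child's process parameters into it, so this is the expected shape
        for a program that starts its own helpers.
    cross-process: any other pairing. With no spawn relationship there is no
        benign reason for one process to write into another, so treat it as
        possible injection.

    Caveat: the report carries no timestamps or addresses. A parent that
    creates a child suspended and then overwrites its image (hollowing) also
    appears as parent-to-child, so the label means "consistent with
    spawning", not "cleared".
    """
    parent_of = {pid: ppid for pid, ppid, _ in processes}
    cmd_of = {pid: cmd for pid, _, cmd in processes}
    rows = []
    for writer, target in writes:
        label = PARENT_TO_CHILD if parent_of.get(target) == writer else CROSS_PROCESS
        rows.append((writer, target, label,
                     cmd_of.get(writer, "<unknown>"), cmd_of.get(target, "<unknown>")))
    return rows


def summarize(rows):
    """Collapse the repeated rows the report prints into (writer, target, label) counts."""
    return Counter((w, t, label) for w, t, label, _, _ in rows)


def suspicious(rows):
    """Only the rows an analyst actually needs to open up."""
    return [r for r in rows if r[2] == CROSS_PROCESS]


def demo():
    """The report's own events, then a constructed write into a process the
    writer did not create (explorer.exe and PID 1234 are invented here)."""
    report_rows = classify_writes(PROCESSES, WRITES)
    injected = classify_writes(PROCESSES + [(1234, None, "explorer.exe")],
                               WRITES + [(2788, 1234)])
    return summarize(report_rows), suspicious(injected)


if __name__ == "__main__":
    counts, hits = demo()
    for (w, t, label), n in counts.items():
        print(f"{w} -> {t}: {label} x{n}")
    for w, t, _, wcmd, tcmd in hits:
        print(f"SUSPICIOUS {w} ({wcmd}) -> {t} ({tcmd})")
```

On the report's own data every row comes out parent-to-child and the suspicious list is empty; the constructed write from 2788 into PID 1234 is the only row that survives, which is the shape a real injection finding would take in this report.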
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 5KB
  MD5: ae42fb328a3b180bf4171484881e1f28
  SHA1: 1ee38799cfe4a59c2989d818db9e2b14c55aa17e
  SHA256: 19c48bca3297e7ebf441433e41ebd667eba365e94a3c18ba4a71014bdad1a796
  SHA512: 61a9360742f547874ef215d3260b2b2321560bcf91e8e21c84da771614c647f66a0f20bb7cb3675b90185bdb74f3e8b78add78a661957d580a8a5dc851a0c0e0

- Filesize: 2KB
  MD5: b4b9372932501861da0d0c7d13404ed9
  SHA1: bdaf23ce320bdbc627118ecbc53722926dbede08
  SHA256: 6f1dcdc05e34271e9ea8a8d5702d804b6d8ac7c1987c07e05102681d7daa3f30
  SHA512: 7d799ddf26179feee32794c5d015bb0b6c82b0f7696e464abe7f8bd2f33a6dd6b4e1fdf5a2192d4d441f1091670fb0b80289b6e423da45ef3c7a2fe748b8a8e5

- Filesize: 2KB
  MD5: e6821052c83ede664aefa24780503954
  SHA1: 711df9cda382a63f104319215811cd62c7f3df7d
  SHA256: efb913372b6ab19992f6d596896bba688f7c41cec2fa3f8d5e01edf0bbb0b51e
  SHA512: bb930fc939971e32fa42f69af8a370b22967bc17d30573c52545a8b0fac252fa5ef9d08578f57b5428975ec7671a9f480781860853819f041de10e7deb72a382

- Filesize: 745B
  MD5: 95d23efe1304e90042fd5e417687c36b
  SHA1: 4b1d58b2707c9324f1f1e2cc7cf897447a7a9f3c
  SHA256: d6b25365e0484acf44b445014342344298a789e0e5ef0e2f26ed27aee71b4837
  SHA512: 15f4d0180b3b78fce9c1e17a99e76d3138d58662ece6079f67543c80a400fbbfde2f9c4b34cfedb20ab7cb84bf2d8bd88aa99dcd5a101a648fb5d965e1138f33

- Filesize: 766B
  MD5: d06d59cfbbfac8479aec097f51cd5e43
  SHA1: f0a04660061e08c389d5f80250ffb9be6b9402d8
  SHA256: 5b78ac3c8526bd604c7dc3a2d7ece82136633801d3a731726933e23483f68635
  SHA512: 4360e6938f3dccbb444e8b1fa8f1e4fa57dc07f003bd1bc7d526c3750d7648abd3048f77ce9d29a42ed23a942a78e26003af8d206e77cbe63dde22f5751a4934

- Filesize: 775B
  MD5: 04128c01f8dd1a7345728d0b9ae18277
  SHA1: a00aabbca178af752d2e32d3d86bee59fb82c483
  SHA256: 739595c91d1d3b6b2c26cb0feac273c138f199616b1524491b3c8ec18b659cf7
  SHA512: 22d90f95c91d126a0d7d5c2423a2dc7eb4ea4373eb95f4dd6ea51bd4857effb3ec0372ac5835e6a7c7d9f1e2a1ba4579c6762b95205a082a93c9be7952e719dd

- Filesize: 832B
  MD5: d958f005534d27d0c6ffd9056e7d0104
  SHA1: eedf6eba7f7c34e1ec54d25087c74377b2574f0a
  SHA256: 1a4e0e385bbe37a12c9ba358ccd02f903a6ef844ee6016e0c4f742428648d733
  SHA512: 8382e43fed6ca4d57a210b0b40fe51c4e9ba4dde288886e8a578c706dde33799097b72050a6856add20de68080888d78a24d55eafbd2c092fff6ed61e75c3dfa

- Filesize: 312B
  MD5: 0c04ad1083dc5c7c45e3ee2cd344ae38
  SHA1: f1cf190f8ca93000e56d49732e9e827e2554c46f
  SHA256: 6452273c017db7cbe0ffc5b109bbf3f8d3282fb91bfa3c5eabc4fb8f1fc98cb0
  SHA512: 6c414b39bbc1f1f08446c6c6da6f6e1ceb9303bbf183ae279c872d91641ea8d67ec5e5c4e0824da3837eca73ec29fe70e92b72c09458c8ce50fa6f08791d1492

- Filesize: 468B
  MD5: 2ecff68d6ad8a00b0cb4c62ebc54b760
  SHA1: 0cbc6af5e156d5b1f24d2433d58e0743c719ad05
  SHA256: 851dc87f6e057aa4f4d7d5ccf263c51fc965484af270dceae9ade21b1711c6c2
  SHA512: b0a5e52627c0eac4aa57456ca8efdcb97dff6ac0623c02237d899c41e659bf540921a1cdb00ee49fcb6d96ad7017bd5c80ad6692f834d3a1c928095bd40a7854

- Filesize: 468B
  MD5: 760e6eb557598257abc04d43040af967
  SHA1: 1b544f59aac80aad34a42ec5a25191a3041ac6f7
  SHA256: 24bc41735f55b35d19d399a4d41a098ef12731e90c4101f6ddc4254da1d324fb
  SHA512: 0272d86ee2473cf7f1fd199bc07b5560559328ed741ce64d86dde98a9707f8836fa0dc9d73adc9ffdcc86f90317c521684853b452bafba5c717878777007580b

- Filesize: 2KB
  MD5: 92260011678167060e37fc904277e52d
  SHA1: 54e6f7e0d7321f5f0477ea5e782d83f24aeb5f65
  SHA256: 8f52a6ca53c2155be2a667a32e6a38581c0dc6a84feab33e5153bd299128ce22
  SHA512: 57096397877721851d582b496b963cf6dbbf676972c4d749c6d1fb565ae4d3a10e9e7c6106cc7607e9917048397fd1bb397aff05badab6cf22835b7efd9e0989

- Filesize: 2KB
  MD5: 5556490185b5833bf77f9a442b9fd9c0
  SHA1: 6d95d1c9ad3b6b240c5f009abce3f325f4c430d1
  SHA256: dd039ee9ab8dd5224604f82aae0e4c3d034692f5b2f756c580ec71076b1b0aee
  SHA512: 5ab971e89c0c35d5e4dc63d1442ec52552c923e3165b91f944ebc789df1b46535e8da32b1a1df8726876f759abd06034bae23274a53b5b3ed77722e8da412e21

- Filesize: 2KB
  MD5: 7dda84de57d2c48ce24af75f01cd1f1a
  SHA1: b4725d76abfd6fe68fe0284dec7803d7dee72597
  SHA256: 22a92966d60e38579c4da6c04384ff6a42d0c53a487f145922e0105dce17bf5a
  SHA512: e27526d11b3177af6c4bcf310a8c77c0b2afd9b982b594322d2fd396e2b8146a4d8f9d5dd549f36c391c6a80b2c41e58b0e844c29574cc19e01f6e0525011ddd

- Filesize: 2KB
  MD5: 54ba4442acc65dd960af4216e3931bc4
  SHA1: 62393bb22e6ba6942fe17025ae8db4d2f8a63680
  SHA256: b131127420e1289c38aaea77159164025524f45bffa16d7fc67f21de1f950511
  SHA512: e442a572d594a249a5bc2e48e41d39ba052a1e46cfb63bfb353d2493139297ce05c769be80290040dfbb987626a0e34fe46aa09a6a6eb889e371ac713dd8d434

- Filesize: 1KB
  MD5: 7e00b2a9b8013465aae15a9fd8ae92eb
  SHA1: 221749db8af2697aedf4c0e83cc5ee6fb83a5233
  SHA256: 78073695a1996e2e1f2482aedcb0ab0bcd28bbe22a774ecff4cc741d4a94e4c2
  SHA512: bef34923ab6871369668ae5104cc3e9f01a03e20af3699f940fa69088ee2ca847c45311070f065a4cb66bce291de3bc7de34447a8692f1c7c59ccd65acb65906

- Filesize: 2KB
  MD5: cf00c005e309493410e129d5471c44dd
  SHA1: 8a63991387a93390cbf3ec693673e1192483b13e
  SHA256: 4bae73e8d074c6a59a9200de19c6f6f97b7e6e8f1d944ac157b207108e8d962a
  SHA512: 4eaace2532ef9f51bf40d76be5cf0d7d026c0182e15e19577cd5a203441a4849a9df7bc08330995f4de820957d5bade1d7189e83584c0f5d141bad03adb1d2a5

- Filesize: 2KB
  MD5: 2f13658ee89d1d00fd9e1fc7f7aa6cac
  SHA1: 8bf1ddcf409f377c162af5eb07f40f73f5b4eae7
  SHA256: 0cd37c7cee8e25a43d3d7710d0dc7c5ae71af2f7cd7ba42b4ac904f6e4bd2b84
  SHA512: 0cbbb15c0bcb92123743ef43648494c1c7851f6439700c92fccf5f7bde928e505568c2b31a9391e0711d7cfe4c9a10ac602be6ae3552c28e813fa2ee52ee42c4

- Filesize: 6KB
  MD5: c09c06faa5ae09832ce3469a0da69729
  SHA1: 40bbed3d01e951e46743d58a7e78d410b6d7d660
  SHA256: 59e41c980aaf279a188b2959ed5c7378d82dda95164ce51ecddb9d28bc0e7238
  SHA512: 9734c08ee8ac232382d118a9fcd6b00c19bf2db5cac32ca8b7c4ca28b20dcbd2356e72cd6e55b3709d348345784ef90fce1e5ccbcb254fdf4620b47ad261efee

- Filesize: 5KB
  MD5: 13a5d9d904e9c19a10ecf6b3ac02e043
  SHA1: f439fc132a1a9bfc3cda4cbcdb768c774d2d2714
  SHA256: 84a10990e520816bf2a1c9c8e3664f95cef6cd22e6c0e8e8142b68edceb93f9f
  SHA512: 14a9c9e3064893132c7d86d032e2801783e8b3cbfb9c75ef864bc005330bb3150247ecca7b6509cec9a613399b3ad1f853cac5c9e4144c7c9b3b11d6b3b43acb

- Filesize: 5KB
  MD5: 0784d181dcc9582802a61a69ddbb62fb
  SHA1: 2a02f7f2f8523e21d74bac5f23813c2fcfc3a34b
  SHA256: ebdd0baf52e7360882c18d54ee3903bd74c7ece9af93f275c51ed78f1b2dcc58
  SHA512: 4d7faf95922b84d4781d34b33927c0ede3a46029d117622a05a4198e44294f64ca2d2efee43543e151291373639b065af3ff3ae8ac8f4c7257369d90dd7b214f

- Filesize: 1KB
  MD5: 2ceb8112f1c60573823296718554abf8
  SHA1: a912e696e2ba188dd17edc2cac4cfc9eab8b21f3
  SHA256: 4414f05273d1fece34db02803cc1043362c8723b2b8b26e1e5b67158fea15758
  SHA512: 2865e979b13c5cb2e88e75b904077ef31bc4434d1e8245e52f46788fec8da5fdfe7316aafc884d90d7e10950fd6edf8854509758553aa406ef1edfc8cee80271

- Filesize: 1KB
  MD5: 4041b01c8272d934b1a51a7c0b1010c1
  SHA1: 89a7ba04cdda2dbe971e88f308d28bec6de94558
  SHA256: b6f1dd9157601a1f4422f2697903084d49a7356246d93c1523cc040cc1d72ea8
  SHA512: 46f1a8fa26db0cdfc8ef258656f2fc85d4d828fa8fa9d5e6d9ea6ed0ac2a2ba08d103bb08438ed2cbe4a32532a903981dd97004264bd7cd07fd0310c86ead7f3

- Filesize: 1KB
  MD5: 98d678dad398979f795f1fc42a716448
  SHA1: 60b3615d2241094c9f1984dc5568e717b2f262c2
  SHA256: 5a303aed231bb43f67b862b172e2fccea6480ee4b7ee7f39abd57ccc0604a79a
  SHA512: 0448077101b62a169c51ae674b28346931e167cd69d286f0ad6fc076540d8a88fec04b76c78ff8f572c54deb3d336ae2afac3b25b5b250faf409989e2e8701ab

- Filesize: 385KB
  MD5: 1ce7d5a1566c8c449d0f6772a8c27900
  SHA1: 60854185f6338e1bfc7497fd41aa44c5c00d8f85
  SHA256: 73170761d6776c0debacfbbc61b6988cb8270a20174bf5c049768a264bb8ffaf
  SHA512: 7e3411be8614170ae91db1626c452997dc6db663d79130872a124af982ee1d457cefba00abd7f5269adce3052403be31238aecc3934c7379d224cb792d519753