fff4b96876b0c78da96e57cf7ca1b0e0cbee4fde52047a9bde52e25b062d69ca

Analysis

max time kernel
7s
max time network
8s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
19-12-2024 04:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

AnyDesk.exe
Size

5.3MB
MD5

0a269c555e15783351e02629502bf141
SHA1

8fefa361e9b5bce4af0090093f51bcd02892b25d
SHA256

fff4b96876b0c78da96e57cf7ca1b0e0cbee4fde52047a9bde52e25b062d69ca
SHA512

b1784109f01d004f2f618e91695fc4ab9e64989cdedc39941cb1a4e7fed9032e096190269f3baefa590cc98552af5824d0f447a03213e4ae07cf55214758725a
SSDEEP

98304:Uc9HTcGO0ImBimas54Ub5ixTStxZi/l9K0+zLVasSe4JnzMpm+Gq:UcpYGO0IOqs57bUwxG9CVaskJIYE

Score

5^/10

discovery

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Control Panel\International\Geo\Nation	AnyDesk.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Control Panel\International\Geo\Nation	AnyDesk.exe

Loads dropped DLL 2 IoCs

pid	Process
2256	AnyDesk.exe
1692	AnyDesk.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AnyDesk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AnyDesk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AnyDesk.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AnyDesk.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	AnyDesk.exe

Suspicious use of FindShellTrayWindow 5 IoCs

pid	Process
2256	AnyDesk.exe
2256	AnyDesk.exe
2256	AnyDesk.exe
2256	AnyDesk.exe
2256	AnyDesk.exe

Suspicious use of SendNotifyMessage 5 IoCs

pid	Process
2256	AnyDesk.exe
2256	AnyDesk.exe
2256	AnyDesk.exe
2256	AnyDesk.exe
2256	AnyDesk.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1320 wrote to memory of 1692	1320	AnyDesk.exe	31
PID 1320 wrote to memory of 1692	1320	AnyDesk.exe	31
PID 1320 wrote to memory of 1692	1320	AnyDesk.exe	31
PID 1320 wrote to memory of 1692	1320	AnyDesk.exe	31
PID 1320 wrote to memory of 2256	1320	AnyDesk.exe	32
PID 1320 wrote to memory of 2256	1320	AnyDesk.exe	32
PID 1320 wrote to memory of 2256	1320	AnyDesk.exe	32
PID 1320 wrote to memory of 2256	1320	AnyDesk.exe	32

C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
"C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1320
- C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
  "C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe" --local-service
  2⤵
  - Checks computer location settings
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:1692
- C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
  "C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe" --local-control
  2⤵
  - Checks computer location settings
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:2256

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace

Filesize
5KB

MD5
7e1203215f75f8e3a68848a89b525180

SHA1
49ce4da8c97f5c560cd3b4634438d16f27d52604

SHA256
2ff66988f45ae41633c0013aff60cfe6584896e396b984e891b4c65ee4276896

SHA512
8ec2b1c93795cdbf9d19d7400d72bf5c7c8cb420a44a8db9462bf3cf8231c3171f045eeb8c32b4662f036af5745a8c088e54c42e19a23fadd86b2bf1ff505584

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace

Filesize
6KB

MD5
da14d57563f7b1268797901f3206e916

SHA1
c7d6c8053f5b28fc6d01ee5fb31ffc1ffab0b333

SHA256
c46bb28db7000c62fa448cc1e1ea81ea0901e8c48ac5f4682004c8aca083a4d9

SHA512
911858c0a6e9c5837a102ec7466c8e59c2c11a3569082199859c3e7575e8d97e31c6a19f774230ce6a129b77e3edd88eb30e62a74b9f76a804188200bce71429

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\service.conf

Filesize
2KB

MD5
10ab8d1718613be00b2e463475619b6b

SHA1
52e2a453cbd106b05f9bd24d07090772507ea3e7

SHA256
ec3921c7ca6df5a2fbc64f4b9e1fcdda8c49a1ae0996b19a2b9650f905a46282

SHA512
0396a15e3efebce6c85198a9258853a079b6599d9681dc5aadf4b082b9faafb7ff003a5df0be1951102fdd0fab1202d9e0f70e420dc97a707aa75b3e9e2d361a

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\service.conf

Filesize
2KB

MD5
c3eabc711113dd1b915524acac0fdaa9

SHA1
55130efdbcf91c4b71228a3b1c1b4738d7f20aad

SHA256
9db75a85d57c570e886c4298036c26dda6f10b10d6abe1531188de0a21f3e71d

SHA512
81dfe374595b45f9c4a80c5814f19ec3b638006c7362a95f6a7c7349a30c09a872db8571906b4e392445f9fbd3f2dbeeee7ba752f535c8cc6da0077aa27f9f68

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
744B

MD5
1b8bb11de4f9e1c08704bf9b81f88ab9

SHA1
15af28e3004d92f5149d66d1f116b63def3dce2a

SHA256
43722cfe04712b5bf6773e50503da2a17fa5d70e4550459d2e7a9789e30cf334

SHA512
7665d965fb44568aa150f5a47154a9ce0fcfb482008af325a6df6e4df91928c1d412e6f5c6de515263fef1f1c3755ca3fc8e50109e6d4d8065c829e261b38ddc

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
765B

MD5
d041d63ceaa897ef3f887a7b990637f1

SHA1
cf5c0d202ec66c16ebab493810a6dba1b84f8543

SHA256
789bd5a01dd71611dbf07d43184a9653a29605319bf04e55ddc6397c41edb9d0

SHA512
36c8307ef6fe3f7ce30ebdc0e5716c9ce50ffdc08913225f0383988ae3588108608d0954bb07c35b3f393f7592f50350fc2e42b4ca9293a033911c46066493e7

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
822B

MD5
05063f0aac3ef609d5179e39e13fe0ee

SHA1
015ad0977e8d461e33a653deddda63ea228bc008

SHA256
2ef99a51ca6ebb4fb55c8bff745faaf35252084d8c98585a6091d3c06936d937

SHA512
ffea240cad935727368dd7fcf926c5aebd42bc863e322bd3a54e67587e3b0cdb27473cf7c47d431e3ccb9b5752a42145129cf815dbaed034241d969046ae2682

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
831B

MD5
19cedbfce34549fbb99e9656a2e9fa14

SHA1
75576a736ddcda18ce20fa7afa425ed60782e542

SHA256
e452e6006139a41fb569ca0ccb90080cb9cd875f78ef936f6d7699c9e49a6452

SHA512
94c8cfbe37a36d5412d02cfcdcae8c4e45ca26be969a571db38c83b0e0c09e029a75725e644bbe13109a1c4e11e76223d6238a93f33f0ddcf77cf132dc2c0a27

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
312B

MD5
0c04ad1083dc5c7c45e3ee2cd344ae38

SHA1
f1cf190f8ca93000e56d49732e9e827e2554c46f

SHA256
6452273c017db7cbe0ffc5b109bbf3f8d3282fb91bfa3c5eabc4fb8f1fc98cb0

SHA512
6c414b39bbc1f1f08446c6c6da6f6e1ceb9303bbf183ae279c872d91641ea8d67ec5e5c4e0824da3837eca73ec29fe70e92b72c09458c8ce50fa6f08791d1492

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
468B

MD5
337a52c24eb60b4b9cf63993d883ffbb

SHA1
03a174c3c37b1633c45d047a580ca1c836681778

SHA256
a94d886f0f20b4857e5ae9d71e0eaad0b21d74e257b26e168daa3e93afdd374c

SHA512
ad1f2d4c27132b9cef9f2fc4d6b65f8da032eb2ca4fc41d3c96361324e74e831cdc3d4cdf296d5a69f89bca70590ffb830b5ef261d00692053e19b4b66d5b344

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
468B

MD5
09f54e6d958969dd28c90c0b210e44dd

SHA1
1a3d5ee510c6b61e6f8de45e8ee24616fcf1caaa

SHA256
ef8ffe93f4b855abcab059a742dcaa79f3c813770186cca1e9647f582e4766d4

SHA512
8a1b46322117b4c8a42f384b9387dc2df11dd1b523cae45e94d1b3f58747375dbdd12dddce7722a62cc65fcb89784545d679f1d4ae80e2f0c24535ae6e848e5c

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
9253cf2b7ecfd0b2618c424290a85404

SHA1
226dd431d33fe9a213bf1e35b49a3b558f792cb1

SHA256
ad1e9e73f99c195f29800dcb670c8e8e3c99e5a43c4bf4e19e6e040997bc054a

SHA512
b2230587f74116f5abc93da21aeabac435dfdb3b63cafc3eb75e9452bb1692089551c190caa70bf4bf9b2a4ce68f197aedd7d4e4744ef3ef23c892379276ae39

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
90eb2fba13ebdcdd0f11a7f859473c51

SHA1
8053a5ba04244887843c0f9ba2e0899ba5358544

SHA256
c38d164398f25598774c2cca3e9293c55cde4cba1fc9e73739747b9df0b22302

SHA512
d42c0b3757f049f834fb895db30f42ce8823cabb9b1a7fcbc80fbaf847753e7ccda9cb6b56a09d6f576882d7e6b2a1e7748ca9a327a7ce162202e29067c9a497

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
2KB

MD5
1f6dd181e916a792b9f4fdcf01cfde60

SHA1
f6cc49e261a0db46bba817abb6e0d0543cfca1c2

SHA256
c5080d4446cbb9eb54d7f8104721c90ac7991b952000d07ca91132aada5c9cbf

SHA512
1d879149354e875590132fc0f6a730eba9afead357a7df20664a22522de5c6b603f86c2beac83e15bd5542bf10e819cba76daeb0e6536c785cbd6f4a2b0cc6c6

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
2KB

MD5
92667509833ded528709a9da2aca5ec3

SHA1
44f44fed9d1db447e03b20647da154b7623893e0

SHA256
2363b6341288a53ff757c3f35d111c0f9d97f06e9f848851e546858299c4a333

SHA512
7a40a8c6eb98cb0714248e8b4c74971b26e20b20ad94b13e8fbe111df90e146ea903b1faea898164ddd1f6cb02b093570aee7365a5dd90a07be1dde16355335f

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
6KB

MD5
36eec5b098960fc16241f9ffe6e2b5e3

SHA1
3da9e4e0c8ae83c1add0e577370b1a08c93d01cf

SHA256
909407ff7d641ef4c67b33f019db89062f4d94d34a5d90b250a8c8e70b06f015

SHA512
d1d78afc43e7217960f952c05a7a69cf1fae259595ecbbd0410d6de8c5791137710798ce38bd7fa293ecabc4f957007b6b5e1479974c2ce671d49ccc5b11ae4f

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
5KB

MD5
758affce5b2f69d6fa0831751668f71f

SHA1
da12817e5e5eae39e509e879de8bf1b3400cc99c

SHA256
fed285615869ee00a6f0b68eb889117f62f5b64f794a01f0a1958b86af508f0e

SHA512
28b2c1371c149c09a4c47143cc23eb233ec8de4ba05564fae0c41ba9cb694d4de9972209447df356e05fa3ec2dfd83721b343b4c26fc03c30da95241e06e1151

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
5KB

MD5
a6e1b170721aece91f277303abe4e701

SHA1
6e1170c576ec41c026f91cd7d6fc65124d5f9abd

SHA256
0577d957666f7f0ca1bfa0e73f39463d1056e1c05ce5e159e6d425fb96cba96f

SHA512
077387aa631bd8e0aad2b0ab50125c748408cb6099cd21f12a3c9f85c6d295a6491f6a556f5469201f0838905ba5249d232c7dabbbe4990ca9aed1819bdb5840

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
5KB

MD5
dc9f538905269f625392b934ea88d148

SHA1
661ccce016060d5f38cc745055d93a302ff2cfed

SHA256
51453ebff905e285e1446838c8e726b4963bd3bd5140616b0d967b865c7ff220

SHA512
80818713ff1b67da16f6005c5b693721324cc0532de440ad8d0e7a2461154014546aadab27a24c765668f27699bcaeb0017877da746c91c49425462414aa8fff

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
cbc82c7b773a99964493528ef905301e

SHA1
c68648d71263d1601c9b68c87a95deb1d096c78c

SHA256
08c554560d081db1242148bcc8d30b825705f053082bd9726708025023017339

SHA512
0436e40a0dce8495a854c7f73a81cc867b72e879d1882734e5c4c00596bdc8d3dc2e0c129f024372975bf2e0eb98d461d92d9f60c0b06dfce94c408f2cfd77c1

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
6KB

MD5
da59d974c48244115450928c0c946996

SHA1
55d4c1cebdb31ec56deebe23de3529934d6534d6

SHA256
ea5f1ca884eca53b1b126d1476be985cb31c6cd7e4fee7dcde03b165979dc60c

SHA512
f78aaf1e1a1269d187ebe749ff9bc972270cbc07e83ca05030b49bcdca38917825ff22c07dfd9bc3deb6e77bfddc5502643c55c7f4ead09287790421df11dbf0

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
6KB

MD5
0c92313e7cec7a08b753d5445a9b0230

SHA1
96870980156354308ba98b7ac438e180ae897e13

SHA256
23c53262d9b5b1e7453fb99286c2f9b6363dfcc83e7c2b7a586b200b8eaaf919

SHA512
744ab06e55f9baca8787c1ecef9c19e2bbee1a6197529c5f826a66693d3df5c3c54d5c98dcad16eabedf6044c54555de69b2783fb7a9163436970a3eac889c51

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
6KB

MD5
00ecb4c23e765221c03aaf0ebf99c379

SHA1
9a5ccdef49708e3600864d39fee260889e5cd23b

SHA256
14d63b700048b979e06fc7396e26ff1e855aca4eeb4d272cf2b48e057e969a5d

SHA512
b99cb9d223289aae7b02374cf02a7a1ba3c81286670ea072097311f444a2bc73c4624bd7e26a649e2131c29b0368500be313d3f338b57e6b5c3da00eca90896e

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
1105007a6490015a4be923180b7ace4d

SHA1
fcc7341be704a36ac178f0a7860a4f832b8cd06e

SHA256
3809acbc02e7ace18d2f531733b1814353cf278cf3c74f058786b72db6442a37

SHA512
926feb1c645fbd9a281ca5b223601a9baf2f5ec99d03d7140183329b34fff4f7d7725f37c20a2290c4cab677694fd4f7529559425ee1f4e56c015371ef21ea7c

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
73e6572a2a919c7d90c9b02dbcd00219

SHA1
13b5fb1318e624dd9c0296dbde2abbddf358cae6

SHA256
c6891c3c1f0884ffa3e5f52dd5d0a07a59e07deee2f041d283b4c4f8cf0c4bc9

SHA512
7e619d153887a021da8102cee6b39738d7d6eb2d09de57cca4326efbe3ba18c46ed0879a2ecd18f8188c103d9a761f0480bcfde952fbdf696fc057cf56f98e09

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
4be233bf344a66ec9bbb5362365a544b

SHA1
4d195698c23178f1666453468e034e8942211b7e

SHA256
6c681f61f7cab2c37a2dba5e96b0c817f83483b15b8ddee1cc1b6e8b5630c93d

SHA512
8a50654a70882d64385455494bde716f5f157ba1c33bfbc90693ab80de23a14a526c16e180e9ed174508692ee7824d0a42fb7cd90d53f87e8a8a0751eb9d7d42

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
8db19bb800daf698bf822427946a2e82

SHA1
d7f5e194512e2bff5968becb5c7659fe9d731232

SHA256
568aeafd918065f5696f37c69bb2757b775ce0517c522dc0096e1ffdb7212b56

SHA512
38eaf8666c37ac918a5b76877616bdf73342df0e58481c4ce8a7ce27cdd339d270c4242829785cde6a44168cdc92e89e3cc6d94bcd8fa6d8cd8e361175c9866c

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
f0037debf759ccfbbd846779f555c27c

SHA1
c498897e14e0287149e7a9db6f3aa35efff088ff

SHA256
8510f0280a1ee6ee53aaf38fbd85f99adbdbc6d2913e1c1a424e162bf6fa66f0

SHA512
4c8fccf62e2c94b0166924f67a286ef8f399ce0d0d7bd58ac8fff4a9cc104152eee2e8d3353ec522f4285c3e89e20777d56a60bc7a1195823f5c90028aa6c0ae

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
7b3c48594c0c016f03e002bfb9be6e9c

SHA1
28b95c0d4638f3defc85ec63c30a200e4f97b40f

SHA256
289b7732eb562f94bb7730e86cb3ebcb05d759756de14e0206987c413021f2be

SHA512
2905cea82c5a2ae9dc89320f70c37d97df0f1c0c78c9b9f8b21aaf354fb49d39a3f4971282f5298c9f83e09eb19231252d3b640ca7a509a321872b1f729da811

Download Submit
memory/1320-1-0x0000000000B20000-0x0000000002162000-memory.dmp

Filesize
22.3MB

Download
memory/1320-2-0x0000000000B20000-0x0000000002162000-memory.dmp

Filesize
22.3MB

Download
memory/1320-4-0x0000000000B20000-0x0000000002162000-memory.dmp

Filesize
22.3MB

Download
memory/1692-13-0x0000000000B20000-0x0000000002162000-memory.dmp

Filesize
22.3MB

Download
memory/2256-10-0x0000000000B20000-0x0000000002162000-memory.dmp

Filesize
22.3MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads