fff4b96876b0c78da96e57cf7ca1b0e0cbee4fde52047a9bde52e25b062d69ca

Analysis

max time kernel
1791s
max time network
1803s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
23-12-2024 20:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

AnyDesk.exe
Size

5.3MB
MD5

0a269c555e15783351e02629502bf141
SHA1

8fefa361e9b5bce4af0090093f51bcd02892b25d
SHA256

fff4b96876b0c78da96e57cf7ca1b0e0cbee4fde52047a9bde52e25b062d69ca
SHA512

b1784109f01d004f2f618e91695fc4ab9e64989cdedc39941cb1a4e7fed9032e096190269f3baefa590cc98552af5824d0f447a03213e4ae07cf55214758725a
SSDEEP

98304:Uc9HTcGO0ImBimas54Ub5ixTStxZi/l9K0+zLVasSe4JnzMpm+Gq:UcpYGO0IOqs57bUwxG9CVaskJIYE

Score

5^/10

discovery

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Control Panel\International\Geo\Nation	AnyDesk.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Control Panel\International\Geo\Nation	AnyDesk.exe

Loads dropped DLL 2 IoCs

pid	Process
2244	AnyDesk.exe
2180	AnyDesk.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AnyDesk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AnyDesk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AnyDesk.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	AnyDesk.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AnyDesk.exe

Suspicious use of FindShellTrayWindow 5 IoCs

pid	Process
2244	AnyDesk.exe
2244	AnyDesk.exe
2244	AnyDesk.exe
2244	AnyDesk.exe
2244	AnyDesk.exe

Suspicious use of SendNotifyMessage 5 IoCs

pid	Process
2244	AnyDesk.exe
2244	AnyDesk.exe
2244	AnyDesk.exe
2244	AnyDesk.exe
2244	AnyDesk.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1732 wrote to memory of 2180	1732	AnyDesk.exe	30
PID 1732 wrote to memory of 2180	1732	AnyDesk.exe	30
PID 1732 wrote to memory of 2180	1732	AnyDesk.exe	30
PID 1732 wrote to memory of 2180	1732	AnyDesk.exe	30
PID 1732 wrote to memory of 2244	1732	AnyDesk.exe	31
PID 1732 wrote to memory of 2244	1732	AnyDesk.exe	31
PID 1732 wrote to memory of 2244	1732	AnyDesk.exe	31
PID 1732 wrote to memory of 2244	1732	AnyDesk.exe	31

C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
"C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1732
- C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
  "C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe" --local-service
  2⤵
  - Checks computer location settings
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:2180
- C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
  "C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe" --local-control
  2⤵
  - Checks computer location settings
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:2244

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace

Filesize
5KB

MD5
164b8770334560dabee020c86b2d95fc

SHA1
5ea3022de9b2fd514ba782cc95f8c8dd1aacabd6

SHA256
0ec4733e2f24a280b6a303725dccb06f671b4df812f49d969061bc0a3d48782f

SHA512
228df2ed659cba6ecaa112e5c05e65da31e28a827de62717a3a5f59de217be8c7709d136a751f6fbcbb1a18f98fcef4102602dc3d45308513030519c7b84f27d

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace

Filesize
9KB

MD5
f70c0e1dbd774616f9951267e205508b

SHA1
594eb411b0e1fa7057b87ac43bd853beed347e6b

SHA256
ff6843b46a0a49eaa761bc7533fe6e63b338b207b81496eb2c171d4240fbc452

SHA512
f58210329729f9e27e194588c24422e3b5ba134aaee67daf8f4dfbce9a97504344eae6d9d7604addd34c5443f6571d68dffd0a17cfbf261ddea9847f08df7184

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\service.conf

Filesize
2KB

MD5
eb639d7bb0d33bfd73af9b08027b0f24

SHA1
0ecaac33b57016cf83bfa32e1096982536a10601

SHA256
4f389a107872344ff125b72f5cf7d588c521716c384a0702c4b3dcc7b9e5aeac

SHA512
b97c1b18a7e08e4d49afbd816dc3e55432d5e7a891c2fdbfaa6d012d733af5eeed4af0f76fbde7c90b0529e61622f3b71975d64fe7d8d825b067213946b4cc95

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\service.conf

Filesize
2KB

MD5
a6d43df318fb7bc3d4698c4f12fc8e07

SHA1
c29aec7a5f2038a15ea512c85379cbf2e73cc188

SHA256
f96f8b83451b986c0a4c0c6ae5fdb4af319fab1c32a9a1d0ab17d453a8a632d5

SHA512
a77e239769d4832c6aa9dc314c5852d541e5155b0e93b043dd1409ea6856191e10dee33bf3bc8b5a465d544146c82fdbd80fcf028986604d72c08244a4a76c55

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
766B

MD5
bdc29a14dfbfa7d373e938edefb88925

SHA1
4b2c73fb146bd3f2f7f49e037ab7af028666b7b7

SHA256
dd10e58e95ad4a5249ae416db4f00834d22ba6bc7e245591128f5a882d1ceb48

SHA512
e66497b8e98ae91645cb38fd9b3a6794663265a138bc5e1edb6158cc749df772d5145a60fd0f524ead6f3758b3f9532a36d816c9087faa2c0fbc34c519f99ce5

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
766B

MD5
fc5e448776945782a1eaeaa4b42a8e77

SHA1
9b667da9e6ae3a8247bf03c9164f8d0ccd45fe64

SHA256
16a3983c5170ae2b56866d21029526e375430f1b270115b4412c30365ed2acfc

SHA512
77596656e9824369768aaecc32f06b1d97bbd34c5633ea6ce912340cc3987ef418c330d02e85e1eba8fefde278dd395d015918149ebf3b74e2b7a73b54310c8d

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
823B

MD5
6ac095dd4acaf7cfc22d315479236706

SHA1
a05e0ae03cb261037e5218687a694a8585df9a32

SHA256
1c209d426d490dc8472bfcffa3c40a96cedd38a6f0bb64e9b283724161a4565e

SHA512
097bb8bae49e900a527ddc4e32ec6c9031c9f15c9c279850ec6f4d1f42d725243255945e2960e04c6223eaf6bf39e063f469052d145de4f0fe8ddfa979d9e379

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
831B

MD5
3c74ac6a89aeb69527f8f19dfc43ecc4

SHA1
dab774a6f27f2162d57e755ba118c37e78c5ba0c

SHA256
f195485d24be2a51932dfd626565fb68ccf8026518b3afae5fcf8b25a0c3dbc2

SHA512
871a6c0665d1f90e24298c3550320d1cecab318be7d3441a655e73146cb7f4bf85cd214b6f5a90180603dd7d4eeb4b7dd9cc3a27b0ecdb6536d21509a596cc30

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
312B

MD5
0c04ad1083dc5c7c45e3ee2cd344ae38

SHA1
f1cf190f8ca93000e56d49732e9e827e2554c46f

SHA256
6452273c017db7cbe0ffc5b109bbf3f8d3282fb91bfa3c5eabc4fb8f1fc98cb0

SHA512
6c414b39bbc1f1f08446c6c6da6f6e1ceb9303bbf183ae279c872d91641ea8d67ec5e5c4e0824da3837eca73ec29fe70e92b72c09458c8ce50fa6f08791d1492

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
468B

MD5
3ba4181b008fc1f7021442171e922327

SHA1
055c39b87a83d62c721916f1f592b98d2e65b480

SHA256
c63d03debe165a63b3b07b058809263b52a97d0d3ef3b0b648bf410e1c33210e

SHA512
26b8e6b6c58d1d995ff802a0dbf9641158440b1ecff5081483d3e2e08a348224278f1ddce5bab2afc63dd5ddc7d89c52dfb4eb9101fd822506847f3e7640d2ad

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
b3198a0150e77e9f518cddab5a0c84b4

SHA1
ab8863cb3504bdfbda3d5571c434456520c71e8a

SHA256
8ac73675d654c81686b75e6c224ca5aea161b1f7de975d10062503917bc5373a

SHA512
7a871bfca22e80224260e70d431b2d83767baef844d7fbd77f08ab8524af983f75878279b993d3eaec4a96c06d927c6ebe6ea0849e3b70062724b55adcdd1a53

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
15ac993f906c5b43cd15dfd8c62d3c5f

SHA1
60a39b9278017f4a5162ca22a746ec35f674d36a

SHA256
deea5ccb22f765e6d92b54cf24a10b796013f057d0740d1b803c7d82ac5ad1f3

SHA512
bfc7ac944c6998f39a1013544065bce890492d731bb292db4019ab13a9e9180ba92b2b20a0acdb2e1523fb8d0a532a28c5d12958ac46e133bbb610d3500fdfb2

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
2KB

MD5
e862e8b224bfad9a58b2834612124dd4

SHA1
0d916d58f05275781864714e10c21e2c734cae2d

SHA256
55775d7774edd4307d896f0d42fb28f8d57d6c8e8420e9377b70ea1b23b45264

SHA512
b253dce1c2cc7ce9ce0a6333cb78d4bb585db060e49b56150d150e4fb44b80cf0cdbb97f7a9569dee1ae9ebf8b28bc18bf0094ab466c35aba7b76e5e11e51852

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
2KB

MD5
460e984c70df93277ec2c21e1d5109ed

SHA1
ba9b906ebd7b1b11710336eaae095446e0cb9c94

SHA256
2087598cf8b09ba3405c80673ba01d8b8bff971a39b3b96e6f46c1ff27dd2565

SHA512
4929a3b4b4c3ab3fe1f43231ec6a31dff381764252846fff99ba38bafd995cd72e0bfc02c6e4ab5e78e16f27b95f35d8b4a2b12d760add5df2301bbf84d3abc5

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
2KB

MD5
f64ca1dd2d07cbf437e3f2d447d70b47

SHA1
2d662e750277b218da74bdd444c96f869aab84bf

SHA256
193ef994b87ad70bdc1625fdfb95072f23d20982dad53fb13f274e4836519347

SHA512
e6dc78b7c83c0455bfdbd23aa67e6e63703b4c0eea3decc2ff84e7eaa49f73dce749c9840fb1774c844719da068ce4d700e845758348061e71fcc040588a4796

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
2KB

MD5
34387f8ec482fc75ea60af23c055ccd9

SHA1
1d3915af2f8c413d420735e7b2c821426f469b0b

SHA256
fee00d4b5f06018e68e71a6e934a51066f58624b659f251ffed9399ea6678ff7

SHA512
44f991cbd3f57fa348c0b1ccd69b010239e6f966491d685a37d7840aef0031fe55ee02c82b534700a14fb650d93e8d5519d4557c0c12fc57927e263412664cfd

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
6KB

MD5
05d7ef977e3b58f021f700ee6a360e54

SHA1
e15ba1a14badaa65c02208e33263cc4be0c84533

SHA256
134c68bff571164d3080e11b75f401e0e8e3e7e8886ec8553e69ba94f35242bf

SHA512
b072ab96f0c861dced3c35f36e31477029427af08b083cccd39f19e4fc5c1966e524770589f1e40d24ca49fa5ac81013d65ca79d5b07dedb6684d15a99bd00a0

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
6KB

MD5
bf4087aaea404b1a1f79d8df0bcb1e13

SHA1
caf5c3c6e4e176bb458701e287bc3e6e54566462

SHA256
4965e776481465ad5a4a8ef44a03f802368aaa110c2d6de00d4f61afd2502865

SHA512
e683fe5c2e8cf2b21d0cc99e568c98b653cb29fbaf009e86d5dda7f6c086aacd1f703ab1a79ade47d11986d6cea1fb4035659996d5d044399e5d0fe9bfb563fd

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
83076a3c926e38dcfdbfba36548a116a

SHA1
4fdb0421826fefcd5c9a525eaaa759d32e5db8fe

SHA256
d11e3b3d44c1a152a4372022277d86f42d2b5f1f7f3d0bd687adea063599adc5

SHA512
4a1f3493b19d194058133d17cc4c29467a0f71ba1a06df2eaa7028a0976258ce4eab0edc54a25dc58baf360de2f8ee0a0eb2c7052caa1312974439c51581269f

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
00488ec1e324940183377b59f7209c66

SHA1
78d89360627ee3186777b66f23ec6d64ca6184ac

SHA256
fdbf9d0c069bc70de3d7aad20dca5e38652b9d2d8aa699bcdf14a99be6c010be

SHA512
cc7e45b4f6524c038c6d273d26d94fcf2b74f1a220c7289b38ab0a86cbbc82446107ba6848eb8192479b28e74cc0a40c08bd41370d213413be5684ef8fe8c2f5

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
2eb5f5bc62fe6e6739b09e3e7ce30054

SHA1
43424a9585480f209b3034254d439deadbe72cfd

SHA256
ae0c9aa684335fe496f28b93445b22968a31efef708bb06f96c410c8a92a7d9d

SHA512
d9d18a2a49d0267e03fcf48d03d9af6f797add2a6050fbfc669d86fd102f4cf430329e7bd25f28170dabc51cfcf05ca457ead4944adfc55224c549d9879c02d6

Download Submit
memory/1732-0-0x0000000000130000-0x0000000001772000-memory.dmp

Filesize
22.3MB

Download
memory/1732-5-0x0000000000130000-0x0000000001772000-memory.dmp

Filesize
22.3MB

Download
memory/1732-2-0x0000000000134000-0x0000000001236000-memory.dmp

Filesize
17.0MB

Download
memory/1732-259-0x0000000000134000-0x0000000001236000-memory.dmp

Filesize
17.0MB

Download
memory/1732-263-0x0000000000130000-0x0000000001772000-memory.dmp

Filesize
22.3MB

Download
memory/2180-12-0x0000000000130000-0x0000000001772000-memory.dmp

Filesize
22.3MB

Download
memory/2180-261-0x0000000000130000-0x0000000001772000-memory.dmp

Filesize
22.3MB

Download
memory/2244-10-0x0000000000130000-0x0000000001772000-memory.dmp

Filesize
22.3MB

Download
memory/2244-262-0x0000000000130000-0x0000000001772000-memory.dmp

Filesize
22.3MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads