fff4b96876b0c78da96e57cf7ca1b0e0cbee4fde52047a9bde52e25b062d69ca

Analysis

max time kernel
141s
max time network
146s
platform
windows7_x64
resource
win7-20241023-en
resource tags

arch:x64arch:x86image:win7-20241023-enlocale:en-usos:windows7-x64system
submitted
28-12-2024 00:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

AnyDesk.exe
Size

5.3MB
MD5

0a269c555e15783351e02629502bf141
SHA1

8fefa361e9b5bce4af0090093f51bcd02892b25d
SHA256

fff4b96876b0c78da96e57cf7ca1b0e0cbee4fde52047a9bde52e25b062d69ca
SHA512

b1784109f01d004f2f618e91695fc4ab9e64989cdedc39941cb1a4e7fed9032e096190269f3baefa590cc98552af5824d0f447a03213e4ae07cf55214758725a
SSDEEP

98304:Uc9HTcGO0ImBimas54Ub5ixTStxZi/l9K0+zLVasSe4JnzMpm+Gq:UcpYGO0IOqs57bUwxG9CVaskJIYE

Score

5^/10

discovery

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Control Panel\International\Geo\Nation	AnyDesk.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Control Panel\International\Geo\Nation	AnyDesk.exe

Loads dropped DLL 2 IoCs

pid	Process
3004	AnyDesk.exe
2924	AnyDesk.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AnyDesk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AnyDesk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AnyDesk.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	AnyDesk.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AnyDesk.exe

Suspicious use of FindShellTrayWindow 5 IoCs

pid	Process
3004	AnyDesk.exe
3004	AnyDesk.exe
3004	AnyDesk.exe
3004	AnyDesk.exe
3004	AnyDesk.exe

Suspicious use of SendNotifyMessage 5 IoCs

pid	Process
3004	AnyDesk.exe
3004	AnyDesk.exe
3004	AnyDesk.exe
3004	AnyDesk.exe
3004	AnyDesk.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2836 wrote to memory of 2924	2836	AnyDesk.exe	30
PID 2836 wrote to memory of 2924	2836	AnyDesk.exe	30
PID 2836 wrote to memory of 2924	2836	AnyDesk.exe	30
PID 2836 wrote to memory of 2924	2836	AnyDesk.exe	30
PID 2836 wrote to memory of 3004	2836	AnyDesk.exe	31
PID 2836 wrote to memory of 3004	2836	AnyDesk.exe	31
PID 2836 wrote to memory of 3004	2836	AnyDesk.exe	31
PID 2836 wrote to memory of 3004	2836	AnyDesk.exe	31

C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
"C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2836
- C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
  "C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe" --local-service
  2⤵
  - Checks computer location settings
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:2924
- C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
  "C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe" --local-control
  2⤵
  - Checks computer location settings
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:3004

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace

Filesize
5KB

MD5
57e7c67f8c3d6a087e58269ed412aa0e

SHA1
3269a5f782c01d3e0c26dc4ba5fa490b16fde18b

SHA256
70a77659b5ba210a34c27dc5d40b860012af768513751cdce8a7624e57d07069

SHA512
ab29a5eb7c65df1e0ef7a919cb179a5b74dd42fd1702c6bca37e8f2c7a0d6af8774820a2b594d95096c1892432419f76608be00ec9cd4a75b7433f3d18d293b7

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace

Filesize
9KB

MD5
d250b144d528eb2013b7928f5dc98d61

SHA1
683a2efd35c46dc346749590f035f17db00e886e

SHA256
f411c8f49c40a9f90031b91c15cbd9882eda2ec2f11998ac66b8c97db8e011d7

SHA512
2bca20e5d3d3c69414b75ba0de4693059f6b7576fecd995d1ea651bdebd88add973c570ea67bef7f35c7014f8a786f6a0ba750d44d4040dbd09bdad5031f6b55

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\service.conf

Filesize
2KB

MD5
32273b292c9bda5fb27a0d91a9a4f067

SHA1
3d98785b420abecc66d5c6c74309fdb8532b4085

SHA256
57251f6af250cc4d88727be1ddb683af25a9f4dc53601d2ee16f607a1a036b67

SHA512
f97669c343e5981ae1df4feff2a2f078f4f809c983bd981acbe7d48628e6a7bd97abae14bfebab44a80a58b3824f09cf9ac24ef0163907235b7c2275c8d954c7

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\service.conf

Filesize
2KB

MD5
fe730c051bb980521f2e07eb0b6fcc8e

SHA1
be0c6849253447030c78bac829d125aadc24e677

SHA256
d9ad49c7bb73183f319cc2eecfe6f217a636caee4f59e68ef81d2e1b028add3a

SHA512
4e1ea9976b69b9748fefca9c786a4f0aa43ca8f25cec7551c37a42951bff57c990e1a47c1f0d736987eeb206a443dc877380bd830cb5eecff93c3dc77c1a9f9c

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
766B

MD5
64145e97d14bebbb14c692ddd4c0371e

SHA1
ca9aaed7acf4c1322f782812c32ba8c6a5ef6471

SHA256
efb72e8b3400a1bc727c840d65ae5c6a7ff8250e04cc94b4ca5b46379cfccdc1

SHA512
60324e0b9998119323dc73452d3e1c3cc86424a34e497ceb5120b0634f887cbeea665ac30f775a704a6d4b9d2737031d5764bee0698f2e5fd34802e309328712

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
775B

MD5
7296fd36817579e5eb4de9db5d0389f3

SHA1
f26479922a1f69d604dd8fa25f226df9fb493d79

SHA256
1b0c54ae1e1ecf0812898381a726b34f289525c35be3afa96fdd2ba9ad8f8ba8

SHA512
254137d7fd88b0b35cac20beff857b0cc9411c61f62e075fadd33016ea497c590de437f7da3fa411f3a1cb7787f29613e5db7ef7eaa25cc57c88162041474252

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
832B

MD5
7fa3712834fa895e4449778d76c68f8d

SHA1
43b4bf3275f3347849200a8cdc6b3db3eae216ce

SHA256
69572f045f6d631b4f1e7ce95cce847a1a03b1551e987d5638c469039e32b570

SHA512
9db9098ed92f0ad27db4a6877d9452523a0bb33f806a6e09d508bd323ebc26b039aa823c6605c6430ea1e7bdaa42d96fb75934fa5d7712bcc45ad5460e007ec9

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
312B

MD5
0c04ad1083dc5c7c45e3ee2cd344ae38

SHA1
f1cf190f8ca93000e56d49732e9e827e2554c46f

SHA256
6452273c017db7cbe0ffc5b109bbf3f8d3282fb91bfa3c5eabc4fb8f1fc98cb0

SHA512
6c414b39bbc1f1f08446c6c6da6f6e1ceb9303bbf183ae279c872d91641ea8d67ec5e5c4e0824da3837eca73ec29fe70e92b72c09458c8ce50fa6f08791d1492

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
468B

MD5
8a98fa902519cc4eb16feba25cfc7dfb

SHA1
b0433afc0bc2308bedc63d9e9b0e193a5255e7a1

SHA256
cac6ec1c7c44bb04848597ad3d3d47562f31e27838a938dd7bb95f18d81e19a7

SHA512
6d75cec7f711c170199749ff792f44d3e9632dfd7c084892dfd6a7cc8cd1111de3cafd32ae39ef12940e22b67fb69e77439cb8b722299f93f37a3a3c6ad23d3a

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
468B

MD5
80c898724cca92a74f3202b583d10b0b

SHA1
910ad48af7856797e69ed7274fa0cab0a6c1d77e

SHA256
3f39d509c2ae3c1c9cdaa01d0af24dd6b3cdc3cc0b49b129a926dddb28563ecb

SHA512
7f834f91adcd93bfd2e6c583a02d874456caa2aae5d5c0b04bd71751c6b2d1a8d4d3fda327aad29c820239fcd96294887f40b4e0b6e769cce493051f06bc468b

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
16c7a1a513cb37b7b971b2804579d3d1

SHA1
63995ca2509e54f66002df369147f6de1a9e0817

SHA256
53f8d8a0ff1e75b8e2714c0688eb6242d8a76735ab6376dfd54781c17ff654e1

SHA512
125c2f46c71c78a0f198b60adfb1d194f758540c855313e8b515f0745ac0dad68306800803885fd2083ba05ab025a5aa32a2db30916d94a32a8a50c43ad5f1a2

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
2KB

MD5
f9e47067f6f7d10bd59ebf6f1058e53b

SHA1
c42a1c6ebee8aa6f16221bf7a3310c935acec155

SHA256
adadfdb0e1021559e87fc05de21742d1f96f9104e01e4a27b0df4a70d93d9ba0

SHA512
414c9167eac7b24a4793b6fdbfc1c7483f732988a6ec7ab6e6ff76015713286f3a59ffde1de1562ae3b5b2827ccbe6e5b42a6af423f2ef64b0af59acecfb74ca

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
2KB

MD5
5dfb0a04825f922af8da2883d718f179

SHA1
d17d14836646b919ad626875da0850ff747efc2d

SHA256
c28c4e0b186c2ceff73015c5a36b8e6a61be08a80edd34f55c24b5c61fe9c8d0

SHA512
a6c23676cd90cf113446e0c5770cc4c5a13a850ef19bf194bc50b35e90e71b33f0936059d097aa492756c3ecece30e7f8f52ce50945920b77355146f95f1e7b6

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
f06201a3095b92afa380008d9d0844a8

SHA1
f748f6ecae601b2958387ec07e252e7788853ac5

SHA256
ec641afe6b0833252041a459dff1349c390d1fc495bfa5d8e65913e264a438bf

SHA512
590130b69a876c643427a8c91e52899344c6f0de33f1aae30398919f69aa100e227e85019429b0292c94623f98aa155ac167ac716aa92c35f2545fe784de38c7

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
2KB

MD5
4e1e7d84cbdff193977de3f8d8457951

SHA1
da0df00c74103e590c71516efd1735148b4ce9ec

SHA256
785066d0ae29956963f405f03ca5b6a9417e337fd48ff0052773a331af4b1561

SHA512
3785714cf032fb415386dc0779eb0c1691d363090f005ed144797de1ca9601ff5d3445e29b190a1ae18e440a8f1ee32851611e23aa6bd7469a901bde67661b5b

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
2KB

MD5
b9ca431d626a3f8b024af877d8c6c205

SHA1
182cfa279f4d4171f239d852de7a1578cd9273f2

SHA256
5dd47dbdae0f9abbcb911605070470d5f9dee96c0afbb357056ab76756cc811c

SHA512
51ecd9343f8bf76f00b1db09c5e7d01af09b8922ee3e1ba8f47645c531de58e0820ae5262c2829fccf72d100530e1e6b47112b065866bb946ffc6670a6c51b6c

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
2KB

MD5
dcc397b4029a17be158b35f1be849b79

SHA1
7f3c4e7dc6df153ff335f912be8da6736848cf96

SHA256
bd9e82f1ddd6105900219888b8c0361db4ea1bb81060ecabc2c1d8ed98e82b34

SHA512
c10fded2680f4e056e434015f896f019761d8ccb6bfefb628a26688787717a4695f137f7a77db4eeaaf8513618566c8f289b2399c9148e728c87c3c056439e50

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
6KB

MD5
c38f99226ee869972b516e24749f9ab9

SHA1
bc12e64cdc1d7dc4777f15f9e1099295bc38c1aa

SHA256
b2779f93a3b7fb0090fffa6104add63486881c8ef229e53514d1d6dcbb381fcb

SHA512
c97de48b80566ee20b7dfeceddbf16b7d0b04d01d006e542060c49e5f797a699afe0c47172d84a09c561fc0c8ac28f52c9bcc4a9b40e758215c36befe7ce6368

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
5KB

MD5
0d81e65186dec1cb2dcb13d086b88a88

SHA1
3335b70dd3d437b26a3bc54e0c5ed653c120da0c

SHA256
b4c7447f22338c7e2927f7c60b31d0333c72ef5712c9329e6e65868f6345c443

SHA512
956961ee0d37345fb68994592c5ae2acccea0be630f92cb9723ff21e4f673b63cc9564bf26d3f3a8a43e3cfdfe58da8a16db970613af2b9d6e1ccd9504a39c7e

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
5KB

MD5
2f4c7c138badbac6a6f3981a437f0661

SHA1
624ca0d75f34e48b9eaf026fd581cc071a8bab58

SHA256
d7dc73b2a6c652c38d9a283a1ba83c13459ffa3fac6b71e4c7927037381dde20

SHA512
75b333b360ab087799e349d04ef1d11ad3713e4d2a0fdc2d4b999f33d0409e7de7984519135baa521a03085d7afa264f4086009f11dc1e26c00714f4f558c25d

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
5d16862c6fafd8b8492542930d6a36fa

SHA1
df58152fbd3c0faab03d38e7a6d39fabe8e1f3bb

SHA256
1d2f89ba4e6b96555f6308b97d1cab1ae0a636f5e719f90d7aabf710008c1525

SHA512
d16a6a398ce4cb30143abc4acac7be08cc33d48db842831bd8d8392e99a952f0ca8ddfc8314e27e94fc52c410f384a62f0c907a848cdf4a80d54c3d0b6ab8165

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
f9d856f1e2195f1d41d13ab0b0e381ca

SHA1
4290990af0bb8128d25728ce5c9729e31f746c7b

SHA256
4a14f561fa41855674250cf4c13bf4eaf1b34cae9f24fe7982f1aa21713bf594

SHA512
097f04a60a043b4843162b012bc91dd384fe9057f2306f521ccea862ab30aa27b5147b094b404919c1737b9032aee66466483c48dc420105cf7e4649d2bff3c2

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
b771adc81bd71739e043e4ac514e4220

SHA1
e0af8d63e2692034d91f2869525fd31f0bd9a439

SHA256
f4d4a6db5ae3078f24b5c5afdcdc4d20a64e0fc13a10c9aac47cfb1d1b614aab

SHA512
2804388d2003b60ea544aeb4b29130073af6aebe947d35f799a5a7f60107e0605f6f6af1fc99bbf05d8c0ef8ceca2fb55b055cc6a7e5bed8244672d48bf1af7c

Download Submit
memory/2836-201-0x0000000000980000-0x0000000001FC2000-memory.dmp

Filesize
22.3MB

Download
memory/2836-202-0x0000000000984000-0x0000000001A86000-memory.dmp

Filesize
17.0MB

Download
memory/2836-9-0x0000000000980000-0x0000000001FC2000-memory.dmp

Filesize
22.3MB

Download
memory/2836-0-0x0000000000980000-0x0000000001FC2000-memory.dmp

Filesize
22.3MB

Download
memory/2836-2-0x0000000000984000-0x0000000001A86000-memory.dmp

Filesize
17.0MB

Download
memory/2836-307-0x0000000000980000-0x0000000001FC2000-memory.dmp

Filesize
22.3MB

Download
memory/2924-203-0x0000000000980000-0x0000000001FC2000-memory.dmp

Filesize
22.3MB

Download
memory/2924-12-0x0000000000980000-0x0000000001FC2000-memory.dmp

Filesize
22.3MB

Download
memory/2924-308-0x0000000000980000-0x0000000001FC2000-memory.dmp

Filesize
22.3MB

Download
memory/3004-204-0x0000000000980000-0x0000000001FC2000-memory.dmp

Filesize
22.3MB

Download
memory/3004-10-0x0000000000980000-0x0000000001FC2000-memory.dmp

Filesize
22.3MB

Download
memory/3004-309-0x0000000000980000-0x0000000001FC2000-memory.dmp

Filesize
22.3MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads