fff4b96876b0c78da96e57cf7ca1b0e0cbee4fde52047a9bde52e25b062d69ca

Analysis

max time kernel
121s
max time network
120s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
29/12/2024, 19:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

AnyDesk.exe
Size

5.3MB
MD5

0a269c555e15783351e02629502bf141
SHA1

8fefa361e9b5bce4af0090093f51bcd02892b25d
SHA256

fff4b96876b0c78da96e57cf7ca1b0e0cbee4fde52047a9bde52e25b062d69ca
SHA512

b1784109f01d004f2f618e91695fc4ab9e64989cdedc39941cb1a4e7fed9032e096190269f3baefa590cc98552af5824d0f447a03213e4ae07cf55214758725a
SSDEEP

98304:Uc9HTcGO0ImBimas54Ub5ixTStxZi/l9K0+zLVasSe4JnzMpm+Gq:UcpYGO0IOqs57bUwxG9CVaskJIYE

Score

5^/10

discovery

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Control Panel\International\Geo\Nation	AnyDesk.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Control Panel\International\Geo\Nation	AnyDesk.exe

Loads dropped DLL 2 IoCs

pid	Process
2492	AnyDesk.exe
1800	AnyDesk.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AnyDesk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AnyDesk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AnyDesk.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AnyDesk.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	AnyDesk.exe

Suspicious use of FindShellTrayWindow 5 IoCs

pid	Process
2492	AnyDesk.exe
2492	AnyDesk.exe
2492	AnyDesk.exe
2492	AnyDesk.exe
2492	AnyDesk.exe

Suspicious use of SendNotifyMessage 5 IoCs

pid	Process
2492	AnyDesk.exe
2492	AnyDesk.exe
2492	AnyDesk.exe
2492	AnyDesk.exe
2492	AnyDesk.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1832 wrote to memory of 1800	1832	AnyDesk.exe	30
PID 1832 wrote to memory of 1800	1832	AnyDesk.exe	30
PID 1832 wrote to memory of 1800	1832	AnyDesk.exe	30
PID 1832 wrote to memory of 1800	1832	AnyDesk.exe	30
PID 1832 wrote to memory of 2492	1832	AnyDesk.exe	31
PID 1832 wrote to memory of 2492	1832	AnyDesk.exe	31
PID 1832 wrote to memory of 2492	1832	AnyDesk.exe	31
PID 1832 wrote to memory of 2492	1832	AnyDesk.exe	31

C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
"C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1832
- C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
  "C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe" --local-service
  2⤵
  - Checks computer location settings
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:1800
- C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
  "C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe" --local-control
  2⤵
  - Checks computer location settings
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:2492

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace

Filesize
5KB

MD5
9d025c1f534ac8819bcc5111b1b90e40

SHA1
724260beffdef12958c64f5684fd1df4dc7c2f73

SHA256
c752cc24bd813a52964b8867d7570d79b10869046e7e3229f95a5502fde1a5fc

SHA512
9a819e767b3645e18436eded06608781755dab7eaad378e2cadee24b8cafe62c541c0ad464d16dc170b723b47e6a8a51b5666484b3056cf59d1fe0c6db28aec7

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace

Filesize
6KB

MD5
bdc65be83f84edd722fc0a5a9d8eb98a

SHA1
68a217ff7fc6e9b405dea9460c48c293fd1e78e5

SHA256
a7e4395f94f8aca5f5becbd2967f19ef16fc0921fe61ac27b25c8ca3a8fce868

SHA512
b9e6060a564b839904c54a0896f66bd594edba0b1821ea548dae812cb83680b305d9de491fc7e5e463801ad4c99e503b9a2edb2a867d5f5d5ca7850f49793633

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\service.conf

Filesize
2KB

MD5
94994fd06dc0fa6408423ebdd8d1e462

SHA1
2ff5d4e18f0e711a69c3bb3c67efc01a7f9d10a1

SHA256
56caf2b184786fec232f63d26913f96c90e35fefed1c9d11c39805b01550e5f6

SHA512
dad70efb5e599bc7232e686e5fa0a490d89dfb90cbfabc382e02b1c7a797ae2d8407d147d5e46856ff3c83f69ea42a2d26c2edcac019635412cc03fe94db80bd

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\service.conf

Filesize
2KB

MD5
232762e4ee89b718fbd3a6ba05361b1f

SHA1
dcdcf491b52c661e6b31f160988d57c377fb2070

SHA256
52fdba55b7dee3106837eda47828a72f31fff6249baab2bc939d569f8eb107cb

SHA512
9ef57c185e6d15806cf04d3eca258d12a10dd734b3f66fb82234c77a91146eb14e4cbc7499633108ca21e47f6c85e1cf68927998075df50d63b63072358c902b

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
766B

MD5
9f675723ccb23fd2d7d17fab1eca86e5

SHA1
f14740bb7950ac5aac70f99b1dd11e51fa0795d0

SHA256
82b2a45d2ab87fa8d8d49669dca3ef02c386879f35d3c156021ff1b6509c30e9

SHA512
390695425677d873c8679bc6390ad60d5855982bc4214d00c5e12fa89acba9a7a073c31028b045b8b9efccd54e05f7972f6b82bfa1a378cbb908a9c0c2687732

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
832B

MD5
6c3331d710f28738a6137202560d5b06

SHA1
0eeec3b162654a9160795edafc54c4e007f8e68f

SHA256
e17a6e08fe51b642333961c57505d4c265d48bc3d19db359e9b74c1c19f6bd57

SHA512
d8af03dede9c155c305bd7f6297eecdf4d45413a450d280ca7e2c87d28aa4cc212a2bd14ec0ae2233300c1c627037ae044a7ec077564995ac32aa9b3b1915af3

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
312B

MD5
0c04ad1083dc5c7c45e3ee2cd344ae38

SHA1
f1cf190f8ca93000e56d49732e9e827e2554c46f

SHA256
6452273c017db7cbe0ffc5b109bbf3f8d3282fb91bfa3c5eabc4fb8f1fc98cb0

SHA512
6c414b39bbc1f1f08446c6c6da6f6e1ceb9303bbf183ae279c872d91641ea8d67ec5e5c4e0824da3837eca73ec29fe70e92b72c09458c8ce50fa6f08791d1492

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
468B

MD5
4a57e900ee701f10a65970a2a5a5c3c9

SHA1
0bd7fddb1d17a688d6f7b46a3ba0033a19011201

SHA256
993be9469a92e213c6eca220c73427cbb9f9051a1fa52d1c382c30a0ea31913a

SHA512
e73a229aea4d6c2c58e4576d5a6b3a8a4e7de1a153b394218acf7895cdb6f1a6d5587711e2349da73987abd0871b51fe2baf3c2980f8c7de41f61387443b0de6

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
a4ab9c86e338d44e3120d0aa3de78ef7

SHA1
0756c357b51bd777215cbc21f4f99d14dc66aaca

SHA256
72ea55781d8a99a2a0ed121b80c48d2c4ecedc0317c1537b67c76bbf3b5459db

SHA512
cfca6fa022213744661a0701d2ecb858b29567b19363450d80c7922639d594850538b4b3f4774dcbb36dd96a18ea2c4c7a84fdf0ce4d5b3c24b680ddf6f6005b

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
072130c5c3e64675e219452094a64594

SHA1
c73948ce6540acad0315a555c83e27d6d0b3abbc

SHA256
b71d6b0b00f436305be50404787b2a99d9d7293e26e448fd8d1e8f042e506778

SHA512
ec803c66e97af5e8f45a171acc8c4bdb10048e2da588cbca0e8d41af662f450a46a9e95ca6c9b22e8dbe89c709aed7c434e5fff394aef38075117aa6dd49710b

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
2KB

MD5
4fc985eb3c9154502ece515306070197

SHA1
ed1a435325fc8792f56fb973fcf0717bb02d3937

SHA256
10113583e90d5c8807b276d8ad2fa0cd27c87a6fc8c35e06aeeeb24af572c483

SHA512
37ce934b7d073fe2b20ba0a1cfed7a83b94f91df4a56290134bc8a468ad01ca5dee7d50a6d94f2a0cc6fdf62ae01610cd664d2a035ba2d5cfc1a560adcf985d2

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
2KB

MD5
c3c25cb6e89758a7167b434adceb9227

SHA1
aaaac51dfb1b5172412b079017dcf25ec6fba910

SHA256
0df5cb2778803f4cc9ef5ca9db52b01b37cedb09a687a4a0f5a2117268507212

SHA512
1e5bac4fa4b4cd070e141b8033edeafade85b656c814ca45c432fb6255a6b7f0379cd7295854ad47ebfcb881d56a314674000df39c5dd3ee820d5562dc246bfc

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
6KB

MD5
7528bb34e60f21beef2fcccaf44f1b13

SHA1
ff3e3798c0d1561eaf786f68b1b0a19c49ff767a

SHA256
bf59bb60caad877541e10dc85b7202c32c05546c7cc275c948b46694bafbb67a

SHA512
156400170f17b1e8c851a8261e0da7d16f46f11d47eccecf8fd10a222ad88898278013de03d650186962c95a8747a1ed1e0734dfc5d51d761f1cd9fa6e7f6954

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
6KB

MD5
7841c04596b39ba52b11f98764411f56

SHA1
6b00f66bddc60e80cbcf2bad3381825e76eb2008

SHA256
d23d31529b0288098c81320398c94fdd1239231b4c8d668a8673796ad896ad8b

SHA512
5eb86b459a0b4d0fe18dd4a54092d18bdf432af5e75e49f11edbd9a4d0f949978d28086b60b321d395796c846bfa912169d87518eb2c223f27f062e60c2c3dc5

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
6KB

MD5
80d71172c1632d5cf0e483c43995fbda

SHA1
e42558782e3c2143f0bb21d09aa43d92a59a3166

SHA256
fb714ce58918085d6e31ed4454bbe8a52519556de3d338a7c7ffa81a85c93288

SHA512
c578103fa7da1f707bb4dd8e274d0cad6616bd4252bd901057402c05a074fb4144b509a925925be907905b6e090cd395750a36f7330d42528471f8134dbd9dba

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
67e21e8cf6b939fab3d99b7d42670228

SHA1
bad17c8b163ff85ac25ae0afced563d36a811463

SHA256
8d055f0d93546ec3f639062021672fcce10ae92020cd15a189071ee0e1c958d4

SHA512
b2d42f1160c7a90dbad27cd4f40d3618a978534ce9f9bc36d67fc8e88ffb2ebdcfaaac2516dbe144a026582d7768b8e5196c8d3bb1379dadc2195f72f8e67c8b

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
a6cd1cf508461ae030537d8930a4cb3b

SHA1
ab0462231ec583d433a066927e9c8776f2c2a6cd

SHA256
05b995bb2f6eff8edd73f56dd4d296b2b36552d3ec06c74ed4d90c253de69932

SHA512
4f772c17fa423ad626a41618f6824d10acb3abbd7ee43166d760ff3f8f35ed3c9c26257837fb9d55991e6cbfb19659e1725c7ab36c8f9f592af21e9ccb9a8517

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
1a6ce2d4ce10a47553e88734344ac34d

SHA1
0c0311777f72950c217940932fb2e5ccc6a744d8

SHA256
11a5fcddb84b55f31d67e35f7dc1d8555868bf981eee68a27ce1ce0e4ce66120

SHA512
7614763c1da4343b4be851bc17ab6c4943ae3b5697b601c89eb52b86fe16a83f5d65596baa1ada626494be5930f1a0f8be35c8133b5afd8632f9c9bf64fd9478

Download Submit
memory/1800-102-0x0000000001320000-0x0000000002962000-memory.dmp

Filesize
22.3MB

Download
memory/1800-251-0x0000000001320000-0x0000000002962000-memory.dmp

Filesize
22.3MB

Download
memory/1800-21-0x0000000001320000-0x0000000002962000-memory.dmp

Filesize
22.3MB

Download
memory/1832-2-0x0000000001324000-0x0000000002426000-memory.dmp

Filesize
17.0MB

Download
memory/1832-7-0x0000000001320000-0x0000000002962000-memory.dmp

Filesize
22.3MB

Download
memory/1832-34-0x0000000001320000-0x0000000002962000-memory.dmp

Filesize
22.3MB

Download
memory/1832-0-0x0000000001320000-0x0000000002962000-memory.dmp

Filesize
22.3MB

Download
memory/1832-248-0x0000000001324000-0x0000000002426000-memory.dmp

Filesize
17.0MB

Download
memory/1832-249-0x0000000001320000-0x0000000002962000-memory.dmp

Filesize
22.3MB

Download
memory/2492-11-0x0000000001320000-0x0000000002962000-memory.dmp

Filesize
22.3MB

Download
memory/2492-103-0x0000000001320000-0x0000000002962000-memory.dmp

Filesize
22.3MB

Download
memory/2492-252-0x0000000001320000-0x0000000002962000-memory.dmp

Filesize
22.3MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads