fff4b96876b0c78da96e57cf7ca1b0e0cbee4fde52047a9bde52e25b062d69ca

Analysis

max time kernel
141s
max time network
146s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
01-01-2025 03:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

AnyDesk (1).exe
Size

5.3MB
MD5

0a269c555e15783351e02629502bf141
SHA1

8fefa361e9b5bce4af0090093f51bcd02892b25d
SHA256

fff4b96876b0c78da96e57cf7ca1b0e0cbee4fde52047a9bde52e25b062d69ca
SHA512

b1784109f01d004f2f618e91695fc4ab9e64989cdedc39941cb1a4e7fed9032e096190269f3baefa590cc98552af5824d0f447a03213e4ae07cf55214758725a
SSDEEP

98304:Uc9HTcGO0ImBimas54Ub5ixTStxZi/l9K0+zLVasSe4JnzMpm+Gq:UcpYGO0IOqs57bUwxG9CVaskJIYE

Score

5^/10

discovery

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Control Panel\International\Geo\Nation	AnyDesk (1).exe
Key value queried	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Control Panel\International\Geo\Nation	AnyDesk (1).exe

Loads dropped DLL 2 IoCs

pid	Process
2312	AnyDesk (1).exe
2248	AnyDesk (1).exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AnyDesk (1).exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AnyDesk (1).exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AnyDesk (1).exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	AnyDesk (1).exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AnyDesk (1).exe

Suspicious use of FindShellTrayWindow 5 IoCs

pid	Process
2312	AnyDesk (1).exe
2312	AnyDesk (1).exe
2312	AnyDesk (1).exe
2312	AnyDesk (1).exe
2312	AnyDesk (1).exe

Suspicious use of SendNotifyMessage 5 IoCs

pid	Process
2312	AnyDesk (1).exe
2312	AnyDesk (1).exe
2312	AnyDesk (1).exe
2312	AnyDesk (1).exe
2312	AnyDesk (1).exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1704 wrote to memory of 2248	1704	AnyDesk (1).exe	30
PID 1704 wrote to memory of 2248	1704	AnyDesk (1).exe	30
PID 1704 wrote to memory of 2248	1704	AnyDesk (1).exe	30
PID 1704 wrote to memory of 2248	1704	AnyDesk (1).exe	30
PID 1704 wrote to memory of 2312	1704	AnyDesk (1).exe	31
PID 1704 wrote to memory of 2312	1704	AnyDesk (1).exe	31
PID 1704 wrote to memory of 2312	1704	AnyDesk (1).exe	31
PID 1704 wrote to memory of 2312	1704	AnyDesk (1).exe	31

C:\Users\Admin\AppData\Local\Temp\AnyDesk (1).exe
"C:\Users\Admin\AppData\Local\Temp\AnyDesk (1).exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1704
- C:\Users\Admin\AppData\Local\Temp\AnyDesk (1).exe
  "C:\Users\Admin\AppData\Local\Temp\AnyDesk (1).exe" --local-service
  2⤵
  - Checks computer location settings
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:2248
- C:\Users\Admin\AppData\Local\Temp\AnyDesk (1).exe
  "C:\Users\Admin\AppData\Local\Temp\AnyDesk (1).exe" --local-control
  2⤵
  - Checks computer location settings
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:2312

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace

Filesize
5KB

MD5
1db4967a0fefb7198d63252f2476eedf

SHA1
bbdcfbcca73f885a4bdae58590bd89b0fcaf1f3d

SHA256
ce8d79ad2e9c615a9b705f4453ee82877bc9f8f1cb55feb423e70e6deaadd14f

SHA512
314a0ab83af8df5fb9d0359347ad0a7fe7dbb66920122e5ed052a5806a7783718b8278008697f9c63a1ce6963e3c1674a03239a81d74de98d2461a4b0459a491

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\service.conf

Filesize
2KB

MD5
3064e53e7d788c280a7222e1c82f4c28

SHA1
9d7450f363f95987187c29d520ba866058c1f798

SHA256
44273ff342f9dd54e765a8a39fce30d3192da9ff79b5010711b8ca27aa13d65f

SHA512
918a83f9b85d6ffa3b0c0d2da5a88bbcdefca3e82a74e022d309dbffcb990394cb14f93ba65b7a5cfd1a8e06b76ca3da50216a6e371ec0d5783d81d83acc8c1b

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\service.conf

Filesize
2KB

MD5
b878f1a7e37377c534744d495678330d

SHA1
a6591bdfce45f6b2e38de49828fb308dda900853

SHA256
03914552199b44488fbbe7242194da1853c7658c8b02183e15c55a1d9cd06295

SHA512
e918ef013e68d812fd3a8d587c24eac0467b47adc4f7cccf5f46c0bb2cd0b48d47102d3a1cb64a1080141cca21400580869ee6fa8adc2d338c5f6f8a025c6dfd

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
745B

MD5
b0dfabd0493ab79d813fcd0c52ba8aa1

SHA1
4d52b0ec042ef5d281eee20cd2d7d70d8aa0b897

SHA256
cca8a73e491ab2a7a45a8abcbf41113a100c3d9e5803bd19b0d60fcaaa6a67fe

SHA512
55e30a167a16c078e4b505aa07237d4828294082966d8ee5faed3536bcc38451905a798a09d526eefcc969a96129d62e8e98b7445bcf85ec321bf266950b8087

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
766B

MD5
8bf7ad98048f59bfc12f57d1ae70ea12

SHA1
b32d715444af2374c8d4e62a28c64552b1d21251

SHA256
1cc659b3ebb7863e7a0fb4c719ae2e797f44d33f688bc6b74b05bbbec6bab939

SHA512
8df6461264dd6af163ddcdbf43d7c78823f3a6e16bafccac5c1530809b359a682a5426dc05407dfbe9646d1d885ee979f6afc86c68e789180f1d4f11c01a99d8

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
823B

MD5
0bd82c0db6dcc26382e88aba58ffe04c

SHA1
bf0ebc84b4582b7283db3339091b7279df721bdf

SHA256
b3b0db3cbe7523bb8018ed5c05b14441978234dc0f4ded4b23bc89f1819aa768

SHA512
e61d9eb17c57a00fe1299984f75202775cad4de13d59f3b7f040a97a02bf0315605aaecea60cbab8fb6d5d678ff5ac99515bf27bbc9d938a4dcd22f27cb1e639

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
832B

MD5
e4b423ad12b1795fca492030a8b7b8e2

SHA1
4a4b1e7f5e4cce81b4d3e1da88f017cfb0640752

SHA256
4c9b78edddf1922046547281dc8d55323eb4898ede917b118fb73ce983969367

SHA512
0080fe0ce0d2a33f9f27ee38d4abb47d226545f3bdc8b4402f57131a32d12512a653e264fec90ed157feb486c0d9c9c294678f96575c8e3ecc56f633b1854f4e

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
312B

MD5
0c04ad1083dc5c7c45e3ee2cd344ae38

SHA1
f1cf190f8ca93000e56d49732e9e827e2554c46f

SHA256
6452273c017db7cbe0ffc5b109bbf3f8d3282fb91bfa3c5eabc4fb8f1fc98cb0

SHA512
6c414b39bbc1f1f08446c6c6da6f6e1ceb9303bbf183ae279c872d91641ea8d67ec5e5c4e0824da3837eca73ec29fe70e92b72c09458c8ce50fa6f08791d1492

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
468B

MD5
c71e8b756e0e54cb58bb6b9e9ca483c3

SHA1
998452bb25bc4d2f2f73998064f6dc2464d04e2a

SHA256
2812cd518bce24d7b64ad9c7b99de736cde3c7288cc166a3c6aa58249059288b

SHA512
ac10ecec6d178bbcefba2819056dd395c3ee8f5871029c8733a0195741b3b046a7dc2dbf06ac6de7b2b6937e97ee62ddf47b75394748f08be7e4df81573f320a

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
969e6400b740025eeaf18d084cfed823

SHA1
56f1b0eebdf56e43ca40e0734ba9cc188b913a9f

SHA256
b692ea975d4b4c6f84c5bed8d895ba77eabd20dee6ad81edc480b29adfe1e7f1

SHA512
76c49790c9ce692596a5569f7b920325215f6bca944a24ec9534e9660fe7af49db4571c9dadf631bd41e64950274d3813d69dd7830bd3888da098eb3b6d6b2e0

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
2KB

MD5
5f07efa70d59c2d40fcc3f46fe7936b2

SHA1
2e4fa0575ce6d9730e1deeb9fdc3d982a6bd15b9

SHA256
cb8b6631450c133951d1a0c9642b7857fdd8c97d73d1c371e577344f8f90131d

SHA512
223063a68e799d060a4055598cc6031c07b2f5c3b849391609fb37259f99c9c679de59805eeaa17e54a0c55680f12d18cbe9579c35ee6c44a52fe262bc79ea0a

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
2KB

MD5
258671f72e57f1953e28944391a784df

SHA1
608c31c8d6412475c76540b63d81b6798b473f67

SHA256
caa68f25bf4c71b8c85bd7399682c2e6516fea990e976e8b5983db1b0796808f

SHA512
b128643201b15c9af3f56a67cae3ce183ad8d6b6e55ab0a1113626888a8609d3555129334a6c24635f95a08c73fefac61bda0a02c5e80eafa75ba6d8b64ab1b3

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
2KB

MD5
7138c71826e4b1f5dd2278380ef87256

SHA1
b53917026ee429144f0151d07ca34ac59cd90d98

SHA256
b40df747eb178460ed20833fb418353f81d7fbc711f5a15393194bfb63271143

SHA512
bc82180e60c1df55930b1fa6e681f499f10f51f9ff81daf5072800003e67a173c0030448b6729ed5edadda8e8b36fd3aeb11703dea3b63771741d91424e1d3e3

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
6KB

MD5
bbf33cafd20921882c7a9e97d4ce03e8

SHA1
98b5f97976523ea10a8e819f3ac503621f79d0a1

SHA256
c46ee0dae02df82ed542924f5589a72dbf4dad08e520fb45f9eedcb933a8c660

SHA512
ac0845ff56f3ce63253b09d7807f2c88312d82ec7b8756db7eef0b4cac8ad40919d51b23e8044a9722a9ff02cbf1e81a17aa83c91bbba7e0004ab0a1d7ec0033

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
6KB

MD5
47a746f04631657296af485f5ab056c5

SHA1
2b541eda5c9951413ffddc31c904bcb3097c8f1b

SHA256
6f65d0499e5def3b8f785f172e569f2865219351d86764379d3fc8afdaa60137

SHA512
316da482d8438f4668d0c24415db9085cc9a4e00dcd99b511c47ca355be1a17f6a159908cf712e721252d70e2d2d08ac5fed110574997a5bfc7ed2cf72576e31

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
6KB

MD5
19f695c86fb9f2aa48d946605e18f616

SHA1
25c5b22b0335fd714911cb69b112492ab1870bc8

SHA256
7345444338f02d091162bda8814585cf884349ec3cf32d6023fe2d1b4f2ab400

SHA512
2414992186620c112df5553bdad17abf4e6aad746eaaaeed7e5c6d792fb8ded00694e387369505f4f5c4c96513bbe1f31ed880ae26a83521e92ebb6df13df698

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
32581c085428944321a9da7adc0346f8

SHA1
a9ce272d9a761e12b251fd83ee99e39e20372dc3

SHA256
4c3dd6374ddec6c084fae19c9b1bc88709b128e9e4d3c98f97296268952d5407

SHA512
86365331190c75b6569dbbe5a9e7bb17d138e09d969935707fb9241c7e35127db8d0706484d850106e6b8be4cffe2289f532c31efbeded3ca6ae074670d30971

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
4d0a59e44cfbdcc2f719acc460e407a8

SHA1
e8044bb1f27d9bee0e890d986dd2f6ec5cc09d1e

SHA256
999f5a87353d35d8538e36e5c43c2d96176e50a3984c734c66705f2223796d52

SHA512
e0723327db2ea459609edf141a6b8b264c4bd40b82df80e5b3b42b5ae8c6eebaaf84d5bee37fe87c05aec6ecf50d211ae5d7544983b72315bf3d2a5b12cd16cb

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
7eb774c1c8dd126567c3afb15bbacb60

SHA1
ca081f7dc874d1dea6bbd9f00968a485ffdd2a9b

SHA256
24c8ee2f35953a2609a7f682b108c9ac7b14e664db8239b0eb46560125d61fc4

SHA512
cf04d0cd953316ce5750dd6c50ceca7823ef968aa4c77b6e7de84826ced47368a12eca748eed31bcac8e51c6aa5c8ab820be87e3838bec0ce160d0170dbc5d60

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
8addbe6775d42a164e817fbaf2ff8899

SHA1
171535361fee5736e7da79428f6e52b440938050

SHA256
5ccc1fe9f4669e6e37cb394df8984760dc6ba25845feb598e1a9ffb3b555f83b

SHA512
7959af5ac647a9a278c00f3048f33147a8ef400a17881160eb889de8303f387120fe5b5ca5e77de4b238ef9df1b3abad9ea2fb61a89303b330ff0242756ad7f9

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
08419c459990c8b69c6e742a91a66ac0

SHA1
8dbda2f9c34aca5be60c2d2f7d88f31ae47be0e6

SHA256
e641929ded44790f7cd88ab74a5a864680cd02c93fbae07e01c4a0a30640fab1

SHA512
76000d3b95a81224ba25ff394e336c4af8f872bea99606d5736b72b2d312a59778ea08143255d7caf9b686806c79e50f383521758d23ac1ab67a9d3eb7cc98f5

Download Submit
memory/1704-264-0x0000000000954000-0x0000000001A56000-memory.dmp

Filesize
17.0MB

Download
memory/1704-9-0x0000000000950000-0x0000000001F92000-memory.dmp

Filesize
22.3MB

Download
memory/1704-1-0x0000000000950000-0x0000000001F92000-memory.dmp

Filesize
22.3MB

Download
memory/1704-2-0x0000000000954000-0x0000000001A56000-memory.dmp

Filesize
17.0MB

Download
memory/1704-265-0x0000000000950000-0x0000000001F92000-memory.dmp

Filesize
22.3MB

Download
memory/2248-12-0x0000000000950000-0x0000000001F92000-memory.dmp

Filesize
22.3MB

Download
memory/2248-266-0x0000000000950000-0x0000000001F92000-memory.dmp

Filesize
22.3MB

Download
memory/2312-10-0x0000000000950000-0x0000000001F92000-memory.dmp

Filesize
22.3MB

Download
memory/2312-267-0x0000000000950000-0x0000000001F92000-memory.dmp

Filesize
22.3MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads