fff4b96876b0c78da96e57cf7ca1b0e0cbee4fde52047a9bde52e25b062d69ca

Resubmissions

14/01/2025, 01:19

250114-bp1w8asngy 5

14/01/2025, 01:15

250114-bmeafavmhj 4

14/01/2025, 01:10

250114-bjndyavmcn 5

14/01/2025, 01:06

250114-bf5h2ssmaz 4

Analysis

max time kernel
150s
max time network
150s
platform
windows11-21h2_x64
resource
win11-20241007-en
resource tags

arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
submitted
14/01/2025, 01:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

AnyDesk (1).exe
Size

5.3MB
MD5

0a269c555e15783351e02629502bf141
SHA1

8fefa361e9b5bce4af0090093f51bcd02892b25d
SHA256

fff4b96876b0c78da96e57cf7ca1b0e0cbee4fde52047a9bde52e25b062d69ca
SHA512

b1784109f01d004f2f618e91695fc4ab9e64989cdedc39941cb1a4e7fed9032e096190269f3baefa590cc98552af5824d0f447a03213e4ae07cf55214758725a
SSDEEP

98304:Uc9HTcGO0ImBimas54Ub5ixTStxZi/l9K0+zLVasSe4JnzMpm+Gq:UcpYGO0IOqs57bUwxG9CVaskJIYE

Score

4^/10

discovery

Malware Config

Signatures

Loads dropped DLL 2 IoCs

pid	Process
1756	AnyDesk (1).exe
2824	AnyDesk (1).exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AnyDesk (1).exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AnyDesk (1).exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AnyDesk (1).exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AnyDesk (1).exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	AnyDesk (1).exe

Suspicious use of FindShellTrayWindow 5 IoCs

pid	Process
1756	AnyDesk (1).exe
1756	AnyDesk (1).exe
1756	AnyDesk (1).exe
1756	AnyDesk (1).exe
1756	AnyDesk (1).exe

Suspicious use of SendNotifyMessage 5 IoCs

pid	Process
1756	AnyDesk (1).exe
1756	AnyDesk (1).exe
1756	AnyDesk (1).exe
1756	AnyDesk (1).exe
1756	AnyDesk (1).exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 3492 wrote to memory of 2824	3492	AnyDesk (1).exe	77
PID 3492 wrote to memory of 2824	3492	AnyDesk (1).exe	77
PID 3492 wrote to memory of 2824	3492	AnyDesk (1).exe	77
PID 3492 wrote to memory of 1756	3492	AnyDesk (1).exe	78
PID 3492 wrote to memory of 1756	3492	AnyDesk (1).exe	78
PID 3492 wrote to memory of 1756	3492	AnyDesk (1).exe	78

C:\Users\Admin\AppData\Local\Temp\AnyDesk (1).exe
"C:\Users\Admin\AppData\Local\Temp\AnyDesk (1).exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3492
- C:\Users\Admin\AppData\Local\Temp\AnyDesk (1).exe
  "C:\Users\Admin\AppData\Local\Temp\AnyDesk (1).exe" --local-service
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:2824
- C:\Users\Admin\AppData\Local\Temp\AnyDesk (1).exe
  "C:\Users\Admin\AppData\Local\Temp\AnyDesk (1).exe" --local-control
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:1756

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace

Filesize
7KB

MD5
e59ba89f9678ab020c90722a28333738

SHA1
4f7af5d20370a6d247f7b3bab804dbfb6e0893bb

SHA256
4822dd4f823cd1f780010ca930cb32ce04e5ad528caa3da4f9226089b1fe3f9a

SHA512
2e60417bc4921b52f65e59629dd765527aeb80747b0053cbbbc372e364a800ff8cff0d2fdc120467417e67616f21b25638cc9626e4f7d6e56da4436777dfa19f

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\service.conf

Filesize
2KB

MD5
d1ddba5b9e6c90c656572bd4e322a7e9

SHA1
5deb971c087d46a3d38bc69353379f41740c45a9

SHA256
09ca26df06ea442aae37bacda0d771771b8b950e22afd2f158a4319eed06f16e

SHA512
49a5758406ccb7de8a30a1d4fd1888ea263fc6d5b6e8261acd75271263b19f412ac9ff587ac0125b3f63b7a9f6e3dad8f7ab1c181fb3986479eec5b1192d641b

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\service.conf

Filesize
2KB

MD5
8c18632b63971d778e17c3266bf5b747

SHA1
321f97005f6e2294d0eb44147db507c76b08ab18

SHA256
35f23898c3d018605cb97399de1b78ab25627157d1bb04eedb18e6c89d7f6dd6

SHA512
8f1bffea7efcc9cdc596d8dd2391b6794351cdeb37d3672292926a5789f567cf6ee5477bafa2e3b2db94ef7ea9fd123325b10a21b2df184405878a322beccd1d

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
766B

MD5
bb2ae3aa8fda0fe8efaaa04a04e0004f

SHA1
abe535b8536f741c788d64e413b70bf277ebae4c

SHA256
f6100c5c776bf641b7ed149d3e214df4d58ae8acdcffbed7cfafc7f3cd8f0a3e

SHA512
a9afe5fb09bb85f57135c84af3a9aed68f795412f6032877ca5b662d8e6eccac83dc526a447b41ba6e1fd9589acd145930bb3b89bc2f532bc29f5818a62b51a3

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
775B

MD5
a1bc01cd847eeaeec8a02c5c462abe8f

SHA1
623b435aa5d28ae2bd594e54ed28e06fae517598

SHA256
47852cd5736960055ae1aae9019d2751c6ba7c28dfd8033f0318db9f2adb2422

SHA512
6bbd7e3c8c31407fc30a69bced86cf26c011527c4e4244b631d784a4a9acc8ab59dd93c275d798288bd7f5ac70eea7d35d0d7463b7b5227e1bfe8d1e25bb9806

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
832B

MD5
9a247260bde3856b934839b811a9aaf7

SHA1
8a7efa377f613a9f9e6a85da2dae052b81340615

SHA256
4d026a3ba6c6197240e185c2bdf71795076b10bcbee1e710f0a27cc6c37c4efe

SHA512
72a2ec2f0d0f972b043445c3aa27be146e0aee1cbe83706138d50e004b477221c64ec678f66f3608f193482a440e34f8143cd595115290db3a31c915d80d35e8

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
312B

MD5
0c04ad1083dc5c7c45e3ee2cd344ae38

SHA1
f1cf190f8ca93000e56d49732e9e827e2554c46f

SHA256
6452273c017db7cbe0ffc5b109bbf3f8d3282fb91bfa3c5eabc4fb8f1fc98cb0

SHA512
6c414b39bbc1f1f08446c6c6da6f6e1ceb9303bbf183ae279c872d91641ea8d67ec5e5c4e0824da3837eca73ec29fe70e92b72c09458c8ce50fa6f08791d1492

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
468B

MD5
bb06cd2a2e3ef7142a376b53749976e2

SHA1
f5af0cb9d7766b649ec7d0136a011268f3ec39cd

SHA256
bc2af8bba18c987957d44a47de565284fa18157f3996886fe2b6316bf83e545b

SHA512
cfd227ddca643e285d4fe579b874460aeaa01c7af4288323d2119c19363ddea7ef96edb098e1e9c7e55e28bedc192a9cc42cabd2a6028eb0ba17e97f1cf8117a

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
468B

MD5
0645ff9f90f8ffff3cd07d5cae962f06

SHA1
22ad68a0a92213de8d40fd5ff792175ebb64113e

SHA256
91e985dffeb208007ad5dbdf544a9ddf3d95a1b7674ac84ffb9c6ec3e380651d

SHA512
18505510ed4acaaddcf4a46cf4ab553e6944f7f7584920b3adee8590198d3c758c44efd5d8d7478642a2948f1c77b0c7589c0da3549c5fe710c156c10f9b239e

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
2KB

MD5
f8f8cd11ea1cb23141e81846fa234fe2

SHA1
1ec1328840c6cce162fd18dc111c63509825ddf8

SHA256
8cc292f5223843a58172e507c73d834ce573587307d9f91c48d8368445beccab

SHA512
cae364562d777b90c78e49feae93d96fc20206f7152ad2b6c16f9585d4da196593f3010440ea1cea96275d1149817762cdbd341d7968efd98e48c253395d9d1e

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
6KB

MD5
297fd27159960464d607afef350b4779

SHA1
f303640908bfb09558748781eb624310ddaf9702

SHA256
4da38b83c7253b6ac6667ba714e2c5d333f83272337586e9fa54f5f796f7d473

SHA512
db09939574d09cee54ec55ac433cd44dce8a1fb4d7b1ea7bbe7ed7f616fb75ead42b59fb895bc974e2b7d99b87bbf7b1fa0189b423e32f9238a7f714318f3466

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
58ad24c1e866814845432d53dedc9272

SHA1
bbc12f8baeacb7303dc50d7096cc47e4bc74d12e

SHA256
aebf89f612e67920fda6f6aaac0782ddfc8ba67e9d06852ae508e6a9094aaf34

SHA512
0a166cb03759ff25923a7c16eddcbe2371b0cbd4ec7bf3562b00f7e1c3a975242f90705fbda198d9d4ffac9f0389bc751e0276a6accd6b54d62f15aeb58c89e5

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
6KB

MD5
0b60916723260753a6c23d6e0cecf674

SHA1
189da5e5142a25e6fd0ffdea646f1a5ebd337394

SHA256
91e802dddc758c6c02f23d7ca871d3a7b8274e2c9d235dcdd203723fc26a5cb0

SHA512
5a034e3004e3025cda265fa808c734af3818d544e53b4bcab917c732b347142e37dce8f4c46420431479049fbe11e5eb485d3bafb105c2630d5a9fe6bba8a899

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
6KB

MD5
7ab2c1efa5892a9b82bc42b73f340ca2

SHA1
a0e4cca917b5b9ead56cde89c43b2fe2cec66634

SHA256
5536249d284a6ebd8399050737b79d3287c46168b9155281bd1d5f647b579aab

SHA512
b0ea65b4e2f57fb340abfec77668d941ce4cc72d8bdffa5058269213410e3d24481dd6fb88ddc5325e1510bf80499741beab928ca538d9a4af4d453adcc49872

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
6KB

MD5
1aca2f69f48e308ce9f2639cb6e011dc

SHA1
20e70f01889a4ec220ba07d021d113cdd951d4ef

SHA256
de9765b0549e7ba60fea32e05206951eb55a6a826584ab4b8d6ef275b893c6c6

SHA512
aac255b84d7b51c91e51d82b7b0a100adb868ecb10dc17ff80916c900a66f39c4d4b2778e35513e28c28562b30b78f4727fcfd2a87d5c8cd69fde18544b0dbd4

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
6KB

MD5
10d3cf0bee2e9eb17cb6e2a66fc1b76e

SHA1
522d934b5828dc0674b047403bee830c24f771c6

SHA256
5cf1bc73e4f7cc61676a1de758c005e2f9e38f833dcbe6d011278cf5a1bf2b0c

SHA512
81807c4d94e61115610a76eb3ac1a70db014978b61e4ca2345dbc46a0003256e1a1707dafd0e83e90ab64e5ab3255d763ff4c232f2f72c25e13c89866e1c6e3a

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
edbbff76869ad068cb7c5d06314a04e5

SHA1
a6a57b24502384320af660931289150303026b7f

SHA256
5e179bf841eefd63211998c2693a9bc04b4be53c804032c39231af6cf8ce2bd5

SHA512
9ce8164496babfd7c8cee070fea1505cea4ff806c21a875eddd5e09354e9400f903bdcd4e791ccaba772bc55b8ef58aa1095af9c581a628779e772e053ec1895

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
757fa78a4b4100b3c51dc74367a14f51

SHA1
e6ffa70caf72a1ea222c82a3923e40df1923b0d3

SHA256
0dabcf92bf2007122a4ba4f59d2e11df49f30dad79a0e1ddc3991919e52a6372

SHA512
b7c672662bfb930ee794cbcd1ba5b86d198845a99e4aa4ed7a41cd99829c7238b0472624b5cfc0594b87735ac6052ad681a9f52ff3773df645c93cae75ff22cc

Download Submit
memory/1756-13-0x0000000000410000-0x0000000001A52000-memory.dmp

Filesize
22.3MB

Download
memory/1756-11-0x0000000000410000-0x0000000001A52000-memory.dmp

Filesize
22.3MB

Download
memory/1756-235-0x0000000000410000-0x0000000001A52000-memory.dmp

Filesize
22.3MB

Download
memory/2824-43-0x0000000005590000-0x00000000055AB000-memory.dmp

Filesize
108KB

Download
memory/2824-39-0x0000000005590000-0x00000000055AB000-memory.dmp

Filesize
108KB

Download
memory/2824-42-0x0000000005590000-0x00000000055AB000-memory.dmp

Filesize
108KB

Download
memory/2824-12-0x0000000000410000-0x0000000001A52000-memory.dmp

Filesize
22.3MB

Download
memory/2824-234-0x0000000000410000-0x0000000001A52000-memory.dmp

Filesize
22.3MB

Download
memory/3492-9-0x0000000000410000-0x0000000001A52000-memory.dmp

Filesize
22.3MB

Download
memory/3492-233-0x0000000000410000-0x0000000001A52000-memory.dmp

Filesize
22.3MB

Download
memory/3492-0-0x0000000000414000-0x0000000001516000-memory.dmp

Filesize
17.0MB

Download
memory/3492-1-0x0000000000410000-0x0000000001A52000-memory.dmp

Filesize
22.3MB

Download
memory/3492-236-0x0000000000414000-0x0000000001516000-memory.dmp

Filesize
17.0MB

Download