fff4b96876b0c78da96e57cf7ca1b0e0cbee4fde52047a9bde52e25b062d69ca

Resubmissions

14-01-2025 01:19

250114-bp1w8asngy 5

14-01-2025 01:15

250114-bmeafavmhj 4

14-01-2025 01:10

250114-bjndyavmcn 5

14-01-2025 01:06

250114-bf5h2ssmaz 4

Analysis

max time kernel
210s
max time network
202s
platform
windows11-21h2_x64
resource
win11-20241007-en
resource tags

arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
submitted
14-01-2025 01:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

AnyDesk (1).exe
Size

5.3MB
MD5

0a269c555e15783351e02629502bf141
SHA1

8fefa361e9b5bce4af0090093f51bcd02892b25d
SHA256

fff4b96876b0c78da96e57cf7ca1b0e0cbee4fde52047a9bde52e25b062d69ca
SHA512

b1784109f01d004f2f618e91695fc4ab9e64989cdedc39941cb1a4e7fed9032e096190269f3baefa590cc98552af5824d0f447a03213e4ae07cf55214758725a
SSDEEP

98304:Uc9HTcGO0ImBimas54Ub5ixTStxZi/l9K0+zLVasSe4JnzMpm+Gq:UcpYGO0IOqs57bUwxG9CVaskJIYE

Score

4^/10

discovery

Malware Config

Signatures

Loads dropped DLL 2 IoCs

pid	Process
4440	AnyDesk (1).exe
2776	AnyDesk (1).exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AnyDesk (1).exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AnyDesk (1).exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AnyDesk (1).exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AnyDesk (1).exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	AnyDesk (1).exe

Modifies registry class 5 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000_Classes\Local Settings\MuiCache	MiniSearchHost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Content\CachePrefix	BackgroundTransferHost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	BackgroundTransferHost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\History\CachePrefix = "Visited:"	BackgroundTransferHost.exe
Key created	\REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000_Classes\Local Settings\MuiCache	BackgroundTransferHost.exe

Suspicious use of FindShellTrayWindow 5 IoCs

pid	Process
4440	AnyDesk (1).exe
4440	AnyDesk (1).exe
4440	AnyDesk (1).exe
4440	AnyDesk (1).exe
4440	AnyDesk (1).exe

Suspicious use of SendNotifyMessage 5 IoCs

pid	Process
4440	AnyDesk (1).exe
4440	AnyDesk (1).exe
4440	AnyDesk (1).exe
4440	AnyDesk (1).exe
4440	AnyDesk (1).exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2188	MiniSearchHost.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 5012 wrote to memory of 2776	5012	AnyDesk (1).exe	77
PID 5012 wrote to memory of 2776	5012	AnyDesk (1).exe	77
PID 5012 wrote to memory of 2776	5012	AnyDesk (1).exe	77
PID 5012 wrote to memory of 4440	5012	AnyDesk (1).exe	78
PID 5012 wrote to memory of 4440	5012	AnyDesk (1).exe	78
PID 5012 wrote to memory of 4440	5012	AnyDesk (1).exe	78

C:\Users\Admin\AppData\Local\Temp\AnyDesk (1).exe
"C:\Users\Admin\AppData\Local\Temp\AnyDesk (1).exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:5012
- C:\Users\Admin\AppData\Local\Temp\AnyDesk (1).exe
  "C:\Users\Admin\AppData\Local\Temp\AnyDesk (1).exe" --local-service
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:2776
- C:\Users\Admin\AppData\Local\Temp\AnyDesk (1).exe
  "C:\Users\Admin\AppData\Local\Temp\AnyDesk (1).exe" --local-control
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:4440

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe" -ServerName:MiniSearchUI.AppXj3y73at8fy1htwztzxs68sxx1v7cksp7.mca
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:2188

C:\Windows\system32\BackgroundTransferHost.exe
"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.13
1⤵
- Modifies registry class
PID:1696

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\AC\BackgroundTransferApi\f5febce9-fdc8-40c6-afb5-11b119761324.down_data

Filesize
555KB

MD5
5683c0028832cae4ef93ca39c8ac5029

SHA1
248755e4e1db552e0b6f8651b04ca6d1b31a86fb

SHA256
855abd360d8a8d6974eba92b70cbd09ce519bc8773439993f9ab37cb6847309e

SHA512
aba434bd29be191c823b02ea9b639beb10647bbe7759bbffdaa790dfb1ec2c58d74c525ef11aacda209e4effe322d1d3a07b115446c8914b07a3bce4d8a0e2c3

Download Submit
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TempState\SearchHoverUnifiedTileModelCache.dat

Filesize
10KB

MD5
71a6b59e08e25451e52675c842fae23c

SHA1
565a97673954a9209c7a05fba20b89d10b88025f

SHA256
5b96212d3d1347b76c8c1c64b2f7ef981242bedd3b84b766b543d56dbbf8dbd6

SHA512
5cc98eb2aa02e2e69165170451d89dd880893e6b07440bb84fbab6cf92cb558bd58c2235d8d64ff43d380c5e9869827800d310ee67950bb21b498d89fbb5aab3

Download Submit
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TempState\~earchHoverUnifiedTileModelCache.tmp

Filesize
10KB

MD5
ef4d9165f280b4d556f349f896b81ce9

SHA1
ddfe1709a292d9900687d4fe0b4c8b2429d848a3

SHA256
8add12630f4210146f1c0f543e34f61810eadbb6759b6eb3a6303337155c9cb2

SHA512
e8b2c08605f8c3c9eaf0a8f905e65829ea2ff4e0d45c79f171ff685e80fc74e4f7858b4975fac8ebfd4dc3b21a14fe571e446889d4022400e84d8193053152ac

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace

Filesize
9KB

MD5
6dd601ec3a4760bae267657977e77a33

SHA1
8a0a9ae9cca6aba2132abeb87eb521bb92e98c74

SHA256
46e389858e889620c2bfc970f4e3dafc4fef37400fad5a82926b3f2426b6d3d8

SHA512
94ad37cca14b658b3e05e3e845d2debd66b0c1836ac148e300342dc726cb2159469592e6b0e9e0aa279828ce5926daca724ef0f67b1debd3efc32f063fd20fd6

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace

Filesize
9KB

MD5
d0a6f9152439e22a923b4a01ddf2d935

SHA1
719d9390b28f1baf801f8b4c754a3a736f961436

SHA256
9b8e3c4ba88032be0634baed87ce0ca284c36c2292a50b3e79154d5f97f53bae

SHA512
050c28d3f2d2752c260b05c86806472936ec4b91c6fbaba21f3c4ada6b6eced5e2bfebaa1729b3c2165a27bc1c4915ea254ea9fa5d01f5dcb8521244e44f77c7

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\service.conf

Filesize
2KB

MD5
97350f66d4b18d421ba8944c996a68ad

SHA1
89833b186b91df3e1a204a2f3b5cb85629dbe3c6

SHA256
865ad26bc58f3985a894b1b967e685b797a549c528664c68b057941d2c9e9e17

SHA512
6377fdd4ea0a65ed575c24e3675b1acd00ced3c91f0736c337dfb42d623f1a285d964a6d9217cf10cf35e4db89b452e55fd12d0d6d608497d00448125c2d592a

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\service.conf

Filesize
2KB

MD5
0ab975796ebba15d531c3a53e28d587a

SHA1
59d23c0dfd01b587bd2f2d5c6d0e5037c799a041

SHA256
59bd6932a2dd4114df8ab4f89866262c6e56a7c86f3caa050fc89f4a93f1a1c3

SHA512
2bdcf57f4d56b40bf0d4a707ec8e3b93caad22dd450001491ea184fa463df63c7000cd5ac28448529dc4168c365b9fc05b4c8d2d31219c5abaf899254fdccb3b

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
745B

MD5
a252cedbd13531e6256aad820e6b76d7

SHA1
2d6e3e5ac68ebe2c1a4e1058e827d9e82a61b9ed

SHA256
e554962c39b834e00791041dfbc5baec23e313bce04b55fc439d41969d09b757

SHA512
31643b364be1af322fc0a09cfb5f43567e30b173d22ecd41d6131bb1d5bf366905538a01d96c61791e4026b5c019eb639861295648b207af9216f064a954b134

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
766B

MD5
b1c97ce3be6dd659eee55b35f1f76585

SHA1
9384f85cc476d7216784909406d1675e46f33142

SHA256
8c2a47ed71f3e2dc8e6e885665b3247423746a71d3d48e2c731dc49f3470edaa

SHA512
f7ea4bae22622220e1df290fc90d18fa4f456aff8bf5647428cecb23e57e3cc96dd9dbb5672b6a28d59c2963ce161be753039abc5cc977f693444356eb67e237

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
774B

MD5
dbd1186fee3973142947b00cd68c1414

SHA1
3d18e504f4908762a7c13ce94616c31d0dbdf259

SHA256
82b44912125d2a291fd9391a61de7006eaac1551081d395e9a57dc0d16290e3d

SHA512
47d3e041cebade1f59fd841f62646b329e31180de885ad4922076d73b99608c994377bc6c6668a43fd90547e68112ba47082addabc4ec8944524b6d3b23f92a7

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
831B

MD5
a853c70ff7d33e6530fa4ecf9955e77b

SHA1
50bf7722ba9f9a9d6147e6fdc5f5e9d27f442e66

SHA256
6f691a4fa1c7eaada5a6e814c192c94bd72a973a4adc1cae6267f60ca3db0307

SHA512
3dd44a5e05aa83f0818f173f6dac71003f6d06894f1044db647a0d9484c19d028b0e3b81fe5911e14a1ffdb80dd49553b944846b3017e9430a3fd050dbe55e25

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
312B

MD5
0c04ad1083dc5c7c45e3ee2cd344ae38

SHA1
f1cf190f8ca93000e56d49732e9e827e2554c46f

SHA256
6452273c017db7cbe0ffc5b109bbf3f8d3282fb91bfa3c5eabc4fb8f1fc98cb0

SHA512
6c414b39bbc1f1f08446c6c6da6f6e1ceb9303bbf183ae279c872d91641ea8d67ec5e5c4e0824da3837eca73ec29fe70e92b72c09458c8ce50fa6f08791d1492

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
468B

MD5
e5da745525521021c6c911424e3f261a

SHA1
b5fc7a3acdc33ba5066db3ce426f9cdcd76d6428

SHA256
d6a52ca892d4a6b50c983aedede341365230613f46310d4f14145b94f2392bf3

SHA512
5888eab255fb27f453e86084c50423461f0ccbf640b2ba9ab0392e593d5f635bd1227de8ad03750c075ebd4bddaadef0da3eaa81ec5a9056ab36a9e71b7156fb

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
468B

MD5
b41224935738b3aa2eb9ce2cb3b1f298

SHA1
546c19e32b598aa0564b80800405ea2c2dd36f0f

SHA256
f899bda5f5d4d2747ec61d55570ac5d32951d6f06250673441246ce65186f0bc

SHA512
b607aa02a7c7ce25fd38819a3f5985b00aa90144e13ff25c2c37b9d653a76f02a0b71c2a22ddcd635703015802b1938110f9db2339d610256620c3dc40c55da9

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
2KB

MD5
f811f20ab1cd5014ff3389f3a75929d4

SHA1
9b58c5c8d2c2d658c420690956602bcee781f5f8

SHA256
494f79154ef7dc7188bcac518905fecad6b5efeb934b6ad638b802d5780f52cf

SHA512
9561563bd31f3f43b8fcf244ce556bd3d176caa4e456bc68d276b8eb4c84179dcdf5b404ece984793a8b5f5dd6866c211897b94ce180636d4d69743103665b9b

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
2KB

MD5
3ae60f94a30957c0c5fd490d20bc0994

SHA1
b79c278051eaebc154ae611d8c3b474f192524d5

SHA256
d9b59956ce6f2ccc15ea848a3a2edcbbee0acda7f030475e657133c982ec43e5

SHA512
e0b3a84d948adfa5b60d88a0d387fbc39fc290229bd65d94ae35d9de8adc26634441eb6dedc9dd29658734335f8a60ac7a79a911ab9953f9ea7db591b834d3b2

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
5KB

MD5
3a8794fd7f0130b202c49a8f049328be

SHA1
588263ab8e37613d2a818dcd02f03c0c9a119ef6

SHA256
2f71e7ef47886e24d3167e49097bf76d515905b5804743bd6f7500c5c6cabe30

SHA512
430d17d6eb17b9a0876201dc9059ceb28ceba815afa4e17b6dab4cdb1b2fb110d22bca44120bc847f907c2e237e9a3945112734993a680401fe4681a651ad61b

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
5KB

MD5
7a3181b32b26e45f293ef6b7d8d8d62c

SHA1
f9a3578e96a670d0a952e577686b6528f2f7d6b8

SHA256
7527fe6a20867ef372d1fa363c3cb79609b59e4ef60e05af5eae80799cd6213f

SHA512
8b2c43add60f69cc35f792ea4dbd26fdd609051348b6aad492047eb7d41b57b3fce976e94ad5a753ca94f3fcf489fa132a387ea88cecb4f13e5131e565682032

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
bc34ab1280d67c8d5316e4f0ff832db1

SHA1
f7a21699d9fe58e172c83273dadf6fb919da192c

SHA256
23836aaeac144bcdd38866d5cf3ab056840fdcb8262659f06fffca952c37b7f9

SHA512
faf990e616320d03701fe5cfeac62aac527a24376846598c869fc57ba0897daff67f5ebb1ae4ffa8e6ef9b26efa6938f49f55b24afe8f2a8af5f431bf19b5143

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
637e8a8226805f3d25e1e2e7eba6a07c

SHA1
1c140c4b8261b0125405434f345ec7f7518ea5f8

SHA256
4c30e89c625116e6ec717d03861788fa8fe4b1bb17de7e0f6759e840ea8e478b

SHA512
42c62a80a08ae466453a2cbf51130f5f21afac66c433b045c74c7694b56b147d0b490fd7395202a4dd1ca3682cffdff2554732580a36c214c409314983f43d9a

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
a8b823b3aed143cb0b35e4d7e81cccb2

SHA1
f87aa0f92e17a70b50fc3ddaac497b4d34ae8bf5

SHA256
5b963371e4ee4552078edf322537d826d5d72c290e442cda7a7d8b0b728ba791

SHA512
4bd09b2cf05bba8400f591a88b8eed146aa890e0f7d07cd3ea6951015edb9db0f0774f767ed7b8588227eb0c940543bc2d49d45451b37d11904c7a4b2502af71

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
3cbfed1697a48a3362d37557837381dc

SHA1
0b4b42e23fddba946f35f4e84287ee33cd5c5203

SHA256
8369c0c76531d29abac95166e5708bad919c9a54803fcf73551e3c6d0bf3d370

SHA512
a4b753f17805fb483e1532732979ad09789593b65819adb58944514cc10b4e486c688f7eb6a0f50dbf4648fbebb9f88e90aa1d08fe42ada196cb6619b9f1564b

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
5fd2c4c3798fb95dd46a5da9a1c5c0c8

SHA1
9b553c10d39f4d46337a01675ff474d4951a2643

SHA256
8cc1af29e9d4e6cb5547ba3ab32d2a34678b06a060076af4be0c1ba91093ae28

SHA512
32773ab14031f48543005bab8a9badcfc6ef350af79f55b772ff59025784960d2452eed7ba25f4df624b21e294d097fad4118d250a656cb1fefe79fd752e9ba8

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
56605b7b533e8c0d91f831bcf6092755

SHA1
732a37ec9f776fd1317a6bd9f09fe4afe4839b0c

SHA256
6a30dd1d75ec1961b3118e97176aa7d0b435829f909734c8c2e33f5e799fb02b

SHA512
a641e04d36d37c4b24e40ef17bc9830dde988a66110cce32e861155b3deda0f20289f93c0e221a2dae97fd541c0f2188d932dc712327e00722d34389bf62cce1

Download Submit
memory/2776-230-0x00000000002E0000-0x0000000001922000-memory.dmp

Filesize
22.3MB

Download
memory/2776-10-0x00000000002E0000-0x0000000001922000-memory.dmp

Filesize
22.3MB

Download
memory/2776-38-0x0000000005560000-0x000000000557B000-memory.dmp

Filesize
108KB

Download
memory/2776-41-0x0000000005560000-0x000000000557B000-memory.dmp

Filesize
108KB

Download
memory/2776-42-0x0000000005560000-0x000000000557B000-memory.dmp

Filesize
108KB

Download
memory/2776-14-0x00000000002E0000-0x0000000001922000-memory.dmp

Filesize
22.3MB

Download
memory/4440-12-0x00000000002E0000-0x0000000001922000-memory.dmp

Filesize
22.3MB

Download
memory/4440-231-0x00000000002E0000-0x0000000001922000-memory.dmp

Filesize
22.3MB

Download
memory/5012-0-0x00000000002E4000-0x00000000013E6000-memory.dmp

Filesize
17.0MB

Download
memory/5012-229-0x00000000002E0000-0x0000000001922000-memory.dmp

Filesize
22.3MB

Download
memory/5012-232-0x00000000002E4000-0x00000000013E6000-memory.dmp

Filesize
17.0MB

Download
memory/5012-9-0x00000000002E0000-0x0000000001922000-memory.dmp

Filesize
22.3MB

Download
memory/5012-1-0x00000000002E0000-0x0000000001922000-memory.dmp

Filesize
22.3MB

Download