Analysis
-
max time kernel
1050s -
max time network
1053s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
-
submitted
16-01-2025 19:10
General
-
Target
AnyDesk.exe
-
Size
5.3MB
-
MD5
0a269c555e15783351e02629502bf141
-
SHA1
8fefa361e9b5bce4af0090093f51bcd02892b25d
-
SHA256
fff4b96876b0c78da96e57cf7ca1b0e0cbee4fde52047a9bde52e25b062d69ca
-
SHA512
b1784109f01d004f2f618e91695fc4ab9e64989cdedc39941cb1a4e7fed9032e096190269f3baefa590cc98552af5824d0f447a03213e4ae07cf55214758725a
-
SSDEEP
98304:Uc9HTcGO0ImBimas54Ub5ixTStxZi/l9K0+zLVasSe4JnzMpm+Gq:UcpYGO0IOqs57bUwxG9CVaskJIYE
Malware Config
Signatures
-
Blocklisted process makes network request 2 IoCs
-
Downloads MZ/PE file
-
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
-
Drops file in System32 directory 15 IoCs
-
Suspicious use of SetThreadContext 1 IoCs
-
Executes dropped EXE 1 IoCs
-
Loads dropped DLL 2 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 6 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Checks processor information in registry 2 TTPs 4 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Suspicious behavior: AddClipboardFormatListener 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 7 IoCs
-
Suspicious use of FindShellTrayWindow 64 IoCs
-
Suspicious use of SendNotifyMessage 64 IoCs
-
Suspicious use of SetWindowsHookEx 3 IoCs
-
Suspicious use of WriteProcessMemory 20 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe"C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe"1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe"C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe" --local-service2⤵
- Checks computer location settings
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe"C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe" --backend3⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
-
-
-
C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe"C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe" --local-control2⤵
- Checks computer location settings
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
-
C:\Windows\system32\AUDIODG.EXEC:\Windows\system32\AUDIODG.EXE 0x2f4 0x49c1⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {24AC8F2B-4D4A-4C17-9607-6A4B14068F97} -Embedding1⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"1⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\main.exe"C:\Users\Admin\AppData\Local\main.exe"2⤵
- Suspicious use of SetThreadContext
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"3⤵
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\system32\taskmgr.exe"C:\Windows\system32\taskmgr.exe" /71⤵
- Checks SCSI registry key(s)
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Windows\system32\taskmgr.exe"C:\Windows\system32\taskmgr.exe" /41⤵
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
385KB
MD51ce7d5a1566c8c449d0f6772a8c27900
SHA160854185f6338e1bfc7497fd41aa44c5c00d8f85
SHA25673170761d6776c0debacfbbc61b6988cb8270a20174bf5c049768a264bb8ffaf
SHA5127e3411be8614170ae91db1626c452997dc6db663d79130872a124af982ee1d457cefba00abd7f5269adce3052403be31238aecc3934c7379d224cb792d519753
-
Filesize
4.9MB
MD55c14a296de00ac77eb98ebd7830d09fc
SHA1f8ab35d128e469e6938401f8953ec7f7034221fd
SHA2566f69c27f4055784be554a73cda0ab8e5475a60e4f3588267cb45150aa03f66d7
SHA5123c3d97702a18553883a36407ec9be5b37db441964e46bac14034980e9661f7081a4c2abb974c12faa0bb5d3b9f0952d52c6c5d877dd7fc8644772958dab9c640
-
Filesize
5KB
MD58b074eb4890711278e2882c534e23d02
SHA1f094f97494a0d9d4372dde03886faa8150ec0a09
SHA256f77592dd0a750ae5149d1fda358b523cff964742671444f67706a532326a5bd4
SHA51209c57007bdd102e16f1d09379ae3fa596cdea1bf5b30057dcbe88987c5cdd63e1fa39266af90acfa82ada53bf48b5519b00da7473354370ecb67c35413c5e864
-
Filesize
10KB
MD5f3b20054d95d57b756a86b2e4461fc18
SHA1ea879f87cfa36a08ad1dd0f60efc0a27e76d93ef
SHA256ae4af8969b42cf60078d71180448765c9e38a8610919e2b056c45047fc688218
SHA512619fd766fc9881183c2b001839695214a66bd8a6d1c4538c40df5d89d8d54fcee278b4b74033a3e44181b8db033483916971848b5dd8de5cc972b5abe0e761a6
-
Filesize
59KB
MD5de3937f06a69b3d45828bcb252e8b447
SHA16ca2d044193c680d7cccd368a1235b171be7e331
SHA25697cd794404061878d104635b225fd5ee7c51d60caebdd27e3f14950050826081
SHA512f2dae6b671bf5bfdb1578b38b7699eccaed6af944f234e0c8557bc1ff35594189c18c222278eaf8298d5c889ee164a436fee0f9c4859263a53b99b37953dbd79
-
Filesize
2KB
MD59d9288a95cc45dd5904b11ce8e04e834
SHA1cb424d8bcc06d6fe06255cc589cdfa89febcc1c3
SHA25630557fcaa2acf42b4f5a1344eb662d4c40960719e00b64fe89d71328083cc7ee
SHA51297f14501325578f63e122e625954cf9e13080744cf0f6c6a0a58597fae01e35b5435a9a6f6560a2c0aa9e69481d3ac923e6eac07b13b8b3ed851b5c0392b44a5
-
Filesize
2KB
MD54672371be71873b3f1dbe29e30357cc9
SHA15550d12b0dd4a584755f666b0ea1c82f9809a393
SHA2568712ee1579dfe5c863685c2ff13145503a6941cb28245caf3e8142944ee3f23a
SHA512f6442cb639af68d246ef6991c3f2125773f1643dbfabe0ac9362c9eed89eb3b21fde0c6dca22bac352a58ecdfc5ea717d042b8f1bff387d21d3f184e308ea0c2
-
Filesize
745B
MD52d081fdc221d283c94370435addc3a7b
SHA1e9098dc3b628f14408bbfc68e9c46d69a6a7612b
SHA256845a30c94ce10b3e9ac9a7952c8cf74569576012139273c1a33222d31b9f9d78
SHA5125f0cf013fbcbfe0dc612090ac748115a36f3331dabb6faee116d7d9f34ba0e5d9686bf9025180baa77ecdb2ba49d0fe435fc483cb9734ac9b0e9765d56c4218a
-
Filesize
766B
MD5423ee4bbd661ef2dcecfd13da84c5987
SHA1f9253a1c26d369684f9d99a3c28c6a881b52fbb7
SHA2564a8a1f19dacbd87604d8e5e8cfb9cc6cdb580d4c27d3d6a54c0f14192bcc2a71
SHA51212f9c48e66bc3e756947330ef63bdb7db9600d09f83f30489731b40209f75e64357bc0cb8b4c00657d216d94acbe4c4644b58cd15b901d33b461d8de37091b74
-
Filesize
775B
MD5d73fe5c7202a287cbf6a5225be8c181d
SHA1342819ebae3f0adb3ecb5fd884332a287905c915
SHA256715d56519efefc3a1ce2ec605b93d2868df0660f74b5eddb1debe65fc7d608fc
SHA51270cab1ef5866bf935d9cb3b420953ee60c9d54d039c9618cd3a09e45cc3cd2f69c66bce0f705ef46ac2005182b53f4ccfba6d84fca092e205401b56bb524abe3
-
Filesize
832B
MD5dba22b9c941417211a3fa9a1e582e8af
SHA17a867b55a2308754721205f79c8cef6daf04d0ad
SHA25630a60a868f7bbab4c28b1f3fd04a4cd4b126bc665fecced78f82afdc95a7051e
SHA512acceaf72a9ae916c3796a11926c537f712cc3b85e450c662b8f62b7c0162f97abe7e020bf3e610ffa5bc9754ba4e680b374ce96d9ec2470ddd6cca373cbcf7b2
-
Filesize
312B
MD50c04ad1083dc5c7c45e3ee2cd344ae38
SHA1f1cf190f8ca93000e56d49732e9e827e2554c46f
SHA2566452273c017db7cbe0ffc5b109bbf3f8d3282fb91bfa3c5eabc4fb8f1fc98cb0
SHA5126c414b39bbc1f1f08446c6c6da6f6e1ceb9303bbf183ae279c872d91641ea8d67ec5e5c4e0824da3837eca73ec29fe70e92b72c09458c8ce50fa6f08791d1492
-
Filesize
468B
MD542fed9a70dbc881d891e800f188eecb2
SHA11c03a4d8964386c3def1c67dc11c098a26d422c7
SHA25654b906a0f07cb24e8b44a82c0c9451771616ea739bd2bb0ecd5bb6495b6d4946
SHA5128c370f7033aa13e2da71d373b62484888fefc4685060598d9ed02d6cab891a8a220d1fef1b090da94a283cf64e372a22d397db8f453185d70de3b4c5934a2f4e
-
Filesize
468B
MD5131d3cbae532a57396f147cc875526dd
SHA14e4641bd5d627460e7201e38378d9618de328f4c
SHA2566be0e039fc52bc6c1813b3083f226129f3c89f6e2642ea5d361877453443b8b9
SHA512f062503d8cb330ff5a71085ef0c5e2f51702542fdad76730693b1b54125c53812d268d0dfe5351e9b637beab209854754c1ca6138609a1fba981a828b93987ca
-
Filesize
2KB
MD59d8710a2a7e9226f60d6b5be4351af3f
SHA120686d9a4ac1ab120e3aa4d4aa2197fd7bc67ca9
SHA25654ec3dd7f3948c4e5f815fcbf4b27bc2c462e425c8946112000df114f0430782
SHA51252d738abf1917e4b0a495ba50650fcb65c50c0b8895cb27f915f580f2c2218d913f0aa918d7a3f0f8e3f28d850f8f72e3f42219f1f48659be835bca7ffb70fe3
-
Filesize
2KB
MD571c2c3536d38075e6677599082b65787
SHA130a86f6ed2366e354eef4ba1bb5ee794329c3dba
SHA25611afab01683fb99f4a42c18b678e01b841ec0912980a252e4c0aea8a9352682a
SHA512afddf81a770e5ce01513dbc4175639430e1ec14d8ad3f0ae6c886167d42284eaaa983f31cfd49bb72630f2809b88495f61eee92b26985f28826829551caca5a2
-
Filesize
2KB
MD50476e1ef01a14af7d5b34eaa9e8cfff6
SHA1d4b007da2d2d7ba2cc10d245c4e607f336f814ee
SHA2561b4e5edc47e22d0853289878754e1126abb7edbd931d2f47adee7727f1118493
SHA5127872bfc0f0452094cdbb7f879cbb87b4202a760c6794349add8e7164a8ff136d6019ae645a76014dda628e2e0be9726d3374e6b8fe47eb77407e43472fdea5ec
-
Filesize
5KB
MD5b173fe704d1d3aeb9e3d5fa1426a43f9
SHA18cc6f85ba7bd6a6d20808f2d143210a3b52407ab
SHA256fab35574300505501c5cf9eec92fea527029f2b08c3e028c9e75faf2fa514c53
SHA5129eccc5669ae3fe6a6f3af43235e1ffdeca9e36d0a033aceda2566c6d0d6a5df50031b1e503d82fc45bfb9f23f009a2f977d1cbecabbd240ea4d4b2f324cd4d11
-
Filesize
1KB
MD58c8365a09e7c0294962b354d53481fb6
SHA1440204016c14a7c0c5f54c3afd65ad2eb791a83b
SHA256bd23c52dde176b55439776d90acf217e97eb288d3486910fcfd10a86095c6d89
SHA512e36a8902e51a5bca67a8a3d044e707c03f36063caea346ec4909d10e501a2691b3211603e45a2626324e182a2ba38c02060d96d4d23a6fe0b4c19139b1674c47
-
Filesize
5KB
MD527a49f65178e3a7ec37fd9b57b983a81
SHA1ee516f8ebbf11e2e200ca516aaf4d84badb5cbbb
SHA256c3ea77d2622aefe8efa4333ba619a59227feedda11f39249fdfce5195638d7ec
SHA512b70b9337a5fae864b2175d847306abd14dcc64ee258bf0f0ed71e8750b558107461f8d17d91a5903e73d875ae500ca9c71a6bc76b683836ded3d3b31e3e123bb
-
Filesize
6KB
MD5e9670a42f02376d5c06e3e73105021a2
SHA1b255ecc619bb17a3413e9473c88a1617c7de2c15
SHA2566bdd6798f2e6103909661516a6aedab79314df4d2a42a40853ebad9b5e0d18c8
SHA5120958c97ca4b59bcbff1a56ce5119007d759b2330638edd3705e0ea981a9f398dd071ef5d0001f2742127cab010b22a60a6ebaf65c3d2aaec9158799b73ec1f79
-
Filesize
6KB
MD572f335bf3863392d50e97033b1a390dd
SHA15bde42669e001d050180e3b56e2ed049d95ab2e4
SHA2566c0ccf90b0d1313ceaf7614a80effdf2072e370bcfe0cf029cce4b2a1a82e78b
SHA51232f60273a54dad217c1a8e26f203d12b99899fc4943d29bc1babe1062008aefdb4ee6703986bb8db009832746a7f0f64c9b3625d0dd4c221af36c338cc06c7e5
-
Filesize
6KB
MD508335909f2af5b71c66d6791473cacd5
SHA173d475e4bc5c18cb8f1d069a9f4d4975bc412ac3
SHA2563b45509642ff0829fd77ee03691eb5278465b433e7b762d21bfb18db0dc79e42
SHA5128dc6bffa7efafc027646d561767fe0c07720959e7b9720cc5f096be1558bb9586a5f5a2c54d94d63f930126bbc92eabf2e8b2321abc7f779002b064a7c995b39
-
Filesize
6KB
MD54aa05bfce5868d2111af805633d735c2
SHA1f1ba2cd1fdedf4c9ea5c951e52cbcfc2e5be2c1d
SHA25622a62d0c8859d8ee006c239c976a54d00d0d8a41f720a53244f4523cf2382153
SHA512b97d08890f84392a908bb186e0b36cb7c8ff2aa3d7915e3526ee64c2663aaf40a816d9669ff161b46eacc091c087492cde4e84774cc5aa36334c23abc70921df
-
Filesize
6KB
MD59d2642cdcd54d17a1251af6df907483e
SHA16a192d9ac3093cb9b02d067a9f4d2dc3df012961
SHA256b1feb99ce0b1a0ff7f744789e27ee9c92c44dec0e41a1d9b74366914b03db05d
SHA512bd82189629c54ccf3d7855be8889ecb646710c7204c0484c2c3555371380b2a75a8481f1e7810535b39f9c4796779b4d6c792345d0984e1a64e1f9e39c88460a
-
Filesize
5KB
MD57e0bfdabcdb8d2ca0b7d1e9e8b266a35
SHA11d0d341841ac7fe4e7ea596766e5eddce7fb47a6
SHA256be23ae98d54f0993eda9a4a4d31719a4c5b659fb43257981f7875d34b301a9f3
SHA51249b24223f085d2ba2a7f325529cf7379ed1188217ff57fc7cce2b8693491184611ee1dcb56f63afb7ac26bb1760f9c9aa3ba0ffab14cd3a264947b298da3ba3e
-
Filesize
6KB
MD5177c0e4350ae0074771077f0d42475f9
SHA1b0d092d444f0d2241d6e63e7fa8970fa736bda6d
SHA256764aa13996821faa53dff50b6c14f04e827f5b3b6ed5b5e68fe6fd5f148e4ea2
SHA512a1c8a9d26da29ecf39b2a03eb3d7f7f1ba0249d514e64d76db690a503f8380f80491f54aad84c3349eb783044be1c7532489225a6de11ab6f8045174fa0cd3c3
-
Filesize
6KB
MD5857fa2a72ed37a1f5234ead8f7684528
SHA184084c034054e81afd5c261efa353f873ad3f358
SHA256a85e6c71687b49bed364631e0dcba0268233a4e8ed890b5d18f94e906c261c61
SHA512619b64182c681e006b4c7285c193bbc33055232a3d9fc699b7e708d1933b757c2f33dba47c9d430baed188b3c588f379ef77e929d6ebada0118f47f12f46531f
-
Filesize
1KB
MD5be76b543f4a3e5e71a177f9efce847d8
SHA15de0243c728b65b4e57d1ac6504a72acf704966c
SHA256be2619b08b8051b0aa6907945edf3551cb9caf56f3570a3b04e068986fd9160e
SHA51240579f5642c213199559cfbd46e9862547ebd0a9035272e15a2cc14671390c0a14c7f79325449626362d8f4eb2da9e75bb68d3d7ea4b206344753aeca4112dff
-
Filesize
3KB
MD5ec19b8a97e03db8ae42ca67349402d65
SHA16ece7cb1a082132cbdacfc49625d0f6b74128c99
SHA2565c36b29227a71369377bf2b19ce6997ab2728560fb54a75902a1962453772cad
SHA512767927c18920de2ff6d8eb6ea689fb95c230044e44044cefea245fba5d22f33bdad55a7afa02b7aac5363c87ee17c58ea63c894a02753616c8f578d97f5367a4
-
Filesize
3KB
MD50a860294630477c322fb5a244622047a
SHA1d85ade1fa880abc80400a5be24e242b53d72d4c0
SHA2564828a819d700f391bac88db7b746cf55d24178e98fbf52cf65e00abbfee91142
SHA512ccbf9266ac0da92b780c2aa379674623fc1ff8ba267305ba03b8d2eb40d0e2faae15264ebb32176095d500436a2891c6fcf906502983c21be8e30b7fd172b6d3
-
Filesize
5KB
MD54b480c9f5da389d488768cb80a63af49
SHA132f9c4728b74d60b9d2e46853f8915b1b196d5c6
SHA256da235ff4cc96331eafe9fe3f1591fb0cdf979e1227947ab13fa2af01abb7add1
SHA51248fbdaf1a6f82522ee9775ee78d57891a707e25859f98562c4e9a2b804b689aa96ed12205524d05d8b099f8ede8de2560c2783825b7f418894dce4752b0b2478
-
Filesize
22.3MB
-
Filesize
22.3MB
-
Filesize
22.3MB
-
Filesize
22.3MB
-
Filesize
22.3MB
-
Filesize
22.3MB
-
Filesize
17.0MB
-
Filesize
22.3MB
-
Filesize
22.3MB
-
Filesize
22.3MB
-
Filesize
22.3MB
-
Filesize
17.0MB
-
Filesize
22.3MB
-
Filesize
22.3MB
-
Filesize
136KB
-
Filesize
7.6MB
-
Filesize
472KB
-
Filesize
272KB
-
Filesize
22.3MB
-
Filesize
108KB
-
Filesize
22.3MB
-
Filesize
108KB
-
Filesize
22.3MB
-
Filesize
22.3MB
-
Filesize
22.3MB
-
Filesize
22.3MB
-
Filesize
22.3MB
-
Filesize
22.3MB
-
Filesize
22.3MB
-
Filesize
22.3MB
-
Filesize
108KB
-
Filesize
22.3MB
-
Filesize
22.3MB
-
Filesize
22.3MB
-
Filesize
22.3MB