d3b606e08c524995b585d6649183387068ee1dda60dc7e11c950966a7e73f234

General

Target

AnyDesk.exe
Size

3.0MB
MD5

c8eeac24eca23bd1df10b02d5430432d
SHA1

39194c57c0488eca2ca7600d03783f6df4957688
SHA256

d3b606e08c524995b585d6649183387068ee1dda60dc7e11c950966a7e73f234
SHA512

e67f30c7bdac4b57cdad769b332b586a25c8d95fd0361a90986fad1e5ee2746b4a67c6a74defadf92a2499f6b5fb7b7a26057a5148ad270e45bacd366419f94f
SSDEEP

49152:PjHajM8yMboA7HSP/LRVTRoxy4cUARNLBQfnysp8OQmY7jRvTepmgChCkjIvaW:P0ByMPGP/LRVTmM4qNLB4kjRbWChCkOR

Score

3^/10

discovery

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AnyDesk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AnyDesk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AnyDesk.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AnyDesk.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	AnyDesk.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1156	AnyDesk.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
2156	AnyDesk.exe
2156	AnyDesk.exe
2156	AnyDesk.exe

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
2156	AnyDesk.exe
2156	AnyDesk.exe
2156	AnyDesk.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2400 wrote to memory of 1156	2400	AnyDesk.exe	30
PID 2400 wrote to memory of 1156	2400	AnyDesk.exe	30
PID 2400 wrote to memory of 1156	2400	AnyDesk.exe	30
PID 2400 wrote to memory of 1156	2400	AnyDesk.exe	30
PID 2400 wrote to memory of 2156	2400	AnyDesk.exe	31
PID 2400 wrote to memory of 2156	2400	AnyDesk.exe	31
PID 2400 wrote to memory of 2156	2400	AnyDesk.exe	31
PID 2400 wrote to memory of 2156	2400	AnyDesk.exe	31

C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
"C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe"
1⤵
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Suspicious use of WriteProcessMemory
PID:2400
- C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
  "C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe" --local-service
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:1156
- C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
  "C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe" --local-control
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:2156

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace

Filesize
5KB

MD5
72076d58680f6eaec8a07bc7d9c45169

SHA1
93409fc98006aee87a1377cabbf423d81349a4e7

SHA256
53340536aa3924ded282ec0c6312781528c6940a1ee1e1d9a728e52000962f6c

SHA512
2edf3a9d5c41919097bb0653ce099945c57b32bee4d8829c9206ef8b74f6a552f80575c2720ccc62ff3cd5ff770db4143f3e91a2a4a0fe0b460dd1ba588592c7

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace

Filesize
6KB

MD5
f6c907e878b03e3fab3dcfbd4d1e4a6b

SHA1
a5a87f2244235bb8bb86ce64eaf6bce7baefca09

SHA256
06ed98cff805804c9a6d6cf8f41043a9079fad68df69d3979823d62d12b34a41

SHA512
dee1c0fd7f7a0959f7983e2c2c30ef5e9ff769bfb1707b9bcc166846d98e4e6185b8358cc3d565a25f05444ae0d310bb78f67b575be810d7d19cc36199b4b5c4

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\service.conf

Filesize
2KB

MD5
b2b6ee27c745c2a6bc666f77e7224221

SHA1
c732f86675e3b318b39657fccb063089be3af1b8

SHA256
4e82f92bb88b644cb33793fb3d48eaf3d5599735e59d5cb3faa54715d343213c

SHA512
90aa50087ca44e68f8b910572ca19bdb1e301d1cd1f59730cb25e7f451ddd3973e0b29ca391aa47b4cf10a401e17f01ade4c6f7c33e6e81e4fbf222abe5b63f6

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
105B

MD5
a5a69678734afc26f7256604c88a7fde

SHA1
00cf6adf98e120af401943d52376412ebffa7467

SHA256
6a2a58c422a6fdabcba2a9a5a8acd72d5fe6d5f2cf4f67e98ecfccec05492d6c

SHA512
3ad2dbf81561291659bbcd449560551428d8b198a4dcec0ba3378bc5f00f4ff8daea830567e582ffcda2600a537dcce044328a4bc110eeef5219a0bb9bf84110

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
329B

MD5
c379b503d45df7c3885c92d21851b4a7

SHA1
9a28ce1907c411e3f4c28bd8c901f8e2e910ef5a

SHA256
d10d9aab08591f5a640bafba14a32617927db0fa8c0ce916822ddaa3c5a2f528

SHA512
e84e5871bccc475ebb6c278ae3c3d9646267ea7110ae3953e3e5d952139ee9803de486a0e3b69f2a58a135335c2e5fee5bdeb4f064ba4c66880e35eca6da04c5

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
107B

MD5
f25e48e1d9e1e1398bc5fbc6885570b8

SHA1
46557c8ebb9236af6c28c9bdd317d1d25749e710

SHA256
0379e6a5dff30a991e0acdb9932cac828eb3e30ca8cc23447a2bc73ae78181db

SHA512
41e61480f5141b6950d7b96f3e4dfcca19bc480e0b11eeebdedaeb266c6e525f41f3d29a3c1c0bf8f17a3c30111d8fba7e269d5fcf84b336bee916e21881acb7

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
205B

MD5
59352c2b0c590c5fd96365d3168d723b

SHA1
53ab571639cc3e3a38032c1095985f7f4278d8fc

SHA256
079db0d18cb8ca55e8653f3d67608c5e445d32e368feb874ed3fa1d797c7c286

SHA512
2d21bcd26ef934095ca5b37aa1e66091547870f5e09c2d203dfd75923d2575f93f1a42f31e4fb7b2423b766984464ed65b048f49519837918de246a892c82828

Download Submit
memory/1156-75-0x0000000001080000-0x0000000001CB5000-memory.dmp

Filesize
12.2MB

Download
memory/1156-66-0x0000000001080000-0x0000000001CB5000-memory.dmp

Filesize
12.2MB

Download
memory/1156-20-0x0000000001080000-0x0000000001CB5000-memory.dmp

Filesize
12.2MB

Download
memory/2156-17-0x0000000001080000-0x0000000001CB5000-memory.dmp

Filesize
12.2MB

Download
memory/2156-67-0x0000000001080000-0x0000000001CB5000-memory.dmp

Filesize
12.2MB

Download
memory/2400-0-0x0000000001080000-0x0000000001CB5000-memory.dmp

Filesize
12.2MB

Download
memory/2400-64-0x0000000001084000-0x00000000019AE000-memory.dmp

Filesize
9.2MB

Download
memory/2400-65-0x0000000001080000-0x0000000001CB5000-memory.dmp

Filesize
12.2MB

Download
memory/2400-3-0x0000000001080000-0x0000000001CB5000-memory.dmp

Filesize
12.2MB

Download
memory/2400-2-0x0000000001084000-0x00000000019AE000-memory.dmp

Filesize
9.2MB

Download

Analysis

Sharing