d3b606e08c524995b585d6649183387068ee1dda60dc7e11c950966a7e73f234

General

Target

AnyDesk.exe
Size

3.0MB
MD5

c8eeac24eca23bd1df10b02d5430432d
SHA1

39194c57c0488eca2ca7600d03783f6df4957688
SHA256

d3b606e08c524995b585d6649183387068ee1dda60dc7e11c950966a7e73f234
SHA512

e67f30c7bdac4b57cdad769b332b586a25c8d95fd0361a90986fad1e5ee2746b4a67c6a74defadf92a2499f6b5fb7b7a26057a5148ad270e45bacd366419f94f
SSDEEP

49152:PjHajM8yMboA7HSP/LRVTRoxy4cUARNLBQfnysp8OQmY7jRvTepmgChCkjIvaW:P0ByMPGP/LRVTmM4qNLB4kjRbWChCkOR

Score

3^/10

discovery

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AnyDesk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AnyDesk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AnyDesk.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AnyDesk.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	AnyDesk.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2712	AnyDesk.exe
2712	AnyDesk.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
4648	AnyDesk.exe
4648	AnyDesk.exe
4648	AnyDesk.exe

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
4648	AnyDesk.exe
4648	AnyDesk.exe
4648	AnyDesk.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1260 wrote to memory of 2712	1260	AnyDesk.exe	83
PID 1260 wrote to memory of 2712	1260	AnyDesk.exe	83
PID 1260 wrote to memory of 2712	1260	AnyDesk.exe	83
PID 1260 wrote to memory of 4648	1260	AnyDesk.exe	84
PID 1260 wrote to memory of 4648	1260	AnyDesk.exe	84
PID 1260 wrote to memory of 4648	1260	AnyDesk.exe	84

C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
"C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe"
1⤵
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Suspicious use of WriteProcessMemory
PID:1260
- C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
  "C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe" --local-service
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2712
- C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
  "C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe" --local-control
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:4648

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace

Filesize
8KB

MD5
a7a83e2896e00c1ca6f9eaec9b11d344

SHA1
d0a90def3bb354abb7e65a3f5e833a7c196a2ca2

SHA256
6c2ddd1f89ee1442c8a2f8c999b6c5d56f36f0fb744c38029e6864221709437c

SHA512
17997d64e3e4e3be1e1c78c60e12ad437003a668f8c0dd6b7effeac018a7cfae66771effadd5f389950565765a9ee7298429b586609521774330034af5cf5802

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\service.conf

Filesize
2KB

MD5
9d71d1e95bf6d7c18c0d4ff91a1b3f98

SHA1
8dcc2a20eda1eeafcc87076f4e14de3efa5e347a

SHA256
46a82da883c3107c0968db1985d3eb8eeff8f89bda30097714457748c0c6a6b8

SHA512
abeec373a2618dc7c4dabbcedaca868d6d73fb6a6d4510a56ae609dd34891f396a2d92979a9131260388ebcfef07adf442407f9a8a5cf5baf3ac9bcd4c9b30b5

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
105B

MD5
d391bd559230f92133ae18519b399f6d

SHA1
5fad5dcd38e26c211ff3e318a67e5e337515118d

SHA256
bfa9014c00a81e4d4bc74cdb0021435eee5d0f06e0dfd1d545beb9f7bfb1a317

SHA512
6949ca6f1454413e807beff635a223b57547ac87307210577fd3842d8d3fc289526c09c61c2016e1c34fccd29cb4793a93111fad8553f1a301a79abf323743dc

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
330B

MD5
f9d8e3fb4e06840173ee61985a8bd875

SHA1
76ea855a46adc1311d960f84af54ced400bafadc

SHA256
deb4b334910443775da82c51159de358c529af6854e85d183b1841290afa61fd

SHA512
0b10131667128de26674159b15f361f7ed29828d898832a7f9e4e7ee4afa7f6f5ea61c7684598d1463b3541514e89b1bfff20643f0a45aad25eda65f06c9e7be

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
107B

MD5
f25e48e1d9e1e1398bc5fbc6885570b8

SHA1
46557c8ebb9236af6c28c9bdd317d1d25749e710

SHA256
0379e6a5dff30a991e0acdb9932cac828eb3e30ca8cc23447a2bc73ae78181db

SHA512
41e61480f5141b6950d7b96f3e4dfcca19bc480e0b11eeebdedaeb266c6e525f41f3d29a3c1c0bf8f17a3c30111d8fba7e269d5fcf84b336bee916e21881acb7

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
205B

MD5
59352c2b0c590c5fd96365d3168d723b

SHA1
53ab571639cc3e3a38032c1095985f7f4278d8fc

SHA256
079db0d18cb8ca55e8653f3d67608c5e445d32e368feb874ed3fa1d797c7c286

SHA512
2d21bcd26ef934095ca5b37aa1e66091547870f5e09c2d203dfd75923d2575f93f1a42f31e4fb7b2423b766984464ed65b048f49519837918de246a892c82828

Download Submit
memory/1260-13-0x0000000000550000-0x0000000001185000-memory.dmp

Filesize
12.2MB

Download
memory/1260-18-0x0000000000550000-0x0000000001185000-memory.dmp

Filesize
12.2MB

Download
memory/1260-17-0x0000000000550000-0x0000000001185000-memory.dmp

Filesize
12.2MB

Download
memory/1260-0-0x0000000000554000-0x0000000000E7E000-memory.dmp

Filesize
9.2MB

Download
memory/1260-3-0x0000000000550000-0x0000000001185000-memory.dmp

Filesize
12.2MB

Download
memory/1260-1-0x0000000000550000-0x0000000001185000-memory.dmp

Filesize
12.2MB

Download
memory/1260-57-0x0000000000550000-0x0000000001185000-memory.dmp

Filesize
12.2MB

Download
memory/1260-62-0x0000000000554000-0x0000000000E7E000-memory.dmp

Filesize
9.2MB

Download
memory/2712-19-0x0000000000550000-0x0000000001185000-memory.dmp

Filesize
12.2MB

Download
memory/2712-58-0x0000000000550000-0x0000000001185000-memory.dmp

Filesize
12.2MB

Download
memory/2712-70-0x0000000000550000-0x0000000001185000-memory.dmp

Filesize
12.2MB

Download
memory/4648-21-0x0000000000550000-0x0000000001185000-memory.dmp

Filesize
12.2MB

Download
memory/4648-61-0x0000000000550000-0x0000000001185000-memory.dmp

Filesize
12.2MB

Download

Analysis

Sharing