fff4b96876b0c78da96e57cf7ca1b0e0cbee4fde52047a9bde52e25b062d69ca

Analysis

max time kernel
141s
max time network
147s
platform
windows10-ltsc 2021_x64
resource
win10ltsc2021-20250113-en
resource tags

arch:x64arch:x86image:win10ltsc2021-20250113-enlocale:en-usos:windows10-ltsc 2021-x64system
submitted
27-01-2025 11:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

AnyDesk.exe
Size

5.3MB
MD5

0a269c555e15783351e02629502bf141
SHA1

8fefa361e9b5bce4af0090093f51bcd02892b25d
SHA256

fff4b96876b0c78da96e57cf7ca1b0e0cbee4fde52047a9bde52e25b062d69ca
SHA512

b1784109f01d004f2f618e91695fc4ab9e64989cdedc39941cb1a4e7fed9032e096190269f3baefa590cc98552af5824d0f447a03213e4ae07cf55214758725a
SSDEEP

98304:Uc9HTcGO0ImBimas54Ub5ixTStxZi/l9K0+zLVasSe4JnzMpm+Gq:UcpYGO0IOqs57bUwxG9CVaskJIYE

Score

5^/10

discovery

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2826969134-2088669430-2680400721-1000\Control Panel\International\Geo\Nation	AnyDesk.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2826969134-2088669430-2680400721-1000\Control Panel\International\Geo\Nation	AnyDesk.exe

Loads dropped DLL 2 IoCs

pid	Process
4840	AnyDesk.exe
5036	AnyDesk.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AnyDesk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AnyDesk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AnyDesk.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AnyDesk.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	AnyDesk.exe

Suspicious use of FindShellTrayWindow 5 IoCs

pid	Process
4840	AnyDesk.exe
4840	AnyDesk.exe
4840	AnyDesk.exe
4840	AnyDesk.exe
4840	AnyDesk.exe

Suspicious use of SendNotifyMessage 5 IoCs

pid	Process
4840	AnyDesk.exe
4840	AnyDesk.exe
4840	AnyDesk.exe
4840	AnyDesk.exe
4840	AnyDesk.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4836 wrote to memory of 5036	4836	AnyDesk.exe	83
PID 4836 wrote to memory of 5036	4836	AnyDesk.exe	83
PID 4836 wrote to memory of 5036	4836	AnyDesk.exe	83
PID 4836 wrote to memory of 4840	4836	AnyDesk.exe	84
PID 4836 wrote to memory of 4840	4836	AnyDesk.exe	84
PID 4836 wrote to memory of 4840	4836	AnyDesk.exe	84

C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
"C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4836
- C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
  "C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe" --local-service
  2⤵
  - Checks computer location settings
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:5036
- C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
  "C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe" --local-control
  2⤵
  - Checks computer location settings
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:4840

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace

Filesize
4KB

MD5
12d803aa66eddea509c4d3a9259a3aac

SHA1
cb4208b8131d21130d5f1df12b7397d2297b506f

SHA256
b6bd3cca360ccde574cbf549dc5e8283765a5f80cf99ef41ad74be3b1cb31aa1

SHA512
bbf37eaf29dcf8b00a7eef174f3d7b305d734d629193767739beb8649ae51c56d7609c564bcacff3eb3bdebf6a4152008931590aecef85ec38192455ab01b71b

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace

Filesize
9KB

MD5
8990f023dfbac6cef32fcb2250e19be3

SHA1
bd1a96f9119702aa29eb7f82b3942d0064661cd8

SHA256
fb5ee97fdc147bd488d18be94c4cd6fe39923884086cf0f4a159087082df676e

SHA512
f822ca06955db630c1f8d8e3746901fbf832d1ddaf9adf60e6fcac7ef8ff06754a722ad3c2fe2b372fe5402be3093084f0f1fe3498ae864982ab3dc9e300f944

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\service.conf

Filesize
2KB

MD5
4e3e0df8cbe91f22a8aa84905a113955

SHA1
09a6f35310a5742bf813909372f254d3d424ebf5

SHA256
71ab9e9561137c72da93d5f46ce9f13681ddd1b128e241475c533841b62cb156

SHA512
48456836a1cced0e574ad00230438722dbf328abe0e7fc298aa390326a16d8607d026f2408cac8e42e6aaf35963d5e50e522a555cfdc946d9ef7213539e4f4b0

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\service.conf

Filesize
2KB

MD5
386ac66a28b0d63d1c8e9bbe1bb163c2

SHA1
7ee649003c47ff1f62d1706496a8925e73f3b9a2

SHA256
98a9e0372988d904d505e9718ad018c7d426f843d595f7d3477409cd89babc9f

SHA512
13fa7bd238daeaded4542e49766dcbda60d5b1afc28816bf19aff6c1ed246170368df96b39c0d548648b41d21aeaf01b2778e0e52741909fa224247683418631

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
745B

MD5
7b671f08703807803bdf715ad1db3c3a

SHA1
cf99b78aab54ee3f92e5d057a12105f666875805

SHA256
9388247a02c317a5b32775813ca45b502785c6563be1145348dfc76df45291e5

SHA512
119042ce04fa2f64132f69236135a7956da9a4b8da42c508c5528ec7336bb42d738f5f510537201aeadab52cad40daaf751fe3e706068c3e386b9a1eb438f5f9

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
766B

MD5
f46acf5c773bd1645869bb8cbab559dc

SHA1
b60834d0d65f9d682b1c682b968379e547e7fd20

SHA256
f5cb4315421f9289cfdc09b9d2f093338cc4b8c05c0196c6c5c229d3de62e03d

SHA512
75493b13aff6ce73c3a14f5c884dc6ce1cfa14ceb1c278df46d8fdd124c17443114e25f13f893af15929469017a3f36e4efa19f46ec83f7f3c6df6a82584c1fe

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
823B

MD5
c2c6b4c9641a94cc28092f004c35d257

SHA1
635d5b371757068c96ad5bae8ea7e0d38e3762ca

SHA256
a7ad9c1429528e7a092f620e69f8ef00f3be9f99267ff81c5598bb2abdbacf9e

SHA512
e35799c358441a265a41650387453531fe97e1b0a57d65bb58bb2f615877f3cdb42c7ed51acd37512cd0f2b7b0e12b03550127dae5b87baef2bf091e0f43a604

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
832B

MD5
d437d288b190aeba694b53b6e1c66f0e

SHA1
9d5095a2ada703bf5eadf7ca4bb9cfa5e8a78f58

SHA256
e4598de211f044776e69be39e04517f8245739ce326b95db341a84d032f735ec

SHA512
594c0c6285c61c90182e203ec38c61a2d9abd163b347af3809c5155174acdc7e7cd3e22d747a5c8dffad16770f39483ccecdbde4ef4fb668d29aa35718514b44

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
312B

MD5
0c04ad1083dc5c7c45e3ee2cd344ae38

SHA1
f1cf190f8ca93000e56d49732e9e827e2554c46f

SHA256
6452273c017db7cbe0ffc5b109bbf3f8d3282fb91bfa3c5eabc4fb8f1fc98cb0

SHA512
6c414b39bbc1f1f08446c6c6da6f6e1ceb9303bbf183ae279c872d91641ea8d67ec5e5c4e0824da3837eca73ec29fe70e92b72c09458c8ce50fa6f08791d1492

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
468B

MD5
fd8f6bf311b9a588660cefd91aef7c00

SHA1
243dcbdf68ba5c24d0d6d3516c4432256a2f10e8

SHA256
0b13e6977e3f68f1f45446f4eccc1a8ae9267cf2594c0a88ac509d2490fa4d23

SHA512
7289907024b023ae2150b999d4d8e799b01848919aef2996b0a7b0ee89d40e7d09b5ed8558ed1d7a49f7a5342591e2abb95ff05d46d7c54139b0f2436d5155db

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
468B

MD5
26583a1d16499f30354ffc86a94e3f39

SHA1
b00cab4ad1e4354ca3557d5914420642748afc7a

SHA256
c81c108ba1c87781c31899062eeea791f780204ba7c526c79db702146b241377

SHA512
6f9fb74cee05b5b2774e772e39e97570490e7b10c53ab68549074630d00ce4ee30e7df2f6401a44dea14f977c9d152c6faf60fb475a3b5be0dbe72bf770f95fd

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
2KB

MD5
163b166b1a3e784b8e7e92dc2198d991

SHA1
e9bc8ae541999b3efa3c351b5d4249d306d605f7

SHA256
98c673964691031fc8c6b77bbfcc62a8149e9e9fbf0198f8ce439dfe15592e81

SHA512
c7bf618061fcf8082f3dd588959d3d51c6188cdb0a5c35646849b8aad70f3661d7ea7e12d7fc83e92e06b01bb3a42011657528a3357d1fdf7561836c9d86d77f

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
2KB

MD5
1bc8fbc64a4521ba558611feab8c4d36

SHA1
73103b0f78224711eb4eaaf83f4d883e3e306c86

SHA256
2310644b07f46ef296058351e50cc5fa17b0c7e395cfe0f0aeec0bfcd6b64427

SHA512
a260ee2e2df8134437c2918116272b3ba839e32c2986319ee2fd0e3b58668117b47b8633f2013e9045231d031da54a8f9a47ec6243b37e4c1f187af1e456618f

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
5KB

MD5
47a4b1d70a0479fe66accf0966292d25

SHA1
524f71253558e0b0ba5af3fd264ae485d8bb679a

SHA256
bbab7ac8ba77467f5b588a599276979dd98537961c1ed7295f14dd8c5e859ba1

SHA512
e4aeb114eb5ec26214ee714880e142a8df7bb0953f881eb4f59b45d06c5f132a3772987b8e0800b1256d3c08b8a66fb463e6dcfffcc9264d7da43076548c2166

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
6KB

MD5
6a6f07ac8a6c5c31fe2bdd7f4a49cb82

SHA1
d416c5f8e13a297abba01886532d389ab05f387f

SHA256
0789ee95cc3d5de6fb0c70be46d56f59cabd4bd00b60670a5104265b2d367a0a

SHA512
1e402ec616afc38682c879c9e5d0c9a333cc4963454c96d90a97cf83a23a5441a49bee43bff449771d261d3b8c2c0b0ac4cd3ded64ed7b2470bb6cb87ddf0518

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
a0c6b0ed3f0d5b8dabd03164d4728de2

SHA1
d55c80f1057162a317e71bbf5d9c769b43f9c372

SHA256
4439acc5903a521050d649d46bc5b95098049f5014d58eda445bb952ce35bbd6

SHA512
42726dc0dbb8214dac62b02e146687ac1e6608b62c9d5521133159d40f3bacd6540fbd9a46ec2a7c2220be77456d61d30bfa67355d203faae3f067747a7878fa

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
6KB

MD5
9a482540bb992bd7aeb9175c05f626b1

SHA1
6954037a0edaaafcb34a81b0c7a6da982bcf0b0d

SHA256
8ab567c6bc81fd45b03f7c05d17e6e11b0904c16ec7d698aed1afa4d5d80966b

SHA512
bdd5fbdb2f5c23fc5f64ab827f209d986de4afaf457cb109035fa6e7b53f39acb08959aa488812ef75cc356f859e9bed6d26ef9aa24180b2f7242c23afd42bd0

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
ac6ed759b93a69e666ef23f77aba42d0

SHA1
99eab693033908d6be21f905784a53fa811c16d6

SHA256
27e26dc59e4a3a0e59cf120d87376a18385383c1980a6e573b43c91c371c3340

SHA512
0d314718b1ffc286fbcc6107759e3da5df35a60a2d5a5079aaeaae4a8e18191d5201975137a4e7eaad64db2b2c660e1074fa33759f6efa9e2c386fae744253dd

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
07507c6735a86128853576feb86a2f3f

SHA1
ccd81d6d97799d7fca0f55be997b06c8c7417f7d

SHA256
11b9edc00d637da30fe9f485548f3de2e3dea58ba6f7b3d09e07163fedcf2e61

SHA512
36fa81ee5196052e9a55c969c3523536c79a8761b002049493169433764d3da1e70854b94dfd68ec5db96b39d81bfc245b3ead49c06a7fe7d588ad18950d11df

Download Submit
memory/4836-0-0x0000000000F24000-0x0000000002026000-memory.dmp

Filesize
17.0MB

Download
memory/4836-4-0x0000000000F20000-0x0000000002562000-memory.dmp

Filesize
22.3MB

Download
memory/4836-2-0x0000000000F20000-0x0000000002562000-memory.dmp

Filesize
22.3MB

Download
memory/4836-195-0x0000000000F24000-0x0000000002026000-memory.dmp

Filesize
17.0MB

Download
memory/4836-196-0x0000000000F20000-0x0000000002562000-memory.dmp

Filesize
22.3MB

Download
memory/4840-12-0x0000000000F20000-0x0000000002562000-memory.dmp

Filesize
22.3MB

Download
memory/4840-198-0x0000000000F20000-0x0000000002562000-memory.dmp

Filesize
22.3MB

Download
memory/5036-10-0x0000000000F20000-0x0000000002562000-memory.dmp

Filesize
22.3MB

Download
memory/5036-43-0x0000000006850000-0x000000000686B000-memory.dmp

Filesize
108KB

Download
memory/5036-14-0x0000000000F20000-0x0000000002562000-memory.dmp

Filesize
22.3MB

Download
memory/5036-42-0x0000000006850000-0x000000000686B000-memory.dmp

Filesize
108KB

Download
memory/5036-39-0x0000000006850000-0x000000000686B000-memory.dmp

Filesize
108KB

Download
memory/5036-197-0x0000000000F20000-0x0000000002562000-memory.dmp

Filesize
22.3MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads