fff4b96876b0c78da96e57cf7ca1b0e0cbee4fde52047a9bde52e25b062d69ca

Resubmissions

27/01/2025, 12:49

250127-p2nz3sznan 5

27/01/2025, 12:46

250127-pz1wvsypev 5

Analysis

max time kernel
148s
max time network
151s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
27/01/2025, 12:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

AnyDesk.exe
Size

5.3MB
MD5

0a269c555e15783351e02629502bf141
SHA1

8fefa361e9b5bce4af0090093f51bcd02892b25d
SHA256

fff4b96876b0c78da96e57cf7ca1b0e0cbee4fde52047a9bde52e25b062d69ca
SHA512

b1784109f01d004f2f618e91695fc4ab9e64989cdedc39941cb1a4e7fed9032e096190269f3baefa590cc98552af5824d0f447a03213e4ae07cf55214758725a
SSDEEP

98304:Uc9HTcGO0ImBimas54Ub5ixTStxZi/l9K0+zLVasSe4JnzMpm+Gq:UcpYGO0IOqs57bUwxG9CVaskJIYE

Score

5^/10

discovery

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Control Panel\International\Geo\Nation	AnyDesk.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Control Panel\International\Geo\Nation	AnyDesk.exe

Loads dropped DLL 2 IoCs

pid	Process
2824	AnyDesk.exe
2764	AnyDesk.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AnyDesk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AnyDesk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AnyDesk.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AnyDesk.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	AnyDesk.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2824	AnyDesk.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: 33	2236	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	2236	AUDIODG.EXE
Token: 33	2236	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	2236	AUDIODG.EXE
Token: 33	2180	AnyDesk.exe
Token: SeIncBasePriorityPrivilege	2180	AnyDesk.exe

Suspicious use of FindShellTrayWindow 6 IoCs

pid	Process
2824	AnyDesk.exe
2824	AnyDesk.exe
2824	AnyDesk.exe
2824	AnyDesk.exe
2824	AnyDesk.exe
2824	AnyDesk.exe

Suspicious use of SendNotifyMessage 6 IoCs

pid	Process
2824	AnyDesk.exe
2824	AnyDesk.exe
2824	AnyDesk.exe
2824	AnyDesk.exe
2824	AnyDesk.exe
2824	AnyDesk.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2180	AnyDesk.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2180 wrote to memory of 2764	2180	AnyDesk.exe	30
PID 2180 wrote to memory of 2764	2180	AnyDesk.exe	30
PID 2180 wrote to memory of 2764	2180	AnyDesk.exe	30
PID 2180 wrote to memory of 2764	2180	AnyDesk.exe	30
PID 2180 wrote to memory of 2824	2180	AnyDesk.exe	31
PID 2180 wrote to memory of 2824	2180	AnyDesk.exe	31
PID 2180 wrote to memory of 2824	2180	AnyDesk.exe	31
PID 2180 wrote to memory of 2824	2180	AnyDesk.exe	31

C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
"C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2180
- C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
  "C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe" --local-service
  2⤵
  - Checks computer location settings
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:2764
- C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
  "C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe" --local-control
  2⤵
  - Checks computer location settings
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:2824

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x568
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2236

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace

Filesize
6KB

MD5
bc1fb7121f43aa520e19ba67f2a0b26b

SHA1
bd8ad38a68d53e762296eb393e2ddaceb75f9d3b

SHA256
f729883e3a3f7d101235f0a178f6cd641f65170b1b48c2cd19925fa3d4cfe3aa

SHA512
647a2b2be15ff61e50bb7ac2aea54aaf40383c44bb0b24489e08632b4900ace41a4b323bfc1d987b685c359e13c4ac24ca3765c71fc5a43fbdd1ecf264f1a3df

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\service.conf

Filesize
2KB

MD5
9f21a0233d13599e924430eb50f7bc60

SHA1
8687610c1452090b3bcdceb69d7134e0b502ea6e

SHA256
471d5268906cc061171df223bfe69b203f966fd757850c91e3a9c4a304ce77ee

SHA512
b3735e3dcb5a477a841ddf6ec5f389f797e358ef8526607dcb55c9ac8721f4406c55aa25025fb6077d36b37e6bc06e06813e55ca12bba8fb7f46fa8c07354462

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\service.conf

Filesize
2KB

MD5
a634b119f059af2f7efb44bdc640b8ea

SHA1
0b8afee987ac15f62e2746b00d6407bd5961a244

SHA256
1f3b3171f55394cdc396d2b0389d6bc43a224545c2399b1b7971a478844e11f4

SHA512
36ba34e7f84c79b984f40fddbb23096bd69df0c995ef4c3dede6d6fa1c5da34fb1aa741f53286bf28dcd56e5fc961bee4aff083cfdf17d776829c8caa8b54dc1

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
765B

MD5
80a543b63cddd68ce0b27113a9e9b0d4

SHA1
01d8fac60f57cc816c616fca3ce854a3b3efd326

SHA256
adc24c1f39393c050b0a253147ad30a9aafc6684307dd335efa8cfcb292de5e6

SHA512
18222e77a4d465176b7951804b26ca7c2407cf63b71fa3d6ed7153453be167fb1e865de4c00ce1eeaccdb9c937f69785a665c7f3106258c64ad6ff2494f78419

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
774B

MD5
a2bbcea5c209f8a5686d0f897d70e6da

SHA1
f4149062d35048ab2b2446d486e8d2e480880cb1

SHA256
5ae7f5c18d2d05ad72526dd8257a81e7d4faeee25a84425bb3c7adc9e07b0768

SHA512
f2e2d7b041397f2134d8503a8bc5b3e7db67adcec70ffeabc16c5da882ffa3eefabade514a88b4e959a5ee4ec13ebb571a62ebdfe5f6d4fb88c0656de739495f

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
831B

MD5
1d6364b2ef2060b9335820ec0dc708d2

SHA1
b6324819193f363376bc78a5f6bb4f0429dfa57a

SHA256
e086739bc24c10bc9a65ec8f92bcbec8ee5d61a4846cc2e26b4dfea25977aed6

SHA512
2e7bc40911b2dfa80bd6e79f1f97bcfcda30d775228e2e6cab60f5b3a5cdac8ccabb98b5de7c2fe6ab2543e7e8015e852d57cc0cfb66678b8c6872fa830a6b33

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
312B

MD5
0c04ad1083dc5c7c45e3ee2cd344ae38

SHA1
f1cf190f8ca93000e56d49732e9e827e2554c46f

SHA256
6452273c017db7cbe0ffc5b109bbf3f8d3282fb91bfa3c5eabc4fb8f1fc98cb0

SHA512
6c414b39bbc1f1f08446c6c6da6f6e1ceb9303bbf183ae279c872d91641ea8d67ec5e5c4e0824da3837eca73ec29fe70e92b72c09458c8ce50fa6f08791d1492

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
468B

MD5
d0b6eecacbc67b91896bd2829f66d945

SHA1
7dbab6c8000f869ca5d8149bf2fe40a7082bb392

SHA256
2ad71d18dfa124652eef87331b0386496489071f27a57ff935558f1d5db29c35

SHA512
aa74dddf4fbdc60cf1bd70bd5c2b1d1c548324eb1bf083829d1e31ba7ecc5d7d1d4749f37eefa9a618198a1c6ab7ce770b06844873ec1b7a586171d88eedfc43

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
36aa6111b59ccd56bcd7da837e205e85

SHA1
8ccda2c534f6adf46cb34c797ea3d8218b5cae9d

SHA256
a884a280948d5878380f03f0e7c9e11982b0af9e747e4c26215d4b370b376819

SHA512
a3970b31b95329662bacda625c1bc874864614798933787c0c9771dc3637caceb1e70d359f75e31975b8126d6a7caa0279f856bbbe0682827d1501f87888d3fe

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
2KB

MD5
695b0183ebdc0ba487e8f5edb1167fa7

SHA1
aa35373dc7aa1580c86d2eee5b9ab9ee5e5d84a1

SHA256
88899a404f80bab3ce3b9befa87c4ca571daf461b892322df8650cfbc2450687

SHA512
3f2c44e710a3bd981299d9be79267fee43059521eac7608b5ab96b193be9a775ef5dbc5cdc4e54ea96f111a9f00611b392c6f262abec3901962ceb9251b4cada

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
5KB

MD5
9b65bec3c0649c4b56f12744658aa7bf

SHA1
96d5f12ab70f6df2e8f762710cec458a87b331a0

SHA256
af80a796dc069712642b538d79f7ecc0e58b196bc83b8e456468072da7709da7

SHA512
3aa35aeb32d315d27096452309873f7fcb81a19ac53e7c4b1b5a2342138f75e1b262016217f89f7482bdaf2c0df6ccd089a1ce8ae207edab6feca0b18de42902

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
5KB

MD5
d891596f800687d5f34b4ba9a414b37f

SHA1
80d42438303d28ceffa2cbfa6370b60ba215c65e

SHA256
63072ca50d126c6f4e3833e66e15cea514c97429e98ae159feaf12793a4f1968

SHA512
ea58b77badbef993ac4841da77f19da7352a3feb8d98ff53a1322778a3cba7ddd695c6231c590b83748bb2c3de875fea7d5f774379972b0ccf27ca32841798bc

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
5KB

MD5
11a64019024c9fe962842f43b7b810c0

SHA1
499d8b7a902e3ee0080c4ce32e7f8411cc49b464

SHA256
86a924d25e8bb55f7c242e0fcf796647505697b028346dd5d28733df6e11b0e2

SHA512
7673cc858143e0ffdaca951e163cf51639a91396b56ca7e09d491b0197675f71a9238200c6e842480f39a2c0352d4da48854010177735daf5a73e9daa8b4101b

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
c4a0ed1ce63ae54ed3ac8a63f99d7ad0

SHA1
5834abf87f639a510eb00b0cc54033286f34413b

SHA256
176298a5c7eca07ab8408081e5de35f3300f2ae05d0515992779cbbb67348433

SHA512
1f6b4af4af54527428197033d0dedcd22c53aa6e22aa1f6a9f73e3a4446648df44c308f76a1aa03e6cbf269078472cad77fc14bbfc897f1a440a63b629dd5003

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
6KB

MD5
7db0030eca0487c01e9edba2b9bd2d83

SHA1
57845b0931d3aafc1c7ada5b12c335a3d863aeb9

SHA256
cbdecb1ead293c3f951def3a801224a74b415f1f94edffe5c93c2c364c9ce86d

SHA512
ebf3a911270078b9ca7381a795509ab92cf9432473d2cefdc252da897fd523449e6b3fabe62bf5e9af693ebb7f41324bad85f8ca791fb14d3f58fe912cd2ea41

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
6KB

MD5
b40e9445657e8a05204e29d8c710d645

SHA1
aa62d86f6c6df1210bd3f96b094f481b06961828

SHA256
1d521eb8f4b020ebd76921f488e3a8438cee656adcb14da648f4c909a1ab6e42

SHA512
d44305a6bcb6aaf4dae4656d7e118ba0021bab47e70aebf15d65df3e479ecb1173094a3e1ccf43036dd4fc69b53e268c20dc546a0a332a7217568f47fc7eeffe

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
6KB

MD5
6bcbfa39bfbf1812a2668f3991de5149

SHA1
d4cd254b365603a76eaccb328126910c4c6edfee

SHA256
3a6e90d61b339add3fd47e588c2c81ff75f9ea4da2ca024ab6bbee693b09ee99

SHA512
abfd7605a3608ea0aff0ba2f466b5d0a1805d6e62a47d92731016503f457cc2f7772146bf2aeba6e138e997576f1a75bee08c7e998553421d561e58712d4b020

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
6KB

MD5
f3803a0fe091d84d172b9644558ae4e1

SHA1
c9bb0954cb04cd8ce9b133ac8dcc6a2279067783

SHA256
bdc59369d2051358a834c2061d338d8bb70762aa21d12e9ddbf8a517cad45f0c

SHA512
b2a531fa67dc73ce34075b006ccf1791a51f81326b672d04c59245dfc535126d17a16924e23585daeeb209a671afe80a2096965cfb14b9aeaec2a33a1ebc1b58

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
6KB

MD5
85594f3d4c549c451083c23f0d4b52dc

SHA1
60e5044084ad4d0e5264321c8e9fca39741fa2d2

SHA256
8d75afbef04faccd6c759d776d27f7c66547eef902532c1c72c448ee5f262906

SHA512
b37e855a20fba1614fe909817bdfc5f40b311da9240a3332b86f971c2d82862f2dcf81b925d9f6059e363a4d01f623c930abc03a6e4f28ce86239d43db5e01e2

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
bcb0bf4108bb994507c19bfea728c739

SHA1
d1dca3d8fc9bf22a7973f3c732357d435ce931c0

SHA256
35e94e882c179aa3285fa357cce1b9c2e9a54f34953fdf6a9a9cfde143e837cc

SHA512
72928f4b28d5598819191c08f4d0b58e849183a4dd00b196c989b5716576454fd5c21cb99e023878a51d3a2bbb514c5592fb1c9c8dcd662ab5940d864e0f539b

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
ede59bcb90ae495a690e265919216bb1

SHA1
d139212a1f4206dae7b14135f4c9b9ec523b5a86

SHA256
a6c2ecbb7c18f201199423b17854ad2c20786f904487b66548a185f9b31bdb3e

SHA512
ecd40bd1e8186c77a8710a02b06d410a9aef003025384fa6a5fb91ed61dec93e0927eddeb2d9a774ff4296f862afab082063aecc90eaa31c8f2cc344a2da734b

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
7e2b1c5bdd88fd62c6f69a1a5f80ed67

SHA1
8a11ec3a1a6dcac447cf8ad91d140947906f14a0

SHA256
4862e5eef71103a14c4e153b6e725a9bf94b4ade486e904a4bdeeac95e122ac3

SHA512
460272023cacd75f6c486bd74eedfb70ffa3b9ab1286177543b0fff9333c00872003220425f03cfb71fa324b980d7d8202f5bf01763858ea681d227291b7dea5

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\75fdacd8330bac18.customDestinations-ms

Filesize
3KB

MD5
2101eb07fc55778b06ded9dba6c425c3

SHA1
5c8c3b821101701ff76d5db6bbdb59e3be2c800b

SHA256
a2893702873dc88c93cefe6f9407bdd193ab34d979f104ec9236adf323dffafe

SHA512
cd4b8bb816c94e7b77091d91b9c153fbfdcc3b1440fce3aab83a151922bad691b7d17a20380b47945a41ee011b6e2cee392261312200b070fbd0568ee33093f3

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\75fdacd8330bac18.customDestinations-ms

Filesize
5KB

MD5
4cd5709b566e92efe6953f7377ec4772

SHA1
e58f4fba2ab0ead57fa6091c4f618d2bc4017a0a

SHA256
262c4427f6631e0d9a36dbd1122e6f5b3f9a105cffa1d74667abe0779748cb35

SHA512
cfc88a153662c10e358aec30aaacb558955de1955a3ff972afd57a3ee1d8030c711751d2eadecd887737d30c529a81a176584be0676b08786410c1a0c9f5aa8f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\75fdacd8330bac18.customDestinations-ms~RFf77c062.TMP

Filesize
3KB

MD5
f0999c9a0e2b566f6651bf34e0471fe6

SHA1
2dc484f3bc9c45bd6c34b1ccee481ca2bc270fef

SHA256
7b8f65225c87d08ab94a156391e4f557c44f39094bab4423b381dbd66fd7df1d

SHA512
60400f76411832b7db25ed69fdbe949805f76fc3649b6b3e5c60d51dcb80bcd7fb0706665fee72aa87faf7abfc018ece1bc4186f700429cc712d99ac64403af1

Download Submit
memory/2180-201-0x00000000003F0000-0x0000000001A32000-memory.dmp

Filesize
22.3MB

Download
memory/2180-281-0x00000000003F0000-0x0000000001A32000-memory.dmp

Filesize
22.3MB

Download
memory/2180-300-0x00000000003F0000-0x0000000001A32000-memory.dmp

Filesize
22.3MB

Download
memory/2180-238-0x00000000003F0000-0x0000000001A32000-memory.dmp

Filesize
22.3MB

Download
memory/2180-0-0x00000000003F0000-0x0000000001A32000-memory.dmp

Filesize
22.3MB

Download
memory/2180-241-0x00000000003F0000-0x0000000001A32000-memory.dmp

Filesize
22.3MB

Download
memory/2180-5-0x00000000003F0000-0x0000000001A32000-memory.dmp

Filesize
22.3MB

Download
memory/2180-2-0x00000000003F4000-0x00000000014F6000-memory.dmp

Filesize
17.0MB

Download
memory/2180-197-0x00000000003F4000-0x00000000014F6000-memory.dmp

Filesize
17.0MB

Download
memory/2764-282-0x00000000003F0000-0x0000000001A32000-memory.dmp

Filesize
22.3MB

Download
memory/2764-12-0x00000000003F0000-0x0000000001A32000-memory.dmp

Filesize
22.3MB

Download
memory/2764-199-0x00000000003F0000-0x0000000001A32000-memory.dmp

Filesize
22.3MB

Download
memory/2764-239-0x00000000003F0000-0x0000000001A32000-memory.dmp

Filesize
22.3MB

Download
memory/2764-302-0x00000000003F0000-0x0000000001A32000-memory.dmp

Filesize
22.3MB

Download
memory/2764-308-0x00000000003F0000-0x0000000001A32000-memory.dmp

Filesize
22.3MB

Download
memory/2764-311-0x00000000003F0000-0x0000000001A32000-memory.dmp

Filesize
22.3MB

Download
memory/2764-317-0x00000000003F0000-0x0000000001A32000-memory.dmp

Filesize
22.3MB

Download
memory/2764-323-0x00000000003F0000-0x0000000001A32000-memory.dmp

Filesize
22.3MB

Download
memory/2824-200-0x00000000003F0000-0x0000000001A32000-memory.dmp

Filesize
22.3MB

Download
memory/2824-11-0x00000000003F0000-0x0000000001A32000-memory.dmp

Filesize
22.3MB

Download
memory/2824-240-0x00000000003F0000-0x0000000001A32000-memory.dmp

Filesize
22.3MB

Download
memory/2824-303-0x00000000003F0000-0x0000000001A32000-memory.dmp

Filesize
22.3MB

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads