fff4b96876b0c78da96e57cf7ca1b0e0cbee4fde52047a9bde52e25b062d69ca

Analysis

max time kernel
591s
max time network
601s
platform
windows10-ltsc 2021_x64
resource
win10ltsc2021-20250113-es
resource tags

arch:x64arch:x86image:win10ltsc2021-20250113-eslocale:es-esos:windows10-ltsc 2021-x64systemwindows
submitted
27/01/2025, 15:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

AnyDesk.exe
Size

5.3MB
MD5

0a269c555e15783351e02629502bf141
SHA1

8fefa361e9b5bce4af0090093f51bcd02892b25d
SHA256

fff4b96876b0c78da96e57cf7ca1b0e0cbee4fde52047a9bde52e25b062d69ca
SHA512

b1784109f01d004f2f618e91695fc4ab9e64989cdedc39941cb1a4e7fed9032e096190269f3baefa590cc98552af5824d0f447a03213e4ae07cf55214758725a
SSDEEP

98304:Uc9HTcGO0ImBimas54Ub5ixTStxZi/l9K0+zLVasSe4JnzMpm+Gq:UcpYGO0IOqs57bUwxG9CVaskJIYE

Score

5^/10

discovery

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2503671516-4119152987-701077851-1000\Control Panel\International\Geo\Nation	AnyDesk.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2503671516-4119152987-701077851-1000\Control Panel\International\Geo\Nation	AnyDesk.exe

Loads dropped DLL 2 IoCs

pid	Process
3776	AnyDesk.exe
404	AnyDesk.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AnyDesk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AnyDesk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AnyDesk.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	AnyDesk.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AnyDesk.exe

Suspicious use of FindShellTrayWindow 5 IoCs

pid	Process
3776	AnyDesk.exe
3776	AnyDesk.exe
3776	AnyDesk.exe
3776	AnyDesk.exe
3776	AnyDesk.exe

Suspicious use of SendNotifyMessage 5 IoCs

pid	Process
3776	AnyDesk.exe
3776	AnyDesk.exe
3776	AnyDesk.exe
3776	AnyDesk.exe
3776	AnyDesk.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 3056 wrote to memory of 404	3056	AnyDesk.exe	85
PID 3056 wrote to memory of 404	3056	AnyDesk.exe	85
PID 3056 wrote to memory of 404	3056	AnyDesk.exe	85
PID 3056 wrote to memory of 3776	3056	AnyDesk.exe	86
PID 3056 wrote to memory of 3776	3056	AnyDesk.exe	86
PID 3056 wrote to memory of 3776	3056	AnyDesk.exe	86

C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
"C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3056
- C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
  "C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe" --local-service
  2⤵
  - Checks computer location settings
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:404
- C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
  "C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe" --local-control
  2⤵
  - Checks computer location settings
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:3776

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace

Filesize
6KB

MD5
c07823249cb40b497f5640ad09dbf7d2

SHA1
360f6209b199e82d20829d34ce9f5bfe31a82c89

SHA256
f30c757b4f8f66547630e308b0773102bfcf2aa32173354f4b17e30050a99062

SHA512
0099f3c126156bc596812c705b6fcdd22b1ce70f9514924ed3480d37e4851a334d3f76450ab0db44cb278872604237981cbc56ab57fd5f431b0a5a049c00cd3c

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\service.conf

Filesize
2KB

MD5
f6fd9fc61f362d24a73652ea145f500f

SHA1
653711f30e8aac5de348d6b703321f73bbd96d72

SHA256
34511d61e61e855dde3e71a01d62835f3e216c845cb7b919ae6d2f4bd3d29565

SHA512
a0f10d08f6cd3e2c6adf376bafc096a4345acccf9883f181d9491337e4cb39a39fd6390fbae79d1a7d32f455fdd77122ff24a40e91c8a7403a945062f449848c

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\service.conf

Filesize
2KB

MD5
83d8a25f254aeca25137fbea6ceaa34d

SHA1
58618ff54ae6be28f84acf05d9b324b95d3ca412

SHA256
fa8c5fe670758a4807a1ea3e142a1562a8f88b972166a8c26be05f5587b99d67

SHA512
e24236c3e643ccafa7da510c9c70584d63b83efb3d300d5c41b998680ac4829687745d6073b7d5b03208d2616771a3a6b2f4429a0123fa98598e619ccc436458

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
766B

MD5
53182fe2905d50b70d5c4c4f23d08715

SHA1
a81f441aa095c5af7aef5edc0f4d7ed9d34466b0

SHA256
a840b363e71fcbbfb731b7c0756eb2415c31839f69f9e7336948d5ff48787fbc

SHA512
432e59d8a863701b51b461a8536ffbc456b6adb51f78249c07d9bca07b3aebaaf62481109d263a1e9a2dea447a05623ba53790e0f6bfc0e9ba9bf92e399ea483

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
774B

MD5
cbe25d0b36d10b255a2e67ca92819fd0

SHA1
0c3e55c84f9d512b037e830dbda183f6eda6029f

SHA256
49f2403a2a26449cf2a079b7a7c1fecea09c64d23ccaffc9369438297b26c067

SHA512
e64fa5066c9d8a511d4c4f168288387321d1d7c55add445d89efac1454220ef07c7fd56770dac156914cab31d643326c220422ffa285ee4f4334f6eff5d14b42

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
831B

MD5
59c277869d114a2adc60bd1d361529fe

SHA1
28a3e4393a5d4f9d1bc5bc1dfbeda2829f9782d6

SHA256
9250e3039322e5f5cea64729172830ebda459ca7cf8400c18cd3e16ce2c04a64

SHA512
6657b5ccee7acf1a1b7a4290dbc162845a9a0a2259e0a9c7d2d528d3a62bd8771d679ef071b39efe57eacd4a5eccbd25f119ba09a24fe64866929fd0ddde7ba1

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
312B

MD5
0c04ad1083dc5c7c45e3ee2cd344ae38

SHA1
f1cf190f8ca93000e56d49732e9e827e2554c46f

SHA256
6452273c017db7cbe0ffc5b109bbf3f8d3282fb91bfa3c5eabc4fb8f1fc98cb0

SHA512
6c414b39bbc1f1f08446c6c6da6f6e1ceb9303bbf183ae279c872d91641ea8d67ec5e5c4e0824da3837eca73ec29fe70e92b72c09458c8ce50fa6f08791d1492

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
468B

MD5
4e713726cddc053cf6ffe3fd7ee131d0

SHA1
794b5f2b63f3840a860693e9db84cbf6b7f070cc

SHA256
186dfc727fb49900a061fa15eb55d23edcedcb93714b4e1f19e721f85bac1f2e

SHA512
5c6fdfd2471b459c9066ad139e4d340984e4e96dd885ad24a23da4bafc7befa04f3eeb5bede7b06e301fcf29e38f6e44672c991c93486ff9f77e116ae13d5629

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
468B

MD5
53b332685f2a883a1998c84b2a533c95

SHA1
8c426782224ffe1ef5a66d9abe366d7aea7c3da6

SHA256
dc332fc2197d3033b385e4e155d394b1b8a35a431b9c8c4f91cdb79dcbbe01ea

SHA512
d498c00cd7c7ec53f882150d25f57f622f8904d8d45f23278c5d56cb1b91da6921e137482364396e356869062579befa0ec3ef58df736a55fd8d202b671d9c74

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
2KB

MD5
269245d88cb50b81cca6b973077e67bc

SHA1
e8ddcc5d1bc3dd5cee98c4ab775324a64f131d91

SHA256
b65f97a8698816317973683126fdaf129dd1c3a3cbeb247939599fd4f109f89f

SHA512
bc031de9a6b62d8a3e755dee825cdef2775f8b85e584effde3277a9239f79315ac69530ebaa24da59261e9c195401079122689726437b05b0d2e63c36979fd5e

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
2KB

MD5
c9c44ffb85e48253f18bb9bf8fed636d

SHA1
a1f453d65bcc49d128355a813f55f017dbecca66

SHA256
656c894c60ae07dd24a100308b86501bb61c294c14b69b5cb3b9b1a14351d352

SHA512
7d059591dc197049c7608ea1a5963c5a80b346f2fa2cf31cddf9a9e2b4089679d5af2e77d6d3efff64a3dcd414d9faed3f840d1340604bfd9881a139a9385a91

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
5da4c8e7b625f2a5a3707daaeb4864f1

SHA1
45a8c151753c7655c9ca1ae7cb6f10d7834e06dd

SHA256
44b934f27431e4507766cf2f5efabe9bec804e05bb1f08fdb25ba07a653da920

SHA512
611f85365dcab5df39684c8ca66e1c72484bd5f902df3316d2f51f07edfff35e8cf87fae3ad43b768d1362b57ddb6a01900491aca5eb669aaf7ec152a09c80d3

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
2KB

MD5
6e88e016fb01b340fcacf11ee6e6e3fd

SHA1
57c96f2b47015cc0e1a43453260400223e5d8efc

SHA256
1c8ca5fd3af651229e46e9595ef6f69fae0e3d6cbb90db7be36c221245c1634d

SHA512
37c4e757addc8ae6108e26ae4b6160872307aeb4435f7888959c7861c57c49a5e1c4e48d9651398a9421958e580582c487e8b7e9450e5f9c77b07af0cb6c0d0f

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
2KB

MD5
55eb0ff1cdbcc5b7977934f05e2ff5a1

SHA1
362fc2a779da849e5399d18c04c347f3a71a5a67

SHA256
d3c30524a602a43bf4822f67bdfa27c2029233485244b53951d91539b3e77797

SHA512
32d4339494fa0f5ef11165cc7f0c928af8757a0ad9856cae29b0993ec52cb8c59709260247e655f22ec01142b60a8ebef415b40f695bada0b30dbf47dfd8d204

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
00baa8dce2ed1e09566ccabf3a1a98e7

SHA1
1c93986331c9081caf4176ba104e686e12535693

SHA256
5c46d343fbd4ec9f0ad911b2cc0de150e7ee84ce16b6bf347647b99b71256603

SHA512
bfad0fe114552dc4b79b1b21c7dbc8f912d678d17d0ef15b9f72cc6363c5e4b5ab7021214f4330ff58f43d800b59aab427f02943e5047fc07f0a7f531608630b

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
2KB

MD5
ce43c784b283c1afe0a3a3b065e3f29b

SHA1
59a13faf7f2c9757471f449150ec0302ec30ebe2

SHA256
9791b9605791b3b4ae66e25d2a5ddd59f62c41c66394eb511aad853434ee7b85

SHA512
8b6b185252a765dc15fd4d36ae973e08d3bbacba7af7edf18d65ca2333cda736b090f7de1fa524ba97fdf2229573b382007ba33da01ae4413827f39c92ce99ae

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
2KB

MD5
de7216b523b3d16283c3872c07f8a974

SHA1
5b0821b094d8e34b8cf13927c8f8253bd892aeba

SHA256
fe765c9c0b0ea96ca5f05f4067f5b3166c2a924456d0715ca044fa670e63566b

SHA512
1c588e9cd54d351a8d9ac01922a2d537cdf2f3ceb16672442de1f7369340cf79b51009fa87d88f9f3831b6862cf48eb4827a2bae5e142b8e326e0a95c1b58a33

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
2KB

MD5
17ec3093c99d7572afcbb53af040a0d0

SHA1
7fa5c646e9b60f9f48fd63f172af2b0e575eb3d4

SHA256
3dcf0676c92b549a42f7318ffc12869cbbf876cd77f1801085414187ecae5a67

SHA512
131aabcc7b3ef414018e324bf3e7cc960d29312c4f6ef00833547ec72332b4b28d0480b3181e66a0fab757f27fe1c9bc58a1d27a416b5a66f757e976c5a72828

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
6KB

MD5
833c84de8125aed452d0b6af2366eb44

SHA1
410955524832970dad74e55687c30e9110ac43ea

SHA256
bd09cbb7a69fe26bc529bdb445d6bc1ef4a1dfa5b0f16a62f507e69c403b6794

SHA512
1b57a684f321341410d5c812dbf0bc364aaa7df7aa311552cfc292e3babcd63c768bd04f79130267850799829cc5c51792279d0d9974c2d617a2b14475c8ffa4

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
b5804cacaeb6ff811102e2fcd5ade92d

SHA1
7b64888de3233698d8f8697e49ba5195c5b4ec8f

SHA256
317ce811bbd52ffaedb7d8d99d810b0e721ad2446b28af3a244f3fb411b1617a

SHA512
0131962dab40de175a85b114108d9557a49d7e18ba595550573b5d4f75e40afde9e92a4aca546b185dcb60b66ebb4f62b07edf637a3b3778530f26b1923b713f

Download Submit
memory/404-41-0x0000000006270000-0x000000000628B000-memory.dmp

Filesize
108KB

Download
memory/404-12-0x00000000008F0000-0x0000000001F32000-memory.dmp

Filesize
22.3MB

Download
memory/404-38-0x0000000006270000-0x000000000628B000-memory.dmp

Filesize
108KB

Download
memory/404-290-0x00000000008F0000-0x0000000001F32000-memory.dmp

Filesize
22.3MB

Download
memory/404-42-0x0000000006270000-0x000000000628B000-memory.dmp

Filesize
108KB

Download
memory/404-185-0x00000000008F0000-0x0000000001F32000-memory.dmp

Filesize
22.3MB

Download
memory/404-239-0x00000000008F0000-0x0000000001F32000-memory.dmp

Filesize
22.3MB

Download
memory/3056-0-0x00000000008F0000-0x0000000001F32000-memory.dmp

Filesize
22.3MB

Download
memory/3056-1-0x00000000008F4000-0x00000000019F6000-memory.dmp

Filesize
17.0MB

Download
memory/3056-4-0x00000000008F0000-0x0000000001F32000-memory.dmp

Filesize
22.3MB

Download
memory/3056-183-0x00000000008F0000-0x0000000001F32000-memory.dmp

Filesize
22.3MB

Download
memory/3056-289-0x00000000008F0000-0x0000000001F32000-memory.dmp

Filesize
22.3MB

Download
memory/3056-184-0x00000000008F4000-0x00000000019F6000-memory.dmp

Filesize
17.0MB

Download
memory/3776-10-0x00000000008F0000-0x0000000001F32000-memory.dmp

Filesize
22.3MB

Download
memory/3776-186-0x00000000008F0000-0x0000000001F32000-memory.dmp

Filesize
22.3MB

Download
memory/3776-240-0x00000000008F0000-0x0000000001F32000-memory.dmp

Filesize
22.3MB

Download
memory/3776-291-0x00000000008F0000-0x0000000001F32000-memory.dmp

Filesize
22.3MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads