d3b606e08c524995b585d6649183387068ee1dda60dc7e11c950966a7e73f234

General

Target

AnyDesk.exe
Size

3.0MB
MD5

c8eeac24eca23bd1df10b02d5430432d
SHA1

39194c57c0488eca2ca7600d03783f6df4957688
SHA256

d3b606e08c524995b585d6649183387068ee1dda60dc7e11c950966a7e73f234
SHA512

e67f30c7bdac4b57cdad769b332b586a25c8d95fd0361a90986fad1e5ee2746b4a67c6a74defadf92a2499f6b5fb7b7a26057a5148ad270e45bacd366419f94f
SSDEEP

49152:PjHajM8yMboA7HSP/LRVTRoxy4cUARNLBQfnysp8OQmY7jRvTepmgChCkjIvaW:P0ByMPGP/LRVTmM4qNLB4kjRbWChCkOR

Score

3^/10

discovery

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AnyDesk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AnyDesk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AnyDesk.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AnyDesk.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	AnyDesk.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1964	AnyDesk.exe
1964	AnyDesk.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
3008	AnyDesk.exe
3008	AnyDesk.exe
3008	AnyDesk.exe

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
3008	AnyDesk.exe
3008	AnyDesk.exe
3008	AnyDesk.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 512 wrote to memory of 1964	512	AnyDesk.exe	83
PID 512 wrote to memory of 1964	512	AnyDesk.exe	83
PID 512 wrote to memory of 1964	512	AnyDesk.exe	83
PID 512 wrote to memory of 3008	512	AnyDesk.exe	84
PID 512 wrote to memory of 3008	512	AnyDesk.exe	84
PID 512 wrote to memory of 3008	512	AnyDesk.exe	84

C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
"C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe"
1⤵
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Suspicious use of WriteProcessMemory
PID:512
- C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
  "C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe" --local-service
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:1964
- C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
  "C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe" --local-control
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:3008

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace

Filesize
15KB

MD5
1cdf4d923f1bc84f71ca9979081abb23

SHA1
627214cb1c93a205361bd5cf066602dd13f15eb6

SHA256
7a9eba6cfa39f4b8c6aa981592b76f521cb6e33261f1273df8443c889c65c586

SHA512
4ef789840aea1c0d9a20622fce2370288f30fe75981bfdb9b1c3a5b941b5935d9283ae704b6d571904b7f205582b8bc20d2eb91c7cbf442e7869fb40df2125da

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\service.conf

Filesize
2KB

MD5
105c89d2cb720340e01116ce88547d74

SHA1
867d545152346c528656760e29be3185b26d3744

SHA256
6062723c51565e154e12d5ff5edbe5da6f7589bf7cc9c568b43320d4749e91d8

SHA512
dca4422fe11accaa822c87a28e7caf51b849f425639417ffb10a4691e29b81c49dbf5a6c8f666f902a6c47884b44606108559227f08df05abb8bd6d5a5052b0f

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
329B

MD5
553eb450cfc43c11476eb33e6f4b3ae2

SHA1
99f4c8c199e25d654f8c76888e03eb21e8901703

SHA256
8ed973663a56c076d5e4f3c3673305ca553b9e199fe305d02c483cd2190d932f

SHA512
e9eea07a17758ce7413ee6adbba56adcf9b6b372fd41d69dcdeb364d8f48b9b2a9bedcf5ee38ea2cc62a19af57b5919f80ae70a01def8198de1da6710a97e07b

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
329B

MD5
a95dd5a27e41e698b3cb86ed7a00c358

SHA1
2e3a8446818b65772c6c796c7b955f5f26fa99e8

SHA256
6f0f8ae98cf504290b00dbc8c6aae7e196e40f8eb3f5f3891f2a434602ac858d

SHA512
10bbb5aef1dc5150a93c11ab93b04c6f577b4b9485301b01a1fdcee8eac38e3516d8f60d7fd165c388d2c5bc7dc3555c383084a2e92ce457d14d5c8e270049d3

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
105B

MD5
adadd9b3a03f8cf29c1b32697389c746

SHA1
65c59fa57d2535251852c4ea8ce6182100c61f5f

SHA256
b67c66ea6491038e60d5c53a7af5dc7fd6ac5d75c90b60a1bd7bb3762d67493e

SHA512
a59569f6063b2e48886e0982c7d8ca0bb090f20aeab425ed7e48e5ee23b59de05d5306ca0959708a8c03dc14000b4868db73dc265b412e8e2a8193594f338eb0

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
329B

MD5
4476818192caa9a431818cf3523c6665

SHA1
a61f5f71b94999cfc40606843f7405966b742b8b

SHA256
52e06a66af0f6239e336f8d9ce64fd3692d2e6fd8fcadcb0d16be4032a4145c0

SHA512
fdd24237374e26bb7189560e52ec94fc27ae8d94c3d83f2382147df9d1bc8d919aec5903f2c4c7f373db77d8c70a5a1aa7165bf3baea693ae229f3419f84f22e

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
205B

MD5
59352c2b0c590c5fd96365d3168d723b

SHA1
53ab571639cc3e3a38032c1095985f7f4278d8fc

SHA256
079db0d18cb8ca55e8653f3d67608c5e445d32e368feb874ed3fa1d797c7c286

SHA512
2d21bcd26ef934095ca5b37aa1e66091547870f5e09c2d203dfd75923d2575f93f1a42f31e4fb7b2423b766984464ed65b048f49519837918de246a892c82828

Download Submit
memory/512-18-0x0000000000360000-0x0000000000F95000-memory.dmp

Filesize
12.2MB

Download
memory/512-13-0x0000000000360000-0x0000000000F95000-memory.dmp

Filesize
12.2MB

Download
memory/512-2-0x0000000000360000-0x0000000000F95000-memory.dmp

Filesize
12.2MB

Download
memory/512-0-0x0000000000364000-0x0000000000C8E000-memory.dmp

Filesize
9.2MB

Download
memory/512-17-0x0000000000360000-0x0000000000F95000-memory.dmp

Filesize
12.2MB

Download
memory/512-3-0x0000000000360000-0x0000000000F95000-memory.dmp

Filesize
12.2MB

Download
memory/512-59-0x0000000000360000-0x0000000000F95000-memory.dmp

Filesize
12.2MB

Download
memory/512-60-0x0000000000364000-0x0000000000C8E000-memory.dmp

Filesize
9.2MB

Download
memory/1964-19-0x0000000000360000-0x0000000000F95000-memory.dmp

Filesize
12.2MB

Download
memory/1964-61-0x0000000000360000-0x0000000000F95000-memory.dmp

Filesize
12.2MB

Download
memory/1964-70-0x0000000000360000-0x0000000000F95000-memory.dmp

Filesize
12.2MB

Download
memory/1964-40-0x0000000000360000-0x0000000000F95000-memory.dmp

Filesize
12.2MB

Download
memory/3008-41-0x0000000000360000-0x0000000000F95000-memory.dmp

Filesize
12.2MB

Download
memory/3008-21-0x0000000000360000-0x0000000000F95000-memory.dmp

Filesize
12.2MB

Download

Analysis

Sharing