Analysis

  • max time kernel
    164s
  • max time network
    528s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20221111-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
  • submitted
    04-12-2022 15:18

General

  • Target

    AnyDesk_x64x32/About/en-US/CredentialProviders.xml

  • Size

    5KB

  • MD5

    b735ff00bd6511f0525c74881042cfbf

  • SHA1

    f9540a99e5654ea5f6b7aaf49ce35f591cec2863

  • SHA256

    ff1b853b846ea63064ad460b42c44230de008297b6a2ddb8daa48991a5684c14

  • SHA512

    a585ae89c4b13a6a2de50d414069fe40d3db53395a4e79b5865b530acc6963b2c89647d2735b27229503b58bac47b4c43b38e6e2beb00b81ec6f1d76db441c06

  • SSDEEP

    96:LeD5pmAznn5XkKkcx1ftU6beY3rqFimzWSsdK/l+3yY8V:Ejznn5XkJcx1fdPrqFOXU/loyb

Score
1/10

Malware Config

Signatures

  • Modifies Internet Explorer settings 1 TTPs 27 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 6 IoCs
  • Suspicious use of WriteProcessMemory 5 IoCs

Processes

  • C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXE
    "C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\AnyDesk_x64x32\About\en-US\CredentialProviders.xml"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:3252
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\AnyDesk_x64x32\About\en-US\CredentialProviders.xml
      2⤵
      • Modifies Internet Explorer settings
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:3200
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3200 CREDAT:17410 /prefetch:2
        3⤵
        • Modifies Internet Explorer settings
        • Suspicious use of SetWindowsHookEx
        PID:4296

Network

MITRE ATT&CK Matrix ATT&CK v6

Defense Evasion

Modify Registry

1
T1112

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/3252-132-0x00007FFC36B70000-0x00007FFC36B80000-memory.dmp
    Filesize

    64KB

  • memory/3252-133-0x00007FFC36B70000-0x00007FFC36B80000-memory.dmp
    Filesize

    64KB

  • memory/3252-134-0x00007FFC36B70000-0x00007FFC36B80000-memory.dmp
    Filesize

    64KB

  • memory/3252-135-0x00007FFC36B70000-0x00007FFC36B80000-memory.dmp
    Filesize

    64KB

  • memory/3252-136-0x00007FFC36B70000-0x00007FFC36B80000-memory.dmp
    Filesize

    64KB

  • memory/3252-137-0x00007FFC36B70000-0x00007FFC36B80000-memory.dmp
    Filesize

    64KB

  • memory/3252-138-0x00007FFC36B70000-0x00007FFC36B80000-memory.dmp
    Filesize

    64KB

  • memory/3252-139-0x00007FFC36B70000-0x00007FFC36B80000-memory.dmp
    Filesize

    64KB

  • memory/3252-140-0x00007FFC36B70000-0x00007FFC36B80000-memory.dmp
    Filesize

    64KB