7f874e1018fb27609df79be210c6b4345246dd3559577afc56c561879da1dd4b

Analysis

max time kernel
219s
max time network
483s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
04-12-2022 15:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

AnyDesk_x64x32/About/en-US/DFS.xml
Size

1KB
MD5

59649458234fa8ec0fa1ccf6d1a1f000
SHA1

fa84dc8c633ac66d93c2cc4ca82973690cc01b06
SHA256

7c621bdfa9aafbb72c6e3eaa6bd9dadb9b87b76ff3085c3ab85f94a4ba74148b
SHA512

3dac7345cdf6e474ec6550890d2581e97ceccbdf3d6da446d0b4051600b81e66725e20e3905fc8ed051e00ae74b7899ecec073c828e776fb664731218f88e528

Score

1^/10

Malware Config

Signatures

Modifies Internet Explorer settings 1 TTPs 38 IoCs

adware spyware

Modify Registry

T1112

Processes:

IEXPLORE.EXEIEXPLORE.EXE

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\LowRegistry	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{26629461-73F2-11ED-9FA0-5263E908E3CD} = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = a0dce303ff07d901	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Toolbar	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\SearchScopes	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\PageSetup	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "376936941"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\InternetRegistry	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000fbec07815684004d899a318f710de6af0000000002000000000010660000000100002000000048f45e0b68c33be1ee174f28751e56cfe8e17875baab5a9c6544c280d25ef2b8000000000e800000000200002000000002086ff88589f7c2a6c8794aca05cc225d8d3a05e19066fb5ef66602412057a620000000c875a0b8105e81f86ad9b70b4a1c8ec7da0bf8dbb678addbb560b2e5ae87c00d4000000019530a5859e68da20bdff76c719f79f1dfe1fc53a66b18ca159b9fcc346eea8cc8a683f06a3f69440e10d51183dd50da0147e9fea5d3b7abd8ef8a8c87cff257	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\IntelliForms	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Zoom	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000fbec07815684004d899a318f710de6af0000000002000000000010660000000100002000000051d2376730e2e916322c12304f6b6327f7ca756f8028ac7d10438945feba8272000000000e800000000200002000000083aaaa5dc087196af0580eefa7acb0e0cd5bdebcd19ee3d1822b9fc31bd2b8c8900000003ed8f71c41b23ae16316d5b919cae128907d35ea409ac7e8066ac31c9f525907d774eebe35e30a863e787dfe63fa351cfa1b44854a907ddfba08c382c5848dc1f9341155ea736b47a169a77a3e006e41b4b5474a6c6909b12c10558a9e3b7a546bdc5fc1d3997665c01f1c3c839d89a6f0870121c782777e08177cba361ae8facae37307bcbc694b84afe3cecd9b4c8e4000000099aaf16b38e1ca6105470df8d6af244bac2c8701ec338766cce5eb47e019c554cf00a2a64d88387d4238bc6d85e0114bb8d62b2165699fd6162add107a9c2738	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	IEXPLORE.EXE

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

IEXPLORE.EXE

pid process

816 IEXPLORE.EXE
Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

IEXPLORE.EXEIEXPLORE.EXE

pid process

816 IEXPLORE.EXE
816 IEXPLORE.EXE
1444 IEXPLORE.EXE
1444 IEXPLORE.EXE
1444 IEXPLORE.EXE
1444 IEXPLORE.EXE

pid	process
816	IEXPLORE.EXE

pid	process
816	IEXPLORE.EXE
816	IEXPLORE.EXE
1444	IEXPLORE.EXE
1444	IEXPLORE.EXE
1444	IEXPLORE.EXE
1444	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

MSOXMLED.EXEiexplore.exeIEXPLORE.EXE

description	pid	process	target process
PID 556 wrote to memory of 1680	556	MSOXMLED.EXE	iexplore.exe
PID 556 wrote to memory of 1680	556	MSOXMLED.EXE	iexplore.exe
PID 556 wrote to memory of 1680	556	MSOXMLED.EXE	iexplore.exe
PID 556 wrote to memory of 1680	556	MSOXMLED.EXE	iexplore.exe
PID 1680 wrote to memory of 816	1680	iexplore.exe	IEXPLORE.EXE
PID 1680 wrote to memory of 816	1680	iexplore.exe	IEXPLORE.EXE
PID 1680 wrote to memory of 816	1680	iexplore.exe	IEXPLORE.EXE
PID 1680 wrote to memory of 816	1680	iexplore.exe	IEXPLORE.EXE
PID 816 wrote to memory of 1444	816	IEXPLORE.EXE	IEXPLORE.EXE
PID 816 wrote to memory of 1444	816	IEXPLORE.EXE	IEXPLORE.EXE
PID 816 wrote to memory of 1444	816	IEXPLORE.EXE	IEXPLORE.EXE
PID 816 wrote to memory of 1444	816	IEXPLORE.EXE	IEXPLORE.EXE

C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\AnyDesk_x64x32\About\en-US\DFS.xml"
1⤵
- Suspicious use of WriteProcessMemory
PID:556

C:\Program Files (x86)\Internet Explorer\iexplore.exe
"C:\Program Files (x86)\Internet Explorer\iexplore.exe" -nohome
2⤵
- Suspicious use of WriteProcessMemory
PID:1680

C:\Program Files\Internet Explorer\IEXPLORE.EXE
"C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome
3⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:816

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:816 CREDAT:275457 /prefetch:2
4⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:1444

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\TB3MKVH7.txt
Filesize
533B

MD5
53ec7728dd4daf5a65c6ff9ceabf8fe8

SHA1
64e0e5a7a4f4263b037192e4c197489292fb943c

SHA256
3be28f2a6869e115d2b461d763ed92583f6a822c80c984dbfbddc0b9491b0e45

SHA512
fd73f06b4fa47ffa022dc8dd2c498acdf7c037de9e26554f7f9b9fc9c7711054d84eecb60cfaa3d930fa1adc96436d3cbd7886a77957fac88c1164188a788094

Download Submit
memory/556-54-0x00000000759F1000-0x00000000759F3000-memory.dmp

Filesize
8KB

Download