Overview
Score  Sample                  Platform
10     Static                  -
7      AnyDesk_x6...ot.xml     windows7-x64
1      AnyDesk_x6...ot.xml     windows10-2004-x64
1      AnyDesk_x6...ay.xml     windows7-x64
1      AnyDesk_x6...ay.xml     windows10-2004-x64
1      AnyDesk_x6...ls.xml     windows7-x64
1      AnyDesk_x6...ls.xml     windows10-2004-x64
1      AnyDesk_x6...sp.xml     windows7-x64
1      AnyDesk_x6...sp.xml     windows10-2004-x64
1      AnyDesk_x6...UI.xml     windows7-x64
1      AnyDesk_x6...UI.xml     windows10-2004-x64
-      AnyDesk_x6...rs.xml     windows7-x64
1      AnyDesk_x6...rs.xml     windows10-2004-x64
1      AnyDesk_x6...el.xml     windows7-x64
1      AnyDesk_x6...el.xml     windows10-2004-x64
1      AnyDesk_x6...OM.xml     windows7-x64
1      AnyDesk_x6...OM.xml     windows10-2004-x64
1      AnyDesk_x6...FS.xml     windows7-x64
1      AnyDesk_x6...FS.xml     windows10-2004-x64
1      AnyDesk_x6...WM.xml     windows7-x64
1      AnyDesk_x6...WM.xml     windows10-2004-x64
1      AnyDesk_x6...32.exe     windows7-x64
10     AnyDesk_x6...32.exe     windows10-2004-x64
Analysis
max time kernel: 204s
max time network: 236s
platform: windows10-2004_x64
resource: win10v2004-20220812-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
submitted: 04-12-2022 15:18
Behavioral tasks
behavioral1: AnyDesk_x64x32/About/ExternalBoot.xml (resource win7-20221111-en)
behavioral2: AnyDesk_x64x32/About/ExternalBoot.xml (resource win10v2004-20220901-en)
behavioral3: AnyDesk_x64x32/About/en-US/ControlPanelDisplay.xml (resource win7-20220901-en)
behavioral4: AnyDesk_x64x32/About/en-US/ControlPanelDisplay.xml (resource win10v2004-20220812-en)
behavioral5: AnyDesk_x64x32/About/en-US/Cpls.xml (resource win7-20220901-en)
behavioral6: AnyDesk_x64x32/About/en-US/Cpls.xml (resource win10v2004-20221111-en)
behavioral7: AnyDesk_x64x32/About/en-US/CredSsp.xml (resource win7-20220812-en)
behavioral8: AnyDesk_x64x32/About/en-US/CredSsp.xml (resource win10v2004-20220812-en)
behavioral9: AnyDesk_x64x32/About/en-US/CredUI.xml (resource win7-20220812-en)
behavioral10: AnyDesk_x64x32/About/en-US/CredUI.xml (resource win10v2004-20221111-en)
behavioral11: AnyDesk_x64x32/About/en-US/CredentialProviders.xml (resource win7-20221111-en)
behavioral12: AnyDesk_x64x32/About/en-US/CredentialProviders.xml (resource win10v2004-20221111-en)
behavioral13: AnyDesk_x64x32/About/en-US/CtrlAltDel.xml (resource win7-20220812-en)
behavioral14: AnyDesk_x64x32/About/en-US/CtrlAltDel.xml (resource win10v2004-20221111-en)
behavioral15: AnyDesk_x64x32/About/en-US/DCOM.xml (resource win7-20220812-en)
behavioral16: AnyDesk_x64x32/About/en-US/DCOM.xml (resource win10v2004-20221111-en)
behavioral17: AnyDesk_x64x32/About/en-US/DFS.xml (resource win7-20221111-en)
behavioral18: AnyDesk_x64x32/About/en-US/DFS.xml (resource win10v2004-20221111-en)
behavioral19: AnyDesk_x64x32/About/en-US/DWM.xml (resource win7-20221111-en)
behavioral20: AnyDesk_x64x32/About/en-US/DWM.xml (resource win10v2004-20220812-en)
behavioral21: AnyDesk_x64x32/AnyDesk_x64x32.exe (resource win7-20221111-en)
behavioral22: AnyDesk_x64x32/AnyDesk_x64x32.exe (resource win10v2004-20221111-en)
General
Target: AnyDesk_x64x32/About/en-US/ControlPanelDisplay.xml
Size: 20KB
MD5: 61cb7046c23a14515c58521dad36ab6f
SHA1: 62ec7a88975656944fd8ca72924a916336112465
SHA256: a4f9a17502e8aba9e82c5c324cbed40e109a565ca2e27b3d79389f1a595b3ccd
SHA512: 13473deade6477440d9515c9fc6babecdb59fe9a806633b003b14e71ec6e762dd9e13a9bfd1dfed554d7ca6a664b3c1ef0ceb7c8278f22cc0e0eeb793e697c1f
SSDEEP: 384:VfRyKGkSDgF+vXDtchtrWzsbHX92eLb2vB1E4RRN9:VfRXTCrvXDWrWziN2ZvB1fRX
Malware Config
Signatures
- Modifies Internet Explorer settings
  Processes: iexplore.exe, IEXPLORE.EXE (IoCs are registry keys created and values set under the user's Software\Microsoft\Internet Explorer hive)
- Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  Processes: 2804 iexplore.exe
- Suspicious use of FindShellTrayWindow (1 IoC)
  Processes: 2804 iexplore.exe
- Suspicious use of SetWindowsHookEx (6 IoCs)
  Processes: 2804 iexplore.exe (2 hits), 4960 IEXPLORE.EXE (4 hits)
- Suspicious use of WriteProcessMemory (5 IoCs)
  Processes: PID 4660 MSOXMLED.EXE wrote to memory of PID 2804 iexplore.exe (2 hits); PID 2804 iexplore.exe wrote to memory of PID 4960 IEXPLORE.EXE (3 hits)
Processes
- C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXE (PID 4660)
  "C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\AnyDesk_x64x32\About\en-US\ControlPanelDisplay.xml"
  - Suspicious use of WriteProcessMemory
  - C:\Program Files\Internet Explorer\iexplore.exe (PID 2804)
    "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\AnyDesk_x64x32\About\en-US\ControlPanelDisplay.xml
    - Modifies Internet Explorer settings
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE (PID 4960)
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2804 CREDAT:17410 /prefetch:2
      - Modifies Internet Explorer settings
      - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads
memory/4660-132-0x00007FFD1B230000-0x00007FFD1B240000-memory.dmp (64KB)
memory/4660-133-0x00007FFD1B230000-0x00007FFD1B240000-memory.dmp (64KB)
memory/4660-134-0x00007FFD1B230000-0x00007FFD1B240000-memory.dmp (64KB)
memory/4660-135-0x00007FFD1B230000-0x00007FFD1B240000-memory.dmp (64KB)
memory/4660-136-0x00007FFD1B230000-0x00007FFD1B240000-memory.dmp (64KB)
memory/4660-137-0x00007FFD1B230000-0x00007FFD1B240000-memory.dmp (64KB)
memory/4660-138-0x00007FFD1B230000-0x00007FFD1B240000-memory.dmp (64KB)
memory/4660-139-0x00007FFD1B230000-0x00007FFD1B240000-memory.dmp (64KB)
memory/4660-140-0x00007FFD1B230000-0x00007FFD1B240000-memory.dmp (64KB)