7f874e1018fb27609df79be210c6b4345246dd3559577afc56c561879da1dd4b

Analysis

max time kernel
110s
max time network
235s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
04-12-2022 15:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

AnyDesk_x64x32/About/en-US/CredSsp.xml
Size

19KB
MD5

3f887766536ae5c7677e841c9a1e86f6
SHA1

c3bfb966d06df84a5bd9fcdd9c0caf23a4f85b28
SHA256

91a36f497d459ef96b4cedb88ee0884651d8b5c0eabce1c1f4fec6d49ff71a31
SHA512

7777ff19b4b1108a2688d02f25ac69e3f66d87f44a42ad60596b447188728b231e148e67390b39b7cbcf62e83121ecb55a84cb3d72a55827c0489fadaba5469c
SSDEEP

192:EYLfqDwf4tdJ11wpL9uiansm9cjoOkfmW/MQfB:9qtVPaxu5mUTOYJ

Score

1^/10

Malware Config

Signatures

Modifies Internet Explorer settings 1 TTPs 36 IoCs

adware spyware

Modify Registry

T1112

Processes:

IEXPLORE.EXEIEXPLORE.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "376936651"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Zoom	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{81396401-73F1-11ED-BD75-FAF5FAF3A79A} = "0"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000d29e552960fb8d4b9915dab85eb828a400000000020000000000106600000001000020000000400c1379e1d240c80f0235c9a4b71664765aa268748f93c6e514e53dd665e452000000000e8000000002000020000000bdb187fb209c8a6b1e9570467d6ab5637dba0cc0d40eafd628138ee2df545da720000000a869ee6db1dd14288bf37d11c26095e0d416541561f8e977a93f2c6d4d2e354440000000323212206ffd9b7ac9c5e64d0db7392be810565786361bb208ce8d6c4897bb35f79678de3ca0e5adf511a7824d5b5d06ee706278c8ae4d41f9335aec4f8d4896	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000d29e552960fb8d4b9915dab85eb828a4000000000200000000001066000000010000200000009ead425ff453e3feeea0c184ddb510c1e23f41d9054c838fdb162f7862cf6b1b000000000e80000000020000200000005a7beafb11364332161ba3d81b93def5c6a39f93c3fd61e0e59f79248cddf0a39000000035dcf7216fad56d51fe7661e6dd58b7e8fd97ed5431f591472d7ca6b5873471c36cd12e2606be62314333d61f0d27d66a546bb9a9ee48082a373e6b9100720720d495b1a3c24da89a50b9b84553e2f9fd972afb949f47c64593bc9a72574cc80cd6aa2a2f224e19cedd06d596c0632007924b98967626a3cfc1de245144f39a336670bb5b3d6b18ed373485623bf9d23400000007f58e15915be1549b5095447497e1250dc452b283c951ebeefe64d9965f063a697cc5b19e7b69aabae274e0f765361db316d19b31b66612350d65d67e80cde92	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\InternetRegistry	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\PageSetup	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Toolbar	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 50ba0357fe07d901	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\IntelliForms	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\LowRegistry	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	IEXPLORE.EXE

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

IEXPLORE.EXE

pid process

1624 IEXPLORE.EXE
Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

IEXPLORE.EXEIEXPLORE.EXE

pid process

1624 IEXPLORE.EXE
1624 IEXPLORE.EXE
1888 IEXPLORE.EXE
1888 IEXPLORE.EXE
1888 IEXPLORE.EXE
1888 IEXPLORE.EXE

pid	process
1624	IEXPLORE.EXE

pid	process
1624	IEXPLORE.EXE
1624	IEXPLORE.EXE
1888	IEXPLORE.EXE
1888	IEXPLORE.EXE
1888	IEXPLORE.EXE
1888	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

MSOXMLED.EXEiexplore.exeIEXPLORE.EXE

description	pid	process	target process
PID 1976 wrote to memory of 892	1976	MSOXMLED.EXE	iexplore.exe
PID 1976 wrote to memory of 892	1976	MSOXMLED.EXE	iexplore.exe
PID 1976 wrote to memory of 892	1976	MSOXMLED.EXE	iexplore.exe
PID 1976 wrote to memory of 892	1976	MSOXMLED.EXE	iexplore.exe
PID 892 wrote to memory of 1624	892	iexplore.exe	IEXPLORE.EXE
PID 892 wrote to memory of 1624	892	iexplore.exe	IEXPLORE.EXE
PID 892 wrote to memory of 1624	892	iexplore.exe	IEXPLORE.EXE
PID 892 wrote to memory of 1624	892	iexplore.exe	IEXPLORE.EXE
PID 1624 wrote to memory of 1888	1624	IEXPLORE.EXE	IEXPLORE.EXE
PID 1624 wrote to memory of 1888	1624	IEXPLORE.EXE	IEXPLORE.EXE
PID 1624 wrote to memory of 1888	1624	IEXPLORE.EXE	IEXPLORE.EXE
PID 1624 wrote to memory of 1888	1624	IEXPLORE.EXE	IEXPLORE.EXE

C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\AnyDesk_x64x32\About\en-US\CredSsp.xml"
1⤵
- Suspicious use of WriteProcessMemory
PID:1976

C:\Program Files (x86)\Internet Explorer\iexplore.exe
"C:\Program Files (x86)\Internet Explorer\iexplore.exe" -nohome
2⤵
- Suspicious use of WriteProcessMemory
PID:892

C:\Program Files\Internet Explorer\IEXPLORE.EXE
"C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome
3⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1624

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1624 CREDAT:275457 /prefetch:2
4⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:1888

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\V2GYWMWC.txt
Filesize
539B

MD5
b5aa1b04330b515219807e589642f63d

SHA1
627aceccc2739e12e0a9e827099b85b0f4153a53

SHA256
b94614bb9b26f764173461a9dbcd476a7ed8d1a041ba85c0e82c7b22ae1c4505

SHA512
4cff16f8189a7cabffd58fd5e9d0af344b168ef39db4b30e2e60707c933cf77169fe8bf9041ee275629b458e0c366c33b37132b84c50c5bbf7cf88824e680720

Download Submit
memory/1976-54-0x0000000076831000-0x0000000076833000-memory.dmp

Filesize
8KB

Download