Analysis
-
max time kernel
146s -
max time network
153s -
platform
windows10-2004_x64 -
resource
win10v2004-20221111-en -
resource tags
-
submitted
15-12-2022 19:08
General
-
Target
AnyDesk.exe
-
Size
319MB
-
MD5
09ab4f1d10bd4fc4943dcf8d6b775675
-
SHA1
342143ccfb30b0709e09041658929a8f550bb567
-
SHA256
26869073aeaf75d56a64b8ee73ae3ebe4d559e944f8d050296ed8d05507e892c
-
SHA512
6d28484e9b1ea256f9753a3b7e31aec8236318c7a4c892bf5c6eb9a26ce187dce39fb039776a58c2601aba6210d1bcd8fd9d3b6bd1336d246541eadec7848aed
-
SSDEEP
12288:Dp1W1lO/xCOQ6bIdHcZ86Zu01bB9dD0QZAlp8JjH4pMGD+hklt+/ChwE3n:DpSlyQdAIdHc11Bnwzlp3pMqtgI3n
Malware Config
Signatures
-
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
-
Loads dropped DLL 2 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses 2FA software files, possible credential harvesting 2 TTPs
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Suspicious use of SetThreadContext 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Delays execution with timeout.exe 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 4 IoCs
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
-
Suspicious use of WriteProcessMemory 18 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\AnyDesk.exePID:4292"C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe"Checks computer location settingsSuspicious use of SetThreadContextSuspicious use of AdjustPrivilegeTokenSuspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exePID:560"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMgAwAA==Suspicious behavior: EnumeratesProcessesSuspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\AnyDesk.exePID:4140C:\Users\Admin\AppData\Local\Temp\AnyDesk.exeChecks computer location settingsLoads dropped DLLChecks processor information in registrySuspicious behavior: EnumeratesProcessesSuspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exePID:3960"C:\Windows\System32\cmd.exe" /c timeout /t 6 & del /f /q "C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe" & exitSuspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\timeout.exePID:2328timeout /t 6Delays execution with timeout.exe
Network
MITRE ATT&CK Matrix
Collection
Data from Local System
3Command and Control
Credential Access
Credentials in Files
3Defense Evasion
Execution
Exfiltration
Impact
Initial Access
Lateral Movement
Persistence
Privilege Escalation
Replay Monitor
Downloads
-
C:\ProgramData\mozglue.dllFilesize
133KB
MD58f73c08a9660691143661bf7332c3c27
SHA137fa65dd737c50fda710fdbde89e51374d0c204a
SHA2563fe6b1c54b8cf28f571e0c5d6636b4069a8ab00b4f11dd842cfec00691d0c9cd
SHA5120042ecf9b3571bb5eba2de893e8b2371df18f7c5a589f52ee66e4bfbaa15a5b8b7cc6a155792aaa8988528c27196896d5e82e1751c998bacea0d92395f66ad89
-
C:\ProgramData\nss3.dllFilesize
1MB
MD5bfac4e3c5908856ba17d41edcd455a51
SHA18eec7e888767aa9e4cca8ff246eb2aacb9170428
SHA256e2935b5b28550d47dc971f456d6961f20d1633b4892998750140e0eaa9ae9d78
SHA5122565bab776c4d732ffb1f9b415992a4c65b81bcd644a9a1df1333a269e322925fc1df4f76913463296efd7c88ef194c3056de2f1ca1357d7b5fe5ff0da877a66
-
memory/560-142-0x0000000007810000-0x0000000007E8A000-memory.dmpFilesize
6MB
-
memory/560-136-0x0000000000000000-mapping.dmp
-
memory/560-137-0x0000000002BF0000-0x0000000002C26000-memory.dmpFilesize
216KB
-
memory/560-138-0x0000000005360000-0x0000000005988000-memory.dmpFilesize
6MB
-
memory/560-139-0x0000000005AE0000-0x0000000005B46000-memory.dmpFilesize
408KB
-
memory/560-140-0x0000000005B50000-0x0000000005BB6000-memory.dmpFilesize
408KB
-
memory/560-141-0x00000000061C0000-0x00000000061DE000-memory.dmpFilesize
120KB
-
memory/560-143-0x00000000066D0000-0x00000000066EA000-memory.dmpFilesize
104KB
-
memory/2328-172-0x0000000000000000-mapping.dmp
-
memory/3960-170-0x0000000000000000-mapping.dmp
-
memory/4140-145-0x0000000000400000-0x000000000046B000-memory.dmpFilesize
428KB
-
memory/4140-146-0x0000000000400000-0x000000000046B000-memory.dmpFilesize
428KB
-
memory/4140-147-0x0000000000400000-0x000000000046B000-memory.dmpFilesize
428KB
-
memory/4140-148-0x0000000000400000-0x000000000046B000-memory.dmpFilesize
428KB
-
memory/4140-149-0x0000000060900000-0x0000000060992000-memory.dmpFilesize
584KB
-
memory/4140-144-0x0000000000000000-mapping.dmp
-
memory/4140-171-0x0000000000400000-0x000000000046B000-memory.dmpFilesize
428KB
-
memory/4292-135-0x00000000059A0000-0x00000000059C2000-memory.dmpFilesize
136KB
-
memory/4292-134-0x00000000057D0000-0x0000000005862000-memory.dmpFilesize
584KB
-
memory/4292-133-0x0000000005CE0000-0x0000000006284000-memory.dmpFilesize
5MB
-
memory/4292-132-0x0000000000C60000-0x0000000000D22000-memory.dmpFilesize
776KB