Analysis
-
max time kernel
138s -
max time network
142s -
platform
windows7_x64 -
resource
win7-20220812-en -
resource tags
-
submitted
18-01-2023 22:15
General
-
Target
AnyDeskAPP.msi
-
Size
1.4MB
-
MD5
4e4a4a4eb6a77d72af83b2bbd0698593
-
SHA1
dbaeba54fcae50acc36565d0f61ad73df6df7d45
-
SHA256
58e9f60d0b951029578cc1054668bfee2f00cfa029cfbd01ea65c7f61713a40a
-
SHA512
69785dadc878bd1178672a8f08590eeccd268b4fd2107ae3909e59fba03e7cfa425f690580dfcfa1f5ec3e494e5ef0b7232a16a26c8fbf734ef3887da4044ccb
-
SSDEEP
24576:Y+rwxLNjY3Wx0ECIgYmfLVYeBZrWAv12h2SekeUuyZD6lvs0zqa3:TrMjYMZKumZrWAWTreUuyZD6lvVz9
Malware Config
Signatures
-
Blocklisted process makes network request 1 IoCs
-
Executes dropped EXE 1 IoCs
-
Loads dropped DLL 5 IoCs
-
Enumerates connected drives 3 TTPs 48 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Drops file in System32 directory 1 IoCs
-
Drops file in Windows directory 14 IoCs
-
Modifies Internet Explorer settings 1 TTPs 30 IoCs
-
Modifies data under HKEY_USERS 46 IoCs
-
Modifies registry class 20 IoCs
-
Suspicious behavior: EnumeratesProcesses 5 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of FindShellTrayWindow 5 IoCs
-
Suspicious use of SetWindowsHookEx 4 IoCs
-
Suspicious use of WriteProcessMemory 19 IoCs
Processes
-
C:\Windows\system32\msiexec.exemsiexec.exe /I C:\Users\Admin\AppData\Local\Temp\AnyDeskAPP.msi1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
-
C:\Windows\system32\msiexec.exeC:\Windows\system32\msiexec.exe /V1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding 24C7966EFCD0CFD417DE1CDCF34725C22⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe-NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Local\Temp\pss9C91.ps1" -propFile "C:\Users\Admin\AppData\Local\Temp\msi9C6F.txt" -scriptFile "C:\Users\Admin\AppData\Local\Temp\scr9C70.ps1" -scriptArgsFile "C:\Users\Admin\AppData\Local\Temp\scr9C71.txt" -propSep " :<->: " -testPrefix "_testValue."3⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
-
C:\prescindir\outrem\Wineminência.exe"C:\prescindir\outrem\Wineminência.exe"4⤵
- Executes dropped EXE
-
-
-
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\DrvInst.exeDrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "0000000000000598" "00000000000003C4"1⤵
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1016 CREDAT:275457 /prefetch:22⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
5KB
MD5fc1bb6c87fd1f08b534e52546561c53c
SHA1db402c5c1025cf8d3e79df7b868fd186243aa9d1
SHA256a04750ed5f05b82b90f6b8ea3748ba246af969757a5a4b74a0e25b186add520b
SHA5125495f4ac3c8f42394a82540449526bb8ddd91adf0a1a852a9e1f2d32a63858b966648b4099d9947d8ac68ee43824dacda24c337c5b97733905e36c4921280e86
-
Filesize
17KB
MD57c5b73168b207a9c580eb62dd1588fef
SHA1cdd8f39b7a12aa0b3c62a3c0c19572976d0444dc
SHA2566d6b711685d829f27fcfe579853e43d993bf6e935085161d0dbee6abb43f60d5
SHA5127ea9836bc57698341d18154e1b76ea6d1ee67b68504c2076b7125374c63298a9bf3580b4d2c2936ab19d0831940bb927171b6ad5a46fb87caf7f43b2b82696f9
-
Filesize
436KB
MD5475d20c0ea477a35660e3f67ecf0a1df
SHA167340739f51e1134ae8f0ffc5ae9dd710e8e3a08
SHA256426e6cf199a8268e8a7763ec3a4dd7add982b28c51d89ebea90ca792cbae14dd
SHA51299525aaab2ab608134b5d66b5313e7fc3c2e2877395c5c171897d7a6c66efb26b606de1a4cb01118c2738ea4b6542e4eb4983e631231b3f340bf85e509a9589e
-
Filesize
436KB
MD5475d20c0ea477a35660e3f67ecf0a1df
SHA167340739f51e1134ae8f0ffc5ae9dd710e8e3a08
SHA256426e6cf199a8268e8a7763ec3a4dd7add982b28c51d89ebea90ca792cbae14dd
SHA51299525aaab2ab608134b5d66b5313e7fc3c2e2877395c5c171897d7a6c66efb26b606de1a4cb01118c2738ea4b6542e4eb4983e631231b3f340bf85e509a9589e
-
Filesize
436KB
MD5475d20c0ea477a35660e3f67ecf0a1df
SHA167340739f51e1134ae8f0ffc5ae9dd710e8e3a08
SHA256426e6cf199a8268e8a7763ec3a4dd7add982b28c51d89ebea90ca792cbae14dd
SHA51299525aaab2ab608134b5d66b5313e7fc3c2e2877395c5c171897d7a6c66efb26b606de1a4cb01118c2738ea4b6542e4eb4983e631231b3f340bf85e509a9589e
-
Filesize
574KB
MD57b7d9e2c9b8236e7155f2f97254cb40e
SHA199621fc9d14511428d62d91c31865fb2c4625663
SHA256df58faba241328b9645dcb5dec387ec5edd56e2d878384a4783f2c0a66f85897
SHA512fbaa1560f03255f73be3e846959e4b7cbb1c24165d014ed01245639add6cc463975e5558567ab5704e18c9078a8a071c9e38dc1e499ba6e3dc507d4275b4a228
-
Filesize
5.5MB
MD5caa7805c7dc283359293bae074cb85ec
SHA1f21c4880fbf40b8f03ed8954263106d814ac014d
SHA256e24fbdd85caccbf63428e12d5e0afb7529c6c22469ed7414e80d5a6b9c02ac23
SHA512206a54b956f7bed6f63a2f08b9ec6b9bec32fb628356e2b6189edea814e403bee385ce46420ca5a4d41e33d6306376c7c605f3645c5c3b85a0f0980d4ba5e8f1
-
MD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
Filesize
436KB
MD5475d20c0ea477a35660e3f67ecf0a1df
SHA167340739f51e1134ae8f0ffc5ae9dd710e8e3a08
SHA256426e6cf199a8268e8a7763ec3a4dd7add982b28c51d89ebea90ca792cbae14dd
SHA51299525aaab2ab608134b5d66b5313e7fc3c2e2877395c5c171897d7a6c66efb26b606de1a4cb01118c2738ea4b6542e4eb4983e631231b3f340bf85e509a9589e
-
Filesize
436KB
MD5475d20c0ea477a35660e3f67ecf0a1df
SHA167340739f51e1134ae8f0ffc5ae9dd710e8e3a08
SHA256426e6cf199a8268e8a7763ec3a4dd7add982b28c51d89ebea90ca792cbae14dd
SHA51299525aaab2ab608134b5d66b5313e7fc3c2e2877395c5c171897d7a6c66efb26b606de1a4cb01118c2738ea4b6542e4eb4983e631231b3f340bf85e509a9589e
-
Filesize
436KB
MD5475d20c0ea477a35660e3f67ecf0a1df
SHA167340739f51e1134ae8f0ffc5ae9dd710e8e3a08
SHA256426e6cf199a8268e8a7763ec3a4dd7add982b28c51d89ebea90ca792cbae14dd
SHA51299525aaab2ab608134b5d66b5313e7fc3c2e2877395c5c171897d7a6c66efb26b606de1a4cb01118c2738ea4b6542e4eb4983e631231b3f340bf85e509a9589e
-
Filesize
574KB
MD57b7d9e2c9b8236e7155f2f97254cb40e
SHA199621fc9d14511428d62d91c31865fb2c4625663
SHA256df58faba241328b9645dcb5dec387ec5edd56e2d878384a4783f2c0a66f85897
SHA512fbaa1560f03255f73be3e846959e4b7cbb1c24165d014ed01245639add6cc463975e5558567ab5704e18c9078a8a071c9e38dc1e499ba6e3dc507d4275b4a228
-
Filesize
5.5MB
MD5caa7805c7dc283359293bae074cb85ec
SHA1f21c4880fbf40b8f03ed8954263106d814ac014d
SHA256e24fbdd85caccbf63428e12d5e0afb7529c6c22469ed7414e80d5a6b9c02ac23
SHA512206a54b956f7bed6f63a2f08b9ec6b9bec32fb628356e2b6189edea814e403bee385ce46420ca5a4d41e33d6306376c7c605f3645c5c3b85a0f0980d4ba5e8f1
-
-
-
Filesize
8KB
-
Filesize
21.2MB
-
-
Filesize
8KB