Overview

overview

10

Static

static

AnyDeskAPP.msi

windows7-x64

9

AnyDeskAPP.msi

windows10-2004-x64

10

Analysis

  • max time kernel
    167s
  • max time network
    179s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags

    arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
  • submitted
    18-01-2023 23:16

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    AnyDeskAPP.msi

  • Size

    1.4MB

  • MD5

    4e4a4a4eb6a77d72af83b2bbd0698593

  • SHA1

    dbaeba54fcae50acc36565d0f61ad73df6df7d45

  • SHA256

    58e9f60d0b951029578cc1054668bfee2f00cfa029cfbd01ea65c7f61713a40a

  • SHA512

    69785dadc878bd1178672a8f08590eeccd268b4fd2107ae3909e59fba03e7cfa425f690580dfcfa1f5ec3e494e5ef0b7232a16a26c8fbf734ef3887da4044ccb

  • SSDEEP

    24576:Y+rwxLNjY3Wx0ECIgYmfLVYeBZrWAv12h2SekeUuyZD6lvs0zqa3:TrMjYMZKumZrWAWTreUuyZD6lvVz9

Score
9/10
evasiontrojan

Malware Config

Signatures

  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
    evasion
  • Blocklisted process makes network request 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Checks BIOS information in registry 2 TTPs 2 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Loads dropped DLL 5 IoCs
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
    evasiontrojan
  • Enumerates connected drives 3 TTPs 48 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in System32 directory 1 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
  • Drops file in Windows directory 14 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies Internet Explorer settings 1 TTPs 24 IoCs
    adwarespyware
  • Modifies data under HKEY_USERS 46 IoCs
  • Modifies registry class 20 IoCs
  • Suspicious behavior: EnumeratesProcesses 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 5 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 19 IoCs

Processes

  • C:\Windows\system32\msiexec.exe
    msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\AnyDeskAPP.msi
    1⤵
    • Enumerates connected drives
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    PID:2020
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Enumerates connected drives
    • Drops file in Windows directory
    • Modifies data under HKEY_USERS
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1460
    • C:\Windows\syswow64\MsiExec.exe
      C:\Windows\syswow64\MsiExec.exe -Embedding 1BE9FC6ED0E82700AA85DFD9BA46A456
      2⤵
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:308
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Local\Temp\pss452F.ps1" -propFile "C:\Users\Admin\AppData\Local\Temp\msi450D.txt" -scriptFile "C:\Users\Admin\AppData\Local\Temp\scr450E.ps1" -scriptArgsFile "C:\Users\Admin\AppData\Local\Temp\scr450F.txt" -propSep " :<->: " -testPrefix "_testValue."
        3⤵
        • Blocklisted process makes network request
        • Loads dropped DLL
        • Drops file in System32 directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of WriteProcessMemory
        PID:1220
        • C:\discrição\oriundo\Winindiferente.exe
          "C:\discrição\oriundo\Winindiferente.exe"
          4⤵
          • Identifies VirtualBox via ACPI registry values (likely anti-VM)
          • Executes dropped EXE
          • Checks BIOS information in registry
          • Checks whether UAC is enabled
          • Suspicious use of NtSetInformationThreadHideFromDebugger
          PID:552
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:852
  • C:\Windows\system32\DrvInst.exe
    DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "00000000000004A4" "0000000000000064"
    1⤵
    • Drops file in Windows directory
    • Modifies data under HKEY_USERS
    • Suspicious use of AdjustPrivilegeToken
    PID:1732
  • C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
    1⤵
    • Modifies Internet Explorer settings
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:580
    • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:580 CREDAT:275457 /prefetch:2
      2⤵
      • Modifies Internet Explorer settings
      • Suspicious use of SetWindowsHookEx
      PID:1372

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\pss452F.ps1
    Filesize

    5KB

    MD5

    fc1bb6c87fd1f08b534e52546561c53c

    SHA1

    db402c5c1025cf8d3e79df7b868fd186243aa9d1

    SHA256

    a04750ed5f05b82b90f6b8ea3748ba246af969757a5a4b74a0e25b186add520b

    SHA512

    5495f4ac3c8f42394a82540449526bb8ddd91adf0a1a852a9e1f2d32a63858b966648b4099d9947d8ac68ee43824dacda24c337c5b97733905e36c4921280e86

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\scr450E.ps1
    Filesize

    17KB

    MD5

    7c5b73168b207a9c580eb62dd1588fef

    SHA1

    cdd8f39b7a12aa0b3c62a3c0c19572976d0444dc

    SHA256

    6d6b711685d829f27fcfe579853e43d993bf6e935085161d0dbee6abb43f60d5

    SHA512

    7ea9836bc57698341d18154e1b76ea6d1ee67b68504c2076b7125374c63298a9bf3580b4d2c2936ab19d0831940bb927171b6ad5a46fb87caf7f43b2b82696f9

    Download Submit

  • C:\Windows\Installer\MSI2167.tmp
    Filesize

    436KB

    MD5

    475d20c0ea477a35660e3f67ecf0a1df

    SHA1

    67340739f51e1134ae8f0ffc5ae9dd710e8e3a08

    SHA256

    426e6cf199a8268e8a7763ec3a4dd7add982b28c51d89ebea90ca792cbae14dd

    SHA512

    99525aaab2ab608134b5d66b5313e7fc3c2e2877395c5c171897d7a6c66efb26b606de1a4cb01118c2738ea4b6542e4eb4983e631231b3f340bf85e509a9589e

    Download Submit

  • C:\Windows\Installer\MSI23D8.tmp
    Filesize

    436KB

    MD5

    475d20c0ea477a35660e3f67ecf0a1df

    SHA1

    67340739f51e1134ae8f0ffc5ae9dd710e8e3a08

    SHA256

    426e6cf199a8268e8a7763ec3a4dd7add982b28c51d89ebea90ca792cbae14dd

    SHA512

    99525aaab2ab608134b5d66b5313e7fc3c2e2877395c5c171897d7a6c66efb26b606de1a4cb01118c2738ea4b6542e4eb4983e631231b3f340bf85e509a9589e

    Download Submit

  • C:\Windows\Installer\MSI2771.tmp
    Filesize

    436KB

    MD5

    475d20c0ea477a35660e3f67ecf0a1df

    SHA1

    67340739f51e1134ae8f0ffc5ae9dd710e8e3a08

    SHA256

    426e6cf199a8268e8a7763ec3a4dd7add982b28c51d89ebea90ca792cbae14dd

    SHA512

    99525aaab2ab608134b5d66b5313e7fc3c2e2877395c5c171897d7a6c66efb26b606de1a4cb01118c2738ea4b6542e4eb4983e631231b3f340bf85e509a9589e

    Download Submit

  • C:\Windows\Installer\MSI4485.tmp
    Filesize

    574KB

    MD5

    7b7d9e2c9b8236e7155f2f97254cb40e

    SHA1

    99621fc9d14511428d62d91c31865fb2c4625663

    SHA256

    df58faba241328b9645dcb5dec387ec5edd56e2d878384a4783f2c0a66f85897

    SHA512

    fbaa1560f03255f73be3e846959e4b7cbb1c24165d014ed01245639add6cc463975e5558567ab5704e18c9078a8a071c9e38dc1e499ba6e3dc507d4275b4a228

    Download Submit

  • C:\discrição\oriundo\Winindiferente.exe
    Filesize

    5.5MB

    MD5

    caa7805c7dc283359293bae074cb85ec

    SHA1

    f21c4880fbf40b8f03ed8954263106d814ac014d

    SHA256

    e24fbdd85caccbf63428e12d5e0afb7529c6c22469ed7414e80d5a6b9c02ac23

    SHA512

    206a54b956f7bed6f63a2f08b9ec6b9bec32fb628356e2b6189edea814e403bee385ce46420ca5a4d41e33d6306376c7c605f3645c5c3b85a0f0980d4ba5e8f1

    Download Submit

  • C:\discrição\oriundo\Winindiferente.exe
    Filesize

    5.5MB

    MD5

    caa7805c7dc283359293bae074cb85ec

    SHA1

    f21c4880fbf40b8f03ed8954263106d814ac014d

    SHA256

    e24fbdd85caccbf63428e12d5e0afb7529c6c22469ed7414e80d5a6b9c02ac23

    SHA512

    206a54b956f7bed6f63a2f08b9ec6b9bec32fb628356e2b6189edea814e403bee385ce46420ca5a4d41e33d6306376c7c605f3645c5c3b85a0f0980d4ba5e8f1

    Download Submit

  • C:\discrição\oriundo\vending
    Filesize

    89.4MB

    MD5

    3c6ef07082ae5cd1cdbb4c272f1da202

    SHA1

    4bbc70f293110dae93746e8a1fe7c5a47d1f33ec

    SHA256

    2bd1e88bcdd6377d1fa2a8f12b1ffec9c1a73e4aeea4a9eea31c359880a17b4c

    SHA512

    432d6c249b4b000c5cdf9600f8ca3f7771e55d41152abbc398b70a5b8cc5bd3d867a7febbd7b4d07186a519b04a7f552aa25712c099b16ebdb4575a751c73ee9

    Download Submit

  • \Windows\Installer\MSI2167.tmp
    Filesize

    436KB

    MD5

    475d20c0ea477a35660e3f67ecf0a1df

    SHA1

    67340739f51e1134ae8f0ffc5ae9dd710e8e3a08

    SHA256

    426e6cf199a8268e8a7763ec3a4dd7add982b28c51d89ebea90ca792cbae14dd

    SHA512

    99525aaab2ab608134b5d66b5313e7fc3c2e2877395c5c171897d7a6c66efb26b606de1a4cb01118c2738ea4b6542e4eb4983e631231b3f340bf85e509a9589e

    Download Submit

  • \Windows\Installer\MSI23D8.tmp
    Filesize

    436KB

    MD5

    475d20c0ea477a35660e3f67ecf0a1df

    SHA1

    67340739f51e1134ae8f0ffc5ae9dd710e8e3a08

    SHA256

    426e6cf199a8268e8a7763ec3a4dd7add982b28c51d89ebea90ca792cbae14dd

    SHA512

    99525aaab2ab608134b5d66b5313e7fc3c2e2877395c5c171897d7a6c66efb26b606de1a4cb01118c2738ea4b6542e4eb4983e631231b3f340bf85e509a9589e

    Download Submit

  • \Windows\Installer\MSI2771.tmp
    Filesize

    436KB

    MD5

    475d20c0ea477a35660e3f67ecf0a1df

    SHA1

    67340739f51e1134ae8f0ffc5ae9dd710e8e3a08

    SHA256

    426e6cf199a8268e8a7763ec3a4dd7add982b28c51d89ebea90ca792cbae14dd

    SHA512

    99525aaab2ab608134b5d66b5313e7fc3c2e2877395c5c171897d7a6c66efb26b606de1a4cb01118c2738ea4b6542e4eb4983e631231b3f340bf85e509a9589e

    Download Submit

  • \Windows\Installer\MSI4485.tmp
    Filesize

    574KB

    MD5

    7b7d9e2c9b8236e7155f2f97254cb40e

    SHA1

    99621fc9d14511428d62d91c31865fb2c4625663

    SHA256

    df58faba241328b9645dcb5dec387ec5edd56e2d878384a4783f2c0a66f85897

    SHA512

    fbaa1560f03255f73be3e846959e4b7cbb1c24165d014ed01245639add6cc463975e5558567ab5704e18c9078a8a071c9e38dc1e499ba6e3dc507d4275b4a228

    Download Submit

  • \discrição\oriundo\Winindiferente.exe
    Filesize

    5.5MB

    MD5

    caa7805c7dc283359293bae074cb85ec

    SHA1

    f21c4880fbf40b8f03ed8954263106d814ac014d

    SHA256

    e24fbdd85caccbf63428e12d5e0afb7529c6c22469ed7414e80d5a6b9c02ac23

    SHA512

    206a54b956f7bed6f63a2f08b9ec6b9bec32fb628356e2b6189edea814e403bee385ce46420ca5a4d41e33d6306376c7c605f3645c5c3b85a0f0980d4ba5e8f1

    Download Submit

  • memory/308-57-0x0000000076181000-0x0000000076183000-memory.dmp

    Filesize

    8KB

    Download

  • memory/308-56-0x0000000000000000-mapping.dmp

    Download

  • memory/552-77-0x0000000000030000-0x0000000001190000-memory.dmp

    Filesize

    17.4MB

    Download

  • memory/552-82-0x0000000000030000-0x0000000001190000-memory.dmp

    Filesize

    17.4MB

    Download

  • memory/552-73-0x0000000000000000-mapping.dmp

    Download

  • memory/552-76-0x0000000000030000-0x0000000001190000-memory.dmp

    Filesize

    17.4MB

    Download

  • memory/552-98-0x0000000009DF0000-0x000000000F766000-memory.dmp

    Filesize

    89.5MB

    Download

  • memory/552-78-0x0000000000030000-0x0000000001190000-memory.dmp

    Filesize

    17.4MB

    Download

  • memory/552-79-0x0000000077DE0000-0x0000000077F60000-memory.dmp

    Filesize

    1.5MB

    Download

  • memory/552-80-0x0000000000030000-0x0000000001190000-memory.dmp

    Filesize

    17.4MB

    Download

  • memory/552-81-0x0000000000030000-0x0000000001190000-memory.dmp

    Filesize

    17.4MB

    Download

  • memory/552-94-0x00000000015C0000-0x0000000001639000-memory.dmp

    Filesize

    484KB

    Download

  • memory/552-83-0x0000000000030000-0x0000000001190000-memory.dmp

    Filesize

    17.4MB

    Download

  • memory/552-97-0x00000000042F0000-0x0000000004321000-memory.dmp

    Filesize

    196KB

    Download

  • memory/552-85-0x00000000012F0000-0x00000000012FD000-memory.dmp

    Filesize

    52KB

    Download

  • memory/552-86-0x000000000F770000-0x000000000F900000-memory.dmp

    Filesize

    1.6MB

    Download

  • memory/552-87-0x0000000077DE0000-0x0000000077F60000-memory.dmp

    Filesize

    1.5MB

    Download

  • memory/552-88-0x000000000F900000-0x000000000FAC3000-memory.dmp

    Filesize

    1.8MB

    Download

  • memory/552-96-0x000000000FF20000-0x0000000010050000-memory.dmp

    Filesize

    1.2MB

    Download

  • memory/552-91-0x0000000001380000-0x000000000139C000-memory.dmp

    Filesize

    112KB

    Download

  • memory/552-93-0x0000000009DF0000-0x000000000F766000-memory.dmp

    Filesize

    89.5MB

    Download

  • memory/552-92-0x00000000038B0000-0x0000000003947000-memory.dmp

    Filesize

    604KB

    Download

  • memory/1220-70-0x0000000072CC0000-0x00000000741E8000-memory.dmp

    Filesize

    21.2MB

    Download

  • memory/1220-66-0x0000000000000000-mapping.dmp

    Download

  • memory/1220-71-0x0000000072CC0000-0x00000000741E8000-memory.dmp

    Filesize

    21.2MB

    Download

  • memory/2020-54-0x000007FEFC621000-0x000007FEFC623000-memory.dmp

    Filesize

    8KB

    Download