Analysis
- max time kernel: 416s
- max time network: 420s
- platform: windows7_x64
- resource: win7-20230220-en
- resource tags: arch:x64, arch:x86, image:win7-20230220-en, locale:en-us, os:windows7-x64, system
- submitted: 15-03-2023 03:17
Behavioral tasks
- behavioral1: sample AnyDesk - Cracked/AnyDesk.exe, resource win7-20230220-en
- behavioral2: sample AnyDesk - Cracked/AnyDesk.exe, resource win10v2004-20230220-en
- behavioral3: sample AnyDesk - Cracked/anydesk.dll, resource win7-20230220-en
General
- Target: AnyDesk - Cracked/anydesk.dll
- Size: 3.3MB
- MD5: 66fa7283415aca195aab3a58fdef86cb
- SHA1: da517a5bc62b74e4349c6ac4ab045c71b1a1562e
- SHA256: 8a705987075d93bbd2a7fb0e6044947507926623f45e8d8092ca2e6f67f5ce7d
- SHA512: 7a386704075ccc1f49e4771816de8ca6a9f2da4bb4668cf4c9f0ef82672eda9302345b72b5244639d8ab2712293a1792d5a862509b174256d5cb458ad0d7115f
- SSDEEP: 98304:kz56hxk5wcilIEJ0ZOZGtzLdJiYw18hgJ1KQ0gohl:o6hq5elTwOZGRlTqP0gi
Malware Config
Signatures
- Identifies VirtualBox via ACPI registry values (likely anti-VM) (2 TTPs, 1 IoC)
  Processes: rundll32.exe
  Key opened: \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ (rundll32.exe)
- Checks BIOS information in registry (2 TTPs, 2 IoCs)
  BIOS information is often read in order to detect sandboxing environments.
  Processes: rundll32.exe
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion (rundll32.exe)
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion (rundll32.exe)
- YARA rule match: themida
  Processes: rundll32.exe (PID 1616)
  Matching memory dumps (behavioral3, all in the range 0x0000000073400000-0x0000000073C17000): memory/1616-54, 1616-55, 1616-56, 1616-58, 1616-59, 1616-60, 1616-62 and 1616-63 -memory.dmp
- Checks whether UAC is enabled
  Processes: rundll32.exe
  Key value queried: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA (rundll32.exe)
- Suspicious use of WriteProcessMemory (7 IoCs)
  Processes: rundll32.exe
  PID 1520 (rundll32.exe) wrote to memory of PID 1616 (rundll32.exe), recorded 7 times
Processes
- C:\Windows\system32\rundll32.exe
  rundll32.exe "C:\Users\Admin\AppData\Local\Temp\AnyDesk - Cracked\anydesk.dll",#1
  PID: 1520
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe "C:\Users\Admin\AppData\Local\Temp\AnyDesk - Cracked\anydesk.dll",#1
    PID: 1616
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Checks whether UAC is enabled
Network
MITRE ATT&CK Enterprise v6
Downloads
- memory/1616-54-0x0000000073400000-0x0000000073C17000-memory.dmp (8.1MB)
- memory/1616-55-0x0000000073400000-0x0000000073C17000-memory.dmp (8.1MB)
- memory/1616-57-0x00000000745F0000-0x0000000074E07000-memory.dmp (8.1MB)
- memory/1616-56-0x0000000073400000-0x0000000073C17000-memory.dmp (8.1MB)
- memory/1616-59-0x0000000073400000-0x0000000073C17000-memory.dmp (8.1MB)
- memory/1616-58-0x0000000073400000-0x0000000073C17000-memory.dmp (8.1MB)
- memory/1616-60-0x0000000073400000-0x0000000073C17000-memory.dmp (8.1MB)
- memory/1616-62-0x0000000073400000-0x0000000073C17000-memory.dmp (8.1MB)
- memory/1616-63-0x0000000073400000-0x0000000073C17000-memory.dmp (8.1MB)