General
-
Target
AnyDesk.exe
-
Size
5.3MB
-
Sample
231229-ktts5sgbh8
-
MD5
75eecc3a8b215c465f541643e9c4f484
-
SHA1
3ad1f800b63640128bfdcc8dbee909554465ee11
-
SHA256
ec33d8ee9c3881b8fcea18f9f862d5926d994553aec1b65081d925afd3e8b028
-
SHA512
b3a48230fc6f20038c938e5295b68a3f020b94e220ca2fab6a894d126dc41f6f1021c239613bf9d6de84370ad7df9d9a91baf716a87d43eb101ee3e48578e5ff
-
SSDEEP
98304:j5ObAu2pmits24nYhQCWQdaQQo/mJPv4KYZPKBhYI5RuN4OL2wIjcsJWNg3:IAnRu24nR5QcTvYdmPuWOL2TcQWe3
Static task
static1
Behavioral task
behavioral1
Sample
AnyDesk.exe
Resource
win7-20231215-en
Behavioral task
behavioral2
Sample
AnyDesk.exe
Resource
win10-20231215-en
Behavioral task
behavioral3
Sample
AnyDesk.exe
Resource
win10v2004-20231215-en
Malware Config
Targets
-
-
Target
AnyDesk.exe
-
Size
5.3MB
-
MD5
75eecc3a8b215c465f541643e9c4f484
-
SHA1
3ad1f800b63640128bfdcc8dbee909554465ee11
-
SHA256
ec33d8ee9c3881b8fcea18f9f862d5926d994553aec1b65081d925afd3e8b028
-
SHA512
b3a48230fc6f20038c938e5295b68a3f020b94e220ca2fab6a894d126dc41f6f1021c239613bf9d6de84370ad7df9d9a91baf716a87d43eb101ee3e48578e5ff
-
SSDEEP
98304:j5ObAu2pmits24nYhQCWQdaQQo/mJPv4KYZPKBhYI5RuN4OL2wIjcsJWNg3:IAnRu24nR5QcTvYdmPuWOL2TcQWe3
-
BadRabbit
Ransomware family discovered in late 2017, mainly targeting Russia and Ukraine.
-
Checks for common network interception software
Looks in the registry for tools like Wireshark or Fiddler commonly used to analyze network activity.
-
Enumerates VirtualBox registry keys
-
Blocks application from running via registry modification
Adds application to list of disallowed applications.
-
Disables RegEdit via registry modification
-
Drops file in Drivers directory
-
Modifies Installed Components in the registry
-
Identifies Wine through registry keys
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
-
Unexpected DNS network traffic destination
Network traffic to other servers than the configured DNS servers was detected on the DNS port.
-
Adds Run key to start application
-
Blocklisted process makes network request
-
Checks for any installed AV software in registry
-
Enumerates connected drives
Attempts to read the root path of hard drives other than the default C: drive.
-
Legitimate hosting services abused for malware hosting/C2
-
Sets file execution options in registry
-
Writes to the Master Boot Record (MBR)
Bootkits write to the MBR to gain persistence at a level below the operating system.
-
Drops file in System32 directory
-
Modifies WinLogon for persistence
-
Suspicious use of SetThreadContext
-
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
4Registry Run Keys / Startup Folder
3Winlogon Helper DLL
1Pre-OS Boot
1Bootkit
1Scheduled Task/Job
1Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Boot or Logon Autostart Execution
4Registry Run Keys / Startup Folder
3Winlogon Helper DLL
1Scheduled Task/Job
1Defense Evasion
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Hide Artifacts
1Hidden Files and Directories
1Impair Defenses
3Disable or Modify Tools
3Modify Registry
10Pre-OS Boot
1Bootkit
1Virtualization/Sandbox Evasion
2