Overview

overview

10

Static

static

1

Anydesk6.6.msi

windows7-x64

10

Anydesk6.6.msi

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    Anydesk6.6.zip

  • Size

    2.7MB

  • Sample

    240919-hq3wjawfkj

  • MD5

    6efec98c1bef69b0eb68dfd5204dcfa8

  • SHA1

    a082367025c847c25d455414f6e2ffc3f0be2656

  • SHA256

    25b7267bd776447563554f6e98e4bac1944a3f800c1658231df71293d0dfb07e

  • SHA512

    91fb8faba7a7f891dc47176ea14e1a2c1a4c8dc1928a8e6d19951b74857a2539632ab26ef87d55c18d26e2cb2e0e0e38b072b7ef915c483c52dedac73319e0f8

  • SSDEEP

    49152:xN6BODrsZcu5lixu/IiojgkHUCXshSR9hUZMEYk5+5uR1m8KU560TMHv:x/DrsZc+LatXb9hUOEYa+5uRIve68MHv

Score
10/10
defense_evasiondiscoveryevasionexecutionpersistenceprivilege_escalationtrojan

Malware Config

Targets

    • Target

      Anydesk6.6.msi

    • Size

      4.3MB

    • MD5

      ec6e20cf1e3298163f08b2166ba9fa33

    • SHA1

      2e829c7f7ab05279b2af14f61c8265e0ebbc32db

    • SHA256

      41241f3bc8472cba920e35528728ed3a1070aa6b48c50b34ad3f5dcf0dd4d9bb

    • SHA512

      88449b0e10e9f6762a173ea2bb4853c38bb3864a83a97024fa7138ca2e8657daf03c1aa5def0b629d775a0e7f45d9e9b11b27e626f1b9a10ec1a91f90fbf8aa3

    • SSDEEP

      98304:KgBB2Siit8OEzYhTn9XwCA4IkVMDA+loJ:Hiitm0hhwl9NloJ

    Score
    10/10
    defense_evasiondiscoveryevasionexecutionpersistenceprivilege_escalationtrojan

    • UAC bypass

      evasiontrojan

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

      evasion

    • Command and Scripting Interpreter: PowerShell

      Using powershell.exe command.

      execution

    • Modifies RDP port number used by Windows

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Identifies Wine through registry keys

      Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

      evasion

    • Adds Run key to start application

      persistence

    • Checks whether UAC is enabled

      evasiontrojan

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Indicator Removal: File Deletion

      Adversaries may delete files left behind by the actions of their intrusion activity.

      defense_evasion

    • Drops file in System32 directory

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    behavioral1behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1
T1059

PowerShell

1
T1059.001

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Persistence

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Event Triggered Execution

1
T1546

Installer Packages

1
T1546.016

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Privilege Escalation

Abuse Elevation Control Mechanism

1
T1548

Bypass User Account Control

1
T1548.002

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Event Triggered Execution

1
T1546

Installer Packages

1
T1546.016

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

1
T1548

Bypass User Account Control

1
T1548.002

Hide Artifacts

1
T1564

Ignore Process Interrupts

1
T1564.011

Impair Defenses

1
T1562

Disable or Modify Tools

1
T1562.001

Indicator Removal

1
T1070

File Deletion

1
T1070.004

Modify Registry

3
T1112

System Binary Proxy Execution

1
T1218

Msiexec

1
T1218.007

Virtualization/Sandbox Evasion

2
T1497

Credential Access

Discovery

Peripheral Device Discovery

2
T1120

Query Registry

6
T1012

System Information Discovery

6
T1082

System Location Discovery

1
T1614

System Language Discovery

1
T1614.001

Virtualization/Sandbox Evasion

2
T1497

Lateral Movement

Remote Services

1
T1021

Remote Desktop Protocol

1
T1021.001

Collection

Command and Control

Exfiltration

Impact

Tasks