Resubmissions
09/10/2024, 12:51
241009-p31p9svcql 1009/10/2024, 01:43
241009-b5hetazemq 709/10/2024, 01:30
241009-bww7lstajb 608/10/2024, 22:36
241008-2h9hwstgrq 808/10/2024, 21:55
241008-1s9qza1akm 1008/10/2024, 19:59
241008-yqgajavamc 708/10/2024, 19:11
241008-xwd7pawdmk 1008/10/2024, 18:43
241008-xc4cgaxaqh 707/10/2024, 15:30
241007-sxe36azbpr 3General
-
Target
AnyDesk.exe
-
Size
4.8MB
-
Sample
241009-p31p9svcql
-
MD5
ecae8b9c820ce255108f6050c26c37a1
-
SHA1
42333349841ddcec2b5c073abc0cae651bb03e5f
-
SHA256
1a70f4eef11fbecb721b9bab1c9ff43a8c4cd7b2cafef08c033c77070c6fe069
-
SHA512
9dc317682d4a89351e876b47f57e7fd26176f054b7322433c2c02dd074aabf8bfb19e6d1137a4b3ee6cd3463eaf8c0de124385928c561bdfe38440f336035ed4
-
SSDEEP
49152:meqV5ZTNR7GCogeeQO+f2roC8b9vIT2jDKW4q8TrdzRplNOBLE7Rm1ebw4Tf/Eex:cX1T7bL0KrCqKDV4Jnd1ZOQ7R3rr/f6K
Malware Config
Targets
-
-
Target
AnyDesk.exe
-
Size
4.8MB
-
MD5
ecae8b9c820ce255108f6050c26c37a1
-
SHA1
42333349841ddcec2b5c073abc0cae651bb03e5f
-
SHA256
1a70f4eef11fbecb721b9bab1c9ff43a8c4cd7b2cafef08c033c77070c6fe069
-
SHA512
9dc317682d4a89351e876b47f57e7fd26176f054b7322433c2c02dd074aabf8bfb19e6d1137a4b3ee6cd3463eaf8c0de124385928c561bdfe38440f336035ed4
-
SSDEEP
49152:meqV5ZTNR7GCogeeQO+f2roC8b9vIT2jDKW4q8TrdzRplNOBLE7Rm1ebw4Tf/Eex:cX1T7bL0KrCqKDV4Jnd1ZOQ7R3rr/f6K
Score10/10-
Suspicious use of NtCreateProcessExOtherParentProcess
-
Reads local data of messenger clients
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
-
Adds Run key to start application
-
Boot or Logon Autostart Execution: Active Setup
Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
-
Command and Scripting Interpreter: PowerShell
Using powershell.exe command.
-
Downloads MZ/PE file
-
Enumerates connected drives
Attempts to read the root path of hard drives other than the default C: drive.
-
Event Triggered Execution: Image File Execution Options Injection
-
Installs/modifies Browser Helper Object
BHOs are DLL modules which act as plugins for Internet Explorer.
-
Legitimate hosting services abused for malware hosting/C2
-
Network Share Discovery
Attempt to gather information on host network.
-
Obfuscated Files or Information: Command Obfuscation
Adversaries may obfuscate content during command execution to impede detection.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Drops file in System32 directory
-
Event Triggered Execution: Component Object Model Hijacking
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
-
UPX packed file
Detects executables packed with UPX/modified UPX open source packer.
-
MITRE ATT&CK Enterprise v15
Execution
Command and Scripting Interpreter
1PowerShell
1Scheduled Task/Job
1Scheduled Task
1Persistence
Boot or Logon Autostart Execution
2Active Setup
1Registry Run Keys / Startup Folder
1Browser Extensions
1Event Triggered Execution
2Component Object Model Hijacking
1Image File Execution Options Injection
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Boot or Logon Autostart Execution
2Active Setup
1Registry Run Keys / Startup Folder
1Event Triggered Execution
2Component Object Model Hijacking
1Image File Execution Options Injection
1Scheduled Task/Job
1Scheduled Task
1Defense Evasion
Modify Registry
7Obfuscated Files or Information
1Command Obfuscation
1Subvert Trust Controls
1Install Root Certificate
1Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
2Credentials In Files
2Discovery
Browser Information Discovery
1Network Share Discovery
1Peripheral Device Discovery
2Query Registry
8Remote System Discovery
1System Information Discovery
8System Location Discovery
1System Language Discovery
1System Network Configuration Discovery
1Internet Connection Discovery
1