General

- Target: AnyDesk.exe
- Size: 3.0MB
- Sample: 250220-q3q2hawkds
- MD5: c8eeac24eca23bd1df10b02d5430432d
- SHA1: 39194c57c0488eca2ca7600d03783f6df4957688
- SHA256: d3b606e08c524995b585d6649183387068ee1dda60dc7e11c950966a7e73f234
- SHA512: e67f30c7bdac4b57cdad769b332b586a25c8d95fd0361a90986fad1e5ee2746b4a67c6a74defadf92a2499f6b5fb7b7a26057a5148ad270e45bacd366419f94f
- SSDEEP: 49152:PjHajM8yMboA7HSP/LRVTRoxy4cUARNLBQfnysp8OQmY7jRvTepmgChCkjIvaW:P0ByMPGP/LRVTmM4qNLB4kjRbWChCkOR
Static task: static1

Behavioral task: behavioral1
- Sample: AnyDesk.exe
- Resource: win10ltsc2021-20250217-en
Malware Config

Targets

- Target: AnyDesk.exe (3.0MB; MD5, SHA1, SHA256, SHA512 and SSDEEP identical to the General section above)
- Blocklisted process makes network request
- Downloads MZ/PE file
- Legitimate hosting services abused for malware hosting/C2
- Checks computer location settings: looks up the country code configured in the registry, likely a geofence.
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
MITRE ATT&CK Enterprise v15

Defense Evasion
- Hide Artifacts: 1
  - Ignore Process Interrupts: 1
- Modify Registry: 2
- Subvert Trust Controls: 1
  - Install Root Certificate: 1

Discovery
- Browser Information Discovery: 1
- Network Share Discovery: 1
- Query Registry: 4
- Remote System Discovery: 1
- System Information Discovery: 5
- System Location Discovery: 1
  - System Language Discovery: 1
- System Network Configuration Discovery: 1
  - Internet Connection Discovery: 1