Analysis

- max time kernel: 145s
- max time network: 152s
- platform: windows7_x64
- resource: win7-20240508-en
- resource tags: arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
- submitted: 30-06-2024 20:53

Static task: static1
Behavioral task: behavioral1
- Sample: AnyDesk.exe
- Resource: win7-20240508-en
General

- Target: AnyDesk.exe
- Size: 5.6MB
- MD5: c655d958dac296c3e6b0667e5f00dada
- SHA1: 678c76f62274a01a98ddd70082589c4a283c5a5a
- SHA256: 9d4e6b0fe6db752c0bab9fd0c9d2041f3304880010cfa271486f2288c80fd4f7
- SHA512: 98c4595eccf9fa67f99e16d36347739932fdbebe29bd95d65e397e60a34002d3724f9221fcf0514631f8cf05808c320cdf4c22eee28e77b06c01993b1079d7a0
- SSDEEP: 98304:9sNuDeuRqghwVZpsCzTB0saQZ2pT46vyQUiGNcX84I3UjpFU473BJ9kQEuyh2:Qu1ElzTB0saGhkGs84I3U1/JQh2
Malware Config

Extracted: xworm
- C2 (host:port): allows-welfare.gl.at.ply.gg:49180 (a playit.gg tunnel hostname, so the real operator address is hidden behind the tunnel service)
- Install_directory: %AppData%
- install_file: System32pdfc.exe
Signatures

Detect Xworm Payload (2 IoCs)
- resource: C:\Users\Admin\AppData\Local\Temp\RarSFX0\system32transmitter.exe; yara_rule: family_xworm
- resource: behavioral1/memory/2332-13-0x0000000001380000-0x0000000001398000-memory.dmp; yara_rule: family_xworm
Command and Scripting Interpreter: PowerShell (1 TTP, 4 IoCs)
Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, or processes. In this run the four invocations add two path exclusions (the loader in RarSFX0 and the configured install file C:\Users\Admin\AppData\Roaming\System32pdfc.exe) and two process exclusions (system32transmitter.exe and System32pdfc.exe). Add-MpPreference requires administrative rights; on a host where the user is not elevated these commands fail and no exclusion is applied.
Processes (pid, process): 2092 powershell.exe; 1104 powershell.exe; 1088 powershell.exe; 1768 powershell.exe
Drops startup file (2 IoCs)
- File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\System32pdfc.lnk (process: system32transmitter.exe)
- File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\System32pdfc.lnk (process: system32transmitter.exe)
The shortcut name matches the configured install_file System32pdfc.exe, i.e. per-user persistence through the Startup folder. The dropped-file list below contains no entry for C:\Users\Admin\AppData\Roaming\System32pdfc.exe, so the copy to the install path itself is not evidenced in this run.
Executes dropped EXE (4 IoCs)
Processes (pid, process): 2332 system32transmitter.exe; 2660 AnyDesk.exe; 2680 AnyDesk.exe; 2556 AnyDesk.exe
Loads dropped DLL (4 IoCs)
Processes (pid, process): 2808 cmd.exe (x2); 2660 AnyDesk.exe (x2)
Unexpected DNS network traffic destination (2 IoCs)
Network traffic to servers other than the configured DNS servers was detected on the DNS port.
- Destination IP: 9.9.9.9 (x2)
9.9.9.9 is the Quad9 public resolver; the signature fires because the lookups bypass the resolver configured on the analysis VM, not because the destination is itself malicious.
Looks up external IP address via web service (1 IoC)
Uses a legitimate IP lookup service to find the infected system's external IP.
- flow 6: ip-api.com
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
Checks processor information in registry (2 TTPs, 2 IoCs)
Processor information is often read in order to detect sandboxing environments.
- Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 (process: AnyDesk.exe)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString (process: AnyDesk.exe)
Both reads come from the bundled AnyDesk.exe rather than from the XWorm loader, so on its own this signature is weak evidence of sandbox evasion.
Suspicious behavior: EnumeratesProcesses (6 IoCs)
Processes (pid, process): 2680 AnyDesk.exe; 2092 powershell.exe; 1104 powershell.exe; 1088 powershell.exe; 1768 powershell.exe; 2332 system32transmitter.exe
Suspicious use of AdjustPrivilegeToken (6 IoCs)
- Token: SeDebugPrivilege; pid 2332 system32transmitter.exe
- Token: SeDebugPrivilege; pid 2092 powershell.exe
- Token: SeDebugPrivilege; pid 1104 powershell.exe
- Token: SeDebugPrivilege; pid 1088 powershell.exe
- Token: SeDebugPrivilege; pid 1768 powershell.exe
- Token: SeDebugPrivilege; pid 2332 system32transmitter.exe
Suspicious use of FindShellTrayWindow (3 IoCs)
Processes (pid, process): 2556 AnyDesk.exe (x3)
Suspicious use of SendNotifyMessage (3 IoCs)
Processes (pid, process): 2556 AnyDesk.exe (x3)
Suspicious use of SetWindowsHookEx (1 IoC)
Processes (pid, process): 2332 system32transmitter.exe
Suspicious use of WriteProcessMemory (32 IoCs)
Records are "PID <parent> wrote to memory of <child>"; identical records are collapsed with their count.
- 3068 AnyDesk.exe -> 2808 cmd.exe (x4)
- 2808 cmd.exe -> 2332 system32transmitter.exe (x4)
- 2808 cmd.exe -> 2660 AnyDesk.exe (x4)
- 2660 AnyDesk.exe -> 2680 AnyDesk.exe (x4)
- 2660 AnyDesk.exe -> 2556 AnyDesk.exe (x4)
- 2332 system32transmitter.exe -> 2092 powershell.exe (x3)
- 2332 system32transmitter.exe -> 1104 powershell.exe (x3)
- 2332 system32transmitter.exe -> 1088 powershell.exe (x3)
- 2332 system32transmitter.exe -> 1768 powershell.exe (x3)
Every record pairs a parent with a child it launched, so these are the writes a parent makes into a new child during process creation; they document the execution chain rather than injection into an unrelated, already-running process.
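Reports like this one flatten the WriteProcessMemory records into a single line, so reconstructing the process chain by hand is error-prone. The following parser is an added example (not part of the sandbox report or its tooling): it parses records in the exact "PID <parent> wrote to memory of <child> <parent> <parent image> <child image>" form shown above, collapses duplicates, rebuilds the tree, and flags any child written to by more than one parent, which is the case that would point at injection rather than ordinary process start-up. The RECORDS input is a constructed subset of the records above.

```python
import re
from collections import Counter, defaultdict
from typing import Dict, List, Set, Tuple

# Constructed input: a subset of the WriteProcessMemory records from the
# signature above, in the flattened one-line form the report presents them in.
RECORDS = (
    "PID 3068 wrote to memory of 2808 3068 AnyDesk.exe cmd.exe "
    "PID 3068 wrote to memory of 2808 3068 AnyDesk.exe cmd.exe "
    "PID 2808 wrote to memory of 2332 2808 cmd.exe system32transmitter.exe "
    "PID 2808 wrote to memory of 2660 2808 cmd.exe AnyDesk.exe "
    "PID 2660 wrote to memory of 2680 2660 AnyDesk.exe AnyDesk.exe "
    "PID 2660 wrote to memory of 2556 2660 AnyDesk.exe AnyDesk.exe "
    "PID 2332 wrote to memory of 2092 2332 system32transmitter.exe powershell.exe "
    "PID 2332 wrote to memory of 2092 2332 system32transmitter.exe powershell.exe "
    "PID 2332 wrote to memory of 1104 2332 system32transmitter.exe powershell.exe"
)

# "PID <parent> wrote to memory of <child> <parent> <parent image> <child image>";
# the backreference \1 insists that the repeated parent PID matches.
RECORD = re.compile(r"PID (\d+) wrote to memory of (\d+) \1 (\S+) (\S+)")

Edge = Tuple[int, str, int, str]  # parent pid, parent image, child pid, child image


def parse(text: str) -> Counter:
    """Count identical records: the sandbox logs several writes per child."""
    return Counter((int(p), pimg, int(c), cimg) for p, c, pimg, cimg in RECORD.findall(text))


def build_tree(edges: Counter):
    """Return (pid -> image, parent pid -> [(child pid, write count)], root pids)."""
    names: Dict[int, str] = {}
    children: Dict[int, List[Tuple[int, int]]] = defaultdict(list)
    for (ppid, pimg, cpid, cimg), n in edges.items():
        names.setdefault(ppid, pimg)
        names.setdefault(cpid, cimg)
        children[ppid].append((cpid, n))
    all_children = {c for kids in children.values() for c, _ in kids}
    roots = [p for p in names if p not in all_children]
    return names, children, roots


def multi_parent_children(edges: Counter) -> Set[int]:
    """PIDs written to by more than one distinct parent. Process creation gives
    exactly one writer per child; a second writer suggests injection into an
    already-running process and deserves a closer look."""
    parents: Dict[int, Set[int]] = defaultdict(set)
    for ppid, _, cpid, _ in edges:
        parents[cpid].add(ppid)
    return {c for c, ps in parents.items() if len(ps) > 1}


def render(names, children, roots) -> List[str]:
    """Indented tree, one process per line, children sorted by pid."""
    lines: List[str] = []

    def walk(pid: int, depth: int, writes: int) -> None:
        line = f"{'  ' * depth}{pid} {names[pid]}"
        if writes:
            line += f" ({writes} write{'s' if writes != 1 else ''})"
        lines.append(line)
        for cpid, n in sorted(children.get(pid, [])):
            walk(cpid, depth + 1, n)

    for root in roots:
        walk(root, 0, 0)
    return lines


if __name__ == "__main__":
    edges = parse(RECORDS)
    print("\n".join(render(*build_tree(edges))))
    print("multi-parent children:", multi_parent_children(edges) or "none")
```

Against the constructed subset the tree has a single root (3068) and no multi-parent child, which matches the point made above: every write here is a parent writing into a child it just created.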
Processes

depth 1: C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe"
  - Suspicious use of WriteProcessMemory

  depth 2: C:\Windows\SysWOW64\cmd.exe
    command line: "C:\Windows\System32\cmd.exe" /c start "" "system32transmitter.exe" & start "" "AnyDesk.exe"
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    This is the self-extracting archive's setup command: the outer AnyDesk.exe unpacks to %TEMP%\RarSFX0 and starts both the XWorm loader and a bundled AnyDesk client from there. The image path is SysWOW64 although the command line names System32, which indicates a 32-bit SFX stub subject to WOW64 file-system redirection.

    depth 3: C:\Users\Admin\AppData\Local\Temp\RarSFX0\system32transmitter.exe
      command line: "system32transmitter.exe"
      - Drops startup file
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory

      depth 4: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\RarSFX0\system32transmitter.exe'
        - Command and Scripting Interpreter: PowerShell
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken

      depth 4: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'system32transmitter.exe'
        - Command and Scripting Interpreter: PowerShell
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken

      depth 4: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\System32pdfc.exe'
        - Command and Scripting Interpreter: PowerShell
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken

      depth 4: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'System32pdfc.exe'
        - Command and Scripting Interpreter: PowerShell
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken

    depth 3: C:\Users\Admin\AppData\Local\Temp\RarSFX0\AnyDesk.exe
      command line: "AnyDesk.exe"
      - Executes dropped EXE
      - Loads dropped DLL
      - Checks processor information in registry
      - Suspicious use of WriteProcessMemory

      depth 4: C:\Users\Admin\AppData\Local\Temp\RarSFX0\AnyDesk.exe
        command line: "C:\Users\Admin\AppData\Local\Temp\RarSFX0\AnyDesk.exe" --local-service
        - Executes dropped EXE
        - Suspicious behavior: EnumeratesProcesses

      depth 4: C:\Users\Admin\AppData\Local\Temp\RarSFX0\AnyDesk.exe
        command line: "C:\Users\Admin\AppData\Local\Temp\RarSFX0\AnyDesk.exe" --local-control
        - Executes dropped EXE
        - Suspicious use of FindShellTrayWindow
        - Suspicious use of SendNotifyMessage
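The tree above is the pattern a detection engineer wants to catch on endpoints: an executable running out of a WinRAR SFX extraction directory, PowerShell adding Defender exclusions from that process, and a .lnk dropped into the per-user Startup folder. The following detection logic is an added example (not part of the sandbox report or any vendor's tooling). It runs over constructed Sysmon-style process-creation and file-creation events that replay the chain above; the PIDs, image paths and command lines are the report's, while the event layout, the parent PID 0 for the top-level AnyDesk.exe, the severity rules and the rule names are assumptions.

```python
import re
from typing import Any, Dict, List, Tuple

Event = Dict[str, Any]
Finding = Tuple[str, int, str]  # rule name, pid, detail

# Constructed events replaying the process tree above (layout is assumed).
SFX = r"C:\Users\Admin\AppData\Local\Temp\RarSFX0"
PS_IMG = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
PS_CMD = r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference '


def proc(pid: int, ppid: int, image: str, cmd: str) -> Event:
    return {"type": "process", "pid": pid, "ppid": ppid, "image": image, "cmd": cmd}


EVENTS: List[Event] = [
    proc(3068, 0, r"C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe", r'"C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe"'),
    proc(2808, 3068, r"C:\Windows\SysWOW64\cmd.exe",
         r'"C:\Windows\System32\cmd.exe" /c start "" "system32transmitter.exe" & start "" "AnyDesk.exe"'),
    proc(2332, 2808, SFX + r"\system32transmitter.exe", r'"system32transmitter.exe"'),
    proc(2660, 2808, SFX + r"\AnyDesk.exe", r'"AnyDesk.exe"'),
    proc(2680, 2660, SFX + r"\AnyDesk.exe", f'"{SFX}\\AnyDesk.exe" --local-service'),
    proc(2556, 2660, SFX + r"\AnyDesk.exe", f'"{SFX}\\AnyDesk.exe" --local-control'),
    proc(2092, 2332, PS_IMG, PS_CMD + r"-ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\RarSFX0\system32transmitter.exe'"),
    proc(1104, 2332, PS_IMG, PS_CMD + r"-ExclusionProcess 'system32transmitter.exe'"),
    proc(1088, 2332, PS_IMG, PS_CMD + r"-ExclusionPath 'C:\Users\Admin\AppData\Roaming\System32pdfc.exe'"),
    proc(1768, 2332, PS_IMG, PS_CMD + r"-ExclusionProcess 'System32pdfc.exe'"),
    {"type": "file", "pid": 2332, "image": SFX + r"\system32transmitter.exe",
     "path": r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\System32pdfc.lnk"},
]

# WinRAR SFX stubs unpack to %TEMP%\RarSFX<n>; user-writable roots need no admin rights to plant files.
TEMP_SFX = re.compile(r"\\AppData\\Local\\Temp\\RarSFX\d+\\", re.IGNORECASE)
USER_WRITABLE = re.compile(r"\\(AppData|Temp|Downloads)\\", re.IGNORECASE)
MP_EXCLUSION = re.compile(r"Add-MpPreference\b.*?-Exclusion(Path|Process|Extension)\s+'([^']+)'", re.IGNORECASE)
STARTUP_LNK = re.compile(r"\\Start Menu\\Programs\\Startup\\[^\\]+\.lnk$", re.IGNORECASE)


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def detect(events: List[Event]) -> List[Finding]:
    procs = {e["pid"]: e for e in events if e["type"] == "process"}
    findings: List[Finding] = []
    for e in events:
        parent = procs.get(e.get("ppid"))
        pname = basename(parent["image"]) if parent else "?"
        if e["type"] == "process":
            m = MP_EXCLUSION.search(e["cmd"])
            if basename(e["image"]) == "powershell.exe" and m:
                kind, value = m.group(1), m.group(2)
                # A bare process name excludes every process with that name, and a path
                # under a user-writable directory excludes whatever gets dropped there.
                sev = "high" if kind.lower() == "process" or USER_WRITABLE.search(value) else "medium"
                findings.append(("defender_exclusion", e["pid"], f"{sev}: -Exclusion{kind} {value} (parent {pname})"))
            if TEMP_SFX.search(e["image"]) and pname == "cmd.exe":
                findings.append(("sfx_temp_exec", e["pid"], basename(e["image"])))
        elif e["type"] == "file":
            if STARTUP_LNK.search(e["path"]) and USER_WRITABLE.search(e["image"]):
                findings.append(("startup_lnk", e["pid"], e["path"]))
    return findings


def chain_alert(events: List[Event], findings: List[Finding]) -> bool:
    """Correlate: exclusion changes or Startup persistence coming from a process
    that itself started out of an SFX extraction directory."""
    procs = {e["pid"]: e for e in events if e["type"] == "process"}
    sfx_pids = {pid for rule, pid, _ in findings if rule == "sfx_temp_exec"}
    for rule, pid, _ in findings:
        if rule == "defender_exclusion" and procs[pid]["ppid"] in sfx_pids:
            return True
        if rule == "startup_lnk" and pid in sfx_pids:
            return True
    return False


if __name__ == "__main__":
    found = detect(EVENTS)
    for rule, pid, detail in found:
        print(f"{rule:20} pid={pid:<5} {detail}")
    print("chain alert:", chain_alert(EVENTS, found))
```

The individual rules are deliberately noisy on their own (an administrator legitimately adding a Program Files exclusion from an elevated console only scores medium); the chain correlation is what distinguishes this sample, because the exclusions and the Startup shortcut both originate from a process that was launched out of %TEMP%\RarSFX0.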
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads

The same AnyDesk configuration path appears several times because each rewritten version of the file was hashed separately.

- C:\Users\Admin\AppData\Local\Temp\RarSFX0\AnyDesk.exe
  Filesize: 5.1MB
  MD5: aee6801792d67607f228be8cec8291f9
  SHA1: bf6ba727ff14ca2fddf619f292d56db9d9088066
  SHA256: 1cdafbe519f60aaadb4a92e266fff709129f86f0c9ee595c45499c66092e0499
  SHA512: 09d9fc8702ab6fa4fc9323c37bc970b8a7dd180293b0dbf337de726476b0b9515a4f383fa294ba084eccf0698d1e3cb5a39d0ff9ea3ba40c8a56acafce3add4f

- C:\Users\Admin\AppData\Local\Temp\RarSFX0\system32transmitter.exe
  Filesize: 73KB
  MD5: 864c37423bb1332bb4ae49b13da56cbc
  SHA1: 6a710197408e7e50e78b529e85499a364447fbd3
  SHA256: d61cc856e397eccad395768e0046e54a1b2b32b580c358195206dcf3cd08da3c
  SHA512: 4dae0ee5c4dc08ca295e557a3aef27187a7b1db9bc9ec27445f83f06937c9c81ddd0974219df34d6556c0646685287997a97ec2702a3eaac433c985c7e976c34

- C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace
  Filesize: 10KB
  MD5: e2ea7eb88b54861303b3a8d4b89b9967
  SHA1: 11aeb6cad8c63c1af549bec94e13ea8d2e3fc342
  SHA256: edee60e72d0533d24a088c93c159b179447b1515a3856a529b17c039210e78bb
  SHA512: 1d7558eae4380973b8fa3a68a87ce47d275ed0048434cfadcccde532a75bc8efcb50480c4f0578093598cafafa3ba33b394aee2faf18cca6814596d8a7210ced

- C:\Users\Admin\AppData\Roaming\AnyDesk\service.conf
  Filesize: 2KB
  MD5: 74504adefc6f467055cff78020e03051
  SHA1: a94e859c45149ac94b55cb2c84ebe3046f3fc7b6
  SHA256: 042d8189ae9078e346e068449cd9a249133941ef7d1e3e1ba9b67d73fb34d738
  SHA512: 7cba97aea3b8b6a4150995e32b51a87cae4abfd6374df16dd2f272081220b8f5047d641b1aab4a7fb96ba65987d79ee40b86ddd0e7bdab8d3a0b5162fee07293

- C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf
  Filesize: 424B
  MD5: 221a15ff8465ed79efebd8d5b3434e07
  SHA1: dc584b6ba4e630baeaa66faebb369cfb3fc36871
  SHA256: 25d33e1ec105fd327c3596fbfeb4976845cfaf77aa2a6190e59fc12452d3c84f
  SHA512: 024bfecc4957abd4923a6a643a3085eb437e1c58b93eae9c339defebabf46e265df564a0eced88b5254e83b309362d7a54a34db88b73cac3680f603d19fd4f57

- C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf
  Filesize: 312B
  MD5: 0c04ad1083dc5c7c45e3ee2cd344ae38
  SHA1: f1cf190f8ca93000e56d49732e9e827e2554c46f
  SHA256: 6452273c017db7cbe0ffc5b109bbf3f8d3282fb91bfa3c5eabc4fb8f1fc98cb0
  SHA512: 6c414b39bbc1f1f08446c6c6da6f6e1ceb9303bbf183ae279c872d91641ea8d67ec5e5c4e0824da3837eca73ec29fe70e92b72c09458c8ce50fa6f08791d1492

- C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf
  Filesize: not recorded; these are the hashes of the empty file, so this version was 0 bytes (the file was truncated before being rewritten)
  MD5: d41d8cd98f00b204e9800998ecf8427e
  SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
  SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
  SHA512: cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

- C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf
  Filesize: 424B
  MD5: 5b6c81bdfdb3b267a8a4e8958eb924b6
  SHA1: ab4090f6a2106325769212ea3322daeaff8d11d9
  SHA256: c181e931039c4cf719f2d6db5680b3fc8edca8e363625193723460e4173e9375
  SHA512: 217ecd38e395d45eaf9eab93c44de375f654c853feef8ca3f373ca7cbad05aa33203bdbdc774eaad2b98f72770ad72a2faab9380832d0e921418c84ea4f6482d

- C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf
  Filesize: 1KB
  MD5: 6a44c3ce73c6e594014ecd1e8335efbe
  SHA1: 17eb46f58a8fe432bf4c0ba95f43be2ac443d74f
  SHA256: 0f8ffea2ba0b3d5241df7dc87bafe16b3e32d3be994e5590fa05bd6c0b06b637
  SHA512: 491b545216beec7173ec3c66a5544dd0d7c0fade0f45cef0cd8ee4eeabe94a84cca5d6cabbf8251ae46110c3cefe60bb5d8d4a38a75e22952208a70dfc8b31b3

- C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf
  Filesize: 1KB
  MD5: b390e570e2bda96d2f1338d11bdcfce8
  SHA1: b195bd99e157cbcee6641dd75ad708f5a0040dab
  SHA256: 3a7b9c47313b34b53c465c1905cfd2534e03b8284f5d0d6cc574e4ae07f04ceb
  SHA512: 578613dbd71cf1122abd5796458497f7b8051ad80b7f725597b46ccce064673e02b2fd7bf4081385f3117b22babdffc31b33282a5dc35322ddb5e88c89ed04b4

- C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf
  Filesize: 1KB
  MD5: bb78e62bb3387126abed26ab009677ad
  SHA1: a9ee6ece6a6b51da3dc0a63cad593f30435d0b23
  SHA256: a40c6a99a7508f83e64ca5f73c93c2b8178e5168749c3e7f8f1b343ff3c6efa0
  SHA512: d286c7c28efd33180fe98623ebbdb4f508e6b763b09eb98651df7f125ebbe341a503cc461705ae34506167af24a0c68175c5ccbfc196029351806b58d7834e9d

- C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf
  Filesize: 1KB
  MD5: d184854a7ac406763acc14c60f92f7ce
  SHA1: a4fd8b6999ea2880921918bea248c0a429f2dfe1
  SHA256: 53d428bf8169d5a60274ce83a488e6308635b2e0923afb20498358af06546854
  SHA512: 5412f3d84b4f1d21824e90b93f5547c55394875462ea8fb1061126aaf05add9ede51c1b734bceb9a1857ffc5182b9cf564e776779c65f40c28f64b0e394a8eb7

- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\UNLDWFZA7KGX1V9F194K.temp
  Filesize: 7KB
  MD5: 537e2da8fe26313b31fb9d917493d936
  SHA1: 818a733c991dbd242aa141fec1c5b30e2364b567
  SHA256: 155113f9b37819ce3f38cf0ee2a34dbbb1c00114090fe525b45929cb76315d12
  SHA512: 78d166c1a179f68067d78d93b547da0a315750f6b153f23b5741d1668de981b98c28c4fa1fed640620ce14d6846a825435fa63d1d4f85ad23c7770a6328c1b66
Memory dumps (pid-sequence-range: size); 2332 is system32transmitter.exe, 1104/2092 are powershell.exe, 2556/2660/2680 are AnyDesk.exe:

- memory/1104-132-0x0000000001E80000-0x0000000001E88000-memory.dmp: 32KB
- memory/1104-131-0x000000001B540000-0x000000001B822000-memory.dmp: 2.9MB
- memory/2092-125-0x0000000001E00000-0x0000000001E08000-memory.dmp: 32KB
- memory/2092-124-0x000000001B6C0000-0x000000001B9A2000-memory.dmp: 2.9MB
- memory/2332-13-0x0000000001380000-0x0000000001398000-memory.dmp: 96KB
- memory/2556-28-0x0000000001100000-0x0000000002849000-memory.dmp: 23.3MB
- memory/2556-283-0x0000000001100000-0x0000000002849000-memory.dmp: 23.3MB
- memory/2556-115-0x0000000001100000-0x0000000002849000-memory.dmp: 23.3MB
- memory/2660-113-0x0000000001100000-0x0000000002849000-memory.dmp: 23.3MB
- memory/2660-14-0x0000000001100000-0x0000000002849000-memory.dmp: 23.3MB
- memory/2660-177-0x0000000001100000-0x0000000002849000-memory.dmp: 23.3MB
- memory/2680-114-0x0000000001100000-0x0000000002849000-memory.dmp: 23.3MB
- memory/2680-158-0x0000000001100000-0x0000000002849000-memory.dmp: 23.3MB
- memory/2680-178-0x0000000001100000-0x0000000002849000-memory.dmp: 23.3MB
- memory/2680-134-0x0000000001100000-0x0000000002849000-memory.dmp: 23.3MB
- memory/2680-198-0x0000000001100000-0x0000000002849000-memory.dmp: 23.3MB
- memory/2680-208-0x0000000001100000-0x0000000002849000-memory.dmp: 23.3MB
- memory/2680-215-0x0000000001100000-0x0000000002849000-memory.dmp: 23.3MB
- memory/2680-233-0x0000000001100000-0x0000000002849000-memory.dmp: 23.3MB
- memory/2680-282-0x0000000001100000-0x0000000002849000-memory.dmp: 23.3MB
- memory/2680-26-0x0000000001100000-0x0000000002849000-memory.dmp: 23.3MB
- memory/2680-289-0x0000000001100000-0x0000000002849000-memory.dmp: 23.3MB