Analysis
- max time kernel: 106s
- max time network: 128s
- platform: windows10-2004_x64
- resource: win10v2004-20220812-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 30/09/2022, 14:38
Static task: static1
Behavioral task: behavioral1
- Sample: anydesk setup.msi
- Resource: win7-20220901-en
Behavioral task: behavioral2
- Sample: anydesk setup.msi
- Resource: win10v2004-20220812-en
General
- Target: anydesk setup.msi
- Size: 8.2MB
- MD5: 1491e78be7e5a4c5a0475c7c679d1628
- SHA1: d591dfa1bc1fce94018be12b0c45627d053406ca
- SHA256: 49e0e5f0de62fb6647ac6a76a8e57a9b636c777f9304337bff11971a7c6966e3
- SHA512: cd0e0f4082fe2cba3e6719776f0ba0663f3c969950edcff118b03fa30f38fde278f80063f207b8cc2f0c4607a2a976e826fdbec165ab3aadafa1a76a25e3c243
- SSDEEP: 196608:EsmqQDx19HKjYh8EFwIR8j9IR8fsNHKSEv7c:EsmqQdqdIR85IRxNqS8c
Malware Config
Signatures
- Executes dropped EXE (2 IoCs)
  pid | Process
  1924 | MSID48C.tmp
  4028 | MSID48C.tmp
- Enumerates connected drives (3 TTPs, 48 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
  description | ioc | Process
  File opened (read-only) | \??\Q: | msiexec.exe
  File opened (read-only) | \??\W: | msiexec.exe
  File opened (read-only) | \??\B: | msiexec.exe
  File opened (read-only) | \??\X: | msiexec.exe
  File opened (read-only) | \??\B: | msiexec.exe
  File opened (read-only) | \??\J: | msiexec.exe
  File opened (read-only) | \??\L: | msiexec.exe
  File opened (read-only) | \??\Z: | msiexec.exe
  File opened (read-only) | \??\H: | msiexec.exe
  File opened (read-only) | \??\P: | msiexec.exe
  File opened (read-only) | \??\Y: | msiexec.exe
  File opened (read-only) | \??\H: | msiexec.exe
  File opened (read-only) | \??\X: | msiexec.exe
  File opened (read-only) | \??\A: | msiexec.exe
  File opened (read-only) | \??\L: | msiexec.exe
  File opened (read-only) | \??\M: | msiexec.exe
  File opened (read-only) | \??\O: | msiexec.exe
  File opened (read-only) | \??\A: | msiexec.exe
  File opened (read-only) | \??\V: | msiexec.exe
  File opened (read-only) | \??\W: | msiexec.exe
  File opened (read-only) | \??\G: | msiexec.exe
  File opened (read-only) | \??\E: | msiexec.exe
  File opened (read-only) | \??\G: | msiexec.exe
  File opened (read-only) | \??\N: | msiexec.exe
  File opened (read-only) | \??\R: | msiexec.exe
  File opened (read-only) | \??\S: | msiexec.exe
  File opened (read-only) | \??\I: | msiexec.exe
  File opened (read-only) | \??\O: | msiexec.exe
  File opened (read-only) | \??\Y: | msiexec.exe
  File opened (read-only) | \??\F: | msiexec.exe
  File opened (read-only) | \??\F: | msiexec.exe
  File opened (read-only) | \??\U: | msiexec.exe
  File opened (read-only) | \??\V: | msiexec.exe
  File opened (read-only) | \??\Q: | msiexec.exe
  File opened (read-only) | \??\U: | msiexec.exe
  File opened (read-only) | \??\E: | msiexec.exe
  File opened (read-only) | \??\J: | msiexec.exe
  File opened (read-only) | \??\Z: | msiexec.exe
  File opened (read-only) | \??\M: | msiexec.exe
  File opened (read-only) | \??\R: | msiexec.exe
  File opened (read-only) | \??\P: | msiexec.exe
  File opened (read-only) | \??\S: | msiexec.exe
  File opened (read-only) | \??\T: | msiexec.exe
  File opened (read-only) | \??\I: | msiexec.exe
  File opened (read-only) | \??\K: | msiexec.exe
  File opened (read-only) | \??\T: | msiexec.exe
  File opened (read-only) | \??\K: | msiexec.exe
  File opened (read-only) | \??\N: | msiexec.exe
- Drops file in Windows directory (8 IoCs)
  description | ioc | Process
  File opened for modification | C:\Windows\Installer\ | msiexec.exe
  File created | C:\Windows\Installer\inprogressinstallinfo.ipi | msiexec.exe
  File created | C:\Windows\Installer\SourceHash{29EF7317-DCA1-4159-97B2-C883AD400AC6} | msiexec.exe
  File opened for modification | C:\Windows\Installer\MSID3EF.tmp | msiexec.exe
  File opened for modification | C:\Windows\Installer\MSID48C.tmp | msiexec.exe
  File created | C:\Windows\Installer\e56d268.msi | msiexec.exe
  File opened for modification | C:\Windows\Installer\e56d268.msi | msiexec.exe
  File opened for modification | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log | msiexec.exe
- Checks SCSI registry key(s) (3 TTPs, 5 IoCs)
  SCSI information is often read in order to detect sandboxing environments.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters | vssvc.exe
  Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters | vssvc.exe
  Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr | vssvc.exe
  Set value (data) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = [value elided] | vssvc.exe
  Set value (data) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | vssvc.exe
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  pid | Process
  4576 | msiexec.exe
  4576 | msiexec.exe
- Suspicious use of AdjustPrivilegeToken (51 IoCs)
  description | pid | Process
  Token: SeShutdownPrivilege | 4988 | msiexec.exe
  Token: SeIncreaseQuotaPrivilege | 4988 | msiexec.exe
  Token: SeSecurityPrivilege | 4576 | msiexec.exe
  Token: SeCreateTokenPrivilege | 4988 | msiexec.exe
  Token: SeAssignPrimaryTokenPrivilege | 4988 | msiexec.exe
  Token: SeLockMemoryPrivilege | 4988 | msiexec.exe
  Token: SeIncreaseQuotaPrivilege | 4988 | msiexec.exe
  Token: SeMachineAccountPrivilege | 4988 | msiexec.exe
  Token: SeTcbPrivilege | 4988 | msiexec.exe
  Token: SeSecurityPrivilege | 4988 | msiexec.exe
  Token: SeTakeOwnershipPrivilege | 4988 | msiexec.exe
  Token: SeLoadDriverPrivilege | 4988 | msiexec.exe
  Token: SeSystemProfilePrivilege | 4988 | msiexec.exe
  Token: SeSystemtimePrivilege | 4988 | msiexec.exe
  Token: SeProfSingleProcessPrivilege | 4988 | msiexec.exe
  Token: SeIncBasePriorityPrivilege | 4988 | msiexec.exe
  Token: SeCreatePagefilePrivilege | 4988 | msiexec.exe
  Token: SeCreatePermanentPrivilege | 4988 | msiexec.exe
  Token: SeBackupPrivilege | 4988 | msiexec.exe
  Token: SeRestorePrivilege | 4988 | msiexec.exe
  Token: SeShutdownPrivilege | 4988 | msiexec.exe
  Token: SeDebugPrivilege | 4988 | msiexec.exe
  Token: SeAuditPrivilege | 4988 | msiexec.exe
  Token: SeSystemEnvironmentPrivilege | 4988 | msiexec.exe
  Token: SeChangeNotifyPrivilege | 4988 | msiexec.exe
  Token: SeRemoteShutdownPrivilege | 4988 | msiexec.exe
  Token: SeUndockPrivilege | 4988 | msiexec.exe
  Token: SeSyncAgentPrivilege | 4988 | msiexec.exe
  Token: SeEnableDelegationPrivilege | 4988 | msiexec.exe
  Token: SeManageVolumePrivilege | 4988 | msiexec.exe
  Token: SeImpersonatePrivilege | 4988 | msiexec.exe
  Token: SeCreateGlobalPrivilege | 4988 | msiexec.exe
  Token: SeBackupPrivilege | 4356 | vssvc.exe
  Token: SeRestorePrivilege | 4356 | vssvc.exe
  Token: SeAuditPrivilege | 4356 | vssvc.exe
  Token: SeBackupPrivilege | 4576 | msiexec.exe
  Token: SeRestorePrivilege | 4576 | msiexec.exe
  Token: SeRestorePrivilege | 4576 | msiexec.exe
  Token: SeTakeOwnershipPrivilege | 4576 | msiexec.exe
  Token: SeRestorePrivilege | 4576 | msiexec.exe
  Token: SeTakeOwnershipPrivilege | 4576 | msiexec.exe
  Token: SeRestorePrivilege | 4576 | msiexec.exe
  Token: SeTakeOwnershipPrivilege | 4576 | msiexec.exe
  Token: SeBackupPrivilege | 4132 | srtasks.exe
  Token: SeRestorePrivilege | 4132 | srtasks.exe
  Token: SeSecurityPrivilege | 4132 | srtasks.exe
  Token: SeTakeOwnershipPrivilege | 4132 | srtasks.exe
  Token: SeBackupPrivilege | 4132 | srtasks.exe
  Token: SeRestorePrivilege | 4132 | srtasks.exe
  Token: SeSecurityPrivilege | 4132 | srtasks.exe
  Token: SeTakeOwnershipPrivilege | 4132 | srtasks.exe
- Suspicious use of FindShellTrayWindow (1 IoC)
  pid | Process
  4988 | msiexec.exe
- Suspicious use of WriteProcessMemory (8 IoCs)
  description | pid | Process | procid_target
  PID 4576 wrote to memory of 4132 | 4576 | msiexec.exe | 91
  PID 4576 wrote to memory of 4132 | 4576 | msiexec.exe | 91
  PID 4576 wrote to memory of 1924 | 4576 | msiexec.exe | 93
  PID 4576 wrote to memory of 1924 | 4576 | msiexec.exe | 93
  PID 4576 wrote to memory of 1924 | 4576 | msiexec.exe | 93
  PID 1924 wrote to memory of 4028 | 1924 | MSID48C.tmp | 95
  PID 1924 wrote to memory of 4028 | 1924 | MSID48C.tmp | 95
  PID 1924 wrote to memory of 4028 | 1924 | MSID48C.tmp | 95
Processes (nesting shows the parent/child tree)
- C:\Windows\system32\msiexec.exe
  Command line: msiexec.exe /I "C:\Users\Admin\AppData\Local\Temp\anydesk setup.msi"
  PID: 4988
  Signatures: Enumerates connected drives; Suspicious use of AdjustPrivilegeToken; Suspicious use of FindShellTrayWindow
- C:\Windows\system32\msiexec.exe
  Command line: C:\Windows\system32\msiexec.exe /V
  PID: 4576
  Signatures: Enumerates connected drives; Drops file in Windows directory; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
  - C:\Windows\system32\srtasks.exe
    Command line: C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
    PID: 4132
    Signatures: Suspicious use of AdjustPrivilegeToken
  - C:\Windows\Installer\MSID48C.tmp
    Command line: "C:\Windows\Installer\MSID48C.tmp"
    PID: 1924
    Signatures: Executes dropped EXE; Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\is-022TP.tmp\MSID48C.tmp
      Command line: "C:\Users\Admin\AppData\Local\Temp\is-022TP.tmp\MSID48C.tmp" /SL5="$90044,7703614,831488,C:\Windows\Installer\MSID48C.tmp"
      PID: 4028
      Signatures: Executes dropped EXE
- C:\Windows\system32\vssvc.exe
  Command line: C:\Windows\system32\vssvc.exe
  PID: 4356
  Signatures: Checks SCSI registry key(s); Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v6
Downloads