Analysis
- max time kernel: 41s
- max time network: 47s
- platform: windows10-1703_x64
- resource: win10-20230220-es
- resource tags: arch:x64, arch:x86, image:win10-20230220-es, locale:es-es, os:windows10-1703-x64, system:windows
- submitted: 06/04/2023, 18:19
Static task: static1
Behavioral task: behavioral1
Sample: AnyDesk.exe
Resource: win10-20230220-es
General
- Target: AnyDesk.exe
- Size: 3.0MB
- MD5: eb80f7bddb699784baa9fbf2941eaf4a
- SHA1: df6abbfd20e731689f3c7d2a55f45ac83fbbc40b
- SHA256: b9ad79eaf7a4133f95f24c3b9d976c72f34264dc5c99030f0e57992cb5621f78
- SHA512: 3a1162e9fef849cb7143dc1898d4cfcfd87eb80ced0edb321dfa096686b25ae8a9a7f3ae8f37a09724d94f96d64e08940fc23c0b931ddd8a1e70e2792cb3fe47
- SSDEEP: 98304:6aJXyQTrRGlSMoIuORmKBQielvZlpkiSti:3olMcR9BTY3WS
Malware Config
Signatures
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Checks processor information in registry (2 TTPs, 2 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | AnyDesk.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | AnyDesk.exe
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  pid | Process
  4252 | AnyDesk.exe
  4252 | AnyDesk.exe
- Suspicious use of FindShellTrayWindow (3 IoCs)
  pid | Process
  4256 | AnyDesk.exe
  4256 | AnyDesk.exe
  4256 | AnyDesk.exe
- Suspicious use of SendNotifyMessage (3 IoCs)
  pid | Process
  4256 | AnyDesk.exe
  4256 | AnyDesk.exe
  4256 | AnyDesk.exe
- Suspicious use of WriteProcessMemory (6 IoCs)
  description | pid | Process | procid_target
  PID 4244 wrote to memory of 4252 | 4244 | AnyDesk.exe | 66
  PID 4244 wrote to memory of 4252 | 4244 | AnyDesk.exe | 66
  PID 4244 wrote to memory of 4252 | 4244 | AnyDesk.exe | 66
  PID 4244 wrote to memory of 4256 | 4244 | AnyDesk.exe | 67
  PID 4244 wrote to memory of 4256 | 4244 | AnyDesk.exe | 67
  PID 4244 wrote to memory of 4256 | 4244 | AnyDesk.exe | 67
Processes
- C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe"
  PID: 4244
  - Checks processor information in registry
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe" --local-service
    PID: 4252
    - Suspicious behavior: EnumeratesProcesses
  - C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe" --local-control
    PID: 4256
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
Network
MITRE ATT&CK Enterprise v6
Downloads