Analysis
max time kernel: 144s
max time network: 156s
platform: windows11-21h2_x64
resource: win11-20231215-en
resource tags: arch:x64, arch:x86, image:win11-20231215-en, locale:en-us, os:windows11-21h2-x64, system
submitted: 06/02/2024, 14:09
Static task: static1
Behavioral task: behavioral1
Sample: AnyDesk.exe
Resource: win11-20231215-en
General
Target: AnyDesk.exe
Size: 5.0MB
MD5: a21768190f3b9feae33aaef660cb7a83
SHA1: 24780657328783ef50ae0964b23288e68841a421
SHA256: 55e4ce3fe726043070ecd7de5a74b2459ea8bed19ef2a36ce7884b2ab0863047
SHA512: ca6da822072cb0d3797221e578780b19c8953e4207729a002a64a00ced134059c0ed21b02572c43924e4ba3930c0e88cd2cdb309259e3d0dcfb0c282f1832d62
SSDEEP: 98304:NzTZ3cINQscs0m++LNkT6OpwDGUUH57yvZ/49Mr8EO3QhA9Kq:Nzt3cINQscNmvLCwDkHEvZ/4R79x
Malware Config
Signatures
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Checks processor information in registry (2 TTPs, 2 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | AnyDesk.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | AnyDesk.exe
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  pid | Process
  2844 | AnyDesk.exe
  2844 | AnyDesk.exe
- Suspicious use of FindShellTrayWindow (3 IoCs)
  pid | Process
  2120 | AnyDesk.exe
  2120 | AnyDesk.exe
  2120 | AnyDesk.exe
- Suspicious use of SendNotifyMessage (3 IoCs)
  pid | Process
  2120 | AnyDesk.exe
  2120 | AnyDesk.exe
  2120 | AnyDesk.exe
- Suspicious use of WriteProcessMemory (6 IoCs)
  description | pid | Process | procid_target
  PID 3108 wrote to memory of 2844 | 3108 | AnyDesk.exe | 77
  PID 3108 wrote to memory of 2844 | 3108 | AnyDesk.exe | 77
  PID 3108 wrote to memory of 2844 | 3108 | AnyDesk.exe | 77
  PID 3108 wrote to memory of 2120 | 3108 | AnyDesk.exe | 76
  PID 3108 wrote to memory of 2120 | 3108 | AnyDesk.exe | 76
  PID 3108 wrote to memory of 2120 | 3108 | AnyDesk.exe | 76
Processes
- C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe"
  PID: 3108
  - Checks processor information in registry
  - Suspicious use of WriteProcessMemory
  Child processes:
  - C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe" --local-control
    PID: 2120
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
  - C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe" --local-service
    PID: 2844
    - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize: 385KB
MD5: 1ce7d5a1566c8c449d0f6772a8c27900
SHA1: 60854185f6338e1bfc7497fd41aa44c5c00d8f85
SHA256: 73170761d6776c0debacfbbc61b6988cb8270a20174bf5c049768a264bb8ffaf
SHA512: 7e3411be8614170ae91db1626c452997dc6db663d79130872a124af982ee1d457cefba00abd7f5269adce3052403be31238aecc3934c7379d224cb792d519753
-
Filesize: 10KB
MD5: effac5cea5b093309637d5f0f1d5d53e
SHA1: bcbb34f063ebbde885ac24edb28978c1c644c620
SHA256: b19b3b160236454f029fa71f16187de38033933fb9c257b7ba27132b232a6438
SHA512: 12d143a52a9abf1663ae99152032aff8268083fb1f7e2ed962e0cb9029c59d366e4419f431d67dcc219484550720e8e2b498ece546ca31284d7bec2a18e0cc71
-
Filesize: 2KB
MD5: 5309332b692f03dc74e178ccad34cc22
SHA1: fe8b5103143a3be172242db4ab777ead9ab60ea7
SHA256: f4a18f84f89716d45513601f384f6f964fe23a2c3722df808fba719ded8fcbb1
SHA512: 244175bcad30da0dfe3e2cb087446d5ed79875a5b5847c6da68bea64cb6c85e69c32f7e8688dcd9f536436361a7f41c805812598b99838369bd2a6923b9397de
-
Filesize: 2KB
MD5: 4e6af13cff8f41539262e83a75b5d11b
SHA1: 142bf452a7f06255a916e101c887f9063ee13059
SHA256: 8335c5814c93ae1280e94e3d9252c31975d0394cbcfbb24fa5efbda463a27ecf
SHA512: 75578aa3cf96fc7352f96570f6a07dc774c598d29f802add67154c73e779edef6f1029b67f3f5ead472c67b41835687e608b3e0fa8f2d8d3b56038e186db05e2
-
Filesize: 681B
MD5: 350e5c8e0f220d0e978806b6e8835dac
SHA1: cf77247c7c106f421993f9855ed776e3639d3e85
SHA256: bd78e38c1de303fbe90629f70151b3a673c1dcd2c135a504ef177fbd7cc12f0a
SHA512: 295f192e25f34c9ce2443b2421a9cb05717baf03f324397fdb958094b920f24ec02d2f7c1d7ba45c5a4940ae0b4f052da0169237b48c579de29c7f329bb953ae
-
Filesize: 802B
MD5: b4791b9026cea0b7f5c9f98941b3a29f
SHA1: c246720688833d989159af35ff8a7815e29bdaa8
SHA256: 6c578c9fcf94c6f4eb597fa79130cf6eff90bab60f04add6d72c0987fc45757a
SHA512: e98f0cd038618e1b205339bc4d401c6884fccd6d477fda27b99216f391a510aaa7786bac77dc50a7e946c8b252070a5310eb194e0ec5d2213cb8b687716c5ebc
-
Filesize: 312B
MD5: 0c04ad1083dc5c7c45e3ee2cd344ae38
SHA1: f1cf190f8ca93000e56d49732e9e827e2554c46f
SHA256: 6452273c017db7cbe0ffc5b109bbf3f8d3282fb91bfa3c5eabc4fb8f1fc98cb0
SHA512: 6c414b39bbc1f1f08446c6c6da6f6e1ceb9303bbf183ae279c872d91641ea8d67ec5e5c4e0824da3837eca73ec29fe70e92b72c09458c8ce50fa6f08791d1492
-
Filesize: 424B
MD5: 94128cd461bc0abb6800d4f0523e5ed3
SHA1: 6dfb40ec9d5ce47831d19deba7697e3d3016a590
SHA256: fc14a02c0127e6ab9bc106d324e7c9af23fd5c8b2d2f3dfe6fee59e92b2de171
SHA512: 77e1dd44e7c0491135971e2f7ee4df0ab8cc7b79ba5bcdae99b5537a245e8ce9c65bb4f82f5dfcf394421f053161289b71fe471c9f06f608a5e2c2c6413c50a9
-
Filesize: 424B
MD5: 09c948bb35de2d88e526c7fa3053aded
SHA1: dbb0870cdd0538a8f4d9dbb454469881410fd81e
SHA256: 2c06ce8e6d38b71adf7065fc908f0965afd728610698dee48fd30c28c5920e93
SHA512: 20d225757814ca6da35be849f2f273886b54f240eec41c00844298bda20953cbb18ec4bb4cbf58fe3f52c16bea9b50a58151af46b3de5c4cb0dcd6ebb6bc8427
-
Filesize: 2KB
MD5: bf9dea02568d4b429ab97390e249def0
SHA1: d6f1c728fe5ceaf618232e20c259603d7ab0cacb
SHA256: 08d4bba62d4651d231dc3becd91b647b655a0ff36e9587859c152af702d12a9d
SHA512: 0352d45910cda29a0342aff200ea10f1f8a8aeab91b09ec98a2db1cc00cfb6b273c213ade0043e763d18c42598ee7ea18e6f3ca456264d77aff9d8f7f78309ea
-
Filesize: 3KB
MD5: 9280e2dc846c9959914021155cfbe06b
SHA1: 0909a7ba6d44c4a5a8463dfb7059624555c49c82
SHA256: 1858d39af5c0d4f5581237a6e5c7e999b909d28ce5e5d5e55d96a054a729b286
SHA512: 9fa60bb0b0ce8d631453d2539b605fbcc7bda8435d07a829a786830bad8e784a340e4485ef95c9aa79a499000ebd8ff10803d5dcc1fb694ef1ee03169de180b8
-
Filesize: 1KB
MD5: 5be6d47116c6e6686c05b74b98095699
SHA1: 99747d6e03c881ef2411928ccc2c29c643f2c1b8
SHA256: 28add08d9460d00e6a28ea0eca1892fe1438264c6695776695ec687b8e136723
SHA512: fcc5550afbc59f359ce066939a2fe79ffab6e9f293cf5a27853ed4d30f4697b795e322cf71784cd5205257576913ec7df0c7003bef73559670cb1513bb875140
-
Filesize: 6KB
MD5: d341adc8233dea6db5ecbc16142ef0b2
SHA1: 8d5aea7e10704c1b66aa092e72dc385e9789d86e
SHA256: 4cd2e377360a9a698958744b8598d21ea1f2f4c5014709a482f06615e977320b
SHA512: 49211383efdf9aeb6b2ea42120ddbee070765902fc7d784b82379138426957fc51b3a75ff494e173d1520c3152ec71aaf4422d8afa35a6d9f1c6a5cc0d4a6a1e
-
Filesize: 6KB
MD5: 61f66be4bcc13016b5a2f129b8ce1cd4
SHA1: 10140ea520e77b62f266fd4d232c8df50c3273a4
SHA256: c48a9ec62f623c79ce6c60a9366f0886818aea0551303db1465e628315fc8ced
SHA512: 6caace25ac74a277ed1dbe9101a48b445283e593816743909617f9330c582fb6ac01e1c9f2c3146a05b7341b521cb1871381d439e41bf5bdf796a4ca861ee2f1
-
Filesize: 1KB
MD5: 55d0ed21d9e86d4d40be3f84cb3058d8
SHA1: 17f4a9a3dd2e8303e9afad2aba17a330ecda55e6
SHA256: 8e8c1a60595040e7f90ae19dd2adb88bc5b85c9383d8252f553933c3d4fb8a95
SHA512: 0c9ee13725d79aad56d53c33f5c772d22a79c726bae010a3b3ac4d02efd8d81559e96c751c2bf9bd9a41c0f68708839ce776d6691aa82bb5b82ae6494f79a6c6
-
Filesize: 1KB
MD5: f6febd467a035640eeb7813a5db97ce4
SHA1: f6b56487163d1d8d7f614e94c5c8d342c438acc0
SHA256: a0e12f9f6fdd3429b0064528c5fa7be01d23395dccbcda96b4ea26a5c08f8464
SHA512: dd30172b7c51fb8a8e9471361d769aae81a2f72919767de903d25a3a0b8b5d9da9154ebbf165f23894866bbfcee2b0e41becf81015940493f6d7b56dcab06e26
-
Filesize: 1KB
MD5: 08b47f1f4b11c4e22309bbb37720e62b
SHA1: 872a3598a68b24201dbd5bc169afc02eafc21f5c
SHA256: ace1be19b67a79cb11f3c352c21f6d30c125e2c4fbdc82b8aca33fc72c52d7ee
SHA512: b0d87edc16792ed10266df646e0cf34e59883627fa3bd46ca0871be8fa08b14349140f1cc0e61d4e4c8e79197f805462cd90b934b013a3a4d1ffd3219fafb7ec