Analysis

max time kernel: 300s
max time network: 305s
platform: windows10-2004_x64
resource: win10v2004-20231215-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
submitted: 08/02/2024, 22:26
Static task: static1
Behavioral task: behavioral1
Sample: AnyDesk (3).exe
Resource: win10v2004-20231215-en
General

Target: AnyDesk (3).exe
Size: 5.0MB
MD5: a21768190f3b9feae33aaef660cb7a83
SHA1: 24780657328783ef50ae0964b23288e68841a421
SHA256: 55e4ce3fe726043070ecd7de5a74b2459ea8bed19ef2a36ce7884b2ab0863047
SHA512: ca6da822072cb0d3797221e578780b19c8953e4207729a002a64a00ced134059c0ed21b02572c43924e4ba3930c0e88cd2cdb309259e3d0dcfb0c282f1832d62
SSDEEP: 98304:NzTZ3cINQscs0m++LNkT6OpwDGUUH57yvZ/49Mr8EO3QhA9Kq:Nzt3cINQscNmvLCwDkHEvZ/4R79x
Malware Config

Extracted family: discordrat
discord_token: MTIwMjM5OTUyODUxNTI3Mjc5NA.GWxKW6.6V0MyiMWQ0H-DObM-VGZcmWfjrXgLUtepqJYtE
server_id: 1202737484350619659
Signatures

Discord RAT
A RAT written in C# using Discord as a C2.

Legitimate hosting services abused for malware hosting/C2 (1 TTPs, 3 IoCs)
flow  ioc
71    discord.com
67    discord.com
68    discord.com
Drops file in System32 directory (15 IoCs)
description                   ioc                                                                                                                   Process
File opened for modification  C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_256.db            AnyDesk (3).exe
File opened for modification  C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_1920.db           AnyDesk (3).exe
File opened for modification  C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_wide.db           AnyDesk (3).exe
File opened for modification  C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_exif.db           AnyDesk (3).exe
File opened for modification  C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_32.db             AnyDesk (3).exe
File opened for modification  C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_sr.db             AnyDesk (3).exe
File opened for modification  C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_wide_alternate.db AnyDesk (3).exe
File opened for modification  C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_custom_stream.db  AnyDesk (3).exe
File opened for modification  C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_96.db             AnyDesk (3).exe
File opened for modification  C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_1280.db           AnyDesk (3).exe
File opened for modification  C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_48.db             AnyDesk (3).exe
File opened for modification  C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_768.db            AnyDesk (3).exe
File opened for modification  C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_2560.db           AnyDesk (3).exe
File opened for modification  C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_idx.db            AnyDesk (3).exe
File opened for modification  C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_16.db             AnyDesk (3).exe
Executes dropped EXE (1 IoCs)
pid   Process
3096  test.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
Checks processor information in registry (2 TTPs, 2 IoCs)
Processor information is often read in order to detect sandboxing environments.
description        ioc                                                                                  Process
Key opened         \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0                     AnyDesk (3).exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString  AnyDesk (3).exe
Suspicious behavior: AddClipboardFormatListener (1 IoCs)
pid   Process
4936  AnyDesk (3).exe

Suspicious behavior: EnumeratesProcesses (6 IoCs)
pid   Process
4208  AnyDesk (3).exe
4208  AnyDesk (3).exe
4208  AnyDesk (3).exe
4208  AnyDesk (3).exe
4208  AnyDesk (3).exe
4208  AnyDesk (3).exe

Suspicious use of AdjustPrivilegeToken (4 IoCs)
description                        pid   Process
Token: SeDebugPrivilege            4208  AnyDesk (3).exe
Token: 33                          3056  AUDIODG.EXE
Token: SeIncBasePriorityPrivilege  3056  AUDIODG.EXE
Token: SeDebugPrivilege            3096  test.exe

Suspicious use of FindShellTrayWindow (8 IoCs)
pid   Process
4936  AnyDesk (3).exe
4936  AnyDesk (3).exe
4936  AnyDesk (3).exe
4936  AnyDesk (3).exe
4936  AnyDesk (3).exe
4936  AnyDesk (3).exe
4804  AnyDesk (3).exe
2168  builder.exe

Suspicious use of SendNotifyMessage (6 IoCs)
pid   Process
4936  AnyDesk (3).exe
4936  AnyDesk (3).exe
4936  AnyDesk (3).exe
4936  AnyDesk (3).exe
4936  AnyDesk (3).exe
4936  AnyDesk (3).exe

Suspicious use of SetWindowsHookEx (2 IoCs)
pid   Process
4804  AnyDesk (3).exe
4804  AnyDesk (3).exe

Suspicious use of WriteProcessMemory (6 IoCs)
description                        pid   Process          procid_target
PID 2500 wrote to memory of 4208   2500  AnyDesk (3).exe  81
PID 2500 wrote to memory of 4208   2500  AnyDesk (3).exe  81
PID 2500 wrote to memory of 4208   2500  AnyDesk (3).exe  81
PID 2500 wrote to memory of 4936   2500  AnyDesk (3).exe  82
PID 2500 wrote to memory of 4936   2500  AnyDesk (3).exe  82
PID 2500 wrote to memory of 4936   2500  AnyDesk (3).exe  82
Processes

C:\Users\Admin\AppData\Local\Temp\AnyDesk (3).exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\AnyDesk (3).exe"
  PID: 2500
  - Checks processor information in registry
  - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\AnyDesk (3).exe (child of PID 2500)
      Command line: "C:\Users\Admin\AppData\Local\Temp\AnyDesk (3).exe" --local-service
      PID: 4208
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

        C:\Users\Admin\AppData\Local\Temp\AnyDesk (3).exe (child of PID 4208)
          Command line: "C:\Users\Admin\AppData\Local\Temp\AnyDesk (3).exe" --backend
          PID: 4804
          - Drops file in System32 directory
          - Suspicious use of FindShellTrayWindow
          - Suspicious use of SetWindowsHookEx

    C:\Users\Admin\AppData\Local\Temp\AnyDesk (3).exe (child of PID 2500)
      Command line: "C:\Users\Admin\AppData\Local\Temp\AnyDesk (3).exe" --local-control
      PID: 4936
      - Suspicious behavior: AddClipboardFormatListener
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage

C:\Windows\system32\AUDIODG.EXE
  Command line: C:\Windows\system32\AUDIODG.EXE 0x308 0x500
  PID: 3056
  - Suspicious use of AdjustPrivilegeToken

C:\Windows\System32\rundll32.exe
  Command line: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
  PID: 2836

C:\Users\Admin\Desktop\release\builder.exe
  Command line: "C:\Users\Admin\Desktop\release\builder.exe"
  PID: 2168
  - Suspicious use of FindShellTrayWindow

C:\Users\Admin\Desktop\release\test.exe
  Command line: "C:\Users\Admin\Desktop\release\test.exe"
  PID: 3096
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 385KB
MD5: 1ce7d5a1566c8c449d0f6772a8c27900
SHA1: 60854185f6338e1bfc7497fd41aa44c5c00d8f85
SHA256: 73170761d6776c0debacfbbc61b6988cb8270a20174bf5c049768a264bb8ffaf
SHA512: 7e3411be8614170ae91db1626c452997dc6db663d79130872a124af982ee1d457cefba00abd7f5269adce3052403be31238aecc3934c7379d224cb792d519753

Filesize: 6KB
MD5: b717f1a812c415f9068e9ab201b0d713
SHA1: cf6a46b2c25bb0573d5027480c9f32ec42d16462
SHA256: a72f832e631bb55601ff5b34b8a0ee37eecf751556404ca4220ffa32062912b7
SHA512: 6bdee0a7a7d7a8ce68ee6533e0c51f6723a9bca431367c9cb290ed9e7935fe10ed917c662de7f760d6385083522e54974985e5cd775622792ec4a9665bed2539

Filesize: 38KB
MD5: cfdd00fbda24825814b319a9c040d1e0
SHA1: 77e15dd6bafb4e16ccbc575defb99930babf2952
SHA256: a088a86ed1ce7c98ef1ff1605542dd0ebec2bf67a58c72ab87864f11b17d51de
SHA512: cf1ea21c9c4859a6cfbe24bddb5d495a22ff2daecd63c050b7caadab1ecf49035d923465e8b7e0087cb88bd5191b86dd7ff67c28b8bf916cd0b0857575ff011a

Filesize: 2KB
MD5: 1d3a9359cb58a2ad3f291717d609f1b4
SHA1: a646ad5c2cb04dc0630679074588cb135208b38d
SHA256: 19e6342b173ab149333fbc40aae124c29b6406864fc54295d8b9a3730cd1f4bf
SHA512: b06136e9ad907340d9008eff38746b133d305678c520e30b97951732ebda2b358ce3bbeb6a5e0090e6e73e2aaa1ceec1d4bbd29aa539524ce49c4dd911df8455

Filesize: 2KB
MD5: bfc4581188025d9647cc43b24b462770
SHA1: ff9d8dc877a20dd5a78d2537b8d2c58116860ca8
SHA256: 80f4b027bc07867e1865cdad18d1fc2f45ebc8db88a9e00470bf9e8930e5a2d5
SHA512: c7d971860cfe38be7557e6697a8cd87d8139cf78292d1fda3af50be0e1bec9574e70858d299d58f0844479241a5d72b9896cc8a06aa13f56b0950c56fc452934

Filesize: 612B
MD5: fc3e2361b5afe48de51fd2502616a85a
SHA1: d2b89e7a0315449213ffab2872d75c581119c649
SHA256: aeca880340f47901ccd1c2662033cf06fb503d947c45c90766c66b48ac5bf989
SHA512: cdac9a76e3df407d7c4b6569a45bfa7b720324716a5d0a882ac4f3741094ded5de064c4dfbd7feb42ef67857496acd583d45165e515984dde3c9f0358ca1f963

Filesize: 733B
MD5: 73bfef5fb2faaa9ed564157e304e235e
SHA1: 45bb8ec91b3cf5287fdad566ca044355587d6099
SHA256: 580c2e26f6d4fc3ee656443109c0588dc130ef82caddf3bbfdd1ccc72d35b238
SHA512: 81b0fc2a93d23ad3e0804036973e9138dd90ff9ebbe77dcb61f8b604a8fc6aeabe7baeefd17ccfee75ed5bfd22933f6314269c1a62c0c1681e421608871f399a

Filesize: 802B
MD5: c9f5e29cf61e7ff6b65b0ecb3ef885d6
SHA1: c8c41789e494db13cbcd6fb5e12643ebe3b010dd
SHA256: d5723f0506d63beb163aee0746acc12dc7d661c38604f7830cf578ef8e1538d8
SHA512: 0073b624093fbe44d46986f7a4750ae7223e8a07064e768eb864a8afc9d05c4a717f6b40fa5f9d77bf39a63c1c0da856afa08ad61af74eafb82e8d3d2ddf871f

Filesize: 312B
MD5: 0c04ad1083dc5c7c45e3ee2cd344ae38
SHA1: f1cf190f8ca93000e56d49732e9e827e2554c46f
SHA256: 6452273c017db7cbe0ffc5b109bbf3f8d3282fb91bfa3c5eabc4fb8f1fc98cb0
SHA512: 6c414b39bbc1f1f08446c6c6da6f6e1ceb9303bbf183ae279c872d91641ea8d67ec5e5c4e0824da3837eca73ec29fe70e92b72c09458c8ce50fa6f08791d1492

Filesize: 424B
MD5: 9731be6a4c35ac093ec6c8dde4e5b62d
SHA1: 1f9500578485a65fc9d6de8272e0a96ca2961780
SHA256: 5e09dcf0359984763ca928e57c49a49032a72c15bcf2c5667a884950b04a0b4b
SHA512: bee7d5e120c9e799a941f5ceaa68551c588478e04e0918b7c12d1f589d9e1f6555268ced9f96cd0a514aaa193b81793e5c24e6b42d79bded8f73a9373012b84f

Filesize: 2KB
MD5: cff04b1f9be726e7cfc46264ca268619
SHA1: e20a20c7e443451bf7e5cca50ae44f2b154fa5f0
SHA256: b6544a724d4646943135b7637597bdb7a3bcaf21e7d07c939062fb9cf7c16ae5
SHA512: d25ca4820ccf76fbb9a173f75e489f1c786cdee1db94a7d2ac47cc17f6fb5bf8a26c5aa87e651182abb125d2fc1c4156e7b6cf299a7452a3ae350ee024f71246

Filesize: 3KB
MD5: e0914e310570c7d4091f9a903bd64f93
SHA1: 1972369f6e3ea30ad0d325dd60d1a18ec7a48012
SHA256: 43bf8961bf265229f9cfe46d606782535406ba3d6f4fc55b69d8ab1fd4f00d32
SHA512: 2041e52ca6929c63e58aba589c82ec6b766c550b6576769b262f94d8ff8198a48af9ddaffe5bc9505f7d06c994bfa3ad04c8f1b79e9b9ad9b0cedc9622faab07

Filesize: 1KB
MD5: aa1ba7ff0ae6e37532ac1dd6be56f81e
SHA1: 4ecf0b321977d6a67dc73c47c5c6204b3e227744
SHA256: df9e46df5863c2d90443f5b086293fa3cc272101605cb0849cf1036c24403ef7
SHA512: efb4cb0fd9e052cc06c4130953a18f1749265de0f89b419891dd8040b910a19fd905e95158eaa3022d510fd5fccebe4537ad9dd8267e0247cea3f5f5c9d5ee6b

Filesize: 3KB
MD5: fe90b10df5b73fc8ac035206ace8a33c
SHA1: 157a6b8e4c146582c7f52288a1a0a200a5959511
SHA256: 5fd08c95e0026cd1acb8ed155bd1a48c38a9a7bd8a0a886019b31671aadb8307
SHA512: ce808433eb0109e81898ad03674a13df0edd1c25e8cf410f88e72c0bdba1dbd2c7d6deaf5c7ce43d0dce064047b082fb94dd9d73efef85be9fdd3cb383559227

Filesize: 6KB
MD5: d2eee7085d62ed446b82371cccab1141
SHA1: aa8b61f79657833cf0d985d9bb15b5a45de23cd9
SHA256: ef198b1df277a0ec871bdcbbbfe974bee11cb5296c118068190d549a6be66ddc
SHA512: 26b1c2bdb970acd27da31a81aaa55ab518610d634b0f30025b866cf0d5c3f7f3edb5319d51234eff4bdfb3ca78b6b09c3b91c23c89a286395f7b7c830f4aeab9

Filesize: 6KB
MD5: 53e157f735a842d16f7647b651f3591c
SHA1: 668be626e94af8bd6786ab8862e54f4fc0217347
SHA256: 6d02a855c856b5160835c516847793a5fa024f5229ae7926837b4e0777261f26
SHA512: 5ef7443bbffabd41e814b0d3f9c8735a6c8dfaa04e86cd9c3b30731ea86e059521cac74bd81c42aa4cfc08670224637017ce3de80e3703bd99939b7667d9e23a

Filesize: 7KB
MD5: 4641af05224a3969a4b7099424c5d93a
SHA1: bca79b79f823ef77ebd24e092aec8759dd7894f1
SHA256: 07d5e9be3161ef1d9ec526cb65089e3ac54589c7f31189b4d7955e9a4146785c
SHA512: 55f260fc92355415348b68cf9014f9bec349c91cd1d4aa60cb5a3100dd2fbb832db38f88fc9a7781fbfc7d18b4d7b33011eeef691c255494b31d380135160929

Filesize: 1KB
MD5: c0ac74f6fb302af5d698f46a3996c4d2
SHA1: 63e5e6c9b902c821fdd7e81f0e268a5895209562
SHA256: 3e1d1afedaab479ffcccaffa9b776fc75ba0a0221ffcebca64e0efd54501717c
SHA512: f08f3f44966428b9f4058626ec67f4f9d01a1977b7813ec9d17dfd4f25d631b5328227e5e91e5ae9862a0f7ef852a9d741a233212da7f99aea7eb962985d16e7

Filesize: 1KB
MD5: 750a1465846ee52a1d1223459e8c254f
SHA1: d2e82ffde46b1cb4dcbc585b910217200e6ed41a
SHA256: b724fa554542c9729bd5797d0aff0fe2469cf4af3ac29f9df2e55efdaeb835a6
SHA512: 5f8cc0f720eb45623042b94b438e0bca01b135ce73454699f874c9e660cb93d999a12c18df1d7698b414a400e1d7c2922571c34ec75bf4b5148282fcdbab1342

Filesize: 445KB
MD5: bafc8ae6d614454262f51262c49c060c
SHA1: eae43e542945435e0a06a8bd25071728ed4fbd87
SHA256: 715265f38ae0a15c28fefce19b1f7e5a64e6002ee45339f2dbe8460d9b5a4da0
SHA512: e12375d3d0f4c869dd9328bbabad3a3e86004a62a17536f28f36bcabcd70304a4de644bd5eee278c8ff24d2040746e376c5a3769492ed7f8973c8c03a65dc708

Filesize: 78KB
MD5: 69654e44a4f435755ed6b64e5eb980ba
SHA1: e2e20eb143699fb81683fe9ec9d09839c99bdeb4
SHA256: a509124bcc5751e5f622b4450d44e2434881b20c3c5046f9fd859e5cc2af5474
SHA512: b49b5dacfea9836602b134f63a3e24c86808771dbe2d6781f2061adb3677aa54d07ced5fe7aa7137b02460854d447459c9610a6a04a8f1de6ae4deb26b14baea