Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

5

Static

static

1

AnyDesk (1).exe

windows10-1703-x64

5

Analysis

  • max time kernel
    150s
  • max time network
    155s
  • platform
    windows10-1703_x64
  • resource
    win10-20231215-en
  • resource tags

    arch:x64arch:x86image:win10-20231215-enlocale:en-usos:windows10-1703-x64system
  • submitted
    10/02/2024, 22:33

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    AnyDesk (1).exe

  • Size

    5.0MB

  • MD5

    a21768190f3b9feae33aaef660cb7a83

  • SHA1

    24780657328783ef50ae0964b23288e68841a421

  • SHA256

    55e4ce3fe726043070ecd7de5a74b2459ea8bed19ef2a36ce7884b2ab0863047

  • SHA512

    ca6da822072cb0d3797221e578780b19c8953e4207729a002a64a00ced134059c0ed21b02572c43924e4ba3930c0e88cd2cdb309259e3d0dcfb0c282f1832d62

  • SSDEEP

    98304:NzTZ3cINQscs0m++LNkT6OpwDGUUH57yvZ/49Mr8EO3QhA9Kq:Nzt3cINQscNmvLCwDkHEvZ/4R79x

Score
5/10

Malware Config

Signatures

  • Drops file in System32 directory 15 IoCs
  • Drops file in Windows directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies registry class 1 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Suspicious use of FindShellTrayWindow 64 IoCs
  • Suspicious use of SendNotifyMessage 64 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\AnyDesk (1).exe
    "C:\Users\Admin\AppData\Local\Temp\AnyDesk (1).exe"
    1⤵
    • Checks processor information in registry
    • Suspicious use of WriteProcessMemory
    PID:164
    • C:\Users\Admin\AppData\Local\Temp\AnyDesk (1).exe
      "C:\Users\Admin\AppData\Local\Temp\AnyDesk (1).exe" --local-service
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3188
      • C:\Users\Admin\AppData\Local\Temp\AnyDesk (1).exe
        "C:\Users\Admin\AppData\Local\Temp\AnyDesk (1).exe" --backend
        3⤵
        • Drops file in System32 directory
        • Suspicious use of SetWindowsHookEx
        PID:1976
    • C:\Users\Admin\AppData\Local\Temp\AnyDesk (1).exe
      "C:\Users\Admin\AppData\Local\Temp\AnyDesk (1).exe" --local-control
      2⤵
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:296
  • C:\Windows\system32\AUDIODG.EXE
    C:\Windows\system32\AUDIODG.EXE 0x3b4
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:4900
  • C:\Windows\system32\taskmgr.exe
    "C:\Windows\system32\taskmgr.exe" /4
    1⤵
    • Drops file in Windows directory
    • Checks SCSI registry key(s)
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    PID:2996
  • C:\Windows\System32\rundll32.exe
    C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
    1⤵
      PID:3024
    • C:\Windows\System32\8os4du.exe
      "C:\Windows\System32\8os4du.exe" C:\Windows\System32\64l3l2m7kforq.exe
      1⤵
        PID:2624

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\gcapi.dll
        Filesize

        385KB

        MD5

        1ce7d5a1566c8c449d0f6772a8c27900

        SHA1

        60854185f6338e1bfc7497fd41aa44c5c00d8f85

        SHA256

        73170761d6776c0debacfbbc61b6988cb8270a20174bf5c049768a264bb8ffaf

        SHA512

        7e3411be8614170ae91db1626c452997dc6db663d79130872a124af982ee1d457cefba00abd7f5269adce3052403be31238aecc3934c7379d224cb792d519753

        Download Submit

      • C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace
        Filesize

        9KB

        MD5

        5ecc6c0d8b5ba387b67823e8cbe98148

        SHA1

        e2cd9b7598dc13ed5ffb1146947c8293fa87a12c

        SHA256

        ce781fbf2a3a7c8f0e0e5532df2bb6d4ac6bf8564121c62d2124dff315026c4a

        SHA512

        5756bdfc50ca93b06454c7effdd3f5d9540379be41d16d5cfdf69789e794a10bd2efaf1aa6bec986d32e7ad8422e03491aa1064c3f8d8baf0d4b391fe5c02cdd

        Download Submit

      • C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace
        Filesize

        38KB

        MD5

        7d4c98b078e087b47092c799852057b4

        SHA1

        f961ed32d308baed400a0f554ef88327d1a95a18

        SHA256

        fd66b3e2248aeaa311e50c214da567ea098a315dcf8706c74785e5db4e552917

        SHA512

        db50509e5a743fc51349f06444d7ca32ab85cde25e021003b26f5c2bc388190eedc8cc9705699f5d77b8c19fe924cfbab354391a57d581dc56ea6debc79f8049

        Download Submit

      • C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace
        Filesize

        8KB

        MD5

        f2103a393d391c6d9dcc9df44b83306f

        SHA1

        bb71e6b9421ed6809e7a4e2dc7c78389c3302874

        SHA256

        311277cdf95e8deac3d2bad8271024feaa8544f7893d81bf3ed147e608a24a10

        SHA512

        9a8de11bc60b1b58388b8e2022592db4cd2670c66371e6b244aec021e0ebc20c71f2c7155455a829fd40e2b0a7bedbe31c28136c69c64f04d5fdbdd3dd89d1a2

        Download Submit

      • C:\Users\Admin\AppData\Roaming\AnyDesk\service.conf
        Filesize

        2KB

        MD5

        1730a3d40b78599206608f9fdc8e97b8

        SHA1

        9d84ebc49bb8b7e633a58750b6899fb2e098d7cd

        SHA256

        409fca0809c866dc80d69a677b8e3459c93ff455e9cca6b283000cb71519db53

        SHA512

        5a0aff57131a4c509bc91c51228c4554837f8cc410c5b439eb2a3a3e156ce7ebdb585a78787fa39b95b47b0d2c6cff4d736fc735bcbbfe48baadcf5e78ff39ca

        Download Submit

      • C:\Users\Admin\AppData\Roaming\AnyDesk\service.conf
        Filesize

        2KB

        MD5

        5375790ab5b40d331385788b3006152e

        SHA1

        1b2aef2a87a9c7644f116fda53b6a1e058c0d9e2

        SHA256

        522b614b4e1b4635292cc139cdbcf40e6f3fe1825461b47055e0326fbac92700

        SHA512

        61b8c886d13390cbdbf14d33237b64212bfe883ad2d6cff12b4e3e29e18e570d2fd10bc4d1dbee365c4df3370af7265f407a6e2411a0aa5e7bb9de719fb6cdc2

        Download Submit

      • C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf
        Filesize

        612B

        MD5

        bf311eae454ccbf76e176e27104f6c14

        SHA1

        c367b0d46db5e57e7a978925c4a11acf406cc746

        SHA256

        50489d09fe57b6e8f0bbf14a061335cd70d85feb9eb3f6c5475d56620e7077f9

        SHA512

        48cfcd339b655fff38fd4147fa01ae625d3dc33078f7deb67e076128fb9013a58aaab1410a5072f2a85b0fe0178717b0bbde7690b7338fb68cbe4ca00a505194

        Download Submit

      • C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf
        Filesize

        681B

        MD5

        9c013e4aa723c01fb00fe3270b38b3ee

        SHA1

        f554d8fe263469fb1ec604a35146c81178d8d153

        SHA256

        e9500361b769a34ccdf81b667bd9547e49dc2c11477eac64c8693e7970258f20

        SHA512

        867237698d5d12d02f64f4855bd722a926f407b1047fb88e393cb30ab62c2bf4ea5879f26f2f9b812417392e47411644db1a0522606c3dd5ae8797e2023df1ca

        Download Submit

      • C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf
        Filesize

        802B

        MD5

        51323b05c1e63d85146255b99f97e9e5

        SHA1

        43ee6bac1726a49cda198630808015c0fb8f3430

        SHA256

        b2d44f3d30383bd51afc216e85ac90692be1c28e318a6a9449a9d774b3f94e59

        SHA512

        d53fca4c9fd81e959b40b3620b94cabccf72bb3e045d9bf14270a37e391165377fe545a5d22125d5efbef1bb94ea9f88ed9838baa7616d92c1ab2722bf8c1f7f

        Download Submit

      • C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf
        Filesize

        312B

        MD5

        0c04ad1083dc5c7c45e3ee2cd344ae38

        SHA1

        f1cf190f8ca93000e56d49732e9e827e2554c46f

        SHA256

        6452273c017db7cbe0ffc5b109bbf3f8d3282fb91bfa3c5eabc4fb8f1fc98cb0

        SHA512

        6c414b39bbc1f1f08446c6c6da6f6e1ceb9303bbf183ae279c872d91641ea8d67ec5e5c4e0824da3837eca73ec29fe70e92b72c09458c8ce50fa6f08791d1492

        Download Submit

      • C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf
        Filesize

        424B

        MD5

        69af9f9511f42b0741a385f6f217d30c

        SHA1

        49d218f65ed512cca35f269fd4f2dacf9cc76227

        SHA256

        a5f772235a9752342cc7c4ee6f9b5cd3c8cb3219d7ccabaf65c5797a54ef101c

        SHA512

        dd46dbb6a1e3b6ca682bca0a16eabb8541bca1d91b49dfb058fe706dfd46dce0f5dbde84067ab127f85088685545571fbccc02111ddffacdb71305a724deec4d

        Download Submit

      • C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf
        Filesize

        424B

        MD5

        7e26418f0f7221f6464352d18ddb1d9b

        SHA1

        dcf0cf02dac248a6dc16957ca11e08de61ad0806

        SHA256

        96141cedfdf3f9447edc58c6f05efc38adc0aa47921b3c051ad43557e2be6169

        SHA512

        f5aee0278767363a6f60a875eadd17a11d0bf95469275ec1fb5272811b801bae801242c1629c5bd61eee2e74704392af0f0c71daba0b04779ba364deacdc3f7d

        Download Submit

      • C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf
        Filesize

        2KB

        MD5

        0c6b8053c91b8b3c525b657f26004e14

        SHA1

        ab7bed72dd49db2428901f9d8068a5cbc11b544c

        SHA256

        f5cc2bf8e0c06074f0dcd9ac381eeed77c143c03d9cd1020d6158f8d89bea059

        SHA512

        7ca8edab5708968302158540089abb9e4a01d395c416db4507a509d6817fcc6c41b39caba29001f10d816b4bb084b92a9f5580655616497cd3b5daf9cd37036b

        Download Submit

      • C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf
        Filesize

        3KB

        MD5

        178ab53315fc44c845d59dcc5e8686da

        SHA1

        3dbc93a3ebe0c79e5caea030c4815425e152d268

        SHA256

        52c9039f38cbf3b9d324eb21e4c783315c1417f4d0c4cbadb93cf3ab3e68ce8e

        SHA512

        60e97188efe15ac83e01f520cbdd480ac04b8f8d8b8cb4a5240f0b98010ffa5005fbc8610785632c97727df9e0e45e3883bbb5463cf80f5286b681dd3af6ce7b

        Download Submit

      • C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf
        Filesize

        1KB

        MD5

        a48f8a7fe33c5bcff6db0b0574acd6f4

        SHA1

        a9d58884439d79d68cb5111af5d05990f74b15ba

        SHA256

        466ecf02675d85e3546a2bb12e85511975d223395375a3258dc40eb100f668ad

        SHA512

        94cea1bfa4bdafaa11caa778196ba2438ec0dba58279cc180f31f85d04e6422cf21351d21df8b03cb74c8a77c39b8f95bad0c6abd1c1c79bb26861b6a5b7aae7

        Download Submit

      • C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf
        Filesize

        6KB

        MD5

        97591a325c5404528350a783070adb5b

        SHA1

        f5c0bd5b466add337471c3d09620b32eb56baf45

        SHA256

        a8fe1b9af4ef9a882a6050b5b294d662b57a97a562f7c6761c19db70ffa27c0e

        SHA512

        8c7319cd65fc860e5435b8adef26d87adffdec7beef195a02d502d25e9137535517b64928943c20e2437e64f93fb93f38ce9fe4022325fdd62db2c8e871589e3

        Download Submit

      • C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf
        Filesize

        6KB

        MD5

        6f6544737f46fd0a3ace796e45ce1f4d

        SHA1

        533cffc7f688baef76e90aad5262e0d92693a447

        SHA256

        1fe975802ccece44a280b08e83fcae84e6ddb594f61f618727a3608e8bf6d7eb

        SHA512

        1f8a975d9ec30b3cc949ff2a9b89f00fd13d8dc5d59080f860c8491086168e340f044def8c18406a25dfbc4b6669ab2c5c3b261eeeb0bfe795d9fbd3e97d74eb

        Download Submit

      • C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf
        Filesize

        7KB

        MD5

        38856d78b74af282e7a2ad450a846c7d

        SHA1

        4662551ab548ace28e11d5e53f1b8d06ecbd9e7e

        SHA256

        0e04f1f5b5a8ae7e78d4fc7cc90eccad2f6ffa9efbe960db5dca37ea3f1203ce

        SHA512

        03b736f781459a08255b053d1a114547b80e35eef1f421d7762c6e99a1cd907d60bdafe9331a1c03b674164b273aa855b99d0655c8f8e44384cfd9d73939aa6c

        Download Submit

      • C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf
        Filesize

        1KB

        MD5

        d00c47358f7bdf2a3e264da66c464164

        SHA1

        ff3d41d4811c51fd8daa7b7087d5916345817c50

        SHA256

        cb02a80fab1745b6c0b1ba40fe6890f77458e63a34bc993a6f30f40ac362c260

        SHA512

        d3e202ab5dfc80c12eb340e184140c3fcdbd8b227fee5b2d48ff58943adabeb3f66c5d4fe0a05018ab0cf4fad7e890cc9db989d0325cbe511a3b35ba8cee3952

        Download Submit

      • memory/164-106-0x0000000007E40000-0x0000000007E41000-memory.dmp

        Filesize

        4KB

        Download

      • memory/164-241-0x0000000000110000-0x0000000001847000-memory.dmp

        Filesize

        23.2MB

        Download

      • memory/164-22-0x0000000005980000-0x0000000005981000-memory.dmp

        Filesize

        4KB

        Download

      • memory/164-119-0x0000000006FF0000-0x0000000006FF1000-memory.dmp

        Filesize

        4KB

        Download

      • memory/164-0-0x0000000000110000-0x0000000001847000-memory.dmp

        Filesize

        23.2MB

        Download

      • memory/164-4-0x0000000002380000-0x0000000002381000-memory.dmp

        Filesize

        4KB

        Download

      • memory/164-242-0x0000000007000000-0x0000000007001000-memory.dmp

        Filesize

        4KB

        Download

      • memory/164-1-0x0000000000110000-0x0000000001847000-memory.dmp

        Filesize

        23.2MB

        Download

      • memory/164-23-0x0000000005990000-0x0000000005991000-memory.dmp

        Filesize

        4KB

        Download

      • memory/296-19-0x0000000000110000-0x0000000001847000-memory.dmp

        Filesize

        23.2MB

        Download

      • memory/296-341-0x0000000000110000-0x0000000001847000-memory.dmp

        Filesize

        23.2MB

        Download

      • memory/296-337-0x0000000000110000-0x0000000001847000-memory.dmp

        Filesize

        23.2MB

        Download

      • memory/296-244-0x0000000000110000-0x0000000001847000-memory.dmp

        Filesize

        23.2MB

        Download

      • memory/296-331-0x0000000000110000-0x0000000001847000-memory.dmp

        Filesize

        23.2MB

        Download

      • memory/296-305-0x0000000000110000-0x0000000001847000-memory.dmp

        Filesize

        23.2MB

        Download

      • memory/296-345-0x0000000000110000-0x0000000001847000-memory.dmp

        Filesize

        23.2MB

        Download

      • memory/296-291-0x0000000000110000-0x0000000001847000-memory.dmp

        Filesize

        23.2MB

        Download

      • memory/296-33-0x0000000001C90000-0x0000000001C91000-memory.dmp

        Filesize

        4KB

        Download

      • memory/1976-261-0x0000000005950000-0x0000000005951000-memory.dmp

        Filesize

        4KB

        Download

      • memory/1976-276-0x0000000005A70000-0x0000000005A71000-memory.dmp

        Filesize

        4KB

        Download

      • memory/1976-259-0x0000000005780000-0x0000000005781000-memory.dmp

        Filesize

        4KB

        Download

      • memory/1976-262-0x0000000005960000-0x0000000005961000-memory.dmp

        Filesize

        4KB

        Download

      • memory/1976-263-0x0000000005980000-0x0000000005981000-memory.dmp

        Filesize

        4KB

        Download

      • memory/1976-264-0x0000000005990000-0x0000000005991000-memory.dmp

        Filesize

        4KB

        Download

      • memory/1976-265-0x00000000059A0000-0x00000000059A1000-memory.dmp

        Filesize

        4KB

        Download

      • memory/1976-267-0x00000000059E0000-0x00000000059E1000-memory.dmp

        Filesize

        4KB

        Download

      • memory/1976-266-0x00000000059D0000-0x00000000059D1000-memory.dmp

        Filesize

        4KB

        Download

      • memory/1976-268-0x00000000059F0000-0x00000000059F1000-memory.dmp

        Filesize

        4KB

        Download

      • memory/1976-269-0x0000000005A00000-0x0000000005A01000-memory.dmp

        Filesize

        4KB

        Download

      • memory/1976-271-0x0000000005A20000-0x0000000005A21000-memory.dmp

        Filesize

        4KB

        Download

      • memory/1976-272-0x0000000005A30000-0x0000000005A31000-memory.dmp

        Filesize

        4KB

        Download

      • memory/1976-273-0x0000000005A40000-0x0000000005A41000-memory.dmp

        Filesize

        4KB

        Download

      • memory/1976-270-0x0000000005A10000-0x0000000005A11000-memory.dmp

        Filesize

        4KB

        Download

      • memory/1976-274-0x0000000005A50000-0x0000000005A51000-memory.dmp

        Filesize

        4KB

        Download

      • memory/1976-275-0x0000000005A60000-0x0000000005A61000-memory.dmp

        Filesize

        4KB

        Download

      • memory/1976-277-0x0000000005A80000-0x0000000005A81000-memory.dmp

        Filesize

        4KB

        Download

      • memory/1976-278-0x0000000005A90000-0x0000000005A91000-memory.dmp

        Filesize

        4KB

        Download

      • memory/1976-280-0x0000000005AB0000-0x0000000005AB1000-memory.dmp

        Filesize

        4KB

        Download

      • memory/1976-279-0x0000000005AA0000-0x0000000005AA1000-memory.dmp

        Filesize

        4KB

        Download

      • memory/1976-260-0x00000000057C0000-0x00000000057C1000-memory.dmp

        Filesize

        4KB

        Download

      • memory/1976-281-0x00000000057A0000-0x00000000057A1000-memory.dmp

        Filesize

        4KB

        Download

      • memory/1976-282-0x00000000059C0000-0x00000000059C1000-memory.dmp

        Filesize

        4KB

        Download

      • memory/1976-254-0x00000000020D0000-0x00000000020D1000-memory.dmp

        Filesize

        4KB

        Download

      • memory/1976-289-0x0000000000110000-0x0000000001847000-memory.dmp

        Filesize

        23.2MB

        Download

      • memory/1976-335-0x0000000000110000-0x0000000001847000-memory.dmp

        Filesize

        23.2MB

        Download

      • memory/1976-333-0x0000000001D80000-0x0000000001D81000-memory.dmp

        Filesize

        4KB

        Download

      • memory/1976-293-0x0000000005CF0000-0x0000000005CF1000-memory.dmp

        Filesize

        4KB

        Download

      • memory/1976-294-0x0000000000110000-0x0000000001847000-memory.dmp

        Filesize

        23.2MB

        Download

      • memory/1976-248-0x0000000000110000-0x0000000001847000-memory.dmp

        Filesize

        23.2MB

        Download

      • memory/1976-326-0x0000000001D10000-0x0000000001D11000-memory.dmp

        Filesize

        4KB

        Download

      • memory/1976-328-0x0000000000110000-0x0000000001847000-memory.dmp

        Filesize

        23.2MB

        Download

      • memory/1976-329-0x0000000001D30000-0x0000000001D31000-memory.dmp

        Filesize

        4KB

        Download

      • memory/1976-246-0x0000000000110000-0x0000000001847000-memory.dmp

        Filesize

        23.2MB

        Download

      • memory/1976-332-0x0000000001D60000-0x0000000001D61000-memory.dmp

        Filesize

        4KB

        Download

      • memory/3188-330-0x0000000000110000-0x0000000001847000-memory.dmp

        Filesize

        23.2MB

        Download

      • memory/3188-251-0x0000000000110000-0x0000000001847000-memory.dmp

        Filesize

        23.2MB

        Download

      • memory/3188-290-0x0000000000110000-0x0000000001847000-memory.dmp

        Filesize

        23.2MB

        Download

      • memory/3188-336-0x0000000000110000-0x0000000001847000-memory.dmp

        Filesize

        23.2MB

        Download

      • memory/3188-243-0x0000000000110000-0x0000000001847000-memory.dmp

        Filesize

        23.2MB

        Download

      • memory/3188-340-0x0000000000110000-0x0000000001847000-memory.dmp

        Filesize

        23.2MB

        Download

      • memory/3188-32-0x00000000038E0000-0x00000000038E1000-memory.dmp

        Filesize

        4KB

        Download

      • memory/3188-12-0x0000000000110000-0x0000000001847000-memory.dmp

        Filesize

        23.2MB

        Download