Analysis

max time kernel: 150s
max time network: 155s
platform: windows10-1703_x64
resource: win10-20231215-en
resource tags: arch:x64, arch:x86, image:win10-20231215-en, locale:en-us, os:windows10-1703-x64, system
submitted: 10/02/2024, 22:33

Static task: static1
Behavioral task: behavioral1
Sample: AnyDesk (1).exe
Resource: win10-20231215-en

General

Target: AnyDesk (1).exe
Size: 5.0MB
MD5: a21768190f3b9feae33aaef660cb7a83
SHA1: 24780657328783ef50ae0964b23288e68841a421
SHA256: 55e4ce3fe726043070ecd7de5a74b2459ea8bed19ef2a36ce7884b2ab0863047
SHA512: ca6da822072cb0d3797221e578780b19c8953e4207729a002a64a00ced134059c0ed21b02572c43924e4ba3930c0e88cd2cdb309259e3d0dcfb0c282f1832d62
SSDEEP: 98304:NzTZ3cINQscs0m++LNkT6OpwDGUUH57yvZ/49Mr8EO3QhA9Kq:Nzt3cINQscNmvLCwDkHEvZ/4R79x
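Before the behaviour recorded below is read into an investigation, confirm that the file in hand is the one tria.ge detonated. The script that follows is an added example, not part of the tria.ge report and not AnyDesk code: it recomputes MD5, SHA-1, SHA-256 and SHA-512 in a single pass over the file and compares them with the values listed in the General section (copied into REPORT_HASHES). It also checks that each expected value has the right hex length, which catches a digest that was truncated while being copied out of a report. The file path on the command line is a placeholder; SSDEEP needs a third-party library and is left out.

```python
"""Added example (not from the tria.ge report): verify a sample against the
digests a sandbox report lists.  Expected values below are copied from the
report's General section; the path given on the command line is an
assumption made for the example."""
import hashlib
from typing import Dict, Iterable, Iterator

REPORT_HASHES: Dict[str, str] = {
    "md5":    "a21768190f3b9feae33aaef660cb7a83",
    "sha1":   "24780657328783ef50ae0964b23288e68841a421",
    "sha256": "55e4ce3fe726043070ecd7de5a74b2459ea8bed19ef2a36ce7884b2ab0863047",
    "sha512": "ca6da822072cb0d3797221e578780b19c8953e4207729a002a64a00ced134059"
              "c0ed21b02572c43924e4ba3930c0e88cd2cdb309259e3d0dcfb0c282f1832d62",
}

# Hex-digest length per algorithm; a value of the wrong length was truncated or mislabelled.
DIGEST_HEX_LEN = {"md5": 32, "sha1": 40, "sha256": 64, "sha512": 128}
_HEX = set("0123456789abcdefABCDEF")


def check_expected(expected: Dict[str, str]) -> Dict[str, bool]:
    """True per algorithm when the expected value is hex of the documented length."""
    return {
        algo: (DIGEST_HEX_LEN.get(algo) == len(value) and all(c in _HEX for c in value))
        for algo, value in expected.items()
    }


def multi_hash(chunks: Iterable[bytes],
               algos=("md5", "sha1", "sha256", "sha512")) -> Dict[str, str]:
    """Feed every chunk to all digests at once, so a large sample is read only once."""
    hashers = {a: hashlib.new(a) for a in algos}
    for chunk in chunks:
        for h in hashers.values():
            h.update(chunk)
    return {a: h.hexdigest() for a, h in hashers.items()}


def read_chunks(path: str, size: int = 1 << 20) -> Iterator[bytes]:
    """Stream a file in 1 MiB pieces instead of loading it whole."""
    with open(path, "rb") as f:
        while True:
            chunk = f.read(size)
            if not chunk:
                return
            yield chunk


def compare(computed: Dict[str, str], expected: Dict[str, str]) -> Dict[str, bool]:
    """Case-insensitive per-algorithm match; an algorithm present on one side only counts as a mismatch."""
    return {
        a: computed.get(a, "").lower() == expected.get(a, "").lower()
        for a in sorted(set(computed) | set(expected))
    }


def verify_file(path: str, expected: Dict[str, str] = REPORT_HASHES) -> Dict[str, bool]:
    """Hash the file with exactly the algorithms the report lists and compare."""
    return compare(multi_hash(read_chunks(path), tuple(expected)), expected)


if __name__ == "__main__":
    import sys
    # usage: python verify_hashes.py "AnyDesk (1).exe"   (path is a placeholder)
    result = verify_file(sys.argv[1])
    for algo, ok in result.items():
        print(f"{algo:<6} {'match' if ok else 'MISMATCH'}")
    sys.exit(0 if all(result.values()) else 1)
```

A mismatch on any one algorithm means the file is not the analysed sample, whatever the other digests say; the comparison is deliberately all-or-nothing for that reason.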
Malware Config
Signatures

Drops file in System32 directory (15 IoCs)
  Process: AnyDesk (1).exe. All 15 entries are "File opened for modification" on files in
  C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\ (the SYSTEM profile's Explorer icon cache):
  iconcache_16.db, iconcache_32.db, iconcache_768.db, iconcache_1280.db, iconcache_1920.db, iconcache_2560.db,
  iconcache_sr.db, iconcache_exif.db, iconcache_idx.db, iconcache_96.db, iconcache_48.db, iconcache_256.db,
  iconcache_custom_stream.db, iconcache_wide.db, iconcache_wide_alternate.db

Drops file in Windows directory (2 IoCs)
  Process: taskmgr.exe (not the sample)
  File created  C:\Windows\rescache\_merged\1601268389\3877292338.pri
  File created  C:\Windows\rescache\_merged\4183903823\810424605.pri

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).

Checks SCSI registry key(s) (3 TTPs, 3 IoCs)
  SCSI information is often read in order to detect sandboxing environments.
  Process: taskmgr.exe (not the sample)
  Key opened         \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000
  Key opened         \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A
  Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName

Checks processor information in registry (2 TTPs, 2 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  Process: AnyDesk (1).exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString
  Key opened         \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0

Modifies registry class (1 IoC)
  Process: taskmgr.exe (not the sample)
  Key created  \REGISTRY\USER\S-1-5-21-1968775928-2924269989-3510977013-1000_Classes\Local Settings

Suspicious behavior: AddClipboardFormatListener (1 IoC)
  PID 296   AnyDesk (1).exe

Suspicious behavior: EnumeratesProcesses (64 IoCs)
  PID 3188  AnyDesk (1).exe  (6 entries listed)
  PID 2996  taskmgr.exe      (58 entries listed)

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  PID 2996  taskmgr.exe

Suspicious use of AdjustPrivilegeToken (6 IoCs)
  Token: SeDebugPrivilege                                PID 3188  AnyDesk (1).exe
  Token: 33 (LUID 33 = SeIncreaseWorkingSetPrivilege)    PID 4900  AUDIODG.EXE
  Token: SeIncBasePriorityPrivilege                      PID 4900  AUDIODG.EXE
  Token: SeDebugPrivilege                                PID 2996  taskmgr.exe
  Token: SeSystemProfilePrivilege                        PID 2996  taskmgr.exe
  Token: SeCreateGlobalPrivilege                         PID 2996  taskmgr.exe

Suspicious use of FindShellTrayWindow (64 IoCs)
  PID 296   AnyDesk (1).exe  (6 entries listed)
  PID 2996  taskmgr.exe      (58 entries listed)

Suspicious use of SendNotifyMessage (64 IoCs)
  PID 296   AnyDesk (1).exe  (6 entries listed)
  PID 2996  taskmgr.exe      (58 entries listed)

Suspicious use of SetWindowsHookEx (2 IoCs)
  PID 1976  AnyDesk (1).exe  (2 entries listed)

Suspicious use of WriteProcessMemory (6 IoCs)
  writer PID  target PID  writer process    procid_target
  164         3188        AnyDesk (1).exe   71   (listed 3 times)
  164         296         AnyDesk (1).exe   72   (listed 3 times)
  Both targets are direct children of PID 164 (see the process tree below).
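The signature tables above arrive flattened onto single lines, which hides the detail that matters most when reading them: which process produced each IoC. Of the signatures that tria.ge annotates as sandbox-detection behaviour, the SCSI registry reads, the registry-class change and the files under C:\Windows\rescache all come from taskmgr.exe (PID 2996), a Windows component that ran as a root process of its own; the sample accounts only for the ProcessorNameString read and the icon-cache files. The script below is an added example, not tria.ge code: it parses the flattened rows back into (description, ioc, process) records and tallies them per process. The rows are transcribed from this report, and the description and process vocabularies are only the ones that appear on this page, so a report with other signature types would need them extended.

```python
"""Added example (not from the tria.ge report): recover structured IoC rows
from the flattened signature tables and attribute each to its process.
Input rows are transcribed from the report; the DESCRIPTIONS and PROCESSES
lists are the vocabulary seen on this page and nothing more."""
import re
from collections import Counter
from typing import Dict, List, Tuple

# Descriptions and process names exactly as the report prints them.
DESCRIPTIONS = ["File opened for modification", "File created",
                "Key value queried", "Key opened", "Key created"]
PROCESSES = ["AnyDesk (1).exe", "taskmgr.exe"]

_DESC_ALT = "|".join(re.escape(d) for d in sorted(DESCRIPTIONS, key=len, reverse=True))
_PROC_ALT = "|".join(re.escape(p) for p in PROCESSES)
# A row is: <description> <ioc, may contain spaces> <process name>.  The IoC is
# matched lazily, so it ends at the first process name that follows it.
_ROW = re.compile(rf"(?P<desc>{_DESC_ALT})\s+(?P<ioc>.+?)\s+(?P<proc>{_PROC_ALT})(?=\s|$)")


def parse_rows(flat: str) -> List[Tuple[str, str, str]]:
    """Return (description, ioc, process) triples found in one flattened table."""
    return [(m.group("desc"), m.group("ioc"), m.group("proc")) for m in _ROW.finditer(flat)]


# Flattened tables copied from the report (constructed input for this example).
REPORT: Dict[str, str] = {
    "Checks SCSI registry key(s)":
        r"Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 taskmgr.exe "
        r"Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A taskmgr.exe "
        r"Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName taskmgr.exe",
    "Checks processor information in registry":
        r"Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString AnyDesk (1).exe "
        r"Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 AnyDesk (1).exe",
    "Modifies registry class":
        r"Key created \REGISTRY\USER\S-1-5-21-1968775928-2924269989-3510977013-1000_Classes\Local Settings taskmgr.exe",
    "Drops file in Windows directory":
        r"File created C:\Windows\rescache\_merged\1601268389\3877292338.pri taskmgr.exe "
        r"File created C:\Windows\rescache\_merged\4183903823\810424605.pri taskmgr.exe",
}


def attribute(report: Dict[str, str]) -> Dict[str, Dict[str, int]]:
    """signature name -> {process name: number of IoCs it produced}"""
    return {sig: dict(Counter(proc for _, _, proc in parse_rows(flat)))
            for sig, flat in report.items()}


def triggered_by(report: Dict[str, str], process: str) -> List[str]:
    """Signatures with at least one IoC produced by `process`, in report order."""
    return [sig for sig, counts in attribute(report).items() if counts.get(process)]


if __name__ == "__main__":
    for sig, counts in attribute(REPORT).items():
        print(f"{sig}: {counts}")
    print("sample-only signatures:", triggered_by(REPORT, "AnyDesk (1).exe"))
```

Run on the rows above, the tally leaves the sample with a single signature (the processor-information read) and puts the rest on taskmgr.exe; that is the split to establish before calling any of this evasion.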
Processes

C:\Users\Admin\AppData\Local\Temp\AnyDesk (1).exe   PID 164
  cmdline: "C:\Users\Admin\AppData\Local\Temp\AnyDesk (1).exe"
  - Checks processor information in registry
  - Suspicious use of WriteProcessMemory
  |
  +-- C:\Users\Admin\AppData\Local\Temp\AnyDesk (1).exe   PID 3188
  |     cmdline: "C:\Users\Admin\AppData\Local\Temp\AnyDesk (1).exe" --local-service
  |     - Suspicious behavior: EnumeratesProcesses
  |     - Suspicious use of AdjustPrivilegeToken
  |     |
  |     +-- C:\Users\Admin\AppData\Local\Temp\AnyDesk (1).exe   PID 1976
  |           cmdline: "C:\Users\Admin\AppData\Local\Temp\AnyDesk (1).exe" --backend
  |           - Drops file in System32 directory
  |           - Suspicious use of SetWindowsHookEx
  |
  +-- C:\Users\Admin\AppData\Local\Temp\AnyDesk (1).exe   PID 296
        cmdline: "C:\Users\Admin\AppData\Local\Temp\AnyDesk (1).exe" --local-control
        - Suspicious behavior: AddClipboardFormatListener
        - Suspicious use of FindShellTrayWindow
        - Suspicious use of SendNotifyMessage

The following processes are listed at depth 1, i.e. as roots of their own trees and not as children of the sample:

C:\Windows\system32\AUDIODG.EXE   PID 4900
  cmdline: C:\Windows\system32\AUDIODG.EXE 0x3b4
  - Suspicious use of AdjustPrivilegeToken

C:\Windows\system32\taskmgr.exe   PID 2996
  cmdline: "C:\Windows\system32\taskmgr.exe" /4
  - Drops file in Windows directory
  - Checks SCSI registry key(s)
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage

C:\Windows\System32\rundll32.exe   PID 3024
  cmdline: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

C:\Windows\System32\8os4du.exe   PID 2624
  cmdline: "C:\Windows\System32\8os4du.exe" C:\Windows\System32\64l3l2m7kforq.exe
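The process list above is depth-annotated (the digit before each ⤵ is the nesting level) and the WriteProcessMemory signature records which process wrote into which. Cross-checking the two is the quickest way to separate a parent preparing a child it has just created, which is what the report shows (PID 164 writing into PIDs 3188 and 296, both its direct children), from a write into an unrelated process, which is the injection case worth escalating. The code below is an added example and not anything from tria.ge: the rows are transcribed from the report, and the parent/ancestor/unrelated classification is this example's own.

```python
"""Added example (not from the tria.ge report): rebuild the process tree
from depth-annotated rows and check every WriteProcessMemory edge against it.
Rows and edges are transcribed from the report above."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class Proc:
    pid: int
    image: str
    args: str
    depth: int
    parent: Optional[int] = None
    children: List[int] = field(default_factory=list)


# (depth, pid, image, args) in report order; depth 1 is a root of its own tree.
REPORT_ROWS = [
    (1, 164,  r"C:\Users\Admin\AppData\Local\Temp\AnyDesk (1).exe", ""),
    (2, 3188, r"C:\Users\Admin\AppData\Local\Temp\AnyDesk (1).exe", "--local-service"),
    (3, 1976, r"C:\Users\Admin\AppData\Local\Temp\AnyDesk (1).exe", "--backend"),
    (2, 296,  r"C:\Users\Admin\AppData\Local\Temp\AnyDesk (1).exe", "--local-control"),
    (1, 4900, r"C:\Windows\system32\AUDIODG.EXE", "0x3b4"),
    (1, 2996, r"C:\Windows\system32\taskmgr.exe", "/4"),
    (1, 3024, r"C:\Windows\System32\rundll32.exe",
     r"C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding"),
    (1, 2624, r"C:\Windows\System32\8os4du.exe", r"C:\Windows\System32\64l3l2m7kforq.exe"),
]

# (writer pid, target pid) from the WriteProcessMemory signature, duplicates removed.
WPM_EDGES = [(164, 3188), (164, 296)]


def build_tree(rows) -> Dict[int, Proc]:
    """Attach each row to the most recent row one level shallower than it."""
    procs: Dict[int, Proc] = {}
    stack: List[int] = []            # ancestors of the current row, index = depth - 1
    for depth, pid, image, args in rows:
        p = Proc(pid, image, args, depth)
        stack = stack[: depth - 1]   # drop everything at this depth or deeper
        if stack:
            p.parent = stack[-1]
            procs[stack[-1]].children.append(pid)
        stack.append(pid)
        procs[pid] = p
    return procs


def roots(procs: Dict[int, Proc]) -> List[int]:
    return [pid for pid, p in procs.items() if p.parent is None]


def subtree(procs: Dict[int, Proc], pid: int) -> List[int]:
    """PIDs of `pid` and all its descendants, depth-first in report order."""
    out = [pid]
    for child in procs[pid].children:
        out.extend(subtree(procs, child))
    return out


def is_ancestor(procs: Dict[int, Proc], anc: int, pid: int) -> bool:
    p = procs[pid].parent
    while p is not None:
        if p == anc:
            return True
        p = procs[p].parent
    return False


def check_wpm_edges(procs: Dict[int, Proc],
                    edges: List[Tuple[int, int]]) -> Dict[Tuple[int, int], str]:
    """Classify each writer->target pair: 'parent' (writer created the target
    directly, the usual benign case), 'ancestor', or 'unrelated' (a write into a
    process outside the writer's own tree, which is what injection looks like)."""
    result = {}
    for writer, target in edges:
        if procs[target].parent == writer:
            result[(writer, target)] = "parent"
        elif is_ancestor(procs, writer, target):
            result[(writer, target)] = "ancestor"
        else:
            result[(writer, target)] = "unrelated"
    return result


def foreign_roots(procs: Dict[int, Proc], sample_pid: int) -> List[int]:
    """Root processes other than the sample: present in the run, but the tree gives no link to it."""
    return [pid for pid in roots(procs) if pid != sample_pid]


if __name__ == "__main__":
    tree = build_tree(REPORT_ROWS)
    print("sample tree:", subtree(tree, 164))
    print("other roots:", foreign_roots(tree, 164))
    print("WriteProcessMemory edges:", check_wpm_edges(tree, WPM_EDGES))
```

With the report's rows both edges classify as parent-to-child; an "unrelated" result, for instance a write from the sample into taskmgr.exe, would be the finding to chase.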
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 385KB
MD5: 1ce7d5a1566c8c449d0f6772a8c27900
SHA1: 60854185f6338e1bfc7497fd41aa44c5c00d8f85
SHA256: 73170761d6776c0debacfbbc61b6988cb8270a20174bf5c049768a264bb8ffaf
SHA512: 7e3411be8614170ae91db1626c452997dc6db663d79130872a124af982ee1d457cefba00abd7f5269adce3052403be31238aecc3934c7379d224cb792d519753

Filesize: 9KB
MD5: 5ecc6c0d8b5ba387b67823e8cbe98148
SHA1: e2cd9b7598dc13ed5ffb1146947c8293fa87a12c
SHA256: ce781fbf2a3a7c8f0e0e5532df2bb6d4ac6bf8564121c62d2124dff315026c4a
SHA512: 5756bdfc50ca93b06454c7effdd3f5d9540379be41d16d5cfdf69789e794a10bd2efaf1aa6bec986d32e7ad8422e03491aa1064c3f8d8baf0d4b391fe5c02cdd

Filesize: 38KB
MD5: 7d4c98b078e087b47092c799852057b4
SHA1: f961ed32d308baed400a0f554ef88327d1a95a18
SHA256: fd66b3e2248aeaa311e50c214da567ea098a315dcf8706c74785e5db4e552917
SHA512: db50509e5a743fc51349f06444d7ca32ab85cde25e021003b26f5c2bc388190eedc8cc9705699f5d77b8c19fe924cfbab354391a57d581dc56ea6debc79f8049

Filesize: 8KB
MD5: f2103a393d391c6d9dcc9df44b83306f
SHA1: bb71e6b9421ed6809e7a4e2dc7c78389c3302874
SHA256: 311277cdf95e8deac3d2bad8271024feaa8544f7893d81bf3ed147e608a24a10
SHA512: 9a8de11bc60b1b58388b8e2022592db4cd2670c66371e6b244aec021e0ebc20c71f2c7155455a829fd40e2b0a7bedbe31c28136c69c64f04d5fdbdd3dd89d1a2

Filesize: 2KB
MD5: 1730a3d40b78599206608f9fdc8e97b8
SHA1: 9d84ebc49bb8b7e633a58750b6899fb2e098d7cd
SHA256: 409fca0809c866dc80d69a677b8e3459c93ff455e9cca6b283000cb71519db53
SHA512: 5a0aff57131a4c509bc91c51228c4554837f8cc410c5b439eb2a3a3e156ce7ebdb585a78787fa39b95b47b0d2c6cff4d736fc735bcbbfe48baadcf5e78ff39ca

Filesize: 2KB
MD5: 5375790ab5b40d331385788b3006152e
SHA1: 1b2aef2a87a9c7644f116fda53b6a1e058c0d9e2
SHA256: 522b614b4e1b4635292cc139cdbcf40e6f3fe1825461b47055e0326fbac92700
SHA512: 61b8c886d13390cbdbf14d33237b64212bfe883ad2d6cff12b4e3e29e18e570d2fd10bc4d1dbee365c4df3370af7265f407a6e2411a0aa5e7bb9de719fb6cdc2

Filesize: 612B
MD5: bf311eae454ccbf76e176e27104f6c14
SHA1: c367b0d46db5e57e7a978925c4a11acf406cc746
SHA256: 50489d09fe57b6e8f0bbf14a061335cd70d85feb9eb3f6c5475d56620e7077f9
SHA512: 48cfcd339b655fff38fd4147fa01ae625d3dc33078f7deb67e076128fb9013a58aaab1410a5072f2a85b0fe0178717b0bbde7690b7338fb68cbe4ca00a505194

Filesize: 681B
MD5: 9c013e4aa723c01fb00fe3270b38b3ee
SHA1: f554d8fe263469fb1ec604a35146c81178d8d153
SHA256: e9500361b769a34ccdf81b667bd9547e49dc2c11477eac64c8693e7970258f20
SHA512: 867237698d5d12d02f64f4855bd722a926f407b1047fb88e393cb30ab62c2bf4ea5879f26f2f9b812417392e47411644db1a0522606c3dd5ae8797e2023df1ca

Filesize: 802B
MD5: 51323b05c1e63d85146255b99f97e9e5
SHA1: 43ee6bac1726a49cda198630808015c0fb8f3430
SHA256: b2d44f3d30383bd51afc216e85ac90692be1c28e318a6a9449a9d774b3f94e59
SHA512: d53fca4c9fd81e959b40b3620b94cabccf72bb3e045d9bf14270a37e391165377fe545a5d22125d5efbef1bb94ea9f88ed9838baa7616d92c1ab2722bf8c1f7f

Filesize: 312B
MD5: 0c04ad1083dc5c7c45e3ee2cd344ae38
SHA1: f1cf190f8ca93000e56d49732e9e827e2554c46f
SHA256: 6452273c017db7cbe0ffc5b109bbf3f8d3282fb91bfa3c5eabc4fb8f1fc98cb0
SHA512: 6c414b39bbc1f1f08446c6c6da6f6e1ceb9303bbf183ae279c872d91641ea8d67ec5e5c4e0824da3837eca73ec29fe70e92b72c09458c8ce50fa6f08791d1492

Filesize: 424B
MD5: 69af9f9511f42b0741a385f6f217d30c
SHA1: 49d218f65ed512cca35f269fd4f2dacf9cc76227
SHA256: a5f772235a9752342cc7c4ee6f9b5cd3c8cb3219d7ccabaf65c5797a54ef101c
SHA512: dd46dbb6a1e3b6ca682bca0a16eabb8541bca1d91b49dfb058fe706dfd46dce0f5dbde84067ab127f85088685545571fbccc02111ddffacdb71305a724deec4d

Filesize: 424B
MD5: 7e26418f0f7221f6464352d18ddb1d9b
SHA1: dcf0cf02dac248a6dc16957ca11e08de61ad0806
SHA256: 96141cedfdf3f9447edc58c6f05efc38adc0aa47921b3c051ad43557e2be6169
SHA512: f5aee0278767363a6f60a875eadd17a11d0bf95469275ec1fb5272811b801bae801242c1629c5bd61eee2e74704392af0f0c71daba0b04779ba364deacdc3f7d

Filesize: 2KB
MD5: 0c6b8053c91b8b3c525b657f26004e14
SHA1: ab7bed72dd49db2428901f9d8068a5cbc11b544c
SHA256: f5cc2bf8e0c06074f0dcd9ac381eeed77c143c03d9cd1020d6158f8d89bea059
SHA512: 7ca8edab5708968302158540089abb9e4a01d395c416db4507a509d6817fcc6c41b39caba29001f10d816b4bb084b92a9f5580655616497cd3b5daf9cd37036b

Filesize: 3KB
MD5: 178ab53315fc44c845d59dcc5e8686da
SHA1: 3dbc93a3ebe0c79e5caea030c4815425e152d268
SHA256: 52c9039f38cbf3b9d324eb21e4c783315c1417f4d0c4cbadb93cf3ab3e68ce8e
SHA512: 60e97188efe15ac83e01f520cbdd480ac04b8f8d8b8cb4a5240f0b98010ffa5005fbc8610785632c97727df9e0e45e3883bbb5463cf80f5286b681dd3af6ce7b

Filesize: 1KB
MD5: a48f8a7fe33c5bcff6db0b0574acd6f4
SHA1: a9d58884439d79d68cb5111af5d05990f74b15ba
SHA256: 466ecf02675d85e3546a2bb12e85511975d223395375a3258dc40eb100f668ad
SHA512: 94cea1bfa4bdafaa11caa778196ba2438ec0dba58279cc180f31f85d04e6422cf21351d21df8b03cb74c8a77c39b8f95bad0c6abd1c1c79bb26861b6a5b7aae7

Filesize: 6KB
MD5: 97591a325c5404528350a783070adb5b
SHA1: f5c0bd5b466add337471c3d09620b32eb56baf45
SHA256: a8fe1b9af4ef9a882a6050b5b294d662b57a97a562f7c6761c19db70ffa27c0e
SHA512: 8c7319cd65fc860e5435b8adef26d87adffdec7beef195a02d502d25e9137535517b64928943c20e2437e64f93fb93f38ce9fe4022325fdd62db2c8e871589e3

Filesize: 6KB
MD5: 6f6544737f46fd0a3ace796e45ce1f4d
SHA1: 533cffc7f688baef76e90aad5262e0d92693a447
SHA256: 1fe975802ccece44a280b08e83fcae84e6ddb594f61f618727a3608e8bf6d7eb
SHA512: 1f8a975d9ec30b3cc949ff2a9b89f00fd13d8dc5d59080f860c8491086168e340f044def8c18406a25dfbc4b6669ab2c5c3b261eeeb0bfe795d9fbd3e97d74eb

Filesize: 7KB
MD5: 38856d78b74af282e7a2ad450a846c7d
SHA1: 4662551ab548ace28e11d5e53f1b8d06ecbd9e7e
SHA256: 0e04f1f5b5a8ae7e78d4fc7cc90eccad2f6ffa9efbe960db5dca37ea3f1203ce
SHA512: 03b736f781459a08255b053d1a114547b80e35eef1f421d7762c6e99a1cd907d60bdafe9331a1c03b674164b273aa855b99d0655c8f8e44384cfd9d73939aa6c

Filesize: 1KB
MD5: d00c47358f7bdf2a3e264da66c464164
SHA1: ff3d41d4811c51fd8daa7b7087d5916345817c50
SHA256: cb02a80fab1745b6c0b1ba40fe6890f77458e63a34bc993a6f30f40ac362c260
SHA512: d3e202ab5dfc80c12eb340e184140c3fcdbd8b227fee5b2d48ff58943adabeb3f66c5d4fe0a05018ab0cf4fad7e890cc9db989d0325cbe511a3b35ba8cee3952