Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
- max time kernel: 120s
- max time network: 123s
- platform: windows7_x64
- resource: win7-20231215-en
- resource tags: arch:x64 arch:x86 image:win7-20231215-en locale:en-us os:windows7-x64 system
- submitted: 16/02/2024, 05:05
Static task
- static1
Behavioral task
- behavioral1: sample AnyDesk.exe, resource win7-20231215-en
Behavioral task
- behavioral2: sample AnyDesk.exe, resource win10v2004-20231215-en
General
- Target: AnyDesk.exe
- Size: 5.0MB
- MD5: a21768190f3b9feae33aaef660cb7a83
- SHA1: 24780657328783ef50ae0964b23288e68841a421
- SHA256: 55e4ce3fe726043070ecd7de5a74b2459ea8bed19ef2a36ce7884b2ab0863047
- SHA512: ca6da822072cb0d3797221e578780b19c8953e4207729a002a64a00ced134059c0ed21b02572c43924e4ba3930c0e88cd2cdb309259e3d0dcfb0c282f1832d62
- SSDEEP: 98304:NzTZ3cINQscs0m++LNkT6OpwDGUUH57yvZ/49Mr8EO3QhA9Kq:Nzt3cINQscNmvLCwDkHEvZ/4R79x
Malware Config
Signatures
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Checks processor information in registry (2 TTPs, 2 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  description       | ioc                                                                                  | Process
  Key opened        | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0                     | AnyDesk.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | AnyDesk.exe
- Suspicious behavior: EnumeratesProcesses (3 IoCs)
  pid  | Process
  2716 | AnyDesk.exe
  1512 | AnyDesk.exe
  2908 | AnyDesk.exe
- Suspicious use of FindShellTrayWindow (5 IoCs)
  pid  | Process
  2908 | AnyDesk.exe (listed 5 times)
- Suspicious use of SendNotifyMessage (5 IoCs)
  pid  | Process
  2908 | AnyDesk.exe (listed 5 times)
- Suspicious use of WriteProcessMemory (8 IoCs)
  description                      | pid  | Process     | procid_target
  PID 1512 wrote to memory of 2716 | 1512 | AnyDesk.exe | 28 (listed 4 times)
  PID 1512 wrote to memory of 2908 | 1512 | AnyDesk.exe | 29 (listed 4 times)
  Both targets (2716 and 2908) are child processes that 1512 itself launched with --local-service and --local-control (see Processes below), so these are parent-to-child writes, not writes into a process the sample did not spawn.
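The WriteProcessMemory rows above are only meaningful once each target PID is checked against the process tree. The following is an added example, not code from the tria.ge report or from AnyDesk, that does exactly that: it collapses the repeated rows, looks up every target in the tree, and separates a parent writing into a child it just spawned (commonly seen during ordinary process creation) from a write into a process the writer did not start (the injection shape worth escalating). The Proc/WpmEvent types, the verdict labels and the helper names are this example's own; PROCS and REPORT_EVENTS are constructed to mirror the rows on this page (1512 -> 2716 and 1512 -> 2908, four rows each), while the explorer.exe process and INJECTION_EVENT are a constructed contrast case with hypothetical PIDs that do not appear in the report. The descendant check goes a step beyond the page, which only shows direct children.

```python
"""Classify WriteProcessMemory IoCs against a sandbox report's process tree.

Added example; not part of the tria.ge report and not AnyDesk code.
"""
from collections import Counter
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Tuple


@dataclass(frozen=True)
class Proc:
    pid: int
    image: str
    cmdline: str
    parent: Optional[int]  # None for the root of the captured tree


@dataclass(frozen=True)
class WpmEvent:
    source_pid: int
    target_pid: int


class ProcessTree:
    def __init__(self, procs: Iterable[Proc]) -> None:
        self.by_pid: Dict[int, Proc] = {p.pid: p for p in procs}

    def ancestors(self, pid: int) -> List[int]:
        """PIDs from the immediate parent up to the top of the known tree."""
        out: List[int] = []
        cur = self.by_pid.get(pid)
        while cur is not None and cur.parent is not None:
            out.append(cur.parent)
            cur = self.by_pid.get(cur.parent)
        return out

    def verdict(self, ev: WpmEvent) -> str:
        target = self.by_pid.get(ev.target_pid)
        if target is None:
            return "unknown-target"      # not in the tree: go back to the raw trace
        if target.parent == ev.source_pid:
            return "own-child"           # parent -> child it spawned: start-up noise
        if ev.source_pid in self.ancestors(ev.target_pid):
            return "descendant"          # grandchild etc.: still inside its own tree
        return "foreign-process"         # write into a process it did not start


def summarize(tree: ProcessTree, events: Iterable[WpmEvent]) -> Dict[Tuple[int, int], dict]:
    """Collapse the repeated rows the report lists per write and attach a verdict."""
    counts = Counter((e.source_pid, e.target_pid) for e in events)
    out: Dict[Tuple[int, int], dict] = {}
    for (src, tgt), n in counts.items():
        target = tree.by_pid.get(tgt)
        out[(src, tgt)] = {
            "count": n,
            "target_cmdline": target.cmdline if target else None,
            "verdict": tree.verdict(WpmEvent(src, tgt)),
        }
    return out


def needs_escalation(summary: Dict[Tuple[int, int], dict]) -> bool:
    """True only when some write leaves the writer's own process tree."""
    return any(v["verdict"] in ("foreign-process", "unknown-target") for v in summary.values())


ANYDESK = r"C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe"

# Constructed to mirror the report's process tree (PIDs and command lines from the page).
PROCS = [
    Proc(1512, "AnyDesk.exe", f'"{ANYDESK}"', None),
    Proc(2716, "AnyDesk.exe", f'"{ANYDESK}" --local-service', 1512),
    Proc(2908, "AnyDesk.exe", f'"{ANYDESK}" --local-control', 1512),
]
TREE = ProcessTree(PROCS)

# The report lists each write four times in its IoC table.
REPORT_EVENTS = [WpmEvent(1512, 2716)] * 4 + [WpmEvent(1512, 2908)] * 4

# Constructed contrast case with hypothetical PIDs (not in the report): a write into a
# process the sample did not start, which is the shape that should be escalated.
FOREIGN_PROC = Proc(1348, "explorer.exe", "explorer.exe", 1000)
TREE_WITH_FOREIGN = ProcessTree(PROCS + [FOREIGN_PROC])
INJECTION_EVENT = WpmEvent(1512, 1348)


if __name__ == "__main__":
    report = summarize(TREE, REPORT_EVENTS)
    for key, info in report.items():
        print(key, info)
    print("escalate (report):", needs_escalation(report))
    contrast = summarize(TREE_WITH_FOREIGN, REPORT_EVENTS + [INJECTION_EVENT])
    print("escalate (with constructed injection):", needs_escalation(contrast))
```

Run as-is, the report's own eight rows collapse to two "own-child" writes and no escalation; only the constructed explorer.exe write flips needs_escalation to True. The "unknown-target" verdict is deliberately treated as escalation-worthy: a target PID missing from the tree means the trace is incomplete, not that the write is benign.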
Processes
- C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
  "C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe"
  PID: 1512
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
    "C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe" --local-service
    PID: 2716
    - Suspicious behavior: EnumeratesProcesses
  - C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
    "C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe" --local-control
    PID: 2908
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 385KB
  MD5: 1ce7d5a1566c8c449d0f6772a8c27900
  SHA1: 60854185f6338e1bfc7497fd41aa44c5c00d8f85
  SHA256: 73170761d6776c0debacfbbc61b6988cb8270a20174bf5c049768a264bb8ffaf
  SHA512: 7e3411be8614170ae91db1626c452997dc6db663d79130872a124af982ee1d457cefba00abd7f5269adce3052403be31238aecc3934c7379d224cb792d519753
- Filesize: 5KB
  MD5: 0e68e35a464b6ea38ca8ef9dcedeedd5
  SHA1: 40c8720fbb7a1f3388c89c21078e2721c4a5b742
  SHA256: 185137928d41fa4c44c83723576fc9e53ff696708911096b03bc63fda86e040c
  SHA512: 54a254c695fe713bca211753808643835c3f4112d93576348c6489d2e548c3b9625b4fb5030f22fae39cc010cbe2232c9ce3c4fba69f0e81b15cfb5c50f1e266
- Filesize: 9KB
  MD5: 39d923794e7a1eff6ab56375d0213e7f
  SHA1: 27ed3ce584d0cc516b8653b4c4f1e37bfca3b8d0
  SHA256: cebef172a18c61b471eee94326453a7a544cd57c6484d14058523f15c7c442e3
  SHA512: a2aaea5818b13dc2848450b276f94209d68c5e1626d58ea8274336839b7f9ca0e6c580a844974380984ae2ace8687063f18692b95ab4fdd2074d0b61cdb74b98
- Filesize: 2KB
  MD5: a00e3d67edf50a0be92e163b2efc2d01
  SHA1: d60d652bcacb751c0117ea602c4fd825f2fe7607
  SHA256: fde334cb12a5d15102c497fc2331734d19d6d87966452ae3111d7ed6c95ccf95
  SHA512: b7f1de33d47167e62b067d86de064f566a55e2407b4a6b42c4c6def4bbcd450d9575cdea702249aebd6ebb5cc8a9bbd92fc1094200ba59ca547388c5e02a67b6
- Filesize: 2KB
  MD5: b1868d701c23ade1402171d3ea13037c
  SHA1: 31af2409ba10109a633e0b7010b2c3f9b1e42a8e
  SHA256: a74c8da0cfae9c5fb15108b4a1be52f8c88457c4b0393eef309a70f919fce62f
  SHA512: e5eb4790200a721dfb80196ccf443286053e191b4f84ec25f757159098f41d22a23d796649d72156118516b3432baf282a843f97f7b51814a1ade848c052da83
- Filesize: 676B
  MD5: 4db2dff9863ec4e9c378293cff4147eb
  SHA1: 8e4324406d700905da4f630406ab6c6b0a89cad6
  SHA256: 93aa129535a094b3fbdc32d3f08fb9127e63a957ea47c5dc50cd0a5a0a0709e3
  SHA512: c242161c3a34dbdd003556f1c77358a2d4cc260d76361b1dcce8f4ceb66c96fa226c0f72ef4e4c5339b59898fe32f402be3c46ed66869409415f6eb77e83c3b8
- Filesize: 745B
  MD5: b7d3a1f97811acaee8fc7fad408074fd
  SHA1: ec5a3865b329916d9f68e1ec44604617cb86870d
  SHA256: a68339c5833c115b5a0eadbd0129a416c0ced12e8e92a9d177265fbdfd81f840
  SHA512: c86ad8b173ae791a6b5b030ab8406ef8c12e6973300a337325405f2fe5967b78c659f91efcd7c948a5ecce02222121781894adbdb9dd36b680257ccd156b336f
- Filesize: 424B
  MD5: 75b6dced42920188712ed568c7f28497
  SHA1: ba4febaf0ea66468437368dcb166becff0152c4e
  SHA256: 9383a2037d959bd6e1010bfdcc4047a39d867ba349ec8a9277e91b556fcf58aa
  SHA512: eae10bddd484a1c47edb449392884d8d3a2d0fd8de60a33f46c612d59ccda5c463c2f8816f7b567643d8ca05db74ff6cf651fc6a75b0ef934e9d2b54a1be205b
- Filesize: 1KB
  MD5: 2a24572d1786c64d9aee37e340998240
  SHA1: c254623bb225fe5df055e25aac4c4702aaf13f75
  SHA256: 6c223161eedc5b4cc3ad61a6aac2020eddd1e5779170546869084a5f56493d3e
  SHA512: 39a793a8a886c064e536e750395d0e870b11a4a66dbc483a6ea4bfa42a326638352b3d596e0606bad2beaa5764b64c6b4578204a067e426dabf2e8ddb0590dae
- Filesize: 1KB
  MD5: c203d6bc0c3a3274b60e535b0b08178a
  SHA1: 76815a752364d30fd509685a364d36eaa73b6a9e
  SHA256: 49671b90df772ac69594f7e9e72b0d6c4d53ea7050b0ea31bc89ec9b22dfb399
  SHA512: f29f0032632c75fe7025c2ab3f6433eedb887bd431b815da130bddb6847fe4eaf944322db540c6c594742c2b363e192aa4235660f881dc9ca587cb32b42209d7
- Filesize: 7KB
  MD5: 0d7880d374239f6a6a9aba914258cbe0
  SHA1: fe6a83039bc77413dcf8da9adb1a094a980eae10
  SHA256: 424757e264cd5ad16c4c9642eda7d5e99178e17b7a3ac64a0ad392e4533baa62
  SHA512: 064e8023ac784077462077f8ab08d8b65937a2dc9d4b91165135443da8499037c642a884a647d1e280e07083a543b6c93655efe6dd923fe76037068859db5d75
- Filesize: 7KB
  MD5: e55a03b3cfd3bea246a76bc2243ff7a3
  SHA1: 2654f131f4cd6f4ee7d2fa38ac98fe98dc0d4b04
  SHA256: 6803de40e3a2debd05571a4f9dc504eb7a5e4f3b70f074c9117b5ebe029687fd
  SHA512: d7e3800a97b6325d0fdd3aa2091eb6cac4ce6ef8e33b93e8ee8ca05683575fff02de40a671e9c03d7e7f36c02b9ce7c352fc4950517d492912004cb79e707bd7
- Filesize: 1KB
  MD5: a1c6e8d88eae26c5dfc70a95e22aabcf
  SHA1: 6e48b58bf72f4b1492bcc42104d4ce9c82209beb
  SHA256: 2f3d0f4618d813952b04d393cae9b0750af001ee961404f1192c6505b8016ac9
  SHA512: 72642b28b34af2fdb52cb9c7be19783ec07632a07c57ede51fabf89ac764a374def83c52771a8ab7866645a4f8bc8e5375fd473178d8a0df5528d9bf7576f41c
- Filesize: 1KB
  MD5: e6ee6418f9780f5cf2b0b07c3710bca6
  SHA1: 8dd448906daf9f2918a5cf37e50dfa2d9aabd4b7
  SHA256: 81171edf72375fcae8ecf5de69e30d5ffec06d9265b0cb8f9b35352e000fb7f4
  SHA512: f2e7fd204ce49eb0bea442faea4438498bafe4605940a9c2cf55f98ba7a12a43d81103380c27767af9239a402c1b64703df1be89dfca238fe4c79880e01b08a6
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\75fdacd8330bac18.customDestinations-ms
  Filesize: 3KB
  MD5: ac7c1aa0b1c68ee908ba22be96792830
  SHA1: e8b5f4ad8aa03195f12a36384b79ca105b26f81c
  SHA256: e0b469d8c924ad2bd28ab048db619cbdaf192dfb84df5cd18aafdb4b826bb9ff
  SHA512: 9bc14a94ec468bbfb3744ee7766a6f045529fd850ce38c51ec570bd88ec743987a85a8d02f8214f0bbf19dc0ca9af289fdc3615853e8a75bdf12a3ee52b93ada
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\75fdacd8330bac18.customDestinations-ms~RFf76dce7.TMP
  Filesize: 3KB
  MD5: c629d8fcfecf7e8293abfeb3dad427f6
  SHA1: 69625bd1da5f41c75151e7cfb74e96272d4ed6cd
  SHA256: bbe72744f572a03de93abedcb3e50af2db746317c2cfa5f8549f6fd5ff347cad
  SHA512: 6c9dd08de4eebe5c74283c87d86143a131e87f4206b0c3ecb99a12ae388c4c6fdbf24eae64c97764104661dfd805bc01d26fff6aed670cdd55115c05d4d0fbd5