Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

3

Static

static

1

AnyDesk.exe

windows10-2004-x64

3

Resubmissions

09/09/2024, 21:19 UTC

240909-z6ktbssfnb 3

05/09/2024, 18:47 UTC

240905-xfehhsxhlc 10

Analysis

  • max time kernel
    42s
  • max time network
    40s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    09/09/2024, 21:19 UTC

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    AnyDesk.exe

  • Size

    5.1MB

  • MD5

    e6f473bd5340405656209e620f43068f

  • SHA1

    c144446dc23c86c7c9b26ce87c3176866372f6d1

  • SHA256

    bed33c3732307e19e9a702e7ff179180a7891b92cb879a5b758021eefc68a99b

  • SHA512

    2e9065caeadcef0edd1e8e8fe3139e0fc5a9dd46011dbc0a4666745ed817cfaf6f859c9f1b5c1e5e957476cb16b42dcf14508594e44f2a059706865c19866a4c

  • SSDEEP

    98304:H/9YNbhcFtvWK+XJURR51NX6hzzVwDmIoEWXF5fX+LWHF7uCf:HCNbhcF1WKW6whfOjGvAWHR

Score
3/10
discovery

Malware Config

Signatures

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of FindShellTrayWindow 3 IoCs
  • Suspicious use of SendNotifyMessage 3 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
    "C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Checks processor information in registry
    • Suspicious use of WriteProcessMemory
    PID:5104
    • C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
      "C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe" --local-service
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:3124
    • C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
      "C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe" --local-control
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:4608

Network

  • flag-us
    DNS
    8.8.8.8.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    8.8.8.8.in-addr.arpa
    IN PTR
    Response
    8.8.8.8.in-addr.arpa
    IN PTR
    dnsgoogle
  • flag-us
    DNS
    149.220.183.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    149.220.183.52.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    240.143.123.92.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    240.143.123.92.in-addr.arpa
    IN PTR
    Response
    240.143.123.92.in-addr.arpa
    IN PTR
    a92-123-143-240deploystaticakamaitechnologiescom
  • flag-us
    DNS
    boot.net.anydesk.com
    AnyDesk.exe
    Remote address:
    8.8.8.8:53
    Request
    boot.net.anydesk.com
    IN A
    Response
    boot.net.anydesk.com
    IN A
    92.223.88.232
  • flag-us
    DNS
    relay-98c428ee.net.anydesk.com
    AnyDesk.exe
    Remote address:
    8.8.8.8:53
    Request
    relay-98c428ee.net.anydesk.com
    IN A
    Response
    relay-98c428ee.net.anydesk.com
    IN A
    195.181.165.154
  • flag-us
    DNS
    232.88.223.92.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    232.88.223.92.in-addr.arpa
    IN PTR
    Response
    232.88.223.92.in-addr.arpa
    IN PTR
    relay-ac5c9eb2netanydeskcom
  • flag-us
    DNS
    71.159.190.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    71.159.190.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    154.165.181.195.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    154.165.181.195.in-addr.arpa
    IN PTR
    Response
    154.165.181.195.in-addr.arpa
    IN PTR
    relay-98c428eenetanydeskcom
  • flag-us
    DNS
    95.221.229.192.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    95.221.229.192.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    97.17.167.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    97.17.167.52.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    241.150.49.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    241.150.49.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    26.165.165.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    26.165.165.52.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    198.187.3.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    198.187.3.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    73.190.18.2.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    73.190.18.2.in-addr.arpa
    IN PTR
    Response
    73.190.18.2.in-addr.arpa
    IN PTR
    a2-18-190-73deploystaticakamaitechnologiescom
  • 92.223.88.232:443
    boot.net.anydesk.com
    tls
    AnyDesk.exe
    1.8kB
     2.0kB
     8
    8
  • 195.181.165.154:443
    relay-98c428ee.net.anydesk.com
    tls
    AnyDesk.exe
    14.0kB
     413.5kB
     221
    333
  • 8.8.8.8:53
    8.8.8.8.in-addr.arpa
    dns
    66 B
     90 B
     1
    1

    DNS Request

    8.8.8.8.in-addr.arpa

  • 8.8.8.8:53
    149.220.183.52.in-addr.arpa
    dns
    73 B
     147 B
     1
    1

    DNS Request

    149.220.183.52.in-addr.arpa

  • 8.8.8.8:53
    240.143.123.92.in-addr.arpa
    dns
    73 B
     139 B
     1
    1

    DNS Request

    240.143.123.92.in-addr.arpa

  • 8.8.8.8:53
    boot.net.anydesk.com
    dns
    AnyDesk.exe
    66 B
     82 B
     1
    1

    DNS Request

    boot.net.anydesk.com

    DNS Response

    92.223.88.232

  • 8.8.8.8:53
    relay-98c428ee.net.anydesk.com
    dns
    AnyDesk.exe
    76 B
     92 B
     1
    1

    DNS Request

    relay-98c428ee.net.anydesk.com

    DNS Response

    195.181.165.154

  • 8.8.8.8:53
    232.88.223.92.in-addr.arpa
    dns
    72 B
     116 B
     1
    1

    DNS Request

    232.88.223.92.in-addr.arpa

  • 8.8.8.8:53
    71.159.190.20.in-addr.arpa
    dns
    72 B
     158 B
     1
    1

    DNS Request

    71.159.190.20.in-addr.arpa

  • 8.8.8.8:53
    154.165.181.195.in-addr.arpa
    dns
    74 B
     118 B
     1
    1

    DNS Request

    154.165.181.195.in-addr.arpa

  • 8.8.8.8:53
    95.221.229.192.in-addr.arpa
    dns
    73 B
     144 B
     1
    1

    DNS Request

    95.221.229.192.in-addr.arpa

  • 8.8.8.8:53
    97.17.167.52.in-addr.arpa
    dns
    71 B
     145 B
     1
    1

    DNS Request

    97.17.167.52.in-addr.arpa

  • 8.8.8.8:53
    241.150.49.20.in-addr.arpa
    dns
    72 B
     158 B
     1
    1

    DNS Request

    241.150.49.20.in-addr.arpa

  • 8.8.8.8:53
    26.165.165.52.in-addr.arpa
    dns
    72 B
     146 B
     1
    1

    DNS Request

    26.165.165.52.in-addr.arpa

  • 8.8.8.8:53
    198.187.3.20.in-addr.arpa
    dns
    71 B
     157 B
     1
    1

    DNS Request

    198.187.3.20.in-addr.arpa

  • 8.8.8.8:53
    73.190.18.2.in-addr.arpa
    dns
    70 B
     133 B
     1
    1

    DNS Request

    73.190.18.2.in-addr.arpa

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\gcapi.dll
    Filesize

    385KB

    MD5

    1ce7d5a1566c8c449d0f6772a8c27900

    SHA1

    60854185f6338e1bfc7497fd41aa44c5c00d8f85

    SHA256

    73170761d6776c0debacfbbc61b6988cb8270a20174bf5c049768a264bb8ffaf

    SHA512

    7e3411be8614170ae91db1626c452997dc6db663d79130872a124af982ee1d457cefba00abd7f5269adce3052403be31238aecc3934c7379d224cb792d519753

    Download Submit

  • C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace
    Filesize

    9KB

    MD5

    8d998fb60fe59cb45ecf6795260195f7

    SHA1

    7546d53ab97d5538c80dcd5e4811b1f563f8a82f

    SHA256

    deba1548ba5a700717805f76da8eed3fe578d8cf766eac41c03b790ba7a242df

    SHA512

    b93c685817da02e24251b7b2085c38b162f70e318e46bd5236828e0da0d7b232f34655aac7bff221f8526ab008e4afe898114b92d2653f47d86c25cb7fa4e96a

    Download Submit

  • C:\Users\Admin\AppData\Roaming\AnyDesk\service.conf
    Filesize

    2KB

    MD5

    96eba753730035e161f4da24171a89a6

    SHA1

    75e3f8221760c36d30f30d1710a4825614e8acdf

    SHA256

    7673c4f49c18c2e876a6199d4df87ca0d8af9115a008ef991ff903a8380d2d9c

    SHA512

    1db28ec76cbf4eecad637ceb682ee70444da8fc3711d588f1e3b7d122689c1249a7f64933fd5a9cf56188fbe65e70d6a8739c7e2ce1ccc4ba1bc907d8c8a86b2

    Download Submit

  • C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf
    Filesize

    745B

    MD5

    3090c0f82465819c8410bd1d41479fec

    SHA1

    8535d0c2d85c4a6b9bfe672e16304fdb53b3467f

    SHA256

    92139be0871068e5d9ed85f55eb460f3a18046b0b76e7d328b4d210c6cad1ace

    SHA512

    42ee9f8815f16d3e87960c9aaf88f98d5c54529c39a67950d7e3e5e8854fe9195eddc08b1316f9beee55dd45e35b19924b1c4e8aa8b0bff290b8ebc8015ddd72

    Download Submit

  • C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf
    Filesize

    766B

    MD5

    62ecb7b57055e52a0138671a06080461

    SHA1

    1d04bb28d7c162f234dac4fb6e89592d0612b095

    SHA256

    1234f32618aa64f6a57aff784c304249adabb18f166775816530b1efbe0ca54c

    SHA512

    839aa030c12b1d0e487dd3b551281a9b3bd60ffd331ec378fcba936a4bd25edde11947ac7ba5d6cedd5baabb96b653634fc756c93f4bf9037e162e46b03fc5ed

    Download Submit

  • C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf
    Filesize

    775B

    MD5

    6eb4ea7b0237712d8cfea15afbdfd561

    SHA1

    fc98a8244715659251a936b7849cd565cc891faf

    SHA256

    5ab8d6f81efa0bf9996f9c35b210aa18dac664730c63b2a4eb8ff2355053d370

    SHA512

    3cabee12804abfdb9817cdef97418119e07347c12c6d0fe7d5379418a2089e3300eec6903e99ee42750cbe1a1f7da6353a39e2dc0fa106f526ecf03df0a2240a

    Download Submit

  • C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf
    Filesize

    832B

    MD5

    8946fd67763399a9e9e1df3b59ca2d81

    SHA1

    9ef1d85a16d58c4a899427978735583b73e5aa32

    SHA256

    210b59f2d588c394ebb55d0f888a41175ba2358df5da1fe17a54e2feac822cf8

    SHA512

    e9c2a39aababb2c6441ca429f0f22b22ef21075c3a5bded9c8122bf3e6906bf378684a824a9e1297134fab22070134680b1be9368a4784b74fd476b3e69547cf

    Download Submit

  • C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf
    Filesize

    468B

    MD5

    8c368b96e983a5d8ba99546d6c58bc00

    SHA1

    6098965473dc7ca065bf57c3bba42f9282d7a3e8

    SHA256

    872f885d801f8cc15a843f5083fa947238868ebbe2e65aebca92c891728dbc18

    SHA512

    c6a4fd027b658538160414dcc071cdd7f2b7580cd73991f6165eb5ea3d4637e60aaf46b22f119851e5d48d9260dd6c08613c085345360da486064540351eb9a7

    Download Submit

  • C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf
    Filesize

    468B

    MD5

    c5f2a62ba835ef9eb5a5a807212d18e8

    SHA1

    3d2085e35001dc5c0258e1e0e5555891ca6c1845

    SHA256

    d039cffa1c8d0ebe7964a32979d4bec557f0f8202d2670fa3e32c0648232e765

    SHA512

    925f4f779fc1599790a57f4c438c7a958bcf1b2ab0c9ce781609ec19b64da1ccd8e29c29a4d53cbc82ab73e7be37e7d65e3473310b5d952634d7449727db88af

    Download Submit

  • C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf
    Filesize

    3KB

    MD5

    30113781f05449c664972a9c7745086f

    SHA1

    8fb65f68a65a28ff9b93255f6a32da3249ff365a

    SHA256

    987ff2727835ae2057d16d3786b0a1fb944b5f77d5c3631831bfa739329aeaed

    SHA512

    41efcf269f441beb5bf00589c078ce172e56a5dc78662ea1adc00ddd23c70a92247544555f96c8c0638c951dbf6d10c53aa76fdf2ffb75c693307e520aa33bab

    Download Submit

  • C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf
    Filesize

    3KB

    MD5

    c5d3ed4b7672cd64b1c9a1e36d888cde

    SHA1

    b2abd9bc04653e3a27361b4ea2399b03fff95b1c

    SHA256

    edb9aff30334248b3aab70d375a6d761362b5172f684d2d0c9a4092cd940fa79

    SHA512

    15885956702ab3ab8e18aa793ac3ae7af35ae18eaa74eba19bf8d5cb40bc5d7457c96bf8bee9aa1b3bee4b35fb2bbfb3f029af986972c89fa2f2195a98e86b39

    Download Submit

  • C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf
    Filesize

    1KB

    MD5

    a0547ada0a02c9fb41e8fdb2a9e9c415

    SHA1

    a0ec26f5b5cafbc75f86d571ddf2252da1ce12de

    SHA256

    d08473a6269d7b4293d804bc4b72bd29db34dae2fe3c331d7a5b3daba79b1085

    SHA512

    31c59842547a758591ee1800decd6eb724f0342c165df41f85fc9f932d49c585ab235a90ec049f23fe0d84471ee102277ed5de114cdd68c8732c4283a4632617

    Download Submit

  • C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf
    Filesize

    3KB

    MD5

    1df87ee8e6a9df77ff625b80b16be10e

    SHA1

    a001715f36952b57abc48a376d5f6e121fec89d2

    SHA256

    2a91d2fcb4c230c71a4b9938e866df5a64b028edd0f42a9e23e8cecdb4787fb5

    SHA512

    798ed14e73a7e04b4f12d48052ceedf2ee5518004af11b1eb94e8ecc3ad74c98eeb9e5be623169075a3073f5f49666ea9c2b61f81abfb0803646be05ef83c659

    Download Submit

  • C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf
    Filesize

    1KB

    MD5

    c4e10b96cd6aa3076a684750ff663709

    SHA1

    cd054ee9d9a8e91065d00eec114546ef663643fa

    SHA256

    e3f366f8ff7195526a7b2c3b03b907d31a9e7b0839a002b8a12199e0811d996d

    SHA512

    0dca0c2d47970672ad7c2058c67632f4ce0a7c322d0a4b295b51e3c9e7c7663a46c0e1ce956264eef081ea9ee15e145cd5380e5363ac9c21ef8125742c829339

    Download Submit

  • C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf
    Filesize

    1KB

    MD5

    60d713dc67659ac5004c1b26a659374e

    SHA1

    59db1e6e70e3f150b5522a10171d270033205e53

    SHA256

    9553433da9461645cde7ec4d60491be16363e6b79271b2a786673019db2c629a

    SHA512

    50ecf9acb0fdf94fdad16ac8370447642a186cd6ebae38f22700d4a2380d8e2fe155286a788dbf452833af06a2c0c0bcd390e5b92813bf3e2f9378a7045e762c

    Download Submit

  • memory/3124-10-0x0000000000380000-0x0000000001AF4000-memory.dmp

    Filesize

    23.5MB

    Download

  • memory/3124-44-0x0000000005080000-0x000000000509B000-memory.dmp

    Filesize

    108KB

    Download

  • memory/3124-12-0x0000000000380000-0x0000000001AF4000-memory.dmp

    Filesize

    23.5MB

    Download

  • memory/3124-41-0x0000000005080000-0x000000000509B000-memory.dmp

    Filesize

    108KB

    Download

  • memory/3124-45-0x0000000005080000-0x000000000509B000-memory.dmp

    Filesize

    108KB

    Download

  • memory/3124-178-0x0000000000380000-0x0000000001AF4000-memory.dmp

    Filesize

    23.5MB

    Download

  • memory/4608-13-0x0000000000380000-0x0000000001AF4000-memory.dmp

    Filesize

    23.5MB

    Download

  • memory/4608-179-0x0000000000380000-0x0000000001AF4000-memory.dmp

    Filesize

    23.5MB

    Download

  • memory/5104-2-0x0000000000384000-0x00000000015DA000-memory.dmp

    Filesize

    18.3MB

    Download

  • memory/5104-4-0x0000000000380000-0x0000000001AF4000-memory.dmp

    Filesize

    23.5MB

    Download

  • memory/5104-0-0x0000000000380000-0x0000000001AF4000-memory.dmp

    Filesize

    23.5MB

    Download

  • memory/5104-176-0x0000000000384000-0x00000000015DA000-memory.dmp

    Filesize

    18.3MB

    Download

  • memory/5104-177-0x0000000000380000-0x0000000001AF4000-memory.dmp

    Filesize

    23.5MB

    Download

We care about your privacy.

This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.