Analysis
max time kernel: 42s
max time network: 40s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
submitted: 09/09/2024, 21:19
Static task: static1
Behavioral task: behavioral1
Sample: AnyDesk.exe
Resource: win10v2004-20240802-en
General
Target: AnyDesk.exe
Size: 5.1MB
MD5: e6f473bd5340405656209e620f43068f
SHA1: c144446dc23c86c7c9b26ce87c3176866372f6d1
SHA256: bed33c3732307e19e9a702e7ff179180a7891b92cb879a5b758021eefc68a99b
SHA512: 2e9065caeadcef0edd1e8e8fe3139e0fc5a9dd46011dbc0a4666745ed817cfaf6f859c9f1b5c1e5e957476cb16b42dcf14508594e44f2a059706865c19866a4c
SSDEEP: 98304:H/9YNbhcFtvWK+XJURR51NX6hzzVwDmIoEWXF5fX+LWHF7uCf:HCNbhcF1WKW6whfOjGvAWHR
Malware Config
Signatures

- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).

- System Location Discovery: System Language Discovery (1 TTPs, 3 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  description   ioc                                                          Process
  Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   AnyDesk.exe
  Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   AnyDesk.exe
  Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   AnyDesk.exe

- Checks processor information in registry (2 TTPs, 2 IoCs)
  Processor information is often read in order to detect sandboxing environments.

  description        ioc                                                                              Process
  Key opened         \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0                  AnyDesk.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString  AnyDesk.exe

- Suspicious behavior: EnumeratesProcesses (2 IoCs)

  pid   Process
  3124  AnyDesk.exe
  3124  AnyDesk.exe

- Suspicious use of FindShellTrayWindow (3 IoCs)

  pid   Process
  4608  AnyDesk.exe
  4608  AnyDesk.exe
  4608  AnyDesk.exe

- Suspicious use of SendNotifyMessage (3 IoCs)

  pid   Process
  4608  AnyDesk.exe
  4608  AnyDesk.exe
  4608  AnyDesk.exe

- Suspicious use of WriteProcessMemory (6 IoCs)

  description                        pid   Process      procid_target
  PID 5104 wrote to memory of 3124   5104  AnyDesk.exe  86
  PID 5104 wrote to memory of 3124   5104  AnyDesk.exe  86
  PID 5104 wrote to memory of 3124   5104  AnyDesk.exe  86
  PID 5104 wrote to memory of 4608   5104  AnyDesk.exe  87
  PID 5104 wrote to memory of 4608   5104  AnyDesk.exe  87
  PID 5104 wrote to memory of 4608   5104  AnyDesk.exe  87
Processes

1. C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe"
   PID: 5104
   - System Location Discovery: System Language Discovery
   - Checks processor information in registry
   - Suspicious use of WriteProcessMemory

   2. C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe (child of PID 5104)
      Command line: "C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe" --local-service
      PID: 3124
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses

   2. C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe (child of PID 5104)
      Command line: "C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe" --local-control
      PID: 4608
      - System Location Discovery: System Language Discovery
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage
Network
MITRE ATT&CK Enterprise v15
Downloads