27cc74d89f7c06b84a52e0d77251d7343dc2f4708c16ae4ffcef4e41ec656dfa | Triage

Analysis

max time kernel
120s
max time network
54s
platform
windows7_x64
resource
win7v20210410
submitted
21-07-2021 12:57

Sharing

Report Analysis Logs

General

Target

anchor.exe.dll
Size

299KB
MD5

5fabc724f1191428b447c86a23aa3092
SHA1

3857722c33cc2140225ac74884175f850c6ec295
SHA256

27cc74d89f7c06b84a52e0d77251d7343dc2f4708c16ae4ffcef4e41ec656dfa
SHA512

e4448d881bbd7112f899cc38ee7ef625b26f5ca349c9956b7f33c81a51a15f8aa917cdfd4704b7ec072acde7d4ef924897b993b7a022bdcba2fcdf34e0b6894c

Score

5^/10

Malware Config

Signatures

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\rundll32.exe: $FILE	rundll32.exe
File opened for modification	C:\Windows\system32\rundll32.exe: $TASK	rundll32.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1604	taskeng.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1604 wrote to memory of 672	1604	taskeng.exe	30
PID 1604 wrote to memory of 672	1604	taskeng.exe	30
PID 1604 wrote to memory of 672	1604	taskeng.exe	30

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\anchor.exe.dll,#1
1⤵
- Drops file in System32 directory
PID:1908

C:\Windows\system32\taskeng.exe
taskeng.exe {9655E0E2-3E1E-4A49-A978-B420ACF516FD} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1604
- C:\Windows\system32\rundll32.exe
  C:\Windows\system32\rundll32.exe -u
  2⤵
  PID:672

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads