Analysis Overview
SHA256
c31016c52dacd5a736cfbfd1e9fafbd29e0dec1154262aea2377b20074f86f8f
Threat Level: Known bad
The file c31016c52dacd5a736cfbfd1e9fafbd29e0dec1154262aea2377b20074f86f8f was found to be: Known bad.
Malicious Activity Summary
Anubis banker
Executes dropped EXE
Loads dropped DLL
Checks computer location settings
Requests dangerous framework permissions
Enumerates physical storage devices
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2022-11-30 14:06
Signatures
Analysis: behavioral2
Detonation Overview
Submitted
2022-11-30 14:06
Reported
2022-12-02 12:26
Platform
win10v2004-20220812-en
Max time kernel
151s
Max time network
179s
Command Line
Signatures
Anubis banker
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7z2.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\c31016c52dacd5a736cfbfd1e9fafbd29e0dec1154262aea2377b20074f86f8f.exe | N/A |
Requests dangerous framework permissions
| Description | Indicator | Process | Target |
| Allows an app to access precise location. | android.permission.ACCESS_FINE_LOCATION | N/A | N/A |
| Allows an application to receive SMS messages. | android.permission.RECEIVE_SMS | N/A | N/A |
| Allows an application to read SMS messages. | android.permission.READ_SMS | N/A | N/A |
| Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. | android.permission.CALL_PHONE | N/A | N/A |
| Allows an application to send SMS messages. | android.permission.SEND_SMS | N/A | N/A |
| Allows an application to write to external storage. | android.permission.WRITE_EXTERNAL_STORAGE | N/A | N/A |
| Allows an application to read from external storage. | android.permission.READ_EXTERNAL_STORAGE | N/A | N/A |
| Allows an application to record audio. | android.permission.RECORD_AUDIO | N/A | N/A |
| Allows an application to read the user's contacts data. | android.permission.READ_CONTACTS | N/A | N/A |
| Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A |
Enumerates physical storage devices
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeRestorePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\7z2.exe | N/A |
| Token: 35 | N/A | C:\Users\Admin\AppData\Local\Temp\7z2.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\7z2.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\7z2.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4020 wrote to memory of 5068 | N/A | C:\Users\Admin\AppData\Local\Temp\c31016c52dacd5a736cfbfd1e9fafbd29e0dec1154262aea2377b20074f86f8f.exe | C:\Users\Admin\AppData\Local\Temp\7z2.exe |
| PID 4020 wrote to memory of 5068 | N/A | C:\Users\Admin\AppData\Local\Temp\c31016c52dacd5a736cfbfd1e9fafbd29e0dec1154262aea2377b20074f86f8f.exe | C:\Users\Admin\AppData\Local\Temp\7z2.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\c31016c52dacd5a736cfbfd1e9fafbd29e0dec1154262aea2377b20074f86f8f.exe
"C:\Users\Admin\AppData\Local\Temp\c31016c52dacd5a736cfbfd1e9fafbd29e0dec1154262aea2377b20074f86f8f.exe"
C:\Users\Admin\AppData\Local\Temp\7z2.exe
"C:\Users\Admin\AppData\Local\Temp\7z2.exe" x "C:\Users\Admin\AppData\Local\Temp\stubfile.7z" -o"C:\Users\Admin\AppData\Local\Temp\" -y
Network
| Country | Destination | Domain | Proto |
| N/A | 93.184.221.240:80 | N/A | tcp |
| N/A | 67.24.27.254:80 | N/A | tcp |
| N/A | 93.184.220.29:80 | N/A | tcp |
| N/A | 93.184.221.240:80 | N/A | tcp |
| N/A | 20.189.173.7:443 | N/A | tcp |
| N/A | 52.109.13.62:443 | N/A | tcp |
| N/A | 13.107.4.50:80 | N/A | tcp |
| N/A | 13.107.4.50:80 | N/A | tcp |
| N/A | 13.107.4.50:80 | N/A | tcp |
| N/A | 8.8.8.8:53 | 14.110.152.52.in-addr.arpa | udp |
Files
memory/4020-132-0x0000000000920000-0x00000000009B4000-memory.dmp
memory/4020-133-0x00000000052E0000-0x000000000537C000-memory.dmp
memory/4020-134-0x0000000005AF0000-0x0000000006094000-memory.dmp
memory/4020-135-0x0000000005450000-0x00000000054E2000-memory.dmp
memory/4020-136-0x0000000005410000-0x000000000541A000-memory.dmp
memory/4020-137-0x0000000005690000-0x00000000056E6000-memory.dmp
memory/5068-138-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\7z2.exe
| MD5 | 619f7135621b50fd1900ff24aade1524 |
| SHA1 | 6c7ea8bbd435163ae3945cbef30ef6b9872a4591 |
| SHA256 | 344f076bb1211cb02eca9e5ed2c0ce59bcf74ccbc749ec611538fa14ecb9aad2 |
| SHA512 | 2c7293c084d09bc2e3ae2d066dd7b331c810d9e2eeca8b236a8e87fdeb18e877b948747d3491fcaff245816507685250bd35f984c67a43b29b0ae31ecb2bd628 |
C:\Users\Admin\AppData\Local\Temp\stubfile.7z
| MD5 | cda2a5aac4fcb466f42e311fa1082a3d |
| SHA1 | cc9197bef10ed6b24161613bcfa41f1dd9b6e29d |
| SHA256 | 4f0945e90196e2fbeb939fb75b04969767e48f78c06920fd6962712fa3202faa |
| SHA512 | 9e4d8567a0569e7aed2058c6b972e972eabf38060005202bfb37799a18324da981e2176b9cdedb6272d3ab7db3dffd196984f93f9c711e664f164891e31e2a9f |
C:\Users\Admin\AppData\Local\Temp\stub.apk
| MD5 | 907e167bab28358e03413f4a32ff91f1 |
| SHA1 | b72068b03565bcb8ac2322a8d8def67c975f488f |
| SHA256 | 3c302715512ce87b98ffb0e7ecb8c8638d25c5b0462fd127bb1c638e99b37938 |
| SHA512 | 003120d75bc469ed2e196946ff7ec6d002e9916f5eb35f303738934f7632ff316e1c527688d742952c17f9db143d1d73803fd1727933e1f26d8fd9ec1dad1de6 |
Analysis: behavioral1
Detonation Overview
Submitted
2022-11-30 14:06
Reported
2022-12-02 12:25
Platform
win7-20220812-en
Max time kernel
42s
Max time network
45s
Command Line
Signatures
Anubis banker
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7z2.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\c31016c52dacd5a736cfbfd1e9fafbd29e0dec1154262aea2377b20074f86f8f.exe | N/A |
| N/A | N/A | N/A | N/A |
Requests dangerous framework permissions
| Description | Indicator | Process | Target |
| Allows an app to access precise location. | android.permission.ACCESS_FINE_LOCATION | N/A | N/A |
| Allows an application to receive SMS messages. | android.permission.RECEIVE_SMS | N/A | N/A |
| Allows an application to read SMS messages. | android.permission.READ_SMS | N/A | N/A |
| Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. | android.permission.CALL_PHONE | N/A | N/A |
| Allows an application to send SMS messages. | android.permission.SEND_SMS | N/A | N/A |
| Allows an application to write to external storage. | android.permission.WRITE_EXTERNAL_STORAGE | N/A | N/A |
| Allows an application to read from external storage. | android.permission.READ_EXTERNAL_STORAGE | N/A | N/A |
| Allows an application to record audio. | android.permission.RECORD_AUDIO | N/A | N/A |
| Allows an application to read the user's contacts data. | android.permission.READ_CONTACTS | N/A | N/A |
| Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A |
Enumerates physical storage devices
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeRestorePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\7z2.exe | N/A |
| Token: 35 | N/A | C:\Users\Admin\AppData\Local\Temp\7z2.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\7z2.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\7z2.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1520 wrote to memory of 900 | N/A | C:\Users\Admin\AppData\Local\Temp\c31016c52dacd5a736cfbfd1e9fafbd29e0dec1154262aea2377b20074f86f8f.exe | C:\Users\Admin\AppData\Local\Temp\7z2.exe |
| PID 1520 wrote to memory of 900 | N/A | C:\Users\Admin\AppData\Local\Temp\c31016c52dacd5a736cfbfd1e9fafbd29e0dec1154262aea2377b20074f86f8f.exe | C:\Users\Admin\AppData\Local\Temp\7z2.exe |
| PID 1520 wrote to memory of 900 | N/A | C:\Users\Admin\AppData\Local\Temp\c31016c52dacd5a736cfbfd1e9fafbd29e0dec1154262aea2377b20074f86f8f.exe | C:\Users\Admin\AppData\Local\Temp\7z2.exe |
| PID 1520 wrote to memory of 900 | N/A | C:\Users\Admin\AppData\Local\Temp\c31016c52dacd5a736cfbfd1e9fafbd29e0dec1154262aea2377b20074f86f8f.exe | C:\Users\Admin\AppData\Local\Temp\7z2.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\c31016c52dacd5a736cfbfd1e9fafbd29e0dec1154262aea2377b20074f86f8f.exe
"C:\Users\Admin\AppData\Local\Temp\c31016c52dacd5a736cfbfd1e9fafbd29e0dec1154262aea2377b20074f86f8f.exe"
C:\Users\Admin\AppData\Local\Temp\7z2.exe
"C:\Users\Admin\AppData\Local\Temp\7z2.exe" x "C:\Users\Admin\AppData\Local\Temp\stubfile.7z" -o"C:\Users\Admin\AppData\Local\Temp\" -y
Network
Files
memory/1520-54-0x0000000000F70000-0x0000000001004000-memory.dmp
memory/1520-55-0x0000000074D61000-0x0000000074D63000-memory.dmp
memory/1520-56-0x00000000050F0000-0x0000000005194000-memory.dmp
\Users\Admin\AppData\Local\Temp\7z2.exe
| MD5 | 619f7135621b50fd1900ff24aade1524 |
| SHA1 | 6c7ea8bbd435163ae3945cbef30ef6b9872a4591 |
| SHA256 | 344f076bb1211cb02eca9e5ed2c0ce59bcf74ccbc749ec611538fa14ecb9aad2 |
| SHA512 | 2c7293c084d09bc2e3ae2d066dd7b331c810d9e2eeca8b236a8e87fdeb18e877b948747d3491fcaff245816507685250bd35f984c67a43b29b0ae31ecb2bd628 |
C:\Users\Admin\AppData\Local\Temp\7z2.exe
| MD5 | 619f7135621b50fd1900ff24aade1524 |
| SHA1 | 6c7ea8bbd435163ae3945cbef30ef6b9872a4591 |
| SHA256 | 344f076bb1211cb02eca9e5ed2c0ce59bcf74ccbc749ec611538fa14ecb9aad2 |
| SHA512 | 2c7293c084d09bc2e3ae2d066dd7b331c810d9e2eeca8b236a8e87fdeb18e877b948747d3491fcaff245816507685250bd35f984c67a43b29b0ae31ecb2bd628 |
memory/900-58-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\stubfile.7z
| MD5 | cda2a5aac4fcb466f42e311fa1082a3d |
| SHA1 | cc9197bef10ed6b24161613bcfa41f1dd9b6e29d |
| SHA256 | 4f0945e90196e2fbeb939fb75b04969767e48f78c06920fd6962712fa3202faa |
| SHA512 | 9e4d8567a0569e7aed2058c6b972e972eabf38060005202bfb37799a18324da981e2176b9cdedb6272d3ab7db3dffd196984f93f9c711e664f164891e31e2a9f |
C:\Users\Admin\AppData\Local\Temp\stub.apk
| MD5 | 907e167bab28358e03413f4a32ff91f1 |
| SHA1 | b72068b03565bcb8ac2322a8d8def67c975f488f |
| SHA256 | 3c302715512ce87b98ffb0e7ecb8c8638d25c5b0462fd127bb1c638e99b37938 |
| SHA512 | 003120d75bc469ed2e196946ff7ec6d002e9916f5eb35f303738934f7632ff316e1c527688d742952c17f9db143d1d73803fd1727933e1f26d8fd9ec1dad1de6 |
memory/1520-63-0x0000000004C05000-0x0000000004C16000-memory.dmp