General

  • Target

    Anarchy Panel 4.7.rar

  • Size

    5.4MB

  • Sample

    230620-abg2hsha27

  • MD5

    0339f9df349f374160d3ec255755ccd0

  • SHA1

    495d2b96407119f9fbf7d7acfe389b22aacf13dc

  • SHA256

    5a25c825e231e59b74d37cf66f9e048ba0785d209f37e55eb9e56dd8ed4939cf

  • SHA512

    34c77d765cf6c323adb3b8f3758af265051666ee218baa6cec54d5aa6b717e5717935d9acc95abe63ff988f6cd2483d7711882d108c5e4abb7eb1b3bfc4bc7fe

  • SSDEEP

    98304:MrTK0ZAmeGx8Fzgq4obMgPvVDF8CWT9ik09twYHglQCyyTwgo855TjvaIQZucnEb:M5A1GI4obTPvs99i8YBCnT75l/Kxnbmt

Malware Config

Extracted

  • Language

    ps1

  • Source

    URLs

  • ps1.dropper

    https://rentry.org/nipkv/raw

Targets

    • Target

      Anarchy Panel.exe

    • Size

      71KB

    • MD5

      921b80699829ba456a35ff4a4cc16861

    • SHA1

      f01420e7dd677d50763c8344d33549076734682a

    • SHA256

      a94809a32eb1cee1f9490410fe9592790fe00802c620b1b881fb0c8815b1efba

    • SHA512

      a8d2650a9f7290ddaff5c0b1a842cfd4f473f91f23fc8d7f07294c528eb98cca63a48a5f5552c4bf33465f59b9f74fbc3c9d783064e927e8974ca316893c2bf1

    • SSDEEP

      384:A67eCgMkHDsar3lL9O65uJor+1kKQmQhVXZzyM9MpPYAhk5:AFla6/wmhrV2pL

    • Score

      10/10

    • Suspicious use of NtCreateUserProcessOtherParentProcess

    • Blocklisted process makes network request

    • Downloads MZ/PE file

    • Drops file in Drivers directory

    • Stops running service(s)

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Adds Run key to start application

    • Legitimate hosting services abused for malware hosting/C2

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks