Analysis
-
max time kernel
1801s
-
max time network
1568s
-
platform
windows7_x64
-
resource
win7-20231020-en
-
resource tags
arch:x64 arch:x86 image:win7-20231020-en locale:en-us os:windows7-x64 system
-
submitted
29-10-2023 04:38
Static task
static1
Behavioral task
behavioral1
Sample
Anarchy Panel 4.7_adrikadi.exe
Resource
win7-20231020-en
Behavioral task
behavioral2
Sample
Anarchy Panel 4.7_adrikadi.exe
Resource
win10v2004-20231020-en
General
-
Target
Anarchy Panel 4.7_adrikadi.exe
-
Size
55.6MB
-
MD5
208e9da0a6fc07ef32b2602540a72e4b
-
SHA1
556981b25572073b834341c26bc7f37ff38bf0b9
-
SHA256
ac74f6db722a46ef37291aa464e142b81d8c7de8627f64918d333b738af694c6
-
SHA512
ad4ce38a8daae3faffb71842c9d3bc9c99d1b3a99f1fda849b02590faac6e8502a936cea258b48bbcefec0e5aad1b59d1fc67ac6f92fe08ffebbe70dce4fccaf
-
SSDEEP
1572864:2lO9lNd+eRHp2VataXzcSEXLPPv7QLSNLF:2E9lnBRHpXYzcSoLPPELSNLF
Malware Config
Signatures
-
Detect ZGRat V1 3 IoCs
Processes:
resource | yara_rule
C:\Users\Admin\AppData\Local\Temp\Anarchy Panel.exe | family_zgrat_v1
C:\Users\Admin\AppData\Local\Temp\Anarchy Panel.exe | family_zgrat_v1
behavioral1/memory/2928-94-0x0000000000C10000-0x00000000042AE000-memory.dmp | family_zgrat_v1
-
Async RAT payload 3 IoCs
Processes:
resource | yara_rule
C:\Users\Admin\AppData\Local\Temp\Anarchy Panel.exe | asyncrat
C:\Users\Admin\AppData\Local\Temp\Anarchy Panel.exe | asyncrat
behavioral1/memory/2928-94-0x0000000000C10000-0x00000000042AE000-memory.dmp | asyncrat
-
.NET Reactor protector 3 IoCs
Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.
Processes:
resource | yara_rule
C:\Users\Admin\AppData\Local\Temp\Anarchy Panel.exe | net_reactor
C:\Users\Admin\AppData\Local\Temp\Anarchy Panel.exe | net_reactor
behavioral1/memory/2928-94-0x0000000000C10000-0x00000000042AE000-memory.dmp | net_reactor
-
Drops startup file 2 IoCs
Processes:
description | ioc | process
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe | svchost.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe | svchost.exe
-
Executes dropped EXE 3 IoCs
Processes:
pid | process
2744 | svchost.exe
2588 | svchost.exe
2928 | Anarchy Panel.exe
-
Loads dropped DLL 5 IoCs
Processes:
pid | process
2432 | Anarchy Panel 4.7_adrikadi.exe (4 occurrences)
2928 | Anarchy Panel.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Modifies Internet Explorer settings 1 IoCs
Processes:
description | ioc | process
Key created | \REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Internet Explorer\Main | Anarchy Panel 4.7_adrikadi.exe
-
Modifies registry class 29 IoCs
All 29 entries were written by Anarchy Panel.exe. They are ShellBag view-state keys (BagMRU and Bags\...\ComDlg), which Windows writes whenever a process shows a common file dialog, so on their own they are low-signal. Path abbreviations used below:
SHELL = \REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell
VIEW = SHELL\Bags\AllFolders\ComDlg\{FBB3477E-C9E4-4B3B-A2BA-D3F5D3CD46F9}\{82BA0782-5B7A-4569-B5D7-EC83085F08CC}
Processes:
description | ioc | process
Set value (int) | VIEW\FFlags = "1" | Anarchy Panel.exe
Set value (data) | SHELL\BagMRU\NodeSlots = 020202020202020202 | Anarchy Panel.exe
Set value (data) | SHELL\BagMRU\0\0\MRUListEx = ffffffff | Anarchy Panel.exe
Set value (int) | VIEW\Mode = "4" | Anarchy Panel.exe
Set value (data) | SHELL\BagMRU\0\MRUListEx = 00000000ffffffff | Anarchy Panel.exe
Key created | SHELL\Bags | Anarchy Panel.exe
Set value (data) | VIEW\Sort = 000000000000000000000000000000000200000030f125b7ef471a10a5f102608c9eebac0a0000000100000030f125b7ef471a10a5f102608c9eebac0e000000ffffffff | Anarchy Panel.exe
Key created | SHELL\Bags\9\ComDlg | Anarchy Panel.exe
Set value (data) | VIEW\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000007800000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000 | Anarchy Panel.exe
Key created | SHELL | Anarchy Panel.exe
Set value (str) | SHELL\Bags\9\ComDlg\TV_TopViewID = "{82BA0782-5B7A-4569-B5D7-EC83085F08CC}" | Anarchy Panel.exe
Set value (int) | VIEW\FFlags = "1092616257" | Anarchy Panel.exe
Set value (int) | VIEW\IconSize = "16" | Anarchy Panel.exe
Key created | SHELL\BagMRU\0 | Anarchy Panel.exe
Set value (data) | SHELL\BagMRU\MRUListEx = 0000000001000000ffffffff | Anarchy Panel.exe
Set value (str) | SHELL\Bags\9\ComDlg\TV_FolderType = "{FBB3477E-C9E4-4B3B-A2BA-D3F5D3CD46F9}" | Anarchy Panel.exe
Key created | SHELL\Bags\AllFolders\ComDlg | Anarchy Panel.exe
Key created | \REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000_Classes\Local Settings | Anarchy Panel.exe
Set value (data) | SHELL\BagMRU\0\0 = 9e0000001a00eebbfe23000010007db10d7bd29c934a973346cc89022e7c00002a0000000000efbe000000200000000000000000000000000000000000000000000000000100000020002a0000000000efbe7e47b3fbe4c93b4ba2bad3f5d3cd46f98207ba827a5b6945b5d7ec83085f08cc20002a0000000000efbe000000200000000000000000000000000000000000000000000000000100000020000000 | Anarchy Panel.exe
Key created | SHELL\BagMRU\0\0 | Anarchy Panel.exe
Set value (data) | SHELL\BagMRU\NodeSlots = 0202020202020202 | Anarchy Panel.exe
Key created | SHELL\Bags\9 | Anarchy Panel.exe
Key created | VIEW | Anarchy Panel.exe
Key created | SHELL\Bags\AllFolders | Anarchy Panel.exe
Key created | SHELL\Bags\AllFolders\ComDlg\{FBB3477E-C9E4-4B3B-A2BA-D3F5D3CD46F9} | Anarchy Panel.exe
Set value (int) | VIEW\LogicalViewMode = "1" | Anarchy Panel.exe
Key created | SHELL\BagMRU | Anarchy Panel.exe
Set value (int) | SHELL\BagMRU\0\0\NodeSlot = "9" | Anarchy Panel.exe
Set value (int) | SHELL\Bags\9\ComDlg\TV_TopViewVersion = "0" | Anarchy Panel.exe
-
Suspicious behavior: EnumeratesProcesses 10 IoCs
Processes:
pid | process
2928 | Anarchy Panel.exe (10 occurrences)
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
pid | process
2928 | Anarchy Panel.exe
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
description | pid | process
Token: SeDebugPrivilege | 2928 | Anarchy Panel.exe
-
Suspicious use of FindShellTrayWindow 1 IoCs
Processes:
pid | process
2928 | Anarchy Panel.exe
-
Suspicious use of SendNotifyMessage 1 IoCs
Processes:
pid | process
2928 | Anarchy Panel.exe
-
Suspicious use of SetWindowsHookEx 3 IoCs
Processes:
pid | process
2432 | Anarchy Panel 4.7_adrikadi.exe (2 occurrences)
2928 | Anarchy Panel.exe
-
Suspicious use of WriteProcessMemory 4 IoCs
Processes:
description | pid | process | target process
PID 2432 wrote to memory of 2744 | 2432 | Anarchy Panel 4.7_adrikadi.exe | svchost.exe (4 occurrences)
Processes
Indentation follows the report's depth markers (1⤵ = root, 2⤵ = child of the entry above).
-
C:\Users\Admin\AppData\Local\Temp\Anarchy Panel 4.7_adrikadi.exe
"C:\Users\Admin\AppData\Local\Temp\Anarchy Panel 4.7_adrikadi.exe"
PID: 2432
- Loads dropped DLL
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\svchost.exe
    "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
    PID: 2744 (child of 2432)
    - Drops startup file
    - Executes dropped EXE
-
C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
PID: 1972
-
C:\Users\Admin\AppData\Local\Temp\svchost.exe
"C:\Users\Admin\AppData\Local\Temp\svchost.exe"
PID: 2588
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\Anarchy Panel.exe
"C:\Users\Admin\AppData\Local\Temp\Anarchy Panel.exe"
PID: 2928
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
PID: 2888
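The report's most actionable indicators are the dropped svchost.exe written to the user's Startup folder, the svchost.exe spawned from %TEMP% by the sample (PID 2432 -> 2744), and the file hashes listed under General and Downloads. The script below is an added example, not code from the report or from the sandbox vendor: it turns those indicators into host-side checks. The hashes and paths are copied from the report; the host observations fed to the functions are constructed for the demonstration, and pairing the 9KB dropped-file hash with the Startup-folder svchost.exe is an assumption (the report does not say which dropped file is svchost.exe). The "svchost.exe should be a child of services.exe" rule is a general heuristic, not something the report states.

```python
"""IoC hunting helpers derived from this sandbox report.

Added example; not code from the report or the sandbox vendor. Hashes and
paths come from the report; the observations below are constructed, and the
hash/path pairing is an assumption.
"""
from dataclasses import dataclass
from pathlib import PureWindowsPath

# SHA-256 values listed in the report (submitted sample + dropped files).
REPORTED_SHA256 = {
    "ac74f6db722a46ef37291aa464e142b81d8c7de8627f64918d333b738af694c6":
        "Anarchy Panel 4.7_adrikadi.exe (submitted sample, 55.6MB)",
    "50c2dba1d961e09cb8df397b71bd3b6a32d0ee6dbe886e7309305dc4ba968f94":
        "dropped file (54.6MB)",
    "9309fb2a3f326d0f2cc3f2ab837cfd02e4f8cb6b923b3b2be265591fd38f4961":
        "dropped file (1.7MB)",
    "58fa8679eb278c0fbe4b9348e61cd274234037af160878289a988260eaf6246e":
        "dropped file (9KB)",
    "49648bbe8ec16d572b125fff1f0e7faa19e1e8c315fd2a1055d6206860a960c9":
        "dropped file (3KB)",
}

# Where a genuine svchost.exe lives; anything else with that name is suspect.
LEGIT_SVCHOST_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}


@dataclass(frozen=True)
class FileObservation:
    path: str      # full Windows path as seen on the host
    sha256: str    # hex digest of the file's contents


@dataclass(frozen=True)
class ProcessObservation:
    pid: int
    image: str          # full path of the running executable
    parent_image: str   # full path of the parent's executable


def check_file(obs: FileObservation) -> list[str]:
    """Return the reasons a file observation matches this report's IoCs."""
    findings = []
    p = PureWindowsPath(obs.path)
    parts = [s.lower() for s in p.parts]
    digest = obs.sha256.lower()

    if digest in REPORTED_SHA256:
        findings.append("hash match: " + REPORTED_SHA256[digest])
    # Name masquerading: svchost.exe outside System32/SysWOW64.
    if p.name.lower() == "svchost.exe" and str(p.parent).lower() not in LEGIT_SVCHOST_DIRS:
        findings.append("svchost.exe outside System32/SysWOW64")
    # Persistence location used by the dropped svchost.exe ("Drops startup file").
    if "startup" in parts and "programs" in parts and p.suffix.lower() == ".exe":
        findings.append("executable in user Startup folder")
    return findings


def check_process(obs: ProcessObservation) -> list[str]:
    """Return the reasons a process observation resembles the report's tree."""
    findings = []
    image = PureWindowsPath(obs.image)
    parent = PureWindowsPath(obs.parent_image)

    # Heuristic (assumption): a real svchost.exe is started by services.exe.
    if image.name.lower() == "svchost.exe" and parent.name.lower() != "services.exe":
        findings.append(f"svchost.exe spawned by {parent.name} (expected services.exe)")
    # The dropper and its children ran from %TEMP% in the sandbox.
    if str(image.parent).lower().endswith(r"\appdata\local\temp"):
        findings.append("executable running from %TEMP%")
    return findings


def triage(files, procs):
    """Collect findings keyed by file path or by PID; empty result means clean."""
    report = {}
    for f in files:
        if hits := check_file(f):
            report[f.path] = hits
    for pr in procs:
        if hits := check_process(pr):
            report[pr.pid] = hits
    return report


if __name__ == "__main__":
    # Constructed host observations mirroring the report's process tree.
    files = [
        FileObservation(r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe",
                        "58fa8679eb278c0fbe4b9348e61cd274234037af160878289a988260eaf6246e"),
        FileObservation(r"C:\Windows\System32\svchost.exe", "0" * 64),  # benign control
    ]
    procs = [
        ProcessObservation(2744, r"C:\Users\Admin\AppData\Local\Temp\svchost.exe",
                           r"C:\Users\Admin\AppData\Local\Temp\Anarchy Panel 4.7_adrikadi.exe"),
    ]
    for key, hits in triage(files, procs).items():
        print(key, "->", "; ".join(hits))
```

On a real host, feed check_file with paths and digests from a directory walk of the Startup and %TEMP% folders, and check_process with parent/child image paths from your EDR or from Sysmon Event ID 1. The path-based rules fire independently of the hash rule, so a rebuilt payload with different hashes is still caught by its location and parentage.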
Network
MITRE ATT&CK Enterprise v15
Downloads
The report lists each dropped file once per path it was written to; the paths were not captured, so identical entries are collapsed here with their occurrence count.
-
Filesize 54.6MB (2 occurrences)
MD5 94bac1a0cc0dbac256f0d3b4c90648c2
SHA1 4abcb8a31881e88322f6a37cbb24a14a80c6eef2
SHA256 50c2dba1d961e09cb8df397b71bd3b6a32d0ee6dbe886e7309305dc4ba968f94
SHA512 30ecee38d5d641abaf73e09a23c614cb3b8b84aa1f8ff1818e92c1f2b51bf6841d3e51564aecb5efd01a3d98db88f0938e7dd4ee9c74ca5477785c33c969ffd9
-
Filesize 3KB (1 occurrence)
MD5 3d441f780367944d267e359e4786facd
SHA1 d3a4ba9ffc555bbc66207dfdaf3b2d569371f7b5
SHA256 49648bbe8ec16d572b125fff1f0e7faa19e1e8c315fd2a1055d6206860a960c9
SHA512 5f17ec093cdce3dbe2cb62fec264b3285aabe7352c1d65ec069ffbc8a17a9b684850fe38c1ffd8b0932199c820881d255c8d1e6000cbbe85587c98e88c9acb90
-
Filesize 9KB (8 occurrences)
MD5 f83c1904404d2b40622d28a5c05420f9
SHA1 87c629c25b2be94ff603fd4b5e1934541006cc44
SHA256 58fa8679eb278c0fbe4b9348e61cd274234037af160878289a988260eaf6246e
SHA512 cb8dedaa9510e466a6babb984913130271baaccc68ccb432e6318e0791547eb6d54d3b61103b9ab39a530d15e6187a580062fe9e5c1442df5d976ee7850448a3
-
Filesize 1.7MB (1 occurrence)
MD5 56a504a34d2cfbfc7eaa2b68e34af8ad
SHA1 426b48b0f3b691e3bb29f465aed9b936f29fc8cc
SHA256 9309fb2a3f326d0f2cc3f2ab837cfd02e4f8cb6b923b3b2be265591fd38f4961
SHA512 170c3645083d869e2368ee16325d7edaeba2d8f1d3d4a6a1054cfdd8616e03073772eeae30c8f79a93173825f83891e7b0e4fd89ef416808359f715a641747d7