Analysis

  • max time kernel
    1801s
  • max time network
    1568s
  • platform
    windows7_x64
  • resource
    win7-20231020-en
  • resource tags
    arch:x64, arch:x86, image:win7-20231020-en, locale:en-us, os:windows7-x64, system
  • submitted
    29-10-2023 04:38

General

  • Target

    Anarchy Panel 4.7_adrikadi.exe

  • Size

    55.6MB

  • MD5

    208e9da0a6fc07ef32b2602540a72e4b

  • SHA1

    556981b25572073b834341c26bc7f37ff38bf0b9

  • SHA256

    ac74f6db722a46ef37291aa464e142b81d8c7de8627f64918d333b738af694c6

  • SHA512

    ad4ce38a8daae3faffb71842c9d3bc9c99d1b3a99f1fda849b02590faac6e8502a936cea258b48bbcefec0e5aad1b59d1fc67ac6f92fe08ffebbe70dce4fccaf

  • SSDEEP

    1572864:2lO9lNd+eRHp2VataXzcSEXLPPv7QLSNLF:2E9lnBRHpXYzcSoLPPELSNLF

Score
10/10

Malware Config

Signatures

  • AsyncRat

    AsyncRAT is a remote access tool, written in C#, designed to remotely monitor and control other computers.

  • Detect ZGRat V1 3 IoCs
  • ZGRat

    ZGRat is a remote access trojan written in C#.

  • Async RAT payload 3 IoCs
  • .NET Reactor protector 3 IoCs

    Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.

  • Drops startup file 2 IoCs
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 5 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies Internet Explorer settings 1 TTPs 1 IoCs
  • Modifies registry class 29 IoCs
  • Suspicious behavior: EnumeratesProcesses 10 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SendNotifyMessage 1 IoCs
  • Suspicious use of SetWindowsHookEx 3 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Anarchy Panel 4.7_adrikadi.exe
    "C:\Users\Admin\AppData\Local\Temp\Anarchy Panel 4.7_adrikadi.exe"
    1⤵
    • Loads dropped DLL
    • Modifies Internet Explorer settings
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2432
    • C:\Users\Admin\AppData\Local\Temp\svchost.exe
      "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
      2⤵
      • Drops startup file
      • Executes dropped EXE
      PID:2744
  • C:\Windows\explorer.exe
    "C:\Windows\explorer.exe"
    1⤵
    PID:1972
    • C:\Users\Admin\AppData\Local\Temp\svchost.exe
      "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
      1⤵
      • Executes dropped EXE
      PID:2588
    • C:\Users\Admin\AppData\Local\Temp\Anarchy Panel.exe
      "C:\Users\Admin\AppData\Local\Temp\Anarchy Panel.exe"
      1⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of SetWindowsHookEx
      PID:2928
    • C:\Windows\system32\wbem\WmiApSrv.exe
      C:\Windows\system32\wbem\WmiApSrv.exe
      1⤵
      PID:2888

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\Anarchy Panel.exe
    Filesize: 54.6MB
    MD5: 94bac1a0cc0dbac256f0d3b4c90648c2
    SHA1: 4abcb8a31881e88322f6a37cbb24a14a80c6eef2
    SHA256: 50c2dba1d961e09cb8df397b71bd3b6a32d0ee6dbe886e7309305dc4ba968f94
    SHA512: 30ecee38d5d641abaf73e09a23c614cb3b8b84aa1f8ff1818e92c1f2b51bf6841d3e51564aecb5efd01a3d98db88f0938e7dd4ee9c74ca5477785c33c969ffd9

  • C:\Users\Admin\AppData\Local\Temp\Anarchy Panel.exe.config
    Filesize: 3KB
    MD5: 3d441f780367944d267e359e4786facd
    SHA1: d3a4ba9ffc555bbc66207dfdaf3b2d569371f7b5
    SHA256: 49648bbe8ec16d572b125fff1f0e7faa19e1e8c315fd2a1055d6206860a960c9
    SHA512: 5f17ec093cdce3dbe2cb62fec264b3285aabe7352c1d65ec069ffbc8a17a9b684850fe38c1ffd8b0932199c820881d255c8d1e6000cbbe85587c98e88c9acb90

  • C:\Users\Admin\AppData\Local\Temp\svchost.exe
    Filesize: 9KB
    MD5: f83c1904404d2b40622d28a5c05420f9
    SHA1: 87c629c25b2be94ff603fd4b5e1934541006cc44
    SHA256: 58fa8679eb278c0fbe4b9348e61cd274234037af160878289a988260eaf6246e
    SHA512: cb8dedaa9510e466a6babb984913130271baaccc68ccb432e6318e0791547eb6d54d3b61103b9ab39a530d15e6187a580062fe9e5c1442df5d976ee7850448a3

  • \Users\Admin\AppData\Local\Temp\Costura\C5730A4C0FDD612A5678E51A536CE09E\64\sqlite.interop.dll
    Filesize: 1.7MB
    MD5: 56a504a34d2cfbfc7eaa2b68e34af8ad
    SHA1: 426b48b0f3b691e3bb29f465aed9b936f29fc8cc
    SHA256: 9309fb2a3f326d0f2cc3f2ab837cfd02e4f8cb6b923b3b2be265591fd38f4961
    SHA512: 170c3645083d869e2368ee16325d7edaeba2d8f1d3d4a6a1054cfdd8616e03073772eeae30c8f79a93173825f83891e7b0e4fd89ef416808359f715a641747d7

  • \Users\Admin\AppData\Local\Temp\svchost.exe
    Filesize: 9KB
    MD5: f83c1904404d2b40622d28a5c05420f9
    SHA1: 87c629c25b2be94ff603fd4b5e1934541006cc44
    SHA256: 58fa8679eb278c0fbe4b9348e61cd274234037af160878289a988260eaf6246e
    SHA512: cb8dedaa9510e466a6babb984913130271baaccc68ccb432e6318e0791547eb6d54d3b61103b9ab39a530d15e6187a580062fe9e5c1442df5d976ee7850448a3

  • memory/2588-89-0x000007FEF5E00000-0x000007FEF67EC000-memory.dmp (Filesize: 9.9MB)
  • memory/2744-87-0x000007FEF5E00000-0x000007FEF67EC000-memory.dmp (Filesize: 9.9MB)
  • memory/2744-86-0x000007FEF5E00000-0x000007FEF67EC000-memory.dmp (Filesize: 9.9MB)
  • memory/2744-84-0x0000000000A70000-0x0000000000A78000-memory.dmp (Filesize: 32KB)
  • memory/2928-106-0x000000001E790000-0x000000001E810000-memory.dmp (Filesize: 512KB)
  • memory/2928-114-0x000000001E790000-0x000000001E810000-memory.dmp (Filesize: 512KB)
  • memory/2928-96-0x00000000005A0000-0x00000000005A1000-memory.dmp (Filesize: 4KB)
  • memory/2928-94-0x0000000000C10000-0x00000000042AE000-memory.dmp (Filesize: 54.6MB)
  • memory/2928-101-0x000000001ED70000-0x000000001F358000-memory.dmp (Filesize: 5.9MB)
  • memory/2928-102-0x000000001F760000-0x000000001FB20000-memory.dmp (Filesize: 3.8MB)
  • memory/2928-104-0x000000001E790000-0x000000001E810000-memory.dmp (Filesize: 512KB)
  • memory/2928-103-0x000007FEF5E00000-0x000007FEF67EC000-memory.dmp (Filesize: 9.9MB)
  • memory/2928-105-0x000000001E790000-0x000000001E810000-memory.dmp (Filesize: 512KB)
  • memory/2928-107-0x000000001E790000-0x000000001E810000-memory.dmp (Filesize: 512KB)
  • memory/2928-93-0x000007FEF5E00000-0x000007FEF67EC000-memory.dmp (Filesize: 9.9MB)
  • memory/2928-108-0x000000001E790000-0x000000001E810000-memory.dmp (Filesize: 512KB)
  • memory/2928-109-0x000000001E790000-0x000000001E810000-memory.dmp (Filesize: 512KB)
  • memory/2928-110-0x000000001E790000-0x000000001E810000-memory.dmp (Filesize: 512KB)
  • memory/2928-111-0x000000001E790000-0x000000001E810000-memory.dmp (Filesize: 512KB)
  • memory/2928-112-0x000000001E790000-0x000000001E810000-memory.dmp (Filesize: 512KB)
  • memory/2928-113-0x00000000206F0000-0x0000000020942000-memory.dmp (Filesize: 2.3MB)
  • memory/2928-95-0x000000001E790000-0x000000001E810000-memory.dmp (Filesize: 512KB)
  • memory/2928-115-0x0000000023430000-0x000000002357E000-memory.dmp (Filesize: 1.3MB)
  • memory/2928-116-0x0000000020C40000-0x0000000020C54000-memory.dmp (Filesize: 80KB)
  • memory/2928-117-0x000000001E790000-0x000000001E810000-memory.dmp (Filesize: 512KB)
  • memory/2928-118-0x0000000023D90000-0x0000000024008000-memory.dmp (Filesize: 2.5MB)
  • memory/2928-126-0x000000001E790000-0x000000001E810000-memory.dmp (Filesize: 512KB)
  • memory/2928-129-0x000000001E790000-0x000000001E810000-memory.dmp (Filesize: 512KB)
  • memory/2928-130-0x000000001E790000-0x000000001E810000-memory.dmp (Filesize: 512KB)
  • memory/2928-131-0x000000001E790000-0x000000001E810000-memory.dmp (Filesize: 512KB)
  • memory/2928-132-0x000000001E790000-0x000000001E810000-memory.dmp (Filesize: 512KB)
  • memory/2928-133-0x000000001E790000-0x000000001E810000-memory.dmp (Filesize: 512KB)
  • memory/2928-134-0x000000001E790000-0x000000001E810000-memory.dmp (Filesize: 512KB)
  • memory/2928-135-0x000000001E790000-0x000000001E810000-memory.dmp (Filesize: 512KB)
  • memory/2928-136-0x000000001E790000-0x000000001E810000-memory.dmp (Filesize: 512KB)
  • memory/2928-137-0x00000000258F0000-0x0000000025A0E000-memory.dmp (Filesize: 1.1MB)
  • memory/2928-138-0x000000001E790000-0x000000001E810000-memory.dmp (Filesize: 512KB)
  • memory/2928-141-0x0000000027580000-0x0000000027581000-memory.dmp (Filesize: 4KB)
  • memory/2928-142-0x0000000028680000-0x0000000028690000-memory.dmp (Filesize: 64KB)
  • memory/2928-143-0x0000000027580000-0x0000000027581000-memory.dmp (Filesize: 4KB)