e07b72c28d281eaed3069b8fc550eec5bb8e5a14e71b7e5291e54194115296c2

General

Target

6b5f79860c70c89a19be367a9844faa7.exe
Size

227KB
MD5

6b5f79860c70c89a19be367a9844faa7
SHA1

134f325f9857648dc69accbf5ce5fe50b64b9b0b
SHA256

e07b72c28d281eaed3069b8fc550eec5bb8e5a14e71b7e5291e54194115296c2
SHA512

f9ae3ca5374b191d87794f94aedcb4cce81bb53293d679530b742ee0ad611d478c823e9170eead935cf3b4dd8ddf0e19949c8d6a3e405ec910a772cd49819d39
SSDEEP

6144:JDMIbfTqE3/tQf7cQTmAgc3De9/wVKlinRNW8Xogm7NdMi:ZXmCM5mAgcTYHibXoV7NB

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2192	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
2400	anokroxm.exe

Loads dropped DLL 4 IoCs

pid	Process
2192	cmd.exe
2192	cmd.exe
2400	anokroxm.exe
2400	anokroxm.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Kills process with taskkill 1 IoCs

evasion

pid	Process
1736	taskkill.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
2716	PING.EXE

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2400	anokroxm.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1736	taskkill.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
2400	anokroxm.exe
2400	anokroxm.exe
2400	anokroxm.exe

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
2400	anokroxm.exe
2400	anokroxm.exe
2400	anokroxm.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 2536 wrote to memory of 2192	2536	6b5f79860c70c89a19be367a9844faa7.exe	23
PID 2536 wrote to memory of 2192	2536	6b5f79860c70c89a19be367a9844faa7.exe	23
PID 2536 wrote to memory of 2192	2536	6b5f79860c70c89a19be367a9844faa7.exe	23
PID 2536 wrote to memory of 2192	2536	6b5f79860c70c89a19be367a9844faa7.exe	23
PID 2192 wrote to memory of 1736	2192	cmd.exe	20
PID 2192 wrote to memory of 1736	2192	cmd.exe	20
PID 2192 wrote to memory of 1736	2192	cmd.exe	20
PID 2192 wrote to memory of 1736	2192	cmd.exe	20
PID 2192 wrote to memory of 2716	2192	cmd.exe	22
PID 2192 wrote to memory of 2716	2192	cmd.exe	22
PID 2192 wrote to memory of 2716	2192	cmd.exe	22
PID 2192 wrote to memory of 2716	2192	cmd.exe	22
PID 2192 wrote to memory of 2400	2192	cmd.exe	33
PID 2192 wrote to memory of 2400	2192	cmd.exe	33
PID 2192 wrote to memory of 2400	2192	cmd.exe	33
PID 2192 wrote to memory of 2400	2192	cmd.exe	33

C:\Users\Admin\AppData\Local\Temp\6b5f79860c70c89a19be367a9844faa7.exe
"C:\Users\Admin\AppData\Local\Temp\6b5f79860c70c89a19be367a9844faa7.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2536
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c taskkill /f /pid 2536 & ping -n 3 127.1 & del /f /q "C:\Users\Admin\AppData\Local\Temp\6b5f79860c70c89a19be367a9844faa7.exe" & start C:\Users\Admin\AppData\Local\anokroxm.exe -f
  2⤵
  - Deletes itself
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2192
- - C:\Users\Admin\AppData\Local\anokroxm.exe
    C:\Users\Admin\AppData\Local\anokroxm.exe -f
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID:2400

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /pid 2536
1⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1736

C:\Windows\SysWOW64\PING.EXE
ping -n 3 127.1
1⤵
- Runs ping.exe
PID:2716

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Remote System Discovery

1

T1018

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\anokroxm.exe

Filesize
3KB

MD5
fcd92b06ffe93b6802b65e4c342ccd2c

SHA1
1ba4595268c28baa55827e549da404391196671e

SHA256
4350bfb9ca3878f8d58c21439e9b03ab83330228fef69dd4484ded6ca4cda4d7

SHA512
82dbb9bee3c2e917a5088d556034ae28e91d7d80c0e4994981c1d67c0e49dfef208309727084439967fd593b589817b2ca07e238e0ac9ea7a149c13a52c53626

Download Submit
\Users\Admin\AppData\Local\anokroxm.exe

Filesize
227KB

MD5
6b5f79860c70c89a19be367a9844faa7

SHA1
134f325f9857648dc69accbf5ce5fe50b64b9b0b

SHA256
e07b72c28d281eaed3069b8fc550eec5bb8e5a14e71b7e5291e54194115296c2

SHA512
f9ae3ca5374b191d87794f94aedcb4cce81bb53293d679530b742ee0ad611d478c823e9170eead935cf3b4dd8ddf0e19949c8d6a3e405ec910a772cd49819d39

Download Submit
memory/2400-19-0x0000000000380000-0x0000000000480000-memory.dmp

Filesize
1024KB

Download
memory/2400-17-0x0000000001000000-0x00000000010C7000-memory.dmp

Filesize
796KB

Download
memory/2400-27-0x0000000001000000-0x00000000010C7000-memory.dmp

Filesize
796KB

Download
memory/2400-11-0x0000000000380000-0x0000000000480000-memory.dmp

Filesize
1024KB

Download
memory/2400-26-0x0000000001000000-0x00000000010C7000-memory.dmp

Filesize
796KB

Download
memory/2400-12-0x0000000000230000-0x0000000000232000-memory.dmp

Filesize
8KB

Download
memory/2400-16-0x0000000001000000-0x00000000010C7000-memory.dmp

Filesize
796KB

Download
memory/2400-25-0x0000000001000000-0x00000000010C7000-memory.dmp

Filesize
796KB

Download
memory/2400-18-0x0000000001000000-0x00000000010C7000-memory.dmp

Filesize
796KB

Download
memory/2400-24-0x0000000001000000-0x00000000010C7000-memory.dmp

Filesize
796KB

Download
memory/2400-20-0x0000000000230000-0x0000000000232000-memory.dmp

Filesize
8KB

Download
memory/2400-21-0x0000000001000000-0x00000000010C7000-memory.dmp

Filesize
796KB

Download
memory/2400-23-0x0000000001000000-0x00000000010C7000-memory.dmp

Filesize
796KB

Download
memory/2536-5-0x0000000001000000-0x00000000010C7000-memory.dmp

Filesize
796KB

Download
memory/2536-2-0x0000000000460000-0x0000000000560000-memory.dmp

Filesize
1024KB

Download
memory/2536-1-0x0000000001000000-0x00000000010C7000-memory.dmp

Filesize
796KB

Download
memory/2536-3-0x0000000000240000-0x0000000000242000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing