be68c54bf25595d493a529c7f64ea38629b44f07c4551c208752b0b57060e2ae

Analysis

max time kernel
150s
max time network
157s
platform
windows10-2004_x64
resource
win10v2004-20240221-en
resource tags

arch:x64arch:x86image:win10v2004-20240221-enlocale:en-usos:windows10-2004-x64system
submitted
23-02-2024 22:07

Target

AnVir.exe
Size

5.8MB
MD5

3ce8da2131fc96c8c0cd6df7912b7e0b
SHA1

fbec5803a4f4a5bed388ff690188f7ff390da95f
SHA256

ed69abf519d588d32b4ce8563b42ffaaa9011f694d7c39c70de2271beb2ed90f
SHA512

1a07cb5f4bd6106428bfc2335d6bd67a7a6ad72a12fef840646cdc410544554f809e2113edde806193a5b5f2f39af363816d353dc541451cd8a964ceef09a3d3
SSDEEP

98304:/zTbq7FAtKFVkepYbRM2qAKziinEvYzkAhfZllc1Cnk5dYLyCfIX:7TUA8VXYtMxAKziXYzkAc

Score

3^/10

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 8 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{a203B11e-Ef@5-1@52-0364-c151f`6`85dA}	AnVir.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{a203B11e-Ef@5-1@52-0364-c151f`6`85dA}\ = "Processor.Helper"	AnVir.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{a203B11e-Ef@5-1@52-0364-c151f`6`85dA}\LocalServer32	AnVir.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{a203B11e-Ef@5-1@52-0364-c151f`6`85dA}\LocalServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\AnVir.exe"	AnVir.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{a203B11e-Ef@5-1@52-0364-c151f`6`85dA}\ProgID	AnVir.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{a203B11e-Ef@5-1@52-0364-c151f`6`85dA}\ProgID\ = "Processor.Helper.4"	AnVir.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{a203B11e-Ef@5-1@52-0364-c151f`6`85dA}\data1 = "718367534"	AnVir.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{a203B11e-Ef@5-1@52-0364-c151f`6`85dA}\data2 = "718367534"	AnVir.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Suspicious use of AdjustPrivilegeToken 10 IoCs

description	pid	Process
Token: SeBackupPrivilege	5016	AnVir.exe
Token: SeDebugPrivilege	5016	AnVir.exe
Token: SeLoadDriverPrivilege	5016	AnVir.exe
Token: SeSecurityPrivilege	5016	AnVir.exe
Token: 33	5016	AnVir.exe
Token: SeIncBasePriorityPrivilege	5016	AnVir.exe
Token: 33	5016	AnVir.exe
Token: SeIncBasePriorityPrivilege	5016	AnVir.exe
Token: 33	5016	AnVir.exe
Token: SeIncBasePriorityPrivilege	5016	AnVir.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Suspicious use of SendNotifyMessage 64 IoCs

Suspicious use of SetWindowsHookEx 5 IoCs

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

memory/5016-0-0x00000000027E0000-0x00000000027E1000-memory.dmp

Filesize
4KB

Download
memory/5016-6-0x00000000027E0000-0x00000000027E1000-memory.dmp

Filesize
4KB

Download