a7ba5f8d3e9e8affa35bac6ec34df381c6095976694d4460a8389d52c964f33c

Resubmissions

28-02-2024 13:15

240228-qg979acd7v 7

28-02-2024 11:41

240228-nttpxsag3v 7

28-02-2024 10:38

240228-mplyvahe97 7

Analysis

max time kernel
141s
max time network
197s
platform
windows10-1703_x64
resource
win10-20240221-en
resource tags

arch:x64arch:x86image:win10-20240221-enlocale:en-usos:windows10-1703-x64system
submitted
28-02-2024 11:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

anylogic-ple-8.8.6.x86_64.exe
Size

954.8MB
MD5

bd62e8d27b2ef5be3d66a3cd2f98e238
SHA1

bd1d99cade68f9a0a231c9777e71f2854da7306d
SHA256

a7ba5f8d3e9e8affa35bac6ec34df381c6095976694d4460a8389d52c964f33c
SHA512

d39722af95a75999281382d7a5a257af4e023ead694d3abf4d798a9485ab5eb1f375574ee6960ddcf014342bdc58a3cb473af63ad863730b6e5440bad9a8365c
SSDEEP

25165824:9FYcX6RPsmdzSpOmE3pRJHAUSI1OuVivAbt:zlqREmdzS4mE3pvB31OCivAbt

Score

4^/10

Malware Config

Signatures

Loads dropped DLL 4 IoCs

pid	Process
2232	anylogic-ple-8.8.6.x86_64.exe
2232	anylogic-ple-8.8.6.x86_64.exe
2232	anylogic-ple-8.8.6.x86_64.exe
2232	anylogic-ple-8.8.6.x86_64.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates processes with tasklist 1 TTPs 1 IoCs

Process Discovery

T1057

pid	Process
60	tasklist.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	60	tasklist.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 2232 wrote to memory of 4008	2232	anylogic-ple-8.8.6.x86_64.exe	72
PID 2232 wrote to memory of 4008	2232	anylogic-ple-8.8.6.x86_64.exe	72
PID 2232 wrote to memory of 4008	2232	anylogic-ple-8.8.6.x86_64.exe	72
PID 4008 wrote to memory of 2940	4008	cmd.exe	74
PID 4008 wrote to memory of 2940	4008	cmd.exe	74
PID 4008 wrote to memory of 2940	4008	cmd.exe	74
PID 2232 wrote to memory of 1832	2232	anylogic-ple-8.8.6.x86_64.exe	75
PID 2232 wrote to memory of 1832	2232	anylogic-ple-8.8.6.x86_64.exe	75
PID 2232 wrote to memory of 1832	2232	anylogic-ple-8.8.6.x86_64.exe	75
PID 1832 wrote to memory of 60	1832	cmd.exe	77
PID 1832 wrote to memory of 60	1832	cmd.exe	77
PID 1832 wrote to memory of 60	1832	cmd.exe	77
PID 1832 wrote to memory of 5100	1832	cmd.exe	78
PID 1832 wrote to memory of 5100	1832	cmd.exe	78
PID 1832 wrote to memory of 5100	1832	cmd.exe	78

C:\Users\Admin\AppData\Local\Temp\anylogic-ple-8.8.6.x86_64.exe
"C:\Users\Admin\AppData\Local\Temp\anylogic-ple-8.8.6.x86_64.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2232
- C:\Windows\SysWOW64\cmd.exe
  cmd /c findstr osgi.nl "C:\Users\Admin\.AnyLogicPLE\Config8.8\config.ini"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4008
- - C:\Windows\SysWOW64\findstr.exe
    findstr osgi.nl "C:\Users\Admin\.AnyLogicPLE\Config8.8\config.ini"
    3⤵
    PID:2940
- C:\Windows\SysWOW64\cmd.exe
  cmd /c tasklist | findstr -i AnyLogic.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1832
- - C:\Windows\SysWOW64\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:60
- - C:\Windows\SysWOW64\findstr.exe
    findstr -i AnyLogic.exe
    3⤵
    PID:5100

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Process Discovery

T1057

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\nsyD8A9.tmp\InstallOptions.dll

Filesize
15KB

MD5
ece25721125d55aa26cdfe019c871476

SHA1
b87685ae482553823bf95e73e790de48dc0c11ba

SHA256
c7fef6457989d97fecc0616a69947927da9d8c493f7905dc8475c748f044f3cf

SHA512
4e384735d03c943f5eb3396bb3a9cb42c9d8a5479fe2871de5b8bc18db4bbd6e2c5f8fd71b6840512a7249e12a1c63e0e760417e4baa3dc30f51375588410480

Download Submit
\Users\Admin\AppData\Local\Temp\nsyD8A9.tmp\System.dll

Filesize
12KB

MD5
cff85c549d536f651d4fb8387f1976f2

SHA1
d41ce3a5ff609df9cf5c7e207d3b59bf8a48530e

SHA256
8dc562cda7217a3a52db898243de3e2ed68b80e62ddcb8619545ed0b4e7f65a8

SHA512
531d6328daf3b86d85556016d299798fa06fefc81604185108a342d000e203094c8c12226a12bd6e1f89b0db501fb66f827b610d460b933bd4ab936ac2fd8a88

Download Submit
\Users\Admin\AppData\Local\Temp\nsyD8A9.tmp\nsExec.dll

Filesize
7KB

MD5
675c4948e1efc929edcabfe67148eddd

SHA1
f5bdd2c4329ed2732ecfe3423c3cc482606eb28e

SHA256
1076ca39c449ed1a968021b76ef31f22a5692dfafeea29460e8d970a63c59906

SHA512
61737021f86f54279d0a4e35db0d0808e9a55d89784a31d597f2e4b65b7bbeec99aa6c79d65258259130eeda2e5b2820f4f1247777a3010f2dc53e30c612a683

Download Submit