Analysis

  • max time kernel
    148s
  • max time network
    143s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    02-03-2024 20:26

General

  • Target
    Anatralier.exe
  • Size
    9.0MB
  • MD5
    eb6bf9e51ad5c49bb859084d2bbd22c7
  • SHA1
    091f384f04848762ff9cb469dbf41acb2c55b358
  • SHA256
    8a2f44ffda39d2e0fbd7b37f985e7d9681e323ba4f3b814b99ffb8ca9c2f53cb
  • SHA512
    b8cc769ceedfe6ca05ccd55ed92d9c9ed382b08be173e9f00d58c324c698c5d7049065c4c4e21454eb87dcbe6c839bacc809b4059b31cdede35beeff434488a5
  • SSDEEP
    196608:nPfPfPfP3PfPfPfP3PfPfPfP3PfPfPfPJP/9LDTbHfPzj/3//vrLvrvrPPLdIPH:e

Score
7/10

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 13 IoCs
  • Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

    Bootkits write to the MBR to gain persistence at a level below the operating system.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Delays execution with timeout.exe 4 IoCs
  • Kills process with taskkill 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 8 IoCs
  • Suspicious use of WriteProcessMemory 63 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Anatralier.exe
    "C:\Users\Admin\AppData\Local\Temp\Anatralier.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:2888
    • C:\Windows\system32\cmd.exe
      "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\B882.tmp\B883.bat C:\Users\Admin\AppData\Local\Temp\Anatralier.exe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3692
      • C:\Windows\system32\cscript.exe
        cscript prompt.vbs
        3⤵
          PID:4136
        • C:\Users\Admin\AppData\Local\Temp\B882.tmp\mbrwriter.exe
          mbrwriter.exe
          3⤵
          • Executes dropped EXE
          • Writes to the Master Boot Record (MBR)
          PID:1180
        • C:\Users\Admin\AppData\Local\Temp\B882.tmp\1.exe
          1.exe
          3⤵
          • Executes dropped EXE
          PID:3236
        • C:\Users\Admin\AppData\Local\Temp\B882.tmp\mlt.exe
          mlt.exe
          3⤵
          • Executes dropped EXE
          PID:4656
        • C:\Users\Admin\AppData\Local\Temp\B882.tmp\mousedraw.exe
          mousedraw.exe
          3⤵
          • Executes dropped EXE
          PID:3968
        • C:\Windows\system32\timeout.exe
          timeout 60
          3⤵
          • Delays execution with timeout.exe
          PID:4604
        • C:\Windows\system32\taskkill.exe
          taskkill /f /im 1.exe
          3⤵
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:4880
        • C:\Windows\system32\taskkill.exe
          taskkill /f /im mlt.exe
          3⤵
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:4176
        • C:\Users\Admin\AppData\Local\Temp\B882.tmp\ATohou.exe
          ATohou.exe
          3⤵
          • Executes dropped EXE
          PID:4012
        • C:\Users\Admin\AppData\Local\Temp\B882.tmp\circle.exe
          circle.exe
          3⤵
          • Executes dropped EXE
          PID:3684
        • C:\Windows\system32\timeout.exe
          timeout 30
          3⤵
          • Delays execution with timeout.exe
          PID:4780
        • C:\Windows\system32\taskkill.exe
          taskkill /f /im circle.exe
          3⤵
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:596
        • C:\Windows\system32\taskkill.exe
          taskkill /f /im ATohou.exe
          3⤵
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:4328
        • C:\Users\Admin\AppData\Local\Temp\B882.tmp\AWave.exe
          AWave.exe
          3⤵
          • Executes dropped EXE
          PID:4036
        • C:\Users\Admin\AppData\Local\Temp\B882.tmp\reds.exe
          reds.exe
          3⤵
          • Executes dropped EXE
          PID:2372
        • C:\Windows\system32\timeout.exe
          timeout 40
          3⤵
          • Delays execution with timeout.exe
          PID:4576
        • C:\Windows\system32\taskkill.exe
          taskkill /f /im AWave.exe
          3⤵
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:1296
        • C:\Windows\system32\taskkill.exe
          taskkill /f /im reds.exe
          3⤵
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:3316
        • C:\Users\Admin\AppData\Local\Temp\B882.tmp\bytebeat.exe
          bytebeat.exe
          3⤵
          • Executes dropped EXE
          PID:488
        • C:\Users\Admin\AppData\Local\Temp\B882.tmp\cubes.exe
          cubes.exe
          3⤵
          • Executes dropped EXE
          PID:4176
        • C:\Users\Admin\AppData\Local\Temp\B882.tmp\scl.exe
          scl.exe
          3⤵
          • Executes dropped EXE
          PID:4452
        • C:\Users\Admin\AppData\Local\Temp\B882.tmp\PatBlt3.exe
          PatBlt3.exe
          3⤵
          • Executes dropped EXE
          PID:560
        • C:\Users\Admin\AppData\Local\Temp\B882.tmp\txtout2.exe
          txtout2.exe
          3⤵
          • Executes dropped EXE
          PID:3492
        • C:\Windows\system32\timeout.exe
          timeout 60
          3⤵
          • Delays execution with timeout.exe
          PID:4860
    • C:\Windows\system32\AUDIODG.EXE
      C:\Windows\system32\AUDIODG.EXE 0x2ec 0x3a0
      1⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:4460
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4084 --field-trial-handle=2432,i,12161922670941700748,3348345705955601576,262144 --variations-seed-version /prefetch:8
      1⤵
        PID:772

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\B882.tmp\1.exe
    Filesize: 11KB
    MD5: a14ba46ecdc37d9e73efd734b0ab4db9
    SHA1: 9e72f4b89d2643110b2e3efc80c14222a5e00014
    SHA256: 94aa578b5c5fe98f2f8e81705fff8addab6f2f4c2749778ef942b1cfab5b6aa8
    SHA512: 432bbda373fb97bef1a1a8a7292eb85f70cb7866741bf000d5775a6a9a261124ab24b3e053a6f4726a5b3e48d5c5de4f86deb24ea25265dd0945b9740156268b

  • C:\Users\Admin\AppData\Local\Temp\B882.tmp\1.wav
    Filesize: 937KB
    MD5: 8c5007acc14fc8fd7aa7dc659e30ebb5
    SHA1: 91025f286d71dd7821989c24f752369c360386ba
    SHA256: bcfd13d3f19003f29e2ebf48a696972a427ba53c7d93f59340431d00e550c30e
    SHA512: 0cb8a6e4760410a4f739f32339a8ee85fc7e41099eba204d255bda5e9497ab584b1483115617c946dcbe7c8ba8c3d0763d81d29cbaf70812213f9ad17d974188

  • C:\Users\Admin\AppData\Local\Temp\B882.tmp\ATohou.exe
    Filesize: 11KB
    MD5: d7064aa7ee28f685757e7455d4e49c6a
    SHA1: 535d326ab1453bed0c050c8822aee9ef54c8b26e
    SHA256: 5028f3b3e63609038404bf6e3c2dbc360892312d85aa11e83489f381f09fb99b
    SHA512: 2a0747087ea14c664688d3453be8f40d396ca916143f0473eb1739fbe5cf1f19a451359d1e8713fe19b3bdda21eaea20a8294b23c0d99dd793818e85b83c28f8

  • C:\Users\Admin\AppData\Local\Temp\B882.tmp\ATohou.wav
    Filesize: 937KB
    MD5: 69b31b718e20cc6723c4a816c2aceeb0
    SHA1: 3a3213accba0d99792703b77da74ecd2a2b8510c
    SHA256: 9a517e95d9ad086fa73e5ab81bc26e6750e80c42ddb574ed51bedb97a9557c58
    SHA512: 4c918a7d24e20fe60026576aafb625431a36bc4b83dc4c00d30859b0b40ca561046453b0a9c89a92a36dd733ffe3a17214d44653c6c39ef2f5e908ac4227f9ae

  • C:\Users\Admin\AppData\Local\Temp\B882.tmp\AWave.exe
    Filesize: 11KB
    MD5: 9cbf1f1e4821fa5b8962423c9b2ecf24
    SHA1: 7f3fd62332d10cfdb0be3452a71cd6df2d7c0602
    SHA256: afcb1f5e73785c0c5952394ca69986e9b9e86cc5fb0a4de4684903a03d9859a4
    SHA512: bee905b459259801185c55e25f8e70fa563ea8ecaa0ad300aea0379500fe683d6bc370ae3d7a0d53898443faf150a1081f23146c8e32deb6961fe955aa0003c8

  • C:\Users\Admin\AppData\Local\Temp\B882.tmp\AWave.wav
    Filesize: 937KB
    MD5: e62fbfae11374ec4a953725d0cee01be
    SHA1: 82e6be96bf64ee283ac3c6e8ca60acf4c8a47100
    SHA256: 5dd0971a53b93394df0eba4bf8f4aa845a73c1306fe4fc0c130891fc8380838f
    SHA512: 74be448a3ec8746bf157e8e7e964c62914b24a618f339698cb4ad67803470d89563079e628b1f6243f0200a6d051bcfdc089a1ee177be23eca04ce00fa8df8fd

  • C:\Users\Admin\AppData\Local\Temp\B882.tmp\B883.bat
    Filesize: 873B
    MD5: 9bbf761a8af3bc468e81625de8a66776
    SHA1: af48afce2581501b5f8a1b949fe6f12145256653
    SHA256: e0392f29af97bada38428aff5574776a44cb757c6ef8a7cfe9c93b86e8d61d5c
    SHA512: cce724b5ede94b729767b449b29082399b8d041e5fb51b75164807ae0d249eac0fb17aaec43e0077493ee8b5c03b6d9f89f050e063c8b0009fa7beefdb329e66

  • C:\Users\Admin\AppData\Local\Temp\B882.tmp\PatBlt3.exe
    Filesize: 104KB
    MD5: 08e74e5f077f0337d0c0d15dde94f8be
    SHA1: d5ba49b2ddfe50ea4b214e0f447cbed7fb949279
    SHA256: b41d36f67e147133f8c3aa054b52275f68d7e2735a65eb3abcdcd08bede1100b
    SHA512: f102a81b56c053a7c492a0459f9e7410346949074fc68e733ae9174651bb0265266560526782fe1e95cb2769f54fca3071f56839126d9fc8d7266828b9228fa1

  • C:\Users\Admin\AppData\Local\Temp\B882.tmp\bytebeat.exe
    Filesize: 102KB
    MD5: 6dba963d56ae1fcdfd6e840a52416801
    SHA1: 5ad332cce4c7556cc0aa72b9d5792f42e3873b3b
    SHA256: eb3940fb1f2a0b16f5e58c7f4b707fb26b6ee08ebe7f5c43b9c02fcf02fe4506
    SHA512: c0ab4d15323aad3f35f82f90e55798a235f8c41fb84308f76566bd758c9a649031c11610af13bea472cf787ed18d53e6e61962ee41ad97854e028bbb47fc4edc

  • C:\Users\Admin\AppData\Local\Temp\B882.tmp\bytebeat.wav
    Filesize: 2.5MB
    MD5: 29172c1ae05949d3b9e0f1ad6df73da4
    SHA1: 73dfddb924eb3d0cf3b224e3617b3b249882a6e4
    SHA256: 4d4900dcb852b2fe933abf00eba70f1c1ab3f0d9d479bb7ec781dafcc7c0796e
    SHA512: cd51bcd0f9f711ce385934ecf9d483e2ba1e64295f1f1db70361911b0c518e4e197bdbabfc630fb4d18f7bd785058fe009ac326f927d8fb00afe06deeacde95f

  • C:\Users\Admin\AppData\Local\Temp\B882.tmp\circle.exe
    Filesize: 12KB
    MD5: ed169e40a69cf73fd3ac59215b24063f
    SHA1: 32d49462e74e6c08b941d8cd530a5f3c0f3b5764
    SHA256: b8ffde2fc69292ffa1a704a1cf977eedfc86277a61d4937245d218d22674178c
    SHA512: f949a7b9b5dae91f887e7ce9bb45f7500534873d3baab5f5c2b1c31b1e185e70278ceb9d4f03f495460e0fb96399239fa678b0b4750ee870cbaa6333ab5ebb6c

  • C:\Users\Admin\AppData\Local\Temp\B882.tmp\cubes.exe
    Filesize: 103KB
    MD5: ed695dac2b14ccad335e75f5ddd44139
    SHA1: 35f4fae272c9b8dc84ffdae9b4dbfa4ed32936eb
    SHA256: 2d3e7cdbf244704934afa447552c049a891a9ccbd6d4ab42ca2504ad0a99e803
    SHA512: a028c258cc65e208303f458279035d430f8447c6ca950d2de9c345aa7c2a13cff3a36fefdeb9305f8caaffc7da91fff91e05ef8e52b9d3672f7a71b49bbf47d5

  • C:\Users\Admin\AppData\Local\Temp\B882.tmp\mbrwriter.exe
    Filesize: 104KB
    MD5: e2b95fc712d453a57101f9867d384d2c
    SHA1: 993eb1acb51ad2ab2e280d3729a56817a3097085
    SHA256: e505465cef9e734ef29dd9803c848960a55dc6c35fa4bf8c275336d2119ddc62
    SHA512: 25a4b6cc6d8908933ef13737aabe0bd56c1356b5f98bfe3e09c6b92fb358a1a65e35549e2d624574fda23fc91731091f0a80eeb9dc5ca2c1d96ba9a88fd5f109

  • C:\Users\Admin\AppData\Local\Temp\B882.tmp\mlt.exe
    Filesize: 109KB
    MD5: bc183f5854488a0774969ec19b492153
    SHA1: 2e08a1bbf1b09d989f86b80ce5cdc4f22dc65ad5
    SHA256: 4b97506ae7118dea78e251492166888732815f5cdc90b9c56de2f9ee3862b20f
    SHA512: 25a0d999d5d620f48e8d4bc1cb59013ecb5d33250d72e23211e5348fb38573cb3ec82a8370547b59bde9c4d7e555ec7f1dd48c284eabf0f33b595e562f4d3780

  • C:\Users\Admin\AppData\Local\Temp\B882.tmp\mousedraw.exe
    Filesize: 104KB
    MD5: f7db0edd465e545dcd947f4beef32779
    SHA1: a02d2dcbe4ea1146b726a6191354340f8dd41f6a
    SHA256: 9bbce9c9e1b513084b8a206e935b2512a341fd81688e71735ef27511d0378d47
    SHA512: 6d40cf365a30277328f9103083e939ac8fedf860ffef6d0c5bd80d708e0f73d606f456d37aa1fa5e69964ac2e20c263fbaa755a9c28eff962395e3509a7a4e25

  • C:\Users\Admin\AppData\Local\Temp\B882.tmp\prompt.vbs
    Filesize: 153B
    MD5: 7d598596e9af07501ca9f98f5d32166e
    SHA1: 21c748745a9c2f98ee88cfeb9d3d0d77523a0aa0
    SHA256: 4f641829a7a076a5c5d77e4561779d62a3dded791fbf52e10bcbd0c3045ad402
    SHA512: a63cceb82d70810feaf94c85123f8f861f59b918b9168d43efb6ef2ba8e82ed410718d540a2fa0d74aecfd40dda1c23e25563c52fe69b80407c31a661b81a561

  • C:\Users\Admin\AppData\Local\Temp\B882.tmp\reds.exe
    Filesize: 106KB
    MD5: 8ae9221dcd3eb86c479ad3a272e47c4b
    SHA1: fd55b36bdebd91773a2a14636fef6738c5fe9d35
    SHA256: 4e46b8ffffd081aaeae5b5f21e8c1bc5c07eb6a16593c08b030c514cf55e8767
    SHA512: 1d482f7c13269cdd546eaad0b4af7bd6a0d524c0df93365440b823bc6a4eb49e84332c683318fcf200e3375b6536bcdddac0e14bd73fbdeb4874a69c8ea41c02

  • C:\Users\Admin\AppData\Local\Temp\B882.tmp\scl.exe
    Filesize: 14KB
    MD5: af4005307577b1e437aa4ca33e00ec4b
    SHA1: 05eaefaa7d511a8b0d9c7a0819a4f20b5ea7d206
    SHA256: 159c66ebe8ef08ca2a7502e76344bc0b8c1f9e51d7bed2bad1af164d7aa8a6f4
    SHA512: c27366274ac12e20c11350da2fb9e668b8592e31764c249aaa29df28e1115d215e7604327d2e81c83107e0f70eec7da1443814f3883dc004806e918d62e8dad4

  • C:\Users\Admin\AppData\Local\Temp\B882.tmp\txtout2.exe
    Filesize: 105KB
    MD5: 21d90b4350b6c69d01174240997806c3
    SHA1: ca6cdfe5f7f0a15ca177eabf7596d64bc284215c
    SHA256: ecadb0f872cf2c112620e0bfdb9f657dd5ac25188c762b2ed7261f9612163757
    SHA512: 1e8089c7c6f1660652b29ab5a5ccac7a51dfa5fa2e28144df5a196b232b4ac489d5eee7e873144365004b76995ce8315d29f7af5ffc90130b61c38a06f1966a7

  • memory/488-131-0x0000000000400000-0x000000000041D000-memory.dmp
    Filesize: 116KB
  • memory/560-134-0x0000000000400000-0x000000000041D000-memory.dmp
    Filesize: 116KB
  • memory/1180-56-0x0000000000400000-0x000000000041D000-memory.dmp
    Filesize: 116KB
  • memory/2372-104-0x0000000000400000-0x000000000041D000-memory.dmp
    Filesize: 116KB
  • memory/3236-61-0x0000000000400000-0x0000000000409000-memory.dmp
    Filesize: 36KB
  • memory/3492-135-0x0000000000400000-0x000000000041D000-memory.dmp
    Filesize: 116KB
  • memory/3684-88-0x0000000000400000-0x0000000000409000-memory.dmp
    Filesize: 36KB
  • memory/3968-63-0x0000000000400000-0x000000000041D000-memory.dmp
    Filesize: 116KB
  • memory/4012-87-0x0000000000400000-0x0000000000409000-memory.dmp
    Filesize: 36KB
  • memory/4036-103-0x0000000000400000-0x0000000000409000-memory.dmp
    Filesize: 36KB
  • memory/4176-132-0x0000000000400000-0x000000000041D000-memory.dmp
    Filesize: 116KB
  • memory/4452-133-0x0000000000400000-0x000000000040A000-memory.dmp
    Filesize: 40KB
  • memory/4656-62-0x0000000000400000-0x000000000041D000-memory.dmp
    Filesize: 116KB