Analysis
max time kernel: 48s
platform: windows11-21h2_x64
resource: win11-20240221-en
resource tags: arch:x64 arch:x86 image:win11-20240221-en locale:en-us os:windows11-21h2-x64 system
submitted: 03-03-2024 19:46
Static task
static1
General
Target: Anarchy Panel.7z
Size: 19.7MB
MD5: 3fc52bb07a3e9ad0dfb38bcc2f4eaa6b
SHA1: 58eccac9919f229b3f8e930b21ae16209eadb508
SHA256: eb4c36a5f908c12ef563dba166ec9634c49764a80b57f6825fe05bc75e95429f
SHA512: 5021a02fd59986433ee329ea74e2b2ffcf0a353b4143487fb9929958020203ecb18c3bd03725da7ce1e27c8d7fa352b6a9cc6a6a0885130df0062de6239a749b
SSDEEP: 393216:s01W4Py7vt5jw0UENxTJ8JAT9uvGy2bo8bHgV0VPGEVZZbAdrcwFvZrnaO:s0sDt6HEDyJABQT2TbAV0MEb2+yNH
Malware Config
Signatures
Contains code to disable Windows Defender (4 IoCs)
A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.
Processes:
  resource                                                                      yara_rule
  behavioral1/files/0x000100000002a7a0-44.dat                                   disable_win_def
  behavioral1/files/0x000100000002a7a0-45.dat                                   disable_win_def
  behavioral1/memory/4944-48-0x0000018905EC0000-0x0000018907486000-memory.dmp   disable_win_def
  behavioral1/files/0x000100000002a7a0-65.dat                                   disable_win_def
Identifies VirtualBox via ACPI registry values (likely anti-VM) (2 TTPs, 2 IoCs)
Processes: Anarchy.exe, Anarchy.exe
  description   ioc                                            Process
  Key opened    \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__    Anarchy.exe
  Key opened    \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__    Anarchy.exe
Checks BIOS information in registry (2 TTPs, 4 IoCs)
BIOS information is often read in order to detect sandboxing environments.
Processes: Anarchy.exe, Anarchy.exe
  description         ioc                                                              Process
  Key value queried   \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion   Anarchy.exe
  Key value queried   \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion    Anarchy.exe
  Key value queried   \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion   Anarchy.exe
  Key value queried   \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion    Anarchy.exe
Executes dropped EXE (2 IoCs)
Processes: Anarchy.exe, Anarchy.exe
  pid    Process
  4944   Anarchy.exe
  3948   Anarchy.exe
Loads dropped DLL (2 IoCs)
Processes: Anarchy.exe, Anarchy.exe
  pid    Process
  4944   Anarchy.exe
  3948   Anarchy.exe
Obfuscated with Agile.Net obfuscator (4 IoCs)
Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
Processes:
  resource                                                                      yara_rule
  behavioral1/files/0x000100000002a7a0-44.dat                                   agile_net
  behavioral1/files/0x000100000002a7a0-45.dat                                   agile_net
  behavioral1/memory/4944-48-0x0000018905EC0000-0x0000018907486000-memory.dmp   agile_net
  behavioral1/files/0x000100000002a7a0-65.dat                                   agile_net
Processes:
  resource                                                                      yara_rule
  behavioral1/files/0x000100000002a7b3-55.dat                                   themida
  behavioral1/files/0x000100000002a7b3-53.dat                                   themida
  behavioral1/memory/4944-57-0x00007FFBDD250000-0x00007FFBDDAAF000-memory.dmp   themida
  behavioral1/memory/4944-58-0x00007FFBDD250000-0x00007FFBDDAAF000-memory.dmp   themida
  behavioral1/memory/4944-61-0x00007FFBDD250000-0x00007FFBDDAAF000-memory.dmp   themida
  behavioral1/memory/4944-62-0x00007FFBDD250000-0x00007FFBDDAAF000-memory.dmp   themida
  behavioral1/files/0x000100000002a7b3-69.dat                                   themida
  behavioral1/files/0x000100000002a7b3-68.dat                                   themida
  behavioral1/memory/3948-70-0x00007FFBDD250000-0x00007FFBDDAAF000-memory.dmp   themida
  behavioral1/memory/3948-71-0x00007FFBDD250000-0x00007FFBDDAAF000-memory.dmp   themida
Checks whether UAC is enabled
Processes: Anarchy.exe, Anarchy.exe
  description         ioc                                                                          Process
  Key value queried   \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA   Anarchy.exe
  Key value queried   \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA   Anarchy.exe
Suspicious use of NtSetInformationThreadHideFromDebugger (2 IoCs)
Processes: Anarchy.exe, Anarchy.exe
  pid    Process
  4944   Anarchy.exe
  3948   Anarchy.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
Modifies registry class (1 IoCs)
Processes: cmd.exe
  description   ioc                                                                                Process
  Key created   \REGISTRY\USER\S-1-5-21-627134735-902745853-4257352768-1000_Classes\Local Settings   cmd.exe
Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
Processes: 7zFM.exe
  pid    Process
  4236   7zFM.exe
Suspicious use of AdjustPrivilegeToken (3 IoCs)
Processes: 7zFM.exe
  description                  pid    Process
  Token: SeRestorePrivilege    4236   7zFM.exe
  Token: 35                    4236   7zFM.exe
  Token: SeSecurityPrivilege   4236   7zFM.exe
Suspicious use of FindShellTrayWindow (2 IoCs)
Processes: 7zFM.exe
  pid    Process
  4236   7zFM.exe
  4236   7zFM.exe
Suspicious use of WriteProcessMemory (2 IoCs)
Processes: cmd.exe
  description                        pid    Process   procid_target
  PID 4812 wrote to memory of 4236   4812   cmd.exe   78
  PID 4812 wrote to memory of 4236   4812   cmd.exe   78
Processes
C:\Windows\system32\cmd.exe  (PID: 4812)
  Command: cmd /c "C:\Users\Admin\AppData\Local\Temp\Anarchy Panel.7z"
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  C:\Program Files\7-Zip\7zFM.exe  (PID: 4236, child of 4812)
    Command: "C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\Anarchy Panel.7z"
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
C:\Users\Admin\Desktop\Anarchy.exe  (PID: 4944)
  Command: "C:\Users\Admin\Desktop\Anarchy.exe"
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger
C:\Users\Admin\Desktop\Anarchy.exe  (PID: 3948)
  Command: "C:\Users\Admin\Desktop\Anarchy.exe"
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 640KB
  MD5: 9e8df5745d7cf3187f3481d59d0d94b1
  SHA1: 3d1ed4810091d0b737a94d8a9b710a1abc47ec33
  SHA256: 5996b5e78d56b9ff2271bf16d63b314c02593efc26a8df9910bbbd92e499f789
  SHA512: 0bf87fa8847fbc737750bc13f458b0f31c182d1e621b89259127d115ffd4da17d49f12ac934c6fd36f6cff997e1fc3a5af2c037863c694b5985061406919f0c3
Filesize: 607KB
  MD5: add3de4bbb2c9147585d6571080e528c
  SHA1: 29e094019578f72c88cffd8253207b895491ebea
  SHA256: 3aa02963c86a32acdeb1d9a1fac1b527d0eb900f1859b511134a4628a0a00d4e
  SHA512: 2d13322a16d2f742be92eaba63a686fa8d77301940c00005170edbbc319306ce82cf8a60a613615d4691afd5bd21b15df488fbf2c9792525b3841526c33ba19f
Filesize: 2.8MB
  MD5: da44a78b11bef9d2541c30ad371273eb
  SHA1: bff3a1b107e9b3cd2d0eb05b3f94eb02e6873a2d
  SHA256: 709f7e9345a236ebd3ac7388ab2c78646a9933e9a885dc32cc97abf5a1636673
  SHA512: 8b58e5cb551017042457e2168ff5f0ca41933162ab08d51b420e6c5df6e8e83bb674f97e87e387c4d0db23b100037731365057105e65b5661e24636670ae5ef0
Filesize: 2.3MB
  MD5: c106524f8971b480d29251f7ea5c5ef3
  SHA1: 292e1936353e79ac6897f5cd62c127de8ec7afb2
  SHA256: 32e9d2e6fb9b557e31f39c053e76db42344f21a090f1782bac8fcc32818fef78
  SHA512: 3c93b9cfa0f5b69455e0d586e82f3bc1cd8d4a1ae69cbd360173d028107f731dadfe0529a17cd84426fb5569c976cde9f8952645909a82e88dc4fae9b1b8e45a
Filesize: 2.7MB
  MD5: 27ce52d25c1d84a159d67c560cf427d0
  SHA1: 970c73b33379d894c3b33f41c0222bdef2895153
  SHA256: ddb232a5d71349b61aef95bfc9e9867a0e96a00c59b7cd113279632827eb8548
  SHA512: 99da1ae6066df1afc01f4122e9347e246d3820205df949cad08c8402397a06a4b40e0708e6abae70bd6065a80e1a62a26faaa9088245261da21a57d709d3f4ab
Filesize: 2.4MB
  MD5: c1fc960f7c2865e4ecd889350da57d19
  SHA1: f7a9a0df708be382796f19798bfef4a0b3b62202
  SHA256: 25dfbb4990a06252e70647a86e2ae89eb1a832bb55dc05f08c6c0e86d0e80be3
  SHA512: 0cd0a219b48358f39013fd020096bd199e6a99ada5ca6d73b1ba344e7fc61ae3704710f7301411a627d483f8bf81f9bef66c5e265f47320bfdfbbd1c8ded6270
Filesize: 10.4MB
  MD5: 9cd14f5045938ac68ffd3e0a5830b81b
  SHA1: d5fe0d8d5c3f06275e8c331886f5536c515c4701
  SHA256: aa46d9ab051dd19a4bbd71e1f5ed081e13ca68bb5fe9dd1e6a4771b5d28a85c6
  SHA512: 91b8531ebfba7ebe307e016071530dee19f91dfb928b02c7b536bf27622a0ddf83926cd220589162233a4f9ce79a76133b0a1c46a52ae4c28f19479c630691c8
Filesize: 530B
  MD5: c7a4606f8f222fc96e1e6b08c093794b
  SHA1: 2700b3727ab01d93e75e1e12f308dcaeb1d37dba
  SHA256: 32d656a69b19be98ae050512a4d0f49ebe21b6f7bb9c50130b7e952ea4f5239b
  SHA512: 7516375b47536a51ede8079d25760e0142ac93077326b6cc033fd6cb1676b65aec7edb3f702922506f2b6b18992cd219be01e7adbf70c6d13404adceb410472b