Malware Analysis Report

2024-11-30 19:21

Sample ID 240303-ygzqhsfa71
Target Anarchy Panel.7z
SHA256 eb4c36a5f908c12ef563dba166ec9634c49764a80b57f6825fe05bc75e95429f
Tags: agilenet evasion themida trojan
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
    Enterprise Matrix V15
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

Score: 10/10

SHA256: eb4c36a5f908c12ef563dba166ec9634c49764a80b57f6825fe05bc75e95429f

Threat Level: Known bad

The file Anarchy Panel.7z was found to be: Known bad.

Malicious Activity Summary

Tags: agilenet evasion themida trojan

Contains code to disable Windows Defender

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Executes dropped EXE

Checks BIOS information in registry

Obfuscated with Agile.Net obfuscator

Loads dropped DLL

Themida packer

Checks whether UAC is enabled

Suspicious use of NtSetInformationThreadHideFromDebugger

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Suspicious use of FindShellTrayWindow

Suspicious behavior: GetForegroundWindowSpam

Modifies registry class

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK (Enterprise Matrix V15)

Analysis: static1

Detonation Overview

Reported

2024-03-03 19:46

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-03-03 19:46

Reported

2024-03-03 19:47

Platform

win11-20240221-en

Max time (kernel)

48s

Command Line

cmd /c "C:\Users\Admin\AppData\Local\Temp\Anarchy Panel.7z"

Signatures

Contains code to disable Windows Defender

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A (4 entries, no details recorded)

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Tags: evasion
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\Desktop\Anarchy.exe | N/A
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\Desktop\Anarchy.exe | N/A

Checks BIOS information in registry

Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\Desktop\Anarchy.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\Desktop\Anarchy.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\Desktop\Anarchy.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\Desktop\Anarchy.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\Desktop\Anarchy.exe | N/A
N/A | N/A | C:\Users\Admin\Desktop\Anarchy.exe | N/A

Loads dropped DLL

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\Desktop\Anarchy.exe | N/A
N/A | N/A | C:\Users\Admin\Desktop\Anarchy.exe | N/A

Obfuscated with Agile.Net obfuscator

Tags: agilenet
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A (4 entries, no details recorded)

Themida packer

Tags: themida
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A (10 entries, no details recorded)

Checks whether UAC is enabled

Tags: evasion trojan
Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\Desktop\Anarchy.exe | N/A
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\Desktop\Anarchy.exe | N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\Desktop\Anarchy.exe | N/A
N/A | N/A | C:\Users\Admin\Desktop\Anarchy.exe | N/A

Enumerates physical storage devices

Modifies registry class

Description | Indicator | Process | Target
Key created | \REGISTRY\USER\S-1-5-21-627134735-902745853-4257352768-1000_Classes\Local Settings | C:\Windows\system32\cmd.exe | N/A

Suspicious behavior: GetForegroundWindowSpam

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeRestorePrivilege | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A
Token: 35 | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A

Suspicious use of FindShellTrayWindow

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A
N/A | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 4812 wrote to memory of 4236 | N/A | C:\Windows\system32\cmd.exe | C:\Program Files\7-Zip\7zFM.exe
PID 4812 wrote to memory of 4236 | N/A | C:\Windows\system32\cmd.exe | C:\Program Files\7-Zip\7zFM.exe

Processes

C:\Windows\system32\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\Anarchy Panel.7z"

C:\Program Files\7-Zip\7zFM.exe

"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\Anarchy Panel.7z"

C:\Users\Admin\Desktop\Anarchy.exe

"C:\Users\Admin\Desktop\Anarchy.exe"

C:\Users\Admin\Desktop\Anarchy.exe

"C:\Users\Admin\Desktop\Anarchy.exe"

Network

N/A

Files

C:\Users\Admin\Desktop\Anarchy.exe

MD5 27ce52d25c1d84a159d67c560cf427d0
SHA1 970c73b33379d894c3b33f41c0222bdef2895153
SHA256 ddb232a5d71349b61aef95bfc9e9867a0e96a00c59b7cd113279632827eb8548
SHA512 99da1ae6066df1afc01f4122e9347e246d3820205df949cad08c8402397a06a4b40e0708e6abae70bd6065a80e1a62a26faaa9088245261da21a57d709d3f4ab

C:\Users\Admin\Desktop\Anarchy.exe

MD5 c1fc960f7c2865e4ecd889350da57d19
SHA1 f7a9a0df708be382796f19798bfef4a0b3b62202
SHA256 25dfbb4990a06252e70647a86e2ae89eb1a832bb55dc05f08c6c0e86d0e80be3
SHA512 0cd0a219b48358f39013fd020096bd199e6a99ada5ca6d73b1ba344e7fc61ae3704710f7301411a627d483f8bf81f9bef66c5e265f47320bfdfbbd1c8ded6270

C:\Users\Admin\Desktop\Anarchy.exe.config

MD5 c7a4606f8f222fc96e1e6b08c093794b
SHA1 2700b3727ab01d93e75e1e12f308dcaeb1d37dba
SHA256 32d656a69b19be98ae050512a4d0f49ebe21b6f7bb9c50130b7e952ea4f5239b
SHA512 7516375b47536a51ede8079d25760e0142ac93077326b6cc033fd6cb1676b65aec7edb3f702922506f2b6b18992cd219be01e7adbf70c6d13404adceb410472b

memory/4944-47-0x00007FFBE0DE0000-0x00007FFBE18A2000-memory.dmp

memory/4944-48-0x0000018905EC0000-0x0000018907486000-memory.dmp

memory/4944-49-0x0000018921C60000-0x0000018921C70000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\f43b5528-ae0b-4a5f-b092-3abdd9d556d3\AgileDotNetRT64.dll

MD5 add3de4bbb2c9147585d6571080e528c
SHA1 29e094019578f72c88cffd8253207b895491ebea
SHA256 3aa02963c86a32acdeb1d9a1fac1b527d0eb900f1859b511134a4628a0a00d4e
SHA512 2d13322a16d2f742be92eaba63a686fa8d77301940c00005170edbbc319306ce82cf8a60a613615d4691afd5bd21b15df488fbf2c9792525b3841526c33ba19f

C:\Users\Admin\AppData\Local\Temp\f43b5528-ae0b-4a5f-b092-3abdd9d556d3\AgileDotNetRT64.dll

MD5 9e8df5745d7cf3187f3481d59d0d94b1
SHA1 3d1ed4810091d0b737a94d8a9b710a1abc47ec33
SHA256 5996b5e78d56b9ff2271bf16d63b314c02593efc26a8df9910bbbd92e499f789
SHA512 0bf87fa8847fbc737750bc13f458b0f31c182d1e621b89259127d115ffd4da17d49f12ac934c6fd36f6cff997e1fc3a5af2c037863c694b5985061406919f0c3

memory/4944-57-0x00007FFBDD250000-0x00007FFBDDAAF000-memory.dmp

memory/4944-59-0x00007FFC01BA0000-0x00007FFC01DA9000-memory.dmp

memory/4944-58-0x00007FFBDD250000-0x00007FFBDDAAF000-memory.dmp

memory/4944-60-0x00007FFBEDD30000-0x00007FFBEDE7F000-memory.dmp

memory/4944-61-0x00007FFBDD250000-0x00007FFBDDAAF000-memory.dmp

memory/4944-62-0x00007FFBDD250000-0x00007FFBDDAAF000-memory.dmp

memory/4944-63-0x00007FFBE0DE0000-0x00007FFBE18A2000-memory.dmp

memory/4944-64-0x00007FFC01BA0000-0x00007FFC01DA9000-memory.dmp

C:\Users\Admin\Desktop\Anarchy.exe

MD5 9cd14f5045938ac68ffd3e0a5830b81b
SHA1 d5fe0d8d5c3f06275e8c331886f5536c515c4701
SHA256 aa46d9ab051dd19a4bbd71e1f5ed081e13ca68bb5fe9dd1e6a4771b5d28a85c6
SHA512 91b8531ebfba7ebe307e016071530dee19f91dfb928b02c7b536bf27622a0ddf83926cd220589162233a4f9ce79a76133b0a1c46a52ae4c28f19479c630691c8

memory/3948-66-0x00007FFBE0DE0000-0x00007FFBE18A2000-memory.dmp

memory/3948-67-0x000001B77EBA0000-0x000001B77EBB0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\f43b5528-ae0b-4a5f-b092-3abdd9d556d3\AgileDotNetRT64.dll

MD5 c106524f8971b480d29251f7ea5c5ef3
SHA1 292e1936353e79ac6897f5cd62c127de8ec7afb2
SHA256 32e9d2e6fb9b557e31f39c053e76db42344f21a090f1782bac8fcc32818fef78
SHA512 3c93b9cfa0f5b69455e0d586e82f3bc1cd8d4a1ae69cbd360173d028107f731dadfe0529a17cd84426fb5569c976cde9f8952645909a82e88dc4fae9b1b8e45a

C:\Users\Admin\AppData\Local\Temp\f43b5528-ae0b-4a5f-b092-3abdd9d556d3\AgileDotNetRT64.dll

MD5 da44a78b11bef9d2541c30ad371273eb
SHA1 bff3a1b107e9b3cd2d0eb05b3f94eb02e6873a2d
SHA256 709f7e9345a236ebd3ac7388ab2c78646a9933e9a885dc32cc97abf5a1636673
SHA512 8b58e5cb551017042457e2168ff5f0ca41933162ab08d51b420e6c5df6e8e83bb674f97e87e387c4d0db23b100037731365057105e65b5661e24636670ae5ef0

memory/3948-70-0x00007FFBDD250000-0x00007FFBDDAAF000-memory.dmp

memory/3948-71-0x00007FFBDD250000-0x00007FFBDDAAF000-memory.dmp

memory/3948-72-0x00007FFC01BA0000-0x00007FFC01DA9000-memory.dmp

memory/3948-73-0x00007FFBEDD30000-0x00007FFBEDE7F000-memory.dmp