Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

3

Anarchy Loader.exe

windows10-2004-x64

Analysis

  • max time kernel
    43s
  • max time network
    47s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240426-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
  • submitted
    09/05/2024, 21:39

Sharing

Copy URL
Twitter E-mail

Errors

Reason
Machine shutdown
Report Analysis Logs

General

  • Target

    Anarchy Loader.exe

  • Size

    54.7MB

  • MD5

    5016491d1b400d431bf64bdfaa2402f2

  • SHA1

    87c7f677cdbebefdedc3d7d975c2bb4f7725412a

  • SHA256

    98b14faa7577d52999942de580275ecd78ef3f1e236ab52f646ceb562fce07ad

  • SHA512

    cad0fd505e07b81540408a71e311e2e23f305a7508859d411a7b1d8d1a90547c264da4cf25c39fb0a1f33070f51bfafb42265be64affe9c4f07e61c4411d98d6

  • SSDEEP

    1572864:r7s7RAkmum9Dio4y92UGp1DUMSoZ4XisCTK+OhiO0iQOCL:rI79hm9D54yAUs1DUBh3CTjOqiQO

Score
10/10
asyncratxwormzgratpersistencerattrojan

Malware Config

Extracted

Family

xworm

C2

209.25.141.181:31533

Attributes
  • Install_directory

    %Temp%

  • install_file

    INCCHECK.exe

Signatures

  • AsyncRat

    AsyncRAT is designed to remotely monitor and control other computers written in C#.

    ratasyncrat
  • Detect Xworm Payload 2 IoCs
  • Detect ZGRat V1 1 IoCs
  • Xworm

    Xworm is a remote access trojan written in C#.

    trojanratxworm
  • ZGRat

    ZGRat is remote access trojan written in C#.

    ratzgrat
  • .NET Reactor proctector 1 IoCs

    Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 2 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 1 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Delays execution with timeout.exe 1 IoCs
    evasion
  • Suspicious behavior: EnumeratesProcesses 25 IoCs
  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Suspicious use of FindShellTrayWindow 36 IoCs
  • Suspicious use of SendNotifyMessage 36 IoCs
  • Suspicious use of WriteProcessMemory 10 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Anarchy Loader.exe
    "C:\Users\Admin\AppData\Local\Temp\Anarchy Loader.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:2000
    • C:\Users\Admin\AppData\Local\Temp\AnarchyInstall.exe
      "C:\Users\Admin\AppData\Local\Temp\AnarchyInstall.exe"
      2⤵
      • Drops startup file
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of AdjustPrivilegeToken
      PID:3952
    • C:\Users\Admin\AppData\Local\Temp\Anarchy Panel.exe
      "C:\Users\Admin\AppData\Local\Temp\Anarchy Panel.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1388
      • C:\Windows\SYSTEM32\cmd.exe
        "cmd.exe" /c start cmd /C "color b && title Error && echo SSL assertion fail, make sure you're not debugging Network. Disable internet firewall on router if possible. & echo: & echo If not, ask the developer of the program to use custom domains to fix this. && timeout /t 5"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2328
        • C:\Windows\system32\cmd.exe
          cmd /C "color b && title Error && echo SSL assertion fail, make sure you're not debugging Network. Disable internet firewall on router if possible. & echo: & echo If not, ask the developer of the program to use custom domains to fix this. && timeout /t 5"
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:3124
          • C:\Windows\system32\timeout.exe
            timeout /t 5
            5⤵
            • Delays execution with timeout.exe
            PID:3224
  • C:\Windows\system32\taskmgr.exe
    "C:\Windows\system32\taskmgr.exe" /4
    1⤵
    • Checks SCSI registry key(s)
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    PID:4760

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\AnarchyInstall.exe
    Filesize

    95KB

    MD5

    57fdae25873ed915da75aa33c9eb6d66

    SHA1

    5f835c20c97fc83b976fbea8345b01d96e5f1546

    SHA256

    c9074dc3e9e6e06260f4e40980ef2fbfd8b50cf449e20f250d277cadbd7909c0

    SHA512

    1191005e24a64b215ea866c8472411e13b22908ae98d42c758bb317bd6182cd671321d7c501db4d779e2234106d7cf8a118eea9f9dd698f578dc25b0098088f6

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\Costura\C5730A4C0FDD612A5678E51A536CE09E\64\sqlite.interop.dll
    Filesize

    1.7MB

    MD5

    56a504a34d2cfbfc7eaa2b68e34af8ad

    SHA1

    426b48b0f3b691e3bb29f465aed9b936f29fc8cc

    SHA256

    9309fb2a3f326d0f2cc3f2ab837cfd02e4f8cb6b923b3b2be265591fd38f4961

    SHA512

    170c3645083d869e2368ee16325d7edaeba2d8f1d3d4a6a1054cfdd8616e03073772eeae30c8f79a93173825f83891e7b0e4fd89ef416808359f715a641747d7

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\INCCHECK.lnk
    Filesize

    1KB

    MD5

    28afff47843548caeff46759cad72eda

    SHA1

    d908d91bc7733f132ca9d3df7748f77d8a7641a1

    SHA256

    57f07f7e3511d92eb9d763d10219ed5d9b3601457d01aaaf708b8f1baf8b96dc

    SHA512

    c5b6492bc6a304116f05ff12e9b0dd6a9accb35920f6dd76c1e2d70070572aaeb81da743a984548dc8e6615fa8ccbdc356a57c3ce9df8158b3aebc9814d23728

    Download Submit

  • memory/1388-38-0x0000000021DA0000-0x0000000021EEE000-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/1388-41-0x00007FFEDA570000-0x00007FFEDB031000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/1388-24-0x00007FFEDA570000-0x00007FFEDB031000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/1388-25-0x0000000000CD0000-0x000000000436E000-memory.dmp

    Filesize

    54.6MB

    Download

  • memory/1388-39-0x0000000021EF0000-0x0000000021F04000-memory.dmp

    Filesize

    80KB

    Download

  • memory/1388-30-0x0000000006430000-0x0000000006442000-memory.dmp

    Filesize

    72KB

    Download

  • memory/1388-31-0x0000000020620000-0x0000000020C08000-memory.dmp

    Filesize

    5.9MB

    Download

  • memory/1388-32-0x0000000020C10000-0x0000000020FD0000-memory.dmp

    Filesize

    3.8MB

    Download

  • memory/2000-0-0x00007FFEDA573000-0x00007FFEDA575000-memory.dmp

    Filesize

    8KB

    Download

  • memory/2000-1-0x00000000009E0000-0x00000000040A4000-memory.dmp

    Filesize

    54.8MB

    Download

  • memory/3952-37-0x00007FFEDA570000-0x00007FFEDB031000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/3952-13-0x0000000000F30000-0x0000000000F4E000-memory.dmp

    Filesize

    120KB

    Download

  • memory/3952-14-0x00007FFEDA570000-0x00007FFEDB031000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/3952-57-0x00007FFEDA570000-0x00007FFEDB031000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/4760-54-0x00000214AE400000-0x00000214AE401000-memory.dmp

    Filesize

    4KB

    Download

  • memory/4760-48-0x00000214AE400000-0x00000214AE401000-memory.dmp

    Filesize

    4KB

    Download

  • memory/4760-43-0x00000214AE400000-0x00000214AE401000-memory.dmp

    Filesize

    4KB

    Download

  • memory/4760-53-0x00000214AE400000-0x00000214AE401000-memory.dmp

    Filesize

    4KB

    Download

  • memory/4760-52-0x00000214AE400000-0x00000214AE401000-memory.dmp

    Filesize

    4KB

    Download

  • memory/4760-51-0x00000214AE400000-0x00000214AE401000-memory.dmp

    Filesize

    4KB

    Download

  • memory/4760-50-0x00000214AE400000-0x00000214AE401000-memory.dmp

    Filesize

    4KB

    Download

  • memory/4760-49-0x00000214AE400000-0x00000214AE401000-memory.dmp

    Filesize

    4KB

    Download

  • memory/4760-44-0x00000214AE400000-0x00000214AE401000-memory.dmp

    Filesize

    4KB

    Download

  • memory/4760-42-0x00000214AE400000-0x00000214AE401000-memory.dmp

    Filesize

    4KB

    Download