Analysis
max time kernel: 15s
max time network: 17s
platform: windows10-1703_x64
resource: win10-20240404-en
resource tags: arch:x64, arch:x86, image:win10-20240404-en, locale:en-us, os:windows10-1703-x64, system
submitted: 12/06/2024, 20:19
Static task
static1

Behavioral tasks
Task | Sample | Resource
behavioral1 | Anvil_Loader_v2.4 (2).zip | win10-20240404-en
behavioral2 | Anvil_Loader_v2.4 (2).zip | win10v2004-20240508-en
behavioral3 | Anvil_Loader_v2.4 (2).zip | win11-20240508-en
behavioral4 | v2.4/Anvil Loader.exe | win10-20240404-en
behavioral5 | v2.4/Anvil Loader.exe | win10v2004-20240508-en
behavioral6 | v2.4/Anvil Loader.exe | win11-20240508-en
behavioral7 | v2.4/msdia140.dll | win10-20240404-en
behavioral8 | v2.4/msdia140.dll | win10v2004-20240611-en
behavioral9 | v2.4/msdia140.dll | win11-20240508-en
behavioral10 | v2.4/symsrv.dll | win10-20240404-en
behavioral11 | v2.4/symsrv.dll | win10v2004-20240508-en
behavioral12 | v2.4/symsrv.dll | win11-20240611-en
General
Target: v2.4/msdia140.dll
Size: 1.1MB
MD5: ddf227ccee5fce7d770f6ed94c39a4f0
SHA1: 3cecbbcfef033516d2813b5f7258ca47c18c72f4
SHA256: 91bae9e8e55a95c69dd9300a9db103ede5cb37a3659aee4f22d9418ea61d0062
SHA512: 714045ac3b9faac7299c042e36a3a557bf940349f829ad8e21cff6a2c0c4743841b6c9077ba027bf48e3c3f4123193897c1208ff62543c73dde11817c2cba997
SSDEEP: 24576:HOf1b18KTDRCecIqr8c6TvBBkhyIpoDgQHsRwv2QHK5EDrn7MjEaoZw+aJ4bSgTY:Wwp7RURa2/xQRkSeRgx5
Malware Config
Signatures
Modifies registry class (26 IoCs)
Description | IoC | Process
Key created | \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\WOW6432Node\CLSID | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E6756135-1E65-4D17-8576-610761398C3C}\ = "Debug Information Accessor" | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E6756135-1E65-4D17-8576-610761398C3C}\InprocServer32 | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{91904831-49CA-4766-B95C-25397E2DD6DC}\InprocServer32\ThreadingModel = "Both" | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CE4A85DB-5768-475B-A4E1-C0BCA2112A6B} | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CE4A85DB-5768-475B-A4E1-C0BCA2112A6B}\ = "Generic StackWalker" | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CE4A85DB-5768-475B-A4E1-C0BCA2112A6B}\InprocServer32 | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{106173A0-0173-4E5C-84E7-E915422BE997}\2.0\0\win32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\v2.4\\msdia140.dll" | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{106173A0-0173-4E5C-84E7-E915422BE997}\2.0\HELPDIR\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\v2.4" | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{106173A0-0173-4E5C-84E7-E915422BE997}\2.0 | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E6756135-1E65-4D17-8576-610761398C3C} | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E6756135-1E65-4D17-8576-610761398C3C}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\v2.4\\msdia140.dll" | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{91904831-49CA-4766-B95C-25397E2DD6DC}\ = "Debug Information Accessor w/o Global Memory Usage" | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{106173A0-0173-4E5C-84E7-E915422BE997}\2.0\FLAGS | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E6756135-1E65-4D17-8576-610761398C3C}\InprocServer32\ThreadingModel = "Both" | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{91904831-49CA-4766-B95C-25397E2DD6DC}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\v2.4\\msdia140.dll" | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{106173A0-0173-4E5C-84E7-E915422BE997}\2.0\0 | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{106173A0-0173-4E5C-84E7-E915422BE997}\2.0\HELPDIR | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{91904831-49CA-4766-B95C-25397E2DD6DC}\InprocServer32 | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CE4A85DB-5768-475B-A4E1-C0BCA2112A6B}\InprocServer32\ThreadingModel = "Both" | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{106173A0-0173-4E5C-84E7-E915422BE997}\2.0\ = "dia 2.0 Type Library" | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{91904831-49CA-4766-B95C-25397E2DD6DC} | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{106173A0-0173-4E5C-84E7-E915422BE997} | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CE4A85DB-5768-475B-A4E1-C0BCA2112A6B}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\v2.4\\msdia140.dll" | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{106173A0-0173-4E5C-84E7-E915422BE997}\2.0\FLAGS\ = "0" | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{106173A0-0173-4E5C-84E7-E915422BE997}\2.0\0\win32 | regsvr32.exe
Suspicious use of WriteProcessMemory (3 IoCs)
Description | PID | Process | procid_target
PID 168 wrote to memory of 4684 | 168 | regsvr32.exe | 74
PID 168 wrote to memory of 4684 | 168 | regsvr32.exe | 74
PID 168 wrote to memory of 4684 | 168 | regsvr32.exe | 74