Overview
Analysis
- max time kernel: 33s
- max time network: 35s
- platform: windows10-2004_x64
- resource: win10v2004-20240611-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240611-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 12/06/2024, 20:19
Static task
- static1

Behavioral tasks (task | Sample | Resource)
- behavioral1 | Anvil_Loader_v2.4 (2).zip | win10-20240404-en
- behavioral2 | Anvil_Loader_v2.4 (2).zip | win10v2004-20240508-en
- behavioral3 | Anvil_Loader_v2.4 (2).zip | win11-20240508-en
- behavioral4 | v2.4/Anvil Loader.exe | win10-20240404-en
- behavioral5 | v2.4/Anvil Loader.exe | win10v2004-20240508-en
- behavioral6 | v2.4/Anvil Loader.exe | win11-20240508-en
- behavioral7 | v2.4/msdia140.dll | win10-20240404-en
- behavioral8 | v2.4/msdia140.dll | win10v2004-20240611-en
- behavioral9 | v2.4/msdia140.dll | win11-20240508-en
- behavioral10 | v2.4/symsrv.dll | win10-20240404-en
- behavioral11 | v2.4/symsrv.dll | win10v2004-20240508-en
- behavioral12 | v2.4/symsrv.dll | win11-20240611-en
General
- Target: v2.4/msdia140.dll
- Size: 1.1MB
- MD5: ddf227ccee5fce7d770f6ed94c39a4f0
- SHA1: 3cecbbcfef033516d2813b5f7258ca47c18c72f4
- SHA256: 91bae9e8e55a95c69dd9300a9db103ede5cb37a3659aee4f22d9418ea61d0062
- SHA512: 714045ac3b9faac7299c042e36a3a557bf940349f829ad8e21cff6a2c0c4743841b6c9077ba027bf48e3c3f4123193897c1208ff62543c73dde11817c2cba997
- SSDEEP: 24576:HOf1b18KTDRCecIqr8c6TvBBkhyIpoDgQHsRwv2QHK5EDrn7MjEaoZw+aJ4bSgTY:Wwp7RURa2/xQRkSeRgx5
Malware Config
Signatures
- Modifies registry class (26 IoCs)

description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{91904831-49CA-4766-B95C-25397E2DD6DC} | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{106173A0-0173-4E5C-84E7-E915422BE997}\2.0\ = "dia 2.0 Type Library" | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{106173A0-0173-4E5C-84E7-E915422BE997}\2.0\0 | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E6756135-1E65-4D17-8576-610761398C3C}\InprocServer32 | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CE4A85DB-5768-475B-A4E1-C0BCA2112A6B} | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{106173A0-0173-4E5C-84E7-E915422BE997}\2.0\0\win32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\v2.4\\msdia140.dll" | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{106173A0-0173-4E5C-84E7-E915422BE997}\2.0\HELPDIR | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{91904831-49CA-4766-B95C-25397E2DD6DC}\InprocServer32\ThreadingModel = "Both" | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CE4A85DB-5768-475B-A4E1-C0BCA2112A6B}\InprocServer32 | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{106173A0-0173-4E5C-84E7-E915422BE997}\2.0 | regsvr32.exe
Key created | \REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000_Classes\WOW6432Node\CLSID | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E6756135-1E65-4D17-8576-610761398C3C}\ = "Debug Information Accessor" | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{91904831-49CA-4766-B95C-25397E2DD6DC}\InprocServer32 | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{106173A0-0173-4E5C-84E7-E915422BE997}\2.0\FLAGS | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E6756135-1E65-4D17-8576-610761398C3C} | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{91904831-49CA-4766-B95C-25397E2DD6DC}\ = "Debug Information Accessor w/o Global Memory Usage" | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CE4A85DB-5768-475B-A4E1-C0BCA2112A6B}\ = "Generic StackWalker" | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CE4A85DB-5768-475B-A4E1-C0BCA2112A6B}\InprocServer32\ThreadingModel = "Both" | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{106173A0-0173-4E5C-84E7-E915422BE997}\2.0\FLAGS\ = "0" | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{91904831-49CA-4766-B95C-25397E2DD6DC}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\v2.4\\msdia140.dll" | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CE4A85DB-5768-475B-A4E1-C0BCA2112A6B}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\v2.4\\msdia140.dll" | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E6756135-1E65-4D17-8576-610761398C3C}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\v2.4\\msdia140.dll" | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E6756135-1E65-4D17-8576-610761398C3C}\InprocServer32\ThreadingModel = "Both" | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{106173A0-0173-4E5C-84E7-E915422BE997} | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{106173A0-0173-4E5C-84E7-E915422BE997}\2.0\0\win32 | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{106173A0-0173-4E5C-84E7-E915422BE997}\2.0\HELPDIR\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\v2.4" | regsvr32.exe
- Suspicious use of WriteProcessMemory (3 IoCs)

description | pid | Process | procid_target
PID 3936 wrote to memory of 1632 | 3936 | regsvr32.exe | 82
PID 3936 wrote to memory of 1632 | 3936 | regsvr32.exe | 82
PID 3936 wrote to memory of 1632 | 3936 | regsvr32.exe | 82