Analysis
- max time kernel: 51s
- max time network: 53s
- platform: windows10-2004_x64
- resource: win10v2004-20240508-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 12/06/2024, 20:21
Tasks
- Static task: static1
- Behavioral task: behavioral1 (Sample: Anvil Loader.exe, Resource: win7-20231129-en)
- Behavioral task: behavioral2 (Sample: Anvil Loader.exe, Resource: win10-20240404-en)
- Behavioral task: behavioral3 (Sample: Anvil Loader.exe, Resource: win10v2004-20240508-en)
- Behavioral task: behavioral4 (Sample: Anvil Loader.exe, Resource: win11-20240508-en)
General
- Target: Anvil Loader.exe
- Size: 6.3MB
- MD5: bdc6760fc3a5e0f4ac757abd6ef48549
- SHA1: 5e43cc1e39b521d81ec3ba8c57470966f3c0954c
- SHA256: f6d7e67f3838b83f4378321b39c60cdff513176e1e8deb73da0dec27f7ebaebe
- SHA512: 5c20d3302f9cab9ae5fb559b4ceebe143d9af1403acabde18f0d1b4760e0f1390601f710d7e3c66ce87c5d810a85c806f6dd87c58621097d78e7bd95ef805677
- SSDEEP: 98304:dfRvYwz5xbn6sR6TAnkmcfCIwNlqOgq0qRaEOg4Xhmz4c583XafejbYGDrA:ZxZnJR6TAXb7hgrqtJehmzzejki8
Malware Config
Signatures
- Checks SCSI registry key(s) (3 TTPs, 3 IoCs)
  SCSI information is often read in order to detect sandboxing environments.
  description / ioc / Process:
  - Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 (taskmgr.exe)
  - Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A (taskmgr.exe)
  - Key value queried: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName (taskmgr.exe)
- Suspicious behavior: EnumeratesProcesses (11 IoCs)
  pid / Process: 5044 taskmgr.exe (11 identical entries)
- Suspicious use of AdjustPrivilegeToken (5 IoCs)
  description / pid / Process:
  - Token: SeDebugPrivilege, 5044, taskmgr.exe
  - Token: SeSystemProfilePrivilege, 5044, taskmgr.exe
  - Token: SeCreateGlobalPrivilege, 5044, taskmgr.exe
  - Token: 33, 5044, taskmgr.exe
  - Token: SeIncBasePriorityPrivilege, 5044, taskmgr.exe
- Suspicious use of FindShellTrayWindow (36 IoCs)
  pid / Process: 5044 taskmgr.exe (36 identical entries)
- Suspicious use of SendNotifyMessage (36 IoCs)
  pid / Process: 5044 taskmgr.exe (36 identical entries)
Processes
- C:\Users\Admin\AppData\Local\Temp\Anvil Loader.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\Anvil Loader.exe"
  Tree depth: 1
  PID: 4816
- C:\Windows\system32\taskmgr.exe
  Command line: "C:\Windows\system32\taskmgr.exe" /4
  Tree depth: 1
  Signatures:
  - Checks SCSI registry key(s)
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID: 5044