Analysis
- max time kernel: 149s
- max time network: 125s
- platform: windows7_x64
- resource: win7-20240611-de
- resource tags: arch:x64, arch:x86, image:win7-20240611-de, locale:de-de, os:windows7-x64, systemwindows
- submitted: 13-06-2024 17:47
Static task: static1
Behavioral task: behavioral1
- Sample: AnyLoaderV3.5.exe
- Resource: win7-20240611-de
Behavioral task: behavioral2
- Sample: AnyLoaderV3.5.exe
- Resource: win10v2004-20240508-de
General
- Target: AnyLoaderV3.5.exe
- Size: 24.5MB
- MD5: 99856c427b54bb791c179f01c6cdea18
- SHA1: fc3171c550e54c1d0f6910a608d1b9ed57d7509d
- SHA256: 9db19f13597439dbc546601d2e3824641b301f3d4a6b56fbeec902618c439850
- SHA512: 7a596bb93673cbe71febdffaea874c9c49fe6073233f839fd99409e74a9e45dddad8906e705b0993e7dd128be71881fdb2b2482e91587a14f4e00a1ee447fe40
- SSDEEP: 393216:G7SZr9mc8QllDOfkY6lrzmGhqNcVjKtZELNwUhiUbA58wlRZHl6w0XCWg:G7+WQlNOcbaNQjCELNlhO58wj6q
Malware Config
Signatures
- Drops file in System32 directory (1 IoC)
  Processes: SearchProtocolHost.exe
  Columns: description | ioc | process
  File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat | SearchProtocolHost.exe
- Modifies data under HKEY_USERS (64 IoCs)
  Processes: SearchProtocolHost.exe, SearchFilterHost.exe, SearchIndexer.exe
  Columns: description | ioc | process
  Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\67BDC06\@C:\Windows\system32\SampleRes.dll,-116 = "Kalimba" | SearchProtocolHost.exe
  Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\67BDC06\@C:\Windows\system32\gameux.dll,-10061 = "Spider Solitär" | SearchProtocolHost.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\CacheHashTableSize = "67" | SearchProtocolHost.exe
  Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\67BDC06\@C:\Windows\system32\wdc.dll,-10030 = "Ressourcenmonitor" | SearchProtocolHost.exe
  Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\67BDC06\@C:\Windows\system32\gameux.dll,-10102 = "Internet-Backgammon" | SearchProtocolHost.exe
  Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\67BDC06\@%windir%\system32\msra.exe,-635 = "Laden Sie einen Freund oder einen Mitarbeiter des technischen Supports ein, eine Verbindung mit dem Computer herzustellen, oder bieten Sie einer anderen Person Hilfe an." | SearchProtocolHost.exe
  Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\67BDC06\@C:\Program Files\Common Files\System\wab32res.dll,-4602 = "Kontaktdatei" | SearchProtocolHost.exe
  Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\67BDC06\@C:\Windows\system32\gameux.dll,-10057 = "Minesweeper" | SearchProtocolHost.exe
  Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\67BDC06\@%SystemRoot%\system32\gameux.dll,-10301 = "Genießen Sie das klassische Spiel Backgammon. Treten Sie online gegen andere Spieler an, und tragen Sie als erster Spieler alle Ihre Spielsteine vom Brett ab." | SearchProtocolHost.exe
  Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\67BDC06\@%windir%\system32\FXSRESM.dll,-115 = "Ermöglicht Ihnen, Faxe zu senden und zu empfangen oder Bilder und Dokumente zu scannen." | SearchProtocolHost.exe
  Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000a0c4df43babdda01 | SearchProtocolHost.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie | SearchFilterHost.exe
  Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{80009818-F38F-4AF1-87B5-EADAB9433E58} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000020931a60babdda01 | SearchProtocolHost.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\FileInlineGrowthQuantumSeconds = "30" | SearchProtocolHost.exe
  Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\67BDC06\@gameux.dll,-10055 = "FreeCell" | SearchProtocolHost.exe
  Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\67BDC06\C:\Windows\system32,@elscore.dll,-8 = "Malayalam in lateinische Transkription von Microsoft" | SearchIndexer.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates | SearchFilterHost.exe
  Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\67BDC06\@%ProgramFiles%\Windows Journal\Journal.exe,-3075 = "Erstellen Sie Notizen in Ihrer Handschrift. Die handgeschriebenen Notizen können gespeichert, durchsucht oder in Drucktext umgewandelt werden." | SearchProtocolHost.exe
  Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:" | SearchProtocolHost.exe
  Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\67BDC06\@%systemroot%\system32\Msinfo32.exe,-130 = "Zeigt detaillierte Informationen über den Computer an." | SearchProtocolHost.exe
  Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\67BDC06\@%CommonProgramFiles%\Microsoft Shared\Ink\TipTsf.dll,-60 = "Geben Sie Text mit einem Stift oder einer Bildschirmtastatur anstelle einer herkömmlichen Tastatur ein. Sie können den Schreibblock oder den Zeichenblock zum Konvertieren des handgeschriebenen Text in Drucktext verwenden oder Zeichen mit der Tastatur eingeben." | SearchProtocolHost.exe
  Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\67BDC06\@C:\Windows\system32\gameux.dll,-10054 = "Chess Titans" | SearchProtocolHost.exe
  Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\67BDC06\@C:\Program Files\windows journal\journal.exe,-62005 = "Tablet PC" | SearchProtocolHost.exe
  Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\67BDC06\@C:\Windows\system32\SoundRecorder.exe,-100 = "Audiorecorder" | SearchProtocolHost.exe
  Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" | SearchProtocolHost.exe
  Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\67BDC06\@C:\Windows\system32\zipfldr.dll,-10195 = "ZIP-komprimierter Ordner" | SearchProtocolHost.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\CacheLongPageCount = "32" | SearchProtocolHost.exe
  Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\67BDC06\@%SystemRoot%\system32\gameux.dll,-10307 = "Purble Place ist ein Lern- und Unterhaltungsspiel, das drei unterschiedliche Spiele umfasst, mit denen Farben, Formen und Mustererkennung erlernt werden können." | SearchProtocolHost.exe
  Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\67BDC06\@gameux.dll,-10056 = "Hearts" | SearchProtocolHost.exe
  Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\67BDC06\@C:\Windows\system32\SampleRes.dll,-118 = "Sleep Away" | SearchProtocolHost.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\LogMinJobWaitTimeMs = "3000" | SearchProtocolHost.exe
  Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\67BDC06\@C:\Windows\system32\rstrui.exe,-100 = "Systemwiederherstellung" | SearchProtocolHost.exe
  Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\67BDC06\@C:\Windows\system32\dfrgui.exe,-103 = "Defragmentierung" | SearchProtocolHost.exe
  Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\67BDC06\@C:\Windows\system32\NetProjW.dll,-501 = "Verbindung mit Netzwerkprojektor" | SearchProtocolHost.exe
  Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\67BDC06\@%SystemRoot%\system32\sud.dll,-10 = "Wählen Sie die Programme aus, die Windows für Aktivitäten wie Browsen, Bearbeiten von Fotos, Senden von E-Mail oder Musikwiedergabe verwenden soll." | SearchProtocolHost.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software | SearchFilterHost.exe
  Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings | SearchProtocolHost.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\CriticalLowDiskSpace = "1073741824" | SearchProtocolHost.exe
  Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\67BDC06\@%systemroot%\system32\msconfig.exe,-1601 = "Erweiterte Problembehandlung und Systemkonfiguration ausführen" | SearchProtocolHost.exe
  Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\67BDC06\@%ProgramFiles%\DVD Maker\DVDMaker.exe,-63385 = "Brennt Bilder und Videos auf DVD." | SearchProtocolHost.exe
  Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\67BDC06\LanguageList = 640065002d0044004500000064006500000065006e002d0055005300000065006e0000000000 | SearchProtocolHost.exe
  Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\67BDC06\@C:\Windows\system32\xpsrchvw.exe,-106 = "XPS-Dokument" | SearchProtocolHost.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\SwagBitsPerSecond = "19922944" | SearchProtocolHost.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer | SearchFilterHost.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie | SearchFilterHost.exe
  Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\67BDC06\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document" | SearchProtocolHost.exe
  Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\67BDC06\@C:\Windows\system32\MdSched.exe,-4001 = "Windows-Speicherdiagnose" | SearchProtocolHost.exe
  Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\67BDC06\C:\Windows\system32,@elscore.dll,-5 = "Microsoft-Transkriptionsmodul" | SearchIndexer.exe
  Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\67BDC06\@%windir%\system32\migwiz\wet.dll,-601 = "Berichte zu den ausgeführten Übertragungen anzeigen" | SearchProtocolHost.exe
  Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\67BDC06\@C:\Windows\system32\SampleRes.dll,-102 = "Wüste" | SearchProtocolHost.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\LogInitialPageCount = "16" | SearchProtocolHost.exe
  Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\67BDC06\@%systemroot%\system32\comres.dll,-3411 = "Verwalten von COM+-Anwendungen, COM- und DCOM-Systemkonfiguration und Distributed Transaction Coordinator." | SearchProtocolHost.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device | SearchFilterHost.exe
  Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\67BDC06\@%SystemRoot%\system32\SoundRecorder.exe,-32790 = "Sounds aufnehmen und auf dem Computer speichern." | SearchProtocolHost.exe
  Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE | SearchFilterHost.exe
  Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\67BDC06\@C:\Windows\system32\miguiresource.dll,-201 = "Aufgabenplanung" | SearchProtocolHost.exe
  Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\67BDC06\@%SystemRoot%\system32\OobeFldr.dll,-33057 = "Machen Sie sich mit den Windows-Funktionen vertraut und fangen Sie an, sie zu verwenden." | SearchProtocolHost.exe
  Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\67BDC06\@%windir%\system32\mstsc.exe,-4001 = "Stellen Sie mit dem Computer eine Verbindung mit einem Computer an einem anderen Ort her und führen Sie Programme aus bzw. greifen Sie auf Dateien zu." | SearchProtocolHost.exe
  Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\67BDC06\@C:\Windows\system32\gameux.dll,-10056 = "Hearts" | SearchProtocolHost.exe
  Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\67BDC06\@gameux.dll,-10059 = "Mahjong Titans" | SearchProtocolHost.exe
  Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\67BDC06\@%systemroot%\system32\XpsRchVw.exe,-103 = "XPS-Dokumente anzeigen, digital signieren und Berechtigungen dafür festlegen" | SearchProtocolHost.exe
  Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\67BDC06\C:\Windows\system32,@elscore.dll,-4 = "Transkription von Chinesisch (vereinfacht) in Chinesisch (traditionell) von Microsoft" | SearchIndexer.exe
  Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\67BDC06\C:\Windows\system32,@elscore.dll,-3 = "Transkription von Chinesisch (traditionell) in Chinesisch (vereinfacht) von Microsoft" | SearchIndexer.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Direct3D\MostRecentApplication | SearchFilterHost.exe
- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Processes: SearchIndexer.exe
  Columns: description | pid | process
  Token: SeManageVolumePrivilege | 480 | SearchIndexer.exe
  Token: 33 | 480 | SearchIndexer.exe
  Token: SeIncBasePriorityPrivilege | 480 | SearchIndexer.exe
- Suspicious use of SetWindowsHookEx (33 IoCs)
  Processes: SearchProtocolHost.exe, SearchProtocolHost.exe
  Columns: pid | process (entries in report order, repeated entries collapsed)
  1656 | SearchProtocolHost.exe (5 entries)
  944 | SearchProtocolHost.exe (20 entries)
  1656 | SearchProtocolHost.exe (1 entry)
  944 | SearchProtocolHost.exe (7 entries)
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes: SearchIndexer.exe
  Columns: description | pid | process | target process (repeated entries collapsed)
  PID 480 wrote to memory of 1656 | 480 | SearchIndexer.exe | SearchProtocolHost.exe (3 entries)
  PID 480 wrote to memory of 2680 | 480 | SearchIndexer.exe | SearchFilterHost.exe (3 entries)
  PID 480 wrote to memory of 944 | 480 | SearchIndexer.exe | SearchProtocolHost.exe (3 entries)
  PID 480 wrote to memory of 1172 | 480 | SearchIndexer.exe | SearchFilterHost.exe (3 entries)
Processes
- C:\Users\Admin\AppData\Local\Temp\AnyLoaderV3.5.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\AnyLoaderV3.5.exe"
  PID: 1680
- C:\Windows\explorer.exe
  Command line: "C:\Windows\explorer.exe"
  PID: 2772
- C:\Windows\system32\SearchIndexer.exe
  Command line: C:\Windows\system32\SearchIndexer.exe /Embedding
  Signatures: Modifies data under HKEY_USERS; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
  PID: 480
  - C:\Windows\system32\SearchProtocolHost.exe (child of PID 480)
    Command line: "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe_S-1-5-21-39690363-730359138-1046745555-10001_ Global\UsGthrCtrlFltPipeMssGthrPipe_S-1-5-21-39690363-730359138-1046745555-10001 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon" "1"
    Signatures: Suspicious use of SetWindowsHookEx
    PID: 1656
  - C:\Windows\system32\SearchFilterHost.exe (child of PID 480)
    Command line: "C:\Windows\system32\SearchFilterHost.exe" 0 512 516 524 65536 520
    Signatures: Modifies data under HKEY_USERS
    PID: 2680
  - C:\Windows\system32\SearchProtocolHost.exe (child of PID 480)
    Command line: "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe2_ Global\UsGthrCtrlFltPipeMssGthrPipe2 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
    Signatures: Drops file in System32 directory; Modifies data under HKEY_USERS; Suspicious use of SetWindowsHookEx
    PID: 944
  - C:\Windows\system32\SearchFilterHost.exe (child of PID 480)
    Command line: "C:\Windows\system32\SearchFilterHost.exe" 0 512 516 524 65536 520
    PID: 1172
Network
MITRE ATT&CK Matrix
Downloads
- Filesize: 1024KB
- MD5: 6055cf892a89d7a80ac91f0125a0a6fa
- SHA1: 5af1dedba22b09023d03de76835bc4768bc83c6c
- SHA256: c7ce31c965c402bd66d9dc2e42f0bcc29779308c94a2d0885da493349d464b99
- SHA512: cc37c0078e792b93ac75d4dc4469dab3cfde4dfe9c64af8a4c0284b183f9ea9949baf11b3cef646e778af91ea9b7f4fe4d82a531098cac595ffbe335a841ed6c