50bb137dc5dc91ece4a31d01787c0db3361853f2e7b559ff731c05d102bec0ca

Analysis

max time kernel
150s
max time network
151s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
27-06-2024 11:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Windows/Temp/adf/anchor_x64.exe
Size

339KB
MD5

86fefa2e8be486a49782d4d04095015e
SHA1

f29d6b5c8777028eeef161729b153b4d6e8ba28a
SHA256

a8a8c66b155fcf9bfdf34ba0aca98991440c3d34b8a597c3fdebc8da251c9634
SHA512

272c3bcd54f580a50f1601f7a6e71a02f33be93aaf975c081ea8042d50d548c9baf8b1401c15bc1fcabcc37bbc326c3ce79037a73425cfaeff58b1afd2e6b92c
SSDEEP

6144:eC1p/6YfIQrMRU+YqwQR/off22+IJdxKgpCzl2Ac:vb3oK+r/oX22Tb6zl

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1724	anchor_x64.exe

Loads dropped DLL 1 IoCs

pid	Process
2800	taskeng.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
2	checkip.amazonaws.com

NTFS ADS 3 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Local\Temp\Windows\Temp\adf\anchor_x64.exe: $data	anchor_x64.exe
File opened for modification	C:\Users\Admin\AppData\Local\Temp\Windows\Temp\adf\anchor_x64.exe: $file	anchor_x64.exe
File opened for modification	C:\Users\Admin\AppData\Local\Temp\Windows\Temp\adf\anchor_x64.exe: data	anchor_x64.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2800	taskeng.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2800 wrote to memory of 1724	2800	taskeng.exe	31
PID 2800 wrote to memory of 1724	2800	taskeng.exe	31
PID 2800 wrote to memory of 1724	2800	taskeng.exe	31

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\Windows\Temp\adf\anchor_x64.exe
"C:\Users\Admin\AppData\Local\Temp\Windows\Temp\adf\anchor_x64.exe"
1⤵
- NTFS ADS
PID:2156

C:\Windows\system32\taskeng.exe
taskeng.exe {18F9B98C-3F1F-46B2-BD15-05A935E04000} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2800
- C:\Users\Admin\AppData\Local\Temp\Windows\Temp\adf\anchor_x64.exe
  C:\Users\Admin\AppData\Local\Temp\Windows\Temp\adf\anchor_x64.exe -u
  2⤵
  - Executes dropped EXE
  - NTFS ADS
  PID:1724

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\Windows\Temp\adf\anchor_x64.exe

Filesize
339KB

MD5
86fefa2e8be486a49782d4d04095015e

SHA1
f29d6b5c8777028eeef161729b153b4d6e8ba28a

SHA256
a8a8c66b155fcf9bfdf34ba0aca98991440c3d34b8a597c3fdebc8da251c9634

SHA512
272c3bcd54f580a50f1601f7a6e71a02f33be93aaf975c081ea8042d50d548c9baf8b1401c15bc1fcabcc37bbc326c3ce79037a73425cfaeff58b1afd2e6b92c

Download Submit