50bb137dc5dc91ece4a31d01787c0db3361853f2e7b559ff731c05d102bec0ca

Analysis

max time kernel
150s
max time network
151s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
27-06-2024 11:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Windows/Temp/adf/anchor_x64.exe
Size

339KB
MD5

86fefa2e8be486a49782d4d04095015e
SHA1

f29d6b5c8777028eeef161729b153b4d6e8ba28a
SHA256

a8a8c66b155fcf9bfdf34ba0aca98991440c3d34b8a597c3fdebc8da251c9634
SHA512

272c3bcd54f580a50f1601f7a6e71a02f33be93aaf975c081ea8042d50d548c9baf8b1401c15bc1fcabcc37bbc326c3ce79037a73425cfaeff58b1afd2e6b92c
SSDEEP

6144:eC1p/6YfIQrMRU+YqwQR/off22+IJdxKgpCzl2Ac:vb3oK+r/oX22Tb6zl

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

anchor_x64.exe

pid process

1724 anchor_x64.exe
Loads dropped DLL 1 IoCs

Processes:

taskeng.exe

pid process

2800 taskeng.exe
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

2 checkip.amazonaws.com

pid	process
1724	anchor_x64.exe

pid	process
2800	taskeng.exe

flow	ioc
2	checkip.amazonaws.com

NTFS ADS 3 IoCs

Processes:

anchor_x64.exeanchor_x64.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Local\Temp\Windows\Temp\adf\anchor_x64.exe: $data	anchor_x64.exe
File opened for modification	C:\Users\Admin\AppData\Local\Temp\Windows\Temp\adf\anchor_x64.exe: $file	anchor_x64.exe
File opened for modification	C:\Users\Admin\AppData\Local\Temp\Windows\Temp\adf\anchor_x64.exe: data	anchor_x64.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

taskeng.exe

description pid process

Token: SeIncBasePriorityPrivilege 2800 taskeng.exe

description	pid	process
Token: SeIncBasePriorityPrivilege	2800	taskeng.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

taskeng.exe

description	pid	process	target process
PID 2800 wrote to memory of 1724	2800	taskeng.exe	anchor_x64.exe
PID 2800 wrote to memory of 1724	2800	taskeng.exe	anchor_x64.exe
PID 2800 wrote to memory of 1724	2800	taskeng.exe	anchor_x64.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\Windows\Temp\adf\anchor_x64.exe
"C:\Users\Admin\AppData\Local\Temp\Windows\Temp\adf\anchor_x64.exe"
1⤵
- NTFS ADS
PID:2156

C:\Windows\system32\taskeng.exe
taskeng.exe {18F9B98C-3F1F-46B2-BD15-05A935E04000} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2800

C:\Users\Admin\AppData\Local\Temp\Windows\Temp\adf\anchor_x64.exe
C:\Users\Admin\AppData\Local\Temp\Windows\Temp\adf\anchor_x64.exe -u
2⤵
- Executes dropped EXE
- NTFS ADS
PID:1724

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Windows\Temp\adf\anchor_x64.exe: data

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\Users\Admin\AppData\Local\Temp\Windows\Temp\adf\anchor_x64.exe

Filesize
339KB

MD5
86fefa2e8be486a49782d4d04095015e

SHA1
f29d6b5c8777028eeef161729b153b4d6e8ba28a

SHA256
a8a8c66b155fcf9bfdf34ba0aca98991440c3d34b8a597c3fdebc8da251c9634

SHA512
272c3bcd54f580a50f1601f7a6e71a02f33be93aaf975c081ea8042d50d548c9baf8b1401c15bc1fcabcc37bbc326c3ce79037a73425cfaeff58b1afd2e6b92c

Download Submit