Analysis
- max time kernel: 150s
- max time network: 151s
- platform: windows10-2004_x64
- resource: win10v2004-20240508-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 01/07/2024, 14:38
General
- Target: anarchia.exe
- Size: 63KB
- MD5: 0b2ea56da9323d28eb13700901a3d821
- SHA1: beac98a0e292050ce6fda1efdb550342861427dd
- SHA256: 9b0ceae770fefa240406c89e24ad6468397db6c3105ea4bd800e433fd608cbd3
- SHA512: a26783b1ae66fa56a4162dc893ec5865e009e1cd94862edb2933099fd81e70883ef2aa4a6de5d876c73670df31abd899d3682a47fcc458b9995ea5d0e9b71ab8
- SSDEEP: 1536:xRRQOw8kwch5bUbWh9aiEABuEdpqKmY7:xA18k3bUbW6eGz
Malware Config
Extracted family: asyncrat
- Default: 185.254.97.15:2024
- delay: 1
- install: true
- install_file: cwel.exe
- install_folder: %AppData%
Signatures
- Async RAT payload (1 IoCs)
  resource: behavioral1/files/0x00070000000233f9-11.dat | yara_rule: family_asyncrat
- Checks computer location settings (2 TTPs, 1 IoCs)
  Looks up country code configured in the registry, likely geofence.
  description: Key value queried | ioc: \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation | Process: anarchia.exe
- Executes dropped EXE (1 IoCs)
  pid: 2512 | Process: cwel.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Delays execution with timeout.exe (1 IoCs)
  pid: 3952 | Process: timeout.exe
- Scheduled Task/Job: Scheduled Task (1 TTPs, 1 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  pid: 3176 | Process: schtasks.exe
- Suspicious behavior: EnumeratesProcesses (64 IoCs, 2 distinct processes)
  pid: 1520 | Process: anarchia.exe
  pid: 2512 | Process: cwel.exe
- Suspicious use of AdjustPrivilegeToken (4 IoCs)
  description | pid | Process
  Token: SeDebugPrivilege | 1520 | anarchia.exe
  Token: SeDebugPrivilege | 1520 | anarchia.exe
  Token: SeDebugPrivilege | 2512 | cwel.exe
  Token: SeDebugPrivilege | 2512 | cwel.exe
- Suspicious use of WriteProcessMemory (10 IoCs)
  description | pid | Process | procid_target
  PID 1520 wrote to memory of 1740 | 1520 | anarchia.exe | 82
  PID 1520 wrote to memory of 1740 | 1520 | anarchia.exe | 82
  PID 1520 wrote to memory of 1956 | 1520 | anarchia.exe | 84
  PID 1520 wrote to memory of 1956 | 1520 | anarchia.exe | 84
  PID 1740 wrote to memory of 3176 | 1740 | cmd.exe | 86
  PID 1740 wrote to memory of 3176 | 1740 | cmd.exe | 86
  PID 1956 wrote to memory of 3952 | 1956 | cmd.exe | 87
  PID 1956 wrote to memory of 3952 | 1956 | cmd.exe | 87
  PID 1956 wrote to memory of 2512 | 1956 | cmd.exe | 88
  PID 1956 wrote to memory of 2512 | 1956 | cmd.exe | 88
- Uses Task Scheduler COM API (1 TTPs)
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
- C:\Users\Admin\AppData\Local\Temp\anarchia.exe (PID 1520)
  command line: "C:\Users\Admin\AppData\Local\Temp\anarchia.exe"
  - Checks computer location settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\System32\cmd.exe (PID 1740)
    command line: "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "cwel" /tr '"C:\Users\Admin\AppData\Roaming\cwel.exe"' & exit
    - Suspicious use of WriteProcessMemory
    - C:\Windows\system32\schtasks.exe (PID 3176)
      command line: schtasks /create /f /sc onlogon /rl highest /tn "cwel" /tr '"C:\Users\Admin\AppData\Roaming\cwel.exe"'
      - Scheduled Task/Job: Scheduled Task
  - C:\Windows\system32\cmd.exe (PID 1956)
    command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp4EAC.tmp.bat""
    - Suspicious use of WriteProcessMemory
    - C:\Windows\system32\timeout.exe (PID 3952)
      command line: timeout 3
      - Delays execution with timeout.exe
    - C:\Users\Admin\AppData\Roaming\cwel.exe (PID 2512)
      command line: "C:\Users\Admin\AppData\Roaming\cwel.exe"
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 148B
  MD5: cf86a6abb05c30050fe2084d653694d0
  SHA1: bc80a92eeee51f8945214d771330cd4b3018e22f
  SHA256: b1eb1e750dcb5a20f93b32aecc6c00aca089484d47be06be936a08dcd9209306
  SHA512: 3731bb4b8490b25ab3359ece0683c7e6867bb99012ca27a8964b5a87765bfed6cdb59561c45f8c9eac249e6448e31817986c857a34c62f3f7520f9105ffd655f
- Filesize: 63KB
  MD5: 0b2ea56da9323d28eb13700901a3d821
  SHA1: beac98a0e292050ce6fda1efdb550342861427dd
  SHA256: 9b0ceae770fefa240406c89e24ad6468397db6c3105ea4bd800e433fd608cbd3
  SHA512: a26783b1ae66fa56a4162dc893ec5865e009e1cd94862edb2933099fd81e70883ef2aa4a6de5d876c73670df31abd899d3682a47fcc458b9995ea5d0e9b71ab8