Overview

overview

10

Static

static

10

Anarchy Pa...ed.rar

windows7-x64

3

Anarchy Pa...ed.rar

windows10-2004-x64

3

Anarchy Pa...er.exe

windows7-x64

10

Anarchy Pa...er.exe

windows10-2004-x64

10

Anarchy Pa...xe.xml

windows7-x64

3

Anarchy Pa...xe.xml

windows10-2004-x64

1

Anarchy Pa...oG.dll

windows7-x64

1

Anarchy Pa...oG.dll

windows10-2004-x64

1

Anarchy Pa...uJ.dll

windows7-x64

1

Anarchy Pa...uJ.dll

windows10-2004-x64

1

Anarchy Pa...qM.dll

windows7-x64

1

Anarchy Pa...qM.dll

windows10-2004-x64

1

Anarchy Pa...LC.dll

windows7-x64

1

Anarchy Pa...LC.dll

windows10-2004-x64

1

Anarchy Pa...wp.dll

windows7-x64

1

Anarchy Pa...wp.dll

windows10-2004-x64

1

Anarchy Pa...uZ.dll

windows7-x64

1

Anarchy Pa...uZ.dll

windows10-2004-x64

1

Anarchy Pa...nG.dll

windows7-x64

1

Anarchy Pa...nG.dll

windows10-2004-x64

1

Anarchy Pa...TS.dll

windows7-x64

1

Anarchy Pa...TS.dll

windows10-2004-x64

1

Anarchy Pa...xj.dll

windows7-x64

1

Anarchy Pa...xj.dll

windows10-2004-x64

1

Anarchy Pa...pi.dll

windows7-x64

1

Anarchy Pa...pi.dll

windows10-2004-x64

1

Anarchy Pa...s4.dll

windows7-x64

1

Anarchy Pa...s4.dll

windows10-2004-x64

1

Anarchy Pa...Ya.dll

windows7-x64

1

Anarchy Pa...Ya.dll

windows10-2004-x64

1

Anarchy Pa...Jn.dll

windows7-x64

1

Anarchy Pa...Jn.dll

windows10-2004-x64

1

Analysis

  • max time kernel
    579s
  • max time network
    599s
  • platform
    windows7_x64
  • resource
    win7-20240704-en
  • resource tags

    arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
  • submitted
    07-08-2024 08:08

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Anarchy Panel Leaked/Anarchy Loader.exe

  • Size

    54.7MB

  • MD5

    5016491d1b400d431bf64bdfaa2402f2

  • SHA1

    87c7f677cdbebefdedc3d7d975c2bb4f7725412a

  • SHA256

    98b14faa7577d52999942de580275ecd78ef3f1e236ab52f646ceb562fce07ad

  • SHA512

    cad0fd505e07b81540408a71e311e2e23f305a7508859d411a7b1d8d1a90547c264da4cf25c39fb0a1f33070f51bfafb42265be64affe9c4f07e61c4411d98d6

  • SSDEEP

    1572864:r7s7RAkmum9Dio4y92UGp1DUMSoZ4XisCTK+OhiO0iQOCL:rI79hm9D54yAUs1DUBh3CTjOqiQO

Score
10/10
asyncratxwormpersistencerattrojan

Malware Config

Extracted

Family

xworm

C2

209.25.141.181:31533

Attributes
  • Install_directory

    %Temp%

  • install_file

    INCCHECK.exe

Signatures

  • AsyncRat

    AsyncRAT is designed to remotely monitor and control other computers written in C#.

    ratasyncrat
  • Detect Xworm Payload 2 IoCs
  • Xworm

    Xworm is a remote access trojan written in C#.

    trojanratxworm
  • .NET Reactor proctector 1 IoCs

    Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.

  • Drops startup file 2 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 1 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Anarchy Panel Leaked\Anarchy Loader.exe
    "C:\Users\Admin\AppData\Local\Temp\Anarchy Panel Leaked\Anarchy Loader.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:3008
    • C:\Users\Admin\AppData\Local\Temp\Anarchy Panel Leaked\AnarchyInstall.exe
      "C:\Users\Admin\AppData\Local\Temp\Anarchy Panel Leaked\AnarchyInstall.exe"
      2⤵
      • Drops startup file
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of AdjustPrivilegeToken
      PID:2160
    • C:\Users\Admin\AppData\Local\Temp\Anarchy Panel Leaked\Anarchy Panel.exe
      "C:\Users\Admin\AppData\Local\Temp\Anarchy Panel Leaked\Anarchy Panel.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious use of AdjustPrivilegeToken
      PID:2096

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\Anarchy Panel Leaked\AnarchyInstall.exe
    Filesize

    95KB

    MD5

    57fdae25873ed915da75aa33c9eb6d66

    SHA1

    5f835c20c97fc83b976fbea8345b01d96e5f1546

    SHA256

    c9074dc3e9e6e06260f4e40980ef2fbfd8b50cf449e20f250d277cadbd7909c0

    SHA512

    1191005e24a64b215ea866c8472411e13b22908ae98d42c758bb317bd6182cd671321d7c501db4d779e2234106d7cf8a118eea9f9dd698f578dc25b0098088f6

    Download Submit

  • \Users\Admin\AppData\Local\Temp\Costura\C5730A4C0FDD612A5678E51A536CE09E\64\sqlite.interop.dll
    Filesize

    1.7MB

    MD5

    56a504a34d2cfbfc7eaa2b68e34af8ad

    SHA1

    426b48b0f3b691e3bb29f465aed9b936f29fc8cc

    SHA256

    9309fb2a3f326d0f2cc3f2ab837cfd02e4f8cb6b923b3b2be265591fd38f4961

    SHA512

    170c3645083d869e2368ee16325d7edaeba2d8f1d3d4a6a1054cfdd8616e03073772eeae30c8f79a93173825f83891e7b0e4fd89ef416808359f715a641747d7

    Download Submit

  • memory/2096-21-0x0000000000F90000-0x000000000462E000-memory.dmp

    Filesize

    54.6MB

    Download

  • memory/2096-26-0x000000001EF30000-0x000000001F518000-memory.dmp

    Filesize

    5.9MB

    Download

  • memory/2096-27-0x000000001F760000-0x000000001FB20000-memory.dmp

    Filesize

    3.8MB

    Download

  • memory/2160-7-0x0000000000970000-0x000000000098E000-memory.dmp

    Filesize

    120KB

    Download

  • memory/2160-8-0x000007FEF4D70000-0x000007FEF575C000-memory.dmp

    Filesize

    9.9MB

    Download

  • memory/2160-20-0x000007FEF4D70000-0x000007FEF575C000-memory.dmp

    Filesize

    9.9MB

    Download

  • memory/2160-28-0x000007FEF4D70000-0x000007FEF575C000-memory.dmp

    Filesize

    9.9MB

    Download

  • memory/3008-0-0x000007FEF4D73000-0x000007FEF4D74000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3008-1-0x0000000000130000-0x00000000037F4000-memory.dmp

    Filesize

    54.8MB

    Download