Analysis
-
max time kernel
574s -
max time network
594s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
-
submitted
07-08-2024 08:08
General
-
Target
Anarchy Panel Leaked/Anarchy Loader.exe
-
Size
54.7MB
-
MD5
5016491d1b400d431bf64bdfaa2402f2
-
SHA1
87c7f677cdbebefdedc3d7d975c2bb4f7725412a
-
SHA256
98b14faa7577d52999942de580275ecd78ef3f1e236ab52f646ceb562fce07ad
-
SHA512
cad0fd505e07b81540408a71e311e2e23f305a7508859d411a7b1d8d1a90547c264da4cf25c39fb0a1f33070f51bfafb42265be64affe9c4f07e61c4411d98d6
-
SSDEEP
1572864:r7s7RAkmum9Dio4y92UGp1DUMSoZ4XisCTK+OhiO0iQOCL:rI79hm9D54yAUs1DUBh3CTjOqiQO
Malware Config
Extracted
xworm
209.25.141.181:31533
-
Install_directory
%Temp%
-
install_file
INCCHECK.exe
Signatures
-
AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
-
Detect Xworm Payload 2 IoCs
-
Xworm
Xworm is a remote access trojan written in C#.
-
.NET Reactor proctector 1 IoCs
Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Drops startup file 2 IoCs
-
Executes dropped EXE 2 IoCs
-
Loads dropped DLL 1 IoCs
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious use of AdjustPrivilegeToken 3 IoCs
-
Suspicious use of WriteProcessMemory 4 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\Anarchy Panel Leaked\Anarchy Loader.exe"C:\Users\Admin\AppData\Local\Temp\Anarchy Panel Leaked\Anarchy Loader.exe"1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\Anarchy Panel Leaked\AnarchyInstall.exe"C:\Users\Admin\AppData\Local\Temp\Anarchy Panel Leaked\AnarchyInstall.exe"2⤵
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\AppData\Local\Temp\Anarchy Panel Leaked\Anarchy Panel.exe"C:\Users\Admin\AppData\Local\Temp\Anarchy Panel Leaked\Anarchy Panel.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
95KB
MD557fdae25873ed915da75aa33c9eb6d66
SHA15f835c20c97fc83b976fbea8345b01d96e5f1546
SHA256c9074dc3e9e6e06260f4e40980ef2fbfd8b50cf449e20f250d277cadbd7909c0
SHA5121191005e24a64b215ea866c8472411e13b22908ae98d42c758bb317bd6182cd671321d7c501db4d779e2234106d7cf8a118eea9f9dd698f578dc25b0098088f6
-
Filesize
1.7MB
MD556a504a34d2cfbfc7eaa2b68e34af8ad
SHA1426b48b0f3b691e3bb29f465aed9b936f29fc8cc
SHA2569309fb2a3f326d0f2cc3f2ab837cfd02e4f8cb6b923b3b2be265591fd38f4961
SHA512170c3645083d869e2368ee16325d7edaeba2d8f1d3d4a6a1054cfdd8616e03073772eeae30c8f79a93173825f83891e7b0e4fd89ef416808359f715a641747d7
-
Filesize
1.2MB
-
Filesize
120KB
-
Filesize
1.2MB
-
Filesize
54.8MB
-
Filesize
1.2MB
-
Filesize
1.2MB
-
Filesize
1.2MB
-
Filesize
72KB
-
Filesize
5.9MB
-
Filesize
3.8MB
-
Filesize
54.6MB
-
Filesize
1.2MB