7fad3e1162e2820c97692c05eabcefecff1cf08c24f0c3753b97174385424ae8

Resubmissions

18/08/2024, 16:42

240818-t73smswfqj 7

18/08/2024, 16:40

240818-t6md9stamg 7

Analysis

max time kernel
53s
max time network
55s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
18/08/2024, 16:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Anymars.exe
Size

6.3MB
MD5

bd088392f482ec1cd9724bfd453469b9
SHA1

bc2b9765c17e5b80bdf1d09354b2902c284e8fc1
SHA256

7fad3e1162e2820c97692c05eabcefecff1cf08c24f0c3753b97174385424ae8
SHA512

05ec11a806cc3cc6af0fbaa288a0d51b4a14fd470b1a0ac17f885420323f59b36f8167278e746b124a9ee196172dca720952fb08906b6d54dccc8acf7ed72f17
SSDEEP

196608:iwcgGFD2WIR9VCvcd++tlAtpJS+xa4X898fvvVBvIrQ:AgGFD2WIR9VCyjtlepJy6fnIU

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
4492	Anymars.tmp

Loads dropped DLL 2 IoCs

pid	Process
4492	Anymars.tmp
4492	Anymars.tmp

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4152	4492	WerFault.exe	87

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Anymars.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Anymars.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	POWERPNT.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	POWERPNT.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	POWERPNT.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	POWERPNT.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	POWERPNT.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	POWERPNT.EXE

Modifies registry class 5 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Classes\Applications\BeamNG.drive\SupportedTypes	Anymars.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Applications	Anymars.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Applications\BeamNG.drive	Anymars.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Applications\BeamNG.drive\SupportedTypes	Anymars.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Applications\BeamNG.drive\SupportedTypes\.myp	Anymars.tmp

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
1972	POWERPNT.EXE

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: 33	5064	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	5064	AUDIODG.EXE

Suspicious use of FindShellTrayWindow 45 IoCs

pid	Process
4492	Anymars.tmp
4492	Anymars.tmp
4492	Anymars.tmp
4492	Anymars.tmp
4492	Anymars.tmp
4492	Anymars.tmp
4492	Anymars.tmp
4492	Anymars.tmp
4492	Anymars.tmp
4492	Anymars.tmp
4492	Anymars.tmp
4492	Anymars.tmp
4492	Anymars.tmp
4492	Anymars.tmp
4492	Anymars.tmp
4492	Anymars.tmp
4492	Anymars.tmp
4492	Anymars.tmp
4492	Anymars.tmp
4492	Anymars.tmp
4492	Anymars.tmp
4492	Anymars.tmp
4492	Anymars.tmp
4492	Anymars.tmp
4492	Anymars.tmp
4492	Anymars.tmp
4492	Anymars.tmp
4492	Anymars.tmp
4492	Anymars.tmp
4492	Anymars.tmp
4492	Anymars.tmp
4492	Anymars.tmp
4492	Anymars.tmp
4492	Anymars.tmp
4492	Anymars.tmp
4492	Anymars.tmp
4492	Anymars.tmp
4492	Anymars.tmp
4492	Anymars.tmp
4492	Anymars.tmp
4492	Anymars.tmp
4492	Anymars.tmp
4492	Anymars.tmp
4492	Anymars.tmp
4492	Anymars.tmp

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
1972	POWERPNT.EXE
1972	POWERPNT.EXE
1972	POWERPNT.EXE
1972	POWERPNT.EXE

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2040 wrote to memory of 4492	2040	Anymars.exe	87
PID 2040 wrote to memory of 4492	2040	Anymars.exe	87
PID 2040 wrote to memory of 4492	2040	Anymars.exe	87

C:\Users\Admin\AppData\Local\Temp\Anymars.exe
"C:\Users\Admin\AppData\Local\Temp\Anymars.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2040
- C:\Users\Admin\AppData\Local\Temp\is-FDEIM.tmp\Anymars.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-FDEIM.tmp\Anymars.tmp" /SL5="$A0056,5012273,1031168,C:\Users\Admin\AppData\Local\Temp\Anymars.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of FindShellTrayWindow
  PID:4492
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4492 -s 1456
    3⤵
    - Program crash
    PID:4152

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x514 0x470
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:5064

C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE
"C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE" "C:\Users\Admin\Desktop\SkipResolve.odp" /ou ""
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:1972

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 4492 -ip 4492
1⤵
PID:2292

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\is-51E8T.tmp\bass.dll

Filesize
126KB

MD5
f2a113b6ee24d9382953c9729ae357af

SHA1
749f4512a02287095a53db634783f7e399cd31b9

SHA256
0738dc614d751b3b08125c03a920fc243a3e5eea4f16d3374d8d94a6e2454477

SHA512
f9f366515b337c9df48ff1a21fb124091b2bec94c8a2d94de9c17c210b24931222a11d5b9914ea2fa40807ff7d4322d72d7779f34d07ce3ca2a44795718d047b

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-51E8T.tmp\unarc.dll

Filesize
333KB

MD5
56a2bcecbd3cddd6f4a35361bf4920d6

SHA1
992e63be423f0e61093ba183f49fc0cbec790488

SHA256
5fcfac18758a12e0e717a5189f379922a32b5ac12f26491e638d70b54ae1dcab

SHA512
473cbdf760242db1f0f1d0c27046c0564998f2bf931ad03feb28af3c7bd253d00e6f0836dadf37f29e0db4171eb64e6a15ed4cb9a9d28b48fb0aab601573f551

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-FDEIM.tmp\Anymars.tmp

Filesize
3.2MB

MD5
5f5081151e5aff7096856939e5ac1f24

SHA1
bcd827ac74037a4955ed0e739f97ef1129913187

SHA256
ca39be3b5059229dddc16cc3b9cf1127479ef980e080557f5b8cad4b755e0a28

SHA512
d6ad307237e64ed0fdf5065a83fd2e45bd501d8d06ce0fe6e75eca4ce9166ca62bf6c6698c10093796a183cee87468c8e74a8e2b9547c8ef161f3d052c76c713

Download Submit
memory/1972-59-0x00007FFBF4F70000-0x00007FFBF5165000-memory.dmp

Filesize
2.0MB

Download
memory/1972-58-0x00007FFBF4F70000-0x00007FFBF5165000-memory.dmp

Filesize
2.0MB

Download
memory/1972-98-0x00007FFBF4F70000-0x00007FFBF5165000-memory.dmp

Filesize
2.0MB

Download
memory/1972-95-0x00007FFBB4FF0000-0x00007FFBB5000000-memory.dmp

Filesize
64KB

Download
memory/1972-97-0x00007FFBB4FF0000-0x00007FFBB5000000-memory.dmp

Filesize
64KB

Download
memory/1972-96-0x00007FFBB4FF0000-0x00007FFBB5000000-memory.dmp

Filesize
64KB

Download
memory/1972-94-0x00007FFBB4FF0000-0x00007FFBB5000000-memory.dmp

Filesize
64KB

Download
memory/1972-83-0x00007FFBF500D000-0x00007FFBF500E000-memory.dmp

Filesize
4KB

Download
memory/1972-84-0x00007FFBF4F70000-0x00007FFBF5165000-memory.dmp

Filesize
2.0MB

Download
memory/1972-79-0x00007FFBF4F70000-0x00007FFBF5165000-memory.dmp

Filesize
2.0MB

Download
memory/1972-55-0x00007FFBB2DD0000-0x00007FFBB2DE0000-memory.dmp

Filesize
64KB

Download
memory/1972-45-0x00007FFBF4F70000-0x00007FFBF5165000-memory.dmp

Filesize
2.0MB

Download
memory/1972-60-0x00007FFBF4F70000-0x00007FFBF5165000-memory.dmp

Filesize
2.0MB

Download
memory/1972-52-0x00007FFBF4F70000-0x00007FFBF5165000-memory.dmp

Filesize
2.0MB

Download
memory/1972-40-0x00007FFBB4FF0000-0x00007FFBB5000000-memory.dmp

Filesize
64KB

Download
memory/1972-43-0x00007FFBB4FF0000-0x00007FFBB5000000-memory.dmp

Filesize
64KB

Download
memory/1972-44-0x00007FFBF4F70000-0x00007FFBF5165000-memory.dmp

Filesize
2.0MB

Download
memory/1972-46-0x00007FFBB4FF0000-0x00007FFBB5000000-memory.dmp

Filesize
64KB

Download
memory/1972-47-0x00007FFBB4FF0000-0x00007FFBB5000000-memory.dmp

Filesize
64KB

Download
memory/1972-42-0x00007FFBB4FF0000-0x00007FFBB5000000-memory.dmp

Filesize
64KB

Download
memory/1972-49-0x00007FFBF4F70000-0x00007FFBF5165000-memory.dmp

Filesize
2.0MB

Download
memory/1972-48-0x00007FFBF4F70000-0x00007FFBF5165000-memory.dmp

Filesize
2.0MB

Download
memory/1972-61-0x00007FFBF4F70000-0x00007FFBF5165000-memory.dmp

Filesize
2.0MB

Download
memory/1972-41-0x00007FFBF500D000-0x00007FFBF500E000-memory.dmp

Filesize
4KB

Download
memory/1972-57-0x00007FFBF4F70000-0x00007FFBF5165000-memory.dmp

Filesize
2.0MB

Download
memory/1972-51-0x00007FFBB2DD0000-0x00007FFBB2DE0000-memory.dmp

Filesize
64KB

Download
memory/1972-53-0x00007FFBF4F70000-0x00007FFBF5165000-memory.dmp

Filesize
2.0MB

Download
memory/1972-50-0x00007FFBF4F70000-0x00007FFBF5165000-memory.dmp

Filesize
2.0MB

Download
memory/1972-54-0x00007FFBF4F70000-0x00007FFBF5165000-memory.dmp

Filesize
2.0MB

Download
memory/1972-56-0x00007FFBF4F70000-0x00007FFBF5165000-memory.dmp

Filesize
2.0MB

Download
memory/2040-20-0x0000000000400000-0x0000000000509000-memory.dmp

Filesize
1.0MB

Download
memory/2040-87-0x0000000000400000-0x0000000000509000-memory.dmp

Filesize
1.0MB

Download
memory/2040-2-0x0000000000401000-0x00000000004B7000-memory.dmp

Filesize
728KB

Download
memory/2040-0-0x0000000000400000-0x0000000000509000-memory.dmp

Filesize
1.0MB

Download
memory/4492-21-0x0000000000400000-0x0000000000745000-memory.dmp

Filesize
3.3MB

Download
memory/4492-38-0x0000000000400000-0x0000000000745000-memory.dmp

Filesize
3.3MB

Download
memory/4492-6-0x0000000000400000-0x0000000000745000-memory.dmp

Filesize
3.3MB

Download
memory/4492-28-0x0000000000DA0000-0x0000000000EE0000-memory.dmp

Filesize
1.2MB

Download
memory/4492-29-0x0000000000DA0000-0x0000000000EE0000-memory.dmp

Filesize
1.2MB

Download
memory/4492-30-0x0000000000400000-0x0000000000745000-memory.dmp

Filesize
3.3MB

Download
memory/4492-22-0x0000000061080000-0x0000000061119000-memory.dmp

Filesize
612KB

Download
memory/4492-19-0x0000000000400000-0x0000000000745000-memory.dmp

Filesize
3.3MB

Download
memory/4492-17-0x0000000000400000-0x0000000000745000-memory.dmp

Filesize
3.3MB

Download
memory/4492-14-0x0000000073E00000-0x0000000073E4B000-memory.dmp

Filesize
300KB

Download
memory/4492-33-0x0000000061080000-0x0000000061119000-memory.dmp

Filesize
612KB

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads