Analysis
max time kernel: 53s
max time network: 55s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64 arch:x86 image:win10v2004-20240802-en locale:en-us os:windows10-2004-x64 system
submitted: 18/08/2024, 16:40
Static task
static1
Behavioral task
behavioral1
Sample
Anymars.exe
Resource
win10v2004-20240802-en
Behavioral task
behavioral2
Sample
Anymars.exe
Resource
win11-20240802-en
General
Target: Anymars.exe
Size: 6.3MB
MD5: bd088392f482ec1cd9724bfd453469b9
SHA1: bc2b9765c17e5b80bdf1d09354b2902c284e8fc1
SHA256: 7fad3e1162e2820c97692c05eabcefecff1cf08c24f0c3753b97174385424ae8
SHA512: 05ec11a806cc3cc6af0fbaa288a0d51b4a14fd470b1a0ac17f885420323f59b36f8167278e746b124a9ee196172dca720952fb08906b6d54dccc8acf7ed72f17
SSDEEP: 196608:iwcgGFD2WIR9VCvcd++tlAtpJS+xa4X898fvvVBvIrQ:AgGFD2WIR9VCyjtlepJy6fnIU
Malware Config
Signatures
-
Executes dropped EXE (1 IoC)
pid 4492  Process Anymars.tmp
-
Loads dropped DLL (2 IoCs)
pid 4492  Process Anymars.tmp
pid 4492  Process Anymars.tmp
-
Checks installed software on the system (1 TTP)
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
-
Program crash (1 IoC)
pid 4152  pid_target 4492  Process WerFault.exe  procid_target 87
The crash target, PID 4492, is the sample's own second stage (Anymars.tmp), so the behaviour recorded in this run is what happened before the installer died; treat the signature set as a lower bound on what the sample does on a host where it runs to completion.
-
System Location Discovery: System Language Discovery (1 TTP, 2 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description  ioc  Process
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  Anymars.tmp
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  Anymars.exe
-
Checks processor information in registry (2 TTPs, 3 IoCs)
Processor information is often read in order to detect sandboxing environments.
description  ioc  Process
Key opened  \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0  POWERPNT.EXE
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz  POWERPNT.EXE
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString  POWERPNT.EXE
Every IoC in this signature, in the BIOS enumeration below, and in the AddClipboardFormatListener and SetWindowsHookEx signatures is attributed to POWERPNT.EXE (PID 1972). The process tree lists PowerPoint as a separate top-level process with no parent link to Anymars.exe, so these reads are environment activity rather than sample behaviour unless further evidence ties them to the sample.
-
Enumerates system info in registry (2 TTPs, 3 IoCs)
description  ioc  Process
Key opened  \REGISTRY\MACHINE\Hardware\Description\System\BIOS  POWERPNT.EXE
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily  POWERPNT.EXE
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU  POWERPNT.EXE
-
Modifies registry class (5 IoCs)
description  ioc  Process
Key created  \REGISTRY\MACHINE\Software\Classes\Applications\BeamNG.drive\SupportedTypes  Anymars.tmp
Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\Applications  Anymars.tmp
Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\Applications\BeamNG.drive  Anymars.tmp
Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\Applications\BeamNG.drive\SupportedTypes  Anymars.tmp
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\Applications\BeamNG.drive\SupportedTypes\.myp  Anymars.tmp
-
Suspicious behavior: AddClipboardFormatListener (1 IoC)
pid 1972  Process POWERPNT.EXE
-
Suspicious use of AdjustPrivilegeToken (2 IoCs)
description  pid  Process
Token: 33  5064  AUDIODG.EXE
Token: SeIncBasePriorityPrivilege  5064  AUDIODG.EXE
-
Suspicious use of FindShellTrayWindow (45 IoCs)
pid 4492  Process Anymars.tmp  (the same entry repeated 45 times)
-
Suspicious use of SetWindowsHookEx (4 IoCs)
pid 1972  Process POWERPNT.EXE  (the same entry repeated 4 times)
-
Suspicious use of WriteProcessMemory (3 IoCs)
description  pid  Process  procid_target
PID 2040 wrote to memory of 4492  2040  Anymars.exe  87
PID 2040 wrote to memory of 4492  2040  Anymars.exe  87
PID 2040 wrote to memory of 4492  2040  Anymars.exe  87
Processes
-
C:\Users\Admin\AppData\Local\Temp\Anymars.exe (depth 1)
  "C:\Users\Admin\AppData\Local\Temp\Anymars.exe"
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID: 2040
  -
  C:\Users\Admin\AppData\Local\Temp\is-FDEIM.tmp\Anymars.tmp (depth 2)
    "C:\Users\Admin\AppData\Local\Temp\is-FDEIM.tmp\Anymars.tmp" /SL5="$A0056,5012273,1031168,C:\Users\Admin\AppData\Local\Temp\Anymars.exe"
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of FindShellTrayWindow
    PID: 4492
    -
    C:\Windows\SysWOW64\WerFault.exe (depth 3)
      C:\Windows\SysWOW64\WerFault.exe -u -p 4492 -s 1456
      - Program crash
      PID: 4152
-
C:\Windows\system32\AUDIODG.EXE (depth 1)
  C:\Windows\system32\AUDIODG.EXE 0x514 0x470
  - Suspicious use of AdjustPrivilegeToken
  PID: 5064
-
C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE (depth 1)
  "C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE" "C:\Users\Admin\Desktop\SkipResolve.odp" /ou ""
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
  PID: 1972
-
C:\Windows\SysWOW64\WerFault.exe (depth 1)
  C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 4492 -ip 4492
  PID: 2292

The chain Anymars.exe -> is-FDEIM.tmp\Anymars.tmp /SL5="$...,<original exe path>" is the standard Inno Setup two-stage launch: the outer executable is the loader stub, which extracts the real setup program into a temporary is-<random>.tmp directory and re-launches it with the parent window handle, offsets into the original file and the original path on the command line. That accounts for the "Executes dropped EXE" and "Loads dropped DLL" signatures, and the three WriteProcessMemory entries are PID 2040 writing into its child 4492 at creation time, which is expected when a parent spawns a process and is not by itself evidence of injection. The writes under Classes\Applications\BeamNG.drive\SupportedTypes\.myp are consistent with an installer registering a file type for that application. Both WerFault.exe instances report on PID 4492 (-p 4492), so the second stage crashed before the install finished.
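The following Python is an added example, not part of the tria.ge report and not the sample's code. It transcribes the process rows above and a subset of the registry IoCs from the Signatures section as constructed input, rebuilds the parent/child tree from indentation depth, decodes the Inno Setup /SL5 second-stage command line (the field names parent_hwnd, offset0, offset1 and original_exe are this example's reading of the loader convention, not something the report states), links each WerFault.exe instance to the PID it reports on, and labels registry reads against the fingerprinting key prefixes named in the signatures. The Uninstall key prefix is the standard location assumed for the "Checks installed software" signature, which lists no path on this page.

```python
"""Triage helpers for the tria.ge report above (added example, not the report's own code)."""
import re
from collections import defaultdict

# Process rows transcribed from the Processes section: (pid, tree depth, command line).
# The report encodes parent/child only as indentation depth, so parent PIDs are derived
# from depth order (assumption: rows appear in tree order, as they do on the page).
REPORT_PROCESSES = [
    (2040, 1, r'"C:\Users\Admin\AppData\Local\Temp\Anymars.exe"'),
    (4492, 2, r'"C:\Users\Admin\AppData\Local\Temp\is-FDEIM.tmp\Anymars.tmp" '
              r'/SL5="$A0056,5012273,1031168,C:\Users\Admin\AppData\Local\Temp\Anymars.exe"'),
    (4152, 3, r'C:\Windows\SysWOW64\WerFault.exe -u -p 4492 -s 1456'),
    (5064, 1, r'C:\Windows\system32\AUDIODG.EXE 0x514 0x470'),
    (1972, 1, r'"C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE" '
              r'"C:\Users\Admin\Desktop\SkipResolve.odp" /ou ""'),
    (2292, 1, r'C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 4492 -ip 4492'),
]

# Registry IoCs transcribed from the Signatures section: (operation, key path, process).
REPORT_REGISTRY_IOCS = [
    ("Key opened", r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language", "Anymars.tmp"),
    ("Key opened", r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language", "Anymars.exe"),
    ("Key value queried", r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz", "POWERPNT.EXE"),
    ("Key value queried", r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU", "POWERPNT.EXE"),
    ("Set value (str)", r"\REGISTRY\MACHINE\SOFTWARE\Classes\Applications\BeamNG.drive\SupportedTypes\.myp", "Anymars.tmp"),
]

# HKLM-relative, upper-cased key prefixes behind the fingerprinting signatures above. The
# Uninstall prefix is an assumed standard location; the report lists no path for that signature.
FINGERPRINT_PREFIXES = {
    "cpu-fingerprint": r"HARDWARE\DESCRIPTION\SYSTEM\CENTRALPROCESSOR",
    "bios-fingerprint": r"HARDWARE\DESCRIPTION\SYSTEM\BIOS",
    "language-discovery": r"SYSTEM\CONTROLSET001\CONTROL\NLS\LANGUAGE",
    "installed-software": r"SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL",
}
READ_OPS = {"key opened", "key value queried"}  # "Set value"/"Key created" are writes, not recon
HKLM_PREFIX = "\\REGISTRY\\MACHINE\\"
SL5_RE = re.compile(r'/SL5="\$([0-9A-Fa-f]+),(\d+),(\d+),([^"]+)"')
WERFAULT_PID_RE = re.compile(r"(?:^|\s)-p\s+(\d+)(?:\s|$)")


def build_parent_map(rows):
    """Map each PID to its parent PID using tree depth; top-level processes map to None."""
    parents, stack = {}, []  # stack holds (depth, pid) for the current ancestor chain
    for pid, depth, _ in rows:
        while stack and stack[-1][0] >= depth:
            stack.pop()
        parents[pid] = stack[-1][1] if stack else None
        stack.append((depth, pid))
    return parents


def parse_sl5(cmdline):
    """Decode an Inno Setup second-stage argument /SL5="$hwnd,off0,off1,path", or return None.

    Field names are this example's reading of the loader convention; the report only
    shows the raw string.
    """
    m = SL5_RE.search(cmdline)
    if not m:
        return None
    return {"parent_hwnd": int(m.group(1), 16), "offset0": int(m.group(2)),
            "offset1": int(m.group(3)), "original_exe": m.group(4)}


def werfault_target(cmdline):
    """Return the PID a WerFault.exe command line reports on (its -p argument), else None."""
    if "werfault.exe" not in cmdline.lower():
        return None
    m = WERFAULT_PID_RE.search(cmdline)
    return int(m.group(1)) if m else None


def classify_registry_iocs(iocs):
    """Group fingerprint-style registry reads as {process: set(labels)}; writes are skipped."""
    hits = defaultdict(set)
    for op, path, proc in iocs:
        if op.lower() not in READ_OPS:
            continue
        norm = path.upper()
        if norm.startswith(HKLM_PREFIX):
            norm = norm[len(HKLM_PREFIX):]
        for label, prefix in FINGERPRINT_PREFIXES.items():
            if norm.startswith(prefix):
                hits[proc].add(label)
    return dict(hits)


def triage(rows=REPORT_PROCESSES, iocs=REPORT_REGISTRY_IOCS):
    """Summarise loader chains, crash reports and registry reconnaissance from report rows."""
    stage2, crashes = {}, {}
    for pid, _, cmd in rows:
        if (sl5 := parse_sl5(cmd)) is not None:
            stage2[pid] = sl5
        if (target := werfault_target(cmd)) is not None:
            crashes[pid] = target
    return {"parents": build_parent_map(rows), "inno_stage2": stage2,
            "crash_reports": crashes, "registry_recon": classify_registry_iocs(iocs)}


if __name__ == "__main__":
    for key, value in triage().items():
        print(f"{key}: {value}")
```

Run as-is it prints the parent map (4492 under 2040, 4152 under 4492, everything else top-level), the decoded /SL5 record for PID 4492, both WerFault instances resolved to PID 4492, and the registry reconnaissance split by process, which makes the POWERPNT.EXE-only attribution of the CPU and BIOS reads immediately visible. Swap in rows from another report to reuse it; the depth-to-parent reconstruction is the only part that relies on the page's tree ordering.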
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize: 126KB
MD5: f2a113b6ee24d9382953c9729ae357af
SHA1: 749f4512a02287095a53db634783f7e399cd31b9
SHA256: 0738dc614d751b3b08125c03a920fc243a3e5eea4f16d3374d8d94a6e2454477
SHA512: f9f366515b337c9df48ff1a21fb124091b2bec94c8a2d94de9c17c210b24931222a11d5b9914ea2fa40807ff7d4322d72d7779f34d07ce3ca2a44795718d047b
-
Filesize: 333KB
MD5: 56a2bcecbd3cddd6f4a35361bf4920d6
SHA1: 992e63be423f0e61093ba183f49fc0cbec790488
SHA256: 5fcfac18758a12e0e717a5189f379922a32b5ac12f26491e638d70b54ae1dcab
SHA512: 473cbdf760242db1f0f1d0c27046c0564998f2bf931ad03feb28af3c7bd253d00e6f0836dadf37f29e0db4171eb64e6a15ed4cb9a9d28b48fb0aab601573f551
-
Filesize: 3.2MB
MD5: 5f5081151e5aff7096856939e5ac1f24
SHA1: bcd827ac74037a4955ed0e739f97ef1129913187
SHA256: ca39be3b5059229dddc16cc3b9cf1127479ef980e080557f5b8cad4b755e0a28
SHA512: d6ad307237e64ed0fdf5065a83fd2e45bd501d8d06ce0fe6e75eca4ce9166ca62bf6c6698c10093796a183cee87468c8e74a8e2b9547c8ef161f3d052c76c713