7fad3e1162e2820c97692c05eabcefecff1cf08c24f0c3753b97174385424ae8

Resubmissions

18/08/2024, 16:42

240818-t73smswfqj 7

18/08/2024, 16:40

240818-t6md9stamg 7

Analysis

max time kernel
77s
max time network
17s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
18/08/2024, 16:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Anymars.exe
Size

6.3MB
MD5

bd088392f482ec1cd9724bfd453469b9
SHA1

bc2b9765c17e5b80bdf1d09354b2902c284e8fc1
SHA256

7fad3e1162e2820c97692c05eabcefecff1cf08c24f0c3753b97174385424ae8
SHA512

05ec11a806cc3cc6af0fbaa288a0d51b4a14fd470b1a0ac17f885420323f59b36f8167278e746b124a9ee196172dca720952fb08906b6d54dccc8acf7ed72f17
SSDEEP

196608:iwcgGFD2WIR9VCvcd++tlAtpJS+xa4X898fvvVBvIrQ:AgGFD2WIR9VCyjtlepJy6fnIU

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2828	Anymars.tmp

Loads dropped DLL 3 IoCs

pid	Process
2732	Anymars.exe
2828	Anymars.tmp
2828	Anymars.tmp

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Anymars.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Anymars.tmp

Modifies registry class 5 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Classes\Applications\BeamNG.drive\SupportedTypes	Anymars.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Applications	Anymars.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Applications\BeamNG.drive	Anymars.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Applications\BeamNG.drive\SupportedTypes	Anymars.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Applications\BeamNG.drive\SupportedTypes\.myp	Anymars.tmp

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
1956	vlc.exe

Suspicious behavior: EnumeratesProcesses 15 IoCs

pid	Process
2872	taskmgr.exe
2872	taskmgr.exe
2872	taskmgr.exe
2872	taskmgr.exe
2872	taskmgr.exe
2872	taskmgr.exe
2872	taskmgr.exe
2872	taskmgr.exe
2872	taskmgr.exe
2872	taskmgr.exe
2872	taskmgr.exe
2872	taskmgr.exe
2872	taskmgr.exe
2872	taskmgr.exe
2872	taskmgr.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
1956	vlc.exe
2872	taskmgr.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2872	taskmgr.exe

Suspicious use of FindShellTrayWindow 52 IoCs

pid	Process
2828	Anymars.tmp
1956	vlc.exe
1956	vlc.exe
1956	vlc.exe
1956	vlc.exe
1956	vlc.exe
1956	vlc.exe
1956	vlc.exe
1956	vlc.exe
1956	vlc.exe
2872	taskmgr.exe
2872	taskmgr.exe
2872	taskmgr.exe
2872	taskmgr.exe
2872	taskmgr.exe
2872	taskmgr.exe
2872	taskmgr.exe
2872	taskmgr.exe
2872	taskmgr.exe
2872	taskmgr.exe
2872	taskmgr.exe
2872	taskmgr.exe
2872	taskmgr.exe
2872	taskmgr.exe
2872	taskmgr.exe
2872	taskmgr.exe
2872	taskmgr.exe
2872	taskmgr.exe
2872	taskmgr.exe
2872	taskmgr.exe
2872	taskmgr.exe
2872	taskmgr.exe
2872	taskmgr.exe
2872	taskmgr.exe
2872	taskmgr.exe
2872	taskmgr.exe
2872	taskmgr.exe
2872	taskmgr.exe
2872	taskmgr.exe
2872	taskmgr.exe
2872	taskmgr.exe
2872	taskmgr.exe
2872	taskmgr.exe
2872	taskmgr.exe
2872	taskmgr.exe
2872	taskmgr.exe
2872	taskmgr.exe
2872	taskmgr.exe
2872	taskmgr.exe
2872	taskmgr.exe
2872	taskmgr.exe
2872	taskmgr.exe

Suspicious use of SendNotifyMessage 49 IoCs

pid	Process
1956	vlc.exe
1956	vlc.exe
1956	vlc.exe
1956	vlc.exe
1956	vlc.exe
1956	vlc.exe
1956	vlc.exe
1956	vlc.exe
2872	taskmgr.exe
2872	taskmgr.exe
2872	taskmgr.exe
2872	taskmgr.exe
2872	taskmgr.exe
2872	taskmgr.exe
2872	taskmgr.exe
2872	taskmgr.exe
2872	taskmgr.exe
2872	taskmgr.exe
2872	taskmgr.exe
2872	taskmgr.exe
2872	taskmgr.exe
2872	taskmgr.exe
2872	taskmgr.exe
2872	taskmgr.exe
2872	taskmgr.exe
2872	taskmgr.exe
2872	taskmgr.exe
2872	taskmgr.exe
2872	taskmgr.exe
2872	taskmgr.exe
2872	taskmgr.exe
2872	taskmgr.exe
2872	taskmgr.exe
2872	taskmgr.exe
2872	taskmgr.exe
2872	taskmgr.exe
2872	taskmgr.exe
2872	taskmgr.exe
2872	taskmgr.exe
2872	taskmgr.exe
2872	taskmgr.exe
2872	taskmgr.exe
2872	taskmgr.exe
2872	taskmgr.exe
2872	taskmgr.exe
2872	taskmgr.exe
2872	taskmgr.exe
2872	taskmgr.exe
2872	taskmgr.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1956	vlc.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2732 wrote to memory of 2828	2732	Anymars.exe	30
PID 2732 wrote to memory of 2828	2732	Anymars.exe	30
PID 2732 wrote to memory of 2828	2732	Anymars.exe	30
PID 2732 wrote to memory of 2828	2732	Anymars.exe	30
PID 2732 wrote to memory of 2828	2732	Anymars.exe	30
PID 2732 wrote to memory of 2828	2732	Anymars.exe	30
PID 2732 wrote to memory of 2828	2732	Anymars.exe	30

C:\Users\Admin\AppData\Local\Temp\Anymars.exe
"C:\Users\Admin\AppData\Local\Temp\Anymars.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2732
- C:\Users\Admin\AppData\Local\Temp\is-P5CB0.tmp\Anymars.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-P5CB0.tmp\Anymars.tmp" /SL5="$40154,5012273,1031168,C:\Users\Admin\AppData\Local\Temp\Anymars.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of FindShellTrayWindow
  PID:2828

C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\Desktop\RestartSync.wvx"
1⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:1956

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2872

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\is-AM2U4.tmp\bass.dll

Filesize
126KB

MD5
f2a113b6ee24d9382953c9729ae357af

SHA1
749f4512a02287095a53db634783f7e399cd31b9

SHA256
0738dc614d751b3b08125c03a920fc243a3e5eea4f16d3374d8d94a6e2454477

SHA512
f9f366515b337c9df48ff1a21fb124091b2bec94c8a2d94de9c17c210b24931222a11d5b9914ea2fa40807ff7d4322d72d7779f34d07ce3ca2a44795718d047b

Download Submit
\Users\Admin\AppData\Local\Temp\is-AM2U4.tmp\unarc.dll

Filesize
333KB

MD5
56a2bcecbd3cddd6f4a35361bf4920d6

SHA1
992e63be423f0e61093ba183f49fc0cbec790488

SHA256
5fcfac18758a12e0e717a5189f379922a32b5ac12f26491e638d70b54ae1dcab

SHA512
473cbdf760242db1f0f1d0c27046c0564998f2bf931ad03feb28af3c7bd253d00e6f0836dadf37f29e0db4171eb64e6a15ed4cb9a9d28b48fb0aab601573f551

Download Submit
\Users\Admin\AppData\Local\Temp\is-P5CB0.tmp\Anymars.tmp

Filesize
3.2MB

MD5
5f5081151e5aff7096856939e5ac1f24

SHA1
bcd827ac74037a4955ed0e739f97ef1129913187

SHA256
ca39be3b5059229dddc16cc3b9cf1127479ef980e080557f5b8cad4b755e0a28

SHA512
d6ad307237e64ed0fdf5065a83fd2e45bd501d8d06ce0fe6e75eca4ce9166ca62bf6c6698c10093796a183cee87468c8e74a8e2b9547c8ef161f3d052c76c713

Download Submit
memory/1956-58-0x000007FEF5240000-0x000007FEF62F0000-memory.dmp

Filesize
16.7MB

Download
memory/1956-59-0x000007FEF3E60000-0x000007FEF3F6E000-memory.dmp

Filesize
1.1MB

Download
memory/1956-57-0x000007FEF6460000-0x000007FEF6716000-memory.dmp

Filesize
2.7MB

Download
memory/1956-55-0x000000013F1D0000-0x000000013F2C8000-memory.dmp

Filesize
992KB

Download
memory/1956-56-0x000007FEF7760000-0x000007FEF7794000-memory.dmp

Filesize
208KB

Download
memory/2732-42-0x0000000000400000-0x0000000000509000-memory.dmp

Filesize
1.0MB

Download
memory/2732-2-0x0000000000401000-0x00000000004B7000-memory.dmp

Filesize
728KB

Download
memory/2732-0-0x0000000000400000-0x0000000000509000-memory.dmp

Filesize
1.0MB

Download
memory/2732-20-0x0000000000400000-0x0000000000509000-memory.dmp

Filesize
1.0MB

Download
memory/2828-16-0x0000000073F50000-0x0000000073F9B000-memory.dmp

Filesize
300KB

Download
memory/2828-33-0x0000000061080000-0x0000000061119000-memory.dmp

Filesize
612KB

Download
memory/2828-32-0x0000000000400000-0x0000000000745000-memory.dmp

Filesize
3.3MB

Download
memory/2828-29-0x0000000000750000-0x0000000000890000-memory.dmp

Filesize
1.2MB

Download
memory/2828-30-0x0000000000750000-0x0000000000890000-memory.dmp

Filesize
1.2MB

Download
memory/2828-23-0x0000000000400000-0x0000000000745000-memory.dmp

Filesize
3.3MB

Download
memory/2828-22-0x0000000061080000-0x0000000061119000-memory.dmp

Filesize
612KB

Download
memory/2828-21-0x0000000000400000-0x0000000000745000-memory.dmp

Filesize
3.3MB

Download
memory/2828-8-0x0000000000400000-0x0000000000745000-memory.dmp

Filesize
3.3MB

Download
memory/2872-60-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/2872-61-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/2872-62-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/2872-63-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download