Analysis
- max time kernel: 77s
- max time network: 17s
- platform: windows7_x64
- resource: win7-20240729-en
- resource tags: arch:x64, arch:x86, image:win7-20240729-en, locale:en-us, os:windows7-x64, system
- submitted: 18/08/2024, 16:42
Static task
- static1
Behavioral task
- behavioral1: sample Anymars.exe, resource win7-20240729-en
Behavioral task
- behavioral2: sample Anymars.exe, resource win10v2004-20240802-en
General
- Target: Anymars.exe
- Size: 6.3MB
- MD5: bd088392f482ec1cd9724bfd453469b9
- SHA1: bc2b9765c17e5b80bdf1d09354b2902c284e8fc1
- SHA256: 7fad3e1162e2820c97692c05eabcefecff1cf08c24f0c3753b97174385424ae8
- SHA512: 05ec11a806cc3cc6af0fbaa288a0d51b4a14fd470b1a0ac17f885420323f59b36f8167278e746b124a9ee196172dca720952fb08906b6d54dccc8acf7ed72f17
- SSDEEP: 196608:iwcgGFD2WIR9VCvcd++tlAtpJS+xa4X898fvvVBvIrQ:AgGFD2WIR9VCyjtlepJy6fnIU
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  pid 2828 Anymars.tmp
- Loads dropped DLL (3 IoCs)
  pid 2732 Anymars.exe; pid 2828 Anymars.tmp (x2)
- Checks installed software on the system (1 TTP)
  Looks up Uninstall key entries in the registry to enumerate software on the system.
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- System Location Discovery: System Language Discovery (1 TTP, 2 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language by Anymars.exe
  Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language by Anymars.tmp
- Modifies registry class (5 IoCs)
  Key created \REGISTRY\MACHINE\Software\Classes\Applications\BeamNG.drive\SupportedTypes by Anymars.tmp
  Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Applications by Anymars.tmp
  Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Applications\BeamNG.drive by Anymars.tmp
  Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Applications\BeamNG.drive\SupportedTypes by Anymars.tmp
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Applications\BeamNG.drive\SupportedTypes\.myp by Anymars.tmp
- Suspicious behavior: AddClipboardFormatListener (1 IoC)
  pid 1956 vlc.exe
- Suspicious behavior: EnumeratesProcesses (15 IoCs)
  pid 2872 taskmgr.exe (x15)
- Suspicious behavior: GetForegroundWindowSpam (2 IoCs)
  pid 1956 vlc.exe; pid 2872 taskmgr.exe
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Token: SeDebugPrivilege, pid 2872 taskmgr.exe
- Suspicious use of FindShellTrayWindow (52 IoCs)
  pid 2828 Anymars.tmp (x1); pid 1956 vlc.exe (x9); pid 2872 taskmgr.exe (x42)
- Suspicious use of SendNotifyMessage (49 IoCs)
  pid 1956 vlc.exe (x8); pid 2872 taskmgr.exe (x41)
- Suspicious use of SetWindowsHookEx (1 IoC)
  pid 1956 vlc.exe
- Suspicious use of WriteProcessMemory (7 IoCs)
  PID 2732 Anymars.exe wrote to memory of PID 2828 (procid_target 30) (x7)
Processes
- C:\Users\Admin\AppData\Local\Temp\Anymars.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\Anymars.exe"
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID: 2732
  - C:\Users\Admin\AppData\Local\Temp\is-P5CB0.tmp\Anymars.tmp (child of PID 2732)
    Command line: "C:\Users\Admin\AppData\Local\Temp\is-P5CB0.tmp\Anymars.tmp" /SL5="$40154,5012273,1031168,C:\Users\Admin\AppData\Local\Temp\Anymars.exe"
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of FindShellTrayWindow
    PID: 2828
- C:\Program Files\VideoLAN\VLC\vlc.exe
  Command line: "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\Desktop\RestartSync.wvx"
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  PID: 1956
- C:\Windows\system32\taskmgr.exe
  Command line: "C:\Windows\system32\taskmgr.exe" /4
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID: 2872
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 126KB
  MD5: f2a113b6ee24d9382953c9729ae357af
  SHA1: 749f4512a02287095a53db634783f7e399cd31b9
  SHA256: 0738dc614d751b3b08125c03a920fc243a3e5eea4f16d3374d8d94a6e2454477
  SHA512: f9f366515b337c9df48ff1a21fb124091b2bec94c8a2d94de9c17c210b24931222a11d5b9914ea2fa40807ff7d4322d72d7779f34d07ce3ca2a44795718d047b
- Filesize: 333KB
  MD5: 56a2bcecbd3cddd6f4a35361bf4920d6
  SHA1: 992e63be423f0e61093ba183f49fc0cbec790488
  SHA256: 5fcfac18758a12e0e717a5189f379922a32b5ac12f26491e638d70b54ae1dcab
  SHA512: 473cbdf760242db1f0f1d0c27046c0564998f2bf931ad03feb28af3c7bd253d00e6f0836dadf37f29e0db4171eb64e6a15ed4cb9a9d28b48fb0aab601573f551
- Filesize: 3.2MB
  MD5: 5f5081151e5aff7096856939e5ac1f24
  SHA1: bcd827ac74037a4955ed0e739f97ef1129913187
  SHA256: ca39be3b5059229dddc16cc3b9cf1127479ef980e080557f5b8cad4b755e0a28
  SHA512: d6ad307237e64ed0fdf5065a83fd2e45bd501d8d06ce0fe6e75eca4ce9166ca62bf6c6698c10093796a183cee87468c8e74a8e2b9547c8ef161f3d052c76c713