f2c0b14087985e4ab59152e15ec6c5933a996985196592c4671789bb6bd0634a

Analysis

max time kernel
65s
max time network
74s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
13-11-2024 16:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

anymirror-en-setup.exe
Size

5.0MB
MD5

d5ce55cd4d5a1cfb024a925a57affac5
SHA1

ff77825f43279d43c5472900370e69ae76125bc4
SHA256

f2c0b14087985e4ab59152e15ec6c5933a996985196592c4671789bb6bd0634a
SHA512

fa6b6ee1683a35928c72b3c4c842c61c69a5a46614a9a8e2190c2a38282a7f4744978ae79ae641ecb9891fe082dda967f8d595989bfef94d129359bbbde42e5a
SSDEEP

98304:G+Ei+ZME4oSsNm2r/6p1o9Djk5Mo7zxcurCZTLV/opu0b2Ej83KflSpi/ang:G+Ei+ZMEL/6s5IqUPg9/oM0CEwafmG4g

Score

4^/10

discovery

Malware Config

Signatures

Loads dropped DLL 10 IoCs

pid	Process
2072	anymirror-en-setup.exe
2072	anymirror-en-setup.exe
2072	anymirror-en-setup.exe
2072	anymirror-en-setup.exe
2072	anymirror-en-setup.exe
2072	anymirror-en-setup.exe
2072	anymirror-en-setup.exe
2072	anymirror-en-setup.exe
2072	anymirror-en-setup.exe
2072	anymirror-en-setup.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	anymirror-en-setup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	anymirror-en-setup.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	anymirror-en-setup.exe

Suspicious behavior: EnumeratesProcesses 9 IoCs

pid	Process
2072	anymirror-en-setup.exe
2072	anymirror-en-setup.exe
2072	anymirror-en-setup.exe
2072	anymirror-en-setup.exe
2072	anymirror-en-setup.exe
2072	anymirror-en-setup.exe
2072	anymirror-en-setup.exe
2072	anymirror-en-setup.exe
2072	anymirror-en-setup.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2072 wrote to memory of 1868	2072	anymirror-en-setup.exe	31
PID 2072 wrote to memory of 1868	2072	anymirror-en-setup.exe	31
PID 2072 wrote to memory of 1868	2072	anymirror-en-setup.exe	31
PID 2072 wrote to memory of 1868	2072	anymirror-en-setup.exe	31
PID 2072 wrote to memory of 2144	2072	anymirror-en-setup.exe	34
PID 2072 wrote to memory of 2144	2072	anymirror-en-setup.exe	34
PID 2072 wrote to memory of 2144	2072	anymirror-en-setup.exe	34
PID 2072 wrote to memory of 2144	2072	anymirror-en-setup.exe	34

C:\Users\Admin\AppData\Local\Temp\anymirror-en-setup.exe
"C:\Users\Admin\AppData\Local\Temp\anymirror-en-setup.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2072
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c "curl -X POST -H "Content-Type: application/json" -d "{\"client_id\":\"am-Windows\",\"user_id\":\"7B95BD19\",\"events\":[{\"name\":\"Install_SW\",\"params\":{\"engagement_time_msec\":\"1\",\"ea\":\"Launch App\",\"el\":\"1\",\"install_productversion\":\"Official-com\",\"install_trackversion\":\"1.1.1.1\",\"soft_os_version\":\"Windows_64\"}}]}" "https://www.google-analytics.com/mp/collect?measurement_id=G-XNF39PYMC3&api_secret=ydv9G0S4SjeRpO8cAHfUew""
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1868
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c "curl -X POST -H "Content-Type: application/json" -d "{\"client_id\":\"am-Windows\",\"user_id\":\"7B95BD19\",\"events\":[{\"name\":\"Install_SW\",\"params\":{\"engagement_time_msec\":\"1\",\"ea\":\"Start Download\",\"el\":\"1\",\"install_productversion\":\"Official-com\",\"install_trackversion\":\"1.1.1.1\",\"soft_os_version\":\"Windows_64\"}}]}" "https://www.google-analytics.com/mp/collect?measurement_id=G-XNF39PYMC3&api_secret=ydv9G0S4SjeRpO8cAHfUew""
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2144

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\nsjD5A8.tmp\CheckProVs.dll

Filesize
7KB

MD5
62e85098ce43cb3d5c422e49390b7071

SHA1
df6722f155ce2a1379eff53a9ad1611ddecbb3bf

SHA256
ee7e26894cbf89c93ae4df15bdb12cd9a21f5deacedfa99a01eefe8fa52daec2

SHA512
dfe7438c2b46f822e2a810bc355e5226043547608d19d1c70314e4325c06ad9ad63a797905e30d19f5d9a86ee1a6d9c28f525a298731e79dbf6f3d6441179a8e

Download Submit
\Users\Admin\AppData\Local\Temp\nsjD5A8.tmp\BgWorker.dll

Filesize
2KB

MD5
33ec04738007e665059cf40bc0f0c22b

SHA1
4196759a922e333d9b17bda5369f14c33cd5e3bc

SHA256
50f735ab8f3473423e6873d628150bbc0777be7b4f6405247cddf22bb00fb6be

SHA512
2318b01f0c2f2f021a618ca3e6e5c24a94df5d00154766b77160203b8b0a177c8581c7b688ffe69be93a69bc7fd06b8a589844d42447f5060fb4bcf94d8a9aef

Download Submit
\Users\Admin\AppData\Local\Temp\nsjD5A8.tmp\GoogleTracingLib.dll

Filesize
36KB

MD5
d8fca35ff95fe00a7174177181f8bd13

SHA1
fbafea4d2790dd2c0d022dfb08ded91de7f5265e

SHA256
ad873f1e51e6d033e5507235ec735957256ebeeb0d3f22aa0b57bb4bd0846e4c

SHA512
eb530b10f137cb0cdfdcd2c11fd9f50f774e0ce44e9d2da3e755f6a6df24fe6e7525c27b109e3e68e9d3e49a889937a22f4d9d78703b1055a83b8a58808a58ba

Download Submit
\Users\Admin\AppData\Local\Temp\nsjD5A8.tmp\System.dll

Filesize
11KB

MD5
ca332bb753b0775d5e806e236ddcec55

SHA1
f35ef76592f20850baef2ebbd3c9a2cfb5ad8d8f

SHA256
df5ae79fa558dc7af244ec6e53939563b966e7dbd8867e114e928678dbd56e5d

SHA512
2de0956a1ad58ad7086e427e89b819089f2a7f1e4133ed2a0a736adc0614e8588ebe2d97f1b59ab8886d662aeb40e0b4838c6a65fbfc652253e3a45664a03a00

Download Submit
\Users\Admin\AppData\Local\Temp\nsjD5A8.tmp\msvcr100.dll

Filesize
752KB

MD5
67ec459e42d3081dd8fd34356f7cafc1

SHA1
1738050616169d5b17b5adac3ff0370b8c642734

SHA256
1221a09484964a6f38af5e34ee292b9afefccb3dc6e55435fd3aaf7c235d9067

SHA512
9ed1c106df217e0b4e4fbd1f4275486ceba1d8a225d6c7e47b854b0b5e6158135b81be926f51db0ad5c624f9bd1d09282332cf064680dc9f7d287073b9686d33

Download Submit
\Users\Admin\AppData\Local\Temp\nsjD5A8.tmp\nsDui.dll

Filesize
2.4MB

MD5
02917b9f41149b048d3bddd8fcdbab80

SHA1
1eef6b7a4baf7176870393a60a9d55c047630cee

SHA256
8872453727bed5cfecd6850cd02c25d35d137267c1b20e6bf29f041c66461ab0

SHA512
6df8096bfb7a6658b747b9f2ce08365ecaa546fce091666e3194b95684399f334369569494786abc160c83201350c0361e452949d551dbde42778695f3f05308

Download Submit
\Users\Admin\AppData\Local\Temp\nsjD5A8.tmp\nsProcess.dll

Filesize
4KB

MD5
f0438a894f3a7e01a4aae8d1b5dd0289

SHA1
b058e3fcfb7b550041da16bf10d8837024c38bf6

SHA256
30c6c3dd3cc7fcea6e6081ce821adc7b2888542dae30bf00e881c0a105eb4d11

SHA512
f91fcea19cbddf8086affcb63fe599dc2b36351fc81ac144f58a80a524043ddeaa3943f36c86ebae45dd82e8faf622ea7b7c9b776e74c54b93df2963cfe66cc7

Download Submit