Analysis Report anchorAsjuster_x64.exe

Overview

General Information

Sample Name: anchorAsjuster_x64.exe
Analysis ID: 381815
MD5: 9fbc3d560d075f33a15aa67ae74ac6ef
SHA1: a298c6f5f8902fb581a1b5b922f95b362747f9a7
SHA256: 3ab8a1ee10bd1b720e1c8a8795e78cdc09fec73a6bb91526c0ccd2dc2cfbc28d
Detection

Score: 4
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Detected potential crypto function
Extensive use of GetProcAddress (often used to hide API calls)
Found large amount of non-executed APIs
PE file contains sections with non-standard names
Program does not show much activity (idle)

Startup

  • System is w10x64
  • anchorAsjuster_x64.exe (PID: 6848 cmdline: 'C:\Users\user\Desktop\anchorAsjuster_x64.exe' MD5: 9FBC3D560D075F33A15AA67AE74AC6EF)
    • conhost.exe (PID: 6860 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

No yara matches

Sigma Overview

No Sigma rule has matched

Signature Overview

There are no malicious signatures.

Source: anchorAsjuster_x64.exe | Static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA
Source: C:\Users\user\Desktop\anchorAsjuster_x64.exe | Code function: 0_2_00007FF7FE6FBCE8 FindFirstFileExA,0_2_00007FF7FE6FBCE8
Source: C:\Users\user\Desktop\anchorAsjuster_x64.exe | Code function: 0_2_00007FF7FE6F3694 0_2_00007FF7FE6F3694
Source: C:\Users\user\Desktop\anchorAsjuster_x64.exe | Code function: 0_2_00007FF7FE6F9F6C 0_2_00007FF7FE6F9F6C
Source: C:\Users\user\Desktop\anchorAsjuster_x64.exe | Code function: 0_2_00007FF7FE6F410C 0_2_00007FF7FE6F410C
Source: C:\Users\user\Desktop\anchorAsjuster_x64.exe | Code function: 0_2_00007FF7FE6FD8E8 0_2_00007FF7FE6FD8E8
Source: C:\Users\user\Desktop\anchorAsjuster_x64.exe | Code function: 0_2_00007FF7FE6EF8C0 0_2_00007FF7FE6EF8C0
Source: C:\Users\user\Desktop\anchorAsjuster_x64.exe | Code function: 0_2_00007FF7FE6FED70 0_2_00007FF7FE6FED70
Source: C:\Users\user\Desktop\anchorAsjuster_x64.exe | Code function: 0_2_00007FF7FE6EFDDA 0_2_00007FF7FE6EFDDA
Source: C:\Users\user\Desktop\anchorAsjuster_x64.exe | Code function: 0_2_00007FF7FE70062C 0_2_00007FF7FE70062C
Source: C:\Users\user\Desktop\anchorAsjuster_x64.exe | Code function: 0_2_00007FF7FE6EEE9C 0_2_00007FF7FE6EEE9C
Source: C:\Users\user\Desktop\anchorAsjuster_x64.exe | Code function: 0_2_00007FF7FE6E2378 0_2_00007FF7FE6E2378
Source: C:\Users\user\Desktop\anchorAsjuster_x64.exe | Code function: 0_2_00007FF7FE6ED414 0_2_00007FF7FE6ED414
Source: C:\Users\user\Desktop\anchorAsjuster_x64.exe | Code function: 0_2_00007FF7FE6E5BF0 0_2_00007FF7FE6E5BF0
Source: C:\Users\user\Desktop\anchorAsjuster_x64.exe | Code function: 0_2_00007FF7FE6F43F0 0_2_00007FF7FE6F43F0
Source: C:\Users\user\Desktop\anchorAsjuster_x64.exe | Code function: 0_2_00007FF7FE6EF478 0_2_00007FF7FE6EF478
Source: C:\Users\user\Desktop\anchorAsjuster_x64.exe | Code function: 0_2_00007FF7FE6FB184 0_2_00007FF7FE6FB184
Source: C:\Users\user\Desktop\anchorAsjuster_x64.exe | Code function: 0_2_00007FF7FE7011C0 0_2_00007FF7FE7011C0
Source: C:\Users\user\Desktop\anchorAsjuster_x64.exe | Code function: 0_2_00007FF7FE6ED198 0_2_00007FF7FE6ED198
Source: C:\Users\user\Desktop\anchorAsjuster_x64.exe | Code function: 0_2_00007FF7FE6FBADC 0_2_00007FF7FE6FBADC
Source: classification engine | Classification label: clean4.winEXE@2/1@0/0
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6860:120:WilError_01
Source: C:\Users\user\Desktop\anchorAsjuster_x64.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown | Process created: C:\Users\user\Desktop\anchorAsjuster_x64.exe 'C:\Users\user\Desktop\anchorAsjuster_x64.exe'
Source: C:\Users\user\Desktop\anchorAsjuster_x64.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: anchorAsjuster_x64.exe | Static PE information: Image base 0x140000000 > 0x60000000
Source: anchorAsjuster_x64.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: anchorAsjuster_x64.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: anchorAsjuster_x64.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: anchorAsjuster_x64.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: anchorAsjuster_x64.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: anchorAsjuster_x64.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: anchorAsjuster_x64.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: anchorAsjuster_x64.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: anchorAsjuster_x64.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: anchorAsjuster_x64.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: anchorAsjuster_x64.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
Source: anchorAsjuster_x64.exe | Static PE information: section name: .table
Source: C:\Users\user\Desktop\anchorAsjuster_x64.exe | Code function: 0_2_00007FF7FE6E5BF0 GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,0_2_00007FF7FE6E5BF0
Source: C:\Users\user\Desktop\anchorAsjuster_x64.exe | API coverage: 8.2 %
Source: all processes | Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Users\user\Desktop\anchorAsjuster_x64.exe | Code function: 0_2_00007FF7FE6E6F90 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_00007FF7FE6E6F90
Source: C:\Users\user\Desktop\anchorAsjuster_x64.exe | Code function: 0_2_00007FF7FE6F9DA4 GetProcessHeap,0_2_00007FF7FE6F9DA4
Source: C:\Users\user\Desktop\anchorAsjuster_x64.exe | Code function: 0_2_00007FF7FE6E6B1C SetUnhandledExceptionFilter,_invalid_parameter_noinfo,0_2_00007FF7FE6E6B1C
Source: C:\Users\user\Desktop\anchorAsjuster_x64.exe | Code function: 0_2_00007FF7FE6EA524 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_00007FF7FE6EA524
Source: C:\Users\user\Desktop\anchorAsjuster_x64.exe | Code function: 0_2_00007FF7FE6E7174 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,0_2_00007FF7FE6E7174
Source: C:\Users\user\Desktop\anchorAsjuster_x64.exe | Code function: 0_2_00007FF7FE6E712C SetUnhandledExceptionFilter,0_2_00007FF7FE6E712C
Source: C:\Users\user\Desktop\anchorAsjuster_x64.exe | Code function: 0_2_00007FF7FE6FB5C0 cpuid 0_2_00007FF7FE6FB5C0
Source: C:\Users\user\Desktop\anchorAsjuster_x64.exe | Code function: EnumSystemLocalesW,0_2_00007FF7FE6FF7A4
Source: C:\Users\user\Desktop\anchorAsjuster_x64.exe | Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,0_2_00007FF7FE6FF83C
Source: C:\Users\user\Desktop\anchorAsjuster_x64.exe | Code function: EnumSystemLocalesW,0_2_00007FF7FE6F589C
Source: C:\Users\user\Desktop\anchorAsjuster_x64.exe | Code function: EnumSystemLocalesW,GetUserDefaultLCID,ProcessCodePage,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,0_2_00007FF7FE6FFDB4
Source: C:\Users\user\Desktop\anchorAsjuster_x64.exe | Code function: GetLocaleInfoW,0_2_00007FF7FE6F5E28
Source: C:\Users\user\Desktop\anchorAsjuster_x64.exe | Code function: EnumSystemLocalesW,0_2_00007FF7FE6FF6D4
Source: C:\Users\user\Desktop\anchorAsjuster_x64.exe | Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,0_2_00007FF7FE6FFBCC
Source: C:\Users\user\Desktop\anchorAsjuster_x64.exe | Code function: TranslateName,TranslateName,IsValidCodePage,wcschr,wcschr,GetLocaleInfoW,0_2_00007FF7FE6FF3C8
Source: C:\Users\user\Desktop\anchorAsjuster_x64.exe | Code function: GetLocaleInfoW,0_2_00007FF7FE6FFC7C
Source: C:\Users\user\Desktop\anchorAsjuster_x64.exe | Code function: GetLocaleInfoW,0_2_00007FF7FE6FFA80
Source: C:\Users\user\Desktop\anchorAsjuster_x64.exe | Code function: 0_2_00007FF7FE6E7410 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,0_2_00007FF7FE6E7410

Mitre Att&ck Matrix

The matrix, listed per tactic column (the original is a 14-column grid whose rows carry no meaning across columns). Numbers in parentheses are the counts shown next to a technique in the original matrix.

Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts
Execution: Windows Management Instrumentation; Scheduled Task/Job; At (Linux); At (Windows)
Persistence: Application Shimming (1); Boot or Logon Initialization Scripts; Logon Script (Windows); Logon Script (Mac)
Privilege Escalation: Process Injection (1); Application Shimming (1); Logon Script (Windows); Logon Script (Mac)
Defense Evasion: Process Injection (1); Rootkit; Obfuscated Files or Information; Binary Padding
Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS
Discovery: System Time Discovery (1); Security Software Discovery (2); File and Directory Discovery (1); System Information Discovery (22)
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model
Collection: Archive Collected Data (1); Data from Removable Media; Data from Network Shared Drive; Input Capture
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Scheduled Transfer
Command and Control: Encrypted Channel (1); Junk Data; Steganography; Protocol Impersonation
Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS; Exploit SS7 to Track Device Location; SIM Card Swap
Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization; Obtain Device Cloud Backups
Impact: Modify System Partition; Device Lockout; Delete Device Data; Carrier Billing Fraud

Behavior Graph

Behavior Graph ID: 381815
Sample: anchorAsjuster_x64.exe
Startdate: 05/04/2021
Architecture: WINDOWS
Score: 4
Process chain: anchorAsjuster_x64.exe (started) -> conhost.exe (started)
