Analysis
-
max time kernel
146s -
max time network
150s -
platform
windows7_x64 -
resource
win7v20210410 -
submitted
20-07-2021 20:56
General
-
Target
f93b838dc89e7d3d47b1225c5d4a7b706062fd8a0f380b173c099d0570814348.exe
-
Size
663KB
-
MD5
faa84badf9eee5c7ab7c727f7ffe2c4f
-
SHA1
7b7923d89bb8d564b8be409476652d8005e19fba
-
SHA256
f93b838dc89e7d3d47b1225c5d4a7b706062fd8a0f380b173c099d0570814348
-
SHA512
42a27e1dc0106c032f1c5b11085573b97c092114d807d354b93788688e2dcd21c30c3d915c5365248ba5b77d155246a1c98d11336d2f16b66d71e0e386b40b63
Score
10/10
Malware Config
Signatures
-
AnchorDNS Backdoor
A backdoor which communicates with C2 through DNS, attributed to the creators of Trickbot and Bazar.
-
Detected AnchorDNS Backdoor 2 IoCs
Sample triggered yara rules associated with the AnchorDNS malware family.
-
Executes dropped EXE 1 IoCs
-
Loads dropped DLL 1 IoCs
-
NTFS ADS 3 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of WriteProcessMemory 3 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\f93b838dc89e7d3d47b1225c5d4a7b706062fd8a0f380b173c099d0570814348.exe"C:\Users\Admin\AppData\Local\Temp\f93b838dc89e7d3d47b1225c5d4a7b706062fd8a0f380b173c099d0570814348.exe"1⤵
- NTFS ADS
-
C:\Windows\system32\taskeng.exetaskeng.exe {02F6C416-B839-4B5E-BF36-FF3F59C9030E} S-1-5-18:NT AUTHORITY\System:Service:1⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\f93b838dc89e7d3d47b1225c5d4a7b706062fd8a0f380b173c099d0570814348.exeC:\Users\Admin\AppData\Local\Temp\f93b838dc89e7d3d47b1225c5d4a7b706062fd8a0f380b173c099d0570814348.exe -u2⤵
- Executes dropped EXE
- NTFS ADS
-