anchordns | f7278cd22070f0418ac75b599b8bcc524ee9d6adbda4103d149c9484cdaeb4f3

General

Target

f7278cd22070f0418ac75b599b8bcc524ee9d6adbda4103d149c9484cdaeb4f3.exe
Size

162KB
MD5

35229446728ec9bbeae1599c13e86d82
SHA1

c759203d19d86540b6c1efa6eec6aab9ed25470d
SHA256

f7278cd22070f0418ac75b599b8bcc524ee9d6adbda4103d149c9484cdaeb4f3
SHA512

597b3a0e315752ac24bcd11ea2992bdc6c47c575f6385b209a56065da35a074340aceb56f01d29e7486e84bf3cb124d3f00adff399cebca3cbfa219ebb2b5feb

Score

10^/10

AnchorDNS Backdoor
A backdoor which communicates with C2 through DNS, attributed to the creators of Trickbot and Bazar.
backdoor anchordns

Detected AnchorDNS Backdoor 2 IoCs

Sample triggered yara rules associated with the AnchorDNS malware family.

resource	yara_rule
behavioral2/files/0x000600000001ab36-118.dat	family_anchor_dns
behavioral2/files/0x000600000001ab36-119.dat	family_anchor_dns

Executes dropped EXE 1 IoCs

pid	Process
1448	jixqfimx.exe

Drops file in System32 directory 5 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\jixqfimx.exe	f7278cd22070f0418ac75b599b8bcc524ee9d6adbda4103d149c9484cdaeb4f3.exe
File opened for modification	C:\Windows\SysWOW64\jixqfimx.exe	f7278cd22070f0418ac75b599b8bcc524ee9d6adbda4103d149c9484cdaeb4f3.exe
File opened for modification	C:\Windows\SysWOW64\jixqfimx.exe:$TASK	jixqfimx.exe
File opened for modification	C:\Windows\SysWOW64\jixqfimx.exe:$GUID	jixqfimx.exe
File opened for modification	C:\Windows\SysWOW64\jixqfimx.exe:$FILE	jixqfimx.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
892	timeout.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	796	powershell.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 3064 wrote to memory of 1448	3064	f7278cd22070f0418ac75b599b8bcc524ee9d6adbda4103d149c9484cdaeb4f3.exe	68
PID 3064 wrote to memory of 1448	3064	f7278cd22070f0418ac75b599b8bcc524ee9d6adbda4103d149c9484cdaeb4f3.exe	68
PID 3064 wrote to memory of 1448	3064	f7278cd22070f0418ac75b599b8bcc524ee9d6adbda4103d149c9484cdaeb4f3.exe	68
PID 3064 wrote to memory of 1464	3064	f7278cd22070f0418ac75b599b8bcc524ee9d6adbda4103d149c9484cdaeb4f3.exe	70
PID 3064 wrote to memory of 1464	3064	f7278cd22070f0418ac75b599b8bcc524ee9d6adbda4103d149c9484cdaeb4f3.exe	70
PID 3064 wrote to memory of 1464	3064	f7278cd22070f0418ac75b599b8bcc524ee9d6adbda4103d149c9484cdaeb4f3.exe	70
PID 3064 wrote to memory of 972	3064	f7278cd22070f0418ac75b599b8bcc524ee9d6adbda4103d149c9484cdaeb4f3.exe	69
PID 3064 wrote to memory of 972	3064	f7278cd22070f0418ac75b599b8bcc524ee9d6adbda4103d149c9484cdaeb4f3.exe	69
PID 3064 wrote to memory of 972	3064	f7278cd22070f0418ac75b599b8bcc524ee9d6adbda4103d149c9484cdaeb4f3.exe	69
PID 972 wrote to memory of 796	972	cmd.exe	73
PID 972 wrote to memory of 796	972	cmd.exe	73
PID 972 wrote to memory of 796	972	cmd.exe	73
PID 1464 wrote to memory of 892	1464	cmd.exe	74
PID 1464 wrote to memory of 892	1464	cmd.exe	74
PID 1464 wrote to memory of 892	1464	cmd.exe	74

memory/796-122-0x0000000004150000-0x0000000004186000-memory.dmp

Filesize
216KB

Download
memory/796-123-0x0000000006D10000-0x0000000007338000-memory.dmp

Filesize
6.2MB

Download
memory/796-125-0x0000000004332000-0x0000000004333000-memory.dmp

Filesize
4KB

Download
memory/796-124-0x0000000004330000-0x0000000004331000-memory.dmp

Filesize
4KB

Download
memory/796-126-0x0000000006BB0000-0x0000000006BD2000-memory.dmp

Filesize
136KB

Download
memory/796-127-0x00000000074B0000-0x0000000007516000-memory.dmp

Filesize
408KB

Download
memory/796-128-0x0000000007520000-0x0000000007586000-memory.dmp

Filesize
408KB

Download
memory/796-129-0x0000000007590000-0x00000000078E0000-memory.dmp

Filesize
3.3MB

Download
memory/796-130-0x0000000006C50000-0x0000000006C6C000-memory.dmp

Filesize
112KB

Download
memory/796-131-0x0000000007D30000-0x0000000007D7B000-memory.dmp

Filesize
300KB

Download
memory/796-132-0x0000000007BD0000-0x0000000007C46000-memory.dmp

Filesize
472KB

Download
memory/796-139-0x00000000093D0000-0x0000000009A48000-memory.dmp

Filesize
6.5MB

Download
memory/796-140-0x0000000008A80000-0x0000000008A9A000-memory.dmp

Filesize
104KB

Download
memory/796-145-0x0000000008E70000-0x0000000008F04000-memory.dmp

Filesize
592KB

Download
memory/796-146-0x0000000008A30000-0x0000000008A52000-memory.dmp

Filesize
136KB

Download
memory/796-147-0x0000000009F50000-0x000000000A44E000-memory.dmp

Filesize
5.0MB

Download