anchordns | 6c7847d103de865f906c2e1b7372f2e11ceebec890a68ee6532cebeab852618d

General

Target

6c7847d103de865f906c2e1b7372f2e11ceebec890a68ee6532cebeab852618d.exe
Size

162KB
MD5

dd1d2518d48b0c9b15dc426816f627b5
SHA1

e26d5ed1aa0c38a64f0f9c2f85fc144b320c0147
SHA256

6c7847d103de865f906c2e1b7372f2e11ceebec890a68ee6532cebeab852618d
SHA512

dea2c64e3b245d00afc1bfa0b8f2e8baa9559e11b1af81dc25eb8d9a6e17460be9357aa3ba0a3f2d2a618b550a45a9ec23a1fe3edf0a123dc0bb95901d1b4840

Score

10^/10

anchordns backdoor

Malware Config

Signatures

AnchorDNS Backdoor
A backdoor which communicates with C2 through DNS, attributed to the creators of Trickbot and Bazar.
backdoor anchordns

Detected AnchorDNS Backdoor 2 IoCs

Sample triggered yara rules associated with the AnchorDNS malware family.

backdoor

resource	yara_rule
behavioral1/files/0x0008000000012220-56.dat	family_anchor_dns
behavioral1/files/0x0008000000012220-57.dat	family_anchor_dns

Executes dropped EXE 1 IoCs

pid	Process
1100	hwjzpsey.exe

Deletes itself 1 IoCs

pid	Process
768	cmd.exe

Loads dropped DLL 1 IoCs

pid	Process
1900	6c7847d103de865f906c2e1b7372f2e11ceebec890a68ee6532cebeab852618d.exe

Drops file in System32 directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\hwjzpsey.exe:$FILE	hwjzpsey.exe
File created	C:\Windows\SysWOW64\hwjzpsey.exe	6c7847d103de865f906c2e1b7372f2e11ceebec890a68ee6532cebeab852618d.exe
File opened for modification	C:\Windows\SysWOW64\hwjzpsey.exe	6c7847d103de865f906c2e1b7372f2e11ceebec890a68ee6532cebeab852618d.exe
File opened for modification	C:\Windows\SysWOW64\hwjzpsey.exe:$TASK	hwjzpsey.exe
File opened for modification	C:\Windows\SysWOW64\hwjzpsey.exe:$GUID	hwjzpsey.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
580	timeout.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1520	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1520	powershell.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 1900 wrote to memory of 1100	1900	6c7847d103de865f906c2e1b7372f2e11ceebec890a68ee6532cebeab852618d.exe	27
PID 1900 wrote to memory of 1100	1900	6c7847d103de865f906c2e1b7372f2e11ceebec890a68ee6532cebeab852618d.exe	27
PID 1900 wrote to memory of 1100	1900	6c7847d103de865f906c2e1b7372f2e11ceebec890a68ee6532cebeab852618d.exe	27
PID 1900 wrote to memory of 1100	1900	6c7847d103de865f906c2e1b7372f2e11ceebec890a68ee6532cebeab852618d.exe	27
PID 1900 wrote to memory of 768	1900	6c7847d103de865f906c2e1b7372f2e11ceebec890a68ee6532cebeab852618d.exe	28
PID 1900 wrote to memory of 768	1900	6c7847d103de865f906c2e1b7372f2e11ceebec890a68ee6532cebeab852618d.exe	28
PID 1900 wrote to memory of 768	1900	6c7847d103de865f906c2e1b7372f2e11ceebec890a68ee6532cebeab852618d.exe	28
PID 1900 wrote to memory of 768	1900	6c7847d103de865f906c2e1b7372f2e11ceebec890a68ee6532cebeab852618d.exe	28
PID 1900 wrote to memory of 1340	1900	6c7847d103de865f906c2e1b7372f2e11ceebec890a68ee6532cebeab852618d.exe	29
PID 1900 wrote to memory of 1340	1900	6c7847d103de865f906c2e1b7372f2e11ceebec890a68ee6532cebeab852618d.exe	29
PID 1900 wrote to memory of 1340	1900	6c7847d103de865f906c2e1b7372f2e11ceebec890a68ee6532cebeab852618d.exe	29
PID 1900 wrote to memory of 1340	1900	6c7847d103de865f906c2e1b7372f2e11ceebec890a68ee6532cebeab852618d.exe	29
PID 768 wrote to memory of 580	768	cmd.exe	32
PID 768 wrote to memory of 580	768	cmd.exe	32
PID 768 wrote to memory of 580	768	cmd.exe	32
PID 768 wrote to memory of 580	768	cmd.exe	32
PID 1340 wrote to memory of 1520	1340	cmd.exe	33
PID 1340 wrote to memory of 1520	1340	cmd.exe	33
PID 1340 wrote to memory of 1520	1340	cmd.exe	33
PID 1340 wrote to memory of 1520	1340	cmd.exe	33

C:\Users\Admin\AppData\Local\Temp\6c7847d103de865f906c2e1b7372f2e11ceebec890a68ee6532cebeab852618d.exe
"C:\Users\Admin\AppData\Local\Temp\6c7847d103de865f906c2e1b7372f2e11ceebec890a68ee6532cebeab852618d.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1900
- C:\Windows\SysWOW64\hwjzpsey.exe
  C:\Windows\SysWOW64\hwjzpsey.exe -i
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  PID:1100
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c timeout 3 && del C:\Users\Admin\AppData\Local\Temp\6c7847d103de865f906c2e1b7372f2e11ceebec890a68ee6532cebeab852618d.exe
  2⤵
  - Deletes itself
  - Suspicious use of WriteProcessMemory
  PID:768
- - C:\Windows\SysWOW64\timeout.exe
    timeout 3
    3⤵
    - Delays execution with timeout.exe
    PID:580
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /C PowerShell "Start-Sleep 3; Remove-Item C:\Users\Admin\AppData\Local\Temp\6c7847d103de865f906c2e1b7372f2e11ceebec890a68ee6532cebeab852618d.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1340
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    PowerShell "Start-Sleep 3; Remove-Item C:\Users\Admin\AppData\Local\Temp\6c7847d103de865f906c2e1b7372f2e11ceebec890a68ee6532cebeab852618d.exe"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1520

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1520-63-0x00000000024B0000-0x00000000030FA000-memory.dmp

Filesize
12.3MB

Download
memory/1900-55-0x00000000760F1000-0x00000000760F3000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing