anchordns | 6c7847d103de865f906c2e1b7372f2e11ceebec890a68ee6532cebeab852618d

General

Target

6c7847d103de865f906c2e1b7372f2e11ceebec890a68ee6532cebeab852618d.exe
Size

162KB
MD5

dd1d2518d48b0c9b15dc426816f627b5
SHA1

e26d5ed1aa0c38a64f0f9c2f85fc144b320c0147
SHA256

6c7847d103de865f906c2e1b7372f2e11ceebec890a68ee6532cebeab852618d
SHA512

dea2c64e3b245d00afc1bfa0b8f2e8baa9559e11b1af81dc25eb8d9a6e17460be9357aa3ba0a3f2d2a618b550a45a9ec23a1fe3edf0a123dc0bb95901d1b4840

Score

10^/10

anchordns backdoor

Malware Config

Signatures

AnchorDNS Backdoor
A backdoor which communicates with C2 through DNS, attributed to the creators of Trickbot and Bazar.
backdoor anchordns

Detected AnchorDNS Backdoor 2 IoCs

Sample triggered yara rules associated with the AnchorDNS malware family.

backdoor

resource	yara_rule
behavioral2/files/0x000600000001ab30-118.dat	family_anchor_dns
behavioral2/files/0x000600000001ab30-119.dat	family_anchor_dns

Executes dropped EXE 1 IoCs

pid	Process
1216	gzfmegws.exe

Drops file in System32 directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\gzfmegws.exe:$FILE	gzfmegws.exe
File created	C:\Windows\SysWOW64\gzfmegws.exe	6c7847d103de865f906c2e1b7372f2e11ceebec890a68ee6532cebeab852618d.exe
File opened for modification	C:\Windows\SysWOW64\gzfmegws.exe	6c7847d103de865f906c2e1b7372f2e11ceebec890a68ee6532cebeab852618d.exe
File opened for modification	C:\Windows\SysWOW64\gzfmegws.exe:$TASK	gzfmegws.exe
File opened for modification	C:\Windows\SysWOW64\gzfmegws.exe:$GUID	gzfmegws.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
3044	timeout.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
1712	powershell.exe
1712	powershell.exe
1712	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1712	powershell.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 3472 wrote to memory of 1216	3472	6c7847d103de865f906c2e1b7372f2e11ceebec890a68ee6532cebeab852618d.exe	71
PID 3472 wrote to memory of 1216	3472	6c7847d103de865f906c2e1b7372f2e11ceebec890a68ee6532cebeab852618d.exe	71
PID 3472 wrote to memory of 1216	3472	6c7847d103de865f906c2e1b7372f2e11ceebec890a68ee6532cebeab852618d.exe	71
PID 3472 wrote to memory of 780	3472	6c7847d103de865f906c2e1b7372f2e11ceebec890a68ee6532cebeab852618d.exe	72
PID 3472 wrote to memory of 780	3472	6c7847d103de865f906c2e1b7372f2e11ceebec890a68ee6532cebeab852618d.exe	72
PID 3472 wrote to memory of 780	3472	6c7847d103de865f906c2e1b7372f2e11ceebec890a68ee6532cebeab852618d.exe	72
PID 3472 wrote to memory of 1940	3472	6c7847d103de865f906c2e1b7372f2e11ceebec890a68ee6532cebeab852618d.exe	73
PID 3472 wrote to memory of 1940	3472	6c7847d103de865f906c2e1b7372f2e11ceebec890a68ee6532cebeab852618d.exe	73
PID 3472 wrote to memory of 1940	3472	6c7847d103de865f906c2e1b7372f2e11ceebec890a68ee6532cebeab852618d.exe	73
PID 780 wrote to memory of 3044	780	cmd.exe	76
PID 780 wrote to memory of 3044	780	cmd.exe	76
PID 780 wrote to memory of 3044	780	cmd.exe	76
PID 1940 wrote to memory of 1712	1940	cmd.exe	77
PID 1940 wrote to memory of 1712	1940	cmd.exe	77
PID 1940 wrote to memory of 1712	1940	cmd.exe	77

C:\Users\Admin\AppData\Local\Temp\6c7847d103de865f906c2e1b7372f2e11ceebec890a68ee6532cebeab852618d.exe
"C:\Users\Admin\AppData\Local\Temp\6c7847d103de865f906c2e1b7372f2e11ceebec890a68ee6532cebeab852618d.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3472
- C:\Windows\SysWOW64\gzfmegws.exe
  C:\Windows\SysWOW64\gzfmegws.exe -i
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  PID:1216
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c timeout 3 && del C:\Users\Admin\AppData\Local\Temp\6c7847d103de865f906c2e1b7372f2e11ceebec890a68ee6532cebeab852618d.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:780
- - C:\Windows\SysWOW64\timeout.exe
    timeout 3
    3⤵
    - Delays execution with timeout.exe
    PID:3044
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /C PowerShell "Start-Sleep 3; Remove-Item C:\Users\Admin\AppData\Local\Temp\6c7847d103de865f906c2e1b7372f2e11ceebec890a68ee6532cebeab852618d.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1940
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    PowerShell "Start-Sleep 3; Remove-Item C:\Users\Admin\AppData\Local\Temp\6c7847d103de865f906c2e1b7372f2e11ceebec890a68ee6532cebeab852618d.exe"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1712

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1712-122-0x0000000006A80000-0x0000000006A81000-memory.dmp

Filesize
4KB

Download
memory/1712-123-0x0000000006A40000-0x0000000006A76000-memory.dmp

Filesize
216KB

Download
memory/1712-124-0x0000000006A82000-0x0000000006A83000-memory.dmp

Filesize
4KB

Download
memory/1712-125-0x00000000070C0000-0x00000000076E8000-memory.dmp

Filesize
6.2MB

Download
memory/1712-126-0x00000000077F0000-0x0000000007812000-memory.dmp

Filesize
136KB

Download
memory/1712-127-0x00000000079D0000-0x0000000007A36000-memory.dmp

Filesize
408KB

Download
memory/1712-128-0x0000000007A40000-0x0000000007AA6000-memory.dmp

Filesize
408KB

Download
memory/1712-129-0x0000000007AB0000-0x0000000007E00000-memory.dmp

Filesize
3.3MB

Download
memory/1712-130-0x0000000007070000-0x000000000708C000-memory.dmp

Filesize
112KB

Download
memory/1712-131-0x0000000007FE0000-0x000000000802B000-memory.dmp

Filesize
300KB

Download
memory/1712-132-0x0000000008240000-0x00000000082B6000-memory.dmp

Filesize
472KB

Download
memory/1712-139-0x0000000009990000-0x000000000A008000-memory.dmp

Filesize
6.5MB

Download
memory/1712-140-0x0000000009020000-0x000000000903A000-memory.dmp

Filesize
104KB

Download
memory/1712-145-0x0000000009360000-0x00000000093F4000-memory.dmp

Filesize
592KB

Download
memory/1712-146-0x00000000092F0000-0x0000000009312000-memory.dmp

Filesize
136KB

Download
memory/1712-147-0x000000000A010000-0x000000000A50E000-memory.dmp

Filesize
5.0MB

Download

Analysis

Sharing