anchordns | b02494ffc1dab60510e6caee3c54695e24408e5bfa6621adcd19301cfc18e329

General

Target

b02494ffc1dab60510e6caee3c54695e24408e5bfa6621adcd19301cfc18e329.exe
Size

162KB
MD5

ae48b4d1d0da879512b495ec1f80cf67
SHA1

b388243bf5899c99091ac2df13339f141659bbd4
SHA256

b02494ffc1dab60510e6caee3c54695e24408e5bfa6621adcd19301cfc18e329
SHA512

463df35f9275cd96a65d6db32ab33d8664daa413e4d0ff8c2da670c804468c8b8181db3a140f5d156300701b0647e52c0d15042ff81cb72bbac8e32f4aa643d4

Score

10^/10

anchordns backdoor

Malware Config

Signatures

AnchorDNS Backdoor
A backdoor which communicates with C2 through DNS, attributed to the creators of Trickbot and Bazar.
backdoor anchordns

Detected AnchorDNS Backdoor 2 IoCs

Sample triggered yara rules associated with the AnchorDNS malware family.

backdoor

resource	yara_rule
behavioral1/files/0x000700000001321e-55.dat	family_anchor_dns
behavioral1/files/0x000700000001321e-56.dat	family_anchor_dns

Executes dropped EXE 1 IoCs

pid	Process
1656	pcnxbmef.exe

Deletes itself 1 IoCs

pid	Process
768	cmd.exe

Loads dropped DLL 1 IoCs

pid	Process
1488	b02494ffc1dab60510e6caee3c54695e24408e5bfa6621adcd19301cfc18e329.exe

Drops file in System32 directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\pcnxbmef.exe	b02494ffc1dab60510e6caee3c54695e24408e5bfa6621adcd19301cfc18e329.exe
File opened for modification	C:\Windows\SysWOW64\pcnxbmef.exe:$TASK	pcnxbmef.exe
File opened for modification	C:\Windows\SysWOW64\pcnxbmef.exe:$GUID	pcnxbmef.exe
File opened for modification	C:\Windows\SysWOW64\pcnxbmef.exe:$FILE	pcnxbmef.exe
File created	C:\Windows\SysWOW64\pcnxbmef.exe	b02494ffc1dab60510e6caee3c54695e24408e5bfa6621adcd19301cfc18e329.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
572	timeout.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1240	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1240	powershell.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 1488 wrote to memory of 1656	1488	b02494ffc1dab60510e6caee3c54695e24408e5bfa6621adcd19301cfc18e329.exe	27
PID 1488 wrote to memory of 1656	1488	b02494ffc1dab60510e6caee3c54695e24408e5bfa6621adcd19301cfc18e329.exe	27
PID 1488 wrote to memory of 1656	1488	b02494ffc1dab60510e6caee3c54695e24408e5bfa6621adcd19301cfc18e329.exe	27
PID 1488 wrote to memory of 1656	1488	b02494ffc1dab60510e6caee3c54695e24408e5bfa6621adcd19301cfc18e329.exe	27
PID 1488 wrote to memory of 768	1488	b02494ffc1dab60510e6caee3c54695e24408e5bfa6621adcd19301cfc18e329.exe	28
PID 1488 wrote to memory of 768	1488	b02494ffc1dab60510e6caee3c54695e24408e5bfa6621adcd19301cfc18e329.exe	28
PID 1488 wrote to memory of 768	1488	b02494ffc1dab60510e6caee3c54695e24408e5bfa6621adcd19301cfc18e329.exe	28
PID 1488 wrote to memory of 768	1488	b02494ffc1dab60510e6caee3c54695e24408e5bfa6621adcd19301cfc18e329.exe	28
PID 1488 wrote to memory of 520	1488	b02494ffc1dab60510e6caee3c54695e24408e5bfa6621adcd19301cfc18e329.exe	29
PID 1488 wrote to memory of 520	1488	b02494ffc1dab60510e6caee3c54695e24408e5bfa6621adcd19301cfc18e329.exe	29
PID 1488 wrote to memory of 520	1488	b02494ffc1dab60510e6caee3c54695e24408e5bfa6621adcd19301cfc18e329.exe	29
PID 1488 wrote to memory of 520	1488	b02494ffc1dab60510e6caee3c54695e24408e5bfa6621adcd19301cfc18e329.exe	29
PID 768 wrote to memory of 572	768	cmd.exe	32
PID 768 wrote to memory of 572	768	cmd.exe	32
PID 768 wrote to memory of 572	768	cmd.exe	32
PID 768 wrote to memory of 572	768	cmd.exe	32
PID 520 wrote to memory of 1240	520	cmd.exe	33
PID 520 wrote to memory of 1240	520	cmd.exe	33
PID 520 wrote to memory of 1240	520	cmd.exe	33
PID 520 wrote to memory of 1240	520	cmd.exe	33

C:\Users\Admin\AppData\Local\Temp\b02494ffc1dab60510e6caee3c54695e24408e5bfa6621adcd19301cfc18e329.exe
"C:\Users\Admin\AppData\Local\Temp\b02494ffc1dab60510e6caee3c54695e24408e5bfa6621adcd19301cfc18e329.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1488
- C:\Windows\SysWOW64\pcnxbmef.exe
  C:\Windows\SysWOW64\pcnxbmef.exe -i
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  PID:1656
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c timeout 3 && del C:\Users\Admin\AppData\Local\Temp\b02494ffc1dab60510e6caee3c54695e24408e5bfa6621adcd19301cfc18e329.exe
  2⤵
  - Deletes itself
  - Suspicious use of WriteProcessMemory
  PID:768
- - C:\Windows\SysWOW64\timeout.exe
    timeout 3
    3⤵
    - Delays execution with timeout.exe
    PID:572
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /C PowerShell "Start-Sleep 3; Remove-Item C:\Users\Admin\AppData\Local\Temp\b02494ffc1dab60510e6caee3c54695e24408e5bfa6621adcd19301cfc18e329.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:520
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    PowerShell "Start-Sleep 3; Remove-Item C:\Users\Admin\AppData\Local\Temp\b02494ffc1dab60510e6caee3c54695e24408e5bfa6621adcd19301cfc18e329.exe"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1240

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1240-60-0x0000000002530000-0x000000000317A000-memory.dmp

Filesize
12.3MB

Download
memory/1240-61-0x0000000002530000-0x000000000317A000-memory.dmp

Filesize
12.3MB

Download
memory/1240-62-0x0000000002530000-0x000000000317A000-memory.dmp

Filesize
12.3MB

Download
memory/1488-54-0x0000000075D51000-0x0000000075D53000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing