anchordns | b02494ffc1dab60510e6caee3c54695e24408e5bfa6621adcd19301cfc18e329

General

Target

b02494ffc1dab60510e6caee3c54695e24408e5bfa6621adcd19301cfc18e329.exe
Size

162KB
MD5

ae48b4d1d0da879512b495ec1f80cf67
SHA1

b388243bf5899c99091ac2df13339f141659bbd4
SHA256

b02494ffc1dab60510e6caee3c54695e24408e5bfa6621adcd19301cfc18e329
SHA512

463df35f9275cd96a65d6db32ab33d8664daa413e4d0ff8c2da670c804468c8b8181db3a140f5d156300701b0647e52c0d15042ff81cb72bbac8e32f4aa643d4

Score

10^/10

anchordns backdoor

Malware Config

Signatures

AnchorDNS Backdoor
A backdoor which communicates with C2 through DNS, attributed to the creators of Trickbot and Bazar.
backdoor anchordns

Detected AnchorDNS Backdoor 2 IoCs

Sample triggered yara rules associated with the AnchorDNS malware family.

backdoor

resource	yara_rule
behavioral2/files/0x000600000001ab08-115.dat	family_anchor_dns
behavioral2/files/0x000600000001ab08-116.dat	family_anchor_dns

Executes dropped EXE 1 IoCs

pid	Process
3592	hotvetee.exe

Drops file in System32 directory 5 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\hotvetee.exe	b02494ffc1dab60510e6caee3c54695e24408e5bfa6621adcd19301cfc18e329.exe
File opened for modification	C:\Windows\SysWOW64\hotvetee.exe	b02494ffc1dab60510e6caee3c54695e24408e5bfa6621adcd19301cfc18e329.exe
File opened for modification	C:\Windows\SysWOW64\hotvetee.exe:$TASK	hotvetee.exe
File opened for modification	C:\Windows\SysWOW64\hotvetee.exe:$GUID	hotvetee.exe
File opened for modification	C:\Windows\SysWOW64\hotvetee.exe:$FILE	hotvetee.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
4036	timeout.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
4028	powershell.exe
4028	powershell.exe
4028	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4028	powershell.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 3440 wrote to memory of 3592	3440	b02494ffc1dab60510e6caee3c54695e24408e5bfa6621adcd19301cfc18e329.exe	69
PID 3440 wrote to memory of 3592	3440	b02494ffc1dab60510e6caee3c54695e24408e5bfa6621adcd19301cfc18e329.exe	69
PID 3440 wrote to memory of 3592	3440	b02494ffc1dab60510e6caee3c54695e24408e5bfa6621adcd19301cfc18e329.exe	69
PID 3440 wrote to memory of 4120	3440	b02494ffc1dab60510e6caee3c54695e24408e5bfa6621adcd19301cfc18e329.exe	71
PID 3440 wrote to memory of 4120	3440	b02494ffc1dab60510e6caee3c54695e24408e5bfa6621adcd19301cfc18e329.exe	71
PID 3440 wrote to memory of 4120	3440	b02494ffc1dab60510e6caee3c54695e24408e5bfa6621adcd19301cfc18e329.exe	71
PID 3440 wrote to memory of 4132	3440	b02494ffc1dab60510e6caee3c54695e24408e5bfa6621adcd19301cfc18e329.exe	70
PID 3440 wrote to memory of 4132	3440	b02494ffc1dab60510e6caee3c54695e24408e5bfa6621adcd19301cfc18e329.exe	70
PID 3440 wrote to memory of 4132	3440	b02494ffc1dab60510e6caee3c54695e24408e5bfa6621adcd19301cfc18e329.exe	70
PID 4132 wrote to memory of 4028	4132	cmd.exe	74
PID 4132 wrote to memory of 4028	4132	cmd.exe	74
PID 4132 wrote to memory of 4028	4132	cmd.exe	74
PID 4120 wrote to memory of 4036	4120	cmd.exe	75
PID 4120 wrote to memory of 4036	4120	cmd.exe	75
PID 4120 wrote to memory of 4036	4120	cmd.exe	75

C:\Users\Admin\AppData\Local\Temp\b02494ffc1dab60510e6caee3c54695e24408e5bfa6621adcd19301cfc18e329.exe
"C:\Users\Admin\AppData\Local\Temp\b02494ffc1dab60510e6caee3c54695e24408e5bfa6621adcd19301cfc18e329.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3440
- C:\Windows\SysWOW64\hotvetee.exe
  C:\Windows\SysWOW64\hotvetee.exe -i
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  PID:3592
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /C PowerShell "Start-Sleep 3; Remove-Item C:\Users\Admin\AppData\Local\Temp\b02494ffc1dab60510e6caee3c54695e24408e5bfa6621adcd19301cfc18e329.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4132
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    PowerShell "Start-Sleep 3; Remove-Item C:\Users\Admin\AppData\Local\Temp\b02494ffc1dab60510e6caee3c54695e24408e5bfa6621adcd19301cfc18e329.exe"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4028
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c timeout 3 && del C:\Users\Admin\AppData\Local\Temp\b02494ffc1dab60510e6caee3c54695e24408e5bfa6621adcd19301cfc18e329.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4120
- - C:\Windows\SysWOW64\timeout.exe
    timeout 3
    3⤵
    - Delays execution with timeout.exe
    PID:4036

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/4028-119-0x0000000007220000-0x0000000007256000-memory.dmp

Filesize
216KB

Download
memory/4028-120-0x00000000079F0000-0x0000000008018000-memory.dmp

Filesize
6.2MB

Download
memory/4028-122-0x0000000007840000-0x0000000007862000-memory.dmp

Filesize
136KB

Download
memory/4028-121-0x00000000073B0000-0x00000000073B1000-memory.dmp

Filesize
4KB

Download
memory/4028-123-0x00000000073B2000-0x00000000073B3000-memory.dmp

Filesize
4KB

Download
memory/4028-124-0x0000000008020000-0x0000000008086000-memory.dmp

Filesize
408KB

Download
memory/4028-125-0x0000000008090000-0x00000000080F6000-memory.dmp

Filesize
408KB

Download
memory/4028-126-0x00000000082E0000-0x0000000008630000-memory.dmp

Filesize
3.3MB

Download
memory/4028-127-0x0000000007590000-0x00000000075AC000-memory.dmp

Filesize
112KB

Download
memory/4028-128-0x0000000008810000-0x000000000885B000-memory.dmp

Filesize
300KB

Download
memory/4028-129-0x0000000008A10000-0x0000000008A86000-memory.dmp

Filesize
472KB

Download
memory/4028-136-0x000000000A0C0000-0x000000000A738000-memory.dmp

Filesize
6.5MB

Download
memory/4028-137-0x0000000009810000-0x000000000982A000-memory.dmp

Filesize
104KB

Download
memory/4028-142-0x0000000009BC0000-0x0000000009C54000-memory.dmp

Filesize
592KB

Download
memory/4028-143-0x00000000097B0000-0x00000000097D2000-memory.dmp

Filesize
136KB

Download
memory/4028-144-0x000000000AC40000-0x000000000B13E000-memory.dmp

Filesize
5.0MB

Download

Analysis

Sharing