anchordns | 0816d66320d221de576c8a9e6af1b05c7656832939876dd99bb8b40029fe694a

Analysis

max time kernel
150s
max time network
150s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
14-06-2024 10:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0816d66320d221de576c8a9e6af1b05c7656832939876dd99bb8b40029fe694a.exe
Size

666KB
MD5

754b79913fde2de487e9fc2826b65d57
SHA1

c8299aadf886da55cb47e5cbafe8c5a482b47fc8
SHA256

0816d66320d221de576c8a9e6af1b05c7656832939876dd99bb8b40029fe694a
SHA512

4a2420e2e89757cab2376932ce548f9b31b845f8c99dfd1cdd9a3b53dabed9e3cb11ecf514edeaccd932f277f65397c126ecaf42831f016554d2001034a25a1d
SSDEEP

12288:b9x+Tm3J3SrhP6pRKBdxZXi0gjFBFq4wTdbU0Cp4RWeAK+1coRm:b9nJ3SrhC+BdxZXi0gjFLq4wTZU0Cp4N

Score

10^/10

anchordns backdoor

Malware Config

Signatures

AnchorDNS Backdoor
A backdoor which communicates with C2 through DNS, attributed to the creators of Trickbot and Bazar.
backdoor anchordns

Detected AnchorDNS Backdoor 1 IoCs

Sample triggered yara rules associated with the AnchorDNS malware family.

backdoor

resource	yara_rule
behavioral1/files/0x000c000000013ace-4.dat	family_anchor_dns

Executes dropped EXE 1 IoCs

pid	Process
2792	0816d66320d221de576c8a9e6af1b05c7656832939876dd99bb8b40029fe694a.exe

Loads dropped DLL 1 IoCs

pid	Process
2568	taskeng.exe

NTFS ADS 3 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Local\Temp\0816d66320d221de576c8a9e6af1b05c7656832939876dd99bb8b40029fe694a.exe:$TASK	0816d66320d221de576c8a9e6af1b05c7656832939876dd99bb8b40029fe694a.exe
File opened for modification	C:\Users\Admin\AppData\Local\Temp\0816d66320d221de576c8a9e6af1b05c7656832939876dd99bb8b40029fe694a.exe:$FILE	0816d66320d221de576c8a9e6af1b05c7656832939876dd99bb8b40029fe694a.exe
File opened for modification	C:\Users\Admin\AppData\Local\Temp\0816d66320d221de576c8a9e6af1b05c7656832939876dd99bb8b40029fe694a.exe: data	0816d66320d221de576c8a9e6af1b05c7656832939876dd99bb8b40029fe694a.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2568	taskeng.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2568 wrote to memory of 2792	2568	taskeng.exe	31
PID 2568 wrote to memory of 2792	2568	taskeng.exe	31
PID 2568 wrote to memory of 2792	2568	taskeng.exe	31

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\0816d66320d221de576c8a9e6af1b05c7656832939876dd99bb8b40029fe694a.exe
"C:\Users\Admin\AppData\Local\Temp\0816d66320d221de576c8a9e6af1b05c7656832939876dd99bb8b40029fe694a.exe"
1⤵
- NTFS ADS
PID:2036

C:\Windows\system32\taskeng.exe
taskeng.exe {D2404C0E-5496-44E2-89EF-D036361D31FE} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2568
- C:\Users\Admin\AppData\Local\Temp\0816d66320d221de576c8a9e6af1b05c7656832939876dd99bb8b40029fe694a.exe
  C:\Users\Admin\AppData\Local\Temp\0816d66320d221de576c8a9e6af1b05c7656832939876dd99bb8b40029fe694a.exe -u
  2⤵
  - Executes dropped EXE
  - NTFS ADS
  PID:2792

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\0816d66320d221de576c8a9e6af1b05c7656832939876dd99bb8b40029fe694a.exe

Filesize
666KB

MD5
754b79913fde2de487e9fc2826b65d57

SHA1
c8299aadf886da55cb47e5cbafe8c5a482b47fc8

SHA256
0816d66320d221de576c8a9e6af1b05c7656832939876dd99bb8b40029fe694a

SHA512
4a2420e2e89757cab2376932ce548f9b31b845f8c99dfd1cdd9a3b53dabed9e3cb11ecf514edeaccd932f277f65397c126ecaf42831f016554d2001034a25a1d

Download Submit