Analysis Report anchorDNS_x64.exe

Overview

General Information

Sample Name: anchorDNS_x64.exe
Analysis ID: 381811
MD5: 7160ac4abb26f0ca4c1b6dfba44f8d36
SHA1: 3820ff0d04a233745c79932b77eccfe743a81d34
SHA256: 9fdbd76141ec43b6867f091a2dca503edb2a85e4b98a4500611f5fe484109513

Detection

Score: 56
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Contains functionality to inject threads in other processes
Machine Learning detection for sample
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query CPU information (cpuid)
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found evasive API chain (date check)
Found large amount of non-executed APIs
May sleep (evasive loops) to hinder dynamic analysis
PE file contains more sections than normal
PE file contains sections with non-standard names
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Uses code obfuscation techniques (call, push, ret)

Classification

Startup

  • System is w10x64
  • anchorDNS_x64.exe (PID: 6344 cmdline: 'C:\Users\user\Desktop\anchorDNS_x64.exe' MD5: 7160AC4ABB26F0CA4C1B6DFBA44F8D36)
    • cmd.exe (PID: 6368 cmdline: cmd.exe /c timeout 3 && del C:\Users\user\Desktop\anchorDNS_x64.exe MD5: 4E2ACF4F8A396486AB4268C94A6A245F)
      • conhost.exe (PID: 6384 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • timeout.exe (PID: 6424 cmdline: timeout 3 MD5: EB9A65078396FB5D4E3813BB9198CB18)
    • cmd.exe (PID: 6376 cmdline: cmd.exe /C PowerShell 'Start-Sleep 3; Remove-Item C:\Users\user\Desktop\anchorDNS_x64.exe' MD5: 4E2ACF4F8A396486AB4268C94A6A245F)
      • conhost.exe (PID: 6396 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • powershell.exe (PID: 6456 cmdline: PowerShell 'Start-Sleep 3; Remove-Item C:\Users\user\Desktop\anchorDNS_x64.exe' MD5: 95000560239032BC68B4C2FDFCDEF913)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

No yara matches

Sigma Overview

No Sigma rule has matched

Signature Overview


AV Detection:

Multi AV Scanner detection for submitted file
Source: anchorDNS_x64.exe | Virustotal: Detection: 10%
Source: anchorDNS_x64.exe | ReversingLabs: Detection: 25%
Machine Learning detection for sample
Source: anchorDNS_x64.exe | Joe Sandbox ML: detected
Source: anchorDNS_x64.exe | Static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA
Source: Binary string: Z:\D\GIT\anchorDns.llvm\Bin\x64\Release\anchorDNS_x64.pdbt | source: anchorDNS_x64.exe
Source: Binary string: Z:\D\GIT\anchorDns.llvm\Bin\x64\Release\anchorDNS_x64.pdb | source: anchorDNS_x64.exe
Source: C:\Users\user\Desktop\anchorDNS_x64.exe | Code function: 0_2_00007FF63EC3D404 FindFirstFileExW
Source: powershell.exe, 00000006.00000003.217179808.0000012B7D198000.00000004.00000001.sdmp | String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: powershell.exe, 00000006.00000002.226355731.0000012B101A6000.00000004.00000001.sdmp | String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 00000006.00000002.230782159.0000012B7D140000.00000004.00000001.sdmp, powershell.exe, 00000006.00000002.218129835.0000012B00210000.00000004.00000001.sdmp | String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000006.00000002.217765028.0000012B00001000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000006.00000002.230782159.0000012B7D140000.00000004.00000001.sdmp, powershell.exe, 00000006.00000002.218129835.0000012B00210000.00000004.00000001.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 00000006.00000002.226355731.0000012B101A6000.00000004.00000001.sdmp | String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000006.00000002.226355731.0000012B101A6000.00000004.00000001.sdmp | String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000006.00000002.226355731.0000012B101A6000.00000004.00000001.sdmp | String found in binary or memory: https://contoso.com/License
Source: powershell.exe, 00000006.00000002.230782159.0000012B7D140000.00000004.00000001.sdmp, powershell.exe, 00000006.00000002.218129835.0000012B00210000.00000004.00000001.sdmp | String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000006.00000002.224611933.0000012B01C61000.00000004.00000001.sdmp | String found in binary or memory: https://go.micro
Source: powershell.exe, 00000006.00000002.226355731.0000012B101A6000.00000004.00000001.sdmp | String found in binary or memory: https://nuget.org/nuget.exe
Source: C:\Users\user\Desktop\anchorDNS_x64.exe | Code function: 0_2_00007FF63EC2048A GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,CloseHandle,CreateDesktopA,Sleep,CloseDesktop,GetLastError,GetLastError,GetLastError,CloseHandle
Source: C:\Users\user\Desktop\anchorDNS_x64.exe | Code function: 0_2_00007FF63EC0F1C7
Source: C:\Users\user\Desktop\anchorDNS_x64.exe | Code function: 0_2_00007FF63EC352C0
Source: C:\Users\user\Desktop\anchorDNS_x64.exe | Code function: 0_2_00007FF63EC042E4
Source: C:\Users\user\Desktop\anchorDNS_x64.exe | Code function: 0_2_00007FF63EC2D00C
Source: C:\Users\user\Desktop\anchorDNS_x64.exe | Code function: 0_2_00007FF63EC0F80E
Source: C:\Users\user\Desktop\anchorDNS_x64.exe | Code function: 0_2_00007FF63EC1D004
Source: C:\Users\user\Desktop\anchorDNS_x64.exe | Code function: 0_2_00007FF63EC0777A
Source: C:\Users\user\Desktop\anchorDNS_x64.exe | Code function: 0_2_00007FF63EC1AFAE
Source: C:\Users\user\Desktop\anchorDNS_x64.exe | Code function: 0_2_00007FF63EC32754
Source: C:\Users\user\Desktop\anchorDNS_x64.exe | Code function: 0_2_00007FF63EC2FF60
Source: C:\Users\user\Desktop\anchorDNS_x64.exe | Code function: 0_2_00007FF63EC0176B
Source: C:\Users\user\Desktop\anchorDNS_x64.exe | Code function: 0_2_00007FF63EC1890E
Source: C:\Users\user\Desktop\anchorDNS_x64.exe | Code function: 0_2_00007FF63EC0C0FC
Source: C:\Users\user\Desktop\anchorDNS_x64.exe | Code function: 0_2_00007FF63EC28926
Source: C:\Users\user\Desktop\anchorDNS_x64.exe | Code function: 0_2_00007FF63EC0E8EC
Source: C:\Users\user\Desktop\anchorDNS_x64.exe | Code function: 0_2_00007FF63EC020D8
Source: C:\Users\user\Desktop\anchorDNS_x64.exe | Code function: 0_2_00007FF63EC2908C
Source: C:\Users\user\Desktop\anchorDNS_x64.exe | Code function: 0_2_00007FF63EC2E894
Source: C:\Users\user\Desktop\anchorDNS_x64.exe | Code function: 0_2_00007FF63EC01094
Source: C:\Users\user\Desktop\anchorDNS_x64.exe | Code function: 0_2_00007FF63EC0C8B2
Source: C:\Users\user\Desktop\anchorDNS_x64.exe | Code function: 0_2_00007FF63EC23609
Source: C:\Users\user\Desktop\anchorDNS_x64.exe | Code function: 0_2_00007FF63EC0A5F6
Source: C:\Users\user\Desktop\anchorDNS_x64.exe | Code function: 0_2_00007FF63EC3EE18
Source: C:\Users\user\Desktop\anchorDNS_x64.exe | Code function: 0_2_00007FF63EC08E1C
Source: C:\Users\user\Desktop\anchorDNS_x64.exe | Code function: 0_2_00007FF63EC0C5BE
Source: C:\Users\user\Desktop\anchorDNS_x64.exe | Code function: 0_2_00007FF63EC195A8
Source: C:\Users\user\Desktop\anchorDNS_x64.exe | Code function: 0_2_00007FF63EC2F5B0
Source: C:\Users\user\Desktop\anchorDNS_x64.exe | Code function: 0_2_00007FF63EC1CD36
Source: C:\Users\user\Desktop\anchorDNS_x64.exe | Code function: 0_2_00007FF63EC03575
Source: C:\Users\user\Desktop\anchorDNS_x64.exe | Code function: 0_2_00007FF63EC09F0A
Source: C:\Users\user\Desktop\anchorDNS_x64.exe | Code function: 0_2_00007FF63EC08716
Source: C:\Users\user\Desktop\anchorDNS_x64.exe | Code function: 0_2_00007FF63EC1BF22
Source: C:\Users\user\Desktop\anchorDNS_x64.exe | Code function: 0_2_00007FF63EC066C4
Source: C:\Users\user\Desktop\anchorDNS_x64.exe | Code function: 0_2_00007FF63EC216CE
Source: C:\Users\user\Desktop\anchorDNS_x64.exe | Code function: 0_2_00007FF63EC0AED2
Source: C:\Users\user\Desktop\anchorDNS_x64.exe | Code function: 0_2_00007FF63EC3B6E8
Source: C:\Users\user\Desktop\anchorDNS_x64.exe | Code function: 0_2_00007FF63EC3CEEC
Source: C:\Users\user\Desktop\anchorDNS_x64.exe | Code function: 0_2_00007FF63EC06EEC
Source: C:\Users\user\Desktop\anchorDNS_x64.exe | Code function: 0_2_00007FF63EC0B68A
Source: C:\Users\user\Desktop\anchorDNS_x64.exe | Code function: 0_2_00007FF63EC0BE8E
Source: C:\Users\user\Desktop\anchorDNS_x64.exe | Code function: 0_2_00007FF63EC07E98
Source: C:\Users\user\Desktop\anchorDNS_x64.exe | Code function: 0_2_00007FF63EC42E48
Source: C:\Users\user\Desktop\anchorDNS_x64.exe | Code function: 0_2_00007FF63EC0CE64
Source: C:\Users\user\Desktop\anchorDNS_x64.exe | Code function: 0_2_00007FF63EC25414
Source: C:\Users\user\Desktop\anchorDNS_x64.exe | Code function: 0_2_00007FF63EC103FD
Source: C:\Users\user\Desktop\anchorDNS_x64.exe | Code function: 0_2_00007FF63EC3D404
Source: C:\Users\user\Desktop\anchorDNS_x64.exe | Code function: 0_2_00007FF63EC17C28
Source: C:\Users\user\Desktop\anchorDNS_x64.exe | Code function: 0_2_00007FF63EC22C2F
Source: C:\Users\user\Desktop\anchorDNS_x64.exe | Code function: 0_2_00007FF63EC06BCC
Source: C:\Users\user\Desktop\anchorDNS_x64.exe | Code function: 0_2_00007FF63EC1C3C2
Source: C:\Users\user\Desktop\anchorDNS_x64.exe | Code function: 0_2_00007FF63EC073F4
Source: C:\Users\user\Desktop\anchorDNS_x64.exe | Code function: 0_2_00007FF63EC1EBAA
Source: C:\Users\user\Desktop\anchorDNS_x64.exe | Code function: 0_2_00007FF63EC1A3AE
Source: C:\Users\user\Desktop\anchorDNS_x64.exe | Code function: 0_2_00007FF63EC1FBB4
Source: C:\Users\user\Desktop\anchorDNS_x64.exe | Code function: 0_2_00007FF63EC0AB96
Source: C:\Users\user\Desktop\anchorDNS_x64.exe | Code function: 0_2_00007FF63EC3FB64
Source: C:\Users\user\Desktop\anchorDNS_x64.exe | Code function: 0_2_00007FF63EC27CCD
Source: C:\Users\user\Desktop\anchorDNS_x64.exe | Code function: 0_2_00007FF63EC27CCC
Source: C:\Users\user\Desktop\anchorDNS_x64.exe | Code function: 0_2_00007FF63EC144C3
Source: C:\Users\user\Desktop\anchorDNS_x64.exe | Code function: 0_2_00007FF63EC174C4
Source: C:\Users\user\Desktop\anchorDNS_x64.exe | Code function: 0_2_00007FF63EC1B4E4
Source: C:\Users\user\Desktop\anchorDNS_x64.exe | Code function: 0_2_00007FF63EC2048A
Source: C:\Users\user\Desktop\anchorDNS_x64.exe | Code function: 0_2_00007FF63EC08476
Source: C:\Users\user\Desktop\anchorDNS_x64.exe | Code function: 0_2_00007FF63EC3BC9C
Source: C:\Users\user\Desktop\anchorDNS_x64.exe | Code function: 0_2_00007FF63EC09CA4
Source: C:\Users\user\Desktop\anchorDNS_x64.exe | Code function: 0_2_00007FF63EC0B45A
Source: C:\Users\user\Desktop\anchorDNS_x64.exe | Code function: 0_2_00007FF63EC0BC62
Source: C:\Users\user\Desktop\anchorDNS_x64.exe | Code function: 0_2_00007FF63EC15209
Source: C:\Users\user\Desktop\anchorDNS_x64.exe | Code function: 0_2_00007FF63EC039FB
Source: C:\Users\user\Desktop\anchorDNS_x64.exe | Code function: 0_2_00007FF63EC071F6
Source: C:\Users\user\Desktop\anchorDNS_x64.exe | Code function: 0_2_00007FF63EC279D8
Source: C:\Users\user\Desktop\anchorDNS_x64.exe | Code function: 0_2_00007FF63EC0E192
Source: C:\Users\user\Desktop\anchorDNS_x64.exe | Code function: 0_2_00007FF63EC08992
Source: C:\Users\user\Desktop\anchorDNS_x64.exe | Code function: 0_2_00007FF63EC2217C
Source: C:\Users\user\Desktop\anchorDNS_x64.exe | Code function: 0_2_00007FF63EC1F148
Source: C:\Users\user\Desktop\anchorDNS_x64.exe | Code function: 0_2_00007FF63EC1614C
Source: C:\Users\user\Desktop\anchorDNS_x64.exe | Code function: 0_2_00007FF63EC0693C
Source: C:\Users\user\Desktop\anchorDNS_x64.exe | Code function: 0_2_00007FF63EC0A16E
Source: C:\Users\user\Desktop\anchorDNS_x64.exe | Code function: 0_2_00007FF63EC1DB2C
Source: C:\Users\user\Desktop\anchorDNS_x64.exe | Code function: 0_2_00007FF63EC07B16
Source: C:\Users\user\Desktop\anchorDNS_x64.exe | Code function: 0_2_00007FF63EC1F31E
Source: C:\Users\user\Desktop\anchorDNS_x64.exe | Code function: 0_2_00007FF63EC012B6
Source: C:\Users\user\Desktop\anchorDNS_x64.exe | Code function: 0_2_00007FF63EC0C2F2
Source: C:\Users\user\Desktop\anchorDNS_x64.exe | Code function: 0_2_00007FF63EC08248
Source: C:\Users\user\Desktop\anchorDNS_x64.exe | Code function: 0_2_00007FF63EC28250
Source: C:\Users\user\Desktop\anchorDNS_x64.exe | Code function: 0_2_00007FF63EC2FA54
Source: C:\Users\user\Desktop\anchorDNS_x64.exe | Code function: 0_2_00007FF63EC0BA3A
Source: anchorDNS_x64.exe | Static PE information: Number of sections : 11 > 10
Source: classification engine | Classification label: mal56.evad.winEXE@11/4@0/0
Source: C:\Users\user\Desktop\anchorDNS_x64.exe | Code function: 0_2_00007FF63EC2048A GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,CloseHandle,CreateDesktopA,Sleep,CloseDesktop,GetLastError,GetLastError,GetLastError,CloseHandle
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\Documents\20210405
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6396:120:WilError_01
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6384:120:WilError_01
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_0nn5oih2.opl.ps1
Source: anchorDNS_x64.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dll
Source: C:\Users\user\Desktop\anchorDNS_x64.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: anchorDNS_x64.exe | Virustotal: Detection: 10%
Source: anchorDNS_x64.exe | ReversingLabs: Detection: 25%
Source: unknown | Process created: C:\Users\user\Desktop\anchorDNS_x64.exe 'C:\Users\user\Desktop\anchorDNS_x64.exe'
Source: C:\Users\user\Desktop\anchorDNS_x64.exe | Process created: C:\Windows\System32\cmd.exe cmd.exe /c timeout 3 && del C:\Users\user\Desktop\anchorDNS_x64.exe
Source: C:\Users\user\Desktop\anchorDNS_x64.exe | Process created: C:\Windows\System32\cmd.exe cmd.exe /C PowerShell 'Start-Sleep 3; Remove-Item C:\Users\user\Desktop\anchorDNS_x64.exe'
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\timeout.exe timeout 3
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe PowerShell 'Start-Sleep 3; Remove-Item C:\Users\user\Desktop\anchorDNS_x64.exe'
Source: C:\Users\user\Desktop\anchorDNS_x64.exe | Process created: C:\Windows\System32\cmd.exe cmd.exe /c timeout 3 && del C:\Users\user\Desktop\anchorDNS_x64.exe
Source: C:\Users\user\Desktop\anchorDNS_x64.exe | Process created: C:\Windows\System32\cmd.exe cmd.exe /C PowerShell 'Start-Sleep 3; Remove-Item C:\Users\user\Desktop\anchorDNS_x64.exe'
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\timeout.exe timeout 3
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe PowerShell 'Start-Sleep 3; Remove-Item C:\Users\user\Desktop\anchorDNS_x64.exe'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
Source: anchorDNS_x64.exe | Static PE information: Image base 0x140000000 > 0x60000000
Source: anchorDNS_x64.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: anchorDNS_x64.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: anchorDNS_x64.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: anchorDNS_x64.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: anchorDNS_x64.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: anchorDNS_x64.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: anchorDNS_x64.exe | Static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA
Source: anchorDNS_x64.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: Z:\D\GIT\anchorDns.llvm\Bin\x64\Release\anchorDNS_x64.pdbt | source: anchorDNS_x64.exe
Source: Binary string: Z:\D\GIT\anchorDns.llvm\Bin\x64\Release\anchorDNS_x64.pdb | source: anchorDNS_x64.exe
Source: anchorDNS_x64.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: anchorDNS_x64.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: anchorDNS_x64.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: anchorDNS_x64.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: anchorDNS_x64.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
Source: anchorDNS_x64.exe | Static PE information: section name: .00cfg
Source: anchorDNS_x64.exe | Static PE information: section name: .addr
Source: anchorDNS_x64.exe | Static PE information: section name: .rand
Source: anchorDNS_x64.exe | Static PE information: section name: _RDATA
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 6_2_00007FFAEEE23767 push esp; retf 6_2_00007FFAEEE23768
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 3590Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 5441Jump to behavior
Source: C:\Users\user\Desktop\anchorDNS_x64.exeEvasive API call chain: GetLocalTime,DecisionNodesgraph_0-19873
Source: C:\Users\user\Desktop\anchorDNS_x64.exeAPI coverage: 6.1 %
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6588Thread sleep count: 3590 > 30Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6592Thread sleep count: 5441 > 30Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6664Thread sleep time: -11068046444225724s >= -30000sJump to behavior
Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
Source: C:\Users\user\Desktop\anchorDNS_x64.exeCode function: 0_2_00007FF63EC3D404 FindFirstFileExW,0_2_00007FF63EC3D404
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information queried: ProcessInformationJump to behavior
Source: C:\Users\user\Desktop\anchorDNS_x64.exeCode function: 0_2_00007FF63EC359E4 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_00007FF63EC359E4
Source: C:\Users\user\Desktop\anchorDNS_x64.exeCode function: 0_2_00007FF63EC39600 GetProcessHeap,0_2_00007FF63EC39600
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: DebugJump to behavior
Source: C:\Users\user\Desktop\anchorDNS_x64.exeCode function: 0_2_00007FF63EC2A698 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,0_2_00007FF63EC2A698
Source: C:\Users\user\Desktop\anchorDNS_x64.exeCode function: 0_2_00007FF63EC359E4 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_00007FF63EC359E4
Source: C:\Users\user\Desktop\anchorDNS_x64.exeCode function: 0_2_00007FF63EC2A284 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_00007FF63EC2A284
Source: C:\Users\user\Desktop\anchorDNS_x64.exeCode function: 0_2_00007FF63EC2A274 SetUnhandledExceptionFilter,0_2_00007FF63EC2A274

HIPS / PFW / Operating System Protection Evasion:

Contains functionality to inject threads in other processes
Source: C:\Users\user\Desktop\anchorDNS_x64.exe | Code function: 0_2_00007FF63EC216CE VirtualAllocEx,WriteProcessMemory,CreateRemoteThread,CloseHandle,GetLastError,GetLastError,GetLastError,GetLastError,CloseHandle
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\timeout.exe timeout 3
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe PowerShell 'Start-Sleep 3; Remove-Item C:\Users\user\Desktop\anchorDNS_x64.exe'
Source: C:\Users\user\Desktop\anchorDNS_x64.exe | Code function: 0_2_00007FF63EC42C60 cpuid
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation (5 occurrences)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Users\user\Desktop\anchorDNS_x64.exe | Code function: 0_2_00007FF63EC03912 GetLocalTime,SystemTimeToFileTime

Mitre Att&ck Matrix

Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
Valid Accounts | Native API 1 | Create Account 1 | Access Token Manipulation 1 | Masquerading 1 | OS Credential Dumping | System Time Discovery 1 | Remote Services | Archive Collected Data 1 | Exfiltration Over Other Network Medium | Encrypted Channel 1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | Process Injection 111 | Virtualization/Sandbox Evasion 21 | LSASS Memory | Security Software Discovery 2 | Remote Desktop Protocol | Data from Removable Media | Exfiltration Over Bluetooth | Junk Data | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Access Token Manipulation 1 | Security Account Manager | Process Discovery 1 | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Steganography | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Process Injection 111 | NTDS | Virtualization/Sandbox Evasion 21 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Protocol Impersonation | SIM Card Swap | Carrier Billing Fraud |
Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Obfuscated Files or Information 1 | LSA Secrets | Application Window Discovery 1 | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | Manipulate App Store Rankings or Ratings |
Replication Through Removable Media | Launchd | Rc.common | Rc.common | Steganography | Cached Domain Credentials | File and Directory Discovery 1 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | Abuse Accessibility Features |
External Remote Services | Scheduled Task | Startup Items | Startup Items | Compile After Delivery | DCSync | System Information Discovery 22 | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | Data Encrypted for Impact |

Behavior Graph

Behavior Graph ID: 381811 | Sample: anchorDNS_x64.exe | Start date: 05/04/2021 | Architecture: WINDOWS | Score: 56

Graph contents (recovered from the rendered graph): signatures attached to the sample: Multi AV Scanner detection for submitted file, Machine Learning detection for sample. anchorDNS_x64.exe started, with the signature "Contains functionality to inject threads in other processes" attached to its process node. It started two cmd.exe instances; the first cmd.exe started conhost.exe and timeout.exe, the second cmd.exe started powershell.exe and conhost.exe.

Screenshots
