Malware Analysis Report

2024-11-13 16:48

Sample ID: 200507-cxq7xx4yp6
Target: buer.exe
SHA256: 6728db086194c2fa6a8e17e7b13bac1f5329b501e6f93b3587416895d387d343
Tags: buer, loader, persistence
Score: 10/10

Analysis Overview

Score: 10/10

SHA256: 6728db086194c2fa6a8e17e7b13bac1f5329b501e6f93b3587416895d387d343

Threat Level: Known bad

The file buer.exe was found to be: Known bad.

Malicious Activity Summary

Tags: buer, loader, persistence

Buer

Modifies WinLogon for persistence

Buer Loader

Executes dropped EXE

Loads dropped DLL

Deletes itself

Suspicious use of SetThreadContext

Enumerates physical storage devices

NSIS installer

Suspicious behavior: MapViewOfSection

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2020-05-07 13:29

Signatures

NSIS installer (tag: installer)

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2020-05-07 13:29
Reported: 2020-05-07 13:31
Platform: win7v200430
Max time kernel: 135s
Max time network: 25s

Command Line

"C:\Users\Admin\AppData\Local\Temp\buer.exe"

Signatures

Buer (tags: loader, buer)

Modifies WinLogon for persistence (tag: persistence)

Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\ProgramData\\ErrorResponder\\errorResponder.exe\"" | C:\ProgramData\ErrorResponder\errorResponder.exe | N/A

Buer Loader

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\ProgramData\ErrorResponder\errorResponder.exe | N/A
N/A | N/A | C:\ProgramData\ErrorResponder\errorResponder.exe | N/A

Deletes itself

Description | Indicator | Process | Target
N/A | N/A | C:\ProgramData\ErrorResponder\errorResponder.exe | N/A

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 1416 set thread context of 1708 | N/A | C:\Users\Admin\AppData\Local\Temp\buer.exe | C:\Users\Admin\AppData\Local\Temp\buer.exe
PID 1796 set thread context of 1856 | N/A | C:\ProgramData\ErrorResponder\errorResponder.exe | C:\ProgramData\ErrorResponder\errorResponder.exe

Enumerates physical storage devices

NSIS installer (tag: installer)

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Suspicious behavior: MapViewOfSection

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\buer.exe | N/A
N/A | N/A | C:\ProgramData\ErrorResponder\errorResponder.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 1416 wrote to memory of 1708 | N/A | C:\Users\Admin\AppData\Local\Temp\buer.exe | C:\Users\Admin\AppData\Local\Temp\buer.exe
PID 1416 wrote to memory of 1708 | N/A | C:\Users\Admin\AppData\Local\Temp\buer.exe | C:\Users\Admin\AppData\Local\Temp\buer.exe
PID 1416 wrote to memory of 1708 | N/A | C:\Users\Admin\AppData\Local\Temp\buer.exe | C:\Users\Admin\AppData\Local\Temp\buer.exe
PID 1416 wrote to memory of 1708 | N/A | C:\Users\Admin\AppData\Local\Temp\buer.exe | C:\Users\Admin\AppData\Local\Temp\buer.exe
PID 1416 wrote to memory of 1708 | N/A | C:\Users\Admin\AppData\Local\Temp\buer.exe | C:\Users\Admin\AppData\Local\Temp\buer.exe
PID 1708 wrote to memory of 1796 | N/A | C:\Users\Admin\AppData\Local\Temp\buer.exe | C:\ProgramData\ErrorResponder\errorResponder.exe
PID 1708 wrote to memory of 1796 | N/A | C:\Users\Admin\AppData\Local\Temp\buer.exe | C:\ProgramData\ErrorResponder\errorResponder.exe
PID 1708 wrote to memory of 1796 | N/A | C:\Users\Admin\AppData\Local\Temp\buer.exe | C:\ProgramData\ErrorResponder\errorResponder.exe
PID 1708 wrote to memory of 1796 | N/A | C:\Users\Admin\AppData\Local\Temp\buer.exe | C:\ProgramData\ErrorResponder\errorResponder.exe
PID 1796 wrote to memory of 1856 | N/A | C:\ProgramData\ErrorResponder\errorResponder.exe | C:\ProgramData\ErrorResponder\errorResponder.exe
PID 1796 wrote to memory of 1856 | N/A | C:\ProgramData\ErrorResponder\errorResponder.exe | C:\ProgramData\ErrorResponder\errorResponder.exe
PID 1796 wrote to memory of 1856 | N/A | C:\ProgramData\ErrorResponder\errorResponder.exe | C:\ProgramData\ErrorResponder\errorResponder.exe
PID 1796 wrote to memory of 1856 | N/A | C:\ProgramData\ErrorResponder\errorResponder.exe | C:\ProgramData\ErrorResponder\errorResponder.exe
PID 1796 wrote to memory of 1856 | N/A | C:\ProgramData\ErrorResponder\errorResponder.exe | C:\ProgramData\ErrorResponder\errorResponder.exe
PID 1856 wrote to memory of 1760 | N/A | C:\ProgramData\ErrorResponder\errorResponder.exe | C:\Windows\SysWOW64\secinit.exe
PID 1856 wrote to memory of 1760 | N/A | C:\ProgramData\ErrorResponder\errorResponder.exe | C:\Windows\SysWOW64\secinit.exe
PID 1856 wrote to memory of 1760 | N/A | C:\ProgramData\ErrorResponder\errorResponder.exe | C:\Windows\SysWOW64\secinit.exe
PID 1856 wrote to memory of 1760 | N/A | C:\ProgramData\ErrorResponder\errorResponder.exe | C:\Windows\SysWOW64\secinit.exe

Processes

Process: C:\Users\Admin\AppData\Local\Temp\buer.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\buer.exe"

Process: C:\Users\Admin\AppData\Local\Temp\buer.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\buer.exe"

Process: C:\ProgramData\ErrorResponder\errorResponder.exe
Command line: C:\ProgramData\ErrorResponder\errorResponder.exe "C:\Users\Admin\AppData\Local\Temp\buer.exe" ensgJJ

Process: C:\ProgramData\ErrorResponder\errorResponder.exe
Command line: C:\ProgramData\ErrorResponder\errorResponder.exe "C:\Users\Admin\AppData\Local\Temp\buer.exe" ensgJJ

Process: C:\Windows\SysWOW64\secinit.exe
Command line: C:\ProgramData\ErrorResponder\errorResponder.exe

Network

N/A

Files

\Users\Admin\AppData\Local\Temp\nsgEE07.tmp\System.dll
MD5: 0063d48afe5a0cdc02833145667b6641
SHA1: e7eb614805d183ecb1127c62decb1a6be1b4f7a8
SHA256: ac9dfe3b35ea4b8932536ed7406c29a432976b685cc5322f94ef93df920fede7
SHA512: 71cbbcaeb345e09306e368717ea0503fe8df485be2e95200febc61bcd8ba74fb4211cd263c232f148c0123f6c6f2e3fd4ea20bdecc4070f5208c35c6920240f0

memory/1708-1-0x0000000040000000-0x000000004000B000-memory.dmp

memory/1708-2-0x0000000040000000-0x000000004000B000-memory.dmp

\ProgramData\ErrorResponder\errorResponder.exe
MD5: f884618092b55e3edc48096757aab143
SHA1: 0c0ad1301fc561699dba22cc779decc0df5570a1
SHA256: 6728db086194c2fa6a8e17e7b13bac1f5329b501e6f93b3587416895d387d343
SHA512: 195f4995907e34867d72778fb7e5857ea16e802376cf7ef17e2af3afa64e929bacfed4ed1b60d71a1ad8ea29e47c795c97ee7e41b6a02db59c9cc68fbb32e6ad

C:\ProgramData\ErrorResponder\errorResponder.exe
MD5: f884618092b55e3edc48096757aab143
SHA1: 0c0ad1301fc561699dba22cc779decc0df5570a1
SHA256: 6728db086194c2fa6a8e17e7b13bac1f5329b501e6f93b3587416895d387d343
SHA512: 195f4995907e34867d72778fb7e5857ea16e802376cf7ef17e2af3afa64e929bacfed4ed1b60d71a1ad8ea29e47c795c97ee7e41b6a02db59c9cc68fbb32e6ad

C:\Users\Admin\AppData\Local\Temp\146963395
MD5: 87658830198393d3f18326c271d5f28a
SHA1: 0bdcba1892842bb90535ae17348caf116456c67f
SHA256: b1a2da1bcc4f41685772dcddd75d54f496d4f9814c6b6c6860c73bcd8d6f85e9
SHA512: 2cbb3f80a55273c5285fb67c1d341bc70b9fb12c84de8e9bdd3fb7a5314ffb397473e6a7dfa51d405c3714532e52a2e323c851707376819e97b1a592237c5f96

\Users\Admin\AppData\Local\Temp\nsw1C09.tmp\System.dll
MD5: 0063d48afe5a0cdc02833145667b6641
SHA1: e7eb614805d183ecb1127c62decb1a6be1b4f7a8
SHA256: ac9dfe3b35ea4b8932536ed7406c29a432976b685cc5322f94ef93df920fede7
SHA512: 71cbbcaeb345e09306e368717ea0503fe8df485be2e95200febc61bcd8ba74fb4211cd263c232f148c0123f6c6f2e3fd4ea20bdecc4070f5208c35c6920240f0

Analysis: behavioral2

Detonation Overview

Submitted: 2020-05-07 13:29
Reported: 2020-05-07 13:31
Platform: win10v200430
Max time kernel: 136s
Max time network: 129s

Command Line

"C:\Users\Admin\AppData\Local\Temp\buer.exe"

Signatures

Loads dropped DLL

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\buer.exe | N/A

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 3848 set thread context of 1524 | N/A | C:\Users\Admin\AppData\Local\Temp\buer.exe | C:\Users\Admin\AppData\Local\Temp\buer.exe

Enumerates physical storage devices

Suspicious behavior: MapViewOfSection

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\buer.exe | N/A

Processes

Process: C:\Users\Admin\AppData\Local\Temp\buer.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\buer.exe"

Process: C:\Users\Admin\AppData\Local\Temp\buer.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\buer.exe"

Network

N/A

Files

\Users\Admin\AppData\Local\Temp\nsxE9EE.tmp\System.dll
MD5: 0063d48afe5a0cdc02833145667b6641
SHA1: e7eb614805d183ecb1127c62decb1a6be1b4f7a8
SHA256: ac9dfe3b35ea4b8932536ed7406c29a432976b685cc5322f94ef93df920fede7
SHA512: 71cbbcaeb345e09306e368717ea0503fe8df485be2e95200febc61bcd8ba74fb4211cd263c232f148c0123f6c6f2e3fd4ea20bdecc4070f5208c35c6920240f0