Analysis
-
max time kernel
141s -
max time network
144s -
platform
windows10_x64 -
resource
win10v200430 -
submitted
18-05-2020 15:42
Static task
static1
Behavioral task
behavioral1
Sample
newbuer.exe
Resource
win7v200430
Behavioral task
behavioral2
Sample
newbuer.exe
Resource
win10v200430
General
-
Target
newbuer.exe
-
Size
111KB
-
MD5
4df84f8de8a5526f119c26518b529757
-
SHA1
42d281abeb10649bff097504f20e8fc2c8e85f5c
-
SHA256
9e746625abad522321067f546c40e8b26176ef5585bf3a45cb58ff758738f68c
-
SHA512
68cd6ce9eb7f01d7e6b2b2fff6dfdf981834168cb406a7d67df1f4c9d78b36b22689b03e408e3e68faf76d3bb4b0abd109024d4e2389258ea64a89f54e4a4b88
Malware Config
Signatures
-
Modifies WinLogon for persistence 2 TTPs 1 IoCs
Processes:
networker.exedescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\ProgramData\\RedTools\\networker.exe\"" networker.exe -
Executes dropped EXE 2 IoCs
Processes:
networker.exenetworker.exepid process 2828 networker.exe 3832 networker.exe -
Deletes itself 1 IoCs
Processes:
networker.exepid process 3832 networker.exe -
Loads dropped DLL 2 IoCs
Processes:
newbuer.exenetworker.exepid process 504 newbuer.exe 2828 networker.exe -
Enumerates connected drives 3 TTPs 24 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
networker.exedescription ioc process File opened (read-only) \??\K: networker.exe File opened (read-only) \??\L: networker.exe File opened (read-only) \??\O: networker.exe File opened (read-only) \??\P: networker.exe File opened (read-only) \??\R: networker.exe File opened (read-only) \??\U: networker.exe File opened (read-only) \??\B: networker.exe File opened (read-only) \??\G: networker.exe File opened (read-only) \??\W: networker.exe File opened (read-only) \??\M: networker.exe File opened (read-only) \??\N: networker.exe File opened (read-only) \??\Q: networker.exe File opened (read-only) \??\T: networker.exe File opened (read-only) \??\Y: networker.exe File opened (read-only) \??\Z: networker.exe File opened (read-only) \??\A: networker.exe File opened (read-only) \??\I: networker.exe File opened (read-only) \??\J: networker.exe File opened (read-only) \??\V: networker.exe File opened (read-only) \??\X: networker.exe File opened (read-only) \??\F: networker.exe File opened (read-only) \??\H: networker.exe File opened (read-only) \??\E: networker.exe File opened (read-only) \??\S: networker.exe -
Suspicious use of SetThreadContext 2 IoCs
Processes:
newbuer.exenetworker.exedescription pid process target process PID 504 set thread context of 656 504 newbuer.exe newbuer.exe PID 2828 set thread context of 3832 2828 networker.exe networker.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash 1 IoCs
Processes:
WerFault.exepid pid_target process target process 304 4088 WerFault.exe secinit.exe -
NSIS installer 6 IoCs
Processes:
resource yara_rule C:\ProgramData\RedTools\networker.exe nsis_installer_1 C:\ProgramData\RedTools\networker.exe nsis_installer_2 C:\ProgramData\RedTools\networker.exe nsis_installer_1 C:\ProgramData\RedTools\networker.exe nsis_installer_2 C:\ProgramData\RedTools\networker.exe nsis_installer_1 C:\ProgramData\RedTools\networker.exe nsis_installer_2 -
Suspicious behavior: EnumeratesProcesses 15 IoCs
Processes:
networker.exeWerFault.exepid process 3832 networker.exe 3832 networker.exe 304 WerFault.exe 304 WerFault.exe 304 WerFault.exe 304 WerFault.exe 304 WerFault.exe 304 WerFault.exe 304 WerFault.exe 304 WerFault.exe 304 WerFault.exe 304 WerFault.exe 304 WerFault.exe 304 WerFault.exe 304 WerFault.exe -
Suspicious behavior: MapViewOfSection 2 IoCs
Processes:
newbuer.exenetworker.exepid process 504 newbuer.exe 2828 networker.exe -
Suspicious use of AdjustPrivilegeToken 3 IoCs
Processes:
WerFault.exedescription pid process Token: SeRestorePrivilege 304 WerFault.exe Token: SeBackupPrivilege 304 WerFault.exe Token: SeDebugPrivilege 304 WerFault.exe -
Suspicious use of WriteProcessMemory 21 IoCs
Processes:
newbuer.exenewbuer.exenetworker.exenetworker.exedescription pid process target process PID 504 wrote to memory of 656 504 newbuer.exe newbuer.exe PID 504 wrote to memory of 656 504 newbuer.exe newbuer.exe PID 504 wrote to memory of 656 504 newbuer.exe newbuer.exe PID 504 wrote to memory of 656 504 newbuer.exe newbuer.exe PID 656 wrote to memory of 2828 656 newbuer.exe networker.exe PID 656 wrote to memory of 2828 656 newbuer.exe networker.exe PID 656 wrote to memory of 2828 656 newbuer.exe networker.exe PID 2828 wrote to memory of 3832 2828 networker.exe networker.exe PID 2828 wrote to memory of 3832 2828 networker.exe networker.exe PID 2828 wrote to memory of 3832 2828 networker.exe networker.exe PID 2828 wrote to memory of 3832 2828 networker.exe networker.exe PID 3832 wrote to memory of 4088 3832 networker.exe secinit.exe PID 3832 wrote to memory of 4088 3832 networker.exe secinit.exe PID 3832 wrote to memory of 4088 3832 networker.exe secinit.exe PID 3832 wrote to memory of 4088 3832 networker.exe secinit.exe PID 3832 wrote to memory of 4088 3832 networker.exe secinit.exe PID 3832 wrote to memory of 4088 3832 networker.exe secinit.exe PID 3832 wrote to memory of 4088 3832 networker.exe secinit.exe PID 3832 wrote to memory of 4088 3832 networker.exe secinit.exe PID 3832 wrote to memory of 4088 3832 networker.exe secinit.exe PID 3832 wrote to memory of 4088 3832 networker.exe secinit.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\newbuer.exe"C:\Users\Admin\AppData\Local\Temp\newbuer.exe"1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:504 -
C:\Users\Admin\AppData\Local\Temp\newbuer.exe"C:\Users\Admin\AppData\Local\Temp\newbuer.exe"2⤵
- Suspicious use of WriteProcessMemory
PID:656 -
C:\ProgramData\RedTools\networker.exeC:\ProgramData\RedTools\networker.exe "C:\Users\Admin\AppData\Local\Temp\newbuer.exe" ensgJJ3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:2828 -
C:\ProgramData\RedTools\networker.exeC:\ProgramData\RedTools\networker.exe "C:\Users\Admin\AppData\Local\Temp\newbuer.exe" ensgJJ4⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Deletes itself
- Enumerates connected drives
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3832 -
C:\Windows\SysWOW64\secinit.exeC:\ProgramData\RedTools\networker.exe5⤵PID:4088
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4088 -s 5446⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:304
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
MD5
4df84f8de8a5526f119c26518b529757
SHA142d281abeb10649bff097504f20e8fc2c8e85f5c
SHA2569e746625abad522321067f546c40e8b26176ef5585bf3a45cb58ff758738f68c
SHA51268cd6ce9eb7f01d7e6b2b2fff6dfdf981834168cb406a7d67df1f4c9d78b36b22689b03e408e3e68faf76d3bb4b0abd109024d4e2389258ea64a89f54e4a4b88
-
MD5
4df84f8de8a5526f119c26518b529757
SHA142d281abeb10649bff097504f20e8fc2c8e85f5c
SHA2569e746625abad522321067f546c40e8b26176ef5585bf3a45cb58ff758738f68c
SHA51268cd6ce9eb7f01d7e6b2b2fff6dfdf981834168cb406a7d67df1f4c9d78b36b22689b03e408e3e68faf76d3bb4b0abd109024d4e2389258ea64a89f54e4a4b88
-
MD5
4df84f8de8a5526f119c26518b529757
SHA142d281abeb10649bff097504f20e8fc2c8e85f5c
SHA2569e746625abad522321067f546c40e8b26176ef5585bf3a45cb58ff758738f68c
SHA51268cd6ce9eb7f01d7e6b2b2fff6dfdf981834168cb406a7d67df1f4c9d78b36b22689b03e408e3e68faf76d3bb4b0abd109024d4e2389258ea64a89f54e4a4b88
-
MD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
MD5
0063d48afe5a0cdc02833145667b6641
SHA1e7eb614805d183ecb1127c62decb1a6be1b4f7a8
SHA256ac9dfe3b35ea4b8932536ed7406c29a432976b685cc5322f94ef93df920fede7
SHA51271cbbcaeb345e09306e368717ea0503fe8df485be2e95200febc61bcd8ba74fb4211cd263c232f148c0123f6c6f2e3fd4ea20bdecc4070f5208c35c6920240f0
-
MD5
0063d48afe5a0cdc02833145667b6641
SHA1e7eb614805d183ecb1127c62decb1a6be1b4f7a8
SHA256ac9dfe3b35ea4b8932536ed7406c29a432976b685cc5322f94ef93df920fede7
SHA51271cbbcaeb345e09306e368717ea0503fe8df485be2e95200febc61bcd8ba74fb4211cd263c232f148c0123f6c6f2e3fd4ea20bdecc4070f5208c35c6920240f0