Analysis Overview
SHA256
9e746625abad522321067f546c40e8b26176ef5585bf3a45cb58ff758738f68c
Threat Level: Known bad
The file newbuer.exe was found to be: Known bad.
Malicious Activity Summary
Buer
Modifies WinLogon for persistence
Buer Loader
Executes dropped EXE
Loads dropped DLL
Deletes itself
Enumerates connected drives
Suspicious use of SetThreadContext
Program crash
Enumerates physical storage devices
NSIS installer
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2020-05-18 15:42
Signatures
NSIS installer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2020-05-18 15:42
Reported
2020-05-18 15:45
Platform
win7v200430
Max time kernel
146s
Max time network
150s
Command Line
Signatures
Buer
Modifies WinLogon for persistence
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\ProgramData\\RedTools\\networker.exe\"" | C:\ProgramData\RedTools\networker.exe | N/A |
Buer Loader
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\ProgramData\RedTools\networker.exe | N/A |
| N/A | N/A | C:\ProgramData\RedTools\networker.exe | N/A |
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\ProgramData\RedTools\networker.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\newbuer.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\newbuer.exe | N/A |
| N/A | N/A | C:\ProgramData\RedTools\networker.exe | N/A |
Enumerates connected drives
| Description | Indicator | Process | Target |
| File opened (read-only) | \??\M: | C:\ProgramData\RedTools\networker.exe | N/A |
| File opened (read-only) | \??\P: | C:\ProgramData\RedTools\networker.exe | N/A |
| File opened (read-only) | \??\T: | C:\ProgramData\RedTools\networker.exe | N/A |
| File opened (read-only) | \??\U: | C:\ProgramData\RedTools\networker.exe | N/A |
| File opened (read-only) | \??\W: | C:\ProgramData\RedTools\networker.exe | N/A |
| File opened (read-only) | \??\V: | C:\ProgramData\RedTools\networker.exe | N/A |
| File opened (read-only) | \??\Y: | C:\ProgramData\RedTools\networker.exe | N/A |
| File opened (read-only) | \??\G: | C:\ProgramData\RedTools\networker.exe | N/A |
| File opened (read-only) | \??\I: | C:\ProgramData\RedTools\networker.exe | N/A |
| File opened (read-only) | \??\J: | C:\ProgramData\RedTools\networker.exe | N/A |
| File opened (read-only) | \??\L: | C:\ProgramData\RedTools\networker.exe | N/A |
| File opened (read-only) | \??\O: | C:\ProgramData\RedTools\networker.exe | N/A |
| File opened (read-only) | \??\S: | C:\ProgramData\RedTools\networker.exe | N/A |
| File opened (read-only) | \??\Z: | C:\ProgramData\RedTools\networker.exe | N/A |
| File opened (read-only) | \??\B: | C:\ProgramData\RedTools\networker.exe | N/A |
| File opened (read-only) | \??\H: | C:\ProgramData\RedTools\networker.exe | N/A |
| File opened (read-only) | \??\K: | C:\ProgramData\RedTools\networker.exe | N/A |
| File opened (read-only) | \??\Q: | C:\ProgramData\RedTools\networker.exe | N/A |
| File opened (read-only) | \??\R: | C:\ProgramData\RedTools\networker.exe | N/A |
| File opened (read-only) | \??\A: | C:\ProgramData\RedTools\networker.exe | N/A |
| File opened (read-only) | \??\E: | C:\ProgramData\RedTools\networker.exe | N/A |
| File opened (read-only) | \??\F: | C:\ProgramData\RedTools\networker.exe | N/A |
| File opened (read-only) | \??\N: | C:\ProgramData\RedTools\networker.exe | N/A |
| File opened (read-only) | \??\X: | C:\ProgramData\RedTools\networker.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 288 set thread context of 112 | N/A | C:\Users\Admin\AppData\Local\Temp\newbuer.exe | C:\Users\Admin\AppData\Local\Temp\newbuer.exe |
| PID 1836 set thread context of 1788 | N/A | C:\ProgramData\RedTools\networker.exe | C:\ProgramData\RedTools\networker.exe |
Enumerates physical storage devices
NSIS installer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\ProgramData\RedTools\networker.exe | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\newbuer.exe | N/A |
| N/A | N/A | C:\ProgramData\RedTools\networker.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\newbuer.exe
"C:\Users\Admin\AppData\Local\Temp\newbuer.exe"
C:\Users\Admin\AppData\Local\Temp\newbuer.exe
"C:\Users\Admin\AppData\Local\Temp\newbuer.exe"
C:\ProgramData\RedTools\networker.exe
C:\ProgramData\RedTools\networker.exe "C:\Users\Admin\AppData\Local\Temp\newbuer.exe" ensgJJ
C:\ProgramData\RedTools\networker.exe
C:\ProgramData\RedTools\networker.exe "C:\Users\Admin\AppData\Local\Temp\newbuer.exe" ensgJJ
C:\Windows\SysWOW64\secinit.exe
C:\ProgramData\RedTools\networker.exe
Network
| Country | Destination | Domain | Proto |
| N/A | 8.8.8.8:53 | maldivosgrant.net | udp |
| N/A | 47.241.116.77:443 | maldivosgrant.net | tcp |
| N/A | 8.8.8.8:53 | www.download.windowsupdate.com | udp |
| N/A | 47.241.116.77:443 | maldivosgrant.net | tcp |
Files
\Users\Admin\AppData\Local\Temp\nsqA39F.tmp\System.dll
| MD5 | 0063d48afe5a0cdc02833145667b6641 |
| SHA1 | e7eb614805d183ecb1127c62decb1a6be1b4f7a8 |
| SHA256 | ac9dfe3b35ea4b8932536ed7406c29a432976b685cc5322f94ef93df920fede7 |
| SHA512 | 71cbbcaeb345e09306e368717ea0503fe8df485be2e95200febc61bcd8ba74fb4211cd263c232f148c0123f6c6f2e3fd4ea20bdecc4070f5208c35c6920240f0 |
memory/112-1-0x0000000040000000-0x000000004000C000-memory.dmp
memory/112-2-0x0000000040000000-0x000000004000C000-memory.dmp
\ProgramData\RedTools\networker.exe
| MD5 | 4df84f8de8a5526f119c26518b529757 |
| SHA1 | 42d281abeb10649bff097504f20e8fc2c8e85f5c |
| SHA256 | 9e746625abad522321067f546c40e8b26176ef5585bf3a45cb58ff758738f68c |
| SHA512 | 68cd6ce9eb7f01d7e6b2b2fff6dfdf981834168cb406a7d67df1f4c9d78b36b22689b03e408e3e68faf76d3bb4b0abd109024d4e2389258ea64a89f54e4a4b88 |
C:\ProgramData\RedTools\networker.exe
| MD5 | 4df84f8de8a5526f119c26518b529757 |
| SHA1 | 42d281abeb10649bff097504f20e8fc2c8e85f5c |
| SHA256 | 9e746625abad522321067f546c40e8b26176ef5585bf3a45cb58ff758738f68c |
| SHA512 | 68cd6ce9eb7f01d7e6b2b2fff6dfdf981834168cb406a7d67df1f4c9d78b36b22689b03e408e3e68faf76d3bb4b0abd109024d4e2389258ea64a89f54e4a4b88 |
C:\ProgramData\RedTools\networker.exe
| MD5 | 4df84f8de8a5526f119c26518b529757 |
| SHA1 | 42d281abeb10649bff097504f20e8fc2c8e85f5c |
| SHA256 | 9e746625abad522321067f546c40e8b26176ef5585bf3a45cb58ff758738f68c |
| SHA512 | 68cd6ce9eb7f01d7e6b2b2fff6dfdf981834168cb406a7d67df1f4c9d78b36b22689b03e408e3e68faf76d3bb4b0abd109024d4e2389258ea64a89f54e4a4b88 |
C:\Users\Admin\AppData\Local\Temp\730984234
| MD5 | ba027a8a3a774d78ecd4919809951bfa |
| SHA1 | 1a0509011eeff5b96705f7ee330105965e6a2912 |
| SHA256 | 5eee8f9e5ca969cf58b38df6125d3666a59000f9f5ff24635e9d8b59d4debd96 |
| SHA512 | 32baa56e4935eb53a87604fdeae15d09c4da61d8d61e1429c2f63201cd6cfe194711b6690bae6984d414c71dc5917371caa5c92dc6be147e1f4d45557d06b9f8 |
\Users\Admin\AppData\Local\Temp\nsbAB1E.tmp\System.dll
| MD5 | 0063d48afe5a0cdc02833145667b6641 |
| SHA1 | e7eb614805d183ecb1127c62decb1a6be1b4f7a8 |
| SHA256 | ac9dfe3b35ea4b8932536ed7406c29a432976b685cc5322f94ef93df920fede7 |
| SHA512 | 71cbbcaeb345e09306e368717ea0503fe8df485be2e95200febc61bcd8ba74fb4211cd263c232f148c0123f6c6f2e3fd4ea20bdecc4070f5208c35c6920240f0 |
C:\ProgramData\RedTools\networker.exe
| MD5 | 4df84f8de8a5526f119c26518b529757 |
| SHA1 | 42d281abeb10649bff097504f20e8fc2c8e85f5c |
| SHA256 | 9e746625abad522321067f546c40e8b26176ef5585bf3a45cb58ff758738f68c |
| SHA512 | 68cd6ce9eb7f01d7e6b2b2fff6dfdf981834168cb406a7d67df1f4c9d78b36b22689b03e408e3e68faf76d3bb4b0abd109024d4e2389258ea64a89f54e4a4b88 |
Analysis: behavioral2
Detonation Overview
Submitted
2020-05-18 15:42
Reported
2020-05-18 15:44
Platform
win10v200430
Max time kernel
141s
Max time network
144s
Command Line
Signatures
Modifies WinLogon for persistence
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\ProgramData\\RedTools\\networker.exe\"" | C:\ProgramData\RedTools\networker.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\ProgramData\RedTools\networker.exe | N/A |
| N/A | N/A | C:\ProgramData\RedTools\networker.exe | N/A |
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\ProgramData\RedTools\networker.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\newbuer.exe | N/A |
| N/A | N/A | C:\ProgramData\RedTools\networker.exe | N/A |
Enumerates connected drives
| Description | Indicator | Process | Target |
| File opened (read-only) | \??\K: | C:\ProgramData\RedTools\networker.exe | N/A |
| File opened (read-only) | \??\L: | C:\ProgramData\RedTools\networker.exe | N/A |
| File opened (read-only) | \??\O: | C:\ProgramData\RedTools\networker.exe | N/A |
| File opened (read-only) | \??\P: | C:\ProgramData\RedTools\networker.exe | N/A |
| File opened (read-only) | \??\R: | C:\ProgramData\RedTools\networker.exe | N/A |
| File opened (read-only) | \??\U: | C:\ProgramData\RedTools\networker.exe | N/A |
| File opened (read-only) | \??\B: | C:\ProgramData\RedTools\networker.exe | N/A |
| File opened (read-only) | \??\G: | C:\ProgramData\RedTools\networker.exe | N/A |
| File opened (read-only) | \??\W: | C:\ProgramData\RedTools\networker.exe | N/A |
| File opened (read-only) | \??\M: | C:\ProgramData\RedTools\networker.exe | N/A |
| File opened (read-only) | \??\N: | C:\ProgramData\RedTools\networker.exe | N/A |
| File opened (read-only) | \??\Q: | C:\ProgramData\RedTools\networker.exe | N/A |
| File opened (read-only) | \??\T: | C:\ProgramData\RedTools\networker.exe | N/A |
| File opened (read-only) | \??\Y: | C:\ProgramData\RedTools\networker.exe | N/A |
| File opened (read-only) | \??\Z: | C:\ProgramData\RedTools\networker.exe | N/A |
| File opened (read-only) | \??\A: | C:\ProgramData\RedTools\networker.exe | N/A |
| File opened (read-only) | \??\I: | C:\ProgramData\RedTools\networker.exe | N/A |
| File opened (read-only) | \??\J: | C:\ProgramData\RedTools\networker.exe | N/A |
| File opened (read-only) | \??\V: | C:\ProgramData\RedTools\networker.exe | N/A |
| File opened (read-only) | \??\X: | C:\ProgramData\RedTools\networker.exe | N/A |
| File opened (read-only) | \??\F: | C:\ProgramData\RedTools\networker.exe | N/A |
| File opened (read-only) | \??\H: | C:\ProgramData\RedTools\networker.exe | N/A |
| File opened (read-only) | \??\E: | C:\ProgramData\RedTools\networker.exe | N/A |
| File opened (read-only) | \??\S: | C:\ProgramData\RedTools\networker.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 504 set thread context of 656 | N/A | C:\Users\Admin\AppData\Local\Temp\newbuer.exe | C:\Users\Admin\AppData\Local\Temp\newbuer.exe |
| PID 2828 set thread context of 3832 | N/A | C:\ProgramData\RedTools\networker.exe | C:\ProgramData\RedTools\networker.exe |
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\secinit.exe |
NSIS installer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\ProgramData\RedTools\networker.exe | N/A |
| N/A | N/A | C:\ProgramData\RedTools\networker.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\newbuer.exe | N/A |
| N/A | N/A | C:\ProgramData\RedTools\networker.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\newbuer.exe
"C:\Users\Admin\AppData\Local\Temp\newbuer.exe"
C:\Users\Admin\AppData\Local\Temp\newbuer.exe
"C:\Users\Admin\AppData\Local\Temp\newbuer.exe"
C:\ProgramData\RedTools\networker.exe
C:\ProgramData\RedTools\networker.exe "C:\Users\Admin\AppData\Local\Temp\newbuer.exe" ensgJJ
C:\ProgramData\RedTools\networker.exe
C:\ProgramData\RedTools\networker.exe "C:\Users\Admin\AppData\Local\Temp\newbuer.exe" ensgJJ
C:\Windows\SysWOW64\secinit.exe
C:\ProgramData\RedTools\networker.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4088 -s 544
Network
| Country | Destination | Domain | Proto |
| N/A | 8.8.8.8:53 | maldivosgrant.net | udp |
| N/A | 47.241.116.77:443 | maldivosgrant.net | tcp |
| N/A | 13.107.4.52:80 | www.msftconnecttest.com | tcp |
| N/A | 8.248.3.254:80 | ctldl.windowsupdate.com | tcp |
| N/A | 47.241.116.77:443 | maldivosgrant.net | tcp |
Files
\Users\Admin\AppData\Local\Temp\nsw74ED.tmp\System.dll
| MD5 | 0063d48afe5a0cdc02833145667b6641 |
| SHA1 | e7eb614805d183ecb1127c62decb1a6be1b4f7a8 |
| SHA256 | ac9dfe3b35ea4b8932536ed7406c29a432976b685cc5322f94ef93df920fede7 |
| SHA512 | 71cbbcaeb345e09306e368717ea0503fe8df485be2e95200febc61bcd8ba74fb4211cd263c232f148c0123f6c6f2e3fd4ea20bdecc4070f5208c35c6920240f0 |
C:\ProgramData\RedTools\networker.exe
| MD5 | 4df84f8de8a5526f119c26518b529757 |
| SHA1 | 42d281abeb10649bff097504f20e8fc2c8e85f5c |
| SHA256 | 9e746625abad522321067f546c40e8b26176ef5585bf3a45cb58ff758738f68c |
| SHA512 | 68cd6ce9eb7f01d7e6b2b2fff6dfdf981834168cb406a7d67df1f4c9d78b36b22689b03e408e3e68faf76d3bb4b0abd109024d4e2389258ea64a89f54e4a4b88 |
C:\ProgramData\RedTools\networker.exe
| MD5 | 4df84f8de8a5526f119c26518b529757 |
| SHA1 | 42d281abeb10649bff097504f20e8fc2c8e85f5c |
| SHA256 | 9e746625abad522321067f546c40e8b26176ef5585bf3a45cb58ff758738f68c |
| SHA512 | 68cd6ce9eb7f01d7e6b2b2fff6dfdf981834168cb406a7d67df1f4c9d78b36b22689b03e408e3e68faf76d3bb4b0abd109024d4e2389258ea64a89f54e4a4b88 |
C:\Users\Admin\AppData\Local\Temp\730984234
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
\Users\Admin\AppData\Local\Temp\nsq7C0D.tmp\System.dll
| MD5 | 0063d48afe5a0cdc02833145667b6641 |
| SHA1 | e7eb614805d183ecb1127c62decb1a6be1b4f7a8 |
| SHA256 | ac9dfe3b35ea4b8932536ed7406c29a432976b685cc5322f94ef93df920fede7 |
| SHA512 | 71cbbcaeb345e09306e368717ea0503fe8df485be2e95200febc61bcd8ba74fb4211cd263c232f148c0123f6c6f2e3fd4ea20bdecc4070f5208c35c6920240f0 |
C:\ProgramData\RedTools\networker.exe
| MD5 | 4df84f8de8a5526f119c26518b529757 |
| SHA1 | 42d281abeb10649bff097504f20e8fc2c8e85f5c |
| SHA256 | 9e746625abad522321067f546c40e8b26176ef5585bf3a45cb58ff758738f68c |
| SHA512 | 68cd6ce9eb7f01d7e6b2b2fff6dfdf981834168cb406a7d67df1f4c9d78b36b22689b03e408e3e68faf76d3bb4b0abd109024d4e2389258ea64a89f54e4a4b88 |
memory/304-6-0x00000000042A0000-0x00000000042A1000-memory.dmp
memory/304-7-0x0000000004C10000-0x0000000004C11000-memory.dmp