Analysis

  • max time kernel
    138s
  • max time network
    143s
  • platform
    windows10_x64
  • resource
    win10v200430
  • submitted
    08-07-2020 15:40

General

  • Target

    DocumentPreview.exe

  • Size

    146KB

  • MD5

    db3c2530d727bac602e6c41cb3e60562

  • SHA1

    0d62d5a5fba84c1e826591f27892466a1cd59257

  • SHA256

    e212e5bc428a0bca4615205f07c10d4e57dc881a2f32a9b8aeec040169435aa1

  • SHA512

    03e25d32a262c88ec2cf9303b7835da93b321a1d2a092531c96df8d95065944250f63c075792ca72b6d2a12d60c492782ba516712fbca0bf3b0239477b6b06e8

Score
10/10

Malware Config

Extracted

Family

buer

C2

https://162.244.81.87/

http://162.244.81.87:8080/

Signatures

  • Buer

    Buer is a new modular loader first seen in August 2019.

  • Modifies WinLogon for persistence 2 TTPs 1 IoCs
  • Buer Loader 1 IoCs

    Detects Buer loader in memory or disk.

  • Executes dropped EXE 1 IoCs
  • Deletes itself 1 IoCs
  • Enumerates connected drives 3 TTPs 24 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Program crash 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 15 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 16 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\DocumentPreview.exe
    "C:\Users\Admin\AppData\Local\Temp\DocumentPreview.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2904
    • C:\ProgramData\ae99cb89d6941a0b3431\gennt.exe
      C:\ProgramData\ae99cb89d6941a0b3431\gennt.exe "C:\Users\Admin\AppData\Local\Temp\DocumentPreview.exe" ensgJJ
      2⤵
      • Modifies WinLogon for persistence
      • Executes dropped EXE
      • Deletes itself
      • Enumerates connected drives
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:3720
      • C:\Windows\SysWOW64\secinit.exe
        C:\ProgramData\ae99cb89d6941a0b3431\gennt.exe
        3⤵
          PID:4000
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -u -p 4000 -s 352
            4⤵
            • Program crash
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:3912
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\System32\cmd.exe" powershell.exe -Command "& {Add-MpPreference -ExclusionPath C:\ProgramData\ae99cb89d6941a0b3431}"
          3⤵
            PID:3740

      Network

      MITRE ATT&CK Enterprise v6

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • memory/2904-0-0x00000000001D0000-0x00000000001DC000-memory.dmp

        Filesize

        48KB

      • memory/3912-12-0x0000000004C30000-0x0000000004C31000-memory.dmp

        Filesize

        4KB

      • memory/3912-6-0x00000000043C0000-0x00000000043C1000-memory.dmp

        Filesize

        4KB