Analysis
-
max time kernel
1762s -
max time network
1767s -
platform
windows7_x64 -
resource
win7 -
submitted
14-07-2020 20:52
General
-
Target
Doc-Print.exe
-
Size
368KB
-
MD5
fcc9314bc996fa04721aa469e1d982df
-
SHA1
c306f42bd091c86328651e30c15ac49a7ebb02c4
-
SHA256
e4817740d78a5543811272a0b6de0a226594c84b2801926b53ced825f68bd529
-
SHA512
fac82d815108b111b3a63063e757c2d5ed367e3a94dbe3dc3af252f8c1968aead07df32405f3f16012b13b203f264d764666b49ac192daa98334a3c3be32c0f3
Malware Config
Extracted
buer
https://162.244.81.87/
http://162.244.81.87:8080/
Extracted
metasploit
windows/download_exec
http://31.14.40.55:80/YRDm
- headers User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; qdesk 2.4.1263.203; Windows NT 6.1; WOW64; Trident/5.0)
Signatures
-
Buer
Buer is a new modular loader first seen in August 2019.
-
MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
-
Modifies WinLogon for persistence 2 TTPs 1 IoCs
-
Buer Loader 2 IoCs
Detects Buer loader in memory or disk.
-
Executes dropped EXE 1 IoCs
-
Deletes itself 1 IoCs
-
Loads dropped DLL 3 IoCs
-
Enumerates connected drives 3 TTPs 24 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 6 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of SetWindowsHookEx 4 IoCs
-
Suspicious use of WriteProcessMemory 30 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\Doc-Print.exe"C:\Users\Admin\AppData\Local\Temp\Doc-Print.exe"1⤵
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\ProgramData\201d0b90eb65c4e04a98\gennt.exeC:\ProgramData\201d0b90eb65c4e04a98\gennt.exe "C:\Users\Admin\AppData\Local\Temp\Doc-Print.exe" ensgJJ2⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Deletes itself
- Enumerates connected drives
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\secinit.exeC:\ProgramData\201d0b90eb65c4e04a98\gennt.exe3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1868 -s 1964⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" powershell.exe -Command "& {Add-MpPreference -ExclusionPath C:\ProgramData\201d0b90eb65c4e04a98}"3⤵
-
-
C:\Windows\SysWOW64\regsvr32.exe"C:\Windows\System32\regsvr32.exe" "C:\ProgramData\201d0b90eb65c4e04a98\vemyonacsi.dll"3⤵
- Loads dropped DLL
-
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
48KB
-
Filesize
4KB
-
Filesize
44KB
-
Filesize
36KB
-
Filesize
48KB
-
Filesize
68KB
-
Filesize
68KB