Analysis
max time kernel: 127s
max time network: 70s
platform: windows7_x64
resource: win7
submitted: 10-08-2020 11:39
Static task: static1
Behavioral task: behavioral1 (sample: ken.exe, resource: win7)
Behavioral task: behavioral2 (sample: ken.exe, resource: win10)
General
Target: ken.exe
Size: 228KB
MD5: 14e0e1a26f0e29171486cb2feb89fc3e
SHA1: cb3f2b4e3f5060088c6158f4b6c5b6d627f68a20
SHA256: c69a9adf7333a5098d91be899802e6f0e77de4d1be8d11363dccd0fc830311c5
SHA512: 12ea8bb6bdcc809a2ba46a33cb69e4535af3a5ba9750179cf1a8f050ae1e3f0ea544000d504a2318c8d22e297eaa466f7977c593f3d00ec2c24276e66abd8430
Malware Config
Extracted family: buer
https://rawcookies.ru/
https://westkingz.ru/
Signatures

Buer Loader (3 IoCs): Detects Buer loader in memory or disk.
resource | yara_rule
behavioral1/memory/1864-0-0x0000000040000000-0x000000004000C000-memory.dmp | buer
behavioral1/memory/1864-1-0x0000000040003030-mapping.dmp | buer
behavioral1/memory/1864-2-0x0000000040000000-0x000000004000C000-memory.dmp | buer
All three hits are in the memory of the second ken.exe instance (PID 1864), the process that PID 900 writes into and whose thread context it resets (see the SetThreadContext and WriteProcessMemory entries below); none are in PID 900 itself.

Executes dropped EXE (1 IoC)
pid | process
1536 | gennt.exe

Loads dropped DLL (2 IoCs)
pid | process
1864 | ken.exe
1864 | ken.exe

Suspicious use of SetThreadContext (1 IoC)
description | pid | process | target process
PID 900 set thread context of 1864 | 900 | ken.exe | ken.exe

Suspicious use of AdjustPrivilegeToken (1 IoC)
description | pid | process
Token: SeDebugPrivilege | 900 | ken.exe

Suspicious use of WriteProcessMemory (14 IoCs)
description | pid | process | target process | count
PID 900 wrote to memory of 1864 | 900 | ken.exe | ken.exe | 10 events
PID 1864 wrote to memory of 1536 | 1864 | ken.exe | gennt.exe | 4 events
Processes
1. C:\Users\Admin\AppData\Local\Temp\ken.exe
   command line: "C:\Users\Admin\AppData\Local\Temp\ken.exe"
   PID: 900
   - Suspicious use of SetThreadContext
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\ken.exe
      command line: C:\Users\Admin\AppData\Local\Temp\ken.exe
      PID: 1864
      - Loads dropped DLL
      - Suspicious use of WriteProcessMemory
      3. C:\ProgramData\442665b0da518c45c03d\gennt.exe
         command line: C:\ProgramData\442665b0da518c45c03d\gennt.exe "C:\Users\Admin\AppData\Local\Temp\ken.exe" ensgJJ
         PID: 1536
         - Executes dropped EXE

Chain as recorded: the sample (PID 900) enables SeDebugPrivilege, launches a second copy of itself (PID 1864), writes into it ten times and then resets its thread context; the Buer YARA hits are in that second copy's memory. The second copy then drops gennt.exe into C:\ProgramData\442665b0da518c45c03d\ and runs it (PID 1536), passing the original sample path and the token ensgJJ as arguments.
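The signature and process entries above are the raw sandbox output; the following is an added example (not part of this report and not the sandbox's own rule set) showing how a detection engineer would turn them into two checks: process hollowing, recognised as WriteProcessMemory events followed by SetThreadContext on the same (writer, target) pair, rather than on writes alone, and execution of a dropped .exe from a hex-named ProgramData directory. The Event schema, the event list (constructed by hand from the PIDs, image names and command lines in this report) and the hex-directory regex are this example's own assumptions, not the sandbox's export format.

```python
"""Detection logic over the behavioural events listed in this report.

Added example, not part of the sandbox report or of the Buer loader itself.
EVENTS is constructed by hand from the report's Signatures and Processes
sections (PIDs 900, 1864, 1536; images ken.exe and gennt.exe). The Event
schema and the HEX_DIR_EXE heuristic are assumptions made for this example.
"""
import re
import shlex
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Event:
    api: str                          # API or signature name
    pid: int                          # acting process
    image: str                        # acting process image name
    target_pid: Optional[int] = None
    target_image: Optional[str] = None
    detail: str = ""                  # privilege name or full command line


# Constructed from the report: 10 writes + SetThreadContext from ken.exe (900)
# into a second ken.exe (1864), then 4 writes from 1864 into gennt.exe (1536)
# around its creation, with the command line shown in the process tree.
EVENTS: List[Event] = [
    Event("AdjustPrivilegeToken", 900, "ken.exe", detail="SeDebugPrivilege"),
    *[Event("WriteProcessMemory", 900, "ken.exe", 1864, "ken.exe") for _ in range(10)],
    Event("SetThreadContext", 900, "ken.exe", 1864, "ken.exe"),
    *[Event("WriteProcessMemory", 1864, "ken.exe", 1536, "gennt.exe") for _ in range(4)],
    Event("CreateProcess", 1864, "ken.exe", 1536, "gennt.exe",
          detail=r'C:\ProgramData\442665b0da518c45c03d\gennt.exe '
                 r'"C:\Users\Admin\AppData\Local\Temp\ken.exe" ensgJJ'),
]

# Heuristic chosen for this example: an .exe launched from C:\ProgramData\<long hex name>\
HEX_DIR_EXE = re.compile(r"^C:\\ProgramData\\[0-9a-f]{16,}\\[^\\]+\.exe$", re.IGNORECASE)


def find_hollowing(events: List[Event]) -> List[dict]:
    """Pair WriteProcessMemory with SetThreadContext on the same (writer, target).

    Writes alone are noise: a parent normally touches a fresh child's memory
    while creating it (1864 -> 1536 here has writes but no context reset).
    Writes plus a thread-context reset on the same pair is the hollowing
    (RunPE) sequence, so only that pair is reported.
    """
    writes: Dict[Tuple[int, int], int] = defaultdict(int)
    images: Dict[int, str] = {}
    ctx_pairs: List[Tuple[int, int]] = []
    for e in events:
        images[e.pid] = e.image
        if e.target_pid is not None and e.target_image is not None:
            images[e.target_pid] = e.target_image
        if e.api == "WriteProcessMemory" and e.target_pid is not None:
            writes[(e.pid, e.target_pid)] += 1
        elif e.api == "SetThreadContext" and e.target_pid is not None:
            ctx_pairs.append((e.pid, e.target_pid))
    hits = []
    for src, dst in ctx_pairs:
        n = writes.get((src, dst), 0)
        if n:
            hits.append({
                "writer": src, "target": dst, "writes": n,
                # same image on both sides: the sample relaunched itself as the host
                "self_image": images.get(src) == images.get(dst),
            })
    return hits


def find_dropped_exec(events: List[Event]) -> List[Tuple[int, str, List[str]]]:
    """CreateProcess events whose image sits in a hex-named ProgramData folder.

    Returns (child pid, image path, remaining argv); argv shows that the
    dropped copy is handed the original sample's path as an argument.
    """
    out = []
    for e in events:
        if e.api != "CreateProcess":
            continue
        # posix=False keeps Windows backslashes intact; quotes are stripped afterwards
        argv = [tok.strip('"') for tok in shlex.split(e.detail, posix=False)]
        if argv and HEX_DIR_EXE.match(argv[0]):
            out.append((e.target_pid, argv[0], argv[1:]))
    return out


def has_debug_privilege(events: List[Event], pid: int) -> bool:
    """True if `pid` adjusted its token to enable SeDebugPrivilege."""
    return any(e.api == "AdjustPrivilegeToken" and e.pid == pid
               and e.detail == "SeDebugPrivilege" for e in events)


if __name__ == "__main__":
    for h in find_hollowing(EVENTS):
        print(f"hollowing: {h['writer']} -> {h['target']} ({h['writes']} writes, "
              f"self-image={h['self_image']}, "
              f"SeDebugPrivilege={has_debug_privilege(EVENTS, h['writer'])})")
    for pid, path, args in find_dropped_exec(EVENTS):
        print(f"dropped exe executed: pid {pid} {path} args={args}")
```

Run against the constructed events, find_hollowing reports exactly one pair (900 -> 1864, ten writes, same image) and not the 1864 -> 1536 writes, which is the distinction that keeps ordinary process creation out of a hollowing alert; find_dropped_exec returns the gennt.exe launch with the original ken.exe path in its arguments.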
Downloads
MD5: 14e0e1a26f0e29171486cb2feb89fc3e
SHA1: cb3f2b4e3f5060088c6158f4b6c5b6d627f68a20
SHA256: c69a9adf7333a5098d91be899802e6f0e77de4d1be8d11363dccd0fc830311c5
SHA512: 12ea8bb6bdcc809a2ba46a33cb69e4535af3a5ba9750179cf1a8f050ae1e3f0ea544000d504a2318c8d22e297eaa466f7977c593f3d00ec2c24276e66abd8430