Analysis

  • max time kernel
    123s
  • max time network
    150s
  • platform
    windows10_x64
  • resource
    win10v200722
  • submitted
    11-08-2020 15:48

General

  • Target

    Electronic_Tracking_INV_#9836582365728523752.exe

  • Size

    245KB

  • MD5

    64f86981c7450dfd2c3915f213fc6720

  • SHA1

    5410d0e8569f0936b32de3199e8a187d6227fc1f

  • SHA256

    a1bdc2ca2e359ac7d5c26afb3cd89bb39285b8a8acc5876e691ceb4ba807b704

  • SHA512

    02e9e2e41a96a4e0279de44c5cdd7c18a4d08966e0e2ba9979d929f0fa5a902db1ceb3f2eb8a73d97725eed917f9e57d11999a0218f3f286908bf7e731931b22

Score
10/10

Malware Config

Extracted

Family

buer

C2

https://specialhosting.ga/

Signatures

  • Buer

    Buer is a new modular loader first seen in August 2019.

  • Modifies WinLogon for persistence 2 TTPs 1 IoCs
  • Buer Loader 6 IoCs

    Detects the Buer loader in memory or on disk.

  • Executes dropped EXE 2 IoCs
  • Deletes itself 1 IoCs
  • Suspicious use of SetThreadContext 2 IoCs
  • Program crash 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 13 IoCs
  • Suspicious behavior: MapViewOfSection 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 22 IoCs
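The two persistence-related signatures above (the Winlogon modification and the copy staged under C:\ProgramData\<hex>\gennt.exe) translate directly into host checks. The following Python is an added example, not part of the sandbox report or of any tool the report describes. It uses only the standard library; the registry values and file bytes it checks are constructed inline so the logic runs offline, and only collect_from_host() reads a live Windows machine. Two things are assumptions: the "16 or more hex characters" shape of the staging directory name is generalised from the single name on this page, and because the report does not say which Winlogon value was changed, the modified Shell value in the constructed data is hypothetical.

```python
r"""Host checks for the two artefacts flagged above: the Winlogon change and
the copy staged under C:\ProgramData\<hex>\.

Added example, not part of the sandbox report. Registry values and file bytes
below are constructed so the checks run offline; collect_from_host() is the
only function that touches a real Windows host. The staging-directory pattern
and the modified Shell value are assumptions, not facts from the report.
"""
import hashlib
import re

WINLOGON_KEY = r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"

# Stock Windows 10 values. Winlogon runs whatever these name at logon, which
# is why loaders rewrite them for persistence.
WINLOGON_DEFAULTS = {
    "Shell": "explorer.exe",
    "Userinit": r"C:\Windows\system32\userinit.exe,",
}

# SHA256 of the sample on this page; the dropped gennt.exe is a byte-identical copy.
SAMPLE_SHA256 = "a1bdc2ca2e359ac7d5c26afb3cd89bb39285b8a8acc5876e691ceb4ba807b704"

# Assumed shape of the staging directory name (the page shows 7d88e65552dcd26d37bf).
STAGING_DIR_RE = re.compile(r"^[0-9a-f]{16,}$")


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def winlogon_findings(values):
    """values: {name: observed_string}. Returns (name, observed) for any deviation."""
    out = []
    for name, default in WINLOGON_DEFAULTS.items():
        observed = values.get(name, "")
        if observed.strip().lower() != default.lower():
            out.append((name, observed))
    return out


def is_staging_dir(path):
    r"""True for <drive>\ProgramData\<hex>\... paths."""
    parts = [p for p in re.split(r"[\\/]+", path) if p]
    return (len(parts) >= 3 and parts[1].lower() == "programdata"
            and STAGING_DIR_RE.match(parts[2]) is not None)


def dropped_copy_findings(files, known=frozenset({SAMPLE_SHA256})):
    """files: iterable of (path, bytes). A hash match beats the weaker path heuristic."""
    out = []
    for path, data in files:
        if sha256_hex(data) in known:
            out.append(("hash-match", path))
        elif is_staging_dir(path) and path.lower().endswith(".exe"):
            out.append(("staged-exe", path))
    return out


# Constructed stand-ins; the real dropped bytes are not on the page.
CONSTRUCTED_VALUES = {
    "Shell": r"explorer.exe,C:\ProgramData\7d88e65552dcd26d37bf\gennt.exe",  # hypothetical
    "Userinit": r"C:\Windows\system32\userinit.exe,",
}
CONSTRUCTED_FILES = [
    (r"C:\ProgramData\7d88e65552dcd26d37bf\gennt.exe", b"MZ constructed stand-in, not the real sample"),
    (r"C:\ProgramData\Microsoft\Windows\Caches\cache.dat", b"benign"),
]


def collect_from_host():
    """Read live values; winreg is Windows-only, hence the local import."""
    import os
    import winreg
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, WINLOGON_KEY) as key:
        values = {n: winreg.QueryValueEx(key, n)[0] for n in WINLOGON_DEFAULTS}
    files = []
    root = os.environ.get("ProgramData", r"C:\ProgramData")
    for d in os.listdir(root):
        full = os.path.join(root, d)
        if os.path.isdir(full) and STAGING_DIR_RE.match(d):
            for name in os.listdir(full):
                p = os.path.join(full, name)
                if os.path.isfile(p):
                    with open(p, "rb") as fh:
                        files.append((p, fh.read()))
    return values, files


if __name__ == "__main__":
    values, files = collect_from_host()
    for finding in winlogon_findings(values) + dropped_copy_findings(files):
        print(*finding)
```

Run it as Administrator on the suspect host so the ProgramData subdirectories are readable. The hash comparison is exact, so it only catches this build; the staging-directory check is the one that survives a recompiled sample, at the cost of needing a manual look at whatever it flags.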

Processes

  • C:\Users\Admin\AppData\Local\Temp\Electronic_Tracking_INV_#9836582365728523752.exe
    "C:\Users\Admin\AppData\Local\Temp\Electronic_Tracking_INV_#9836582365728523752.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious behavior: MapViewOfSection
    • Suspicious use of WriteProcessMemory
    PID:3908
    • C:\Users\Admin\AppData\Local\Temp\electronic_tracking_inv_#9836582365728523752.exe
      "C:\Users\Admin\AppData\Local\Temp\Electronic_Tracking_INV_#9836582365728523752.exe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3704
      • C:\ProgramData\7d88e65552dcd26d37bf\gennt.exe
        C:\ProgramData\7d88e65552dcd26d37bf\gennt.exe "C:\Users\Admin\AppData\Local\Temp\electronic_tracking_inv_#9836582365728523752.exe" ensgJJ
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of WriteProcessMemory
        PID:2420
        • C:\ProgramData\7d88e65552dcd26d37bf\gennt.exe
          C:\ProgramData\7d88e65552dcd26d37bf\gennt.exe "C:\Users\Admin\AppData\Local\Temp\electronic_tracking_inv_#9836582365728523752.exe" ensgJJ
          4⤵
          • Modifies WinLogon for persistence
          • Executes dropped EXE
          • Deletes itself
          • Suspicious use of WriteProcessMemory
          PID:2856
          • C:\Windows\SysWOW64\secinit.exe
            C:\ProgramData\7d88e65552dcd26d37bf\gennt.exe
            5⤵
              PID:2568
              • C:\Windows\SysWOW64\WerFault.exe
                C:\Windows\SysWOW64\WerFault.exe -u -p 2568 -s 332
                6⤵
                • Program crash
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of AdjustPrivilegeToken
                PID:3820
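The tree above shows the loader's injection pattern twice: a process starts a second copy of its own image and uses SetThreadContext, MapViewOfSection and WriteProcessMemory on it (3908 into 3704, then 2420 into 2856), after which a legitimate Windows binary (secinit.exe, PID 2568) runs with gennt.exe's command line and crashes into WerFault. The following Python is an added example, not part of the sandbox report, that turns those three tells into detection logic over process records. The record schema (pid, ppid, image, cmdline, apis) is assumed, not a real sandbox export; the events are transcribed by hand from this page's tree.

```python
"""Hollowing/injection heuristics over a process tree like the one above.

Added example, not part of the sandbox report. The event records below are
transcribed by hand from this page's process tree into an assumed schema
(pid, ppid, image, cmdline, apis); no sandbox exports exactly this shape.
"""
import ntpath
import re
from dataclasses import dataclass, field

# The trio used here: create a process, overwrite its memory, then redirect
# the primary thread into the written payload.
HOLLOW_APIS = {"SetThreadContext", "WriteProcessMemory", "MapViewOfSection"}


@dataclass
class ProcEvent:
    pid: int
    ppid: int          # 0 when the parent is outside the capture
    image: str         # image path the sandbox recorded for the process
    cmdline: str       # command line the process was created with
    apis: set = field(default_factory=set)  # suspicious API use attributed to this pid


def _base(path):
    return ntpath.basename(path).lower()


def _exe_from_cmdline(cmdline):
    """Program named in a command line: first quoted token, else first bare token.
    (Bare paths containing spaces are not handled; none appear in this tree.)"""
    m = re.match(r'\s*"([^"]+)"|\s*(\S+)', cmdline)
    return _base(m.group(1) or m.group(2)) if m else ""


def hollowing_findings(events):
    """Return (tell, pid, detail) tuples; an empty list means no tell fired."""
    by_pid = {e.pid: e for e in events}
    findings = []
    for e in events:
        parent = by_pid.get(e.ppid)
        # Tell 1: a parent spawns its own image and uses the hollowing trio on it.
        if parent and _base(parent.image) == _base(e.image) and HOLLOW_APIS <= parent.apis:
            findings.append(("self-hollow", parent.pid, e.pid))
        # Tell 2: the recorded image path disagrees with the program the command
        # line names (secinit.exe started "as" gennt.exe in the tree above).
        named = _exe_from_cmdline(e.cmdline)
        if named and named != _base(e.image):
            findings.append(("image-cmdline-mismatch", e.pid, named))
        # Tell 3: WerFault -p <pid> identifies the crashing process; joining that
        # pid back to tell 2 shows the crash happened inside the injected host.
        if _base(e.image) == "werfault.exe":
            m = re.search(r"-p\s+(\d+)", e.cmdline)
            if m and int(m.group(1)) in by_pid:
                findings.append(("crash-of", e.pid, int(m.group(1))))
    return findings


_TMP = r"C:\Users\Admin\AppData\Local\Temp"
_DROP = r"C:\ProgramData\7d88e65552dcd26d37bf\gennt.exe"
_SAMPLE = _TMP + r"\Electronic_Tracking_INV_#9836582365728523752.exe"
_SAMPLE_LC = _TMP + r"\electronic_tracking_inv_#9836582365728523752.exe"

# Transcribed from the process tree on this page (constructed records).
REPORT_EVENTS = [
    ProcEvent(3908, 0, _SAMPLE, f'"{_SAMPLE}"', HOLLOW_APIS.copy()),
    ProcEvent(3704, 3908, _SAMPLE_LC, f'"{_SAMPLE}"', {"WriteProcessMemory"}),
    ProcEvent(2420, 3704, _DROP, f'{_DROP} "{_SAMPLE_LC}" ensgJJ', HOLLOW_APIS.copy()),
    ProcEvent(2856, 2420, _DROP, f'{_DROP} "{_SAMPLE_LC}" ensgJJ', {"WriteProcessMemory"}),
    ProcEvent(2568, 2856, r"C:\Windows\SysWOW64\secinit.exe", _DROP),
    ProcEvent(3820, 2568, r"C:\Windows\SysWOW64\WerFault.exe",
              r"C:\Windows\SysWOW64\WerFault.exe -u -p 2568 -s 332"),
]

if __name__ == "__main__":
    for f in hollowing_findings(REPORT_EVENTS):
        print(*f)
```

Tell 1 on its own is noisy for installers and updaters that legitimately relaunch themselves, which is why it is gated on the API trio rather than on the self-spawn alone; tell 2 is the stronger signal and is what an EDR process-creation event with both ImagePath and CommandLine lets you check without any API telemetry.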

    Network

    MITRE ATT&CK Enterprise v6

    Downloads

    • C:\ProgramData\7d88e65552dcd26d37bf\gennt.exe

      MD5

      64f86981c7450dfd2c3915f213fc6720

      SHA1

      5410d0e8569f0936b32de3199e8a187d6227fc1f

      SHA256

      a1bdc2ca2e359ac7d5c26afb3cd89bb39285b8a8acc5876e691ceb4ba807b704

      SHA512

      02e9e2e41a96a4e0279de44c5cdd7c18a4d08966e0e2ba9979d929f0fa5a902db1ceb3f2eb8a73d97725eed917f9e57d11999a0218f3f286908bf7e731931b22

    • memory/2420-8-0x00000000005D0000-0x00000000005DF000-memory.dmp

      Filesize

      60KB

    • memory/2420-5-0x0000000000000000-mapping.dmp

    • memory/2568-16-0x0000000000000000-mapping.dmp

    • memory/2568-14-0x0000000000000000-mapping.dmp

    • memory/2568-17-0x0000000000000000-mapping.dmp

    • memory/2568-18-0x0000000000000000-mapping.dmp

    • memory/2568-19-0x0000000000000000-mapping.dmp

    • memory/2568-20-0x0000000000000000-mapping.dmp

    • memory/2856-10-0x000000004000303B-mapping.dmp

    • memory/3704-4-0x0000000040000000-0x000000004000C000-memory.dmp

      Filesize

      48KB

    • memory/3704-2-0x000000004000303B-mapping.dmp

    • memory/3704-1-0x0000000040000000-0x000000004000C000-memory.dmp

      Filesize

      48KB

    • memory/3820-15-0x0000000004790000-0x0000000004791000-memory.dmp

      Filesize

      4KB

    • memory/3820-21-0x0000000004F60000-0x0000000004F61000-memory.dmp

      Filesize

      4KB

    • memory/3908-0-0x0000000000F70000-0x0000000000F7F000-memory.dmp

      Filesize

      60KB