Analysis
- max time kernel: 132s
- max time network: 137s
- platform: windows7_x64
- resource: win7
- submitted: 16-09-2020 16:43
- Static task: static1
- Behavioral task: behavioral1
- Sample: 17147bfbf7936c807449340f3cbcaf49f16e905d8f768b16f8c2e628bf49a894.exe
- Resource: win7
General
- Target: 17147bfbf7936c807449340f3cbcaf49f16e905d8f768b16f8c2e628bf49a894.exe
- Size: 384KB
- MD5: a81d104e7bb627a4d3a0f0b823e17581
- SHA1: ddc6f577463ff140e525cf7f4a4f083406acd1f4
- SHA256: 17147bfbf7936c807449340f3cbcaf49f16e905d8f768b16f8c2e628bf49a894
- SHA512: 18bc43f92dd794655a26529634f3683d183c2b130b4ced99a276f389c0e3f3c6f03763c5681ec4c80744dda0699d63919d25333f56295729733a2b09b5283b32
Malware Config
- Extracted: buer
- URL: https://kackdelar.top/
Signatures
- Buer Loader (3 IoCs)
  Detects Buer loader in memory or disk.
  Processes:
  resource | yara_rule
  behavioral1/memory/2024-9-0x0000000040000000-0x000000004000C000-memory.dmp | buer
  behavioral1/memory/2024-10-0x0000000040002E38-mapping.dmp | buer
  behavioral1/memory/2024-11-0x0000000040000000-0x000000004000C000-memory.dmp | buer
- Suspicious use of SetThreadContext (1 IoCs)
  Processes:
  description | pid | process | target process
  PID 1460 set thread context of 2024 | 1460 | 17147bfbf7936c807449340f3cbcaf49f16e905d8f768b16f8c2e628bf49a894.exe | 17147bfbf7936c807449340f3cbcaf49f16e905d8f768b16f8c2e628bf49a894.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Creates scheduled task(s) (1 TTPs, 1 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
- Suspicious behavior: EnumeratesProcesses (4 IoCs)
  Processes:
  pid | process
  1460 | 17147bfbf7936c807449340f3cbcaf49f16e905d8f768b16f8c2e628bf49a894.exe
  1460 | 17147bfbf7936c807449340f3cbcaf49f16e905d8f768b16f8c2e628bf49a894.exe
  1180 | powershell.exe
  1180 | powershell.exe
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes:
  description | pid | process
  Token: SeDebugPrivilege | 1460 | 17147bfbf7936c807449340f3cbcaf49f16e905d8f768b16f8c2e628bf49a894.exe
  Token: SeDebugPrivilege | 1180 | powershell.exe
- Suspicious use of WriteProcessMemory (18 IoCs)
  Processes:
  description | pid | process | target process
  PID 1460 wrote to memory of 1932 | 1460 | 17147bfbf7936c807449340f3cbcaf49f16e905d8f768b16f8c2e628bf49a894.exe | schtasks.exe
  PID 1460 wrote to memory of 1932 | 1460 | 17147bfbf7936c807449340f3cbcaf49f16e905d8f768b16f8c2e628bf49a894.exe | schtasks.exe
  PID 1460 wrote to memory of 1932 | 1460 | 17147bfbf7936c807449340f3cbcaf49f16e905d8f768b16f8c2e628bf49a894.exe | schtasks.exe
  PID 1460 wrote to memory of 1932 | 1460 | 17147bfbf7936c807449340f3cbcaf49f16e905d8f768b16f8c2e628bf49a894.exe | schtasks.exe
  PID 1460 wrote to memory of 2024 | 1460 | 17147bfbf7936c807449340f3cbcaf49f16e905d8f768b16f8c2e628bf49a894.exe | 17147bfbf7936c807449340f3cbcaf49f16e905d8f768b16f8c2e628bf49a894.exe
  PID 1460 wrote to memory of 2024 | 1460 | 17147bfbf7936c807449340f3cbcaf49f16e905d8f768b16f8c2e628bf49a894.exe | 17147bfbf7936c807449340f3cbcaf49f16e905d8f768b16f8c2e628bf49a894.exe
  PID 1460 wrote to memory of 2024 | 1460 | 17147bfbf7936c807449340f3cbcaf49f16e905d8f768b16f8c2e628bf49a894.exe | 17147bfbf7936c807449340f3cbcaf49f16e905d8f768b16f8c2e628bf49a894.exe
  PID 1460 wrote to memory of 2024 | 1460 | 17147bfbf7936c807449340f3cbcaf49f16e905d8f768b16f8c2e628bf49a894.exe | 17147bfbf7936c807449340f3cbcaf49f16e905d8f768b16f8c2e628bf49a894.exe
  PID 1460 wrote to memory of 2024 | 1460 | 17147bfbf7936c807449340f3cbcaf49f16e905d8f768b16f8c2e628bf49a894.exe | 17147bfbf7936c807449340f3cbcaf49f16e905d8f768b16f8c2e628bf49a894.exe
  PID 1460 wrote to memory of 2024 | 1460 | 17147bfbf7936c807449340f3cbcaf49f16e905d8f768b16f8c2e628bf49a894.exe | 17147bfbf7936c807449340f3cbcaf49f16e905d8f768b16f8c2e628bf49a894.exe
  PID 1460 wrote to memory of 2024 | 1460 | 17147bfbf7936c807449340f3cbcaf49f16e905d8f768b16f8c2e628bf49a894.exe | 17147bfbf7936c807449340f3cbcaf49f16e905d8f768b16f8c2e628bf49a894.exe
  PID 1460 wrote to memory of 2024 | 1460 | 17147bfbf7936c807449340f3cbcaf49f16e905d8f768b16f8c2e628bf49a894.exe | 17147bfbf7936c807449340f3cbcaf49f16e905d8f768b16f8c2e628bf49a894.exe
  PID 1460 wrote to memory of 2024 | 1460 | 17147bfbf7936c807449340f3cbcaf49f16e905d8f768b16f8c2e628bf49a894.exe | 17147bfbf7936c807449340f3cbcaf49f16e905d8f768b16f8c2e628bf49a894.exe
  PID 1460 wrote to memory of 2024 | 1460 | 17147bfbf7936c807449340f3cbcaf49f16e905d8f768b16f8c2e628bf49a894.exe | 17147bfbf7936c807449340f3cbcaf49f16e905d8f768b16f8c2e628bf49a894.exe
  PID 2024 wrote to memory of 1180 | 2024 | 17147bfbf7936c807449340f3cbcaf49f16e905d8f768b16f8c2e628bf49a894.exe | powershell.exe
  PID 2024 wrote to memory of 1180 | 2024 | 17147bfbf7936c807449340f3cbcaf49f16e905d8f768b16f8c2e628bf49a894.exe | powershell.exe
  PID 2024 wrote to memory of 1180 | 2024 | 17147bfbf7936c807449340f3cbcaf49f16e905d8f768b16f8c2e628bf49a894.exe | powershell.exe
  PID 2024 wrote to memory of 1180 | 2024 | 17147bfbf7936c807449340f3cbcaf49f16e905d8f768b16f8c2e628bf49a894.exe | powershell.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\17147bfbf7936c807449340f3cbcaf49f16e905d8f768b16f8c2e628bf49a894.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\17147bfbf7936c807449340f3cbcaf49f16e905d8f768b16f8c2e628bf49a894.exe"
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 1460
  - C:\Windows\SysWOW64\schtasks.exe (depth 2)
    Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\KUCeBegeqW" /XML "C:\Users\Admin\AppData\Local\Temp\tmpB126.tmp"
    - Creates scheduled task(s)
    PID: 1932
  - C:\Users\Admin\AppData\Local\Temp\17147bfbf7936c807449340f3cbcaf49f16e905d8f768b16f8c2e628bf49a894.exe (depth 2)
    Command line: "{path}"
    - Suspicious use of WriteProcessMemory
    PID: 2024
    - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (depth 3)
      Command line: powershell.exe -Command "& {Add-MpPreference -ExclusionPath C:\ProgramData\f6b190b6b4b042caa860}"
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      PID: 1180
Network
MITRE ATT&CK Enterprise v6
Downloads
- MD5: 68779782e7715ffd0e4a08282565623d
- SHA1: 1f5577b4153635066ed57a6f0c8e5fbe2cd60c95
- SHA256: 5e44df19209cafbb129c5bebf50c020893377b61163231a8622e71fdcb39558d
- SHA512: 8da7aa5777f3994f208052f3b6e36db4b6fb5987538753684dcf2b7c1e65b3578944ac5842f7c229e19b1f07902b48058b8ac0521d5ac7ec20aed36310c95192