Overview

overview

10

Static

static

17147bfbf7...94.exe

windows7_x64

10

17147bfbf7...94.exe

windows10_x64

10

Analysis

  • max time kernel
    148s
  • max time network
    152s
  • platform
    windows10_x64
  • resource
    win10v200722
  • submitted
    16-09-2020 16:43

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    17147bfbf7936c807449340f3cbcaf49f16e905d8f768b16f8c2e628bf49a894.exe

  • Size

    384KB

  • MD5

    a81d104e7bb627a4d3a0f0b823e17581

  • SHA1

    ddc6f577463ff140e525cf7f4a4f083406acd1f4

  • SHA256

    17147bfbf7936c807449340f3cbcaf49f16e905d8f768b16f8c2e628bf49a894

  • SHA512

    18bc43f92dd794655a26529634f3683d183c2b130b4ced99a276f389c0e3f3c6f03763c5681ec4c80744dda0699d63919d25333f56295729733a2b09b5283b32

Score
10/10
buerloader

Malware Config

Extracted

Family

buer

C2

https://kackdelar.top/

Signatures

  • Buer

    Buer is a new modular loader first seen in August 2019.

    loaderbuer
  • Buer Loader 3 IoCs

    Detects Buer loader in memory or disk.

  • Enumerates connected drives 3 TTPs 24 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\17147bfbf7936c807449340f3cbcaf49f16e905d8f768b16f8c2e628bf49a894.exe
    "C:\Users\Admin\AppData\Local\Temp\17147bfbf7936c807449340f3cbcaf49f16e905d8f768b16f8c2e628bf49a894.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3816
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\KUCeBegeqW" /XML "C:\Users\Admin\AppData\Local\Temp\tmp11D3.tmp"
      2⤵
      • Creates scheduled task(s)
      PID:3980
    • C:\Users\Admin\AppData\Local\Temp\17147bfbf7936c807449340f3cbcaf49f16e905d8f768b16f8c2e628bf49a894.exe
      "{path}"
      2⤵
      • Enumerates connected drives
      • Suspicious use of WriteProcessMemory
      PID:3372
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        powershell.exe -Command "& {Add-MpPreference -ExclusionPath C:\ProgramData\8368fc09951cc8b0734c}"
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:408

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/408-26-0x0000000007D60000-0x0000000007D61000-memory.dmp

    Filesize

    4KB

    Download

  • memory/408-25-0x0000000006E20000-0x0000000006E21000-memory.dmp

    Filesize

    4KB

    Download

  • memory/408-39-0x0000000008FB0000-0x0000000008FB1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/408-38-0x0000000009010000-0x0000000009011000-memory.dmp

    Filesize

    4KB

    Download

  • memory/408-37-0x0000000008E40000-0x0000000008E41000-memory.dmp

    Filesize

    4KB

    Download

  • memory/408-36-0x0000000008CD0000-0x0000000008CD1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/408-29-0x0000000008CF0000-0x0000000008D23000-memory.dmp

    Filesize

    204KB

    Download

  • memory/408-27-0x0000000007DB0000-0x0000000007DB1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/408-18-0x0000000073960000-0x000000007404E000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/408-24-0x00000000076E0000-0x00000000076E1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/408-23-0x0000000007490000-0x0000000007491000-memory.dmp

    Filesize

    4KB

    Download

  • memory/408-21-0x0000000006C90000-0x0000000006C91000-memory.dmp

    Filesize

    4KB

    Download

  • memory/408-20-0x0000000006E60000-0x0000000006E61000-memory.dmp

    Filesize

    4KB

    Download

  • memory/408-19-0x00000000010E0000-0x00000000010E1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/408-41-0x0000000008FA0000-0x0000000008FA1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3372-14-0x0000000040000000-0x000000004000C000-memory.dmp

    Filesize

    48KB

    Download

  • memory/3372-16-0x0000000040000000-0x000000004000C000-memory.dmp

    Filesize

    48KB

    Download

  • memory/3816-9-0x0000000007DD0000-0x0000000007E27000-memory.dmp

    Filesize

    348KB

    Download

  • memory/3816-1-0x0000000000C90000-0x0000000000C91000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3816-3-0x0000000005980000-0x0000000005981000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3816-0-0x00000000738E0000-0x0000000073FCE000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/3816-10-0x0000000007ED0000-0x0000000007ED1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3816-11-0x0000000004FE0000-0x0000000005015000-memory.dmp

    Filesize

    212KB

    Download

  • memory/3816-8-0x0000000007950000-0x0000000007951000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3816-7-0x0000000005910000-0x0000000005913000-memory.dmp

    Filesize

    12KB

    Download

  • memory/3816-6-0x0000000005730000-0x0000000005731000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3816-5-0x0000000005520000-0x0000000005521000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3816-4-0x0000000005560000-0x0000000005561000-memory.dmp

    Filesize

    4KB

    Download