Analysis Overview
SHA256
17147bfbf7936c807449340f3cbcaf49f16e905d8f768b16f8c2e628bf49a894
Threat Level: Known bad
The file 17147bfbf7936c807449340f3cbcaf49f16e905d8f768b16f8c2e628bf49a894 was found to be: Known bad.
Malicious Activity Summary
Buer
Buer Loader
Enumerates connected drives
Suspicious use of SetThreadContext
Enumerates physical storage devices
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2020-09-16 16:43
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2020-09-16 16:43
Reported
2020-09-16 16:45
Platform
win7
Max time kernel
132s
Max time network
137s
Command Line
Signatures
Buer
Buer Loader
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 1460 set thread context of 2024 | N/A | C:\Users\Admin\AppData\Local\Temp\17147bfbf7936c807449340f3cbcaf49f16e905d8f768b16f8c2e628bf49a894.exe | C:\Users\Admin\AppData\Local\Temp\17147bfbf7936c807449340f3cbcaf49f16e905d8f768b16f8c2e628bf49a894.exe |
Enumerates physical storage devices
Creates scheduled task(s)
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\17147bfbf7936c807449340f3cbcaf49f16e905d8f768b16f8c2e628bf49a894.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\17147bfbf7936c807449340f3cbcaf49f16e905d8f768b16f8c2e628bf49a894.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
|---|---|---|---|
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\17147bfbf7936c807449340f3cbcaf49f16e905d8f768b16f8c2e628bf49a894.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\17147bfbf7936c807449340f3cbcaf49f16e905d8f768b16f8c2e628bf49a894.exe
"C:\Users\Admin\AppData\Local\Temp\17147bfbf7936c807449340f3cbcaf49f16e905d8f768b16f8c2e628bf49a894.exe"
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\KUCeBegeqW" /XML "C:\Users\Admin\AppData\Local\Temp\tmpB126.tmp"
C:\Users\Admin\AppData\Local\Temp\17147bfbf7936c807449340f3cbcaf49f16e905d8f768b16f8c2e628bf49a894.exe
"{path}"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -Command "& {Add-MpPreference -ExclusionPath C:\ProgramData\f6b190b6b4b042caa860}"
Network
Files
C:\Users\Admin\AppData\Local\Temp\tmpB126.tmp
| Hash | Value |
|---|---|
| MD5 | 68779782e7715ffd0e4a08282565623d |
| SHA1 | 1f5577b4153635066ed57a6f0c8e5fbe2cd60c95 |
| SHA256 | 5e44df19209cafbb129c5bebf50c020893377b61163231a8622e71fdcb39558d |
| SHA512 | 8da7aa5777f3994f208052f3b6e36db4b6fb5987538753684dcf2b7c1e65b3578944ac5842f7c229e19b1f07902b48058b8ac0521d5ac7ec20aed36310c95192 |
Analysis: behavioral2
Detonation Overview
Submitted
2020-09-16 16:43
Reported
2020-09-16 16:45
Platform
win10v200722
Max time kernel
148s
Max time network
152s
Command Line
Signatures
Buer
Buer Loader
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Enumerates connected drives
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 3816 set thread context of 3372 | N/A | C:\Users\Admin\AppData\Local\Temp\17147bfbf7936c807449340f3cbcaf49f16e905d8f768b16f8c2e628bf49a894.exe | C:\Users\Admin\AppData\Local\Temp\17147bfbf7936c807449340f3cbcaf49f16e905d8f768b16f8c2e628bf49a894.exe |
Enumerates physical storage devices
Creates scheduled task(s)
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
|---|---|---|---|
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\17147bfbf7936c807449340f3cbcaf49f16e905d8f768b16f8c2e628bf49a894.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\17147bfbf7936c807449340f3cbcaf49f16e905d8f768b16f8c2e628bf49a894.exe
"C:\Users\Admin\AppData\Local\Temp\17147bfbf7936c807449340f3cbcaf49f16e905d8f768b16f8c2e628bf49a894.exe"
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\KUCeBegeqW" /XML "C:\Users\Admin\AppData\Local\Temp\tmp11D3.tmp"
C:\Users\Admin\AppData\Local\Temp\17147bfbf7936c807449340f3cbcaf49f16e905d8f768b16f8c2e628bf49a894.exe
"{path}"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -Command "& {Add-MpPreference -ExclusionPath C:\ProgramData\8368fc09951cc8b0734c}"
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| N/A | 8.8.8.8:53 | kackdelar.top | udp |
| N/A | 8.8.8.8:53 | kackdelar.top | udp |
| N/A | 8.8.8.8:53 | kackdelar.top | udp |
Files
C:\Users\Admin\AppData\Local\Temp\tmp11D3.tmp
| Hash | Value |
|---|---|
| MD5 | b967d2f0d30d20b716e492d304a42f51 |
| SHA1 | aaed515e1232a4e44bf5904d39099d3d66227298 |
| SHA256 | 9d7b9388ba59449e00e45c5304ecc752f521d5b564683d1660135c23519c4412 |
| SHA512 | 3dc3aa7f07952f6d988c7d93118b44b761904ffda11024ff8df1b349d2ec5b9a615253f3534b96c38edd2080d89c44add22e478bd8367358ec40bf4a515a0d22 |