Analysis

Max time kernel: 103s
Max time network: 113s
Platform: windows10_x64
Resource: win10v200722
Submitted: 16-09-2020 16:43
Static task: static1
Behavioral task: behavioral1
Sample: a6cf85f38f11e82be3fbabc2f7ee0d07f608f30ceb92654ec2168c4fcfad56e0.exe
Resource: win7 (windows7_x64), 0 signatures, 0 seconds
General

Target: a6cf85f38f11e82be3fbabc2f7ee0d07f608f30ceb92654ec2168c4fcfad56e0.exe
Size: 259KB
MD5: ac8348dd8319365d4857b1e20715c6da
SHA1: 5c5b1008a7a96015f2588fd60ddc0b4739f74fb5
SHA256: a6cf85f38f11e82be3fbabc2f7ee0d07f608f30ceb92654ec2168c4fcfad56e0
SHA512: eed7640b28d4b023cd4c252ed812820221aca61f969ca2e6d5f59aad5532fae07d17401272dd36a3c49641136fa8a95d1e1d801076deb8eac97222f506f0ac86
Malware Config (extracted)

Family: buer
C2: https://kackdelar.top/
Signatures

Buer Loader (3 IoCs)
Detects Buer loader in memory or disk.
Processes:
  resource                                                                     yara_rule
  behavioral2/memory/3248-6-0x0000000040000000-0x000000004000C000-memory.dmp   buer
  behavioral2/memory/3248-7-0x0000000040002E00-mapping.dmp                     buer
  behavioral2/memory/3248-8-0x0000000040000000-0x000000004000C000-memory.dmp   buer
Enumerates connected drives (3 TTPs, 24 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
Processes: RegAsm.exe
  description               ioc      Process
  File opened (read-only)   \??\B:   RegAsm.exe
  File opened (read-only)   \??\F:   RegAsm.exe
  File opened (read-only)   \??\G:   RegAsm.exe
  File opened (read-only)   \??\K:   RegAsm.exe
  File opened (read-only)   \??\L:   RegAsm.exe
  File opened (read-only)   \??\U:   RegAsm.exe
  File opened (read-only)   \??\A:   RegAsm.exe
  File opened (read-only)   \??\H:   RegAsm.exe
  File opened (read-only)   \??\O:   RegAsm.exe
  File opened (read-only)   \??\S:   RegAsm.exe
  File opened (read-only)   \??\T:   RegAsm.exe
  File opened (read-only)   \??\V:   RegAsm.exe
  File opened (read-only)   \??\Y:   RegAsm.exe
  File opened (read-only)   \??\Z:   RegAsm.exe
  File opened (read-only)   \??\P:   RegAsm.exe
  File opened (read-only)   \??\R:   RegAsm.exe
  File opened (read-only)   \??\W:   RegAsm.exe
  File opened (read-only)   \??\E:   RegAsm.exe
  File opened (read-only)   \??\I:   RegAsm.exe
  File opened (read-only)   \??\J:   RegAsm.exe
  File opened (read-only)   \??\M:   RegAsm.exe
  File opened (read-only)   \??\N:   RegAsm.exe
  File opened (read-only)   \??\Q:   RegAsm.exe
  File opened (read-only)   \??\X:   RegAsm.exe
Suspicious use of SetThreadContext (1 IoC)
Processes: a6cf85f38f11e82be3fbabc2f7ee0d07f608f30ceb92654ec2168c4fcfad56e0.exe
  description                              pid    Process                                                                 procid_target
  PID 3876 set thread context of 3248      3876   a6cf85f38f11e82be3fbabc2f7ee0d07f608f30ceb92654ec2168c4fcfad56e0.exe   72
Suspicious behavior: EnumeratesProcesses (5 IoCs)
Processes: powershell.exe, RegAsm.exe
  pid    Process
  3748   powershell.exe
  3748   powershell.exe
  3748   powershell.exe
  3248   RegAsm.exe
  3248   RegAsm.exe
Suspicious behavior: MapViewOfSection (1 IoC)
Processes: a6cf85f38f11e82be3fbabc2f7ee0d07f608f30ceb92654ec2168c4fcfad56e0.exe
  pid    Process
  3876   a6cf85f38f11e82be3fbabc2f7ee0d07f608f30ceb92654ec2168c4fcfad56e0.exe
Suspicious use of AdjustPrivilegeToken (1 IoC)
Processes: powershell.exe
  description                pid    Process
  Token: SeDebugPrivilege    3748   powershell.exe
Suspicious use of WriteProcessMemory (7 IoCs)
Processes: a6cf85f38f11e82be3fbabc2f7ee0d07f608f30ceb92654ec2168c4fcfad56e0.exe, RegAsm.exe
  description                            pid    Process                                                                 procid_target
  PID 3876 wrote to memory of 3248       3876   a6cf85f38f11e82be3fbabc2f7ee0d07f608f30ceb92654ec2168c4fcfad56e0.exe   72
  PID 3876 wrote to memory of 3248       3876   a6cf85f38f11e82be3fbabc2f7ee0d07f608f30ceb92654ec2168c4fcfad56e0.exe   72
  PID 3876 wrote to memory of 3248       3876   a6cf85f38f11e82be3fbabc2f7ee0d07f608f30ceb92654ec2168c4fcfad56e0.exe   72
  PID 3876 wrote to memory of 3248       3876   a6cf85f38f11e82be3fbabc2f7ee0d07f608f30ceb92654ec2168c4fcfad56e0.exe   72
  PID 3248 wrote to memory of 3748       3248   RegAsm.exe                                                              76
  PID 3248 wrote to memory of 3748       3248   RegAsm.exe                                                              76
  PID 3248 wrote to memory of 3748       3248   RegAsm.exe                                                              76
Processes (process tree; the number gives the nesting depth)

1. C:\Users\Admin\AppData\Local\Temp\a6cf85f38f11e82be3fbabc2f7ee0d07f608f30ceb92654ec2168c4fcfad56e0.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\a6cf85f38f11e82be3fbabc2f7ee0d07f608f30ceb92654ec2168c4fcfad56e0.exe"
   PID: 3876
   - Suspicious use of SetThreadContext
   - Suspicious behavior: MapViewOfSection
   - Suspicious use of WriteProcessMemory

   2. C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe (child of 1)
      Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
      PID: 3248
      - Enumerates connected drives
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory

      3. C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (child of 2)
         Command line: powershell.exe -Command "& {Add-MpPreference -ExclusionPath C:\ProgramData\563b80623112110d8474}"
         PID: 3748
         - Suspicious behavior: EnumeratesProcesses
         - Suspicious use of AdjustPrivilegeToken