Analysis
max time kernel:   88s
max time network:  110s
platform:          windows10_x64
resource:          win10v200722
submitted:         23-09-2020 23:58
Static task:       static1
General
Target:  Preview.exe
Size:    577KB
MD5:     50d70228e09abf06f3e7f41b9e1295cb
SHA1:    9e3adaba7dc1092c610c8da7b27b11afc11ddc3d
SHA256:  bee606dfb763d8d5a648fed649cfb1b8d5a62ac3143a3583634cccc305f26422
SHA512:  57a6a7bca8c43e506b8c80f2c31a467ec519a6375a5dfbfa619034d832ad1c340db8fae1483be1fbafdb9e460996a2f6b381fa3bb3f9ea151cf7f87b9bc8ce52
Malware Config
Extracted
Family:  buer
C2:      https://178.62.46.155/
Signatures

Buer Loader (2 IoCs)
Detects Buer loader in memory or disk.
resource                                                                     yara_rule
behavioral1/memory/3816-0-0x00000000001F0000-0x00000000001FF000-memory.dmp   buer
behavioral1/memory/3816-1-0x0000000040000000-0x000000004000C000-memory.dmp   buer
Enumerates connected drives (3 TTPs, 24 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
description              ioc     Process
File opened (read-only)  \??\L:  Preview.exe
File opened (read-only)  \??\M:  Preview.exe
File opened (read-only)  \??\R:  Preview.exe
File opened (read-only)  \??\S:  Preview.exe
File opened (read-only)  \??\U:  Preview.exe
File opened (read-only)  \??\W:  Preview.exe
File opened (read-only)  \??\E:  Preview.exe
File opened (read-only)  \??\K:  Preview.exe
File opened (read-only)  \??\O:  Preview.exe
File opened (read-only)  \??\T:  Preview.exe
File opened (read-only)  \??\X:  Preview.exe
File opened (read-only)  \??\G:  Preview.exe
File opened (read-only)  \??\N:  Preview.exe
File opened (read-only)  \??\P:  Preview.exe
File opened (read-only)  \??\Q:  Preview.exe
File opened (read-only)  \??\J:  Preview.exe
File opened (read-only)  \??\B:  Preview.exe
File opened (read-only)  \??\F:  Preview.exe
File opened (read-only)  \??\H:  Preview.exe
File opened (read-only)  \??\I:  Preview.exe
File opened (read-only)  \??\V:  Preview.exe
File opened (read-only)  \??\Y:  Preview.exe
File opened (read-only)  \??\Z:  Preview.exe
File opened (read-only)  \??\A:  Preview.exe
Suspicious behavior: EnumeratesProcesses (3 IoCs)
pid   Process
3572  powershell.exe
3572  powershell.exe
3572  powershell.exe
Suspicious use of AdjustPrivilegeToken (1 IoC)
description              pid   Process
Token: SeDebugPrivilege  3572  powershell.exe
Suspicious use of WriteProcessMemory (3 IoCs)
description                       pid   Process      procid_target
PID 3816 wrote to memory of 3572  3816  Preview.exe  76
PID 3816 wrote to memory of 3572  3816  Preview.exe  76
PID 3816 wrote to memory of 3572  3816  Preview.exe  76
Processes

1. C:\Users\Admin\AppData\Local\Temp\Preview.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\Preview.exe"
   PID: 3816
   - Enumerates connected drives
   - Suspicious use of WriteProcessMemory

   2. C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (child of PID 3816)
      Command line: powershell.exe -Command "& {Add-MpPreference -ExclusionPath C:\ProgramData\c960ed411bbc5376cd17}"
      PID: 3572
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken