Analysis
-
max time kernel
63s -
max time network
111s -
platform
windows10_x64 -
resource
win10v200722 -
submitted
03-10-2020 03:31
Static task
static1
Behavioral task
behavioral1
Sample
4c51b8b7cd48ab404a9259da953f6222d73b80b9ce440dd2fe6632000090e73d.exe
Resource
win7
windows7_x64
0 signatures
0 seconds
General
-
Target
4c51b8b7cd48ab404a9259da953f6222d73b80b9ce440dd2fe6632000090e73d.exe
-
Size
693KB
-
MD5
b61b330f0ad589422d862cebf65e92c1
-
SHA1
54d7cb2745607e2ea52db8423cf9f210c7674ee6
-
SHA256
4c51b8b7cd48ab404a9259da953f6222d73b80b9ce440dd2fe6632000090e73d
-
SHA512
534bc27db1c8df0ff2c7e5aaf4dc6a4aaffde931e3dacb2490b219c3a0323362afdec5d65d18d6c1ba44cbd384a1020319ff3298ab1330cab459b8b198d46dc1
Malware Config
Extracted
Family
buer
C2
https://bankcreditsign.com/
Signatures
-
Buer Loader 2 IoCs
Detects Buer loader in memory or disk.
resource yara_rule behavioral2/memory/788-0-0x0000000002550000-0x00000000025B0000-memory.dmp buer behavioral2/memory/788-1-0x0000000040000000-0x000000004005D000-memory.dmp buer -
Enumerates connected drives 3 TTPs 24 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\X: 4c51b8b7cd48ab404a9259da953f6222d73b80b9ce440dd2fe6632000090e73d.exe File opened (read-only) \??\Y: 4c51b8b7cd48ab404a9259da953f6222d73b80b9ce440dd2fe6632000090e73d.exe File opened (read-only) \??\O: 4c51b8b7cd48ab404a9259da953f6222d73b80b9ce440dd2fe6632000090e73d.exe File opened (read-only) \??\R: 4c51b8b7cd48ab404a9259da953f6222d73b80b9ce440dd2fe6632000090e73d.exe File opened (read-only) \??\T: 4c51b8b7cd48ab404a9259da953f6222d73b80b9ce440dd2fe6632000090e73d.exe File opened (read-only) \??\L: 4c51b8b7cd48ab404a9259da953f6222d73b80b9ce440dd2fe6632000090e73d.exe File opened (read-only) \??\N: 4c51b8b7cd48ab404a9259da953f6222d73b80b9ce440dd2fe6632000090e73d.exe File opened (read-only) \??\V: 4c51b8b7cd48ab404a9259da953f6222d73b80b9ce440dd2fe6632000090e73d.exe File opened (read-only) \??\W: 4c51b8b7cd48ab404a9259da953f6222d73b80b9ce440dd2fe6632000090e73d.exe File opened (read-only) \??\B: 4c51b8b7cd48ab404a9259da953f6222d73b80b9ce440dd2fe6632000090e73d.exe File opened (read-only) \??\E: 4c51b8b7cd48ab404a9259da953f6222d73b80b9ce440dd2fe6632000090e73d.exe File opened (read-only) \??\I: 4c51b8b7cd48ab404a9259da953f6222d73b80b9ce440dd2fe6632000090e73d.exe File opened (read-only) \??\J: 4c51b8b7cd48ab404a9259da953f6222d73b80b9ce440dd2fe6632000090e73d.exe File opened (read-only) \??\P: 4c51b8b7cd48ab404a9259da953f6222d73b80b9ce440dd2fe6632000090e73d.exe File opened (read-only) \??\Z: 4c51b8b7cd48ab404a9259da953f6222d73b80b9ce440dd2fe6632000090e73d.exe File opened (read-only) \??\A: 4c51b8b7cd48ab404a9259da953f6222d73b80b9ce440dd2fe6632000090e73d.exe File opened (read-only) \??\F: 4c51b8b7cd48ab404a9259da953f6222d73b80b9ce440dd2fe6632000090e73d.exe File opened (read-only) \??\G: 4c51b8b7cd48ab404a9259da953f6222d73b80b9ce440dd2fe6632000090e73d.exe File opened (read-only) \??\Q: 4c51b8b7cd48ab404a9259da953f6222d73b80b9ce440dd2fe6632000090e73d.exe File opened (read-only) \??\S: 4c51b8b7cd48ab404a9259da953f6222d73b80b9ce440dd2fe6632000090e73d.exe File opened (read-only) \??\U: 4c51b8b7cd48ab404a9259da953f6222d73b80b9ce440dd2fe6632000090e73d.exe File opened (read-only) \??\H: 4c51b8b7cd48ab404a9259da953f6222d73b80b9ce440dd2fe6632000090e73d.exe File opened (read-only) \??\K: 4c51b8b7cd48ab404a9259da953f6222d73b80b9ce440dd2fe6632000090e73d.exe File opened (read-only) \??\M: 4c51b8b7cd48ab404a9259da953f6222d73b80b9ce440dd2fe6632000090e73d.exe -
Suspicious behavior: EnumeratesProcesses 3 IoCs
pid Process 3596 powershell.exe 3596 powershell.exe 3596 powershell.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 3596 powershell.exe -
Suspicious use of WriteProcessMemory 3 IoCs
description pid Process procid_target PID 788 wrote to memory of 3596 788 4c51b8b7cd48ab404a9259da953f6222d73b80b9ce440dd2fe6632000090e73d.exe 73 PID 788 wrote to memory of 3596 788 4c51b8b7cd48ab404a9259da953f6222d73b80b9ce440dd2fe6632000090e73d.exe 73 PID 788 wrote to memory of 3596 788 4c51b8b7cd48ab404a9259da953f6222d73b80b9ce440dd2fe6632000090e73d.exe 73
Processes
-
C:\Users\Admin\AppData\Local\Temp\4c51b8b7cd48ab404a9259da953f6222d73b80b9ce440dd2fe6632000090e73d.exe"C:\Users\Admin\AppData\Local\Temp\4c51b8b7cd48ab404a9259da953f6222d73b80b9ce440dd2fe6632000090e73d.exe"1⤵
- Enumerates connected drives
- Suspicious use of WriteProcessMemory
PID:788 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell.exe -Command "& {Add-MpPreference -ExclusionPath C:\ProgramData\2ddb0287d95da9fd3e75}"2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3596
-