Overview

overview

10

Static

static

ca833b3820...d4.exe

windows7_x64

10

ca833b3820...d4.exe

windows10_x64

10

Analysis

  • max time kernel
    67s
  • max time network
    113s
  • platform
    windows10_x64
  • resource
    win10v200722
  • submitted
    11-10-2020 05:14

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    ca833b3820cff853dc84eb98bf8910249a80a28ed2a7e1da2cc13937df1b39d4.exe

  • Size

    1.3MB

  • MD5

    6def4f90609b737a0d4ed1970029c1cf

  • SHA1

    bd8a68f7ce2ed1ff2f2e9d3db7b07f23c06d3698

  • SHA256

    ca833b3820cff853dc84eb98bf8910249a80a28ed2a7e1da2cc13937df1b39d4

  • SHA512

    168793273138156661ed22c49008e24ffffeb70c3ad8ec3c54d4a1cd0cb45e8d5b4369c4f6ff7b9ba213a3efcb0a126c37b722bd76da2a5cb74ed1a16a3b4682

Score
10/10
buerloader

Malware Config

Extracted

Family

buer

C2

https://supsuncorner.com/

Signatures

  • Buer

    Buer is a new modular loader first seen in August 2019.

    loaderbuer
  • Buer Loader 2 IoCs

    Detects Buer loader in memory or disk.

  • Enumerates connected drives 3 TTPs 24 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\ca833b3820cff853dc84eb98bf8910249a80a28ed2a7e1da2cc13937df1b39d4.exe
    "C:\Users\Admin\AppData\Local\Temp\ca833b3820cff853dc84eb98bf8910249a80a28ed2a7e1da2cc13937df1b39d4.exe"
    1⤵
    • Enumerates connected drives
    • Suspicious use of WriteProcessMemory
    PID:496
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -Command "& {Add-MpPreference -ExclusionPath C:\ProgramData\0856595400cfe9608e9f}"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3936

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/496-0-0x0000000000830000-0x0000000000890000-memory.dmp

    Filesize

    384KB

    Download

  • memory/496-1-0x0000000040000000-0x000000004005D000-memory.dmp

    Filesize

    372KB

    Download

  • memory/3936-3-0x0000000073570000-0x0000000073C5E000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/3936-4-0x0000000004280000-0x0000000004281000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3936-5-0x0000000006F00000-0x0000000006F01000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3936-6-0x0000000006BE0000-0x0000000006BE1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3936-7-0x0000000006D80000-0x0000000006D81000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3936-8-0x0000000006E60000-0x0000000006E61000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3936-9-0x0000000007530000-0x0000000007531000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3936-10-0x0000000007980000-0x0000000007981000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3936-11-0x0000000007EF0000-0x0000000007EF1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3936-12-0x0000000007D70000-0x0000000007D71000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3936-14-0x0000000008B40000-0x0000000008B73000-memory.dmp

    Filesize

    204KB

    Download

  • memory/3936-21-0x0000000008B20000-0x0000000008B21000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3936-22-0x0000000008C90000-0x0000000008C91000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3936-23-0x00000000090C0000-0x00000000090C1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3936-24-0x0000000009020000-0x0000000009021000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3936-26-0x0000000006930000-0x0000000006931000-memory.dmp

    Filesize

    4KB

    Download