Analysis
- max time kernel: 143s
- max time network: 144s
- platform: windows10_x64
- resource: win10v20201028
- submitted: 09/11/2020, 19:53
Static task: static1
Behavioral task: behavioral1
  Sample: newbuer.exe
  Resource: win7v20201028
Behavioral task: behavioral2
  Sample: newbuer.exe
  Resource: win10v20201028
General
- Target: newbuer.exe
- Size: 111KB
- MD5: 4df84f8de8a5526f119c26518b529757
- SHA1: 42d281abeb10649bff097504f20e8fc2c8e85f5c
- SHA256: 9e746625abad522321067f546c40e8b26176ef5585bf3a45cb58ff758738f68c
- SHA512: 68cd6ce9eb7f01d7e6b2b2fff6dfdf981834168cb406a7d67df1f4c9d78b36b22689b03e408e3e68faf76d3bb4b0abd109024d4e2389258ea64a89f54e4a4b88
Malware Config
Extracted
buer
https://maldivosgrant.net/
https://jokenoiam.net/
Signatures
- Modifies WinLogon for persistence (2 TTPs, 1 IoC)
  description | ioc | Process
  Set value (str) | \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\ProgramData\\RedTools\\networker.exe\"" | networker.exe
- Buer Loader (6 IoCs)
  Detects Buer loader in memory or disk.
  resource | yara_rule
  behavioral2/memory/4272-1-0x0000000040000000-0x000000004000C000-memory.dmp | buer
  behavioral2/memory/4272-2-0x0000000040003467-mapping.dmp | buer
  behavioral2/memory/4760-4-0x0000000002140000-0x000000000214C000-memory.dmp | buer
  behavioral2/memory/4272-3-0x0000000040000000-0x000000004000C000-memory.dmp | buer
  behavioral2/memory/836-11-0x0000000040003467-mapping.dmp | buer
  behavioral2/memory/584-14-0x0000000002350000-0x000000000235C000-memory.dmp | buer
- Executes dropped EXE (2 IoCs)
  pid | Process
  584 | networker.exe
  836 | networker.exe
- Deletes itself (1 IoC)
  pid | Process
  836 | networker.exe
- Loads dropped DLL (2 IoCs)
  pid | Process
  4760 | newbuer.exe
  584 | networker.exe
- Enumerates connected drives (3 TTPs, 24 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
  description | ioc | Process
  File opened (read-only) | \??\N: | networker.exe
  File opened (read-only) | \??\O: | networker.exe
  File opened (read-only) | \??\E: | networker.exe
  File opened (read-only) | \??\J: | networker.exe
  File opened (read-only) | \??\M: | networker.exe
  File opened (read-only) | \??\T: | networker.exe
  File opened (read-only) | \??\V: | networker.exe
  File opened (read-only) | \??\W: | networker.exe
  File opened (read-only) | \??\A: | networker.exe
  File opened (read-only) | \??\F: | networker.exe
  File opened (read-only) | \??\I: | networker.exe
  File opened (read-only) | \??\Y: | networker.exe
  File opened (read-only) | \??\Z: | networker.exe
  File opened (read-only) | \??\B: | networker.exe
  File opened (read-only) | \??\G: | networker.exe
  File opened (read-only) | \??\L: | networker.exe
  File opened (read-only) | \??\Q: | networker.exe
  File opened (read-only) | \??\R: | networker.exe
  File opened (read-only) | \??\S: | networker.exe
  File opened (read-only) | \??\U: | networker.exe
  File opened (read-only) | \??\X: | networker.exe
  File opened (read-only) | \??\H: | networker.exe
  File opened (read-only) | \??\K: | networker.exe
  File opened (read-only) | \??\P: | networker.exe
- Suspicious use of SetThreadContext (2 IoCs)
  description | pid | Process | procid_target
  PID 4760 set thread context of 4272 | 4760 | newbuer.exe | 78
  PID 584 set thread context of 836 | 584 | networker.exe | 80
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- NSIS installer (6 IoCs)
  resource | yara_rule
  behavioral2/files/0x000300000001a2df-6.dat | nsis_installer_1
  behavioral2/files/0x000300000001a2df-6.dat | nsis_installer_2
  behavioral2/files/0x000300000001a2df-7.dat | nsis_installer_1
  behavioral2/files/0x000300000001a2df-7.dat | nsis_installer_2
  behavioral2/files/0x000300000001a2df-12.dat | nsis_installer_1
  behavioral2/files/0x000300000001a2df-12.dat | nsis_installer_2
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  pid | Process
  836 | networker.exe
  836 | networker.exe
- Suspicious behavior: MapViewOfSection (2 IoCs)
  pid | Process
  4760 | newbuer.exe
  584 | networker.exe
- Suspicious use of WriteProcessMemory (14 IoCs)
  description | pid | Process | procid_target
  PID 4760 wrote to memory of 4272 | 4760 | newbuer.exe | 78
  PID 4760 wrote to memory of 4272 | 4760 | newbuer.exe | 78
  PID 4760 wrote to memory of 4272 | 4760 | newbuer.exe | 78
  PID 4760 wrote to memory of 4272 | 4760 | newbuer.exe | 78
  PID 4272 wrote to memory of 584 | 4272 | newbuer.exe | 79
  PID 4272 wrote to memory of 584 | 4272 | newbuer.exe | 79
  PID 4272 wrote to memory of 584 | 4272 | newbuer.exe | 79
  PID 584 wrote to memory of 836 | 584 | networker.exe | 80
  PID 584 wrote to memory of 836 | 584 | networker.exe | 80
  PID 584 wrote to memory of 836 | 584 | networker.exe | 80
  PID 584 wrote to memory of 836 | 584 | networker.exe | 80
  PID 836 wrote to memory of 640 | 836 | networker.exe | 81
  PID 836 wrote to memory of 640 | 836 | networker.exe | 81
  PID 836 wrote to memory of 640 | 836 | networker.exe | 81
Processes
- Level 1: C:\Users\Admin\AppData\Local\Temp\newbuer.exe (PID: 4760)
  Command line: "C:\Users\Admin\AppData\Local\Temp\newbuer.exe"
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  - Level 2: C:\Users\Admin\AppData\Local\Temp\newbuer.exe (PID: 4272)
    Command line: "C:\Users\Admin\AppData\Local\Temp\newbuer.exe"
    - Suspicious use of WriteProcessMemory
    - Level 3: C:\ProgramData\RedTools\networker.exe (PID: 584)
      Command line: C:\ProgramData\RedTools\networker.exe "C:\Users\Admin\AppData\Local\Temp\newbuer.exe" ensgJJ
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious use of SetThreadContext
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of WriteProcessMemory
      - Level 4: C:\ProgramData\RedTools\networker.exe (PID: 836)
        Command line: C:\ProgramData\RedTools\networker.exe "C:\Users\Admin\AppData\Local\Temp\newbuer.exe" ensgJJ
        - Modifies WinLogon for persistence
        - Executes dropped EXE
        - Deletes itself
        - Enumerates connected drives
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of WriteProcessMemory
        - Level 5: C:\Windows\SysWOW64\secinit.exe (PID: 640)
          Command line: C:\ProgramData\RedTools\networker.exe