Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    143s
  • max time network
    144s
  • platform
    windows10_x64
  • resource
    win10v20201028
  • submitted
    09/11/2020, 19:53

General

  • Target

    newbuer.exe

  • Size

    111KB

  • MD5

    4df84f8de8a5526f119c26518b529757

  • SHA1

    42d281abeb10649bff097504f20e8fc2c8e85f5c

  • SHA256

    9e746625abad522321067f546c40e8b26176ef5585bf3a45cb58ff758738f68c

  • SHA512

    68cd6ce9eb7f01d7e6b2b2fff6dfdf981834168cb406a7d67df1f4c9d78b36b22689b03e408e3e68faf76d3bb4b0abd109024d4e2389258ea64a89f54e4a4b88

Score
10/10

Malware Config

Extracted

Family

buer

C2

https://maldivosgrant.net/

https://jokenoiam.net/

Signatures

  • Buer

    Buer is a new modular loader first seen in August 2019.

  • Modifies WinLogon for persistence 2 TTPs 1 IoCs
  • Buer Loader 6 IoCs

    Detects Buer loader in memory or disk.

  • Executes dropped EXE 2 IoCs
  • Deletes itself 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Enumerates connected drives 3 TTPs 24 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Suspicious use of SetThreadContext 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • NSIS installer 6 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious behavior: MapViewOfSection 2 IoCs
  • Suspicious use of WriteProcessMemory 14 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\newbuer.exe
    "C:\Users\Admin\AppData\Local\Temp\newbuer.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of SetThreadContext
    • Suspicious behavior: MapViewOfSection
    • Suspicious use of WriteProcessMemory
    PID:4760
    • C:\Users\Admin\AppData\Local\Temp\newbuer.exe
      "C:\Users\Admin\AppData\Local\Temp\newbuer.exe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4272
      • C:\ProgramData\RedTools\networker.exe
        C:\ProgramData\RedTools\networker.exe "C:\Users\Admin\AppData\Local\Temp\newbuer.exe" ensgJJ
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious use of SetThreadContext
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of WriteProcessMemory
        PID:584
        • C:\ProgramData\RedTools\networker.exe
          C:\ProgramData\RedTools\networker.exe "C:\Users\Admin\AppData\Local\Temp\newbuer.exe" ensgJJ
          4⤵
          • Modifies WinLogon for persistence
          • Executes dropped EXE
          • Deletes itself
          • Enumerates connected drives
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          PID:836
          • C:\Windows\SysWOW64\secinit.exe
            C:\ProgramData\RedTools\networker.exe
            5⤵
              PID:640

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • memory/584-14-0x0000000002350000-0x000000000235C000-memory.dmp

      Filesize

      48KB

    • memory/4272-3-0x0000000040000000-0x000000004000C000-memory.dmp

      Filesize

      48KB

    • memory/4272-1-0x0000000040000000-0x000000004000C000-memory.dmp

      Filesize

      48KB

    • memory/4760-4-0x0000000002140000-0x000000000214C000-memory.dmp

      Filesize

      48KB