Analysis

max time kernel: 134s
max time network: 136s
platform: windows7_x64
resource: win7v20201028
submitted: 17-11-2020 08:22
Static task
static1

Behavioral task
behavioral1
Sample: 340cdccf8bccec7270e1fe2ca48cb329b8270872fbf1a84c7f55642962dc1acd.exe
Resource: win7v20201028

Behavioral task
behavioral2
Sample: 340cdccf8bccec7270e1fe2ca48cb329b8270872fbf1a84c7f55642962dc1acd.exe
Resource: win10v20201028
General

Target: 340cdccf8bccec7270e1fe2ca48cb329b8270872fbf1a84c7f55642962dc1acd.exe
Size: 48KB
MD5: 76a230f34d4a3a9127ba6006c1260438
SHA1: c52117e45e24a8c3c6ef53286ff29cfcdd12ca85
SHA256: 340cdccf8bccec7270e1fe2ca48cb329b8270872fbf1a84c7f55642962dc1acd
SHA512: c1f32f1600558ccf5898a2fb4d8cf2b34d6380e73c31804e667325fb9e6fa6e392b0da61c86228cc00d7a36b4340a10a29b54d355101a9c95946d31445d63d8b
Malware Config

Extracted
Family: buer
C2 URLs:
  https://restaurantfutureworld.net/
  https://snowhotdogletter.net/
Signatures

Modifies WinLogon for persistence (2 TTPs, 2 IoCs)
The same Winlogon Shell value is written twice, first by the dropped AutoReg.exe and again from the secinit.exe process it spawns. Appending a second executable after explorer.exe in this value makes Winlogon start it at every interactive logon alongside the real shell.

  description: Set value (str)
  ioc: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\ProgramData\\108d6786562a3ba74b72\\AutoReg.exe\""
  process: AutoReg.exe

  description: Set value (str)
  ioc: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\ProgramData\\108d6786562a3ba74b72\\AutoReg.exe\""
  process: secinit.exe
Buer Loader (5 IoCs)
Detects Buer loader in memory or disk.

  resource: behavioral1/files/0x00040000000130ca-0.dat  yara_rule: buer
  resource: behavioral1/files/0x00040000000130ca-1.dat  yara_rule: buer
  resource: behavioral1/files/0x00040000000130ca-3.dat  yara_rule: buer
  resource: behavioral1/files/0x00040000000130ca-4.dat  yara_rule: buer
  resource: behavioral1/memory/2040-6-0x0000000000000000-mapping.dmp  yara_rule: buer

The memory match is a dump taken from PID 2040 (secinit.exe), consistent with the loader having been written into that process by AutoReg.exe (see the WriteProcessMemory entries below) rather than running from AutoReg.exe itself.
Executes dropped EXE (1 IoC)
  pid: 1436  process: AutoReg.exe

Deletes itself (1 IoC)
  pid: 1436  process: AutoReg.exe

Loads dropped DLL (2 IoCs)
  pid: 1080  process: 340cdccf8bccec7270e1fe2ca48cb329b8270872fbf1a84c7f55642962dc1acd.exe
  pid: 1080  process: 340cdccf8bccec7270e1fe2ca48cb329b8270872fbf1a84c7f55642962dc1acd.exe
Enumerates connected drives (3 TTPs, 24 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.

  description: File opened (read-only)
  process: secinit.exe
  ioc: \??\A: \??\B: \??\E: \??\F: \??\G: \??\H: \??\I: \??\J: \??\K: \??\L: \??\M: \??\N: \??\O: \??\P: \??\Q: \??\R: \??\S: \??\T: \??\U: \??\V: \??\W: \??\X: \??\Y: \??\Z:
  (every drive letter from A: to Z: except C: and D:; listed here in alphabetical order)
Suspicious behavior: EnumeratesProcesses (2 IoCs)
  pid: 2044  process: powershell.exe
  pid: 2044  process: powershell.exe

Suspicious use of AdjustPrivilegeToken (1 IoC)
  description: Token: SeDebugPrivilege  pid: 2044  process: powershell.exe

Suspicious use of WriteProcessMemory (19 IoCs)
  PID 1080 (340cdccf8bccec7270e1fe2ca48cb329b8270872fbf1a84c7f55642962dc1acd.exe) wrote to memory of 1436 (AutoReg.exe), procid_target 25: 4 entries
  PID 1436 (AutoReg.exe) wrote to memory of 2040 (secinit.exe), procid_target 26: 11 entries
  PID 2040 (secinit.exe) wrote to memory of 2044 (powershell.exe), procid_target 27: 4 entries
Processes
(indentation shows the parent/child relationship; each process is a child of the one above it)

C:\Users\Admin\AppData\Local\Temp\340cdccf8bccec7270e1fe2ca48cb329b8270872fbf1a84c7f55642962dc1acd.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\340cdccf8bccec7270e1fe2ca48cb329b8270872fbf1a84c7f55642962dc1acd.exe"
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID: 1080

  C:\ProgramData\108d6786562a3ba74b72\AutoReg.exe
    command line: C:\ProgramData\108d6786562a3ba74b72\AutoReg.exe "C:\Users\Admin\AppData\Local\Temp\340cdccf8bccec7270e1fe2ca48cb329b8270872fbf1a84c7f55642962dc1acd.exe" ensgJJ
    - Modifies WinLogon for persistence
    - Executes dropped EXE
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    PID: 1436

    C:\Windows\SysWOW64\secinit.exe
      command line: C:\ProgramData\108d6786562a3ba74b72\AutoReg.exe
      - Modifies WinLogon for persistence
      - Enumerates connected drives
      - Suspicious use of WriteProcessMemory
      PID: 2040

      C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        command line: powershell.exe -Command "& {Add-MpPreference -ExclusionPath C:\ProgramData\108d6786562a3ba74b72}"
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        PID: 2044
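The script below is an added example and is not part of this sandbox report or of the Buer sample. It turns three behaviours visible in the report into hunt rules and runs them over a constructed event set built from the report's own PIDs, paths and command lines: a Winlogon Shell value that names anything besides explorer.exe, a Defender exclusion added with Add-MpPreference, and a System32/SysWOW64 image (secinit.exe) whose command line points at a different executable (AutoReg.exe), which is the tell for the process hollowing suggested by the WriteProcessMemory entries. The event field names, the sample's parent PID (900) and the benign control event from PID 700 are assumptions made for the demo. Note that Add-MpPreference only succeeds in an elevated context (the sandbox ran the sample as Admin), so on a real host the exclusion finding is worth correlating with the integrity level of the parent.

```python
import re

# Constructed event set modelled on the PIDs, paths and command lines in the
# report above; it is not real telemetry. The sample's parent PID (900) and the
# benign control Shell event (PID 700) are assumptions added for the demo.
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\340cdccf8bccec7270e1fe2ca48cb329b8270872fbf1a84c7f55642962dc1acd.exe"
DROP_DIR = r"C:\ProgramData\108d6786562a3ba74b72"

SAMPLE_EVENTS = [
    {"type": "process", "pid": 1080, "ppid": 900, "image": SAMPLE,
     "cmdline": f'"{SAMPLE}"'},
    {"type": "process", "pid": 1436, "ppid": 1080, "image": DROP_DIR + r"\AutoReg.exe",
     "cmdline": DROP_DIR + r"\AutoReg.exe " + f'"{SAMPLE}" ensgJJ'},
    {"type": "process", "pid": 2040, "ppid": 1436, "image": r"C:\Windows\SysWOW64\secinit.exe",
     "cmdline": DROP_DIR + r"\AutoReg.exe"},
    {"type": "process", "pid": 2044, "ppid": 2040,
     "image": r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": 'powershell.exe -Command "& {Add-MpPreference -ExclusionPath ' + DROP_DIR + '}"'},
    {"type": "registry", "pid": 1436,
     "key": r"\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell",
     "value": 'explorer.exe, "' + DROP_DIR + r'\AutoReg.exe"'},
    {"type": "registry", "pid": 700,  # benign control: the default Shell value must not fire
     "key": r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell",
     "value": "explorer.exe"},
]

# Matches the Defender exclusion cmdlet and captures the first exclusion argument,
# stopping at whitespace or the closing brace of a "& {...}" script block.
DEFENDER_EXCLUSION = re.compile(
    r"Add-MpPreference\s+.*?-Exclusion(?:Path|Process|Extension|IpAddress)\s+([^\s}]+)", re.I)
SYSTEM_DIRS = ("\\system32\\", "\\syswow64\\")


def _basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def _first_token(cmdline):
    """Executable named on a command line: the quoted span, or the text up to the first space."""
    s = cmdline.strip()
    if s.startswith('"'):
        end = s.find('"', 1)
        return s[1:end] if end > 0 else s[1:]
    return s.split(" ", 1)[0]


def winlogon_shell_extras(value):
    """Entries in a Winlogon Shell value other than explorer.exe (splits on commas,
    which is what Winlogon does; a path containing a comma would be split too)."""
    entries = [v.strip().strip('"') for v in value.split(",")]
    return [v for v in entries if v and v.lower() != "explorer.exe"]


def hunt(events):
    """Return (rule, pid, detail) findings for the three behaviours in the report."""
    findings = []
    for e in events:
        if e["type"] == "registry":
            key = e["key"].lower()
            if "winlogon" in key and key.endswith("\\shell"):
                extras = winlogon_shell_extras(e["value"])
                if extras:
                    findings.append(("winlogon_shell_persistence", e["pid"], extras[0]))
        elif e["type"] == "process":
            m = DEFENDER_EXCLUSION.search(e["cmdline"])
            if m:
                findings.append(("defender_exclusion", e["pid"], m.group(1).strip("'\"")))
            # A Windows system binary whose command line names another executable is
            # the secinit.exe / AutoReg.exe pattern from the process tree.
            image = e["image"].lower()
            launched = _first_token(e["cmdline"])
            if any(d in image for d in SYSTEM_DIRS) and _basename(launched) != _basename(image):
                findings.append(("image_cmdline_mismatch", e["pid"], launched))
    return findings


def lineage(events, pid):
    """Image names from pid up to the first ancestor not present in the events."""
    by_pid = {e["pid"]: e for e in events if e["type"] == "process"}
    chain = []
    while pid in by_pid:
        chain.append(_basename(by_pid[pid]["image"]))
        pid = by_pid[pid]["ppid"]
    return chain


if __name__ == "__main__":
    for rule, pid, detail in hunt(SAMPLE_EVENTS):
        print(f"{rule:28} pid={pid} {detail}")
    print("powershell lineage: " + " <- ".join(lineage(SAMPLE_EVENTS, 2044)))
```

Running the script prints the three findings (the secinit.exe/AutoReg.exe mismatch for PID 2040, the exclusion of C:\ProgramData\108d6786562a3ba74b72 by PID 2044, and the Shell persistence written by PID 1436) and the chain powershell.exe <- secinit.exe <- autoreg.exe <- the sample, while the benign Shell event from PID 700 produces nothing. On real telemetry the same three rules map onto Sysmon event IDs 13 (registry value set) and 1 (process creation); the mismatch rule is deliberately narrow (system directories only) to keep it quiet on hosts where legitimate launchers pass another program's path as the first argument.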