Analysis
max time kernel: 62s
max time network: 105s
platform: windows10_x64
resource: win10v20201028
submitted: 17-11-2020 08:22
Static task: static1
Behavioral task: behavioral1 (sample 340cdccf8bccec7270e1fe2ca48cb329b8270872fbf1a84c7f55642962dc1acd.exe, resource win7v20201028)
Behavioral task: behavioral2 (sample 340cdccf8bccec7270e1fe2ca48cb329b8270872fbf1a84c7f55642962dc1acd.exe, resource win10v20201028)
General
Target: 340cdccf8bccec7270e1fe2ca48cb329b8270872fbf1a84c7f55642962dc1acd.exe
Size: 48KB
MD5: 76a230f34d4a3a9127ba6006c1260438
SHA1: c52117e45e24a8c3c6ef53286ff29cfcdd12ca85
SHA256: 340cdccf8bccec7270e1fe2ca48cb329b8270872fbf1a84c7f55642962dc1acd
SHA512: c1f32f1600558ccf5898a2fb4d8cf2b34d6380e73c31804e667325fb9e6fa6e392b0da61c86228cc00d7a36b4340a10a29b54d355101a9c95946d31445d63d8b
Malware Config
Extracted family: buer
C2 URLs:
  https://restaurantfutureworld.net/
  https://snowhotdogletter.net/
Signatures
Modifies WinLogon for persistence (2 TTPs, 2 IoCs)
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\ProgramData\\66bd8164a22b9a35f4c1\\AutoReg.exe\"" | Process: AutoReg.exe
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\ProgramData\\66bd8164a22b9a35f4c1\\AutoReg.exe\"" | Process: secinit.exe
  The Winlogon Shell value is a comma-separated list of programs started at interactive logon; appending the dropped AutoReg.exe after explorer.exe keeps the desktop working while relaunching the loader at every logon. The WOW6432Node path shows the writer is a 32-bit process on a 64-bit host, so when hunting check both the native Winlogon key and its WOW6432Node copy.
Buer Loader (3 IoCs)
Detects Buer loader in memory or disk.
  behavioral2/files/0x000200000001ab73-1.dat | yara rule: buer
  behavioral2/files/0x000200000001ab73-2.dat | yara rule: buer
  behavioral2/memory/3536-4-0x0000000000000000-mapping.dmp (memory mapping of PID 3536, secinit.exe) | yara rule: buer
Executes dropped EXE (1 IoC)
  PID 1000 | Process: AutoReg.exe
Deletes itself (1 IoC)
  PID 1000 | Process: AutoReg.exe
Enumerates connected drives (3 TTPs, 24 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
  Process: secinit.exe
  File opened (read-only), in the order observed: \??\T: \??\V: \??\B: \??\E: \??\N: \??\P: \??\Q: \??\S: \??\W: \??\I: \??\M: \??\Y: \??\H: \??\L: \??\O: \??\X: \??\Z: \??\U: \??\A: \??\F: \??\G: \??\J: \??\K: \??\R:
  (every drive letter A: to Z: except C: and D:)
Suspicious behavior: EnumeratesProcesses (3 IoCs)
  PID 3640 | Process: powershell.exe (3 occurrences)
Suspicious use of AdjustPrivilegeToken (1 IoC)
  Token: SeDebugPrivilege | PID 3640 | Process: powershell.exe
Suspicious use of WriteProcessMemory (16 IoCs)
  PID 4752 (340cdccf8bccec7270e1fe2ca48cb329b8270872fbf1a84c7f55642962dc1acd.exe) wrote to memory of PID 1000 | procid_target 74 | 3 occurrences
  PID 1000 (AutoReg.exe) wrote to memory of PID 3536 | procid_target 76 | 10 occurrences
  PID 3536 (secinit.exe) wrote to memory of PID 3640 | procid_target 77 | 3 occurrences
Processes
1. C:\Users\Admin\AppData\Local\Temp\340cdccf8bccec7270e1fe2ca48cb329b8270872fbf1a84c7f55642962dc1acd.exe (PID 4752)
   Command line: "C:\Users\Admin\AppData\Local\Temp\340cdccf8bccec7270e1fe2ca48cb329b8270872fbf1a84c7f55642962dc1acd.exe"
   - Suspicious use of WriteProcessMemory
   2. C:\ProgramData\66bd8164a22b9a35f4c1\AutoReg.exe (PID 1000)
      Command line: C:\ProgramData\66bd8164a22b9a35f4c1\AutoReg.exe "C:\Users\Admin\AppData\Local\Temp\340cdccf8bccec7270e1fe2ca48cb329b8270872fbf1a84c7f55642962dc1acd.exe" ensgJJ
      - Modifies WinLogon for persistence
      - Executes dropped EXE
      - Deletes itself
      - Suspicious use of WriteProcessMemory
      Note: the dropped copy is launched with the original sample's path as an argument, which is how it locates and deletes the original ("Deletes itself" above).
      3. C:\Windows\SysWOW64\secinit.exe (PID 3536)
         Command line: C:\ProgramData\66bd8164a22b9a35f4c1\AutoReg.exe
         - Modifies WinLogon for persistence
         - Enumerates connected drives
         - Suspicious use of WriteProcessMemory
         Note: the image path (secinit.exe) does not match the command line (AutoReg.exe), PID 1000 wrote to this process ten times (WriteProcessMemory above), and the Buer yara rule matches a memory mapping of PID 3536. Together these indicate the loader was injected into a legitimate secinit.exe rather than secinit.exe running its own code.
         4. C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 3640)
            Command line: powershell.exe -Command "& {Add-MpPreference -ExclusionPath C:\ProgramData\66bd8164a22b9a35f4c1}"
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
            Note: this adds the drop directory to Microsoft Defender's path exclusions; Add-MpPreference needs an elevated context, so a successful call is itself an indicator of compromise on a host.
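The three behaviours this report attributes to the sample (the Winlogon Shell write, the Defender exclusion added through PowerShell, and a secinit.exe whose command line names a different binary) can be checked mechanically in endpoint telemetry. The following is an added example, not code from the sandbox or from the Buer analysis: it runs those checks over event records constructed here to mirror the report's IoCs. The field names (type, image, command_line, parent_image, target_object, details) are assumptions loosely modelled on Sysmon process-creation and registry-value-set events, and the checks generalise beyond this sample (any non-explorer.exe Shell entry, any exclusion kind, any image/command-line mismatch).

```python
"""Detection checks for the behaviours this report attributes to Buer.
Added example, not the sandbox's code. Event records are constructed to
mirror the report; field names are assumptions modelled on Sysmon events."""
import ntpath
import re

# Matches both HKLM\...\Winlogon\Shell and the native \REGISTRY\MACHINE\... form.
WINLOGON_SHELL = re.compile(r"\\Winlogon\\Shell$", re.IGNORECASE)
DEFENDER_EXCLUSION = re.compile(
    r"""Add-MpPreference\b.*?-Exclusion(Path|Process|Extension)\s+['"]?([^'"}\s]+)""",
    re.IGNORECASE)


def split_shell_value(value):
    """Split a Winlogon Shell value ('explorer.exe, "C:\\x\\y.exe"') into entries,
    honouring double quotes so a comma inside a quoted path does not split it."""
    parts, buf, quoted = [], [], False
    for ch in value:
        if ch == '"':
            quoted = not quoted
        elif ch == "," and not quoted:
            parts.append("".join(buf).strip())
            buf = []
        else:
            buf.append(ch)
    parts.append("".join(buf).strip())
    return [p for p in parts if p]


def shell_extras(value):
    """Entries in a Winlogon Shell value other than the default explorer.exe."""
    return [p for p in split_shell_value(value) if p.lower() != "explorer.exe"]


def split_command_line(command_line):
    """Return (program token, remaining arguments); only the program token
    is parsed with Windows quoting rules."""
    s = command_line.strip()
    if s.startswith('"'):
        end = s.find('"', 1)
        if end == -1:
            return s[1:], ""
        return s[1:end], s[end + 1:].strip()
    first, _, rest = s.partition(" ")
    return first, rest.strip()


def defender_exclusion(command_line):
    """(kind, value) if the command line adds a Defender exclusion, else None."""
    m = DEFENDER_EXCLUSION.search(command_line)
    return (m.group(1), m.group(2)) if m else None


def image_cmdline_mismatch(image, command_line):
    """True when the program named on the command line is not the image that
    actually runs, the pattern the report shows for secinit.exe."""
    first, _ = split_command_line(command_line)
    return ntpath.basename(first).lower() != ntpath.basename(image).lower()


def parent_path_in_args(parent_image, command_line):
    """True when a child receives its parent's own path as an argument, as the
    dropped AutoReg.exe receives the original sample's path before deleting it."""
    _, rest = split_command_line(command_line)
    return parent_image.lower() in rest.lower()


def scan(events):
    """Run every check over a list of event dicts; return (rule, pid, detail)."""
    findings = []
    for e in events:
        if e["type"] == "registry_set" and WINLOGON_SHELL.search(e["target_object"]):
            extra = shell_extras(e["details"])
            if extra:
                findings.append(("winlogon_shell_persistence", e["pid"], extra))
        elif e["type"] == "process_create":
            excl = defender_exclusion(e["command_line"])
            if excl:
                findings.append(("defender_exclusion", e["pid"], excl))
            if image_cmdline_mismatch(e["image"], e["command_line"]):
                findings.append(("image_cmdline_mismatch", e["pid"], ntpath.basename(e["image"])))
            if parent_path_in_args(e["parent_image"], e["command_line"]):
                findings.append(("parent_path_as_argument", e["pid"], e["parent_image"]))
    return findings


SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\340cdccf8bccec7270e1fe2ca48cb329b8270872fbf1a84c7f55642962dc1acd.exe"
DROPPED = r"C:\ProgramData\66bd8164a22b9a35f4c1\AutoReg.exe"
SECINIT = r"C:\Windows\SysWOW64\secinit.exe"

# Constructed events mirroring the report's process tree and registry IoC.
EVENTS = [
    {"type": "process_create", "pid": 1000, "image": DROPPED, "parent_image": SAMPLE,
     "command_line": DROPPED + ' "' + SAMPLE + '" ensgJJ'},
    {"type": "registry_set", "pid": 1000, "image": DROPPED,
     "target_object": r"HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell",
     "details": 'explorer.exe, "' + DROPPED + '"'},
    {"type": "process_create", "pid": 3536, "image": SECINIT, "parent_image": DROPPED,
     "command_line": DROPPED},
    {"type": "process_create", "pid": 3640, "parent_image": SECINIT,
     "image": r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": r'powershell.exe -Command "& {Add-MpPreference -ExclusionPath C:\ProgramData\66bd8164a22b9a35f4c1}"'},
    # Benign control: a normal explorer.exe launch must produce no findings.
    {"type": "process_create", "pid": 4242, "image": r"C:\Windows\explorer.exe",
     "parent_image": r"C:\Windows\System32\userinit.exe", "command_line": r"C:\Windows\Explorer.EXE"},
]

if __name__ == "__main__":
    for finding in scan(EVENTS):
        print(finding)
```

Run as a script it prints four findings, one per malicious event, and nothing for the benign control. Two tuning points when using the checks on real telemetry: kiosk and custom-shell builds legitimately set Shell to something other than explorer.exe, so the allow-list in shell_extras should hold the images your estate expects; and an image/command-line mismatch on its own is only a lead, which the report corroborates here with the WriteProcessMemory calls from the parent and the yara match on the child's memory.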