Overview

overview

10

Static

static

1

Test1

windows10_x64

10

Resubmissions

12-02-2021 16:10

210212-y931k5cqtn 10

10-02-2021 20:48

210210-yxgp15f1tx 10

Analysis

  • max time kernel
    1121s
  • max time network
    1124s
  • platform
    windows10_x64
  • resource
    win10v20201028
  • submitted
    12-02-2021 16:10

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    SCD10093264.jpg.exe

  • Size

    104KB

  • MD5

    1fa27c5e084887e9e3a2e232d27e10e3

  • SHA1

    a7c98a694753ed745e8618369d16e39c46cca1e7

  • SHA256

    41a4ee153b3c61cc8ed50de571e5b8f884de1c8c07332b7b31f238360832988c

  • SHA512

    81ecb5e4b3ea478f27509d1eafd106ec224fc0ccdfd411cb3b2345fc752d738f6300fd575a2941611e1763dce125364fb765a48835249cd7e7e33e28a01f40b5

Score
10/10
buerloader

Malware Config

Extracted

Family

buer

C2

dtermalherbhos.com

Signatures

  • Buer

    Buer is a new modular loader first seen in August 2019.

    loaderbuer
  • Suspicious use of NtCreateProcessExOtherParentProcess 1 IoCs
  • Buer Loader 1 IoCs

    Detects Buer loader in memory or disk.

  • Loads dropped DLL 1 IoCs
  • Enumerates connected drives 3 TTPs 24 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Program crash 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 12 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\SCD10093264.jpg.exe
    "C:\Users\Admin\AppData\Local\Temp\SCD10093264.jpg.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of SetThreadContext
    • Suspicious behavior: MapViewOfSection
    • Suspicious use of WriteProcessMemory
    PID:3920
    • C:\Users\Admin\AppData\Local\Temp\SCD10093264.jpg.exe
      "C:\Users\Admin\AppData\Local\Temp\SCD10093264.jpg.exe"
      2⤵
      • Enumerates connected drives
      PID:2668
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 2668 -s 22696
        3⤵
        • Suspicious use of NtCreateProcessExOtherParentProcess
        • Program crash
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:3844

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • \Users\Admin\AppData\Local\Temp\nsd2A04.tmp\System.dll
    MD5

    fccff8cb7a1067e23fd2e2b63971a8e1

    SHA1

    30e2a9e137c1223a78a0f7b0bf96a1c361976d91

    SHA256

    6fcea34c8666b06368379c6c402b5321202c11b00889401c743fb96c516c679e

    SHA512

    f4335e84e6f8d70e462a22f1c93d2998673a7616c868177cac3e8784a3be1d7d0bb96f2583fa0ed82f4f2b6b8f5d9b33521c279a42e055d80a94b4f3f1791e0c

    Download Submit

  • memory/2668-3-0x000000004000626A-mapping.dmp

    Download

  • memory/2668-4-0x0000000040000000-0x000000004000A000-memory.dmp

    Filesize

    40KB

    Download

  • memory/3844-5-0x00000000043E0000-0x00000000043E1000-memory.dmp

    Filesize

    4KB

    Download