Overview

overview

10

Static

static

1884d4a7e5...c5.exe

windows7_x64

10

1884d4a7e5...c5.exe

windows10-2004_x64

10

Analysis

  • max time kernel
    4294179s
  • max time network
    129s
  • platform
    windows7_x64
  • resource
    win7-20220310-en
  • submitted
    14-04-2022 14:11

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    1884d4a7e597fe560258585106a474c464659864a51ccd6ecd0e245409594dc5.exe

  • Size

    858KB

  • MD5

    c2b6fbbc4fcda94fe3eb98afb72f8263

  • SHA1

    040ec98f152d0debfaa703cc1e055108da415fbc

  • SHA256

    1884d4a7e597fe560258585106a474c464659864a51ccd6ecd0e245409594dc5

  • SHA512

    f539dc223290b2112c68511624ca59d9d60d3984796fe090f41f1149202fa74c9dd135725eefede18b35442215692109a039e6e7a078d1278f99a075e170deb0

Score
10/10
buerloader

Malware Config

Extracted

Family

buer

C2

https://gpsdrlow.net/

Signatures

  • Buer

    Buer is a new modular loader first seen in August 2019.

    loaderbuer
  • Buer Loader 3 IoCs

    Detects Buer loader in memory or disk.

    loader
  • Drops startup file 1 IoCs
  • Enumerates connected drives 3 TTPs 24 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 22 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 16 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\1884d4a7e597fe560258585106a474c464659864a51ccd6ecd0e245409594dc5.exe
    "C:\Users\Admin\AppData\Local\Temp\1884d4a7e597fe560258585106a474c464659864a51ccd6ecd0e245409594dc5.exe"
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:1584
    • C:\Users\Admin\AppData\Local\Temp\1884d4a7e597fe560258585106a474c464659864a51ccd6ecd0e245409594dc5.exe
      "C:\Users\Admin\AppData\Local\Temp\1884d4a7e597fe560258585106a474c464659864a51ccd6ecd0e245409594dc5.exe"
      2⤵
      • Enumerates connected drives
      • Suspicious use of WriteProcessMemory
      PID:432
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        powershell.exe -Command "& {Add-MpPreference -ExclusionPath C:\ProgramData\50102f6ae4ce2e3956ba}"
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1984
  • C:\Windows\SysWOW64\DllHost.exe
    C:\Windows\SysWOW64\DllHost.exe /Processid:{3AD05575-8857-4850-9277-11B85BDB8E09}
    1⤵
    • Drops startup file
    PID:336

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/432-58-0x0000000040000000-0x000000004000C000-memory.dmp

    Filesize

    48KB

    Download

  • memory/432-61-0x0000000040000000-0x000000004000C000-memory.dmp

    Filesize

    48KB

    Download

  • memory/432-64-0x0000000040000000-0x000000004000C000-memory.dmp

    Filesize

    48KB

    Download

  • memory/1584-54-0x0000000076861000-0x0000000076863000-memory.dmp

    Filesize

    8KB

    Download

  • memory/1584-56-0x0000000001F10000-0x0000000001F8B000-memory.dmp

    Filesize

    492KB

    Download

  • memory/1584-59-0x0000000002C50000-0x0000000002DD0000-memory.dmp

    Filesize

    1.5MB

    Download

  • memory/1984-65-0x00000000746A0000-0x0000000074C4B000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/1984-66-0x0000000002390000-0x0000000002FDA000-memory.dmp

    Filesize

    12.3MB

    Download