Analysis
-
max time kernel
132s -
max time network
146s -
platform
windows10-2004_x64 -
resource
win10v2004-20220414-en -
submitted
15-04-2022 05:42
General
-
Target
422c8805c090ca0e7bf7b53ee5c0a2d66c2e1d38ab54797d7c46ce72cf0d5579.exe
-
Size
395KB
-
MD5
21ca840d524b862b43421ce8119ca7a8
-
SHA1
da7271cd8618d4edb72fa704c82e8b7e53c2e9a8
-
SHA256
422c8805c090ca0e7bf7b53ee5c0a2d66c2e1d38ab54797d7c46ce72cf0d5579
-
SHA512
4fcb8916e825193eb38983357dfd7f2b8c979d918257dc4dfc7e7a8f5330274eb4ef747766650affd564b65b3e39c8e876c43ec6a542cfbf47452cb490ccb9ac
Malware Config
Signatures
-
Buer
Buer is a new modular loader first seen in August 2019.
-
Modifies WinLogon for persistence 2 TTPs 1 IoCs
-
Executes dropped EXE 2 IoCs
-
Loads dropped DLL 2 IoCs
-
Enumerates connected drives 3 TTPs 24 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Suspicious use of SetThreadContext 2 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash 1 IoCs
-
NSIS installer 6 IoCs
-
Suspicious behavior: EnumeratesProcesses 4 IoCs
-
Suspicious behavior: MapViewOfSection 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of WriteProcessMemory 24 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\422c8805c090ca0e7bf7b53ee5c0a2d66c2e1d38ab54797d7c46ce72cf0d5579.exe"C:\Users\Admin\AppData\Local\Temp\422c8805c090ca0e7bf7b53ee5c0a2d66c2e1d38ab54797d7c46ce72cf0d5579.exe"1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\422c8805c090ca0e7bf7b53ee5c0a2d66c2e1d38ab54797d7c46ce72cf0d5579.exe"C:\Users\Admin\AppData\Local\Temp\422c8805c090ca0e7bf7b53ee5c0a2d66c2e1d38ab54797d7c46ce72cf0d5579.exe"2⤵
- Suspicious use of WriteProcessMemory
-
C:\ProgramData\b62ed3ea95696e036e03\AutoReg.exeC:\ProgramData\b62ed3ea95696e036e03\AutoReg.exe "C:\Users\Admin\AppData\Local\Temp\422c8805c090ca0e7bf7b53ee5c0a2d66c2e1d38ab54797d7c46ce72cf0d5579.exe" ensgJJ3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
-
C:\ProgramData\b62ed3ea95696e036e03\AutoReg.exeC:\ProgramData\b62ed3ea95696e036e03\AutoReg.exe "C:\Users\Admin\AppData\Local\Temp\422c8805c090ca0e7bf7b53ee5c0a2d66c2e1d38ab54797d7c46ce72cf0d5579.exe" ensgJJ4⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Enumerates connected drives
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\secinit.exeC:\ProgramData\b62ed3ea95696e036e03\AutoReg.exe5⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 400 -s 4526⤵
- Program crash
-
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell.exe -Command "& {Add-MpPreference -ExclusionPath C:\ProgramData\b62ed3ea95696e036e03}"5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 400 -ip 4001⤵
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
395KB
MD521ca840d524b862b43421ce8119ca7a8
SHA1da7271cd8618d4edb72fa704c82e8b7e53c2e9a8
SHA256422c8805c090ca0e7bf7b53ee5c0a2d66c2e1d38ab54797d7c46ce72cf0d5579
SHA5124fcb8916e825193eb38983357dfd7f2b8c979d918257dc4dfc7e7a8f5330274eb4ef747766650affd564b65b3e39c8e876c43ec6a542cfbf47452cb490ccb9ac
-
Filesize
395KB
MD521ca840d524b862b43421ce8119ca7a8
SHA1da7271cd8618d4edb72fa704c82e8b7e53c2e9a8
SHA256422c8805c090ca0e7bf7b53ee5c0a2d66c2e1d38ab54797d7c46ce72cf0d5579
SHA5124fcb8916e825193eb38983357dfd7f2b8c979d918257dc4dfc7e7a8f5330274eb4ef747766650affd564b65b3e39c8e876c43ec6a542cfbf47452cb490ccb9ac
-
Filesize
395KB
MD521ca840d524b862b43421ce8119ca7a8
SHA1da7271cd8618d4edb72fa704c82e8b7e53c2e9a8
SHA256422c8805c090ca0e7bf7b53ee5c0a2d66c2e1d38ab54797d7c46ce72cf0d5579
SHA5124fcb8916e825193eb38983357dfd7f2b8c979d918257dc4dfc7e7a8f5330274eb4ef747766650affd564b65b3e39c8e876c43ec6a542cfbf47452cb490ccb9ac
-
Filesize
11KB
MD5fccff8cb7a1067e23fd2e2b63971a8e1
SHA130e2a9e137c1223a78a0f7b0bf96a1c361976d91
SHA2566fcea34c8666b06368379c6c402b5321202c11b00889401c743fb96c516c679e
SHA512f4335e84e6f8d70e462a22f1c93d2998673a7616c868177cac3e8784a3be1d7d0bb96f2583fa0ed82f4f2b6b8f5d9b33521c279a42e055d80a94b4f3f1791e0c
-
Filesize
11KB
MD5fccff8cb7a1067e23fd2e2b63971a8e1
SHA130e2a9e137c1223a78a0f7b0bf96a1c361976d91
SHA2566fcea34c8666b06368379c6c402b5321202c11b00889401c743fb96c516c679e
SHA512f4335e84e6f8d70e462a22f1c93d2998673a7616c868177cac3e8784a3be1d7d0bb96f2583fa0ed82f4f2b6b8f5d9b33521c279a42e055d80a94b4f3f1791e0c
-
Filesize
247KB
MD5fe99bfe4249b2fc154b1c2bb0de4f558
SHA18e1dc813f9f76f315af49f47a288cac79fac1542
SHA2560d119d6836ba5b2e2f3c925b7929a4c397f3a5cc5aa6ecdd74f712a639226e6f
SHA512ffc8c6e3526371015c65a297e24cce9e391443e29d7ffda8eedfd63271a858f44ea6fa233346403d0a7887f376ea19d7a97bafc63f112feaa9406060f5b3c4d8
-
Filesize
408KB
-
Filesize
304KB
-
Filesize
6.2MB
-
Filesize
136KB
-
Filesize
408KB
-
Filesize
120KB
-
Filesize
8KB
-
Filesize
200KB
-
Filesize
216KB
-
Filesize
120KB
-
Filesize
6.5MB
-
Filesize
104KB
-
Filesize
40KB
-
Filesize
600KB
-
Filesize
56KB
-
Filesize
104KB
-
Filesize
32KB