Analysis

  • max time kernel
    126s
  • max time network
    150s
  • platform
    windows7_x64
  • resource
    win7-20220414-en
  • submitted
    24-05-2022 03:36

General

  • Target

    4aba8ea34e057b8239ff29028fa3ab829f53b2861d84a44fa9857b7d96e3a403.exe

  • Size

    182KB

  • MD5

    87ad62ff5669b41f8994695b3aa05cbf

  • SHA1

    c6eb9d9a0df8ca97784b57ebe719b227ebfaf262

  • SHA256

    4aba8ea34e057b8239ff29028fa3ab829f53b2861d84a44fa9857b7d96e3a403

  • SHA512

    2b728b84f8377f407e293e723c5bb7813320e371d4e604323ddb397f418a367df8d925ac7d69dd53137df67f8d5b460f730f19cb94949dd14ab37da170cc47fd

Score
10/10

Malware Config

Extracted

Family

buer

C2

https://gstatiknetiplist.cc/

https://gstatiknetiplist.com/

Signatures

  • Buer

    Buer is a new modular loader first seen in August 2019.

  • Modifies WinLogon for persistence 2 TTPs 1 IoCs
  • Buer Loader 3 IoCs

    Detects Buer loader in memory or disk.

  • Executes dropped EXE 1 IoCs
  • Deletes itself 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Enumerates connected drives 3 TTPs 24 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\4aba8ea34e057b8239ff29028fa3ab829f53b2861d84a44fa9857b7d96e3a403.exe
    "C:\Users\Admin\AppData\Local\Temp\4aba8ea34e057b8239ff29028fa3ab829f53b2861d84a44fa9857b7d96e3a403.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:1664
    • C:\ProgramData\ErrorResponder\responder.exe
      C:\ProgramData\ErrorResponder\responder.exe "C:\Users\Admin\AppData\Local\Temp\4aba8ea34e057b8239ff29028fa3ab829f53b2861d84a44fa9857b7d96e3a403.exe" ensgJJ
      2⤵
      • Modifies WinLogon for persistence
      • Executes dropped EXE
      • Deletes itself
      • Enumerates connected drives
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:1276
      • C:\Windows\SysWOW64\secinit.exe
        C:\ProgramData\ErrorResponder\responder.exe
        3⤵
          PID:1328

Network

  • DNS lookup by responder.exe
    Remote address: 8.8.8.8:53
    Request: gstatiknetiplist.cc IN A
    Response: (none recorded)
  • DNS lookup by responder.exe
    Remote address: 8.8.8.8:53
    Request: gstatiknetiplist.com IN A
    Response: (none recorded)

  No results found

  • 8.8.8.8:53
    gstatiknetiplist.cc
    dns
    responder.exe
    65 B
    132 B
    1
    1

    DNS Request

    gstatiknetiplist.cc

  • 8.8.8.8:53
    gstatiknetiplist.com
    dns
    responder.exe
    66 B
    139 B
    1
    1

    DNS Request

    gstatiknetiplist.com

    MITRE ATT&CK Enterprise v6

    Downloads

    • C:\ProgramData\ErrorResponder\responder.exe

      Filesize

      182KB

      MD5

      87ad62ff5669b41f8994695b3aa05cbf

      SHA1

      c6eb9d9a0df8ca97784b57ebe719b227ebfaf262

      SHA256

      4aba8ea34e057b8239ff29028fa3ab829f53b2861d84a44fa9857b7d96e3a403

      SHA512

      2b728b84f8377f407e293e723c5bb7813320e371d4e604323ddb397f418a367df8d925ac7d69dd53137df67f8d5b460f730f19cb94949dd14ab37da170cc47fd

    • C:\ProgramData\ErrorResponder\responder.exe

      Filesize

      114KB

      MD5

      2f820b8db532422a9cce2aca2fb415bd

      SHA1

      80d5aa9bff3086d24777b07c75fda5fd9b271628

      SHA256

      500a8fb1c6e3f687375f5dbdfa1a8c384e9519ea8b3579ca87653a06a8433a70

      SHA512

      b299a0b548456164963eed1e2699373e0eefea22801bdc5d576d96b441fe74ca1d38deb2669ed68ab12e1173d53db4349e91b7c78d03ed051e2c1871c25728d4

    • \ProgramData\ErrorResponder\responder.exe

      Filesize

      182KB

      MD5

      87ad62ff5669b41f8994695b3aa05cbf

      SHA1

      c6eb9d9a0df8ca97784b57ebe719b227ebfaf262

      SHA256

      4aba8ea34e057b8239ff29028fa3ab829f53b2861d84a44fa9857b7d96e3a403

      SHA512

      2b728b84f8377f407e293e723c5bb7813320e371d4e604323ddb397f418a367df8d925ac7d69dd53137df67f8d5b460f730f19cb94949dd14ab37da170cc47fd

    • memory/1276-63-0x0000000000348000-0x0000000000350000-memory.dmp

      Filesize

      32KB

    • memory/1276-65-0x0000000000348000-0x0000000000350000-memory.dmp

      Filesize

      32KB

    • memory/1276-66-0x0000000040000000-0x00000000429E4000-memory.dmp

      Filesize

      41.9MB

    • memory/1664-58-0x0000000040000000-0x00000000429E4000-memory.dmp

      Filesize

      41.9MB

    • memory/1664-56-0x0000000000448000-0x0000000000450000-memory.dmp

      Filesize

      32KB

    • memory/1664-57-0x0000000000020000-0x000000000002A000-memory.dmp

      Filesize

      40KB

    • memory/1664-54-0x0000000000448000-0x0000000000450000-memory.dmp

      Filesize

      32KB

    • memory/1664-55-0x00000000754A1000-0x00000000754A3000-memory.dmp

      Filesize

      8KB
