Overview

overview

10

Static

static

934e553834...24.exe

windows7_x64

10

934e553834...24.exe

windows10-2004_x64

10

Analysis

  • max time kernel
    158s
  • max time network
    164s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220414-en
  • submitted
    01-07-2022 03:06

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    934e5538341e13807b5a173776e947596814f9dd2fd179e8373d70f2b6170b24.exe

  • Size

    239KB

  • MD5

    d9c64a5e7e3dd6aece2ae1dadba56b8f

  • SHA1

    e898639ea0f46754acd5d9102145e09602341ba7

  • SHA256

    934e5538341e13807b5a173776e947596814f9dd2fd179e8373d70f2b6170b24

  • SHA512

    317bbcbca132cfe33c84628af0765139c3b0c93c6f2f9b7e3047c378b64727eb40087e3a869e9014591cb126d7cf7a7e53e1ae183deab26755dfffdfbc87c097

Score
10/10
buerloaderpersistence

Malware Config

Extracted

Family

buer

C2

http://appnoder11113.info/

http://45.138.157.17/

Signatures

  • Buer

    Buer is a new modular loader first seen in August 2019.

    loaderbuer
  • Modifies WinLogon for persistence 2 TTPs 1 IoCs
    persistence
  • Buer Loader 4 IoCs

    Detects Buer loader in memory or disk.

    loader
  • Executes dropped EXE 1 IoCs
  • Program crash 8 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\934e5538341e13807b5a173776e947596814f9dd2fd179e8373d70f2b6170b24.exe
    "C:\Users\Admin\AppData\Local\Temp\934e5538341e13807b5a173776e947596814f9dd2fd179e8373d70f2b6170b24.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:4124
    • C:\ProgramData\UBlockPlugin\plugin.exe
      C:\ProgramData\UBlockPlugin\plugin.exe "C:\Users\Admin\AppData\Local\Temp\934e5538341e13807b5a173776e947596814f9dd2fd179e8373d70f2b6170b24.exe" ensgJJ
      2⤵
      • Modifies WinLogon for persistence
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:4260
      • C:\Windows\SysWOW64\secinit.exe
        C:\ProgramData\UBlockPlugin\plugin.exe
        3⤵
          PID:3912
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -u -p 3912 -s 220
            4⤵
            • Program crash
            PID:3700
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -u -p 3912 -s 228
            4⤵
            • Program crash
            PID:3524
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 4260 -s 732
          3⤵
          • Program crash
          PID:2096
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 4260 -s 768
          3⤵
          • Program crash
          PID:2348
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 4260 -s 868
          3⤵
          • Program crash
          PID:1500
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 4260 -s 896
          3⤵
          • Program crash
          PID:4344
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 4260 -s 752
          3⤵
          • Program crash
          PID:852
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 4260 -s 740
          3⤵
          • Program crash
          PID:2448
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 4260 -ip 4260
      1⤵
        PID:3664
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 4260 -ip 4260
        1⤵
          PID:4340
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 4260 -ip 4260
          1⤵
            PID:1708
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 4260 -ip 4260
            1⤵
              PID:4520
            • C:\Windows\SysWOW64\WerFault.exe
              C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 4260 -ip 4260
              1⤵
                PID:5076
              • C:\Windows\SysWOW64\WerFault.exe
                C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3912 -ip 3912
                1⤵
                  PID:1152
                • C:\Windows\SysWOW64\WerFault.exe
                  C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 3912 -ip 3912
                  1⤵
                    PID:5008
                  • C:\Windows\SysWOW64\WerFault.exe
                    C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 4260 -ip 4260
                    1⤵
                      PID:1436

                    Network

                    MITRE ATT&CK Enterprise v6

                    Replay Monitor

                    Loading Replay Monitor...

                    Downloads

                    • C:\ProgramData\UBlockPlugin\plugin.exe
                      Filesize

                      239KB

                      MD5

                      d9c64a5e7e3dd6aece2ae1dadba56b8f

                      SHA1

                      e898639ea0f46754acd5d9102145e09602341ba7

                      SHA256

                      934e5538341e13807b5a173776e947596814f9dd2fd179e8373d70f2b6170b24

                      SHA512

                      317bbcbca132cfe33c84628af0765139c3b0c93c6f2f9b7e3047c378b64727eb40087e3a869e9014591cb126d7cf7a7e53e1ae183deab26755dfffdfbc87c097

                      Download Submit

                    • C:\ProgramData\UBlockPlugin\plugin.exe
                      Filesize

                      239KB

                      MD5

                      d9c64a5e7e3dd6aece2ae1dadba56b8f

                      SHA1

                      e898639ea0f46754acd5d9102145e09602341ba7

                      SHA256

                      934e5538341e13807b5a173776e947596814f9dd2fd179e8373d70f2b6170b24

                      SHA512

                      317bbcbca132cfe33c84628af0765139c3b0c93c6f2f9b7e3047c378b64727eb40087e3a869e9014591cb126d7cf7a7e53e1ae183deab26755dfffdfbc87c097

                      Download Submit

                    • memory/3912-139-0x0000000000C50000-0x0000000003F34000-memory.dmp

                      Filesize

                      50.9MB

                      Download

                    • memory/3912-141-0x0000000000C50000-0x0000000003F34000-memory.dmp

                      Filesize

                      50.9MB

                      Download

                    • memory/4124-133-0x00000000005E1000-0x00000000005E8000-memory.dmp

                      Filesize

                      28KB

                      Download

                    • memory/4124-134-0x0000000000030000-0x0000000000039000-memory.dmp

                      Filesize

                      36KB

                      Download

                    • memory/4124-135-0x0000000040000000-0x00000000432E4000-memory.dmp

                      Filesize

                      50.9MB

                      Download

                    • memory/4124-140-0x0000000040000000-0x00000000432E4000-memory.dmp

                      Filesize

                      50.9MB

                      Download

                    • memory/4260-137-0x0000000000541000-0x0000000000548000-memory.dmp

                      Filesize

                      28KB

                      Download

                    • memory/4260-138-0x0000000040000000-0x00000000432E4000-memory.dmp

                      Filesize

                      50.9MB

                      Download

                    • memory/4260-142-0x0000000000541000-0x0000000000548000-memory.dmp

                      Filesize

                      28KB

                      Download

                    • memory/4260-143-0x0000000040000000-0x00000000432E4000-memory.dmp

                      Filesize

                      50.9MB

                      Download