Overview

overview

10

Static

static

5ba2402e13...0f.exe

windows7_x64

10

5ba2402e13...0f.exe

windows10-2004_x64

10

Analysis

  • max time kernel
    65s
  • max time network
    86s
  • platform
    windows7_x64
  • resource
    win7-20220414-en
  • submitted
    01-07-2022 04:00

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    5ba2402e13843c844a0f2204aa72736f146cf1a8c9d1d569fa2379d21f86ef0f.exe

  • Size

    1.7MB

  • MD5

    cd8e0ff55fdfb32912795718b6b1542f

  • SHA1

    ce9875fef041ebc5248eb41dfd3201ea4e5da76b

  • SHA256

    5ba2402e13843c844a0f2204aa72736f146cf1a8c9d1d569fa2379d21f86ef0f

  • SHA512

    4d36912e5ed28e037a5b63ffc95a50118c83ad244909a8e4e2c0d281bd1396903d2df6b0e48b4fd4f44d0a24f8b0e01f1d9b892c0ca591e98e7219351df10450

Score
10/10
buerevasionloaderpersistence

Malware Config

Extracted

Family

buer

C2

http://lodddd01.info/

http://lodddd02.info/

Signatures

  • Buer

    Buer is a new modular loader first seen in August 2019.

    loaderbuer
  • Modifies WinLogon for persistence 2 TTPs 1 IoCs
    persistence
  • Buer Loader 4 IoCs

    Detects Buer loader in memory or disk.

    loader
  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 2 IoCs
    evasion
  • Executes dropped EXE 1 IoCs
  • Checks BIOS information in registry 2 TTPs 4 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Deletes itself 1 IoCs
  • Identifies Wine through registry keys 2 TTPs 2 IoCs

    Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

    evasion
  • Loads dropped DLL 2 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
  • Program crash 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious use of WriteProcessMemory 25 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\5ba2402e13843c844a0f2204aa72736f146cf1a8c9d1d569fa2379d21f86ef0f.exe
    "C:\Users\Admin\AppData\Local\Temp\5ba2402e13843c844a0f2204aa72736f146cf1a8c9d1d569fa2379d21f86ef0f.exe"
    1⤵
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
    • Checks BIOS information in registry
    • Identifies Wine through registry keys
    • Loads dropped DLL
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:1172
    • C:\ProgramData\UBlockPlugin\plugin.exe
      C:\ProgramData\UBlockPlugin\plugin.exe "C:\Users\Admin\AppData\Local\Temp\5ba2402e13843c844a0f2204aa72736f146cf1a8c9d1d569fa2379d21f86ef0f.exe" ensgJJ
      2⤵
      • Modifies WinLogon for persistence
      • Identifies VirtualBox via ACPI registry values (likely anti-VM)
      • Executes dropped EXE
      • Checks BIOS information in registry
      • Deletes itself
      • Identifies Wine through registry keys
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:2020
      • C:\Windows\SysWOW64\secinit.exe
        C:\ProgramData\UBlockPlugin\plugin.exe
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1280
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 1280 -s 136
          4⤵
          • Program crash
          PID:1892
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 2020 -s 564
        3⤵
        • Program crash
        PID:1952

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\ProgramData\UBlockPlugin\plugin.exe
    Filesize

    1.7MB

    MD5

    cd8e0ff55fdfb32912795718b6b1542f

    SHA1

    ce9875fef041ebc5248eb41dfd3201ea4e5da76b

    SHA256

    5ba2402e13843c844a0f2204aa72736f146cf1a8c9d1d569fa2379d21f86ef0f

    SHA512

    4d36912e5ed28e037a5b63ffc95a50118c83ad244909a8e4e2c0d281bd1396903d2df6b0e48b4fd4f44d0a24f8b0e01f1d9b892c0ca591e98e7219351df10450

    Download Submit

  • C:\ProgramData\UBlockPlugin\plugin.exe
    Filesize

    1.7MB

    MD5

    cd8e0ff55fdfb32912795718b6b1542f

    SHA1

    ce9875fef041ebc5248eb41dfd3201ea4e5da76b

    SHA256

    5ba2402e13843c844a0f2204aa72736f146cf1a8c9d1d569fa2379d21f86ef0f

    SHA512

    4d36912e5ed28e037a5b63ffc95a50118c83ad244909a8e4e2c0d281bd1396903d2df6b0e48b4fd4f44d0a24f8b0e01f1d9b892c0ca591e98e7219351df10450

    Download Submit

  • \ProgramData\UBlockPlugin\plugin.exe
    Filesize

    1.7MB

    MD5

    cd8e0ff55fdfb32912795718b6b1542f

    SHA1

    ce9875fef041ebc5248eb41dfd3201ea4e5da76b

    SHA256

    5ba2402e13843c844a0f2204aa72736f146cf1a8c9d1d569fa2379d21f86ef0f

    SHA512

    4d36912e5ed28e037a5b63ffc95a50118c83ad244909a8e4e2c0d281bd1396903d2df6b0e48b4fd4f44d0a24f8b0e01f1d9b892c0ca591e98e7219351df10450

    Download Submit

  • \ProgramData\UBlockPlugin\plugin.exe
    Filesize

    1.7MB

    MD5

    cd8e0ff55fdfb32912795718b6b1542f

    SHA1

    ce9875fef041ebc5248eb41dfd3201ea4e5da76b

    SHA256

    5ba2402e13843c844a0f2204aa72736f146cf1a8c9d1d569fa2379d21f86ef0f

    SHA512

    4d36912e5ed28e037a5b63ffc95a50118c83ad244909a8e4e2c0d281bd1396903d2df6b0e48b4fd4f44d0a24f8b0e01f1d9b892c0ca591e98e7219351df10450

    Download Submit

  • memory/1172-55-0x00000000755A1000-0x00000000755A3000-memory.dmp

    Filesize

    8KB

    Download

  • memory/1172-54-0x000000003FF00000-0x0000000040365000-memory.dmp

    Filesize

    4.4MB

    Download

  • memory/1172-60-0x000000003FF00000-0x0000000040365000-memory.dmp

    Filesize

    4.4MB

    Download

  • memory/1172-61-0x0000000077070000-0x00000000771F0000-memory.dmp

    Filesize

    1.5MB

    Download

  • memory/1280-68-0x00000000002F0000-0x0000000000755000-memory.dmp

    Filesize

    4.4MB

    Download

  • memory/1280-75-0x0000000000080000-0x0000000000081000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1280-66-0x00000000002F0000-0x0000000000755000-memory.dmp

    Filesize

    4.4MB

    Download

  • memory/1280-65-0x00000000002F0000-0x0000000000755000-memory.dmp

    Filesize

    4.4MB

    Download

  • memory/1280-71-0x00000000002F0000-0x0000000000755000-memory.dmp

    Filesize

    4.4MB

    Download

  • memory/1280-70-0x00000000002F0000-0x0000000000755000-memory.dmp

    Filesize

    4.4MB

    Download

  • memory/1280-72-0x00000000002F0000-0x0000000000755000-memory.dmp

    Filesize

    4.4MB

    Download

  • memory/1280-74-0x00000000002F0000-0x0000000000755000-memory.dmp

    Filesize

    4.4MB

    Download

  • memory/2020-62-0x000000003F780000-0x000000003FBE5000-memory.dmp

    Filesize

    4.4MB

    Download

  • memory/2020-79-0x0000000077070000-0x00000000771F0000-memory.dmp

    Filesize

    1.5MB

    Download

  • memory/2020-80-0x000000003F780000-0x000000003FBE5000-memory.dmp

    Filesize

    4.4MB

    Download

  • memory/2020-81-0x000000003F780000-0x000000003FBE5000-memory.dmp

    Filesize

    4.4MB

    Download

  • memory/2020-82-0x000000003F780000-0x000000003FBE5000-memory.dmp

    Filesize

    4.4MB

    Download