Analysis
-
max time kernel
152s -
max time network
172s -
platform
windows10-2004_x64 -
resource
win10v2004-20220414-en -
submitted
01-07-2022 04:00
General
-
Target
5ba2402e13843c844a0f2204aa72736f146cf1a8c9d1d569fa2379d21f86ef0f.exe
-
Size
1.7MB
-
MD5
cd8e0ff55fdfb32912795718b6b1542f
-
SHA1
ce9875fef041ebc5248eb41dfd3201ea4e5da76b
-
SHA256
5ba2402e13843c844a0f2204aa72736f146cf1a8c9d1d569fa2379d21f86ef0f
-
SHA512
4d36912e5ed28e037a5b63ffc95a50118c83ad244909a8e4e2c0d281bd1396903d2df6b0e48b4fd4f44d0a24f8b0e01f1d9b892c0ca591e98e7219351df10450
Malware Config
Extracted
buer
http://lodddd01.info/
http://lodddd02.info/
cook5**gj____+,)diaj*
cook5**gj____+-)diaj*
Signatures
-
Buer
Buer is a new modular loader first seen in August 2019.
-
Modifies WinLogon for persistence 2 TTPs 1 IoCs
-
Buer Loader 5 IoCs
Detects Buer loader in memory or disk.
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 2 IoCs
-
Executes dropped EXE 1 IoCs
-
Checks BIOS information in registry 2 TTPs 4 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Identifies Wine through registry keys 2 TTPs 2 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
-
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
-
Program crash 2 IoCs
-
Suspicious behavior: EnumeratesProcesses 6 IoCs
-
Suspicious use of WriteProcessMemory 15 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\5ba2402e13843c844a0f2204aa72736f146cf1a8c9d1d569fa2379d21f86ef0f.exe"C:\Users\Admin\AppData\Local\Temp\5ba2402e13843c844a0f2204aa72736f146cf1a8c9d1d569fa2379d21f86ef0f.exe"1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\ProgramData\UBlockPlugin\plugin.exeC:\ProgramData\UBlockPlugin\plugin.exe "C:\Users\Admin\AppData\Local\Temp\5ba2402e13843c844a0f2204aa72736f146cf1a8c9d1d569fa2379d21f86ef0f.exe" ensgJJ2⤵
- Modifies WinLogon for persistence
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Executes dropped EXE
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\secinit.exeC:\ProgramData\UBlockPlugin\plugin.exe3⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1480 -s 2204⤵
- Program crash
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3564 -s 11563⤵
- Program crash
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 1480 -ip 14801⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 3564 -ip 35641⤵
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1.7MB
MD5cd8e0ff55fdfb32912795718b6b1542f
SHA1ce9875fef041ebc5248eb41dfd3201ea4e5da76b
SHA2565ba2402e13843c844a0f2204aa72736f146cf1a8c9d1d569fa2379d21f86ef0f
SHA5124d36912e5ed28e037a5b63ffc95a50118c83ad244909a8e4e2c0d281bd1396903d2df6b0e48b4fd4f44d0a24f8b0e01f1d9b892c0ca591e98e7219351df10450
-
Filesize
1.7MB
MD5cd8e0ff55fdfb32912795718b6b1542f
SHA1ce9875fef041ebc5248eb41dfd3201ea4e5da76b
SHA2565ba2402e13843c844a0f2204aa72736f146cf1a8c9d1d569fa2379d21f86ef0f
SHA5124d36912e5ed28e037a5b63ffc95a50118c83ad244909a8e4e2c0d281bd1396903d2df6b0e48b4fd4f44d0a24f8b0e01f1d9b892c0ca591e98e7219351df10450
-
Filesize
4.4MB
-
Filesize
1.6MB
-
Filesize
4.4MB
-
Filesize
4.4MB
-
Filesize
1.6MB
-
Filesize
4.4MB
-
Filesize
4.4MB
-
Filesize
1.6MB
-
Filesize
4.4MB
-
Filesize
1.6MB
-
Filesize
4.4MB