Analysis

  • max time kernel
    33s
  • max time network
    47s
  • platform
    windows7_x64
  • resource
    win7-20220414-en
  • submitted
    01-07-2022 04:07

General

  • Target
    f73cf8983ba1581437ef86a24e97cde0929d9ee8d5224a834ab55353cb0fb5f3.exe
  • Size
    1.7MB
  • MD5
    85851bc9cecff7ec618e498f2f52ab5a
  • SHA1
    21f4efb62167f1e9b4f82d41ba3d09b58856f201
  • SHA256
    f73cf8983ba1581437ef86a24e97cde0929d9ee8d5224a834ab55353cb0fb5f3
  • SHA512
    c6cac25fd43ff4d821f991c19ecf47a2f8dcf66fdbff1ce377611093b7db925b0587bd15db23061bd03ae1ad380c6362c644734a5f6ae0e3e723c1500c62813f

Score
10/10

Malware Config

Extracted

Family

buer

C2

http://kload01.info/

http://kload02.info/

Signatures

  • Buer

    Buer is a new modular loader first seen in August 2019.

  • Buer Loader 3 IoCs

    Detects Buer loader in memory or disk.

  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
  • Checks BIOS information in registry 2 TTPs 2 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Identifies Wine through registry keys 2 TTPs 1 IoCs

    Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.

  • Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\f73cf8983ba1581437ef86a24e97cde0929d9ee8d5224a834ab55353cb0fb5f3.exe
    "C:\Users\Admin\AppData\Local\Temp\f73cf8983ba1581437ef86a24e97cde0929d9ee8d5224a834ab55353cb0fb5f3.exe"
    1⤵
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
    • Checks BIOS information in registry
    • Identifies Wine through registry keys
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Suspicious behavior: EnumeratesProcesses
    PID:1192

Network

MITRE ATT&CK Enterprise v6

Downloads

  • memory/1192-54-0x000000003F900000-0x000000003FD54000-memory.dmp
    Filesize: 4.3MB
  • memory/1192-55-0x0000000077B80000-0x0000000077D00000-memory.dmp
    Filesize: 1.5MB
  • memory/1192-56-0x000000003F900000-0x000000003FD54000-memory.dmp
    Filesize: 4.3MB
  • memory/1192-57-0x000000003F900000-0x000000003FD54000-memory.dmp
    Filesize: 4.3MB
  • memory/1192-58-0x0000000077B80000-0x0000000077D00000-memory.dmp
    Filesize: 1.5MB
  • memory/1192-59-0x000000003F900000-0x000000003FD54000-memory.dmp
    Filesize: 4.3MB