Analysis
-
max time kernel
43s -
max time network
47s -
platform
windows7_x64 -
resource
win7-20220718-en -
resource tags
-
submitted
24-07-2022 17:11
General
-
Target
f2df4c45300e982fc3c0131ad426ea3b55d28e983ec3221f243f4c496ca618b1.exe
-
Size
1.8MB
-
MD5
5fcc7f613eb5fe47512efb5c67830712
-
SHA1
0db872d896a9991aa6703cb0d7d7960fa8c2a0e8
-
SHA256
f2df4c45300e982fc3c0131ad426ea3b55d28e983ec3221f243f4c496ca618b1
-
SHA512
a5d4133fe3b8f13dc02eb319403021834ed63595331a8530d0775bc1a6c83a80983fa7a5cf548a47c058263cc8a1a5c0a719df55b9becafa296c1cd95f39a5e2
Malware Config
Extracted
buer
http://loy01.top/
http://loy02.top/
Signatures
-
Buer
Buer is a new modular loader first seen in August 2019.
-
Modifies WinLogon for persistence 2 TTPs 1 IoCs
-
Buer Loader 4 IoCs
Detects Buer loader in memory or disk.
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 2 IoCs
-
Executes dropped EXE 1 IoCs
-
Checks BIOS information in registry 2 TTPs 4 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Deletes itself 1 IoCs
-
Identifies Wine through registry keys 2 TTPs 2 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
-
Loads dropped DLL 2 IoCs
-
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
-
Suspicious behavior: EnumeratesProcesses 3 IoCs
-
Suspicious use of WriteProcessMemory 8 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\f2df4c45300e982fc3c0131ad426ea3b55d28e983ec3221f243f4c496ca618b1.exe"C:\Users\Admin\AppData\Local\Temp\f2df4c45300e982fc3c0131ad426ea3b55d28e983ec3221f243f4c496ca618b1.exe"1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\ProgramData\UBlockPlugin\plugin.exeC:\ProgramData\UBlockPlugin\plugin.exe "C:\Users\Admin\AppData\Local\Temp\f2df4c45300e982fc3c0131ad426ea3b55d28e983ec3221f243f4c496ca618b1.exe" ensgJJ2⤵
- Modifies WinLogon for persistence
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Executes dropped EXE
- Checks BIOS information in registry
- Deletes itself
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\secinit.exeC:\ProgramData\UBlockPlugin\plugin.exe3⤵
-
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1.8MB
MD55fcc7f613eb5fe47512efb5c67830712
SHA10db872d896a9991aa6703cb0d7d7960fa8c2a0e8
SHA256f2df4c45300e982fc3c0131ad426ea3b55d28e983ec3221f243f4c496ca618b1
SHA512a5d4133fe3b8f13dc02eb319403021834ed63595331a8530d0775bc1a6c83a80983fa7a5cf548a47c058263cc8a1a5c0a719df55b9becafa296c1cd95f39a5e2
-
Filesize
1.8MB
MD55fcc7f613eb5fe47512efb5c67830712
SHA10db872d896a9991aa6703cb0d7d7960fa8c2a0e8
SHA256f2df4c45300e982fc3c0131ad426ea3b55d28e983ec3221f243f4c496ca618b1
SHA512a5d4133fe3b8f13dc02eb319403021834ed63595331a8530d0775bc1a6c83a80983fa7a5cf548a47c058263cc8a1a5c0a719df55b9becafa296c1cd95f39a5e2
-
Filesize
1.8MB
MD55fcc7f613eb5fe47512efb5c67830712
SHA10db872d896a9991aa6703cb0d7d7960fa8c2a0e8
SHA256f2df4c45300e982fc3c0131ad426ea3b55d28e983ec3221f243f4c496ca618b1
SHA512a5d4133fe3b8f13dc02eb319403021834ed63595331a8530d0775bc1a6c83a80983fa7a5cf548a47c058263cc8a1a5c0a719df55b9becafa296c1cd95f39a5e2
-
Filesize
1.8MB
MD55fcc7f613eb5fe47512efb5c67830712
SHA10db872d896a9991aa6703cb0d7d7960fa8c2a0e8
SHA256f2df4c45300e982fc3c0131ad426ea3b55d28e983ec3221f243f4c496ca618b1
SHA512a5d4133fe3b8f13dc02eb319403021834ed63595331a8530d0775bc1a6c83a80983fa7a5cf548a47c058263cc8a1a5c0a719df55b9becafa296c1cd95f39a5e2
-
Filesize
1.5MB
-
Filesize
4.5MB
-
Filesize
4.5MB
-
Filesize
4.5MB
-
Filesize
4.5MB
-
Filesize
4.5MB
-
Filesize
8KB
-
Filesize
1.5MB