Overview

overview

10

Static

static

ca334df8e4...db.exe

windows7-x64

10

ca334df8e4...db.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    57s
  • max time network
    61s
  • platform
    windows7_x64
  • resource
    win7-20220718-en
  • resource tags

    arch:x64arch:x86image:win7-20220718-enlocale:en-usos:windows7-x64system
  • submitted
    31-07-2022 06:55

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    ca334df8e40d7a2977d979ce91cf79c225612b3bd5bada4920d3777cb08bd5db.exe

  • Size

    2.0MB

  • MD5

    2f7f60ef423947bac5628fa46a7762ac

  • SHA1

    dd4d6463e1b4fad95790682604cde103d457d7c3

  • SHA256

    ca334df8e40d7a2977d979ce91cf79c225612b3bd5bada4920d3777cb08bd5db

  • SHA512

    8f867da39f77b30a6d405556389ec897aff4213dbf7ee16faff098c5956cdf810b6c83e59c94a25359b6e49ad4f6552724cf8a2b39383d2cd5fabf1abc032653

Score
10/10
buerevasionloaderpersistence

Malware Config

Extracted

Family

buer

C2

http://loood1.top/

http://loood2.top/

Signatures

  • Buer

    Buer is a new modular loader first seen in August 2019.

    loaderbuer
  • Buer Loader 3 IoCs

    Detects Buer loader in memory or disk.

    loader
  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 2 IoCs
    evasion
  • Executes dropped EXE 1 IoCs
  • Checks BIOS information in registry 2 TTPs 4 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Deletes itself 1 IoCs
  • Identifies Wine through registry keys 2 TTPs 2 IoCs

    Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

    evasion
  • Loads dropped DLL 2 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious use of WriteProcessMemory 17 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\ca334df8e40d7a2977d979ce91cf79c225612b3bd5bada4920d3777cb08bd5db.exe
    "C:\Users\Admin\AppData\Local\Temp\ca334df8e40d7a2977d979ce91cf79c225612b3bd5bada4920d3777cb08bd5db.exe"
    1⤵
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
    • Checks BIOS information in registry
    • Identifies Wine through registry keys
    • Loads dropped DLL
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:888
    • C:\Users\Admin\AppData\Roaming\ActiveX\manager.exe
      C:\Users\Admin\AppData\Roaming\ActiveX\manager.exe "C:\Users\Admin\AppData\Local\Temp\ca334df8e40d7a2977d979ce91cf79c225612b3bd5bada4920d3777cb08bd5db.exe" ensgJJ
      2⤵
      • Identifies VirtualBox via ACPI registry values (likely anti-VM)
      • Executes dropped EXE
      • Checks BIOS information in registry
      • Deletes itself
      • Identifies Wine through registry keys
      • Adds Run key to start application
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:1720
      • C:\Windows\SysWOW64\secinit.exe
        C:\Users\Admin\AppData\Roaming\ActiveX\manager.exe
        3⤵
          PID:1580

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Roaming\ActiveX\manager.exe
      Filesize

      2.0MB

      MD5

      2f7f60ef423947bac5628fa46a7762ac

      SHA1

      dd4d6463e1b4fad95790682604cde103d457d7c3

      SHA256

      ca334df8e40d7a2977d979ce91cf79c225612b3bd5bada4920d3777cb08bd5db

      SHA512

      8f867da39f77b30a6d405556389ec897aff4213dbf7ee16faff098c5956cdf810b6c83e59c94a25359b6e49ad4f6552724cf8a2b39383d2cd5fabf1abc032653

      Download Submit

    • C:\Users\Admin\AppData\Roaming\ActiveX\manager.exe
      Filesize

      2.0MB

      MD5

      2f7f60ef423947bac5628fa46a7762ac

      SHA1

      dd4d6463e1b4fad95790682604cde103d457d7c3

      SHA256

      ca334df8e40d7a2977d979ce91cf79c225612b3bd5bada4920d3777cb08bd5db

      SHA512

      8f867da39f77b30a6d405556389ec897aff4213dbf7ee16faff098c5956cdf810b6c83e59c94a25359b6e49ad4f6552724cf8a2b39383d2cd5fabf1abc032653

      Download Submit

    • \Users\Admin\AppData\Roaming\ActiveX\manager.exe
      Filesize

      2.0MB

      MD5

      2f7f60ef423947bac5628fa46a7762ac

      SHA1

      dd4d6463e1b4fad95790682604cde103d457d7c3

      SHA256

      ca334df8e40d7a2977d979ce91cf79c225612b3bd5bada4920d3777cb08bd5db

      SHA512

      8f867da39f77b30a6d405556389ec897aff4213dbf7ee16faff098c5956cdf810b6c83e59c94a25359b6e49ad4f6552724cf8a2b39383d2cd5fabf1abc032653

      Download Submit

    • \Users\Admin\AppData\Roaming\ActiveX\manager.exe
      Filesize

      2.0MB

      MD5

      2f7f60ef423947bac5628fa46a7762ac

      SHA1

      dd4d6463e1b4fad95790682604cde103d457d7c3

      SHA256

      ca334df8e40d7a2977d979ce91cf79c225612b3bd5bada4920d3777cb08bd5db

      SHA512

      8f867da39f77b30a6d405556389ec897aff4213dbf7ee16faff098c5956cdf810b6c83e59c94a25359b6e49ad4f6552724cf8a2b39383d2cd5fabf1abc032653

      Download Submit

    • memory/888-59-0x000000003FB20000-0x0000000040006000-memory.dmp

      Filesize

      4.9MB

      Download

    • memory/888-54-0x0000000075BB1000-0x0000000075BB3000-memory.dmp

      Filesize

      8KB

      Download

    • memory/888-60-0x00000000771F0000-0x0000000077370000-memory.dmp

      Filesize

      1.5MB

      Download

    • memory/1580-74-0x0000000000080000-0x0000000000081000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1580-67-0x0000000000280000-0x0000000000766000-memory.dmp

      Filesize

      4.9MB

      Download

    • memory/1580-64-0x0000000000280000-0x0000000000766000-memory.dmp

      Filesize

      4.9MB

      Download

    • memory/1580-65-0x0000000000280000-0x0000000000766000-memory.dmp

      Filesize

      4.9MB

      Download

    • memory/1580-69-0x0000000000280000-0x0000000000766000-memory.dmp

      Filesize

      4.9MB

      Download

    • memory/1580-70-0x0000000000280000-0x0000000000766000-memory.dmp

      Filesize

      4.9MB

      Download

    • memory/1580-71-0x0000000000280000-0x0000000000766000-memory.dmp

      Filesize

      4.9MB

      Download

    • memory/1580-77-0x0000000000280000-0x0000000000766000-memory.dmp

      Filesize

      4.9MB

      Download

    • memory/1580-73-0x0000000000280000-0x0000000000766000-memory.dmp

      Filesize

      4.9MB

      Download

    • memory/1720-61-0x000000003FB50000-0x0000000040036000-memory.dmp

      Filesize

      4.9MB

      Download

    • memory/1720-78-0x00000000771F0000-0x0000000077370000-memory.dmp

      Filesize

      1.5MB

      Download

    • memory/1720-79-0x000000003FB50000-0x0000000040036000-memory.dmp

      Filesize

      4.9MB

      Download

    • memory/1720-80-0x000000003FB50000-0x0000000040036000-memory.dmp

      Filesize

      4.9MB

      Download

    • memory/1720-81-0x00000000771F0000-0x0000000077370000-memory.dmp

      Filesize

      1.5MB

      Download