Overview

overview

10

Static

static

ca334df8e4...db.exe

windows7-x64

10

ca334df8e4...db.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    162s
  • max time network
    185s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220721-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220721-enlocale:en-usos:windows10-2004-x64system
  • submitted
    31-07-2022 06:55

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    ca334df8e40d7a2977d979ce91cf79c225612b3bd5bada4920d3777cb08bd5db.exe

  • Size

    2.0MB

  • MD5

    2f7f60ef423947bac5628fa46a7762ac

  • SHA1

    dd4d6463e1b4fad95790682604cde103d457d7c3

  • SHA256

    ca334df8e40d7a2977d979ce91cf79c225612b3bd5bada4920d3777cb08bd5db

  • SHA512

    8f867da39f77b30a6d405556389ec897aff4213dbf7ee16faff098c5956cdf810b6c83e59c94a25359b6e49ad4f6552724cf8a2b39383d2cd5fabf1abc032653

Score
10/10
buerevasionloaderpersistence

Malware Config

Extracted

Family

buer

C2

http://loood1.top/

http://loood2.top/

Signatures

  • Buer

    Buer is a new modular loader first seen in August 2019.

    loaderbuer
  • Buer Loader 3 IoCs

    Detects Buer loader in memory or disk.

    loader
  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 2 IoCs
    evasion
  • Executes dropped EXE 1 IoCs
  • Checks BIOS information in registry 2 TTPs 4 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Identifies Wine through registry keys 2 TTPs 2 IoCs

    Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

    evasion
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
  • Program crash 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\ca334df8e40d7a2977d979ce91cf79c225612b3bd5bada4920d3777cb08bd5db.exe
    "C:\Users\Admin\AppData\Local\Temp\ca334df8e40d7a2977d979ce91cf79c225612b3bd5bada4920d3777cb08bd5db.exe"
    1⤵
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
    • Checks BIOS information in registry
    • Identifies Wine through registry keys
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:4524
    • C:\Users\Admin\AppData\Roaming\ActiveX\manager.exe
      C:\Users\Admin\AppData\Roaming\ActiveX\manager.exe "C:\Users\Admin\AppData\Local\Temp\ca334df8e40d7a2977d979ce91cf79c225612b3bd5bada4920d3777cb08bd5db.exe" ensgJJ
      2⤵
      • Identifies VirtualBox via ACPI registry values (likely anti-VM)
      • Executes dropped EXE
      • Checks BIOS information in registry
      • Identifies Wine through registry keys
      • Adds Run key to start application
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:820
      • C:\Windows\SysWOW64\secinit.exe
        C:\Users\Admin\AppData\Roaming\ActiveX\manager.exe
        3⤵
          PID:3464
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -u -p 3464 -s 284
            4⤵
            • Program crash
            PID:2516
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -u -p 3464 -s 292
            4⤵
            • Program crash
            PID:3172
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 3464 -ip 3464
      1⤵
        PID:4824
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -pss -s 372 -p 3464 -ip 3464
        1⤵
          PID:432

        Network

        MITRE ATT&CK Enterprise v6

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Roaming\ActiveX\manager.exe
          Filesize

          2.0MB

          MD5

          2f7f60ef423947bac5628fa46a7762ac

          SHA1

          dd4d6463e1b4fad95790682604cde103d457d7c3

          SHA256

          ca334df8e40d7a2977d979ce91cf79c225612b3bd5bada4920d3777cb08bd5db

          SHA512

          8f867da39f77b30a6d405556389ec897aff4213dbf7ee16faff098c5956cdf810b6c83e59c94a25359b6e49ad4f6552724cf8a2b39383d2cd5fabf1abc032653

          Download Submit

        • C:\Users\Admin\AppData\Roaming\ActiveX\manager.exe
          Filesize

          2.0MB

          MD5

          2f7f60ef423947bac5628fa46a7762ac

          SHA1

          dd4d6463e1b4fad95790682604cde103d457d7c3

          SHA256

          ca334df8e40d7a2977d979ce91cf79c225612b3bd5bada4920d3777cb08bd5db

          SHA512

          8f867da39f77b30a6d405556389ec897aff4213dbf7ee16faff098c5956cdf810b6c83e59c94a25359b6e49ad4f6552724cf8a2b39383d2cd5fabf1abc032653

          Download Submit

        • memory/820-137-0x0000000077980000-0x0000000077B23000-memory.dmp

          Filesize

          1.6MB

          Download

        • memory/820-138-0x000000003F6D0000-0x000000003FBB6000-memory.dmp

          Filesize

          4.9MB

          Download

        • memory/820-140-0x0000000077980000-0x0000000077B23000-memory.dmp

          Filesize

          1.6MB

          Download

        • memory/820-141-0x000000003F6D0000-0x000000003FBB6000-memory.dmp

          Filesize

          4.9MB

          Download

        • memory/3464-139-0x0000000001200000-0x00000000016E6000-memory.dmp

          Filesize

          4.9MB

          Download

        • memory/4524-130-0x000000003F1F0000-0x000000003F6D6000-memory.dmp

          Filesize

          4.9MB

          Download

        • memory/4524-134-0x0000000077980000-0x0000000077B23000-memory.dmp

          Filesize

          1.6MB

          Download

        • memory/4524-135-0x000000003F1F0000-0x000000003F6D6000-memory.dmp

          Filesize

          4.9MB

          Download