Analysis
- max time kernel: 133s
- max time network: 123s
- platform: windows7_x64
- resource: win7-20240221-en
- resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
- submitted: 17-04-2024 12:53
Static task: static1
Behavioral task: behavioral1
  Sample: 3c6bbdfafb3857e5850e95629d00542fd40df0b0a2ede2d49b204158d3e1cea1.exe
  Resource: win7-20240215-en
Behavioral task: behavioral2
  Sample: 3c6bbdfafb3857e5850e95629d00542fd40df0b0a2ede2d49b204158d3e1cea1.exe
  Resource: win10v2004-20240412-en
Behavioral task: behavioral3
  Sample: Buffisternes.ps1
  Resource: win7-20240221-en
Behavioral task: behavioral4
  Sample: Buffisternes.ps1
  Resource: win10v2004-20240412-en
General
- Target: Buffisternes.ps1
- Size: 60KB
- MD5: 536404b62f83ffc1c1ab96b8702ac936
- SHA1: e3fcddb4a59854532c9628fb842a89e44600d4df
- SHA256: 2257be627271ea9c32361cfcdb142ccb3b807d841dbfc04c08356cd1d8336600
- SHA512: 5e4f55571925250785b7674552960883841caf0ae0949a788d3afaf38494aab49f3838eb2f17a6138f4131ffd9f995a153d1676fc382734fde2b83d43d94663d
- SSDEEP: 768:XRG7q21ttLI7+7VD+oVBbRSI2K4bdIhyjxmFlcikC5pV5tZNN8WUM00WjCi/IDeQ:XRG7q2bt0KJD+obmBIhSqLL3NvGbnt2x
Malware Config
Signatures
- Modifies Installed Components in the registry (2 TTPs, 1 IoC)
  Processes:
    description | ioc | process
    Key created | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Active Setup\Installed Components | explorer.exe
- Modifies registry class (5 IoCs)
  Processes:
    description | ioc | process
    Key created | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell | explorer.exe
    Key created | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU | explorer.exe
    Set value (data) | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots | explorer.exe
    Set value (data) | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff | explorer.exe
    Key created | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_Classes\Local Settings | explorer.exe
- Suspicious behavior: EnumeratesProcesses (8 IoCs)
  Processes:
    pid | process
    2452 | powershell.exe (8 occurrences)
- Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  Processes:
    pid | process
    2388 | explorer.exe
- Suspicious use of AdjustPrivilegeToken (13 IoCs)
  Processes:
    description | pid | process
    Token: SeDebugPrivilege | 2452 | powershell.exe
    Token: SeShutdownPrivilege | 2388 | explorer.exe (12 occurrences)
- Suspicious use of FindShellTrayWindow (29 IoCs)
  Processes:
    pid | process
    2388 | explorer.exe (29 occurrences)
- Suspicious use of SendNotifyMessage (22 IoCs)
  Processes:
    pid | process
    2388 | explorer.exe (22 occurrences)
- Suspicious use of WriteProcessMemory (6 IoCs)
  Processes:
    description | pid | process | target process
    PID 2452 wrote to memory of 2624 | 2452 | powershell.exe | cmd.exe (3 occurrences)
    PID 2452 wrote to memory of 2372 | 2452 | powershell.exe | wermgr.exe (3 occurrences)
- Uses Task Scheduler COM API (1 TTP)
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (level 1)
  Command line: powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\Buffisternes.ps1
  PID: 2452
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\system32\cmd.exe (level 2)
    Command line: "C:\Windows\system32\cmd.exe" /c "set /A 1^^0"
    PID: 2624
  - C:\Windows\system32\wermgr.exe (level 2)
    Command line: "C:\Windows\system32\wermgr.exe" "-outproc" "2452" "1124"
    PID: 2372
- C:\Windows\explorer.exe (level 1)
  Command line: explorer.exe
  PID: 2388
  - Modifies Installed Components in the registry
  - Modifies registry class
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 1KB
  MD5: ba9822ad9551aa4f53b3389f6fbd28fc
  SHA1: 73b379c841368c06889df36c5cf012e730b2c3ed
  SHA256: 129659d28b930e4ff7fa3f361f9149923151fbf8af6ec0c3f3fbf18577f8f7a2
  SHA512: e807df156a7eb40b620e1b97c93aaacc0807b18831422ed94389100ac93bd91917b1568ba233d0db11b02be556bf0480a76ab416147a56cb54e98a13c8b8245b