Overview

overview

10

Static

static

StolenImag...e.xlsm

windows7_x64

10

StolenImag...e.xlsm

windows10_x64

10

Analysis

  • max time kernel
    149s
  • max time network
    131s
  • platform
    windows7_x64
  • resource
    win7
  • submitted
    30-06-2020 02:04

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    StolenImagesEvidence.xlsm

  • Size

    2.7MB

  • MD5

    19e4dc06d4ccb13ede93bd8a3f115848

  • SHA1

    f6f89dd11b43563abfbe19572d61168ab95825ee

  • SHA256

    d3e6f290c2bb3453ca9c6eca018c3256d5a4e0e8bf3ab26316d904f3dfa82c23

  • SHA512

    12bf4eb62cda66cd25aeb8ee9f0e6ba7e6633b7bcf424ed321f7f7f0f0e6279ec4470a06ddd95eb431d843eb0805b10dac8e7eeba7bda6803f287d1a9fd7d960

Score
10/10
buerloaderpersistence

Malware Config

Signatures

  • Buer

    Buer is a new modular loader first seen in August 2019.

    loaderbuer
  • Modifies WinLogon for persistence 2 TTPs 1 IoCs
    persistence
  • Process spawned unexpected child process 1 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Blocklisted process makes network request 2 IoCs
  • Executes dropped EXE 4 IoCs
  • Loads dropped DLL 5 IoCs
  • Enumerates connected drives 3 TTPs 24 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Program crash 1 IoCs
  • Office loads VBA resources, possible macro or embedded object present
  • Launches Equation Editor 1 TTPs 1 IoCs

    Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.

    exploit
  • Modifies Internet Explorer settings 1 TTPs 24 IoCs
    adwarespyware
  • NTFS ADS 1 IoCs
  • Script User-Agent 2 IoCs

    Uses user-agent string associated with script host/environment.

  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 7 IoCs
  • Suspicious use of WriteProcessMemory 56 IoCs

Processes

  • C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
    "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\StolenImagesEvidence.xlsm
    1⤵
    • NTFS ADS
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1100
    • C:\Windows\System32\cscript.exe
      "C:\Windows\System32\cscript.exe" C:\programdata\asc.txt:script1.vbs
      2⤵
      • Process spawned unexpected child process
      • Blocklisted process makes network request
      • Suspicious use of WriteProcessMemory
      PID:1808
      • C:\programdata\honey.exe
        C:\programdata\honey.exe
        3⤵
        • Executes dropped EXE
        PID:1536
  • C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
    "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
    1⤵
    • Launches Equation Editor
    • Suspicious use of WriteProcessMemory
    PID:1464
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c ren %tmp%\mm v&WSCRIPT %tmp%\v?..wsf  C
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:836
      • C:\Windows\SysWOW64\wscript.exe
        WSCRIPT C:\Users\Admin\AppData\Local\Temp\v?..wsf  C
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:744
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\System32\cmd.exe" /c cscript C:\Users\Admin\AppData\Local\Temp\xx.vbs
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:1484
          • C:\Windows\SysWOW64\cscript.exe
            cscript C:\Users\Admin\AppData\Local\Temp\xx.vbs
            5⤵
            • Blocklisted process makes network request
            • Loads dropped DLL
            • Suspicious use of WriteProcessMemory
            PID:1788
            • C:\ProgramData\honey.exe
              "C:\ProgramData\honey.exe"
              6⤵
              • Executes dropped EXE
              • Loads dropped DLL
              • Suspicious use of WriteProcessMemory
              PID:1952
              • C:\ProgramData\42a9a9fda9eb1654f552\gennt.exe
                C:\ProgramData\42a9a9fda9eb1654f552\gennt.exe "C:\ProgramData\honey.exe" ensgJJ
                7⤵
                • Modifies WinLogon for persistence
                • Executes dropped EXE
                • Loads dropped DLL
                • Enumerates connected drives
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of WriteProcessMemory
                PID:1636
                • C:\Windows\SysWOW64\secinit.exe
                  C:\ProgramData\42a9a9fda9eb1654f552\gennt.exe
                  8⤵
                  • Suspicious use of WriteProcessMemory
                  PID:1044
                  • C:\Windows\SysWOW64\WerFault.exe
                    C:\Windows\SysWOW64\WerFault.exe -u -p 1044 -s 280
                    9⤵
                    • Program crash
                    • Suspicious behavior: EnumeratesProcesses
                    • Suspicious use of AdjustPrivilegeToken
                    PID:1508
                • C:\Windows\SysWOW64\cmd.exe
                  "C:\Windows\System32\cmd.exe" powershell.exe -Command "& {Add-MpPreference -ExclusionPath C:\ProgramData\42a9a9fda9eb1654f552}"
                  8⤵
                    PID:836
                  • C:\ProgramData\42a9a9fda9eb1654f552\exgitucedis.exe
                    C:\ProgramData\42a9a9fda9eb1654f552\exgitucedis.exe
                    8⤵
                    • Executes dropped EXE
                    PID:1760
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
      1⤵
      • Modifies Internet Explorer settings
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1484
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1484 CREDAT:275457 /prefetch:2
        2⤵
        • Modifies Internet Explorer settings
        • Suspicious use of SetWindowsHookEx
        PID:1172

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • memory/744-7-0x0000000002590000-0x0000000002594000-memory.dmp

      Filesize

      16KB

      Download

    • memory/1100-3-0x00000000061E0000-0x00000000062E0000-memory.dmp

      Filesize

      1024KB

      Download

    • memory/1172-39-0x0000000004E60000-0x0000000004E63000-memory.dmp

      Filesize

      12KB

      Download

    • memory/1172-38-0x0000000006C50000-0x0000000006C73000-memory.dmp

      Filesize

      140KB

      Download

    • memory/1508-28-0x0000000002170000-0x0000000002181000-memory.dmp

      Filesize

      68KB

      Download

    • memory/1508-32-0x0000000002640000-0x0000000002651000-memory.dmp

      Filesize

      68KB

      Download

    • memory/1788-19-0x0000000002740000-0x0000000002744000-memory.dmp

      Filesize

      16KB

      Download

    • memory/1808-13-0x00000000023D0000-0x00000000023D4000-memory.dmp

      Filesize

      16KB

      Download