Overview

overview

10

Static

static

StolenImag...e.xlsm

windows7_x64

10

StolenImag...e.xlsm

windows10_x64

10

Analysis

  • max time kernel
    149s
  • max time network
    131s
  • platform
    windows7_x64
  • resource
    win7
  • submitted
    30-06-2020 02:04

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    StolenImagesEvidence.xlsm

  • Size

    2.7MB

  • MD5

    19e4dc06d4ccb13ede93bd8a3f115848

  • SHA1

    f6f89dd11b43563abfbe19572d61168ab95825ee

  • SHA256

    d3e6f290c2bb3453ca9c6eca018c3256d5a4e0e8bf3ab26316d904f3dfa82c23

  • SHA512

    12bf4eb62cda66cd25aeb8ee9f0e6ba7e6633b7bcf424ed321f7f7f0f0e6279ec4470a06ddd95eb431d843eb0805b10dac8e7eeba7bda6803f287d1a9fd7d960

Score
10/10
buerloaderpersistence

Malware Config

Signatures

  • Buer

    Buer is a new modular loader first seen in August 2019.

    loaderbuer
  • Modifies WinLogon for persistence 2 TTPs 1 IoCs
    persistence
  • Process spawned unexpected child process 1 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Blocklisted process makes network request 2 IoCs
  • Executes dropped EXE 4 IoCs
  • Loads dropped DLL 5 IoCs
  • Enumerates connected drives 3 TTPs 24 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Program crash 1 IoCs
  • Office loads VBA resources, possible macro or embedded object present
  • Launches Equation Editor 1 TTPs 1 IoCs

    Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.

    exploit
  • Modifies Internet Explorer settings 1 TTPs 24 IoCs
    adwarespyware
  • NTFS ADS 1 IoCs
  • Script User-Agent 2 IoCs

    Uses user-agent string associated with script host/environment.

  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 7 IoCs
  • Suspicious use of WriteProcessMemory 56 IoCs

Processes

  • C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
    "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\StolenImagesEvidence.xlsm
    1⤵
    • NTFS ADS
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1100
    • C:\Windows\System32\cscript.exe
      "C:\Windows\System32\cscript.exe" C:\programdata\asc.txt:script1.vbs
      2⤵
      • Process spawned unexpected child process
      • Blocklisted process makes network request
      • Suspicious use of WriteProcessMemory
      PID:1808
      • C:\programdata\honey.exe
        C:\programdata\honey.exe
        3⤵
        • Executes dropped EXE
        PID:1536
  • C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
    "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
    1⤵
    • Launches Equation Editor
    • Suspicious use of WriteProcessMemory
    PID:1464
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c ren %tmp%\mm v&WSCRIPT %tmp%\v?..wsf  C
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:836
      • C:\Windows\SysWOW64\wscript.exe
        WSCRIPT C:\Users\Admin\AppData\Local\Temp\v?..wsf  C
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:744
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\System32\cmd.exe" /c cscript C:\Users\Admin\AppData\Local\Temp\xx.vbs
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:1484
          • C:\Windows\SysWOW64\cscript.exe
            cscript C:\Users\Admin\AppData\Local\Temp\xx.vbs
            5⤵
            • Blocklisted process makes network request
            • Loads dropped DLL
            • Suspicious use of WriteProcessMemory
            PID:1788
            • C:\ProgramData\honey.exe
              "C:\ProgramData\honey.exe"
              6⤵
              • Executes dropped EXE
              • Loads dropped DLL
              • Suspicious use of WriteProcessMemory
              PID:1952
              • C:\ProgramData\42a9a9fda9eb1654f552\gennt.exe
                C:\ProgramData\42a9a9fda9eb1654f552\gennt.exe "C:\ProgramData\honey.exe" ensgJJ
                7⤵
                • Modifies WinLogon for persistence
                • Executes dropped EXE
                • Loads dropped DLL
                • Enumerates connected drives
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of WriteProcessMemory
                PID:1636
                • C:\Windows\SysWOW64\secinit.exe
                  C:\ProgramData\42a9a9fda9eb1654f552\gennt.exe
                  8⤵
                  • Suspicious use of WriteProcessMemory
                  PID:1044
                  • C:\Windows\SysWOW64\WerFault.exe
                    C:\Windows\SysWOW64\WerFault.exe -u -p 1044 -s 280
                    9⤵
                    • Program crash
                    • Suspicious behavior: EnumeratesProcesses
                    • Suspicious use of AdjustPrivilegeToken
                    PID:1508
                • C:\Windows\SysWOW64\cmd.exe
                  "C:\Windows\System32\cmd.exe" powershell.exe -Command "& {Add-MpPreference -ExclusionPath C:\ProgramData\42a9a9fda9eb1654f552}"
                  8⤵
                    PID:836
                  • C:\ProgramData\42a9a9fda9eb1654f552\exgitucedis.exe
                    C:\ProgramData\42a9a9fda9eb1654f552\exgitucedis.exe
                    8⤵
                    • Executes dropped EXE
                    PID:1760
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
      1⤵
      • Modifies Internet Explorer settings
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1484
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1484 CREDAT:275457 /prefetch:2
        2⤵
        • Modifies Internet Explorer settings
        • Suspicious use of SetWindowsHookEx
        PID:1172

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Initial Access

    Execution

    Exploitation for Client Execution

    1
    T1203

    Persistence

    Winlogon Helper DLL

    1
    T1004

    Privilege Escalation

    Defense Evasion

    Modify Registry

    2
    T1112

    Credential Access

    Discovery

    Query Registry

    1
    T1012

    Peripheral Device Discovery

    1
    T1120

    System Information Discovery

    2
    T1082

    Lateral Movement

    Collection

    Exfiltration

    Command and Control

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\ProgramData\42a9a9fda9eb1654f552\exgitucedis.exe
      MD5

      3b213812199ade3a2f51250355bcbb02

      SHA1

      62bf14e1b9cfbc34e5101b780c3b55359c83152c

      SHA256

      a66f6d5fe714527cc94af30695cbabc44dd2fc355bc8e917e77350f35b0c6852

      SHA512

      c7a17a972dfc4d80802ce7901d087f07950ed7edfe5c98d84b10af2e8b606e4749da829aef91fc2d3b193320806a6010e72627a9d092f7b3ab7c1d79a7ac60de

      Download Submit
    • C:\ProgramData\42a9a9fda9eb1654f552\gennt.exe
      MD5

      f500854e3cf9556688203a3d869b7d6d

      SHA1

      281aab2eb26f31cf2255e2f5a467fc5eebda8df8

      SHA256

      471325daa2bc75f50856e93e9de088386556fc3ead653894d5c2a67f2a8b4975

      SHA512

      bccb54a68003bde3304dd6824f4bc6a3a5f06995a85bf371b1581fd00e0dc9ff40a1765594b61da9a2cbdf9c0372916a8694af2a66759a534b746981418101d4

      Download Submit
    • C:\ProgramData\42a9a9fda9eb1654f552\gennt.exe
      MD5

      f500854e3cf9556688203a3d869b7d6d

      SHA1

      281aab2eb26f31cf2255e2f5a467fc5eebda8df8

      SHA256

      471325daa2bc75f50856e93e9de088386556fc3ead653894d5c2a67f2a8b4975

      SHA512

      bccb54a68003bde3304dd6824f4bc6a3a5f06995a85bf371b1581fd00e0dc9ff40a1765594b61da9a2cbdf9c0372916a8694af2a66759a534b746981418101d4

      Download Submit
    • C:\ProgramData\42a9a9fda9eb1654f552\gennt.exe
      MD5

      f500854e3cf9556688203a3d869b7d6d

      SHA1

      281aab2eb26f31cf2255e2f5a467fc5eebda8df8

      SHA256

      471325daa2bc75f50856e93e9de088386556fc3ead653894d5c2a67f2a8b4975

      SHA512

      bccb54a68003bde3304dd6824f4bc6a3a5f06995a85bf371b1581fd00e0dc9ff40a1765594b61da9a2cbdf9c0372916a8694af2a66759a534b746981418101d4

      Download Submit
    • C:\ProgramData\honey.exe
      MD5

      f500854e3cf9556688203a3d869b7d6d

      SHA1

      281aab2eb26f31cf2255e2f5a467fc5eebda8df8

      SHA256

      471325daa2bc75f50856e93e9de088386556fc3ead653894d5c2a67f2a8b4975

      SHA512

      bccb54a68003bde3304dd6824f4bc6a3a5f06995a85bf371b1581fd00e0dc9ff40a1765594b61da9a2cbdf9c0372916a8694af2a66759a534b746981418101d4

      Download Submit
    • C:\ProgramData\honey.exe
      MD5

      f500854e3cf9556688203a3d869b7d6d

      SHA1

      281aab2eb26f31cf2255e2f5a467fc5eebda8df8

      SHA256

      471325daa2bc75f50856e93e9de088386556fc3ead653894d5c2a67f2a8b4975

      SHA512

      bccb54a68003bde3304dd6824f4bc6a3a5f06995a85bf371b1581fd00e0dc9ff40a1765594b61da9a2cbdf9c0372916a8694af2a66759a534b746981418101d4

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\mm
      MD5

      173309b93b0a0f138d015f465f4d8a1b

      SHA1

      7df3563be2296fea9bf66350a09d79168e73247b

      SHA256

      ac5a437cfe1ea4156a9d8cfe4a36417dec046338a91532dfb837890d31340a08

      SHA512

      e128dc628f5647c34a8e969c7a7ce76c318ec9db380747ef3e618b7fc7c946e06c02660dfbc0f87c2c70ba9457d70bd64abe53cf5614b2e2c9d464304f438c27

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\xx
      MD5

      fe40904aaae247297d25d511e26311b3

      SHA1

      126559ee3ec7e56ca282d671f10da4a54b19399d

      SHA256

      fc525ba956e261d31d8e0e7f9906c1906aaaab5e47d2e8155358902bd4428ba8

      SHA512

      05815d715e50b1706ff020286a8f51ab0ea31306f3448ea8872034400d1a272348b052cdf2ce08e562830e7e9a94374f3e7472cee177f297e3d0cbc7a243656b

      Download Submit
    • C:\programdata\asc.txt:script1.vbs
      MD5

      db247f41725eccc95440e0de0cb454b0

      SHA1

      c18af0fcdf083be64fa139e1120b1526ba45d7b6

      SHA256

      f65cf77551c4c20c63985a74e7886651ec063996b0fc8e1a486801e27a9bdb88

      SHA512

      f5c4569e6d729885c55cd129461795dc96fa5efdb1e85a99282b149003c785272e148f6a728f66398f3364c9354af1393df7c5e0f2582112dfd4e7d7045c6f5a

      Download Submit
    • C:\programdata\honey.exe
      MD5

      f500854e3cf9556688203a3d869b7d6d

      SHA1

      281aab2eb26f31cf2255e2f5a467fc5eebda8df8

      SHA256

      471325daa2bc75f50856e93e9de088386556fc3ead653894d5c2a67f2a8b4975

      SHA512

      bccb54a68003bde3304dd6824f4bc6a3a5f06995a85bf371b1581fd00e0dc9ff40a1765594b61da9a2cbdf9c0372916a8694af2a66759a534b746981418101d4

      Download Submit
    • C:\programdata\honey.exe
      MD5

      f500854e3cf9556688203a3d869b7d6d

      SHA1

      281aab2eb26f31cf2255e2f5a467fc5eebda8df8

      SHA256

      471325daa2bc75f50856e93e9de088386556fc3ead653894d5c2a67f2a8b4975

      SHA512

      bccb54a68003bde3304dd6824f4bc6a3a5f06995a85bf371b1581fd00e0dc9ff40a1765594b61da9a2cbdf9c0372916a8694af2a66759a534b746981418101d4

      Download Submit
    • \ProgramData\42a9a9fda9eb1654f552\exgitucedis.exe
      MD5

      3b213812199ade3a2f51250355bcbb02

      SHA1

      62bf14e1b9cfbc34e5101b780c3b55359c83152c

      SHA256

      a66f6d5fe714527cc94af30695cbabc44dd2fc355bc8e917e77350f35b0c6852

      SHA512

      c7a17a972dfc4d80802ce7901d087f07950ed7edfe5c98d84b10af2e8b606e4749da829aef91fc2d3b193320806a6010e72627a9d092f7b3ab7c1d79a7ac60de

      Download Submit
    • \ProgramData\42a9a9fda9eb1654f552\exgitucedis.exe
      MD5

      3b213812199ade3a2f51250355bcbb02

      SHA1

      62bf14e1b9cfbc34e5101b780c3b55359c83152c

      SHA256

      a66f6d5fe714527cc94af30695cbabc44dd2fc355bc8e917e77350f35b0c6852

      SHA512

      c7a17a972dfc4d80802ce7901d087f07950ed7edfe5c98d84b10af2e8b606e4749da829aef91fc2d3b193320806a6010e72627a9d092f7b3ab7c1d79a7ac60de

      Download Submit
    • \ProgramData\42a9a9fda9eb1654f552\gennt.exe
      MD5

      f500854e3cf9556688203a3d869b7d6d

      SHA1

      281aab2eb26f31cf2255e2f5a467fc5eebda8df8

      SHA256

      471325daa2bc75f50856e93e9de088386556fc3ead653894d5c2a67f2a8b4975

      SHA512

      bccb54a68003bde3304dd6824f4bc6a3a5f06995a85bf371b1581fd00e0dc9ff40a1765594b61da9a2cbdf9c0372916a8694af2a66759a534b746981418101d4

      Download Submit
    • \ProgramData\42a9a9fda9eb1654f552\gennt.exe
      MD5

      f500854e3cf9556688203a3d869b7d6d

      SHA1

      281aab2eb26f31cf2255e2f5a467fc5eebda8df8

      SHA256

      471325daa2bc75f50856e93e9de088386556fc3ead653894d5c2a67f2a8b4975

      SHA512

      bccb54a68003bde3304dd6824f4bc6a3a5f06995a85bf371b1581fd00e0dc9ff40a1765594b61da9a2cbdf9c0372916a8694af2a66759a534b746981418101d4

      Download Submit
    • \ProgramData\honey.exe
      MD5

      f500854e3cf9556688203a3d869b7d6d

      SHA1

      281aab2eb26f31cf2255e2f5a467fc5eebda8df8

      SHA256

      471325daa2bc75f50856e93e9de088386556fc3ead653894d5c2a67f2a8b4975

      SHA512

      bccb54a68003bde3304dd6824f4bc6a3a5f06995a85bf371b1581fd00e0dc9ff40a1765594b61da9a2cbdf9c0372916a8694af2a66759a534b746981418101d4

      Download Submit
    • memory/744-2-0x0000000000000000-mapping.dmp
      Download
    • memory/744-7-0x0000000002590000-0x0000000002594000-memory.dmp
      Filesize

      16KB

      Download
    • memory/836-0-0x0000000000000000-mapping.dmp
      Download
    • memory/836-31-0x0000000000000000-mapping.dmp
      Download
    • memory/1044-29-0x0000000000000000-mapping.dmp
      Download
    • memory/1044-26-0x0000000000000000-mapping.dmp
      Download
    • memory/1044-30-0x0000000000000000-mapping.dmp
      Download
    • memory/1100-3-0x00000000061E0000-0x00000000062E0000-memory.dmp
      Filesize

      1024KB

      Download
    • memory/1172-39-0x0000000004E60000-0x0000000004E63000-memory.dmp
      Filesize

      12KB

      Download
    • memory/1172-38-0x0000000006C50000-0x0000000006C73000-memory.dmp
      Filesize

      140KB

      Download
    • memory/1172-37-0x0000000000000000-mapping.dmp
      Download
    • memory/1484-6-0x0000000000000000-mapping.dmp
      Download
    • memory/1508-28-0x0000000002170000-0x0000000002181000-memory.dmp
      Filesize

      68KB

      Download
    • memory/1508-27-0x0000000000000000-mapping.dmp
      Download
    • memory/1508-32-0x0000000002640000-0x0000000002651000-memory.dmp
      Filesize

      68KB

      Download
    • memory/1536-12-0x0000000000000000-mapping.dmp
      Download
    • memory/1636-23-0x0000000000000000-mapping.dmp
      Download
    • memory/1760-35-0x0000000000000000-mapping.dmp
      Download
    • memory/1788-19-0x0000000002740000-0x0000000002744000-memory.dmp
      Filesize

      16KB

      Download
    • memory/1788-8-0x0000000000000000-mapping.dmp
      Download
    • memory/1808-13-0x00000000023D0000-0x00000000023D4000-memory.dmp
      Filesize

      16KB

      Download
    • memory/1808-9-0x0000000000000000-mapping.dmp
      Download
    • memory/1952-17-0x0000000000000000-mapping.dmp
      Download