Analysis

- max time kernel: 118s
- max time network: 119s
- platform: windows7_x64
- resource: win7v20201028
- submitted: 30-11-2020 21:44

Static task: static1
Behavioral task: behavioral1
Sample: web.exe
Resource: win7v20201028
General

- Target: web.exe
- Size: 95KB
- MD5: bf613fe70f790d4b932601daa60a8797
- SHA1: b53db9020c6115cea9e36dc9764bd45e5d9cfd6c
- SHA256: 1c8260f2d597cfc1922ca72162e1eb3f8272c2d18fa41d77b145d32256c0063d
- SHA512: ce53eab5bd74fc2c70cf01d44597e63f50d27d2baaaf25cb166ab0f2c83add4773d936bbbebdfe03b30cd0a677b6b269abf8c8af02b3597c055a149e416db286
Malware Config

Extracted (buer): basiliskbank.com
Signatures

- Buer Loader (3 IoCs)
  Detects Buer loader in memory or disk.
  Processes:
    resource                                                            yara_rule
    behavioral1/memory/1252-3-0x0000000040000000-0x0000000040009000-memory.dmp  buer
    behavioral1/memory/1252-4-0x0000000040005DA8-mapping.dmp                    buer
    behavioral1/memory/1252-5-0x0000000040000000-0x0000000040009000-memory.dmp  buer

- Loads dropped DLL (1 IoC)
  Processes:
    pid   process
    756   web.exe

- Suspicious use of SetThreadContext (1 IoC)
  Processes:
    description                        pid   process   target process
    PID 756 set thread context of 1252 756   web.exe   web.exe

- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

- Suspicious behavior: MapViewOfSection (1 IoC)
  Processes:
    pid   process
    756   web.exe

- Suspicious use of WriteProcessMemory (5 IoCs)
  Processes:
    description                     pid   process   target process
    PID 756 wrote to memory of 1252 756   web.exe   web.exe
    PID 756 wrote to memory of 1252 756   web.exe   web.exe
    PID 756 wrote to memory of 1252 756   web.exe   web.exe
    PID 756 wrote to memory of 1252 756   web.exe   web.exe
    PID 756 wrote to memory of 1252 756   web.exe   web.exe
Processes

1. C:\Users\Admin\AppData\Local\Temp\web.exe
   "C:\Users\Admin\AppData\Local\Temp\web.exe"
   - Loads dropped DLL
   - Suspicious use of SetThreadContext
   - Suspicious behavior: MapViewOfSection
   - Suspicious use of WriteProcessMemory

   2. C:\Users\Admin\AppData\Local\Temp\web.exe (child of 1)
      "C:\Users\Admin\AppData\Local\Temp\web.exe"
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

- \Users\Admin\AppData\Local\Temp\nss6807.tmp\System.dll
  MD5: fccff8cb7a1067e23fd2e2b63971a8e1
  SHA1: 30e2a9e137c1223a78a0f7b0bf96a1c361976d91
  SHA256: 6fcea34c8666b06368379c6c402b5321202c11b00889401c743fb96c516c679e
  SHA512: f4335e84e6f8d70e462a22f1c93d2998673a7616c868177cac3e8784a3be1d7d0bb96f2583fa0ed82f4f2b6b8f5d9b33521c279a42e055d80a94b4f3f1791e0c

- memory/1252-3-0x0000000040000000-0x0000000040009000-memory.dmp
  Filesize: 36KB

- memory/1252-4-0x0000000040005DA8-mapping.dmp

- memory/1252-5-0x0000000040000000-0x0000000040009000-memory.dmp
  Filesize: 36KB