Static

static

1

web.exe

windows7_x64

10

web.exe

windows10_x64

10

Analysis

  • max time kernel
    61s
  • max time network
    122s
  • platform
    windows10_x64
  • resource
    win10v20201028
  • submitted
    30-11-2020 21:44

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    web.exe

  • Size

    95KB

  • MD5

    bf613fe70f790d4b932601daa60a8797

  • SHA1

    b53db9020c6115cea9e36dc9764bd45e5d9cfd6c

  • SHA256

    1c8260f2d597cfc1922ca72162e1eb3f8272c2d18fa41d77b145d32256c0063d

  • SHA512

    ce53eab5bd74fc2c70cf01d44597e63f50d27d2baaaf25cb166ab0f2c83add4773d936bbbebdfe03b30cd0a677b6b269abf8c8af02b3597c055a149e416db286

Score
10/10
buerloader

Malware Config

Extracted

Family

buer

C2

basiliskbank.com

Signatures

  • Buer

    Buer is a new modular loader first seen in August 2019.

    loaderbuer
  • Buer Loader 3 IoCs

    Detects Buer loader in memory or disk.

  • Loads dropped DLL 1 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\web.exe
    "C:\Users\Admin\AppData\Local\Temp\web.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of SetThreadContext
    • Suspicious behavior: MapViewOfSection
    • Suspicious use of WriteProcessMemory
    PID:4068
    • C:\Users\Admin\AppData\Local\Temp\web.exe
      "C:\Users\Admin\AppData\Local\Temp\web.exe"
      2⤵
        PID:2016

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Initial Access

    Execution

    Persistence

    Privilege Escalation

    Defense Evasion

    Credential Access

    Discovery

    System Information Discovery

    1
    T1082

    Lateral Movement

    Collection

    Exfiltration

    Command and Control

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • \Users\Admin\AppData\Local\Temp\nsm31C5.tmp\System.dll
      MD5

      fccff8cb7a1067e23fd2e2b63971a8e1

      SHA1

      30e2a9e137c1223a78a0f7b0bf96a1c361976d91

      SHA256

      6fcea34c8666b06368379c6c402b5321202c11b00889401c743fb96c516c679e

      SHA512

      f4335e84e6f8d70e462a22f1c93d2998673a7616c868177cac3e8784a3be1d7d0bb96f2583fa0ed82f4f2b6b8f5d9b33521c279a42e055d80a94b4f3f1791e0c

      Download Submit
    • memory/2016-3-0x0000000040000000-0x0000000040009000-memory.dmp
      Filesize

      36KB

      Download
    • memory/2016-4-0x0000000040005DA8-mapping.dmp
      Download
    • memory/2016-5-0x0000000040000000-0x0000000040009000-memory.dmp
      Filesize

      36KB

      Download