Resubmissions
02-12-2020 13:57
201202-jdp64q14ds 702-12-2020 13:45
201202-1y5asrdnke 701-12-2020 09:29
201201-zsltvgg6kj 701-12-2020 09:16
201201-4t8lf6xbr6 10Analysis
-
max time kernel
5s -
max time network
11s -
platform
windows7_x64 -
resource
win7v20201028 -
submitted
01-12-2020 09:16
General
-
Target
sprintopen.exe
-
Size
80KB
-
MD5
e91d1087dc9767e75f14b335c8d88233
-
SHA1
ddafa725ecd7b2a59bef559904a45d379f593bc7
-
SHA256
b298ead0400aaf886dbe0a0720337e6f2efd5e2a3ac1a7e7da54fc7b6e4f4277
-
SHA512
e7e38ada160ac79ba3204700a7c92cb3fb48cde6936545007bdca8d0b60692a7b8c6baa1fea3c0127293733046712d479efb3d8793541f71a786cef018780b5d
Score
10/10
Malware Config
Extracted
Family
buer
C2
uskatoinaloffice.com
Signatures
-
Buer
Buer is a new modular loader first seen in August 2019.
-
Buer Loader 3 IoCs
Detects Buer loader in memory or disk.
-
Loads dropped DLL 1 IoCs
-
Suspicious use of SetThreadContext 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious behavior: MapViewOfSection 1 IoCs
-
Suspicious use of WriteProcessMemory 5 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\sprintopen.exe"C:\Users\Admin\AppData\Local\Temp\sprintopen.exe"1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\sprintopen.exe"C:\Users\Admin\AppData\Local\Temp\sprintopen.exe"2⤵
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
36KB
-
Filesize
36KB