Resubmissions
02-12-2020 13:57
201202-jdp64q14ds  7   02-12-2020 13:45
201202-1y5asrdnke  7   01-12-2020 09:29
201201-zsltvgg6kj  7   01-12-2020 09:16
201201-4t8lf6xbr6  10

Analysis
- max time kernel: 5s
- max time network: 11s
- platform: windows7_x64
- resource: win7v20201028
- submitted: 01-12-2020 09:16

Static task: static1
Behavioral task: behavioral1
Sample: sprintopen.exe
Resource: win7v20201028
General
- Target: sprintopen.exe
- Size: 80KB
- MD5: e91d1087dc9767e75f14b335c8d88233
- SHA1: ddafa725ecd7b2a59bef559904a45d379f593bc7
- SHA256: b298ead0400aaf886dbe0a0720337e6f2efd5e2a3ac1a7e7da54fc7b6e4f4277
- SHA512: e7e38ada160ac79ba3204700a7c92cb3fb48cde6936545007bdca8d0b60692a7b8c6baa1fea3c0127293733046712d479efb3d8793541f71a786cef018780b5d
Malware Config
Extracted
buer
uskatoinaloffice.com
Signatures
- Buer Loader (3 IoCs)
  Detects Buer loader in memory or disk.
  Processes:
    resource                                                                     yara_rule
    behavioral1/memory/1364-3-0x0000000040000000-0x0000000040009000-memory.dmp   buer
    behavioral1/memory/1364-4-0x0000000040005DA8-mapping.dmp                     buer
    behavioral1/memory/1364-5-0x0000000040000000-0x0000000040009000-memory.dmp   buer
- Loads dropped DLL (1 IoCs)
  Processes:
    pid 748   process sprintopen.exe
- Suspicious use of SetThreadContext (1 IoCs)
  Processes:
    description: PID 748 set thread context of 1364   pid 748   process sprintopen.exe   target process sprintopen.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious behavior: MapViewOfSection (1 IoCs)
  Processes:
    pid 748   process sprintopen.exe
- Suspicious use of WriteProcessMemory (5 IoCs)
  Processes:
    description: PID 748 wrote to memory of 1364   pid 748   process sprintopen.exe   target process sprintopen.exe   (5 identical rows)
Processes
- C:\Users\Admin\AppData\Local\Temp\sprintopen.exe   "C:\Users\Admin\AppData\Local\Temp\sprintopen.exe"
  PID: 748
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\sprintopen.exe   "C:\Users\Admin\AppData\Local\Temp\sprintopen.exe"
    PID: 1364
Network
MITRE ATT&CK Enterprise v6
Downloads
- MD5: fccff8cb7a1067e23fd2e2b63971a8e1
- SHA1: 30e2a9e137c1223a78a0f7b0bf96a1c361976d91
- SHA256: 6fcea34c8666b06368379c6c402b5321202c11b00889401c743fb96c516c679e
- SHA512: f4335e84e6f8d70e462a22f1c93d2998673a7616c868177cac3e8784a3be1d7d0bb96f2583fa0ed82f4f2b6b8f5d9b33521c279a42e055d80a94b4f3f1791e0c