Overview

overview

10

Static

static

Invoice.xlsb

windows7_x64

10

Invoice.xlsb

windows10_x64

10

Analysis

  • max time kernel
    63s
  • max time network
    40s
  • platform
    windows7_x64
  • resource
    win7v20201028
  • submitted
    15-12-2020 22:28

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Invoice.xlsb

  • Size

    155KB

  • MD5

    18cb83fa82fb14788d5a1cbafcd9bb28

  • SHA1

    4b61151831eedeb225166c30c2e2b555c9e5b5d0

  • SHA256

    45cc417aeb30d7aaba675077c10f70d66ee9b1b8b4820f0469221f0a87fe9545

  • SHA512

    123acdaeb7baeb1bfe5284a70d920f692ff97927fe05cbbf56b029c93684aea5429c7e619a8a3ea2e55136d8398777f0e0b134cfe27e61b92acda0acf3ec5b4e

Score
10/10
buerloader

Malware Config

Extracted

Family

buer

C2

softwareconsbank.com

Signatures

  • Buer

    Buer is a new modular loader first seen in August 2019.

    loaderbuer
  • Buer Loader 3 IoCs

    Detects Buer loader in memory or disk.

  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • NSIS installer 8 IoCs
    installer
  • Enumerates system info in registry 2 TTPs 1 IoCs
  • Modifies Internet Explorer settings 1 TTPs 9 IoCs
    adwarespyware
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of SetWindowsHookEx 3 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\Invoice.xlsb
    1⤵
    • Loads dropped DLL
    • Enumerates system info in registry
    • Modifies Internet Explorer settings
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1832
    • C:\GSEER\GefeDFpa\spoolv.exe
      "C:\GSEER\GefeDFpa\spoolv.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious use of SetThreadContext
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of WriteProcessMemory
      PID:1072
      • C:\GSEER\GefeDFpa\spoolv.exe
        "C:\GSEER\GefeDFpa\spoolv.exe"
        3⤵
        • Executes dropped EXE
        PID:1880

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/1648-2-0x000007FEF5D50000-0x000007FEF5FCA000-memory.dmp

    Filesize

    2.5MB

    Download

  • memory/1832-13-0x0000000001E40000-0x0000000001E41000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1880-8-0x0000000040000000-0x0000000040009000-memory.dmp

    Filesize

    36KB

    Download

  • memory/1880-11-0x0000000040000000-0x0000000040009000-memory.dmp

    Filesize

    36KB

    Download