Analysis

max time kernel: 39s
max time network: 40s
platform: windows7_x64
resource: win7v20201028
submitted: 01-02-2021 20:39
Static task: static1
Behavioral task: behavioral1 (Sample: winword.exe; Resource: win7v20201028; Platform: windows7_x64)
0 signatures, 0 seconds
General

Target: winword.exe
The file name mimics Microsoft Word's executable, but this is an 82KB binary dropped in the user's Temp directory, not the Office program.
Size: 82KB
MD5: 49392cc9138f2d685737955950fd8d69
SHA1: 8b418f639b4bc71ab224972537278f2d23676df8
SHA256: 4f7ccbc55dda5ed45be0fc7dc48b18719556ac9018d5aa4eb9f9ff0470eaca95
SHA512: a75a58cda433f1baeeede01418661fc57512ba52dba585e2cf576294d7be4e39e9fc6af588cd5a3f855665abd038ca4d711567c22bbb1505752421d6357ff123
Malware Config

Extracted
Family: buer
C2: webgraitupeople.com
Signatures

Buer Loader (1 IoC)
Detects Buer loader in memory or disk.
  resource: behavioral1/memory/1640-5-0x0000000040000000-0x000000004000A000-memory.dmp
  yara_rule: buer
  The hit is in the memory of PID 1640 (the child process below), in a 0xA000-byte region at 0x40000000, not in the file on disk: the loader is unpacked only at runtime.

Loads dropped DLL (1 IoC)
  pid 2044, process winword.exe

Suspicious use of SetThreadContext (1 IoC)
  description: PID 2044 set thread context of 1640
  pid 2044, process winword.exe, procid_target 29

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
  This text is the sandbox's generic description for its drive-enumeration heuristic. The family detected here is a loader, and drive enumeration alone is not evidence of ransomware; read it together with the process-injection signatures below.

Suspicious behavior: MapViewOfSection (1 IoC)
  pid 2044, process winword.exe

Suspicious use of WriteProcessMemory (8 IoCs)
  description: PID 2044 wrote to memory of 1640
  pid 2044, process winword.exe, procid_target 29
  The same row is recorded eight times: eight separate writes from the parent into the child.
Processes

C:\Users\Admin\AppData\Local\Temp\winword.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\winword.exe"
  PID: 2044
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\winword.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\winword.exe"
    PID: 1640
    (child of PID 2044; no signatures of its own)

The chain is consistent with process hollowing (RunPE): the parent starts a second copy of its own image (PID 1640), writes into it with WriteProcessMemory (eight writes) and maps a section into it, then redirects the child's thread with SetThreadContext, and the Buer YARA rule matches in the child's memory at 0x40000000. The child process is the one to dump for the unpacked loader; the 82KB file on disk is only the packer.
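The injection chain above can be recovered mechanically from the signature rows. The following is an added example, not part of the report or of the sandbox's own tooling: it parses the flattened SetThreadContext / WriteProcessMemory rows and the YARA memory hit exactly as they appear on this page, and flags the process-hollowing pattern (one parent both writes into and re-points a thread of a child running the same image, and the family detection lands in that child's memory). The row texts and process paths are copied from the report; the column layout assumed by the regexes, the rule itself and all function names are this example's assumptions.

```python
import re
from collections import defaultdict

# Signature rows copied from the report above (parent 2044, child 1640).
# The WriteProcessMemory row is listed eight times in the report.
SIG_ROWS = [
    ("SetThreadContext", "PID 2044 set thread context of 1640 2044 winword.exe 29"),
] + [("WriteProcessMemory", "PID 2044 wrote to memory of 1640 2044 winword.exe 29")] * 8

# YARA hit resource string copied from the report: <pid>-<n>-<start>-<end>-memory.dmp <rule>
YARA_HITS = ["behavioral1/memory/1640-5-0x0000000040000000-0x000000004000A000-memory.dmp buer"]

# Process list from the report (pid -> image path). The parent/child link is
# recovered from the injection rows, not from this table.
PROCESSES = {
    2044: r"C:\Users\Admin\AppData\Local\Temp\winword.exe",
    1640: r"C:\Users\Admin\AppData\Local\Temp\winword.exe",
}

# Assumed column layout of a flattened row: description, pid, Process, procid_target.
ROW_RE = re.compile(
    r"PID (?P<src>\d+) (?P<verb>set thread context of|wrote to memory of) (?P<dst>\d+) "
    r"(?P<pid>\d+) (?P<image>\S+) (?P<procid_target>\d+)$"
)
HIT_RE = re.compile(
    r"memory/(?P<pid>\d+)-\d+-0x(?P<start>[0-9A-Fa-f]+)-0x(?P<end>[0-9A-Fa-f]+)"
    r"-memory\.dmp (?P<rule>\w+)$"
)


def parse_rows(rows):
    """Turn (api, row_text) pairs into (api, src_pid, dst_pid) edges; skip rows that do not parse."""
    edges = []
    for api, text in rows:
        m = ROW_RE.search(text)
        if m:
            edges.append((api, int(m["src"]), int(m["dst"])))
    return edges


def parse_hits(hits):
    """Turn YARA resource strings into (pid, start, end, rule) tuples; skip unparseable ones."""
    out = []
    for h in hits:
        m = HIT_RE.search(h)
        if m:
            out.append((int(m["pid"]), int(m["start"], 16), int(m["end"], 16), m["rule"]))
    return out


def find_hollowing(rows, hits, processes):
    """Flag every target that one parent both wrote into and set a thread context on.

    Returns {target_pid: {...}} with the parent pid, the API set, the number of
    writes, whether parent and target share an image path (self-hollowing) and
    any YARA hits found in the target's memory.
    """
    by_pair = defaultdict(lambda: {"apis": set(), "writes": 0})
    for api, src, dst in parse_rows(rows):
        rec = by_pair[(src, dst)]
        rec["apis"].add(api)
        if api == "WriteProcessMemory":
            rec["writes"] += 1

    payloads = defaultdict(list)
    for pid, start, end, rule in parse_hits(hits):
        payloads[pid].append({"rule": rule, "start": start, "size": end - start})

    findings = {}
    for (src, dst), rec in by_pair.items():
        if {"SetThreadContext", "WriteProcessMemory"} <= rec["apis"]:
            findings[dst] = {
                "parent": src,
                "apis": rec["apis"],
                "writes": rec["writes"],
                # Only call it self-hollowing when both images are known and equal.
                "same_image": src in processes and processes[src] == processes.get(dst),
                "payload": payloads.get(dst, []),
            }
    return findings


if __name__ == "__main__":
    for pid, f in find_hollowing(SIG_ROWS, YARA_HITS, PROCESSES).items():
        kind = "self-hollowing" if f["same_image"] else "remote injection"
        print(f"pid {f['parent']} -> {pid}: {kind}, {f['writes']} writes, payload {f['payload']}")
```

Run against this report it yields a single finding: 2044 -> 1640, self-hollowing, eight writes, with the buer hit at 0x40000000 (0xA000 bytes) in the target. The region reported there is what to carve from the child's memory dump; the same correlation applied to a report where the YARA hit is in the parent, or where the target runs a different image, would be classified differently, which is why the rule keeps the image comparison and the payload list separate.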