Analysis

  • max time kernel
    14s
  • max time network
    112s
  • platform
    windows10_x64
  • resource
    win10v20201028
  • submitted
    03-02-2021 21:38

General

  • Target

    form.txt.exe

  • Size

    123KB

  • MD5

    cb80d26975639b66bb5ecd1f90e623ed

  • SHA1

    95c973e9aad17101b29bd195f9c4624922d987ee

  • SHA256

    9cd888fa0692f8d0ca69548532ae72171b426d0e9d8b3b46acdbbe7636d653da

  • SHA512

    2adf13898114f0a2ebe3b8d279ae3dbc6693db4b44ac7a35ca9e61064caf77edbcbc6b4389542529d74d8347752b7ea00ea969ad7cc8ba6fa5dc0def31f32040

Score
10/10

Malware Config

Extracted

Family

buer

C2

officewestbankingconc.com

Signatures

  • Buer

    Buer is a new modular loader first seen in August 2019.

  • Buer Loader 1 IoCs

    Detects Buer loader in memory or disk.

  • Loads dropped DLL 1 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\form.txt.exe
    "C:\Users\Admin\AppData\Local\Temp\form.txt.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of SetThreadContext
    • Suspicious behavior: MapViewOfSection
    • Suspicious use of WriteProcessMemory
    PID:812
    • C:\Users\Admin\AppData\Local\Temp\form.txt.exe
      "C:\Users\Admin\AppData\Local\Temp\form.txt.exe"
      2⤵
        PID:2728

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • memory/2728-4-0x0000000040000000-0x000000004000A000-memory.dmp

      Filesize

      40KB