Analysis
-
max time kernel
7s -
max time network
10s -
platform
windows7_x64 -
resource
win7v20201028 -
submitted
03-02-2021 07:21
Static task
static1
Behavioral task
behavioral1
Sample
licenser.txt.exe
Resource
win7v20201028
windows7_x64
0 signatures
0 seconds
General
-
Target
licenser.txt.exe
-
Size
110KB
-
MD5
63e7beb498ebe532263c977d71f664c3
-
SHA1
ba5e80517cef90a4fe50753a2b3c134a400b478c
-
SHA256
7d502dec22302537441fdc43c60eed70bcde7f97bb14414e7859439d2ec7914f
-
SHA512
cd4385b9e1bfbe504fd1d69388e5839fd196801b9c5f41e020d39083092d7f402662753464626d633b06fe1f0bb97e6360f93602f34e4eb88dfd06ba9fce6758
Malware Config
Extracted
Family
buer
C2
webgraitupeople.com
Signatures
-
Buer Loader 1 IoCs
Detects Buer loader in memory or disk.
resource yara_rule behavioral1/memory/1828-5-0x0000000040000000-0x000000004000A000-memory.dmp buer -
Loads dropped DLL 1 IoCs
pid Process 1088 licenser.txt.exe -
Suspicious use of SetThreadContext 1 IoCs
description pid Process procid_target PID 1088 set thread context of 1828 1088 licenser.txt.exe 29 -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious behavior: MapViewOfSection 1 IoCs
pid Process 1088 licenser.txt.exe -
Suspicious use of WriteProcessMemory 5 IoCs
description pid Process procid_target PID 1088 wrote to memory of 1828 1088 licenser.txt.exe 29 PID 1088 wrote to memory of 1828 1088 licenser.txt.exe 29 PID 1088 wrote to memory of 1828 1088 licenser.txt.exe 29 PID 1088 wrote to memory of 1828 1088 licenser.txt.exe 29 PID 1088 wrote to memory of 1828 1088 licenser.txt.exe 29
Processes
-
C:\Users\Admin\AppData\Local\Temp\licenser.txt.exe"C:\Users\Admin\AppData\Local\Temp\licenser.txt.exe"1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1088 -
C:\Users\Admin\AppData\Local\Temp\licenser.txt.exe"C:\Users\Admin\AppData\Local\Temp\licenser.txt.exe"2⤵PID:1828
-