Analysis
-
max time kernel
150s -
max time network
151s -
platform
windows7_x64 -
resource
win7v20201028 -
submitted
03-02-2021 21:37
Static task
static1
Behavioral task
behavioral1
Sample
form.txt.exe
Resource
win7v20201028
windows7_x64
0 signatures
0 seconds
General
-
Target
form.txt.exe
-
Size
123KB
-
MD5
cb80d26975639b66bb5ecd1f90e623ed
-
SHA1
95c973e9aad17101b29bd195f9c4624922d987ee
-
SHA256
9cd888fa0692f8d0ca69548532ae72171b426d0e9d8b3b46acdbbe7636d653da
-
SHA512
2adf13898114f0a2ebe3b8d279ae3dbc6693db4b44ac7a35ca9e61064caf77edbcbc6b4389542529d74d8347752b7ea00ea969ad7cc8ba6fa5dc0def31f32040
Malware Config
Extracted
Family
buer
C2
officewestbankingconc.com
Signatures
-
Buer Loader 1 IoCs
Detects Buer loader in memory or disk.
resource yara_rule behavioral1/memory/1528-5-0x0000000040000000-0x000000004000A000-memory.dmp buer -
Loads dropped DLL 1 IoCs
pid Process 792 form.txt.exe -
Suspicious use of SetThreadContext 1 IoCs
description pid Process procid_target PID 792 set thread context of 1528 792 form.txt.exe 29 -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious behavior: MapViewOfSection 1 IoCs
pid Process 792 form.txt.exe -
Suspicious use of WriteProcessMemory 5 IoCs
description pid Process procid_target PID 792 wrote to memory of 1528 792 form.txt.exe 29 PID 792 wrote to memory of 1528 792 form.txt.exe 29 PID 792 wrote to memory of 1528 792 form.txt.exe 29 PID 792 wrote to memory of 1528 792 form.txt.exe 29 PID 792 wrote to memory of 1528 792 form.txt.exe 29
Processes
-
C:\Users\Admin\AppData\Local\Temp\form.txt.exe"C:\Users\Admin\AppData\Local\Temp\form.txt.exe"1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:792 -
C:\Users\Admin\AppData\Local\Temp\form.txt.exe"C:\Users\Admin\AppData\Local\Temp\form.txt.exe"2⤵PID:1528
-