Overview

overview

10

Static

static

1

SCD10093264.jpg.exe

windows7_x64

10

SCD10093264.jpg.exe

windows10_x64

10

Resubmissions

12-02-2021 16:10

210212-y931k5cqtn 10

10-02-2021 20:48

210210-yxgp15f1tx 10

Analysis

  • max time kernel
    91s
  • max time network
    92s
  • platform
    windows7_x64
  • resource
    win7v20201028
  • submitted
    10-02-2021 20:48

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    SCD10093264.jpg.exe

  • Size

    104KB

  • MD5

    1fa27c5e084887e9e3a2e232d27e10e3

  • SHA1

    a7c98a694753ed745e8618369d16e39c46cca1e7

  • SHA256

    41a4ee153b3c61cc8ed50de571e5b8f884de1c8c07332b7b31f238360832988c

  • SHA512

    81ecb5e4b3ea478f27509d1eafd106ec224fc0ccdfd411cb3b2345fc752d738f6300fd575a2941611e1763dce125364fb765a48835249cd7e7e33e28a01f40b5

Score
10/10
buerloader

Malware Config

Extracted

Family

buer

C2

dtermalherbhos.com

Signatures

  • Buer

    Buer is a new modular loader first seen in August 2019.

    loaderbuer
  • Buer Loader 1 IoCs

    Detects Buer loader in memory or disk.

  • Loads dropped DLL 1 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of WriteProcessMemory 5 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\SCD10093264.jpg.exe
    "C:\Users\Admin\AppData\Local\Temp\SCD10093264.jpg.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of SetThreadContext
    • Suspicious behavior: MapViewOfSection
    • Suspicious use of WriteProcessMemory
    PID:2008
    • C:\Users\Admin\AppData\Local\Temp\SCD10093264.jpg.exe
      "C:\Users\Admin\AppData\Local\Temp\SCD10093264.jpg.exe"
      2⤵
        PID:1724

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • \Users\Admin\AppData\Local\Temp\nsx3100.tmp\System.dll
      MD5

      fccff8cb7a1067e23fd2e2b63971a8e1

      SHA1

      30e2a9e137c1223a78a0f7b0bf96a1c361976d91

      SHA256

      6fcea34c8666b06368379c6c402b5321202c11b00889401c743fb96c516c679e

      SHA512

      f4335e84e6f8d70e462a22f1c93d2998673a7616c868177cac3e8784a3be1d7d0bb96f2583fa0ed82f4f2b6b8f5d9b33521c279a42e055d80a94b4f3f1791e0c

      Download Submit

    • memory/1724-4-0x000000004000626A-mapping.dmp

      Download

    • memory/1724-5-0x0000000040000000-0x000000004000A000-memory.dmp

      Filesize

      40KB

      Download

    • memory/2008-2-0x0000000075EA1000-0x0000000075EA3000-memory.dmp

      Filesize

      8KB

      Download