Overview

overview

10

Static

static

independen...al.jar

windows7_x64

1

independen...al.jar

windows10_x64

10

Resubmissions

12-02-2021 17:46

210212-qj1pxv26za 10

12-02-2021 13:49

210212-qh2m1q4eyx 10

Analysis

  • max time kernel
    56s
  • max time network
    112s
  • platform
    windows10_x64
  • resource
    win10v20201028
  • submitted
    12-02-2021 17:46

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    independent_appraisal.jar

  • Size

    6KB

  • MD5

    e94dbabc70b4396b39d3a3d3e53cf85b

  • SHA1

    bc6f6267313c0a768ed3f8f92f90c1f105cbd949

  • SHA256

    25840b76b6cf2762898086cd4b62e556bedb9ffcff1a565bad872662c2e5bb36

  • SHA512

    fb2eb9aeb02d111c23cdb61f668affcfb3e847159ce8a158ed39e2f136b9993f8dc68ddbd649d8f13f75ced7f7499c6410861daa1fde8fb15c010c6ccd2f3582

Score
10/10
buerloader

Malware Config

Extracted

Family

buer

C2

antipublicwestbank.com

Signatures

  • Buer

    Buer is a new modular loader first seen in August 2019.

    loaderbuer
  • Buer Loader 1 IoCs

    Detects Buer loader in memory or disk.

  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 1 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • NSIS installer 6 IoCs
    installer
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 7 IoCs

Processes

  • C:\ProgramData\Oracle\Java\javapath\java.exe
    java -jar C:\Users\Admin\AppData\Local\Temp\independent_appraisal.jar
    1⤵
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:496
    • C:\ProgramData\vdeodrv32.exe
      "C:\ProgramData\vdeodrv32.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious use of SetThreadContext
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of WriteProcessMemory
      PID:3576
      • C:\ProgramData\vdeodrv32.exe
        "C:\ProgramData\vdeodrv32.exe"
        3⤵
        • Executes dropped EXE
        PID:3428

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/496-2-0x00000000034C0000-0x0000000003730000-memory.dmp

    Filesize

    2.4MB

    Download

  • memory/3428-9-0x0000000040000000-0x000000004000A000-memory.dmp

    Filesize

    40KB

    Download