Analysis
-
max time kernel
15s -
max time network
112s -
platform
windows10_x64 -
resource
win10v20201028 -
submitted
05-03-2021 18:22
General
-
Target
OfficeDocument.exe
-
Size
277KB
-
MD5
50991ebb9f7b1eb055901dc643bf50c5
-
SHA1
366e13a36809fef35d12e46b3f14ce950de6a7c0
-
SHA256
a9ec36c1b7687d5436007f2640795702ec68b69a67561f94e8507857eb1971cd
-
SHA512
3b5388273e490433b9bef0c445dccb628c89be7568effe0bc3f709f3f1bb021f1881846ddc96831a201b74246be87c6404acaebe9f20be6d19b74797f0a903f0
Malware Config
Extracted
buer
officesecuredocapi.com
Signatures
-
Buer
Buer is a new modular loader first seen in August 2019.
-
Buer Loader 1 IoCs
Detects Buer loader in memory or disk.
-
Loads dropped DLL 1 IoCs
-
Suspicious use of SetThreadContext 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious behavior: MapViewOfSection 1 IoCs
-
Suspicious use of WriteProcessMemory 4 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\OfficeDocument.exe"C:\Users\Admin\AppData\Local\Temp\OfficeDocument.exe"1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\OfficeDocument.exe"C:\Users\Admin\AppData\Local\Temp\OfficeDocument.exe"2⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
\Users\Admin\AppData\Local\Temp\nsy4F5F.tmp\System.dllMD5
0063d48afe5a0cdc02833145667b6641
SHA1e7eb614805d183ecb1127c62decb1a6be1b4f7a8
SHA256ac9dfe3b35ea4b8932536ed7406c29a432976b685cc5322f94ef93df920fede7
SHA51271cbbcaeb345e09306e368717ea0503fe8df485be2e95200febc61bcd8ba74fb4211cd263c232f148c0123f6c6f2e3fd4ea20bdecc4070f5208c35c6920240f0
-
memory/1120-3-0x0000000040005EFA-mapping.dmp
-
memory/1120-4-0x0000000040000000-0x0000000040009000-memory.dmpFilesize
36KB