Analysis
Max time kernel: 15s
Max time network: 112s
Platform: windows10_x64
Resource: win10v20201028
Submitted: 05-03-2021 18:22
Static task: static1
Behavioral task: behavioral1
Sample: OfficeDocument.exe
Resource: win7v20201028
General
Target: OfficeDocument.exe
Size: 277KB
MD5: 50991ebb9f7b1eb055901dc643bf50c5
SHA1: 366e13a36809fef35d12e46b3f14ce950de6a7c0
SHA256: a9ec36c1b7687d5436007f2640795702ec68b69a67561f94e8507857eb1971cd
SHA512: 3b5388273e490433b9bef0c445dccb628c89be7568effe0bc3f709f3f1bb021f1881846ddc96831a201b74246be87c6404acaebe9f20be6d19b74797f0a903f0
Malware Config
Extracted: buer
officesecuredocapi.com
Signatures

Buer Loader (1 IoC)
Detects Buer loader in memory or disk.
Processes:
  Resource: behavioral2/memory/1120-4-0x0000000040000000-0x0000000040009000-memory.dmp
  YARA rule: buer

Loads dropped DLL (1 IoC)
Processes:
  PID   Process
  4772  OfficeDocument.exe

Suspicious use of SetThreadContext (1 IoC)
Processes:
  Description                            PID   Process             Target process
  PID 4772 set thread context of 1120    4772  OfficeDocument.exe  OfficeDocument.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Suspicious behavior: MapViewOfSection (1 IoC)
Processes:
  PID   Process
  4772  OfficeDocument.exe

Suspicious use of WriteProcessMemory (4 IoCs)
Processes:
  Description                            PID   Process             Target process
  PID 4772 wrote to memory of 1120       4772  OfficeDocument.exe  OfficeDocument.exe
  PID 4772 wrote to memory of 1120       4772  OfficeDocument.exe  OfficeDocument.exe
  PID 4772 wrote to memory of 1120       4772  OfficeDocument.exe  OfficeDocument.exe
  PID 4772 wrote to memory of 1120       4772  OfficeDocument.exe  OfficeDocument.exe
Processes

1. C:\Users\Admin\AppData\Local\Temp\OfficeDocument.exe
   "C:\Users\Admin\AppData\Local\Temp\OfficeDocument.exe"
   - Loads dropped DLL
   - Suspicious use of SetThreadContext
   - Suspicious behavior: MapViewOfSection
   - Suspicious use of WriteProcessMemory

   2. C:\Users\Admin\AppData\Local\Temp\OfficeDocument.exe (child of 1)
      "C:\Users\Admin\AppData\Local\Temp\OfficeDocument.exe"
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

\Users\Admin\AppData\Local\Temp\nsy4F5F.tmp\System.dll
  MD5: 0063d48afe5a0cdc02833145667b6641
  SHA1: e7eb614805d183ecb1127c62decb1a6be1b4f7a8
  SHA256: ac9dfe3b35ea4b8932536ed7406c29a432976b685cc5322f94ef93df920fede7
  SHA512: 71cbbcaeb345e09306e368717ea0503fe8df485be2e95200febc61bcd8ba74fb4211cd263c232f148c0123f6c6f2e3fd4ea20bdecc4070f5208c35c6920240f0

memory/1120-3-0x0000000040005EFA-mapping.dmp

memory/1120-4-0x0000000040000000-0x0000000040009000-memory.dmp
  Filesize: 36KB