Overview

overview

10

Static

static

Private doc.docm

windows7_x64

1

Private doc.docm

windows10_x64

10

Analysis

  • max time kernel
    139s
  • max time network
    137s
  • platform
    windows10_x64
  • resource
    win10v20201028
  • submitted
    07-04-2021 14:37

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Private doc.docm

  • Size

    3.4MB

  • MD5

    00865fba20ef7d34ed136b9533401755

  • SHA1

    49d83871e2fdf8ca5f05c7eb67a580943cb930ed

  • SHA256

    c036d1c05516a8df5ea47b37cf51676e02f06ddc69532b600e3a9e1e50da3de2

  • SHA512

    7c3507805b52164df804c3bd43520467773bb53a930de0a2ad8275a8747a3a11f4330e955b7b7f7b972a80ef0279cae3a77d4f71ab11adb3eac31c34f9bece80

Score
10/10
rustybuerloader

Malware Config

Extracted

Family

rustybuer

C2

https://bankdocuments-api.com/

Signatures

  • Process spawned unexpected child process 1 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • RustyBuer

    RustyBuer is a new variant of Buer loader written in Rust.

    loaderrustybuer
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 1 IoCs
  • Enumerates connected drives 3 TTPs 49 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • NSIS installer 6 IoCs
    installer
  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Suspicious behavior: AddClipboardFormatListener 2 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of SetWindowsHookEx 7 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
    "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\Private doc.docm" /o ""
    1⤵
    • Checks processor information in registry
    • Enumerates system info in registry
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:816
    • C:\Windows\SYSTEM32\cmd.exe
      cmd.exe /c "explorer.exe /root,C:\ProgramData\OfficeConsultPlugin.exe", vbHide
      2⤵
      • Process spawned unexpected child process
      • Suspicious use of WriteProcessMemory
      PID:3100
      • C:\Windows\explorer.exe
        explorer.exe /root,C:\ProgramData\OfficeConsultPlugin.exe, vbHide
        3⤵
          PID:1188
    • C:\Windows\explorer.exe
      C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
      1⤵
      • Suspicious use of WriteProcessMemory
      PID:3392
      • C:\ProgramData\OfficeConsultPlugin.exe
        "C:\ProgramData\OfficeConsultPlugin.exe"
        2⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious use of SetThreadContext
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of WriteProcessMemory
        PID:4032
        • C:\ProgramData\OfficeConsultPlugin.exe
          "C:\ProgramData\OfficeConsultPlugin.exe"
          3⤵
          • Executes dropped EXE
          • Enumerates connected drives
          PID:3832

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\ProgramData\OfficeConsultPlugin.exe
      MD5

      fba1fd894b9201a11e866ba58c80ae61

      SHA1

      89236d9795f1e8db7d895d0e364dd4768ebc6410

      SHA256

      904f69a4bed3844273cce1676e8920794815af4c1527e560bbc1bc44b5b8457a

      SHA512

      0d37b91123abb1ded40ae7604980dffa675dcacc1bf772b06e36a2e4c72488558511dd3f8df0fc47d9a6cc870eaef4a9e54a55b20a4432b5802cdeeba327470a

      Download Submit

    • C:\ProgramData\OfficeConsultPlugin.exe
      MD5

      fba1fd894b9201a11e866ba58c80ae61

      SHA1

      89236d9795f1e8db7d895d0e364dd4768ebc6410

      SHA256

      904f69a4bed3844273cce1676e8920794815af4c1527e560bbc1bc44b5b8457a

      SHA512

      0d37b91123abb1ded40ae7604980dffa675dcacc1bf772b06e36a2e4c72488558511dd3f8df0fc47d9a6cc870eaef4a9e54a55b20a4432b5802cdeeba327470a

      Download Submit

    • C:\ProgramData\OfficeConsultPlugin.exe
      MD5

      fba1fd894b9201a11e866ba58c80ae61

      SHA1

      89236d9795f1e8db7d895d0e364dd4768ebc6410

      SHA256

      904f69a4bed3844273cce1676e8920794815af4c1527e560bbc1bc44b5b8457a

      SHA512

      0d37b91123abb1ded40ae7604980dffa675dcacc1bf772b06e36a2e4c72488558511dd3f8df0fc47d9a6cc870eaef4a9e54a55b20a4432b5802cdeeba327470a

      Download Submit

    • \Users\Admin\AppData\Local\Temp\nshD6FE.tmp\System.dll
      MD5

      0063d48afe5a0cdc02833145667b6641

      SHA1

      e7eb614805d183ecb1127c62decb1a6be1b4f7a8

      SHA256

      ac9dfe3b35ea4b8932536ed7406c29a432976b685cc5322f94ef93df920fede7

      SHA512

      71cbbcaeb345e09306e368717ea0503fe8df485be2e95200febc61bcd8ba74fb4211cd263c232f148c0123f6c6f2e3fd4ea20bdecc4070f5208c35c6920240f0

      Download Submit

    • memory/816-5-0x00007FFB60CA0000-0x00007FFB60CB0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/816-6-0x00007FFB80F70000-0x00007FFB815A7000-memory.dmp

      Filesize

      6.2MB

      Download

    • memory/816-2-0x00007FFB60CA0000-0x00007FFB60CB0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/816-4-0x00007FFB60CA0000-0x00007FFB60CB0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/816-3-0x00007FFB60CA0000-0x00007FFB60CB0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/1188-8-0x0000000000000000-mapping.dmp

      Download

    • memory/3100-7-0x0000000000000000-mapping.dmp

      Download

    • memory/3832-13-0x0000000000488AD2-mapping.dmp

      Download

    • memory/3832-15-0x0000000000400000-0x0000000000534000-memory.dmp

      Filesize

      1.2MB

      Download

    • memory/3832-16-0x0000000000400000-0x0000000000534000-memory.dmp

      Filesize

      1.2MB

      Download

    • memory/4032-10-0x0000000000000000-mapping.dmp

      Download