Analysis
- max time kernel: 1560s
- max time network: 1603s
- platform: windows7_x64
- resource: win7v20210408
- submitted: 27-06-2021 20:53

Static task: static1
Behavioral task: behavioral1
Sample: OfficeVerifySign.exe
Resource: win7v20210408
General
- Target: OfficeVerifySign.exe
- Size: 1.5MB
- MD5: 65d160b89f6f563bca60461adc71f979
- SHA1: a61e74e58d3c5eee4a127dd108cff9dbbcfc8ef1
- SHA256: 3abed86f46c8be754239f8c878f035efaae91c33b8eb8818c5bbed98c4d9a3ac
- SHA512: d7dc4a53fda4880ee689e1e39129af4100f9a877a4ebb8f9915554c7739a956011338bcd7a43726261f0041f1a5976ffc044475e7ceb9b08073cd037bc59a88d
Malware Config
Extracted
rustybuer
https://documentssign-api.com/
Signatures
- Loads dropped DLL (1 IoCs)
  Processes (pid / process):
    1988 / OfficeVerifySign.exe
- Enumerates connected drives (3 TTPs, 49 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
  Processes (description / ioc / process):
    File opened (read-only) / one of the 49 drive roots below / OfficeVerifySign.exe
    \??\z: \??\M: \??\N: \??\Q: \??\u: \??\W: \??\x: \??\y: \??\R: \??\S:
    \??\T: \??\V: \??\m: \??\w: \??\Z: \??\f: \??\I: \??\J: \??\K: \??\U:
    \??\v: \??\G: \??\L: \??\p: \??\s: \??\g: \??\i: \??\o: \??\a: \??\A:
    \??\O: \??\X: \??\l: \??\n: \??\q: \??\Y: \??\e: \??\E: \??\H: \??\k:
    \??\h: \??\j: \??\P: \??\r: \??\b: \??\B: \??\D: \??\F: \??\t:
- Suspicious use of SetThreadContext (1 IoCs)
  Processes (description / pid / process / target process):
    PID 1988 set thread context of 1620 / 1988 / OfficeVerifySign.exe / OfficeVerifySign.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious behavior: MapViewOfSection (1 IoCs)
  Processes (pid / process):
    1988 / OfficeVerifySign.exe
- Suspicious use of WriteProcessMemory (5 IoCs)
  Processes (description / pid / process / target process):
    PID 1988 wrote to memory of 1620 / 1988 / OfficeVerifySign.exe / OfficeVerifySign.exe
    PID 1988 wrote to memory of 1620 / 1988 / OfficeVerifySign.exe / OfficeVerifySign.exe
    PID 1988 wrote to memory of 1620 / 1988 / OfficeVerifySign.exe / OfficeVerifySign.exe
    PID 1988 wrote to memory of 1620 / 1988 / OfficeVerifySign.exe / OfficeVerifySign.exe
    PID 1988 wrote to memory of 1620 / 1988 / OfficeVerifySign.exe / OfficeVerifySign.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\OfficeVerifySign.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\OfficeVerifySign.exe"
  PID: 1988
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\OfficeVerifySign.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\OfficeVerifySign.exe"
    PID: 1620
    - Enumerates connected drives
Network
MITRE ATT&CK Enterprise v6
Downloads
- MD5: 0063d48afe5a0cdc02833145667b6641
- SHA1: e7eb614805d183ecb1127c62decb1a6be1b4f7a8
- SHA256: ac9dfe3b35ea4b8932536ed7406c29a432976b685cc5322f94ef93df920fede7
- SHA512: 71cbbcaeb345e09306e368717ea0503fe8df485be2e95200febc61bcd8ba74fb4211cd263c232f148c0123f6c6f2e3fd4ea20bdecc4070f5208c35c6920240f0