Analysis
- max time kernel: 1560s
- max time network: 1603s
- platform: windows7_x64
- resource: win7v20210408
- submitted: 27-06-2021 20:53
Static task: static1
Behavioral task: behavioral1
- Sample: OfficeVerifySign.exe
- Resource: win7v20210408
- 0 signatures
- 0 seconds
General
- Target: OfficeVerifySign.exe
- Size: 1.5MB
- MD5: 65d160b89f6f563bca60461adc71f979
- SHA1: a61e74e58d3c5eee4a127dd108cff9dbbcfc8ef1
- SHA256: 3abed86f46c8be754239f8c878f035efaae91c33b8eb8818c5bbed98c4d9a3ac
- SHA512: d7dc4a53fda4880ee689e1e39129af4100f9a877a4ebb8f9915554c7739a956011338bcd7a43726261f0041f1a5976ffc044475e7ceb9b08073cd037bc59a88d
Malware Config
Extracted
- Family: rustybuer
- C2: https://documentssign-api.com/
Signatures
Loads dropped DLL (1 IoC)
  pid   Process
  1988  OfficeVerifySign.exe
Enumerates connected drives (3 TTPs, 49 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
Suspicious use of SetThreadContext (1 IoC)
  description                          pid   Process               procid_target
  PID 1988 set thread context of 1620  1988  OfficeVerifySign.exe  29
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Suspicious behavior: MapViewOfSection (1 IoC)
  pid   Process
  1988  OfficeVerifySign.exe
Suspicious use of WriteProcessMemory (5 IoCs)
  description                       pid   Process               procid_target
  PID 1988 wrote to memory of 1620  1988  OfficeVerifySign.exe  29
  PID 1988 wrote to memory of 1620  1988  OfficeVerifySign.exe  29
  PID 1988 wrote to memory of 1620  1988  OfficeVerifySign.exe  29
  PID 1988 wrote to memory of 1620  1988  OfficeVerifySign.exe  29
  PID 1988 wrote to memory of 1620  1988  OfficeVerifySign.exe  29
Processes
- C:\Users\Admin\AppData\Local\Temp\OfficeVerifySign.exe
  "C:\Users\Admin\AppData\Local\Temp\OfficeVerifySign.exe"
  PID: 1988
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\OfficeVerifySign.exe
    "C:\Users\Admin\AppData\Local\Temp\OfficeVerifySign.exe"
    PID: 1620
    - Enumerates connected drives