Analysis
  max time kernel: 135s
  max time network: 25s
  platform: windows7_x64
  resource: win7v200430
  submitted: 07-05-2020 13:29
  Static task: static1
  Behavioral task: behavioral1 (sample buer.exe, resource win7v200430)
  Behavioral task: behavioral2 (sample buer.exe, resource win10v200430)
General
  Target: buer.exe
  Size:   111KB
  MD5:    f884618092b55e3edc48096757aab143
  SHA1:   0c0ad1301fc561699dba22cc779decc0df5570a1
  SHA256: 6728db086194c2fa6a8e17e7b13bac1f5329b501e6f93b3587416895d387d343
  SHA512: 195f4995907e34867d72778fb7e5857ea16e802376cf7ef17e2af3afa64e929bacfed4ed1b60d71a1ad8ea29e47c795c97ee7e41b6a02db59c9cc68fbb32e6ad
Malware Config
  Extracted family: buer
  C2 URLs:
    https://oopscll5.top/
    https://1raidertr.top/
Signatures

Modifies WinLogon for persistence (2 TTPs, 1 IoC)
  Process: errorResponder.exe
  Set value (str): \REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\ProgramData\\ErrorResponder\\errorResponder.exe\""
  Note: the value is written in the user's own hive (HKU\<SID>, i.e. HKCU for that account), so no elevation was needed. explorer.exe is kept as the first entry so the desktop still loads, and the dropped errorResponder.exe is chained after it to run at logon.

Buer Loader (2 IoCs)
  Detects Buer loader in memory or disk.
  resource                                                                      yara_rule
  behavioral1/memory/1708-1-0x0000000040000000-0x000000004000B000-memory.dmp    buer
  behavioral1/memory/1708-2-0x0000000040000000-0x000000004000B000-memory.dmp    buer
  Note: both hits are memory dumps of PID 1708 (the second buer.exe instance) covering 0x40000000-0x4000B000 (0xB000 bytes); no on-disk hit is listed. PID 1708 is the process that PID 1416 wrote into and then redirected with SetThreadContext, so the unpacked loader is only visible in the hollowed child, not in the sample file itself.

Executes dropped EXE (2 IoCs)
  pid   process
  1796  errorResponder.exe
  1856  errorResponder.exe

Deletes itself (1 IoC)
  pid   process
  1856  errorResponder.exe

Loads dropped DLL (3 IoCs)
  pid   process
  1416  buer.exe
  1708  buer.exe
  1796  errorResponder.exe

Suspicious use of SetThreadContext (2 IoCs)
  pid   process             target pid  target process
  1416  buer.exe            1708        buer.exe
  1796  errorResponder.exe  1856        errorResponder.exe

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). The sandbox's generic text for this signature adds "Likely ransomware behaviour"; nothing else in this report supports that reading for this sample, which the family rule identifies as the Buer loader.

NSIS installer (8 IoCs)
  resource                                          yara_rule         hits
  \ProgramData\ErrorResponder\errorResponder.exe    nsis_installer_1  1
  \ProgramData\ErrorResponder\errorResponder.exe    nsis_installer_2  1
  C:\ProgramData\ErrorResponder\errorResponder.exe  nsis_installer_1  3
  C:\ProgramData\ErrorResponder\errorResponder.exe  nsis_installer_2  3
  The dropped errorResponder.exe is NSIS-packaged; all eight hits are the same path recorded with and without the drive letter.

Suspicious behavior: MapViewOfSection (2 IoCs)
  pid   process
  1416  buer.exe
  1796  errorResponder.exe

Suspicious use of WriteProcessMemory (18 IoCs)
  pid   process             target pid  target process      rows
  1416  buer.exe            1708        buer.exe            5
  1708  buer.exe            1796        errorResponder.exe  4
  1796  errorResponder.exe  1856        errorResponder.exe  5
  1856  errorResponder.exe  1760        secinit.exe         4
  Read together with the SetThreadContext rows: 1416->1708 and 1796->1856 are write-then-redirect pairs into a child of the same image (process hollowing); 1708->1796 and 1856->1760 are writes for which this report lists no SetThreadContext row. The last target, PID 1760, is C:\Windows\SysWOW64\secinit.exe, a Windows system binary.
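The tables above are easier to reason about once the rows are parsed and cross-referenced. The following Python is an added triage helper, not part of the sandbox report or of any Buer tooling: it reads the SetThreadContext and WriteProcessMemory rows, pairs them into process-hollowing candidates, ties the Buer YARA hits back to the PID named in the memory-dump file names, and extracts whatever was chained onto the Winlogon Shell value. The event rows, dump names and Shell value are copied from this page; the dump-name layout used by the regex and the assumption that the default Shell value is exactly explorer.exe are mine.

```python
import re
from collections import Counter, namedtuple

# Constructed input: the 20 rows of the SetThreadContext and WriteProcessMemory
# tables above, one per line (the report runs them together).
SANDBOX_EVENTS = """\
PID 1416 set thread context of 1708 1416 buer.exe buer.exe
PID 1796 set thread context of 1856 1796 errorResponder.exe errorResponder.exe
PID 1416 wrote to memory of 1708 1416 buer.exe buer.exe
PID 1416 wrote to memory of 1708 1416 buer.exe buer.exe
PID 1416 wrote to memory of 1708 1416 buer.exe buer.exe
PID 1416 wrote to memory of 1708 1416 buer.exe buer.exe
PID 1416 wrote to memory of 1708 1416 buer.exe buer.exe
PID 1708 wrote to memory of 1796 1708 buer.exe errorResponder.exe
PID 1708 wrote to memory of 1796 1708 buer.exe errorResponder.exe
PID 1708 wrote to memory of 1796 1708 buer.exe errorResponder.exe
PID 1708 wrote to memory of 1796 1708 buer.exe errorResponder.exe
PID 1796 wrote to memory of 1856 1796 errorResponder.exe errorResponder.exe
PID 1796 wrote to memory of 1856 1796 errorResponder.exe errorResponder.exe
PID 1796 wrote to memory of 1856 1796 errorResponder.exe errorResponder.exe
PID 1796 wrote to memory of 1856 1796 errorResponder.exe errorResponder.exe
PID 1796 wrote to memory of 1856 1796 errorResponder.exe errorResponder.exe
PID 1856 wrote to memory of 1760 1856 errorResponder.exe secinit.exe
PID 1856 wrote to memory of 1760 1856 errorResponder.exe secinit.exe
PID 1856 wrote to memory of 1760 1856 errorResponder.exe secinit.exe
PID 1856 wrote to memory of 1760 1856 errorResponder.exe secinit.exe
"""
# From the Buer Loader and Winlogon signatures above (the report shows the
# Shell value JSON-escaped; the raw string is used here).
BUER_DUMPS = [
    "behavioral1/memory/1708-1-0x0000000040000000-0x000000004000B000-memory.dmp",
    "behavioral1/memory/1708-2-0x0000000040000000-0x000000004000B000-memory.dmp",
]
SHELL_VALUE = r'explorer.exe, "C:\ProgramData\ErrorResponder\errorResponder.exe"'

# Row layout: PID <src> <verb> <dst> <src> <src image> <dst image>
EVENT_RE = re.compile(
    r"^PID (\d+) (set thread context of|wrote to memory of) (\d+) \d+ (\S+) (\S+)$")
# Assumed dump-name layout: <task>/memory/<pid>-<seq>-0x<start>-0x<end>-memory.dmp
DUMP_RE = re.compile(r"^(?P<task>[^/]+)/memory/(?P<pid>\d+)-(?P<seq>\d+)-"
                     r"0x(?P<start>[0-9A-Fa-f]+)-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp$")

# kind is "write" (WriteProcessMemory) or "setctx" (SetThreadContext)
Event = namedtuple("Event", "kind src dst src_img dst_img")

def parse_events(text):
    """Turn the signature rows into Event records; non-matching lines are skipped."""
    events = []
    for line in text.splitlines():
        m = EVENT_RE.match(line.strip())
        if m:
            src, verb, dst, src_img, dst_img = m.groups()
            kind = "setctx" if verb.startswith("set thread") else "write"
            events.append(Event(kind, int(src), int(dst), src_img, dst_img))
    return events

def write_counts(events):
    """(src pid, dst pid) -> number of WriteProcessMemory rows."""
    return Counter((e.src, e.dst) for e in events if e.kind == "write")

def hollowing_candidates(events):
    """Pairs where the parent both wrote into the child and reset its thread
    context: the write-then-redirect sequence of process hollowing."""
    writes = {(e.src, e.dst) for e in events if e.kind == "write"}
    return sorted((e.src, e.dst, e.dst_img) for e in events
                  if e.kind == "setctx" and (e.src, e.dst) in writes)

def parse_dump_name(name):
    """Split a memory-dump name into task, pid, sequence number and address range."""
    m = DUMP_RE.match(name)
    if not m:
        raise ValueError(f"unrecognised dump name: {name}")
    return {"task": m["task"], "pid": int(m["pid"]), "seq": int(m["seq"]),
            "start": int(m["start"], 16), "end": int(m["end"], 16)}

def yara_hits_in_hollowed(dump_names, events):
    """PIDs whose dump matched the family rule and that were hollowing targets:
    that is where the unpacked loader lives, not in the file on disk."""
    targets = {dst for _, dst, _ in hollowing_candidates(events)}
    return {parse_dump_name(n)["pid"] for n in dump_names} & targets

def winlogon_shell_extras(value):
    """Entries chained onto the Winlogon Shell value besides the default
    explorer.exe (assumed default; a naive comma split is enough for triage)."""
    extras = []
    for part in value.split(","):
        part = part.strip().strip('"')
        if part and part.lower() != "explorer.exe":
            extras.append(part)
    return extras

if __name__ == "__main__":
    ev = parse_events(SANDBOX_EVENTS)
    print("writes per edge:", dict(write_counts(ev)))
    print("hollowing candidates:", hollowing_candidates(ev))
    print("Buer hits inside hollowed PIDs:", yara_hits_in_hollowed(BUER_DUMPS, ev))
    print("extra Winlogon Shell entries:", winlogon_shell_extras(SHELL_VALUE))
```

Run as a script it reports the two hollowing pairs (1416 into 1708, 1796 into 1856), confirms that the only Buer rule hits are inside the hollowed PID 1708, and returns the dropped errorResponder.exe path as the single foreign entry in the Shell value. The 1708 -> 1796 and 1856 -> 1760 edges show up in the write counts but not as hollowing candidates, because the report lists no SetThreadContext row for them.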
Processes
  1. C:\Users\Admin\AppData\Local\Temp\buer.exe  (PID 1416)
     Command line: "C:\Users\Admin\AppData\Local\Temp\buer.exe"
     - Loads dropped DLL
     - Suspicious use of SetThreadContext
     - Suspicious behavior: MapViewOfSection
     - Suspicious use of WriteProcessMemory
     2. C:\Users\Admin\AppData\Local\Temp\buer.exe  (PID 1708, child of 1416)
        Command line: "C:\Users\Admin\AppData\Local\Temp\buer.exe"
        - Loads dropped DLL
        - Suspicious use of WriteProcessMemory
        3. C:\ProgramData\ErrorResponder\errorResponder.exe  (PID 1796, child of 1708)
           Command line: C:\ProgramData\ErrorResponder\errorResponder.exe "C:\Users\Admin\AppData\Local\Temp\buer.exe" ensgJJ
           - Executes dropped EXE
           - Loads dropped DLL
           - Suspicious use of SetThreadContext
           - Suspicious behavior: MapViewOfSection
           - Suspicious use of WriteProcessMemory
           4. C:\ProgramData\ErrorResponder\errorResponder.exe  (PID 1856, child of 1796)
              Command line: C:\ProgramData\ErrorResponder\errorResponder.exe "C:\Users\Admin\AppData\Local\Temp\buer.exe" ensgJJ
              - Modifies WinLogon for persistence
              - Executes dropped EXE
              - Deletes itself
              - Suspicious use of WriteProcessMemory
              5. C:\Windows\SysWOW64\secinit.exe  (PID 1760, child of 1856)
                 Command line: C:\ProgramData\ErrorResponder\errorResponder.exe
  Notes: the dropped copy is started with the original sample path as an argument (compare the "Deletes itself" signature on PID 1856). For PID 1760 the image path (secinit.exe) does not match the recorded command line (errorResponder.exe), and PID 1856 wrote into this process (see the WriteProcessMemory signature); the mismatch is what an image/command-line check on an endpoint would flag.
Network
MITRE ATT&CK Enterprise v6
Downloads
  Seven files are offered for download; they carry three distinct hash sets.

  Entries 1, 2, 3 and 5 (four files, identical to the submitted sample buer.exe; see General above):
    MD5:    f884618092b55e3edc48096757aab143
    SHA1:   0c0ad1301fc561699dba22cc779decc0df5570a1
    SHA256: 6728db086194c2fa6a8e17e7b13bac1f5329b501e6f93b3587416895d387d343
    SHA512: 195f4995907e34867d72778fb7e5857ea16e802376cf7ef17e2af3afa64e929bacfed4ed1b60d71a1ad8ea29e47c795c97ee7e41b6a02db59c9cc68fbb32e6ad

  Entry 4 (one file):
    MD5:    87658830198393d3f18326c271d5f28a
    SHA1:   0bdcba1892842bb90535ae17348caf116456c67f
    SHA256: b1a2da1bcc4f41685772dcddd75d54f496d4f9814c6b6c6860c73bcd8d6f85e9
    SHA512: 2cbb3f80a55273c5285fb67c1d341bc70b9fb12c84de8e9bdd3fb7a5314ffb397473e6a7dfa51d405c3714532e52a2e323c851707376819e97b1a592237c5f96

  Entries 6 and 7 (two files):
    MD5:    0063d48afe5a0cdc02833145667b6641
    SHA1:   e7eb614805d183ecb1127c62decb1a6be1b4f7a8
    SHA256: ac9dfe3b35ea4b8932536ed7406c29a432976b685cc5322f94ef93df920fede7
    SHA512: 71cbbcaeb345e09306e368717ea0503fe8df485be2e95200febc61bcd8ba74fb4211cd263c232f148c0123f6c6f2e3fd4ea20bdecc4070f5208c35c6920240f0