Analysis Overview
SHA256
6728db086194c2fa6a8e17e7b13bac1f5329b501e6f93b3587416895d387d343
Threat Level: Known bad
The file buer.exe was found to be: Known bad.
Malicious Activity Summary
Buer
Modifies WinLogon for persistence
Buer Loader
Executes dropped EXE
Loads dropped DLL
Deletes itself
Suspicious use of SetThreadContext
Enumerates physical storage devices
NSIS installer
Suspicious behavior: MapViewOfSection
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2020-05-07 13:29
Signatures
NSIS installer
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2020-05-07 13:29
Reported
2020-05-07 13:31
Platform
win7v200430
Max time kernel
135s
Max time network
25s
Command Line
Signatures
Buer
Modifies WinLogon for persistence
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\ProgramData\\ErrorResponder\\errorResponder.exe\"" | C:\ProgramData\ErrorResponder\errorResponder.exe | N/A |
Buer Loader
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\ProgramData\ErrorResponder\errorResponder.exe | N/A |
| N/A | N/A | C:\ProgramData\ErrorResponder\errorResponder.exe | N/A |
Deletes itself
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\ProgramData\ErrorResponder\errorResponder.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\buer.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\buer.exe | N/A |
| N/A | N/A | C:\ProgramData\ErrorResponder\errorResponder.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 1416 set thread context of 1708 | N/A | C:\Users\Admin\AppData\Local\Temp\buer.exe | C:\Users\Admin\AppData\Local\Temp\buer.exe |
| PID 1796 set thread context of 1856 | N/A | C:\ProgramData\ErrorResponder\errorResponder.exe | C:\ProgramData\ErrorResponder\errorResponder.exe |
Enumerates physical storage devices
NSIS installer
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\buer.exe | N/A |
| N/A | N/A | C:\ProgramData\ErrorResponder\errorResponder.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\buer.exe
"C:\Users\Admin\AppData\Local\Temp\buer.exe"
C:\Users\Admin\AppData\Local\Temp\buer.exe
"C:\Users\Admin\AppData\Local\Temp\buer.exe"
C:\ProgramData\ErrorResponder\errorResponder.exe
C:\ProgramData\ErrorResponder\errorResponder.exe "C:\Users\Admin\AppData\Local\Temp\buer.exe" ensgJJ
C:\ProgramData\ErrorResponder\errorResponder.exe
C:\ProgramData\ErrorResponder\errorResponder.exe "C:\Users\Admin\AppData\Local\Temp\buer.exe" ensgJJ
C:\Windows\SysWOW64\secinit.exe
C:\ProgramData\ErrorResponder\errorResponder.exe
Network
Files
\Users\Admin\AppData\Local\Temp\nsgEE07.tmp\System.dll
| Hash | Value |
|---|---|
| MD5 | 0063d48afe5a0cdc02833145667b6641 |
| SHA1 | e7eb614805d183ecb1127c62decb1a6be1b4f7a8 |
| SHA256 | ac9dfe3b35ea4b8932536ed7406c29a432976b685cc5322f94ef93df920fede7 |
| SHA512 | 71cbbcaeb345e09306e368717ea0503fe8df485be2e95200febc61bcd8ba74fb4211cd263c232f148c0123f6c6f2e3fd4ea20bdecc4070f5208c35c6920240f0 |
memory/1708-1-0x0000000040000000-0x000000004000B000-memory.dmp
memory/1708-2-0x0000000040000000-0x000000004000B000-memory.dmp
\ProgramData\ErrorResponder\errorResponder.exe
| Hash | Value |
|---|---|
| MD5 | f884618092b55e3edc48096757aab143 |
| SHA1 | 0c0ad1301fc561699dba22cc779decc0df5570a1 |
| SHA256 | 6728db086194c2fa6a8e17e7b13bac1f5329b501e6f93b3587416895d387d343 |
| SHA512 | 195f4995907e34867d72778fb7e5857ea16e802376cf7ef17e2af3afa64e929bacfed4ed1b60d71a1ad8ea29e47c795c97ee7e41b6a02db59c9cc68fbb32e6ad |
C:\ProgramData\ErrorResponder\errorResponder.exe
| Hash | Value |
|---|---|
| MD5 | f884618092b55e3edc48096757aab143 |
| SHA1 | 0c0ad1301fc561699dba22cc779decc0df5570a1 |
| SHA256 | 6728db086194c2fa6a8e17e7b13bac1f5329b501e6f93b3587416895d387d343 |
| SHA512 | 195f4995907e34867d72778fb7e5857ea16e802376cf7ef17e2af3afa64e929bacfed4ed1b60d71a1ad8ea29e47c795c97ee7e41b6a02db59c9cc68fbb32e6ad |
C:\ProgramData\ErrorResponder\errorResponder.exe
| Hash | Value |
|---|---|
| MD5 | f884618092b55e3edc48096757aab143 |
| SHA1 | 0c0ad1301fc561699dba22cc779decc0df5570a1 |
| SHA256 | 6728db086194c2fa6a8e17e7b13bac1f5329b501e6f93b3587416895d387d343 |
| SHA512 | 195f4995907e34867d72778fb7e5857ea16e802376cf7ef17e2af3afa64e929bacfed4ed1b60d71a1ad8ea29e47c795c97ee7e41b6a02db59c9cc68fbb32e6ad |
C:\Users\Admin\AppData\Local\Temp\146963395
| Hash | Value |
|---|---|
| MD5 | 87658830198393d3f18326c271d5f28a |
| SHA1 | 0bdcba1892842bb90535ae17348caf116456c67f |
| SHA256 | b1a2da1bcc4f41685772dcddd75d54f496d4f9814c6b6c6860c73bcd8d6f85e9 |
| SHA512 | 2cbb3f80a55273c5285fb67c1d341bc70b9fb12c84de8e9bdd3fb7a5314ffb397473e6a7dfa51d405c3714532e52a2e323c851707376819e97b1a592237c5f96 |
\Users\Admin\AppData\Local\Temp\nsw1C09.tmp\System.dll
| Hash | Value |
|---|---|
| MD5 | 0063d48afe5a0cdc02833145667b6641 |
| SHA1 | e7eb614805d183ecb1127c62decb1a6be1b4f7a8 |
| SHA256 | ac9dfe3b35ea4b8932536ed7406c29a432976b685cc5322f94ef93df920fede7 |
| SHA512 | 71cbbcaeb345e09306e368717ea0503fe8df485be2e95200febc61bcd8ba74fb4211cd263c232f148c0123f6c6f2e3fd4ea20bdecc4070f5208c35c6920240f0 |
C:\ProgramData\ErrorResponder\errorResponder.exe
| Hash | Value |
|---|---|
| MD5 | f884618092b55e3edc48096757aab143 |
| SHA1 | 0c0ad1301fc561699dba22cc779decc0df5570a1 |
| SHA256 | 6728db086194c2fa6a8e17e7b13bac1f5329b501e6f93b3587416895d387d343 |
| SHA512 | 195f4995907e34867d72778fb7e5857ea16e802376cf7ef17e2af3afa64e929bacfed4ed1b60d71a1ad8ea29e47c795c97ee7e41b6a02db59c9cc68fbb32e6ad |
Analysis: behavioral2
Detonation Overview
Submitted
2020-05-07 13:29
Reported
2020-05-07 13:31
Platform
win10v200430
Max time kernel
136s
Max time network
129s
Command Line
Signatures
Loads dropped DLL
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\buer.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 3848 set thread context of 1524 | N/A | C:\Users\Admin\AppData\Local\Temp\buer.exe | C:\Users\Admin\AppData\Local\Temp\buer.exe |
Enumerates physical storage devices
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\buer.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 3848 wrote to memory of 1524 | N/A | C:\Users\Admin\AppData\Local\Temp\buer.exe | C:\Users\Admin\AppData\Local\Temp\buer.exe |
| PID 3848 wrote to memory of 1524 | N/A | C:\Users\Admin\AppData\Local\Temp\buer.exe | C:\Users\Admin\AppData\Local\Temp\buer.exe |
| PID 3848 wrote to memory of 1524 | N/A | C:\Users\Admin\AppData\Local\Temp\buer.exe | C:\Users\Admin\AppData\Local\Temp\buer.exe |
| PID 3848 wrote to memory of 1524 | N/A | C:\Users\Admin\AppData\Local\Temp\buer.exe | C:\Users\Admin\AppData\Local\Temp\buer.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\buer.exe
"C:\Users\Admin\AppData\Local\Temp\buer.exe"
C:\Users\Admin\AppData\Local\Temp\buer.exe
"C:\Users\Admin\AppData\Local\Temp\buer.exe"
Network
Files
\Users\Admin\AppData\Local\Temp\nsxE9EE.tmp\System.dll
| Hash | Value |
|---|---|
| MD5 | 0063d48afe5a0cdc02833145667b6641 |
| SHA1 | e7eb614805d183ecb1127c62decb1a6be1b4f7a8 |
| SHA256 | ac9dfe3b35ea4b8932536ed7406c29a432976b685cc5322f94ef93df920fede7 |
| SHA512 | 71cbbcaeb345e09306e368717ea0503fe8df485be2e95200febc61bcd8ba74fb4211cd263c232f148c0123f6c6f2e3fd4ea20bdecc4070f5208c35c6920240f0 |