Overview

overview

10

Static

static

1

newbuer.exe

windows7_x64

10

newbuer.exe

windows10_x64

10

Analysis

  • max time kernel
    146s
  • max time network
    150s
  • platform
    windows7_x64
  • resource
    win7v200430
  • submitted
    18-05-2020 15:42

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    newbuer.exe

  • Size

    111KB

  • MD5

    4df84f8de8a5526f119c26518b529757

  • SHA1

    42d281abeb10649bff097504f20e8fc2c8e85f5c

  • SHA256

    9e746625abad522321067f546c40e8b26176ef5585bf3a45cb58ff758738f68c

  • SHA512

    68cd6ce9eb7f01d7e6b2b2fff6dfdf981834168cb406a7d67df1f4c9d78b36b22689b03e408e3e68faf76d3bb4b0abd109024d4e2389258ea64a89f54e4a4b88

Score
10/10
buerloaderpersistence

Malware Config

Extracted

Family

buer

C2

https://maldivosgrant.net/

https://jokenoiam.net/

Signatures

  • Buer

    Buer is a new modular loader first seen in August 2019.

    loaderbuer
  • Modifies WinLogon for persistence 2 TTPs 1 IoCs
    persistence
  • Buer Loader 2 IoCs

    Detects Buer loader in memory or disk.

  • Executes dropped EXE 2 IoCs
  • Deletes itself 1 IoCs
  • Loads dropped DLL 3 IoCs
  • Enumerates connected drives 3 TTPs 24 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Suspicious use of SetThreadContext 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • NSIS installer 8 IoCs
    installer
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious behavior: MapViewOfSection 2 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\newbuer.exe
    "C:\Users\Admin\AppData\Local\Temp\newbuer.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of SetThreadContext
    • Suspicious behavior: MapViewOfSection
    • Suspicious use of WriteProcessMemory
    PID:288
    • C:\Users\Admin\AppData\Local\Temp\newbuer.exe
      "C:\Users\Admin\AppData\Local\Temp\newbuer.exe"
      2⤵
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:112
      • C:\ProgramData\RedTools\networker.exe
        C:\ProgramData\RedTools\networker.exe "C:\Users\Admin\AppData\Local\Temp\newbuer.exe" ensgJJ
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious use of SetThreadContext
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of WriteProcessMemory
        PID:1836
        • C:\ProgramData\RedTools\networker.exe
          C:\ProgramData\RedTools\networker.exe "C:\Users\Admin\AppData\Local\Temp\newbuer.exe" ensgJJ
          4⤵
          • Modifies WinLogon for persistence
          • Executes dropped EXE
          • Deletes itself
          • Enumerates connected drives
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          PID:1788
          • C:\Windows\SysWOW64\secinit.exe
            C:\ProgramData\RedTools\networker.exe
            5⤵
              PID:1784

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • memory/112-1-0x0000000040000000-0x000000004000C000-memory.dmp

      Filesize

      48KB

      Download

    • memory/112-2-0x0000000040000000-0x000000004000C000-memory.dmp

      Filesize

      48KB

      Download