buer | 070d785aab37f9ac742f0c5ad255be4d46147ae9917960058fe5846a2e2e1083

General

Target

070d785aab37f9ac742f0c5ad255be4d46147ae9917960058fe5846a2e2e1083.exe
Size

38KB
MD5

d91043ee270758fbc29613e993cf17a6
SHA1

bf3baf3e2d446f65b14d310e0e0a79d4002f9c03
SHA256

070d785aab37f9ac742f0c5ad255be4d46147ae9917960058fe5846a2e2e1083
SHA512

1b8daad67e37e02835666acb1a815baccd235f955c95cf34bb28a9f4301eae32767919c1a473614da61ff7c0c0e646ac04317145228d6c57f02f3a0e55535000

Score

10^/10

buer loader persistence

Malware Config

Extracted

Family

buer

C2

https://66.228.45.248/

https://server-linode.nl/

Signatures

Buer
Buer is a new modular loader first seen in August 2019.
loader buer

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

gennt.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\ProgramData\\d27b15bf5fed4179aa6c\\gennt.exe\""	gennt.exe

Buer Loader 4 IoCs

Detects Buer loader in memory or disk.

Processes:

resource	yara_rule
\ProgramData\d27b15bf5fed4179aa6c\gennt.exe	buer
\ProgramData\d27b15bf5fed4179aa6c\gennt.exe	buer
C:\ProgramData\d27b15bf5fed4179aa6c\gennt.exe	buer
C:\ProgramData\d27b15bf5fed4179aa6c\gennt.exe	buer

Executes dropped EXE 1 IoCs

Processes:

gennt.exe

pid process

1828 gennt.exe
Deletes itself 1 IoCs

Processes:

gennt.exe

pid process

1828 gennt.exe

pid	process
1828	gennt.exe

pid	process
1828	gennt.exe

Loads dropped DLL 2 IoCs

Processes:

070d785aab37f9ac742f0c5ad255be4d46147ae9917960058fe5846a2e2e1083.exe

pid	process
1528	070d785aab37f9ac742f0c5ad255be4d46147ae9917960058fe5846a2e2e1083.exe
1528	070d785aab37f9ac742f0c5ad255be4d46147ae9917960058fe5846a2e2e1083.exe

Enumerates connected drives 3 TTPs 24 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

gennt.exe

description	ioc	process
File opened (read-only)	\??\V:	gennt.exe
File opened (read-only)	\??\X:	gennt.exe
File opened (read-only)	\??\B:	gennt.exe
File opened (read-only)	\??\E:	gennt.exe
File opened (read-only)	\??\Q:	gennt.exe
File opened (read-only)	\??\T:	gennt.exe
File opened (read-only)	\??\R:	gennt.exe
File opened (read-only)	\??\U:	gennt.exe
File opened (read-only)	\??\J:	gennt.exe
File opened (read-only)	\??\K:	gennt.exe
File opened (read-only)	\??\N:	gennt.exe
File opened (read-only)	\??\O:	gennt.exe
File opened (read-only)	\??\Z:	gennt.exe
File opened (read-only)	\??\A:	gennt.exe
File opened (read-only)	\??\G:	gennt.exe
File opened (read-only)	\??\H:	gennt.exe
File opened (read-only)	\??\W:	gennt.exe
File opened (read-only)	\??\P:	gennt.exe
File opened (read-only)	\??\S:	gennt.exe
File opened (read-only)	\??\Y:	gennt.exe
File opened (read-only)	\??\F:	gennt.exe
File opened (read-only)	\??\I:	gennt.exe
File opened (read-only)	\??\L:	gennt.exe
File opened (read-only)	\??\M:	gennt.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

gennt.exe

pid process

1828 gennt.exe

pid	process
1828	gennt.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

070d785aab37f9ac742f0c5ad255be4d46147ae9917960058fe5846a2e2e1083.exegennt.exe

description	pid	process	target process
PID 1528 wrote to memory of 1828	1528	070d785aab37f9ac742f0c5ad255be4d46147ae9917960058fe5846a2e2e1083.exe	gennt.exe
PID 1528 wrote to memory of 1828	1528	070d785aab37f9ac742f0c5ad255be4d46147ae9917960058fe5846a2e2e1083.exe	gennt.exe
PID 1528 wrote to memory of 1828	1528	070d785aab37f9ac742f0c5ad255be4d46147ae9917960058fe5846a2e2e1083.exe	gennt.exe
PID 1528 wrote to memory of 1828	1528	070d785aab37f9ac742f0c5ad255be4d46147ae9917960058fe5846a2e2e1083.exe	gennt.exe
PID 1828 wrote to memory of 1836	1828	gennt.exe	secinit.exe
PID 1828 wrote to memory of 1836	1828	gennt.exe	secinit.exe
PID 1828 wrote to memory of 1836	1828	gennt.exe	secinit.exe
PID 1828 wrote to memory of 1836	1828	gennt.exe	secinit.exe
PID 1828 wrote to memory of 1868	1828	gennt.exe	cmd.exe
PID 1828 wrote to memory of 1868	1828	gennt.exe	cmd.exe
PID 1828 wrote to memory of 1868	1828	gennt.exe	cmd.exe
PID 1828 wrote to memory of 1868	1828	gennt.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\070d785aab37f9ac742f0c5ad255be4d46147ae9917960058fe5846a2e2e1083.exe
"C:\Users\Admin\AppData\Local\Temp\070d785aab37f9ac742f0c5ad255be4d46147ae9917960058fe5846a2e2e1083.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1528

C:\ProgramData\d27b15bf5fed4179aa6c\gennt.exe
C:\ProgramData\d27b15bf5fed4179aa6c\gennt.exe "C:\Users\Admin\AppData\Local\Temp\070d785aab37f9ac742f0c5ad255be4d46147ae9917960058fe5846a2e2e1083.exe" ensgJJ
2⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Deletes itself
- Enumerates connected drives
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1828

C:\Windows\SysWOW64\secinit.exe
C:\ProgramData\d27b15bf5fed4179aa6c\gennt.exe
3⤵
PID:1836

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" powershell.exe -Command "& {Add-MpPreference -ExclusionPath C:\ProgramData\d27b15bf5fed4179aa6c}"
3⤵
PID:1868

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

1

T1004

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

Peripheral Device Discovery

1

T1120

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\d27b15bf5fed4179aa6c\gennt.exe
MD5
d91043ee270758fbc29613e993cf17a6

SHA1
bf3baf3e2d446f65b14d310e0e0a79d4002f9c03

SHA256
070d785aab37f9ac742f0c5ad255be4d46147ae9917960058fe5846a2e2e1083

SHA512
1b8daad67e37e02835666acb1a815baccd235f955c95cf34bb28a9f4301eae32767919c1a473614da61ff7c0c0e646ac04317145228d6c57f02f3a0e55535000

Download Submit
C:\ProgramData\d27b15bf5fed4179aa6c\gennt.exe
MD5
d91043ee270758fbc29613e993cf17a6

SHA1
bf3baf3e2d446f65b14d310e0e0a79d4002f9c03

SHA256
070d785aab37f9ac742f0c5ad255be4d46147ae9917960058fe5846a2e2e1083

SHA512
1b8daad67e37e02835666acb1a815baccd235f955c95cf34bb28a9f4301eae32767919c1a473614da61ff7c0c0e646ac04317145228d6c57f02f3a0e55535000

Download Submit
\ProgramData\d27b15bf5fed4179aa6c\gennt.exe
MD5
d91043ee270758fbc29613e993cf17a6

SHA1
bf3baf3e2d446f65b14d310e0e0a79d4002f9c03

SHA256
070d785aab37f9ac742f0c5ad255be4d46147ae9917960058fe5846a2e2e1083

SHA512
1b8daad67e37e02835666acb1a815baccd235f955c95cf34bb28a9f4301eae32767919c1a473614da61ff7c0c0e646ac04317145228d6c57f02f3a0e55535000

Download Submit
\ProgramData\d27b15bf5fed4179aa6c\gennt.exe
MD5
d91043ee270758fbc29613e993cf17a6

SHA1
bf3baf3e2d446f65b14d310e0e0a79d4002f9c03

SHA256
070d785aab37f9ac742f0c5ad255be4d46147ae9917960058fe5846a2e2e1083

SHA512
1b8daad67e37e02835666acb1a815baccd235f955c95cf34bb28a9f4301eae32767919c1a473614da61ff7c0c0e646ac04317145228d6c57f02f3a0e55535000

Download Submit
memory/1828-2-0x0000000000000000-mapping.dmp

Download
memory/1868-4-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads