buer | 070d785aab37f9ac742f0c5ad255be4d46147ae9917960058fe5846a2e2e1083

General

Target

070d785aab37f9ac742f0c5ad255be4d46147ae9917960058fe5846a2e2e1083.exe
Size

38KB
MD5

d91043ee270758fbc29613e993cf17a6
SHA1

bf3baf3e2d446f65b14d310e0e0a79d4002f9c03
SHA256

070d785aab37f9ac742f0c5ad255be4d46147ae9917960058fe5846a2e2e1083
SHA512

1b8daad67e37e02835666acb1a815baccd235f955c95cf34bb28a9f4301eae32767919c1a473614da61ff7c0c0e646ac04317145228d6c57f02f3a0e55535000

Score

10^/10

Family

buer

C2

https://66.228.45.248/

https://server-linode.nl/

Modifies WinLogon for persistence 2 TTPs 2 IoCs

Winlogon Helper DLL

Modify Registry

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\ProgramData\\de8a63018a2b5e297469\\gennt.exe\""	gennt.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\ProgramData\\de8a63018a2b5e297469\\gennt.exe\""	secinit.exe

Buer Loader 3 IoCs

Detects Buer loader in memory or disk.

resource	yara_rule
behavioral2/files/0x000300000001adb5-1.dat	buer
behavioral2/files/0x000300000001adb5-2.dat	buer
behavioral2/memory/3996-3-0x0000000000000000-mapping.dmp	buer

Executes dropped EXE 1 IoCs

pid	Process
3892	gennt.exe

Deletes itself 1 IoCs

pid	Process
3892	gennt.exe

Enumerates connected drives 3 TTPs 24 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

Peripheral Device Discovery

System Information Discovery

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3996	secinit.exe
3996	secinit.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 3148 wrote to memory of 3892	3148	070d785aab37f9ac742f0c5ad255be4d46147ae9917960058fe5846a2e2e1083.exe	67
PID 3148 wrote to memory of 3892	3148	070d785aab37f9ac742f0c5ad255be4d46147ae9917960058fe5846a2e2e1083.exe	67
PID 3148 wrote to memory of 3892	3148	070d785aab37f9ac742f0c5ad255be4d46147ae9917960058fe5846a2e2e1083.exe	67
PID 3892 wrote to memory of 3996	3892	gennt.exe	68
PID 3892 wrote to memory of 3996	3892	gennt.exe	68
PID 3892 wrote to memory of 3996	3892	gennt.exe	68
PID 3892 wrote to memory of 3996	3892	gennt.exe	68
PID 3892 wrote to memory of 3996	3892	gennt.exe	68
PID 3892 wrote to memory of 3996	3892	gennt.exe	68
PID 3892 wrote to memory of 3996	3892	gennt.exe	68
PID 3892 wrote to memory of 3996	3892	gennt.exe	68
PID 3892 wrote to memory of 3996	3892	gennt.exe	68
PID 3892 wrote to memory of 3996	3892	gennt.exe	68
PID 3996 wrote to memory of 1596	3996	secinit.exe	75
PID 3996 wrote to memory of 1596	3996	secinit.exe	75
PID 3996 wrote to memory of 1596	3996	secinit.exe	75

C:\Users\Admin\AppData\Local\Temp\070d785aab37f9ac742f0c5ad255be4d46147ae9917960058fe5846a2e2e1083.exe
"C:\Users\Admin\AppData\Local\Temp\070d785aab37f9ac742f0c5ad255be4d46147ae9917960058fe5846a2e2e1083.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3148
- C:\ProgramData\de8a63018a2b5e297469\gennt.exe
  C:\ProgramData\de8a63018a2b5e297469\gennt.exe "C:\Users\Admin\AppData\Local\Temp\070d785aab37f9ac742f0c5ad255be4d46147ae9917960058fe5846a2e2e1083.exe" ensgJJ
  2⤵
  - Modifies WinLogon for persistence
  - Executes dropped EXE
  - Deletes itself
  - Suspicious use of WriteProcessMemory
  PID:3892
- - C:\Windows\SysWOW64\secinit.exe
    C:\ProgramData\de8a63018a2b5e297469\gennt.exe
    3⤵
    - Modifies WinLogon for persistence
    - Enumerates connected drives
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:3996
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" powershell.exe -Command "& {Add-MpPreference -ExclusionPath C:\ProgramData\de8a63018a2b5e297469}"
      4⤵
      PID:1596