buer | 070d785aab37f9ac742f0c5ad255be4d46147ae9917960058fe5846a2e2e1083

General

Target

070d785aab37f9ac742f0c5ad255be4d46147ae9917960058fe5846a2e2e1083.exe
Size

38KB
MD5

d91043ee270758fbc29613e993cf17a6
SHA1

bf3baf3e2d446f65b14d310e0e0a79d4002f9c03
SHA256

070d785aab37f9ac742f0c5ad255be4d46147ae9917960058fe5846a2e2e1083
SHA512

1b8daad67e37e02835666acb1a815baccd235f955c95cf34bb28a9f4301eae32767919c1a473614da61ff7c0c0e646ac04317145228d6c57f02f3a0e55535000

Score

10^/10

buer loader persistence

Malware Config

Extracted

Family

buer

C2

https://66.228.45.248/

https://server-linode.nl/

Signatures

Buer
Buer is a new modular loader first seen in August 2019.
loader buer

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

gennt.exesecinit.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\ProgramData\\de8a63018a2b5e297469\\gennt.exe\""	gennt.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\ProgramData\\de8a63018a2b5e297469\\gennt.exe\""	secinit.exe

Buer Loader 3 IoCs

Detects Buer loader in memory or disk.

Processes:

resource	yara_rule
C:\ProgramData\de8a63018a2b5e297469\gennt.exe	buer
C:\ProgramData\de8a63018a2b5e297469\gennt.exe	buer
behavioral2/memory/3996-3-0x0000000000000000-mapping.dmp	buer

Executes dropped EXE 1 IoCs

Processes:

gennt.exe

pid process

3892 gennt.exe
Deletes itself 1 IoCs

Processes:

gennt.exe

pid process

3892 gennt.exe

pid	process
3892	gennt.exe

pid	process
3892	gennt.exe

Enumerates connected drives 3 TTPs 24 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

secinit.exe

description	ioc	process
File opened (read-only)	\??\N:	secinit.exe
File opened (read-only)	\??\U:	secinit.exe
File opened (read-only)	\??\Y:	secinit.exe
File opened (read-only)	\??\H:	secinit.exe
File opened (read-only)	\??\F:	secinit.exe
File opened (read-only)	\??\G:	secinit.exe
File opened (read-only)	\??\K:	secinit.exe
File opened (read-only)	\??\O:	secinit.exe
File opened (read-only)	\??\R:	secinit.exe
File opened (read-only)	\??\E:	secinit.exe
File opened (read-only)	\??\B:	secinit.exe
File opened (read-only)	\??\J:	secinit.exe
File opened (read-only)	\??\L:	secinit.exe
File opened (read-only)	\??\P:	secinit.exe
File opened (read-only)	\??\Q:	secinit.exe
File opened (read-only)	\??\S:	secinit.exe
File opened (read-only)	\??\W:	secinit.exe
File opened (read-only)	\??\A:	secinit.exe
File opened (read-only)	\??\Z:	secinit.exe
File opened (read-only)	\??\X:	secinit.exe
File opened (read-only)	\??\M:	secinit.exe
File opened (read-only)	\??\T:	secinit.exe
File opened (read-only)	\??\V:	secinit.exe
File opened (read-only)	\??\I:	secinit.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

secinit.exe

pid process

3996 secinit.exe
3996 secinit.exe

pid	process
3996	secinit.exe
3996	secinit.exe

Suspicious use of WriteProcessMemory 16 IoCs

Processes:

070d785aab37f9ac742f0c5ad255be4d46147ae9917960058fe5846a2e2e1083.exegennt.exesecinit.exe

description	pid	process	target process
PID 3148 wrote to memory of 3892	3148	070d785aab37f9ac742f0c5ad255be4d46147ae9917960058fe5846a2e2e1083.exe	gennt.exe
PID 3148 wrote to memory of 3892	3148	070d785aab37f9ac742f0c5ad255be4d46147ae9917960058fe5846a2e2e1083.exe	gennt.exe
PID 3148 wrote to memory of 3892	3148	070d785aab37f9ac742f0c5ad255be4d46147ae9917960058fe5846a2e2e1083.exe	gennt.exe
PID 3892 wrote to memory of 3996	3892	gennt.exe	secinit.exe
PID 3892 wrote to memory of 3996	3892	gennt.exe	secinit.exe
PID 3892 wrote to memory of 3996	3892	gennt.exe	secinit.exe
PID 3892 wrote to memory of 3996	3892	gennt.exe	secinit.exe
PID 3892 wrote to memory of 3996	3892	gennt.exe	secinit.exe
PID 3892 wrote to memory of 3996	3892	gennt.exe	secinit.exe
PID 3892 wrote to memory of 3996	3892	gennt.exe	secinit.exe
PID 3892 wrote to memory of 3996	3892	gennt.exe	secinit.exe
PID 3892 wrote to memory of 3996	3892	gennt.exe	secinit.exe
PID 3892 wrote to memory of 3996	3892	gennt.exe	secinit.exe
PID 3996 wrote to memory of 1596	3996	secinit.exe	cmd.exe
PID 3996 wrote to memory of 1596	3996	secinit.exe	cmd.exe
PID 3996 wrote to memory of 1596	3996	secinit.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\070d785aab37f9ac742f0c5ad255be4d46147ae9917960058fe5846a2e2e1083.exe
"C:\Users\Admin\AppData\Local\Temp\070d785aab37f9ac742f0c5ad255be4d46147ae9917960058fe5846a2e2e1083.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3148

C:\ProgramData\de8a63018a2b5e297469\gennt.exe
C:\ProgramData\de8a63018a2b5e297469\gennt.exe "C:\Users\Admin\AppData\Local\Temp\070d785aab37f9ac742f0c5ad255be4d46147ae9917960058fe5846a2e2e1083.exe" ensgJJ
2⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Deletes itself
- Suspicious use of WriteProcessMemory
PID:3892

C:\Windows\SysWOW64\secinit.exe
C:\ProgramData\de8a63018a2b5e297469\gennt.exe
3⤵
- Modifies WinLogon for persistence
- Enumerates connected drives
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3996

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" powershell.exe -Command "& {Add-MpPreference -ExclusionPath C:\ProgramData\de8a63018a2b5e297469}"
4⤵
PID:1596

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

1

T1004

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

Peripheral Device Discovery

1

T1120

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\de8a63018a2b5e297469\gennt.exe
MD5
d91043ee270758fbc29613e993cf17a6

SHA1
bf3baf3e2d446f65b14d310e0e0a79d4002f9c03

SHA256
070d785aab37f9ac742f0c5ad255be4d46147ae9917960058fe5846a2e2e1083

SHA512
1b8daad67e37e02835666acb1a815baccd235f955c95cf34bb28a9f4301eae32767919c1a473614da61ff7c0c0e646ac04317145228d6c57f02f3a0e55535000

Download Submit
C:\ProgramData\de8a63018a2b5e297469\gennt.exe
MD5
d91043ee270758fbc29613e993cf17a6

SHA1
bf3baf3e2d446f65b14d310e0e0a79d4002f9c03

SHA256
070d785aab37f9ac742f0c5ad255be4d46147ae9917960058fe5846a2e2e1083

SHA512
1b8daad67e37e02835666acb1a815baccd235f955c95cf34bb28a9f4301eae32767919c1a473614da61ff7c0c0e646ac04317145228d6c57f02f3a0e55535000

Download Submit
memory/1596-4-0x0000000000000000-mapping.dmp

Download
memory/3892-0-0x0000000000000000-mapping.dmp

Download
memory/3996-3-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads