buer | 63913936a820bf5e79bccb7ac74b80f78fae9aec0f2dbfa097f057227a2e4aa2

General

Target

ReviewDocument.exe
Size

178KB
MD5

9bd3bbc082d0b3446fd456d750a8bbbe
SHA1

d50d739d91ff82ad31a6227ba734b6658f1a577a
SHA256

63913936a820bf5e79bccb7ac74b80f78fae9aec0f2dbfa097f057227a2e4aa2
SHA512

c0ba3a8a7a305dfc2539ef0ead8e418795532eb39a70571296e06d5b27c2cdd9425165dd88afbb90511c2bb68be5bd587c5233743a395d0b3dfe76d90a42bb7b

Score

10^/10

buer loader persistence

Malware Config

Extracted

Family

buer

C2

https://162.244.81.87/

http://162.244.81.87:8080/

Signatures

Buer
Buer is a new modular loader first seen in August 2019.
loader buer

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\ProgramData\\fd8fd7c8e06052eddca4\\gennt.exe\""	gennt.exe

Buer Loader 2 IoCs

Detects Buer loader in memory or disk.

resource	yara_rule
behavioral2/memory/3820-0-0x0000000000E20000-0x0000000000E2C000-memory.dmp	buer
behavioral2/memory/2836-4-0x00000000010B0000-0x00000000010BC000-memory.dmp	buer

Executes dropped EXE 1 IoCs

pid	Process
2836	gennt.exe

Deletes itself 1 IoCs

pid	Process
2836	gennt.exe

Enumerates connected drives 3 TTPs 24 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\N:	gennt.exe
File opened (read-only)	\??\V:	gennt.exe
File opened (read-only)	\??\X:	gennt.exe
File opened (read-only)	\??\Y:	gennt.exe
File opened (read-only)	\??\B:	gennt.exe
File opened (read-only)	\??\E:	gennt.exe
File opened (read-only)	\??\G:	gennt.exe
File opened (read-only)	\??\M:	gennt.exe
File opened (read-only)	\??\Z:	gennt.exe
File opened (read-only)	\??\J:	gennt.exe
File opened (read-only)	\??\L:	gennt.exe
File opened (read-only)	\??\P:	gennt.exe
File opened (read-only)	\??\T:	gennt.exe
File opened (read-only)	\??\U:	gennt.exe
File opened (read-only)	\??\I:	gennt.exe
File opened (read-only)	\??\K:	gennt.exe
File opened (read-only)	\??\R:	gennt.exe
File opened (read-only)	\??\S:	gennt.exe
File opened (read-only)	\??\Q:	gennt.exe
File opened (read-only)	\??\W:	gennt.exe
File opened (read-only)	\??\A:	gennt.exe
File opened (read-only)	\??\F:	gennt.exe
File opened (read-only)	\??\H:	gennt.exe
File opened (read-only)	\??\O:	gennt.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2836	gennt.exe
2836	gennt.exe

Suspicious use of WriteProcessMemory 17 IoCs

description	pid	Process	procid_target
PID 3820 wrote to memory of 2836	3820	ReviewDocument.exe	74
PID 3820 wrote to memory of 2836	3820	ReviewDocument.exe	74
PID 3820 wrote to memory of 2836	3820	ReviewDocument.exe	74
PID 2836 wrote to memory of 564	2836	gennt.exe	76
PID 2836 wrote to memory of 564	2836	gennt.exe	76
PID 2836 wrote to memory of 564	2836	gennt.exe	76
PID 2836 wrote to memory of 564	2836	gennt.exe	76
PID 2836 wrote to memory of 564	2836	gennt.exe	76
PID 2836 wrote to memory of 564	2836	gennt.exe	76
PID 2836 wrote to memory of 564	2836	gennt.exe	76
PID 2836 wrote to memory of 564	2836	gennt.exe	76
PID 2836 wrote to memory of 564	2836	gennt.exe	76
PID 2836 wrote to memory of 564	2836	gennt.exe	76
PID 2836 wrote to memory of 564	2836	gennt.exe	76
PID 2836 wrote to memory of 796	2836	gennt.exe	77
PID 2836 wrote to memory of 796	2836	gennt.exe	77
PID 2836 wrote to memory of 796	2836	gennt.exe	77

C:\Users\Admin\AppData\Local\Temp\ReviewDocument.exe
"C:\Users\Admin\AppData\Local\Temp\ReviewDocument.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3820
- C:\ProgramData\fd8fd7c8e06052eddca4\gennt.exe
  C:\ProgramData\fd8fd7c8e06052eddca4\gennt.exe "C:\Users\Admin\AppData\Local\Temp\ReviewDocument.exe" ensgJJ
  2⤵
  - Modifies WinLogon for persistence
  - Executes dropped EXE
  - Deletes itself
  - Enumerates connected drives
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2836
- - C:\Windows\SysWOW64\secinit.exe
    C:\ProgramData\fd8fd7c8e06052eddca4\gennt.exe
    3⤵
    PID:564
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" powershell.exe -Command "& {Add-MpPreference -ExclusionPath C:\ProgramData\fd8fd7c8e06052eddca4}"
    3⤵
    PID:796

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

1

T1004

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2836-4-0x00000000010B0000-0x00000000010BC000-memory.dmp

Filesize
48KB

Download
memory/3820-0-0x0000000000E20000-0x0000000000E2C000-memory.dmp

Filesize
48KB

Download

Analysis

Sharing