buer | c69a9adf7333a5098d91be899802e6f0e77de4d1be8d11363dccd0fc830311c5

Analysis

max time kernel
127s
max time network
70s
platform
windows7_x64
resource
win7
submitted
10-08-2020 11:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ken.exe
Size

228KB
MD5

14e0e1a26f0e29171486cb2feb89fc3e
SHA1

cb3f2b4e3f5060088c6158f4b6c5b6d627f68a20
SHA256

c69a9adf7333a5098d91be899802e6f0e77de4d1be8d11363dccd0fc830311c5
SHA512

12ea8bb6bdcc809a2ba46a33cb69e4535af3a5ba9750179cf1a8f050ae1e3f0ea544000d504a2318c8d22e297eaa466f7977c593f3d00ec2c24276e66abd8430

Score

10^/10

buer loader

Malware Config

Extracted

Family

buer

https://rawcookies.ru/

https://westkingz.ru/

Signatures

Buer
Buer is a new modular loader first seen in August 2019.
loader buer

Buer Loader 3 IoCs

Detects Buer loader in memory or disk.

resource	yara_rule
behavioral1/memory/1864-0-0x0000000040000000-0x000000004000C000-memory.dmp	buer
behavioral1/memory/1864-1-0x0000000040003030-mapping.dmp	buer
behavioral1/memory/1864-2-0x0000000040000000-0x000000004000C000-memory.dmp	buer

Executes dropped EXE 1 IoCs

pid	Process
1536	gennt.exe

Loads dropped DLL 2 IoCs

pid	Process
1864	ken.exe
1864	ken.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 900 set thread context of 1864	900	ken.exe	25

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	900	ken.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 900 wrote to memory of 1864	900	ken.exe	25
PID 900 wrote to memory of 1864	900	ken.exe	25
PID 900 wrote to memory of 1864	900	ken.exe	25
PID 900 wrote to memory of 1864	900	ken.exe	25
PID 900 wrote to memory of 1864	900	ken.exe	25
PID 900 wrote to memory of 1864	900	ken.exe	25
PID 900 wrote to memory of 1864	900	ken.exe	25
PID 900 wrote to memory of 1864	900	ken.exe	25
PID 900 wrote to memory of 1864	900	ken.exe	25
PID 900 wrote to memory of 1864	900	ken.exe	25
PID 1864 wrote to memory of 1536	1864	ken.exe	28
PID 1864 wrote to memory of 1536	1864	ken.exe	28
PID 1864 wrote to memory of 1536	1864	ken.exe	28
PID 1864 wrote to memory of 1536	1864	ken.exe	28

C:\Users\Admin\AppData\Local\Temp\ken.exe
"C:\Users\Admin\AppData\Local\Temp\ken.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:900
- C:\Users\Admin\AppData\Local\Temp\ken.exe
  C:\Users\Admin\AppData\Local\Temp\ken.exe
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1864
- - C:\ProgramData\442665b0da518c45c03d\gennt.exe
    C:\ProgramData\442665b0da518c45c03d\gennt.exe "C:\Users\Admin\AppData\Local\Temp\ken.exe" ensgJJ
    3⤵
    - Executes dropped EXE
    PID:1536

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1864-0-0x0000000040000000-0x000000004000C000-memory.dmp

Filesize
48KB

Download
memory/1864-2-0x0000000040000000-0x000000004000C000-memory.dmp

Filesize
48KB

Download