buer | 17147bfbf7936c807449340f3cbcaf49f16e905d8f768b16f8c2e628bf49a894

General

Target

17147bfbf7936c807449340f3cbcaf49f16e905d8f768b16f8c2e628bf49a894.exe
Size

384KB
MD5

a81d104e7bb627a4d3a0f0b823e17581
SHA1

ddc6f577463ff140e525cf7f4a4f083406acd1f4
SHA256

17147bfbf7936c807449340f3cbcaf49f16e905d8f768b16f8c2e628bf49a894
SHA512

18bc43f92dd794655a26529634f3683d183c2b130b4ced99a276f389c0e3f3c6f03763c5681ec4c80744dda0699d63919d25333f56295729733a2b09b5283b32

Score

10^/10

buer loader

Malware Config

Extracted

Family

buer

C2

https://kackdelar.top/

Signatures

Buer
Buer is a new modular loader first seen in August 2019.
loader buer

Buer Loader 3 IoCs

Detects Buer loader in memory or disk.

resource	yara_rule
behavioral1/memory/2024-9-0x0000000040000000-0x000000004000C000-memory.dmp	buer
behavioral1/memory/2024-10-0x0000000040002E38-mapping.dmp	buer
behavioral1/memory/2024-11-0x0000000040000000-0x000000004000C000-memory.dmp	buer

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1460 set thread context of 2024	1460	17147bfbf7936c807449340f3cbcaf49f16e905d8f768b16f8c2e628bf49a894.exe	30

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
1932	schtasks.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
1460	17147bfbf7936c807449340f3cbcaf49f16e905d8f768b16f8c2e628bf49a894.exe
1460	17147bfbf7936c807449340f3cbcaf49f16e905d8f768b16f8c2e628bf49a894.exe
1180	powershell.exe
1180	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1460	17147bfbf7936c807449340f3cbcaf49f16e905d8f768b16f8c2e628bf49a894.exe
Token: SeDebugPrivilege	1180	powershell.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 1460 wrote to memory of 1932	1460	17147bfbf7936c807449340f3cbcaf49f16e905d8f768b16f8c2e628bf49a894.exe	28
PID 1460 wrote to memory of 1932	1460	17147bfbf7936c807449340f3cbcaf49f16e905d8f768b16f8c2e628bf49a894.exe	28
PID 1460 wrote to memory of 1932	1460	17147bfbf7936c807449340f3cbcaf49f16e905d8f768b16f8c2e628bf49a894.exe	28
PID 1460 wrote to memory of 1932	1460	17147bfbf7936c807449340f3cbcaf49f16e905d8f768b16f8c2e628bf49a894.exe	28
PID 1460 wrote to memory of 2024	1460	17147bfbf7936c807449340f3cbcaf49f16e905d8f768b16f8c2e628bf49a894.exe	30
PID 1460 wrote to memory of 2024	1460	17147bfbf7936c807449340f3cbcaf49f16e905d8f768b16f8c2e628bf49a894.exe	30
PID 1460 wrote to memory of 2024	1460	17147bfbf7936c807449340f3cbcaf49f16e905d8f768b16f8c2e628bf49a894.exe	30
PID 1460 wrote to memory of 2024	1460	17147bfbf7936c807449340f3cbcaf49f16e905d8f768b16f8c2e628bf49a894.exe	30
PID 1460 wrote to memory of 2024	1460	17147bfbf7936c807449340f3cbcaf49f16e905d8f768b16f8c2e628bf49a894.exe	30
PID 1460 wrote to memory of 2024	1460	17147bfbf7936c807449340f3cbcaf49f16e905d8f768b16f8c2e628bf49a894.exe	30
PID 1460 wrote to memory of 2024	1460	17147bfbf7936c807449340f3cbcaf49f16e905d8f768b16f8c2e628bf49a894.exe	30
PID 1460 wrote to memory of 2024	1460	17147bfbf7936c807449340f3cbcaf49f16e905d8f768b16f8c2e628bf49a894.exe	30
PID 1460 wrote to memory of 2024	1460	17147bfbf7936c807449340f3cbcaf49f16e905d8f768b16f8c2e628bf49a894.exe	30
PID 1460 wrote to memory of 2024	1460	17147bfbf7936c807449340f3cbcaf49f16e905d8f768b16f8c2e628bf49a894.exe	30
PID 2024 wrote to memory of 1180	2024	17147bfbf7936c807449340f3cbcaf49f16e905d8f768b16f8c2e628bf49a894.exe	31
PID 2024 wrote to memory of 1180	2024	17147bfbf7936c807449340f3cbcaf49f16e905d8f768b16f8c2e628bf49a894.exe	31
PID 2024 wrote to memory of 1180	2024	17147bfbf7936c807449340f3cbcaf49f16e905d8f768b16f8c2e628bf49a894.exe	31
PID 2024 wrote to memory of 1180	2024	17147bfbf7936c807449340f3cbcaf49f16e905d8f768b16f8c2e628bf49a894.exe	31

C:\Users\Admin\AppData\Local\Temp\17147bfbf7936c807449340f3cbcaf49f16e905d8f768b16f8c2e628bf49a894.exe
"C:\Users\Admin\AppData\Local\Temp\17147bfbf7936c807449340f3cbcaf49f16e905d8f768b16f8c2e628bf49a894.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1460
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\KUCeBegeqW" /XML "C:\Users\Admin\AppData\Local\Temp\tmpB126.tmp"
  2⤵
  - Creates scheduled task(s)
  PID:1932
- C:\Users\Admin\AppData\Local\Temp\17147bfbf7936c807449340f3cbcaf49f16e905d8f768b16f8c2e628bf49a894.exe
  "{path}"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2024
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -Command "& {Add-MpPreference -ExclusionPath C:\ProgramData\f6b190b6b4b042caa860}"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1180

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1180-17-0x0000000005240000-0x0000000005241000-memory.dmp

Filesize
4KB

Download
memory/1180-16-0x0000000004660000-0x0000000004661000-memory.dmp

Filesize
4KB

Download
memory/1180-14-0x0000000001E00000-0x0000000001E01000-memory.dmp

Filesize
4KB

Download
memory/1180-13-0x0000000072D50000-0x000000007343E000-memory.dmp

Filesize
6.9MB

Download
memory/1180-48-0x00000000062C0000-0x00000000062C1000-memory.dmp

Filesize
4KB

Download
memory/1180-34-0x0000000005610000-0x0000000005611000-memory.dmp

Filesize
4KB

Download
memory/1180-33-0x0000000006240000-0x0000000006241000-memory.dmp

Filesize
4KB

Download
memory/1180-26-0x0000000006130000-0x0000000006131000-memory.dmp

Filesize
4KB

Download
memory/1180-15-0x00000000047C0000-0x00000000047C1000-memory.dmp

Filesize
4KB

Download
memory/1180-49-0x00000000062D0000-0x00000000062D1000-memory.dmp

Filesize
4KB

Download
memory/1180-25-0x00000000056F0000-0x00000000056F1000-memory.dmp

Filesize
4KB

Download
memory/1180-20-0x0000000005660000-0x0000000005661000-memory.dmp

Filesize
4KB

Download
memory/1460-4-0x0000000005140000-0x0000000005197000-memory.dmp

Filesize
348KB

Download
memory/1460-0-0x00000000738C0000-0x0000000073FAE000-memory.dmp

Filesize
6.9MB

Download
memory/1460-3-0x0000000000210000-0x0000000000213000-memory.dmp

Filesize
12KB

Download
memory/1460-1-0x0000000000AC0000-0x0000000000AC1000-memory.dmp

Filesize
4KB

Download
memory/1460-5-0x00000000004D0000-0x0000000000505000-memory.dmp

Filesize
212KB

Download
memory/2024-11-0x0000000040000000-0x000000004000C000-memory.dmp

Filesize
48KB

Download
memory/2024-9-0x0000000040000000-0x000000004000C000-memory.dmp

Filesize
48KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads