Analysis

max time kernel: 135s
max time network: 138s
platform: windows7_x64
resource: win7v20201028
submitted: 09-11-2020 19:38

Static task: static1
Behavioral task: behavioral1
Sample: buer.exe
Resource: win7v20201028 (windows7_x64)
0 signatures
0 seconds
General

Target: buer.exe
Size: 111KB
MD5: f884618092b55e3edc48096757aab143
SHA1: 0c0ad1301fc561699dba22cc779decc0df5570a1
SHA256: 6728db086194c2fa6a8e17e7b13bac1f5329b501e6f93b3587416895d387d343
SHA512: 195f4995907e34867d72778fb7e5857ea16e802376cf7ef17e2af3afa64e929bacfed4ed1b60d71a1ad8ea29e47c795c97ee7e41b6a02db59c9cc68fbb32e6ad
Score: 10/10
Malware Config (extracted)

Family: buer
C2:
- https://oopscll5.top/
- https://1raidertr.top/
Signatures

Modifies WinLogon for persistence (2 TTPs, 1 IoC)
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\ProgramData\\ErrorResponder\\errorResponder.exe\"" | errorResponder.exe

Buer Loader (4 IoCs)
Detects Buer loader in memory or disk.
resource | yara_rule
behavioral1/memory/1648-1-0x0000000040000000-0x000000004000B000-memory.dmp | buer
behavioral1/memory/1648-2-0x00000000400030B5-mapping.dmp | buer
behavioral1/memory/1648-3-0x0000000040000000-0x000000004000B000-memory.dmp | buer
behavioral1/memory/1064-11-0x00000000400030B5-mapping.dmp | buer

Executes dropped EXE (2 IoCs)
pid | Process
1352 | errorResponder.exe
1064 | errorResponder.exe

Deletes itself (1 IoC)
pid | Process
1064 | errorResponder.exe

Loads dropped DLL (3 IoCs)
pid | Process
1128 | buer.exe
1648 | buer.exe
1352 | errorResponder.exe

Suspicious use of SetThreadContext (2 IoCs)
description | pid | Process | procid_target
PID 1128 set thread context of 1648 | 1128 | buer.exe | 29
PID 1352 set thread context of 1064 | 1352 | errorResponder.exe | 31

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

NSIS installer (8 IoCs)
resource | yara_rule
behavioral1/files/0x000d00000000560a-4.dat | nsis_installer_1
behavioral1/files/0x000d00000000560a-4.dat | nsis_installer_2
behavioral1/files/0x000d00000000560a-6.dat | nsis_installer_1
behavioral1/files/0x000d00000000560a-6.dat | nsis_installer_2
behavioral1/files/0x000d00000000560a-7.dat | nsis_installer_1
behavioral1/files/0x000d00000000560a-7.dat | nsis_installer_2
behavioral1/files/0x000d00000000560a-12.dat | nsis_installer_1
behavioral1/files/0x000d00000000560a-12.dat | nsis_installer_2

Suspicious behavior: MapViewOfSection (2 IoCs)
pid | Process
1128 | buer.exe
1352 | errorResponder.exe

Suspicious use of WriteProcessMemory (18 IoCs; identical events grouped, count in last column)
description | pid | Process | procid_target | events
PID 1128 wrote to memory of 1648 | 1128 | buer.exe | 29 | 5
PID 1648 wrote to memory of 1352 | 1648 | buer.exe | 30 | 4
PID 1352 wrote to memory of 1064 | 1352 | errorResponder.exe | 31 | 5
PID 1064 wrote to memory of 428 | 1064 | errorResponder.exe | 32 | 4
Processes (process tree; depth shown as level number)

Level 1: C:\Users\Admin\AppData\Local\Temp\buer.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\buer.exe"
PID: 1128
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory

  Level 2: C:\Users\Admin\AppData\Local\Temp\buer.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\buer.exe"
  PID: 1648
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory

    Level 3: C:\ProgramData\ErrorResponder\errorResponder.exe
    Command line: C:\ProgramData\ErrorResponder\errorResponder.exe "C:\Users\Admin\AppData\Local\Temp\buer.exe" ensgJJ
    PID: 1352
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory

      Level 4: C:\ProgramData\ErrorResponder\errorResponder.exe
      Command line: C:\ProgramData\ErrorResponder\errorResponder.exe "C:\Users\Admin\AppData\Local\Temp\buer.exe" ensgJJ
      PID: 1064
      - Modifies WinLogon for persistence
      - Executes dropped EXE
      - Deletes itself
      - Suspicious use of WriteProcessMemory

        Level 5: C:\Windows\SysWOW64\secinit.exe
        Command line: C:\ProgramData\ErrorResponder\errorResponder.exe
        PID: 428