buer | f999edd74944952bddbe025dcb0245ede599cee22c7fadd61b748eabfec44247

General

Target

f999edd74944952bddbe025dcb0245ede599cee22c7fadd61b748eabfec44247.exe
Size

35KB
MD5

765274ee8121b9bfef342fb1e253de46
SHA1

2ed894e1cc06b262193933bd1adccdfa9e96c3ee
SHA256

f999edd74944952bddbe025dcb0245ede599cee22c7fadd61b748eabfec44247
SHA512

7dafb97890c32605a7455c2ae32d50f24c3163ab85e77f2cabeef4f301fd52d46b1cd5286e0f886a6e8cfb1a8087aef1f9919c3b0fc8813563756b79e7d81f28

Score

10^/10

Family

buer

C2

https://maldivosgrant.net/

https://jokenoiam.net/

Modifies WinLogon for persistence 2 TTPs 2 IoCs

Winlogon Helper DLL

Modify Registry

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\ProgramData\\RedTools\\networker.exe\""	networker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\ProgramData\\RedTools\\networker.exe\""	secinit.exe

Buer Loader 3 IoCs

Detects Buer loader in memory or disk.

resource	yara_rule
behavioral2/files/0x000300000001a2df-1.dat	buer
behavioral2/files/0x000300000001a2df-2.dat	buer
behavioral2/memory/2668-4-0x0000000000000000-mapping.dmp	buer

Executes dropped EXE 1 IoCs

pid	Process
3196	networker.exe

Deletes itself 1 IoCs

pid	Process
3196	networker.exe

Enumerates connected drives 3 TTPs 24 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

Peripheral Device Discovery

System Information Discovery

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2668	secinit.exe
2668	secinit.exe

Suspicious use of WriteProcessMemory 13 IoCs

description	pid	Process	procid_target
PID 4712 wrote to memory of 3196	4712	f999edd74944952bddbe025dcb0245ede599cee22c7fadd61b748eabfec44247.exe	78
PID 4712 wrote to memory of 3196	4712	f999edd74944952bddbe025dcb0245ede599cee22c7fadd61b748eabfec44247.exe	78
PID 4712 wrote to memory of 3196	4712	f999edd74944952bddbe025dcb0245ede599cee22c7fadd61b748eabfec44247.exe	78
PID 3196 wrote to memory of 2668	3196	networker.exe	79
PID 3196 wrote to memory of 2668	3196	networker.exe	79
PID 3196 wrote to memory of 2668	3196	networker.exe	79
PID 3196 wrote to memory of 2668	3196	networker.exe	79
PID 3196 wrote to memory of 2668	3196	networker.exe	79
PID 3196 wrote to memory of 2668	3196	networker.exe	79
PID 3196 wrote to memory of 2668	3196	networker.exe	79
PID 3196 wrote to memory of 2668	3196	networker.exe	79
PID 3196 wrote to memory of 2668	3196	networker.exe	79
PID 3196 wrote to memory of 2668	3196	networker.exe	79

C:\Users\Admin\AppData\Local\Temp\f999edd74944952bddbe025dcb0245ede599cee22c7fadd61b748eabfec44247.exe
"C:\Users\Admin\AppData\Local\Temp\f999edd74944952bddbe025dcb0245ede599cee22c7fadd61b748eabfec44247.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4712
- C:\ProgramData\RedTools\networker.exe
  C:\ProgramData\RedTools\networker.exe "C:\Users\Admin\AppData\Local\Temp\f999edd74944952bddbe025dcb0245ede599cee22c7fadd61b748eabfec44247.exe" ensgJJ
  2⤵
  - Modifies WinLogon for persistence
  - Executes dropped EXE
  - Deletes itself
  - Suspicious use of WriteProcessMemory
  PID:3196
- - C:\Windows\SysWOW64\secinit.exe
    C:\ProgramData\RedTools\networker.exe
    3⤵
    - Modifies WinLogon for persistence
    - Enumerates connected drives
    - Suspicious behavior: EnumeratesProcesses
    PID:2668