buer | 211ddc016588fbbf96534c95de2b9c4f48d15ee89e45ddd647a7316497f80ff5

General

Target

211ddc016588fbbf96534c95de2b9c4f48d15ee89e45ddd647a7316497f80ff5.exe
Size

33KB
MD5

ccf7d3adb21dfd77bf7f60e4a4751d1e
SHA1

093757c4099cd0cd2bd1e7a0f4d64b78754888b9
SHA256

211ddc016588fbbf96534c95de2b9c4f48d15ee89e45ddd647a7316497f80ff5
SHA512

109923ef9c06016a0e376b862b88e415a4943fecbe907687751abd604d4d052987029cea9e5b5b165ec694c468b2491c8063787e073522e1813ff20907ae6936

Score

10^/10

buer loader persistence

Malware Config

Extracted

Family

buer

C2

https://wowvideos.online/

https://95.216.251.216/

Signatures

Buer
Buer is a new modular loader first seen in August 2019.
loader buer

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\ProgramData\\ErrorResponder\\errorResponder.exe\""	errorResponder.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\ProgramData\\ErrorResponder\\errorResponder.exe\""	secinit.exe

Buer Loader 5 IoCs

Detects Buer loader in memory or disk.

resource	yara_rule
behavioral1/files/0x001900000000f55b-0.dat	buer
behavioral1/files/0x001900000000f55b-1.dat	buer
behavioral1/files/0x001900000000f55b-3.dat	buer
behavioral1/files/0x001900000000f55b-4.dat	buer
behavioral1/memory/536-6-0x0000000000000000-mapping.dmp	buer

Executes dropped EXE 1 IoCs

pid	Process
1684	errorResponder.exe

Deletes itself 1 IoCs

pid	Process
1684	errorResponder.exe

Loads dropped DLL 2 IoCs

pid	Process
1912	211ddc016588fbbf96534c95de2b9c4f48d15ee89e45ddd647a7316497f80ff5.exe
1912	211ddc016588fbbf96534c95de2b9c4f48d15ee89e45ddd647a7316497f80ff5.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
536	secinit.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 1912 wrote to memory of 1684	1912	211ddc016588fbbf96534c95de2b9c4f48d15ee89e45ddd647a7316497f80ff5.exe	29
PID 1912 wrote to memory of 1684	1912	211ddc016588fbbf96534c95de2b9c4f48d15ee89e45ddd647a7316497f80ff5.exe	29
PID 1912 wrote to memory of 1684	1912	211ddc016588fbbf96534c95de2b9c4f48d15ee89e45ddd647a7316497f80ff5.exe	29
PID 1912 wrote to memory of 1684	1912	211ddc016588fbbf96534c95de2b9c4f48d15ee89e45ddd647a7316497f80ff5.exe	29
PID 1684 wrote to memory of 536	1684	errorResponder.exe	30
PID 1684 wrote to memory of 536	1684	errorResponder.exe	30
PID 1684 wrote to memory of 536	1684	errorResponder.exe	30
PID 1684 wrote to memory of 536	1684	errorResponder.exe	30
PID 1684 wrote to memory of 536	1684	errorResponder.exe	30
PID 1684 wrote to memory of 536	1684	errorResponder.exe	30
PID 1684 wrote to memory of 536	1684	errorResponder.exe	30
PID 1684 wrote to memory of 536	1684	errorResponder.exe	30
PID 1684 wrote to memory of 536	1684	errorResponder.exe	30
PID 1684 wrote to memory of 536	1684	errorResponder.exe	30
PID 1684 wrote to memory of 536	1684	errorResponder.exe	30

C:\Users\Admin\AppData\Local\Temp\211ddc016588fbbf96534c95de2b9c4f48d15ee89e45ddd647a7316497f80ff5.exe
"C:\Users\Admin\AppData\Local\Temp\211ddc016588fbbf96534c95de2b9c4f48d15ee89e45ddd647a7316497f80ff5.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1912
- C:\ProgramData\ErrorResponder\errorResponder.exe
  C:\ProgramData\ErrorResponder\errorResponder.exe "C:\Users\Admin\AppData\Local\Temp\211ddc016588fbbf96534c95de2b9c4f48d15ee89e45ddd647a7316497f80ff5.exe" ensgJJ
  2⤵
  - Modifies WinLogon for persistence
  - Executes dropped EXE
  - Deletes itself
  - Suspicious use of WriteProcessMemory
  PID:1684
- - C:\Windows\SysWOW64\secinit.exe
    C:\ProgramData\ErrorResponder\errorResponder.exe
    3⤵
    - Modifies WinLogon for persistence
    - Suspicious behavior: EnumeratesProcesses
    PID:536

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

1

T1004

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/536-5-0x0000000000090000-0x0000000000091000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing