buer | 211ddc016588fbbf96534c95de2b9c4f48d15ee89e45ddd647a7316497f80ff5

General

Target

211ddc016588fbbf96534c95de2b9c4f48d15ee89e45ddd647a7316497f80ff5.exe
Size

33KB
MD5

ccf7d3adb21dfd77bf7f60e4a4751d1e
SHA1

093757c4099cd0cd2bd1e7a0f4d64b78754888b9
SHA256

211ddc016588fbbf96534c95de2b9c4f48d15ee89e45ddd647a7316497f80ff5
SHA512

109923ef9c06016a0e376b862b88e415a4943fecbe907687751abd604d4d052987029cea9e5b5b165ec694c468b2491c8063787e073522e1813ff20907ae6936

Score

10^/10

buer loader persistence

Malware Config

Extracted

Family

buer

C2

https://wowvideos.online/

https://95.216.251.216/

Signatures

Buer
Buer is a new modular loader first seen in August 2019.
loader buer

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\ProgramData\\ErrorResponder\\errorResponder.exe\""	errorResponder.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\ProgramData\\ErrorResponder\\errorResponder.exe\""	secinit.exe

Buer Loader 3 IoCs

Detects Buer loader in memory or disk.

resource	yara_rule
behavioral2/files/0x000300000001a2df-1.dat	buer
behavioral2/files/0x000300000001a2df-2.dat	buer
behavioral2/memory/2760-4-0x0000000000000000-mapping.dmp	buer

Executes dropped EXE 1 IoCs

pid	Process
756	errorResponder.exe

Deletes itself 1 IoCs

pid	Process
756	errorResponder.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2760	secinit.exe
2760	secinit.exe

Suspicious use of WriteProcessMemory 13 IoCs

description	pid	Process	procid_target
PID 696 wrote to memory of 756	696	211ddc016588fbbf96534c95de2b9c4f48d15ee89e45ddd647a7316497f80ff5.exe	79
PID 696 wrote to memory of 756	696	211ddc016588fbbf96534c95de2b9c4f48d15ee89e45ddd647a7316497f80ff5.exe	79
PID 696 wrote to memory of 756	696	211ddc016588fbbf96534c95de2b9c4f48d15ee89e45ddd647a7316497f80ff5.exe	79
PID 756 wrote to memory of 2760	756	errorResponder.exe	80
PID 756 wrote to memory of 2760	756	errorResponder.exe	80
PID 756 wrote to memory of 2760	756	errorResponder.exe	80
PID 756 wrote to memory of 2760	756	errorResponder.exe	80
PID 756 wrote to memory of 2760	756	errorResponder.exe	80
PID 756 wrote to memory of 2760	756	errorResponder.exe	80
PID 756 wrote to memory of 2760	756	errorResponder.exe	80
PID 756 wrote to memory of 2760	756	errorResponder.exe	80
PID 756 wrote to memory of 2760	756	errorResponder.exe	80
PID 756 wrote to memory of 2760	756	errorResponder.exe	80

C:\Users\Admin\AppData\Local\Temp\211ddc016588fbbf96534c95de2b9c4f48d15ee89e45ddd647a7316497f80ff5.exe
"C:\Users\Admin\AppData\Local\Temp\211ddc016588fbbf96534c95de2b9c4f48d15ee89e45ddd647a7316497f80ff5.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:696
- C:\ProgramData\ErrorResponder\errorResponder.exe
  C:\ProgramData\ErrorResponder\errorResponder.exe "C:\Users\Admin\AppData\Local\Temp\211ddc016588fbbf96534c95de2b9c4f48d15ee89e45ddd647a7316497f80ff5.exe" ensgJJ
  2⤵
  - Modifies WinLogon for persistence
  - Executes dropped EXE
  - Deletes itself
  - Suspicious use of WriteProcessMemory
  PID:756
- - C:\Windows\SysWOW64\secinit.exe
    C:\ProgramData\ErrorResponder\errorResponder.exe
    3⤵
    - Modifies WinLogon for persistence
    - Suspicious behavior: EnumeratesProcesses
    PID:2760

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

1

T1004

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2760-3-0x0000000002CA0000-0x0000000002CA1000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing