buer | b0a639215a6ea4dc14ffc7fbc6f3c102605d17008a51de477cb755e35794a8c0

Analysis

max time kernel
6s
max time network
11s
platform
windows7_x64
resource
win7v20201028
submitted
16-12-2020 08:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

64196c73fde1578c805cd9175aab70e5.exe
Size

86KB
MD5

64196c73fde1578c805cd9175aab70e5
SHA1

6b109f1c3844b081edc36ddb65c3a379609a9db9
SHA256

b0a639215a6ea4dc14ffc7fbc6f3c102605d17008a51de477cb755e35794a8c0
SHA512

b752a8cf758540e2bce1bda7799acc4c3d47f9f08f533c70ef924141d1ebf3e18a1bc61afa744e87fd690f990d2d54a30d22c7e70f47c14c43c084d86f6250d1

Score

10^/10

buer loader

Malware Config

Extracted

Family

buer

softwareconsbank.com

Signatures

Buer
Buer is a new modular loader first seen in August 2019.
loader buer

Buer Loader 3 IoCs

Detects Buer loader in memory or disk.

resource	yara_rule
behavioral1/memory/1544-3-0x0000000040000000-0x0000000040009000-memory.dmp	buer
behavioral1/memory/1544-4-0x0000000040005DA8-mapping.dmp	buer
behavioral1/memory/1544-5-0x0000000040000000-0x0000000040009000-memory.dmp	buer

Loads dropped DLL 1 IoCs

pid	Process
1740	64196c73fde1578c805cd9175aab70e5.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1740 set thread context of 1544	1740	64196c73fde1578c805cd9175aab70e5.exe	29

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
1740	64196c73fde1578c805cd9175aab70e5.exe

Suspicious use of WriteProcessMemory 5 IoCs

description	pid	Process	procid_target
PID 1740 wrote to memory of 1544	1740	64196c73fde1578c805cd9175aab70e5.exe	29
PID 1740 wrote to memory of 1544	1740	64196c73fde1578c805cd9175aab70e5.exe	29
PID 1740 wrote to memory of 1544	1740	64196c73fde1578c805cd9175aab70e5.exe	29
PID 1740 wrote to memory of 1544	1740	64196c73fde1578c805cd9175aab70e5.exe	29
PID 1740 wrote to memory of 1544	1740	64196c73fde1578c805cd9175aab70e5.exe	29

C:\Users\Admin\AppData\Local\Temp\64196c73fde1578c805cd9175aab70e5.exe
"C:\Users\Admin\AppData\Local\Temp\64196c73fde1578c805cd9175aab70e5.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1740
- C:\Users\Admin\AppData\Local\Temp\64196c73fde1578c805cd9175aab70e5.exe
  "C:\Users\Admin\AppData\Local\Temp\64196c73fde1578c805cd9175aab70e5.exe"
  2⤵
  PID:1544

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1544-3-0x0000000040000000-0x0000000040009000-memory.dmp

Filesize
36KB

Download
memory/1544-5-0x0000000040000000-0x0000000040009000-memory.dmp

Filesize
36KB

Download