buer | eb9ed562ea848b9b3901a0d9cb2f9793115ba6dad9b2bf3929f75f9358ed2c23

Analysis

max time kernel
11s
max time network
110s
platform
windows10_x64
resource
win10v20201028
submitted
16-12-2020 08:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8754076d6e5fb4209c4a703eac804881.exe
Size

86KB
MD5

8754076d6e5fb4209c4a703eac804881
SHA1

ad4bc65f8cbae9adc33792bb7115342562cf11d0
SHA256

eb9ed562ea848b9b3901a0d9cb2f9793115ba6dad9b2bf3929f75f9358ed2c23
SHA512

501ee70850266006fd6c43b5042241e007beb7b1463e46f453ca50e63efa2099bd2452d7979003cc9c66431cc1a9609bdb261617ea8c6c368ea6987b4f025fe6

Score

10^/10

buer loader

Malware Config

Extracted

Family

buer

softwareconsbank.com

Signatures

Buer
Buer is a new modular loader first seen in August 2019.
loader buer

Buer Loader 3 IoCs

Detects Buer loader in memory or disk.

resource	yara_rule
behavioral2/memory/3684-3-0x0000000040000000-0x0000000040009000-memory.dmp	buer
behavioral2/memory/3684-4-0x0000000040005DA8-mapping.dmp	buer
behavioral2/memory/3684-5-0x0000000040000000-0x0000000040009000-memory.dmp	buer

Loads dropped DLL 1 IoCs

pid	Process
3988	8754076d6e5fb4209c4a703eac804881.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3988 set thread context of 3684	3988	8754076d6e5fb4209c4a703eac804881.exe	79

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
3988	8754076d6e5fb4209c4a703eac804881.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 3988 wrote to memory of 3684	3988	8754076d6e5fb4209c4a703eac804881.exe	79
PID 3988 wrote to memory of 3684	3988	8754076d6e5fb4209c4a703eac804881.exe	79
PID 3988 wrote to memory of 3684	3988	8754076d6e5fb4209c4a703eac804881.exe	79
PID 3988 wrote to memory of 3684	3988	8754076d6e5fb4209c4a703eac804881.exe	79

C:\Users\Admin\AppData\Local\Temp\8754076d6e5fb4209c4a703eac804881.exe
"C:\Users\Admin\AppData\Local\Temp\8754076d6e5fb4209c4a703eac804881.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:3988
- C:\Users\Admin\AppData\Local\Temp\8754076d6e5fb4209c4a703eac804881.exe
  "C:\Users\Admin\AppData\Local\Temp\8754076d6e5fb4209c4a703eac804881.exe"
  2⤵
  PID:3684

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3684-3-0x0000000040000000-0x0000000040009000-memory.dmp

Filesize
36KB

Download
memory/3684-5-0x0000000040000000-0x0000000040009000-memory.dmp

Filesize
36KB

Download