buer | 593cf2c6d3140a5bf6bb6378aeadbc15abfa17691250e6ef1804d40534fd8a2e

Analysis

max time kernel
8s
max time network
9s
platform
windows7_x64
resource
win7v20201028
submitted
23-12-2020 20:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

MSettingIE.exe
Size

80KB
MD5

a20399351b23e0bf909677d85c1025cb
SHA1

30e4e30528bf931f096093ea81822fb89f4d71dc
SHA256

593cf2c6d3140a5bf6bb6378aeadbc15abfa17691250e6ef1804d40534fd8a2e
SHA512

8087b12dad90c54d18e46987aa6ed25cb098097a605c907621bbcf6fa97569b25531b93f5a30f1aca530b8e214d9d5f90b223c1b2bfea3e5637d762c763c15bd

Score

10^/10

buer loader

Malware Config

Extracted

Family

buer

selectorbasebanks.com

Signatures

Buer
Buer is a new modular loader first seen in August 2019.
loader buer

Buer Loader 3 IoCs

Detects Buer loader in memory or disk.

resource	yara_rule
behavioral1/memory/1116-3-0x0000000040000000-0x0000000040009000-memory.dmp	buer
behavioral1/memory/1116-4-0x0000000040005DA8-mapping.dmp	buer
behavioral1/memory/1116-5-0x0000000040000000-0x0000000040009000-memory.dmp	buer

Loads dropped DLL 1 IoCs

pid	Process
1744	MSettingIE.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1744 set thread context of 1116	1744	MSettingIE.exe	29

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
1744	MSettingIE.exe

Suspicious use of WriteProcessMemory 5 IoCs

description	pid	Process	procid_target
PID 1744 wrote to memory of 1116	1744	MSettingIE.exe	29
PID 1744 wrote to memory of 1116	1744	MSettingIE.exe	29
PID 1744 wrote to memory of 1116	1744	MSettingIE.exe	29
PID 1744 wrote to memory of 1116	1744	MSettingIE.exe	29
PID 1744 wrote to memory of 1116	1744	MSettingIE.exe	29

C:\Users\Admin\AppData\Local\Temp\MSettingIE.exe
"C:\Users\Admin\AppData\Local\Temp\MSettingIE.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1744
- C:\Users\Admin\AppData\Local\Temp\MSettingIE.exe
  "C:\Users\Admin\AppData\Local\Temp\MSettingIE.exe"
  2⤵
  PID:1116

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1116-3-0x0000000040000000-0x0000000040009000-memory.dmp

Filesize
36KB

Download
memory/1116-5-0x0000000040000000-0x0000000040009000-memory.dmp

Filesize
36KB

Download