buer | c1a1988e6f043d0e73c9555ccaad2adb3683c22b0569fc0f6be24c3e4f8c82ff

Resubmissions

26-01-2021 19:10

210126-s9mbhrjkye 10

26-01-2021 18:38

210126-wq8yb2fmb2 10

Analysis

max time kernel
1737s
max time network
1736s
platform
windows7_x64
resource
win7v20201028
submitted
26-01-2021 19:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

font.tiff.exe
Size

235KB
MD5

cc0631f2ca59175c237e7fba06a7d533
SHA1

0c93576aeee786b1ef8818a56653d4c0e41a67df
SHA256

c1a1988e6f043d0e73c9555ccaad2adb3683c22b0569fc0f6be24c3e4f8c82ff
SHA512

d33b7ecd31f69e230c33dd3a86cc337c62870630c95e679d504a22779e9c57715754b58587f53e758e2becd0eef4bcf26d41d9a5ac1e6f42b961c84cc92bc918

Score

10^/10

buer loader

Malware Config

Extracted

Family

buer

hetaskosupportcenter.com

Signatures

Buer
Buer is a new modular loader first seen in August 2019.
loader buer

Buer Loader 2 IoCs

Detects Buer loader in memory or disk.

resource	yara_rule
behavioral1/memory/2028-3-0x0000000000220000-0x0000000000228000-memory.dmp	buer
behavioral1/memory/2028-4-0x0000000040000000-0x000000004000A000-memory.dmp	buer

Enumerates connected drives 3 TTPs 24 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\P:	font.tiff.exe
File opened (read-only)	\??\U:	font.tiff.exe
File opened (read-only)	\??\V:	font.tiff.exe
File opened (read-only)	\??\W:	font.tiff.exe
File opened (read-only)	\??\Y:	font.tiff.exe
File opened (read-only)	\??\B:	font.tiff.exe
File opened (read-only)	\??\F:	font.tiff.exe
File opened (read-only)	\??\J:	font.tiff.exe
File opened (read-only)	\??\K:	font.tiff.exe
File opened (read-only)	\??\M:	font.tiff.exe
File opened (read-only)	\??\O:	font.tiff.exe
File opened (read-only)	\??\R:	font.tiff.exe
File opened (read-only)	\??\S:	font.tiff.exe
File opened (read-only)	\??\E:	font.tiff.exe
File opened (read-only)	\??\I:	font.tiff.exe
File opened (read-only)	\??\Z:	font.tiff.exe
File opened (read-only)	\??\L:	font.tiff.exe
File opened (read-only)	\??\N:	font.tiff.exe
File opened (read-only)	\??\Q:	font.tiff.exe
File opened (read-only)	\??\X:	font.tiff.exe
File opened (read-only)	\??\A:	font.tiff.exe
File opened (read-only)	\??\H:	font.tiff.exe
File opened (read-only)	\??\G:	font.tiff.exe
File opened (read-only)	\??\T:	font.tiff.exe

C:\Users\Admin\AppData\Local\Temp\font.tiff.exe
"C:\Users\Admin\AppData\Local\Temp\font.tiff.exe"
1⤵
- Enumerates connected drives
PID:2028

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2028-2-0x0000000001BB0000-0x0000000001BC1000-memory.dmp

Filesize
68KB

Download
memory/2028-3-0x0000000000220000-0x0000000000228000-memory.dmp

Filesize
32KB

Download
memory/2028-4-0x0000000040000000-0x000000004000A000-memory.dmp

Filesize
40KB

Download