buer | d0b8e002997a8fed4ec8ec7996a4c7fabd360a7119d388c632d00ff1405269a6

Resubmissions

13-02-2021 05:16

210213-atnqs85c7a 10

13-02-2021 00:12

210213-k9zhewha3j 10

02-02-2021 12:35

210202-vg7em3tbxn 10

Analysis

max time kernel
150s
max time network
151s
platform
windows7_x64
resource
win7v20201028
submitted
02-02-2021 12:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d0b8e002997a8fed4ec8ec7996a4c7fabd360a7119d388c632d00ff1405269a6.exe
Size

22KB
MD5

1c3fd3a47171b6312cb28d996da0a0d9
SHA1

7e53bcbf99a3d164431b0318fe4ccb8cfe7da40a
SHA256

d0b8e002997a8fed4ec8ec7996a4c7fabd360a7119d388c632d00ff1405269a6
SHA512

762c3d63fa49f972e4e37b0be9627575f24f9527960450f640835c06b72909a9237aac749adf6b77a52790f17358106887d6cb630a196727d00ef113daf05892

Score

10^/10

buer loader persistence

Malware Config

Extracted

Family

buer

http://95.216.251.221:8080/

Signatures

Buer
Buer is a new modular loader first seen in August 2019.
loader buer

Buer Loader 4 IoCs

Detects Buer loader in memory or disk.

resource	yara_rule
behavioral1/files/0x0005000000013101-3.dat	buer
behavioral1/files/0x0005000000013101-4.dat	buer
behavioral1/files/0x0005000000013101-6.dat	buer
behavioral1/files/0x0005000000013101-8.dat	buer

Executes dropped EXE 1 IoCs

pid	Process
1700	manager.exe

Deletes itself 1 IoCs

pid	Process
1700	manager.exe

Loads dropped DLL 2 IoCs

pid	Process
1968	d0b8e002997a8fed4ec8ec7996a4c7fabd360a7119d388c632d00ff1405269a6.exe
1968	d0b8e002997a8fed4ec8ec7996a4c7fabd360a7119d388c632d00ff1405269a6.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\ActiveX Component = "C:\\Users\\Admin\\AppData\\Roaming\\ActiveX\\manager.exe"	manager.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce	manager.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1968 wrote to memory of 1700	1968	d0b8e002997a8fed4ec8ec7996a4c7fabd360a7119d388c632d00ff1405269a6.exe	29
PID 1968 wrote to memory of 1700	1968	d0b8e002997a8fed4ec8ec7996a4c7fabd360a7119d388c632d00ff1405269a6.exe	29
PID 1968 wrote to memory of 1700	1968	d0b8e002997a8fed4ec8ec7996a4c7fabd360a7119d388c632d00ff1405269a6.exe	29
PID 1968 wrote to memory of 1700	1968	d0b8e002997a8fed4ec8ec7996a4c7fabd360a7119d388c632d00ff1405269a6.exe	29

C:\Users\Admin\AppData\Local\Temp\d0b8e002997a8fed4ec8ec7996a4c7fabd360a7119d388c632d00ff1405269a6.exe
"C:\Users\Admin\AppData\Local\Temp\d0b8e002997a8fed4ec8ec7996a4c7fabd360a7119d388c632d00ff1405269a6.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1968
- C:\Users\Admin\AppData\Roaming\ActiveX\manager.exe
  C:\Users\Admin\AppData\Roaming\ActiveX\manager.exe "C:\Users\Admin\AppData\Local\Temp\d0b8e002997a8fed4ec8ec7996a4c7fabd360a7119d388c632d00ff1405269a6.exe" ensgJJ
  2⤵
  - Executes dropped EXE
  - Deletes itself
  - Adds Run key to start application
  PID:1700

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1968-2-0x0000000075ED1000-0x0000000075ED3000-memory.dmp

Filesize
8KB

Download