buer | 7f43651edf5d5bb92a5c6c66042d068d2d4e27cb9a6e45d46e03ca7cbfe4f39f

Analysis

max time kernel
14s
max time network
110s
platform
windows10_x64
resource
win10v20201028
submitted
04-02-2021 02:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ST33MQz3ZZ47fFjr8g09.exe
Size

123KB
MD5

0ca7982165af34d00aa28aa8a0564c5e
SHA1

b2aab201e5fda813600514f81f5224d267fcdbb8
SHA256

7f43651edf5d5bb92a5c6c66042d068d2d4e27cb9a6e45d46e03ca7cbfe4f39f
SHA512

ef4c6584a0b3fa255e28e217fc5243c71268eea1883c42b7b228cdaa64f928bf2af093663ce04bc18e75d893912f048d9fae892437904c7e78ed5d8367a9717d

Score

10^/10

buer loader

Malware Config

Extracted

Family

buer

officewestbankingconc.com

Signatures

Buer
Buer is a new modular loader first seen in August 2019.
loader buer

Buer Loader 1 IoCs

Detects Buer loader in memory or disk.

resource	yara_rule
behavioral2/memory/4020-4-0x0000000040000000-0x000000004000A000-memory.dmp	buer

Loads dropped DLL 1 IoCs

pid	Process
580	ST33MQz3ZZ47fFjr8g09.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 580 set thread context of 4020	580	ST33MQz3ZZ47fFjr8g09.exe	78

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
580	ST33MQz3ZZ47fFjr8g09.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 580 wrote to memory of 4020	580	ST33MQz3ZZ47fFjr8g09.exe	78
PID 580 wrote to memory of 4020	580	ST33MQz3ZZ47fFjr8g09.exe	78
PID 580 wrote to memory of 4020	580	ST33MQz3ZZ47fFjr8g09.exe	78
PID 580 wrote to memory of 4020	580	ST33MQz3ZZ47fFjr8g09.exe	78

C:\Users\Admin\AppData\Local\Temp\ST33MQz3ZZ47fFjr8g09.exe
"C:\Users\Admin\AppData\Local\Temp\ST33MQz3ZZ47fFjr8g09.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:580
- C:\Users\Admin\AppData\Local\Temp\ST33MQz3ZZ47fFjr8g09.exe
  "C:\Users\Admin\AppData\Local\Temp\ST33MQz3ZZ47fFjr8g09.exe"
  2⤵
  PID:4020

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/4020-4-0x0000000040000000-0x000000004000A000-memory.dmp

Filesize
40KB

Download