buer | 25840b76b6cf2762898086cd4b62e556bedb9ffcff1a565bad872662c2e5bb36

Resubmissions

12-02-2021 17:46

210212-qj1pxv26za 10

12-02-2021 13:49

210212-qh2m1q4eyx 10

Analysis

max time kernel
56s
max time network
112s
platform
windows10_x64
resource
win10v20201028
submitted
12-02-2021 17:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

independent_appraisal.jar
Size

6KB
MD5

e94dbabc70b4396b39d3a3d3e53cf85b
SHA1

bc6f6267313c0a768ed3f8f92f90c1f105cbd949
SHA256

25840b76b6cf2762898086cd4b62e556bedb9ffcff1a565bad872662c2e5bb36
SHA512

fb2eb9aeb02d111c23cdb61f668affcfb3e847159ce8a158ed39e2f136b9993f8dc68ddbd649d8f13f75ced7f7499c6410861daa1fde8fb15c010c6ccd2f3582

Score

10^/10

buer loader

Malware Config

Extracted

Family

buer

antipublicwestbank.com

Signatures

Buer
Buer is a new modular loader first seen in August 2019.
loader buer

Buer Loader 1 IoCs

Detects Buer loader in memory or disk.

Processes:

resource	yara_rule
behavioral2/memory/3428-9-0x0000000040000000-0x000000004000A000-memory.dmp	buer

Executes dropped EXE 2 IoCs

Processes:

vdeodrv32.exevdeodrv32.exe

pid process

3576 vdeodrv32.exe
3428 vdeodrv32.exe
Loads dropped DLL 1 IoCs

Processes:

vdeodrv32.exe

pid process

3576 vdeodrv32.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

vdeodrv32.exe

description pid process target process

PID 3576 set thread context of 3428 3576 vdeodrv32.exe vdeodrv32.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

pid	process
3576	vdeodrv32.exe
3428	vdeodrv32.exe

pid	process
3576	vdeodrv32.exe

description	pid	process	target process
PID 3576 set thread context of 3428	3576	vdeodrv32.exe	vdeodrv32.exe

NSIS installer 6 IoCs

installer

Processes:

resource	yara_rule
C:\ProgramData\vdeodrv32.exe	nsis_installer_1
C:\ProgramData\vdeodrv32.exe	nsis_installer_2
C:\ProgramData\vdeodrv32.exe	nsis_installer_1
C:\ProgramData\vdeodrv32.exe	nsis_installer_2
C:\ProgramData\vdeodrv32.exe	nsis_installer_1
C:\ProgramData\vdeodrv32.exe	nsis_installer_2

Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

vdeodrv32.exe

pid process

3576 vdeodrv32.exe
Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

java.exe

pid process

496 java.exe
496 java.exe
496 java.exe
496 java.exe

pid	process
3576	vdeodrv32.exe

pid	process
496	java.exe
496	java.exe
496	java.exe
496	java.exe

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

java.exevdeodrv32.exe

description	pid	process	target process
PID 496 wrote to memory of 3576	496	java.exe	vdeodrv32.exe
PID 496 wrote to memory of 3576	496	java.exe	vdeodrv32.exe
PID 496 wrote to memory of 3576	496	java.exe	vdeodrv32.exe
PID 3576 wrote to memory of 3428	3576	vdeodrv32.exe	vdeodrv32.exe
PID 3576 wrote to memory of 3428	3576	vdeodrv32.exe	vdeodrv32.exe
PID 3576 wrote to memory of 3428	3576	vdeodrv32.exe	vdeodrv32.exe
PID 3576 wrote to memory of 3428	3576	vdeodrv32.exe	vdeodrv32.exe

C:\ProgramData\Oracle\Java\javapath\java.exe
java -jar C:\Users\Admin\AppData\Local\Temp\independent_appraisal.jar
1⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:496
- C:\ProgramData\vdeodrv32.exe
  "C:\ProgramData\vdeodrv32.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:3576
- - C:\ProgramData\vdeodrv32.exe
    "C:\ProgramData\vdeodrv32.exe"
    3⤵
    - Executes dropped EXE
    PID:3428

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\vdeodrv32.exe

MD5
69819de123d7b83d5881932d706841f5

SHA1
27fe7625cb44c9870fdaf810ec42cb02a0191c86

SHA256
650750b450fd881501aa5a879696e9d61e8fcbbad479ce37b0a2bb081d73c209

SHA512
fdd8578698fbcd278ee0c6820d57b834fd20a9172d8652ddbfd02b12b8f8f63845af01401838ef9b8c342fab919c74da53e4062271c157eb5bfa67a22ec9b907

Download Submit
C:\ProgramData\vdeodrv32.exe

MD5
69819de123d7b83d5881932d706841f5

SHA1
27fe7625cb44c9870fdaf810ec42cb02a0191c86

SHA256
650750b450fd881501aa5a879696e9d61e8fcbbad479ce37b0a2bb081d73c209

SHA512
fdd8578698fbcd278ee0c6820d57b834fd20a9172d8652ddbfd02b12b8f8f63845af01401838ef9b8c342fab919c74da53e4062271c157eb5bfa67a22ec9b907

Download Submit
C:\ProgramData\vdeodrv32.exe

MD5
69819de123d7b83d5881932d706841f5

SHA1
27fe7625cb44c9870fdaf810ec42cb02a0191c86

SHA256
650750b450fd881501aa5a879696e9d61e8fcbbad479ce37b0a2bb081d73c209

SHA512
fdd8578698fbcd278ee0c6820d57b834fd20a9172d8652ddbfd02b12b8f8f63845af01401838ef9b8c342fab919c74da53e4062271c157eb5bfa67a22ec9b907

Download Submit
\Users\Admin\AppData\Local\Temp\nsh232A.tmp\System.dll

MD5
fccff8cb7a1067e23fd2e2b63971a8e1

SHA1
30e2a9e137c1223a78a0f7b0bf96a1c361976d91

SHA256
6fcea34c8666b06368379c6c402b5321202c11b00889401c743fb96c516c679e

SHA512
f4335e84e6f8d70e462a22f1c93d2998673a7616c868177cac3e8784a3be1d7d0bb96f2583fa0ed82f4f2b6b8f5d9b33521c279a42e055d80a94b4f3f1791e0c

Download Submit
memory/496-2-0x00000000034C0000-0x0000000003730000-memory.dmp

Filesize
2.4MB

Download
memory/3428-7-0x0000000040006303-mapping.dmp

Download
memory/3428-9-0x0000000040000000-0x000000004000A000-memory.dmp

Filesize
40KB

Download
memory/3576-3-0x0000000000000000-mapping.dmp

Download