buer | f2a883a0e4b01c72b0f063df3be5a0102e5c8fbaedc39c8d35c632b200599283

Analysis

max time kernel
120s
max time network
121s
platform
windows7_x64
resource
win7v20201028
submitted
02-03-2021 20:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ServApi.exe
Size

281KB
MD5

19ca9bf5eebc9e2f0bd3230f262348fd
SHA1

e8157d7e277ccf04de3476c1845cd597c112786e
SHA256

f2a883a0e4b01c72b0f063df3be5a0102e5c8fbaedc39c8d35c632b200599283
SHA512

636859bd44528e75e5c6c25ad4fce12e0482fdd0de3798c863efbf4326e77db184b1354fc5433672239dee4350a0fc12427acc9a4bedfd17487e96ee5e397d72

Score

10^/10

buer loader

Malware Config

Extracted

Family

buer

verstudiosan.com

Signatures

Buer
Buer is a new modular loader first seen in August 2019.
loader buer

Buer Loader 1 IoCs

Detects Buer loader in memory or disk.

resource	yara_rule
behavioral1/memory/1368-5-0x0000000040000000-0x0000000040009000-memory.dmp	buer

Loads dropped DLL 1 IoCs

pid	Process
548	ServApi.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 548 set thread context of 1368	548	ServApi.exe	29

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
548	ServApi.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 548 wrote to memory of 1368	548	ServApi.exe	29
PID 548 wrote to memory of 1368	548	ServApi.exe	29
PID 548 wrote to memory of 1368	548	ServApi.exe	29
PID 548 wrote to memory of 1368	548	ServApi.exe	29
PID 548 wrote to memory of 1368	548	ServApi.exe	29
PID 548 wrote to memory of 1368	548	ServApi.exe	29
PID 548 wrote to memory of 1368	548	ServApi.exe	29
PID 548 wrote to memory of 1368	548	ServApi.exe	29

C:\Users\Admin\AppData\Local\Temp\ServApi.exe
"C:\Users\Admin\AppData\Local\Temp\ServApi.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:548
- C:\Users\Admin\AppData\Local\Temp\ServApi.exe
  "C:\Users\Admin\AppData\Local\Temp\ServApi.exe"
  2⤵
  PID:1368

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/548-2-0x0000000076451000-0x0000000076453000-memory.dmp

Filesize
8KB

Download
memory/1368-5-0x0000000040000000-0x0000000040009000-memory.dmp

Filesize
36KB

Download