buer | 0e735a5773b8aa36e2a596ea6e468d75038db7dd644236b4eb745b66762f4ebf

Analysis

max time kernel
15s
max time network
112s
platform
windows10_x64
resource
win10v20201028
submitted
04-03-2021 20:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

OfficeDocument.exe
Size

279KB
MD5

b04e5c4ad1bc75a4a0cd5686e869acdb
SHA1

8a8fadeb752362fb265baa83f690bc4250556d33
SHA256

0e735a5773b8aa36e2a596ea6e468d75038db7dd644236b4eb745b66762f4ebf
SHA512

c06212a009af916a8dd707eca6d1e24cf28ce6b8726b51663562cbf1598138aef5d02b13c3ba2ad5c56940ddb47558224d6d7aa752347e0321267791e7141cfa

Score

10^/10

buer loader

Malware Config

Extracted

Family

buer

grandbanking-api.com

Signatures

Buer
Buer is a new modular loader first seen in August 2019.
loader buer

Buer Loader 1 IoCs

Detects Buer loader in memory or disk.

Processes:

resource	yara_rule
behavioral2/memory/3308-4-0x0000000040000000-0x0000000040009000-memory.dmp	buer

Loads dropped DLL 1 IoCs

Processes:

OfficeDocument.exe

pid process

4652 OfficeDocument.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

OfficeDocument.exe

description pid process target process

PID 4652 set thread context of 3308 4652 OfficeDocument.exe OfficeDocument.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

OfficeDocument.exe

pid process

4652 OfficeDocument.exe

pid	process
4652	OfficeDocument.exe

description	pid	process	target process
PID 4652 set thread context of 3308	4652	OfficeDocument.exe	OfficeDocument.exe

pid	process
4652	OfficeDocument.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

OfficeDocument.exe

description	pid	process	target process
PID 4652 wrote to memory of 3308	4652	OfficeDocument.exe	OfficeDocument.exe
PID 4652 wrote to memory of 3308	4652	OfficeDocument.exe	OfficeDocument.exe
PID 4652 wrote to memory of 3308	4652	OfficeDocument.exe	OfficeDocument.exe
PID 4652 wrote to memory of 3308	4652	OfficeDocument.exe	OfficeDocument.exe

C:\Users\Admin\AppData\Local\Temp\OfficeDocument.exe
"C:\Users\Admin\AppData\Local\Temp\OfficeDocument.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:4652

C:\Users\Admin\AppData\Local\Temp\OfficeDocument.exe
"C:\Users\Admin\AppData\Local\Temp\OfficeDocument.exe"
2⤵
PID:3308

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\nsj3688.tmp\System.dll
MD5
0063d48afe5a0cdc02833145667b6641

SHA1
e7eb614805d183ecb1127c62decb1a6be1b4f7a8

SHA256
ac9dfe3b35ea4b8932536ed7406c29a432976b685cc5322f94ef93df920fede7

SHA512
71cbbcaeb345e09306e368717ea0503fe8df485be2e95200febc61bcd8ba74fb4211cd263c232f148c0123f6c6f2e3fd4ea20bdecc4070f5208c35c6920240f0

Download Submit
memory/3308-3-0x0000000040005EFA-mapping.dmp

Download
memory/3308-4-0x0000000040000000-0x0000000040009000-memory.dmp

Filesize
36KB

Download