Analysis
max time kernel: 1746s
max time network: 1754s
platform: windows7_x64
resource: win7v20201028
submitted: 07-03-2021 19:37
Static task: static1
General
Target: logo12.jpg.exe
Size: 273KB
MD5: 9c6eb9a93726c622ab4c13e324035122
SHA1: 9e8ab2e00c8b2858790066c728b48b6c10f4c1e9
SHA256: ec27d887ecafb4501d41b95382f56fa5f727e463ccae204fd4a8ff2ca0b6bffc
SHA512: 8658bb1164bab522cb6083d5083fd3a57f7e2e9b2c5edbf1a4c4ebb6481574d88df8ca6ad05110424df58d1a439e2eff1f4554f5665e566ffaf598e50890bbec
Malware Config
Extracted
Family: buer
C2: zeogertabank.com
Signatures

Buer Loader  1 IoCs
Detects Buer loader in memory or disk.
  resource: behavioral1/memory/1444-5-0x0000000040000000-0x0000000040009000-memory.dmp
  yara_rule: buer

Loads dropped DLL  1 IoCs
  pid: 1656  Process: logo12.jpg.exe
Enumerates connected drives  3 TTPs  24 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
  description              ioc     Process
  File opened (read-only)  \??\E:  logo12.jpg.exe
  File opened (read-only)  \??\O:  logo12.jpg.exe
  File opened (read-only)  \??\Q:  logo12.jpg.exe
  File opened (read-only)  \??\S:  logo12.jpg.exe
  File opened (read-only)  \??\Y:  logo12.jpg.exe
  File opened (read-only)  \??\F:  logo12.jpg.exe
  File opened (read-only)  \??\G:  logo12.jpg.exe
  File opened (read-only)  \??\R:  logo12.jpg.exe
  File opened (read-only)  \??\U:  logo12.jpg.exe
  File opened (read-only)  \??\B:  logo12.jpg.exe
  File opened (read-only)  \??\H:  logo12.jpg.exe
  File opened (read-only)  \??\I:  logo12.jpg.exe
  File opened (read-only)  \??\M:  logo12.jpg.exe
  File opened (read-only)  \??\P:  logo12.jpg.exe
  File opened (read-only)  \??\T:  logo12.jpg.exe
  File opened (read-only)  \??\A:  logo12.jpg.exe
  File opened (read-only)  \??\J:  logo12.jpg.exe
  File opened (read-only)  \??\K:  logo12.jpg.exe
  File opened (read-only)  \??\L:  logo12.jpg.exe
  File opened (read-only)  \??\N:  logo12.jpg.exe
  File opened (read-only)  \??\V:  logo12.jpg.exe
  File opened (read-only)  \??\W:  logo12.jpg.exe
  File opened (read-only)  \??\X:  logo12.jpg.exe
  File opened (read-only)  \??\Z:  logo12.jpg.exe
Suspicious use of SetThreadContext  1 IoCs
  description                          pid   Process         procid_target
  PID 1656 set thread context of 1444  1656  logo12.jpg.exe  29

Enumerates physical storage devices  1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Suspicious behavior: MapViewOfSection  1 IoCs
  pid: 1656  Process: logo12.jpg.exe

Suspicious use of WriteProcessMemory  5 IoCs
  description                       pid   Process         procid_target
  PID 1656 wrote to memory of 1444  1656  logo12.jpg.exe  29
  PID 1656 wrote to memory of 1444  1656  logo12.jpg.exe  29
  PID 1656 wrote to memory of 1444  1656  logo12.jpg.exe  29
  PID 1656 wrote to memory of 1444  1656  logo12.jpg.exe  29
  PID 1656 wrote to memory of 1444  1656  logo12.jpg.exe  29
Processes

C:\Users\Admin\AppData\Local\Temp\logo12.jpg.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\logo12.jpg.exe"
  PID: 1656
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\logo12.jpg.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\logo12.jpg.exe"
    PID: 1444
    - Enumerates connected drives