buer | 57b2efd438bf6c7eb64a4a2d454f215361e2f96ac4bd50284b89c64742bc307a

General

Target

SecuriteInfo.com.Trojan.GenericKD.46929464.6664.11196.exe
Size

188KB
MD5

590459b833a0d6846c570d35e7f3344d
SHA1

b095954830b51651520990b275220bf50cc89a4b
SHA256

57b2efd438bf6c7eb64a4a2d454f215361e2f96ac4bd50284b89c64742bc307a
SHA512

cac850af0eefa7d3aede5556f9b1d9ed0c70aebfd5518ac80a5966f7900cea32a76534ea303e6def62b1ec78a942622359be01562d7dbb9e44a7c74a2bac20c7

Score

10^/10

buer agilenet loader

Malware Config

Signatures

Buer
Buer is a new modular loader first seen in August 2019.
loader buer

Executes dropped EXE 3 IoCs

pid	Process
968	moduleName.exe
1736	moduleName.exe
1596	moduleName.exe

Loads dropped DLL 4 IoCs

pid	Process
1300	SecuriteInfo.com.Trojan.GenericKD.46929464.6664.11196.exe
968	moduleName.exe
1736	moduleName.exe
1596	moduleName.exe

Obfuscated with Agile.Net obfuscator 4 IoCs

Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

agilenet

resource	yara_rule
behavioral1/files/0x0001000000012efe-60.dat	agile_net
behavioral1/files/0x0001000000012efe-61.dat	agile_net
behavioral1/files/0x0001000000012efe-69.dat	agile_net
behavioral1/files/0x0001000000012efe-76.dat	agile_net

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
1732	schtasks.exe

Suspicious behavior: EnumeratesProcesses 27 IoCs

pid	Process
1300	SecuriteInfo.com.Trojan.GenericKD.46929464.6664.11196.exe
1300	SecuriteInfo.com.Trojan.GenericKD.46929464.6664.11196.exe
1300	SecuriteInfo.com.Trojan.GenericKD.46929464.6664.11196.exe
1300	SecuriteInfo.com.Trojan.GenericKD.46929464.6664.11196.exe
1300	SecuriteInfo.com.Trojan.GenericKD.46929464.6664.11196.exe
1300	SecuriteInfo.com.Trojan.GenericKD.46929464.6664.11196.exe
1300	SecuriteInfo.com.Trojan.GenericKD.46929464.6664.11196.exe
968	moduleName.exe
968	moduleName.exe
968	moduleName.exe
968	moduleName.exe
968	moduleName.exe
968	moduleName.exe
968	moduleName.exe
1736	moduleName.exe
1736	moduleName.exe
1736	moduleName.exe
1736	moduleName.exe
1736	moduleName.exe
1736	moduleName.exe
1736	moduleName.exe
1596	moduleName.exe
1596	moduleName.exe
1596	moduleName.exe
1596	moduleName.exe
1596	moduleName.exe
1596	moduleName.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	1300	SecuriteInfo.com.Trojan.GenericKD.46929464.6664.11196.exe
Token: SeDebugPrivilege	968	moduleName.exe
Token: SeDebugPrivilege	1736	moduleName.exe
Token: SeDebugPrivilege	1596	moduleName.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1300 wrote to memory of 1732	1300	SecuriteInfo.com.Trojan.GenericKD.46929464.6664.11196.exe	26
PID 1300 wrote to memory of 1732	1300	SecuriteInfo.com.Trojan.GenericKD.46929464.6664.11196.exe	26
PID 1300 wrote to memory of 1732	1300	SecuriteInfo.com.Trojan.GenericKD.46929464.6664.11196.exe	26
PID 332 wrote to memory of 968	332	taskeng.exe	33
PID 332 wrote to memory of 968	332	taskeng.exe	33
PID 332 wrote to memory of 968	332	taskeng.exe	33
PID 332 wrote to memory of 1736	332	taskeng.exe	34
PID 332 wrote to memory of 1736	332	taskeng.exe	34
PID 332 wrote to memory of 1736	332	taskeng.exe	34
PID 332 wrote to memory of 1596	332	taskeng.exe	35
PID 332 wrote to memory of 1596	332	taskeng.exe	35
PID 332 wrote to memory of 1596	332	taskeng.exe	35

C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.GenericKD.46929464.6664.11196.exe
"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.GenericKD.46929464.6664.11196.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1300
- C:\Windows\System32\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /Create /TN Windows\Framework\MicrosoftSecurityEssentials /XML "C:\ProgramData\BC100BA15203137C9F10\task"
  2⤵
  - Creates scheduled task(s)
  PID:1732

C:\Windows\system32\taskeng.exe
taskeng.exe {1353860B-E06B-4323-A01D-1A329883A97E} S-1-5-21-1669990088-476967504-438132596-1000:KJUCCLUP\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:332
- C:\ProgramData\BC100BA15203137C9F10\moduleName.exe
  C:\ProgramData\BC100BA15203137C9F10\moduleName.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:968
- C:\ProgramData\BC100BA15203137C9F10\moduleName.exe
  C:\ProgramData\BC100BA15203137C9F10\moduleName.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1736
- C:\ProgramData\BC100BA15203137C9F10\moduleName.exe
  C:\ProgramData\BC100BA15203137C9F10\moduleName.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1596

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/968-67-0x000000001AD60000-0x000000001AD62000-memory.dmp

Filesize
8KB

Download
memory/968-62-0x0000000000FB0000-0x0000000000FB1000-memory.dmp

Filesize
4KB

Download
memory/1300-56-0x000007FEF60A0000-0x000007FEF61CC000-memory.dmp

Filesize
1.2MB

Download
memory/1300-52-0x0000000000100000-0x0000000000101000-memory.dmp

Filesize
4KB

Download
memory/1300-54-0x000000001AF50000-0x000000001AF52000-memory.dmp

Filesize
8KB

Download
memory/1596-77-0x0000000000990000-0x0000000000991000-memory.dmp

Filesize
4KB

Download
memory/1596-81-0x0000000001E90000-0x0000000001E92000-memory.dmp

Filesize
8KB

Download
memory/1736-70-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/1736-73-0x000007FEF5160000-0x000007FEF528C000-memory.dmp

Filesize
1.2MB

Download
memory/1736-74-0x0000000000370000-0x0000000000372000-memory.dmp

Filesize
8KB

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads