buer | ef0e8df5c700e64d5d2e8dde4c9b5c117abfc919c676ff383019c585e8e367b0

General

Target

ef0e8df5c700e64d5d2e8dde4c9b5c117abfc919c676ff383019c585e8e367b0.exe
Size

814KB
MD5

3e3563c9eb5692e5ef8957b5cccc6388
SHA1

741e0d1c224e813fbc77b379ae8cd75f99f05821
SHA256

ef0e8df5c700e64d5d2e8dde4c9b5c117abfc919c676ff383019c585e8e367b0
SHA512

4fef9a80fcec9464e3023664045a9f7592e2393026e1197545bb6f0a87c2837c7a1c0c2e56eae4b7258136901eb096660463aab7499460c9a1b91037fe273849

Score

10^/10

buer loader persistence

Malware Config

Extracted

Family

buer

C2

http://mainserver.host/

http://reservestation.host/

Signatures

Buer
Buer is a new modular loader first seen in August 2019.
loader buer

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\ProgramData\\ErrorResponder\\errorResponder.exe\""	errorResponder.exe

Buer Loader 2 IoCs

Detects Buer loader in memory or disk.

resource	yara_rule
behavioral1/memory/760-55-0x000000003F9C0000-0x000000003FA92000-memory.dmp	buer
behavioral1/memory/1384-61-0x000000003F980000-0x000000003FA52000-memory.dmp	buer

Executes dropped EXE 1 IoCs

pid	Process
1384	errorResponder.exe

Deletes itself 1 IoCs

pid	Process
1384	errorResponder.exe

Loads dropped DLL 1 IoCs

pid	Process
760	ef0e8df5c700e64d5d2e8dde4c9b5c117abfc919c676ff383019c585e8e367b0.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1508	1608	WerFault.exe	30

Checks processor information in registry 2 TTPs 4 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	ef0e8df5c700e64d5d2e8dde4c9b5c117abfc919c676ff383019c585e8e367b0.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	ef0e8df5c700e64d5d2e8dde4c9b5c117abfc919c676ff383019c585e8e367b0.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	errorResponder.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	errorResponder.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

pid	Process
1384	errorResponder.exe
1508	WerFault.exe
1508	WerFault.exe
1508	WerFault.exe
1508	WerFault.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1508	WerFault.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 760 wrote to memory of 1384	760	ef0e8df5c700e64d5d2e8dde4c9b5c117abfc919c676ff383019c585e8e367b0.exe	29
PID 760 wrote to memory of 1384	760	ef0e8df5c700e64d5d2e8dde4c9b5c117abfc919c676ff383019c585e8e367b0.exe	29
PID 760 wrote to memory of 1384	760	ef0e8df5c700e64d5d2e8dde4c9b5c117abfc919c676ff383019c585e8e367b0.exe	29
PID 760 wrote to memory of 1384	760	ef0e8df5c700e64d5d2e8dde4c9b5c117abfc919c676ff383019c585e8e367b0.exe	29
PID 1384 wrote to memory of 1608	1384	errorResponder.exe	30
PID 1384 wrote to memory of 1608	1384	errorResponder.exe	30
PID 1384 wrote to memory of 1608	1384	errorResponder.exe	30
PID 1384 wrote to memory of 1608	1384	errorResponder.exe	30
PID 1384 wrote to memory of 1608	1384	errorResponder.exe	30
PID 1384 wrote to memory of 1608	1384	errorResponder.exe	30
PID 1384 wrote to memory of 1608	1384	errorResponder.exe	30
PID 1384 wrote to memory of 1608	1384	errorResponder.exe	30
PID 1384 wrote to memory of 1608	1384	errorResponder.exe	30
PID 1384 wrote to memory of 1608	1384	errorResponder.exe	30
PID 1384 wrote to memory of 1608	1384	errorResponder.exe	30
PID 1384 wrote to memory of 1608	1384	errorResponder.exe	30
PID 1608 wrote to memory of 1508	1608	secinit.exe	31
PID 1608 wrote to memory of 1508	1608	secinit.exe	31
PID 1608 wrote to memory of 1508	1608	secinit.exe	31
PID 1608 wrote to memory of 1508	1608	secinit.exe	31

C:\Users\Admin\AppData\Local\Temp\ef0e8df5c700e64d5d2e8dde4c9b5c117abfc919c676ff383019c585e8e367b0.exe
"C:\Users\Admin\AppData\Local\Temp\ef0e8df5c700e64d5d2e8dde4c9b5c117abfc919c676ff383019c585e8e367b0.exe"
1⤵
- Loads dropped DLL
- Checks processor information in registry
- Suspicious use of WriteProcessMemory
PID:760
- C:\ProgramData\ErrorResponder\errorResponder.exe
  C:\ProgramData\ErrorResponder\errorResponder.exe "C:\Users\Admin\AppData\Local\Temp\ef0e8df5c700e64d5d2e8dde4c9b5c117abfc919c676ff383019c585e8e367b0.exe" ensgJJ
  2⤵
  - Modifies WinLogon for persistence
  - Executes dropped EXE
  - Deletes itself
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:1384
- - C:\Windows\SysWOW64\secinit.exe
    C:\ProgramData\ErrorResponder\errorResponder.exe
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1608
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1608 -s 208
      4⤵
      Program crash
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1508

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

1

T1004

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/760-55-0x000000003F9C0000-0x000000003FA92000-memory.dmp

Filesize
840KB

Download
memory/760-56-0x00000000001A0000-0x00000000001B8000-memory.dmp

Filesize
96KB

Download
memory/760-54-0x0000000075D61000-0x0000000075D63000-memory.dmp

Filesize
8KB

Download
memory/1384-63-0x00000000001E0000-0x00000000001F8000-memory.dmp

Filesize
96KB

Download
memory/1384-61-0x000000003F980000-0x000000003FA52000-memory.dmp

Filesize
840KB

Download
memory/1508-75-0x0000000000300000-0x0000000000301000-memory.dmp

Filesize
4KB

Download
memory/1608-65-0x0000000000080000-0x0000000000152000-memory.dmp

Filesize
840KB

Download
memory/1608-64-0x0000000000080000-0x0000000000152000-memory.dmp

Filesize
840KB

Download
memory/1608-66-0x0000000000080000-0x0000000000152000-memory.dmp

Filesize
840KB

Download
memory/1608-67-0x0000000000080000-0x0000000000152000-memory.dmp

Filesize
840KB

Download
memory/1608-68-0x0000000000080000-0x0000000000152000-memory.dmp

Filesize
840KB

Download
memory/1608-69-0x0000000000080000-0x0000000000152000-memory.dmp

Filesize
840KB

Download
memory/1608-70-0x0000000000160000-0x0000000000161000-memory.dmp

Filesize
4KB

Download
memory/1608-71-0x0000000000160000-0x0000000000161000-memory.dmp

Filesize
4KB

Download
memory/1608-73-0x0000000000160000-0x0000000000161000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing