buer | 9609f76c0d687ac6eae37ff4765c944cf9354eb03ea7afbd537f9871f6fd4464

General

Target

9609f76c0d687ac6eae37ff4765c944cf9354eb03ea7afbd537f9871f6fd4464.exe
Size

6.6MB
MD5

c48fda7e84beb1a767122453558de272
SHA1

063d8217a32d1e6491ed94abcd6ffafd15808bc2
SHA256

9609f76c0d687ac6eae37ff4765c944cf9354eb03ea7afbd537f9871f6fd4464
SHA512

1cf5a50fce028bcc0b4baa5f79b7e6785573ea7b2049b40c4962da3a785f28398f5ae2883f42b332cc2f6e4390a2ccbee2106b29c5f771a9f72e4d0bb7bcdc93

Score

10^/10

buer loader

Malware Config

Signatures

Buer
Buer is a new modular loader first seen in August 2019.
loader buer

Buer Loader 3 IoCs

Detects Buer loader in memory or disk.

loader

resource	yara_rule
behavioral2/memory/2916-130-0x0000000003100000-0x000000000310C000-memory.dmp	buer
behavioral2/memory/2916-134-0x0000000040000000-0x0000000040009000-memory.dmp	buer
behavioral2/memory/2916-137-0x0000000002A10000-0x0000000002A19000-memory.dmp	buer

Enumerates connected drives 3 TTPs 24 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\B:	9609f76c0d687ac6eae37ff4765c944cf9354eb03ea7afbd537f9871f6fd4464.exe
File opened (read-only)	\??\F:	9609f76c0d687ac6eae37ff4765c944cf9354eb03ea7afbd537f9871f6fd4464.exe
File opened (read-only)	\??\H:	9609f76c0d687ac6eae37ff4765c944cf9354eb03ea7afbd537f9871f6fd4464.exe
File opened (read-only)	\??\S:	9609f76c0d687ac6eae37ff4765c944cf9354eb03ea7afbd537f9871f6fd4464.exe
File opened (read-only)	\??\T:	9609f76c0d687ac6eae37ff4765c944cf9354eb03ea7afbd537f9871f6fd4464.exe
File opened (read-only)	\??\Z:	9609f76c0d687ac6eae37ff4765c944cf9354eb03ea7afbd537f9871f6fd4464.exe
File opened (read-only)	\??\A:	9609f76c0d687ac6eae37ff4765c944cf9354eb03ea7afbd537f9871f6fd4464.exe
File opened (read-only)	\??\G:	9609f76c0d687ac6eae37ff4765c944cf9354eb03ea7afbd537f9871f6fd4464.exe
File opened (read-only)	\??\I:	9609f76c0d687ac6eae37ff4765c944cf9354eb03ea7afbd537f9871f6fd4464.exe
File opened (read-only)	\??\L:	9609f76c0d687ac6eae37ff4765c944cf9354eb03ea7afbd537f9871f6fd4464.exe
File opened (read-only)	\??\M:	9609f76c0d687ac6eae37ff4765c944cf9354eb03ea7afbd537f9871f6fd4464.exe
File opened (read-only)	\??\N:	9609f76c0d687ac6eae37ff4765c944cf9354eb03ea7afbd537f9871f6fd4464.exe
File opened (read-only)	\??\P:	9609f76c0d687ac6eae37ff4765c944cf9354eb03ea7afbd537f9871f6fd4464.exe
File opened (read-only)	\??\Q:	9609f76c0d687ac6eae37ff4765c944cf9354eb03ea7afbd537f9871f6fd4464.exe
File opened (read-only)	\??\U:	9609f76c0d687ac6eae37ff4765c944cf9354eb03ea7afbd537f9871f6fd4464.exe
File opened (read-only)	\??\J:	9609f76c0d687ac6eae37ff4765c944cf9354eb03ea7afbd537f9871f6fd4464.exe
File opened (read-only)	\??\K:	9609f76c0d687ac6eae37ff4765c944cf9354eb03ea7afbd537f9871f6fd4464.exe
File opened (read-only)	\??\O:	9609f76c0d687ac6eae37ff4765c944cf9354eb03ea7afbd537f9871f6fd4464.exe
File opened (read-only)	\??\R:	9609f76c0d687ac6eae37ff4765c944cf9354eb03ea7afbd537f9871f6fd4464.exe
File opened (read-only)	\??\W:	9609f76c0d687ac6eae37ff4765c944cf9354eb03ea7afbd537f9871f6fd4464.exe
File opened (read-only)	\??\Y:	9609f76c0d687ac6eae37ff4765c944cf9354eb03ea7afbd537f9871f6fd4464.exe
File opened (read-only)	\??\E:	9609f76c0d687ac6eae37ff4765c944cf9354eb03ea7afbd537f9871f6fd4464.exe
File opened (read-only)	\??\V:	9609f76c0d687ac6eae37ff4765c944cf9354eb03ea7afbd537f9871f6fd4464.exe
File opened (read-only)	\??\X:	9609f76c0d687ac6eae37ff4765c944cf9354eb03ea7afbd537f9871f6fd4464.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2916	9609f76c0d687ac6eae37ff4765c944cf9354eb03ea7afbd537f9871f6fd4464.exe
2916	9609f76c0d687ac6eae37ff4765c944cf9354eb03ea7afbd537f9871f6fd4464.exe

C:\Users\Admin\AppData\Local\Temp\9609f76c0d687ac6eae37ff4765c944cf9354eb03ea7afbd537f9871f6fd4464.exe
"C:\Users\Admin\AppData\Local\Temp\9609f76c0d687ac6eae37ff4765c944cf9354eb03ea7afbd537f9871f6fd4464.exe"
1⤵
- Enumerates connected drives
- Suspicious use of SetWindowsHookEx
PID:2916

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2916-130-0x0000000003100000-0x000000000310C000-memory.dmp

Filesize
48KB

Download
memory/2916-134-0x0000000040000000-0x0000000040009000-memory.dmp

Filesize
36KB

Download
memory/2916-137-0x0000000002A10000-0x0000000002A19000-memory.dmp

Filesize
36KB

Download

Analysis

Sharing