buer | 691474717b13721b4eb72bbc46d541e942b040e53a6dcfbd5523b17ec148051a

General

Target

691474717b13721b4eb72bbc46d541e942b040e53a6dcfbd5523b17ec148051a.exe
Size

6.6MB
MD5

98366e6b49a53c7deb39432a8435f157
SHA1

ea7c48a4b4d86c392d418b0d555d1b523ad808f6
SHA256

691474717b13721b4eb72bbc46d541e942b040e53a6dcfbd5523b17ec148051a
SHA512

a6f60b27647cceb56a410c0dde727f87b32a22b683a74461a464fe1bf1029023f8a1cc43c1a8adf976e7d390390e50c930cf756b59b7524456dc617f359defee

Score

10^/10

buer loader

Malware Config

Signatures

Buer
Buer is a new modular loader first seen in August 2019.
loader buer

Buer Loader 3 IoCs

Detects Buer loader in memory or disk.

loader

resource	yara_rule
behavioral2/memory/4120-130-0x0000000002920000-0x000000000292C000-memory.dmp	buer
behavioral2/memory/4120-134-0x0000000040000000-0x0000000040009000-memory.dmp	buer
behavioral2/memory/4120-137-0x0000000002910000-0x0000000002919000-memory.dmp	buer

Enumerates connected drives 3 TTPs 24 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\I:	691474717b13721b4eb72bbc46d541e942b040e53a6dcfbd5523b17ec148051a.exe
File opened (read-only)	\??\L:	691474717b13721b4eb72bbc46d541e942b040e53a6dcfbd5523b17ec148051a.exe
File opened (read-only)	\??\N:	691474717b13721b4eb72bbc46d541e942b040e53a6dcfbd5523b17ec148051a.exe
File opened (read-only)	\??\T:	691474717b13721b4eb72bbc46d541e942b040e53a6dcfbd5523b17ec148051a.exe
File opened (read-only)	\??\Z:	691474717b13721b4eb72bbc46d541e942b040e53a6dcfbd5523b17ec148051a.exe
File opened (read-only)	\??\E:	691474717b13721b4eb72bbc46d541e942b040e53a6dcfbd5523b17ec148051a.exe
File opened (read-only)	\??\G:	691474717b13721b4eb72bbc46d541e942b040e53a6dcfbd5523b17ec148051a.exe
File opened (read-only)	\??\H:	691474717b13721b4eb72bbc46d541e942b040e53a6dcfbd5523b17ec148051a.exe
File opened (read-only)	\??\Q:	691474717b13721b4eb72bbc46d541e942b040e53a6dcfbd5523b17ec148051a.exe
File opened (read-only)	\??\Y:	691474717b13721b4eb72bbc46d541e942b040e53a6dcfbd5523b17ec148051a.exe
File opened (read-only)	\??\B:	691474717b13721b4eb72bbc46d541e942b040e53a6dcfbd5523b17ec148051a.exe
File opened (read-only)	\??\F:	691474717b13721b4eb72bbc46d541e942b040e53a6dcfbd5523b17ec148051a.exe
File opened (read-only)	\??\K:	691474717b13721b4eb72bbc46d541e942b040e53a6dcfbd5523b17ec148051a.exe
File opened (read-only)	\??\U:	691474717b13721b4eb72bbc46d541e942b040e53a6dcfbd5523b17ec148051a.exe
File opened (read-only)	\??\V:	691474717b13721b4eb72bbc46d541e942b040e53a6dcfbd5523b17ec148051a.exe
File opened (read-only)	\??\W:	691474717b13721b4eb72bbc46d541e942b040e53a6dcfbd5523b17ec148051a.exe
File opened (read-only)	\??\X:	691474717b13721b4eb72bbc46d541e942b040e53a6dcfbd5523b17ec148051a.exe
File opened (read-only)	\??\O:	691474717b13721b4eb72bbc46d541e942b040e53a6dcfbd5523b17ec148051a.exe
File opened (read-only)	\??\P:	691474717b13721b4eb72bbc46d541e942b040e53a6dcfbd5523b17ec148051a.exe
File opened (read-only)	\??\S:	691474717b13721b4eb72bbc46d541e942b040e53a6dcfbd5523b17ec148051a.exe
File opened (read-only)	\??\R:	691474717b13721b4eb72bbc46d541e942b040e53a6dcfbd5523b17ec148051a.exe
File opened (read-only)	\??\A:	691474717b13721b4eb72bbc46d541e942b040e53a6dcfbd5523b17ec148051a.exe
File opened (read-only)	\??\J:	691474717b13721b4eb72bbc46d541e942b040e53a6dcfbd5523b17ec148051a.exe
File opened (read-only)	\??\M:	691474717b13721b4eb72bbc46d541e942b040e53a6dcfbd5523b17ec148051a.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
4120	691474717b13721b4eb72bbc46d541e942b040e53a6dcfbd5523b17ec148051a.exe
4120	691474717b13721b4eb72bbc46d541e942b040e53a6dcfbd5523b17ec148051a.exe

C:\Users\Admin\AppData\Local\Temp\691474717b13721b4eb72bbc46d541e942b040e53a6dcfbd5523b17ec148051a.exe
"C:\Users\Admin\AppData\Local\Temp\691474717b13721b4eb72bbc46d541e942b040e53a6dcfbd5523b17ec148051a.exe"
1⤵
- Enumerates connected drives
- Suspicious use of SetWindowsHookEx
PID:4120

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/4120-130-0x0000000002920000-0x000000000292C000-memory.dmp

Filesize
48KB

Download
memory/4120-134-0x0000000040000000-0x0000000040009000-memory.dmp

Filesize
36KB

Download
memory/4120-137-0x0000000002910000-0x0000000002919000-memory.dmp

Filesize
36KB

Download

Analysis

Sharing