buer | 06a71ef34edd21f127e0e5f64d5e8d8e17d79b306bbe29df71a1a6ceeae78746

General

Target

06a71ef34edd21f127e0e5f64d5e8d8e17d79b306bbe29df71a1a6ceeae78746.exe
Size

6.6MB
MD5

d9731775fe3eaebd566cc726e6e317c0
SHA1

a65d81edadbd26c5c08c1ed77b90fbebeae02056
SHA256

06a71ef34edd21f127e0e5f64d5e8d8e17d79b306bbe29df71a1a6ceeae78746
SHA512

a247d78ef198e86821a956997e296de73a0acc93ca2d7be3007bf9a22a700e2920c89834d63a71286e1a02f048009ce20a2555a36048256a6be8886006c61f9b

Score

10^/10

buer loader

Malware Config

Signatures

Buer
Buer is a new modular loader first seen in August 2019.
loader buer

Buer Loader 3 IoCs

Detects Buer loader in memory or disk.

loader

resource	yara_rule
behavioral2/memory/4192-130-0x0000000002A10000-0x0000000002A1C000-memory.dmp	buer
behavioral2/memory/4192-134-0x0000000040000000-0x0000000040009000-memory.dmp	buer
behavioral2/memory/4192-137-0x0000000002A00000-0x0000000002A09000-memory.dmp	buer

Enumerates connected drives 3 TTPs 24 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\X:	06a71ef34edd21f127e0e5f64d5e8d8e17d79b306bbe29df71a1a6ceeae78746.exe
File opened (read-only)	\??\Z:	06a71ef34edd21f127e0e5f64d5e8d8e17d79b306bbe29df71a1a6ceeae78746.exe
File opened (read-only)	\??\A:	06a71ef34edd21f127e0e5f64d5e8d8e17d79b306bbe29df71a1a6ceeae78746.exe
File opened (read-only)	\??\J:	06a71ef34edd21f127e0e5f64d5e8d8e17d79b306bbe29df71a1a6ceeae78746.exe
File opened (read-only)	\??\L:	06a71ef34edd21f127e0e5f64d5e8d8e17d79b306bbe29df71a1a6ceeae78746.exe
File opened (read-only)	\??\O:	06a71ef34edd21f127e0e5f64d5e8d8e17d79b306bbe29df71a1a6ceeae78746.exe
File opened (read-only)	\??\T:	06a71ef34edd21f127e0e5f64d5e8d8e17d79b306bbe29df71a1a6ceeae78746.exe
File opened (read-only)	\??\V:	06a71ef34edd21f127e0e5f64d5e8d8e17d79b306bbe29df71a1a6ceeae78746.exe
File opened (read-only)	\??\W:	06a71ef34edd21f127e0e5f64d5e8d8e17d79b306bbe29df71a1a6ceeae78746.exe
File opened (read-only)	\??\I:	06a71ef34edd21f127e0e5f64d5e8d8e17d79b306bbe29df71a1a6ceeae78746.exe
File opened (read-only)	\??\B:	06a71ef34edd21f127e0e5f64d5e8d8e17d79b306bbe29df71a1a6ceeae78746.exe
File opened (read-only)	\??\E:	06a71ef34edd21f127e0e5f64d5e8d8e17d79b306bbe29df71a1a6ceeae78746.exe
File opened (read-only)	\??\G:	06a71ef34edd21f127e0e5f64d5e8d8e17d79b306bbe29df71a1a6ceeae78746.exe
File opened (read-only)	\??\H:	06a71ef34edd21f127e0e5f64d5e8d8e17d79b306bbe29df71a1a6ceeae78746.exe
File opened (read-only)	\??\P:	06a71ef34edd21f127e0e5f64d5e8d8e17d79b306bbe29df71a1a6ceeae78746.exe
File opened (read-only)	\??\Q:	06a71ef34edd21f127e0e5f64d5e8d8e17d79b306bbe29df71a1a6ceeae78746.exe
File opened (read-only)	\??\R:	06a71ef34edd21f127e0e5f64d5e8d8e17d79b306bbe29df71a1a6ceeae78746.exe
File opened (read-only)	\??\S:	06a71ef34edd21f127e0e5f64d5e8d8e17d79b306bbe29df71a1a6ceeae78746.exe
File opened (read-only)	\??\F:	06a71ef34edd21f127e0e5f64d5e8d8e17d79b306bbe29df71a1a6ceeae78746.exe
File opened (read-only)	\??\K:	06a71ef34edd21f127e0e5f64d5e8d8e17d79b306bbe29df71a1a6ceeae78746.exe
File opened (read-only)	\??\M:	06a71ef34edd21f127e0e5f64d5e8d8e17d79b306bbe29df71a1a6ceeae78746.exe
File opened (read-only)	\??\N:	06a71ef34edd21f127e0e5f64d5e8d8e17d79b306bbe29df71a1a6ceeae78746.exe
File opened (read-only)	\??\U:	06a71ef34edd21f127e0e5f64d5e8d8e17d79b306bbe29df71a1a6ceeae78746.exe
File opened (read-only)	\??\Y:	06a71ef34edd21f127e0e5f64d5e8d8e17d79b306bbe29df71a1a6ceeae78746.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
4192	06a71ef34edd21f127e0e5f64d5e8d8e17d79b306bbe29df71a1a6ceeae78746.exe
4192	06a71ef34edd21f127e0e5f64d5e8d8e17d79b306bbe29df71a1a6ceeae78746.exe

C:\Users\Admin\AppData\Local\Temp\06a71ef34edd21f127e0e5f64d5e8d8e17d79b306bbe29df71a1a6ceeae78746.exe
"C:\Users\Admin\AppData\Local\Temp\06a71ef34edd21f127e0e5f64d5e8d8e17d79b306bbe29df71a1a6ceeae78746.exe"
1⤵
- Enumerates connected drives
- Suspicious use of SetWindowsHookEx
PID:4192

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/4192-130-0x0000000002A10000-0x0000000002A1C000-memory.dmp

Filesize
48KB

Download
memory/4192-134-0x0000000040000000-0x0000000040009000-memory.dmp

Filesize
36KB

Download
memory/4192-137-0x0000000002A00000-0x0000000002A09000-memory.dmp

Filesize
36KB

Download

Analysis

Sharing