buer | 69377f70dc61fe37d51443a5ce8a312aa7b682c61574b8ff02fef4e9d798133a

General

Target

69377f70dc61fe37d51443a5ce8a312aa7b682c61574b8ff02fef4e9d798133a.exe
Size

300KB
MD5

b84cb1bf75e472973bed157bab410f04
SHA1

fe4d97e9fd68677ae1e1b459885b3979eabba445
SHA256

69377f70dc61fe37d51443a5ce8a312aa7b682c61574b8ff02fef4e9d798133a
SHA512

266128f62ef53d596196bed76ef94c9aef135f248a2c0a9b44a909bdff4613a048875d9a8debf7082e50eea29acb32891fd7edc535d085558a9250a5f402c9a8

Score

10^/10

buer loader persistence

Malware Config

Extracted

Family

buer

C2

https://officewestunionbank.com/

Signatures

Buer
Buer is a new modular loader first seen in August 2019.
loader buer

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\ProgramData\\b5aab841835fc04b77f7\\AutoReg.exe\""	AutoReg.exe

Buer Loader 4 IoCs

Detects Buer loader in memory or disk.

loader

resource	yara_rule
behavioral2/memory/1800-131-0x0000000000530000-0x000000000058C000-memory.dmp	buer
behavioral2/memory/1800-135-0x0000000040000000-0x0000000040BA8000-memory.dmp	buer
behavioral2/memory/1964-137-0x00000000004D0000-0x000000000052C000-memory.dmp	buer
behavioral2/memory/1964-138-0x0000000040000000-0x0000000040BA8000-memory.dmp	buer

Executes dropped EXE 1 IoCs

pid	Process
1964	AutoReg.exe

Enumerates connected drives 3 TTPs 24 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\O:	AutoReg.exe
File opened (read-only)	\??\R:	AutoReg.exe
File opened (read-only)	\??\T:	AutoReg.exe
File opened (read-only)	\??\W:	AutoReg.exe
File opened (read-only)	\??\G:	AutoReg.exe
File opened (read-only)	\??\L:	AutoReg.exe
File opened (read-only)	\??\S:	AutoReg.exe
File opened (read-only)	\??\V:	AutoReg.exe
File opened (read-only)	\??\N:	AutoReg.exe
File opened (read-only)	\??\Q:	AutoReg.exe
File opened (read-only)	\??\U:	AutoReg.exe
File opened (read-only)	\??\Z:	AutoReg.exe
File opened (read-only)	\??\B:	AutoReg.exe
File opened (read-only)	\??\H:	AutoReg.exe
File opened (read-only)	\??\F:	AutoReg.exe
File opened (read-only)	\??\I:	AutoReg.exe
File opened (read-only)	\??\J:	AutoReg.exe
File opened (read-only)	\??\K:	AutoReg.exe
File opened (read-only)	\??\M:	AutoReg.exe
File opened (read-only)	\??\P:	AutoReg.exe
File opened (read-only)	\??\A:	AutoReg.exe
File opened (read-only)	\??\E:	AutoReg.exe
File opened (read-only)	\??\X:	AutoReg.exe
File opened (read-only)	\??\Y:	AutoReg.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4248	1800	WerFault.exe	69

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1800 wrote to memory of 1964	1800	69377f70dc61fe37d51443a5ce8a312aa7b682c61574b8ff02fef4e9d798133a.exe	80
PID 1800 wrote to memory of 1964	1800	69377f70dc61fe37d51443a5ce8a312aa7b682c61574b8ff02fef4e9d798133a.exe	80
PID 1800 wrote to memory of 1964	1800	69377f70dc61fe37d51443a5ce8a312aa7b682c61574b8ff02fef4e9d798133a.exe	80

C:\Users\Admin\AppData\Local\Temp\69377f70dc61fe37d51443a5ce8a312aa7b682c61574b8ff02fef4e9d798133a.exe
"C:\Users\Admin\AppData\Local\Temp\69377f70dc61fe37d51443a5ce8a312aa7b682c61574b8ff02fef4e9d798133a.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1800
- C:\ProgramData\b5aab841835fc04b77f7\AutoReg.exe
  C:\ProgramData\b5aab841835fc04b77f7\AutoReg.exe "C:\Users\Admin\AppData\Local\Temp\69377f70dc61fe37d51443a5ce8a312aa7b682c61574b8ff02fef4e9d798133a.exe" ensgJJ
  2⤵
  - Modifies WinLogon for persistence
  - Executes dropped EXE
  - Enumerates connected drives
  PID:1964
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1800 -s 440
  2⤵
  - Program crash
  PID:4248

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 1800 -ip 1800
1⤵
PID:4064

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

1

T1004

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\b5aab841835fc04b77f7\AutoReg.exe

Filesize
300KB

MD5
b84cb1bf75e472973bed157bab410f04

SHA1
fe4d97e9fd68677ae1e1b459885b3979eabba445

SHA256
69377f70dc61fe37d51443a5ce8a312aa7b682c61574b8ff02fef4e9d798133a

SHA512
266128f62ef53d596196bed76ef94c9aef135f248a2c0a9b44a909bdff4613a048875d9a8debf7082e50eea29acb32891fd7edc535d085558a9250a5f402c9a8

Download Submit
C:\ProgramData\b5aab841835fc04b77f7\AutoReg.exe

Filesize
300KB

MD5
b84cb1bf75e472973bed157bab410f04

SHA1
fe4d97e9fd68677ae1e1b459885b3979eabba445

SHA256
69377f70dc61fe37d51443a5ce8a312aa7b682c61574b8ff02fef4e9d798133a

SHA512
266128f62ef53d596196bed76ef94c9aef135f248a2c0a9b44a909bdff4613a048875d9a8debf7082e50eea29acb32891fd7edc535d085558a9250a5f402c9a8

Download Submit
memory/1800-130-0x0000000000612000-0x000000000064C000-memory.dmp

Filesize
232KB

Download
memory/1800-131-0x0000000000530000-0x000000000058C000-memory.dmp

Filesize
368KB

Download
memory/1800-135-0x0000000040000000-0x0000000040BA8000-memory.dmp

Filesize
11.7MB

Download
memory/1964-136-0x0000000000722000-0x000000000075C000-memory.dmp

Filesize
232KB

Download
memory/1964-137-0x00000000004D0000-0x000000000052C000-memory.dmp

Filesize
368KB

Download
memory/1964-138-0x0000000040000000-0x0000000040BA8000-memory.dmp

Filesize
11.7MB

Download

Analysis

Sharing