buer | 2f2c65f9e33f564986f7459b52f61c4855cb9c7768acafa7f7da34b481ddab92

General

Target

2f2c65f9e33f564986f7459b52f61c4855cb9c7768acafa7f7da34b481ddab92.exe
Size

302KB
MD5

1a2546b8cc363618f85ad41532b2506a
SHA1

898b6adc52af010648afa56073f77dd7961837f9
SHA256

2f2c65f9e33f564986f7459b52f61c4855cb9c7768acafa7f7da34b481ddab92
SHA512

45a16da45a553bd98c5f2f152c3dcaea1ce8492e8a1feb44ac572209f923b7c481a876b9d7880b0ff25d7c10c93c3cd56c59668b3459ea240ad673279c787bcb

Score

10^/10

buer loader persistence

Malware Config

Extracted

Family

buer

C2

https://gstatiknetiplist.cc/

https://gstatiknetiplist.com/

Signatures

Buer
Buer is a new modular loader first seen in August 2019.
loader buer

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\ProgramData\\ErrorResponder\\responder.exe\""	responder.exe

Buer Loader 3 IoCs

Detects Buer loader in memory or disk.

loader

resource	yara_rule
behavioral1/memory/1648-57-0x0000000000020000-0x000000000002A000-memory.dmp	buer
behavioral1/memory/1648-58-0x0000000040000000-0x0000000042A02000-memory.dmp	buer
behavioral1/memory/2000-66-0x0000000040000000-0x0000000042A02000-memory.dmp	buer

Executes dropped EXE 1 IoCs

pid	Process
2000	responder.exe

Deletes itself 1 IoCs

pid	Process
2000	responder.exe

Loads dropped DLL 2 IoCs

pid	Process
1648	2f2c65f9e33f564986f7459b52f61c4855cb9c7768acafa7f7da34b481ddab92.exe
1648	2f2c65f9e33f564986f7459b52f61c4855cb9c7768acafa7f7da34b481ddab92.exe

Enumerates connected drives 3 TTPs 24 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\K:	responder.exe
File opened (read-only)	\??\L:	responder.exe
File opened (read-only)	\??\V:	responder.exe
File opened (read-only)	\??\X:	responder.exe
File opened (read-only)	\??\U:	responder.exe
File opened (read-only)	\??\Y:	responder.exe
File opened (read-only)	\??\A:	responder.exe
File opened (read-only)	\??\E:	responder.exe
File opened (read-only)	\??\F:	responder.exe
File opened (read-only)	\??\J:	responder.exe
File opened (read-only)	\??\N:	responder.exe
File opened (read-only)	\??\S:	responder.exe
File opened (read-only)	\??\Z:	responder.exe
File opened (read-only)	\??\B:	responder.exe
File opened (read-only)	\??\G:	responder.exe
File opened (read-only)	\??\H:	responder.exe
File opened (read-only)	\??\I:	responder.exe
File opened (read-only)	\??\P:	responder.exe
File opened (read-only)	\??\W:	responder.exe
File opened (read-only)	\??\M:	responder.exe
File opened (read-only)	\??\O:	responder.exe
File opened (read-only)	\??\Q:	responder.exe
File opened (read-only)	\??\R:	responder.exe
File opened (read-only)	\??\T:	responder.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2000	responder.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1648 wrote to memory of 2000	1648	2f2c65f9e33f564986f7459b52f61c4855cb9c7768acafa7f7da34b481ddab92.exe	27
PID 1648 wrote to memory of 2000	1648	2f2c65f9e33f564986f7459b52f61c4855cb9c7768acafa7f7da34b481ddab92.exe	27
PID 1648 wrote to memory of 2000	1648	2f2c65f9e33f564986f7459b52f61c4855cb9c7768acafa7f7da34b481ddab92.exe	27
PID 1648 wrote to memory of 2000	1648	2f2c65f9e33f564986f7459b52f61c4855cb9c7768acafa7f7da34b481ddab92.exe	27
PID 2000 wrote to memory of 848	2000	responder.exe	28
PID 2000 wrote to memory of 848	2000	responder.exe	28
PID 2000 wrote to memory of 848	2000	responder.exe	28
PID 2000 wrote to memory of 848	2000	responder.exe	28

C:\Users\Admin\AppData\Local\Temp\2f2c65f9e33f564986f7459b52f61c4855cb9c7768acafa7f7da34b481ddab92.exe
"C:\Users\Admin\AppData\Local\Temp\2f2c65f9e33f564986f7459b52f61c4855cb9c7768acafa7f7da34b481ddab92.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1648
- C:\ProgramData\ErrorResponder\responder.exe
  C:\ProgramData\ErrorResponder\responder.exe "C:\Users\Admin\AppData\Local\Temp\2f2c65f9e33f564986f7459b52f61c4855cb9c7768acafa7f7da34b481ddab92.exe" ensgJJ
  2⤵
  - Modifies WinLogon for persistence
  - Executes dropped EXE
  - Deletes itself
  - Enumerates connected drives
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2000
- - C:\Windows\SysWOW64\secinit.exe
    C:\ProgramData\ErrorResponder\responder.exe
    3⤵
    PID:848

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

1

T1004

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\ErrorResponder\responder.exe

Filesize
302KB

MD5
1a2546b8cc363618f85ad41532b2506a

SHA1
898b6adc52af010648afa56073f77dd7961837f9

SHA256
2f2c65f9e33f564986f7459b52f61c4855cb9c7768acafa7f7da34b481ddab92

SHA512
45a16da45a553bd98c5f2f152c3dcaea1ce8492e8a1feb44ac572209f923b7c481a876b9d7880b0ff25d7c10c93c3cd56c59668b3459ea240ad673279c787bcb

Download Submit
C:\ProgramData\ErrorResponder\responder.exe

Filesize
302KB

MD5
1a2546b8cc363618f85ad41532b2506a

SHA1
898b6adc52af010648afa56073f77dd7961837f9

SHA256
2f2c65f9e33f564986f7459b52f61c4855cb9c7768acafa7f7da34b481ddab92

SHA512
45a16da45a553bd98c5f2f152c3dcaea1ce8492e8a1feb44ac572209f923b7c481a876b9d7880b0ff25d7c10c93c3cd56c59668b3459ea240ad673279c787bcb

Download Submit
\ProgramData\ErrorResponder\responder.exe

Filesize
302KB

MD5
1a2546b8cc363618f85ad41532b2506a

SHA1
898b6adc52af010648afa56073f77dd7961837f9

SHA256
2f2c65f9e33f564986f7459b52f61c4855cb9c7768acafa7f7da34b481ddab92

SHA512
45a16da45a553bd98c5f2f152c3dcaea1ce8492e8a1feb44ac572209f923b7c481a876b9d7880b0ff25d7c10c93c3cd56c59668b3459ea240ad673279c787bcb

Download Submit
\ProgramData\ErrorResponder\responder.exe

Filesize
302KB

MD5
1a2546b8cc363618f85ad41532b2506a

SHA1
898b6adc52af010648afa56073f77dd7961837f9

SHA256
2f2c65f9e33f564986f7459b52f61c4855cb9c7768acafa7f7da34b481ddab92

SHA512
45a16da45a553bd98c5f2f152c3dcaea1ce8492e8a1feb44ac572209f923b7c481a876b9d7880b0ff25d7c10c93c3cd56c59668b3459ea240ad673279c787bcb

Download Submit
memory/1648-55-0x0000000075F61000-0x0000000075F63000-memory.dmp

Filesize
8KB

Download
memory/1648-57-0x0000000000020000-0x000000000002A000-memory.dmp

Filesize
40KB

Download
memory/1648-56-0x0000000000428000-0x0000000000430000-memory.dmp

Filesize
32KB

Download
memory/1648-58-0x0000000040000000-0x0000000042A02000-memory.dmp

Filesize
42.0MB

Download
memory/1648-54-0x0000000000428000-0x0000000000430000-memory.dmp

Filesize
32KB

Download
memory/2000-65-0x0000000000268000-0x0000000000270000-memory.dmp

Filesize
32KB

Download
memory/2000-66-0x0000000040000000-0x0000000042A02000-memory.dmp

Filesize
42.0MB

Download
memory/2000-63-0x0000000000268000-0x0000000000270000-memory.dmp

Filesize
32KB

Download

Analysis

Sharing