buer | 2f2c65f9e33f564986f7459b52f61c4855cb9c7768acafa7f7da34b481ddab92

General

Target

2f2c65f9e33f564986f7459b52f61c4855cb9c7768acafa7f7da34b481ddab92.exe
Size

302KB
MD5

1a2546b8cc363618f85ad41532b2506a
SHA1

898b6adc52af010648afa56073f77dd7961837f9
SHA256

2f2c65f9e33f564986f7459b52f61c4855cb9c7768acafa7f7da34b481ddab92
SHA512

45a16da45a553bd98c5f2f152c3dcaea1ce8492e8a1feb44ac572209f923b7c481a876b9d7880b0ff25d7c10c93c3cd56c59668b3459ea240ad673279c787bcb

Score

10^/10

buer loader persistence

Malware Config

Extracted

Family

buer

C2

https://gstatiknetiplist.cc/

https://gstatiknetiplist.com/

Signatures

Buer
Buer is a new modular loader first seen in August 2019.
loader buer

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\ProgramData\\ErrorResponder\\responder.exe\""	responder.exe

Buer Loader 3 IoCs

Detects Buer loader in memory or disk.

loader

resource	yara_rule
behavioral2/memory/2116-131-0x00000000001C0000-0x00000000001CA000-memory.dmp	buer
behavioral2/memory/2116-132-0x0000000040000000-0x0000000042A02000-memory.dmp	buer
behavioral2/memory/312-137-0x0000000040000000-0x0000000042A02000-memory.dmp	buer

Executes dropped EXE 1 IoCs

pid	Process
312	responder.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3464	2116	WerFault.exe	23

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2116 wrote to memory of 312	2116	2f2c65f9e33f564986f7459b52f61c4855cb9c7768acafa7f7da34b481ddab92.exe	87
PID 2116 wrote to memory of 312	2116	2f2c65f9e33f564986f7459b52f61c4855cb9c7768acafa7f7da34b481ddab92.exe	87
PID 2116 wrote to memory of 312	2116	2f2c65f9e33f564986f7459b52f61c4855cb9c7768acafa7f7da34b481ddab92.exe	87
PID 312 wrote to memory of 1252	312	responder.exe	90
PID 312 wrote to memory of 1252	312	responder.exe	90
PID 312 wrote to memory of 1252	312	responder.exe	90
PID 312 wrote to memory of 1252	312	responder.exe	90

C:\Users\Admin\AppData\Local\Temp\2f2c65f9e33f564986f7459b52f61c4855cb9c7768acafa7f7da34b481ddab92.exe
"C:\Users\Admin\AppData\Local\Temp\2f2c65f9e33f564986f7459b52f61c4855cb9c7768acafa7f7da34b481ddab92.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2116
- C:\ProgramData\ErrorResponder\responder.exe
  C:\ProgramData\ErrorResponder\responder.exe "C:\Users\Admin\AppData\Local\Temp\2f2c65f9e33f564986f7459b52f61c4855cb9c7768acafa7f7da34b481ddab92.exe" ensgJJ
  2⤵
  - Modifies WinLogon for persistence
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:312
- - C:\Windows\SysWOW64\secinit.exe
    C:\ProgramData\ErrorResponder\responder.exe
    3⤵
    PID:1252
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2116 -s 472
  2⤵
  - Program crash
  PID:3464

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 2116 -ip 2116
1⤵
PID:3000

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

1

T1004

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\ErrorResponder\responder.exe

Filesize
302KB

MD5
1a2546b8cc363618f85ad41532b2506a

SHA1
898b6adc52af010648afa56073f77dd7961837f9

SHA256
2f2c65f9e33f564986f7459b52f61c4855cb9c7768acafa7f7da34b481ddab92

SHA512
45a16da45a553bd98c5f2f152c3dcaea1ce8492e8a1feb44ac572209f923b7c481a876b9d7880b0ff25d7c10c93c3cd56c59668b3459ea240ad673279c787bcb

Download Submit
C:\ProgramData\ErrorResponder\responder.exe

Filesize
302KB

MD5
1a2546b8cc363618f85ad41532b2506a

SHA1
898b6adc52af010648afa56073f77dd7961837f9

SHA256
2f2c65f9e33f564986f7459b52f61c4855cb9c7768acafa7f7da34b481ddab92

SHA512
45a16da45a553bd98c5f2f152c3dcaea1ce8492e8a1feb44ac572209f923b7c481a876b9d7880b0ff25d7c10c93c3cd56c59668b3459ea240ad673279c787bcb

Download Submit
memory/312-136-0x0000000000443000-0x000000000044B000-memory.dmp

Filesize
32KB

Download
memory/312-137-0x0000000040000000-0x0000000042A02000-memory.dmp

Filesize
42.0MB

Download
memory/2116-130-0x0000000000682000-0x0000000000689000-memory.dmp

Filesize
28KB

Download
memory/2116-131-0x00000000001C0000-0x00000000001CA000-memory.dmp

Filesize
40KB

Download
memory/2116-132-0x0000000040000000-0x0000000042A02000-memory.dmp

Filesize
42.0MB

Download

Analysis

Sharing