buer | 2e12043576f00278e8e1207709477d00c5e750fe42ebbae261302df924fb92fa

General

Target

2e12043576f00278e8e1207709477d00c5e750fe42ebbae261302df924fb92fa.exe
Size

1.6MB
MD5

f0120868b013fa572bad5ceb3d50798d
SHA1

8ccd636f9852a713e9c0aff7f2cfba667ad95247
SHA256

2e12043576f00278e8e1207709477d00c5e750fe42ebbae261302df924fb92fa
SHA512

5c45d2834bfb3a57d98ff85142f4fe9675c8bbcebaf40859cd1e93b81c3a5e429531c71527b9d667ee8a2ad561a98b47980a098c69fbb564fe39b0ef6fda25d6

Score

10^/10

buer evasion loader persistence

Malware Config

Extracted

Family

buer

C2

http://loaadik01.pro/

http://loaadik02.pro/

Signatures

Buer
Buer is a new modular loader first seen in August 2019.
loader buer

Buer Loader 2 IoCs

Detects Buer loader in memory or disk.

loader

resource	yara_rule
behavioral2/memory/2432-131-0x000000003F400000-0x000000003F83F000-memory.dmp	buer
behavioral2/memory/4776-136-0x000000003FE20000-0x000000004025F000-memory.dmp	buer

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Executes dropped EXE 1 IoCs

pid	Process
4776	plugin.exe

Checks BIOS information in registry 2 TTPs 4 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	2e12043576f00278e8e1207709477d00c5e750fe42ebbae261302df924fb92fa.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	2e12043576f00278e8e1207709477d00c5e750fe42ebbae261302df924fb92fa.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	plugin.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	plugin.exe

Identifies Wine through registry keys 2 TTPs 2 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Wine	2e12043576f00278e8e1207709477d00c5e750fe42ebbae261302df924fb92fa.exe
Key opened	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Wine	plugin.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce	2e12043576f00278e8e1207709477d00c5e750fe42ebbae261302df924fb92fa.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\UBlock = "C:\\Users\\Admin\\AppData\\Roaming\\UBlockPlugin\\plugin.exe"	2e12043576f00278e8e1207709477d00c5e750fe42ebbae261302df924fb92fa.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
2432	2e12043576f00278e8e1207709477d00c5e750fe42ebbae261302df924fb92fa.exe
4776	plugin.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4336	548	WerFault.exe	89

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
2432	2e12043576f00278e8e1207709477d00c5e750fe42ebbae261302df924fb92fa.exe
2432	2e12043576f00278e8e1207709477d00c5e750fe42ebbae261302df924fb92fa.exe
4776	plugin.exe
4776	plugin.exe
4776	plugin.exe
4776	plugin.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 2432 wrote to memory of 4776	2432	2e12043576f00278e8e1207709477d00c5e750fe42ebbae261302df924fb92fa.exe	82
PID 2432 wrote to memory of 4776	2432	2e12043576f00278e8e1207709477d00c5e750fe42ebbae261302df924fb92fa.exe	82
PID 2432 wrote to memory of 4776	2432	2e12043576f00278e8e1207709477d00c5e750fe42ebbae261302df924fb92fa.exe	82
PID 4776 wrote to memory of 548	4776	plugin.exe	89
PID 4776 wrote to memory of 548	4776	plugin.exe	89
PID 4776 wrote to memory of 548	4776	plugin.exe	89
PID 4776 wrote to memory of 548	4776	plugin.exe	89
PID 4776 wrote to memory of 548	4776	plugin.exe	89
PID 4776 wrote to memory of 548	4776	plugin.exe	89
PID 4776 wrote to memory of 548	4776	plugin.exe	89
PID 4776 wrote to memory of 548	4776	plugin.exe	89
PID 4776 wrote to memory of 548	4776	plugin.exe	89
PID 4776 wrote to memory of 548	4776	plugin.exe	89
PID 4776 wrote to memory of 548	4776	plugin.exe	89
PID 4776 wrote to memory of 548	4776	plugin.exe	89

C:\Users\Admin\AppData\Local\Temp\2e12043576f00278e8e1207709477d00c5e750fe42ebbae261302df924fb92fa.exe
"C:\Users\Admin\AppData\Local\Temp\2e12043576f00278e8e1207709477d00c5e750fe42ebbae261302df924fb92fa.exe"
1⤵
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2432
- C:\Users\Admin\AppData\Roaming\UBlockPlugin\plugin.exe
  C:\Users\Admin\AppData\Roaming\UBlockPlugin\plugin.exe "C:\Users\Admin\AppData\Local\Temp\2e12043576f00278e8e1207709477d00c5e750fe42ebbae261302df924fb92fa.exe" ensgJJ
  2⤵
  - Executes dropped EXE
  - Checks BIOS information in registry
  - Identifies Wine through registry keys
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:4776
- - C:\Windows\SysWOW64\secinit.exe
    C:\Users\Admin\AppData\Roaming\UBlockPlugin\plugin.exe
    3⤵
    PID:548
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 548 -s 220
      4⤵
      Program crash
      PID:4336

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 548 -ip 548
1⤵
PID:4808

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Virtualization/Sandbox Evasion

2

T1497

Credential Access

Discovery

Query Registry

3

T1012

System Information Discovery

1

T1082

Virtualization/Sandbox Evasion

2

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\UBlockPlugin\plugin.exe

Filesize
569KB

MD5
6af2082ed1e29b5f18e9a35e444da762

SHA1
9972b90aa768554f5a4304f8d351ec102f80d366

SHA256
290dfcde9fcb66cb3f7ed3a9de2ff1165c8128788702af81d13538f6e965b3fc

SHA512
c521191b4ff6f4c2ed5588ae9c62b810d8997ea3d662ccaa64fc5656173dc0222a70af7a06e1b0f25e22a8247ca21344d75d7721cf09b98e1d33ba1b87734bdf

Download Submit
C:\Users\Admin\AppData\Roaming\UBlockPlugin\plugin.exe

Filesize
484KB

MD5
e0dfe8dd5b5444874597462d639efb44

SHA1
2febde13ac23dbc780e8bd4d40643085c244c549

SHA256
e534cc8dc15432c3b5eb3109091527262462a97c68a41c8593960a8085ba0af9

SHA512
571c347b14fef6bfe0b23c6a946786d73eda068d1f7a7d2fd68c767c642f960982a03447d9be223cefbc7b04c91af6d339f83e39d5ffba9d00f2c3b13fdbd57b

Download Submit
memory/2432-130-0x00000000778B0000-0x0000000077A53000-memory.dmp

Filesize
1.6MB

Download
memory/2432-131-0x000000003F400000-0x000000003F83F000-memory.dmp

Filesize
4.2MB

Download
memory/4776-136-0x000000003FE20000-0x000000004025F000-memory.dmp

Filesize
4.2MB

Download
memory/4776-135-0x00000000778B0000-0x0000000077A53000-memory.dmp

Filesize
1.6MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads