buer | b8214a4193ab2e9ad46cc908789a17bc2c78cd4fa215b5311e7908caabb3ea6e

General

Target

b8214a4193ab2e9ad46cc908789a17bc2c78cd4fa215b5311e7908caabb3ea6e.exe
Size

168KB
MD5

3f703f81f4a4c842cdc0703a72c2b962
SHA1

014c9705a2cb162435ed8f59990414c0d1c8bb68
SHA256

b8214a4193ab2e9ad46cc908789a17bc2c78cd4fa215b5311e7908caabb3ea6e
SHA512

ec266ae10cbbcc86581cb96d0fec1ecb0ef2cb76e13c116efde0adcdb11eb5943eb638f80d5ef39bfb0a070d9a8137bf03855820f758ea033109b9335db6a3ec

Score

10^/10

buer loader persistence

Malware Config

Extracted

Family

buer

C2

https://gstatiknetiplist.cc/

https://gstatiknetiplist.com/

Signatures

Buer
Buer is a new modular loader first seen in August 2019.
loader buer

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\ProgramData\\RedTools\\networker.exe\""	networker.exe

Buer Loader 3 IoCs

Detects Buer loader in memory or disk.

loader

resource	yara_rule
behavioral1/memory/548-57-0x0000000000020000-0x000000000002A000-memory.dmp	buer
behavioral1/memory/548-58-0x0000000040000000-0x00000000429E0000-memory.dmp	buer
behavioral1/memory/1508-68-0x0000000040000000-0x00000000429E0000-memory.dmp	buer

Executes dropped EXE 1 IoCs

pid	Process
1508	networker.exe

Deletes itself 1 IoCs

pid	Process
1508	networker.exe

Loads dropped DLL 2 IoCs

pid	Process
548	b8214a4193ab2e9ad46cc908789a17bc2c78cd4fa215b5311e7908caabb3ea6e.exe
548	b8214a4193ab2e9ad46cc908789a17bc2c78cd4fa215b5311e7908caabb3ea6e.exe

Enumerates connected drives 3 TTPs 24 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\K:	networker.exe
File opened (read-only)	\??\R:	networker.exe
File opened (read-only)	\??\H:	networker.exe
File opened (read-only)	\??\J:	networker.exe
File opened (read-only)	\??\N:	networker.exe
File opened (read-only)	\??\Q:	networker.exe
File opened (read-only)	\??\E:	networker.exe
File opened (read-only)	\??\F:	networker.exe
File opened (read-only)	\??\I:	networker.exe
File opened (read-only)	\??\L:	networker.exe
File opened (read-only)	\??\S:	networker.exe
File opened (read-only)	\??\U:	networker.exe
File opened (read-only)	\??\V:	networker.exe
File opened (read-only)	\??\W:	networker.exe
File opened (read-only)	\??\A:	networker.exe
File opened (read-only)	\??\X:	networker.exe
File opened (read-only)	\??\G:	networker.exe
File opened (read-only)	\??\M:	networker.exe
File opened (read-only)	\??\O:	networker.exe
File opened (read-only)	\??\P:	networker.exe
File opened (read-only)	\??\T:	networker.exe
File opened (read-only)	\??\Y:	networker.exe
File opened (read-only)	\??\Z:	networker.exe
File opened (read-only)	\??\B:	networker.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1268	1420	WerFault.exe	28

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1508	networker.exe

Suspicious use of WriteProcessMemory 19 IoCs

description	pid	Process	procid_target
PID 548 wrote to memory of 1508	548	b8214a4193ab2e9ad46cc908789a17bc2c78cd4fa215b5311e7908caabb3ea6e.exe	27
PID 548 wrote to memory of 1508	548	b8214a4193ab2e9ad46cc908789a17bc2c78cd4fa215b5311e7908caabb3ea6e.exe	27
PID 548 wrote to memory of 1508	548	b8214a4193ab2e9ad46cc908789a17bc2c78cd4fa215b5311e7908caabb3ea6e.exe	27
PID 548 wrote to memory of 1508	548	b8214a4193ab2e9ad46cc908789a17bc2c78cd4fa215b5311e7908caabb3ea6e.exe	27
PID 1508 wrote to memory of 1420	1508	networker.exe	28
PID 1508 wrote to memory of 1420	1508	networker.exe	28
PID 1508 wrote to memory of 1420	1508	networker.exe	28
PID 1508 wrote to memory of 1420	1508	networker.exe	28
PID 1508 wrote to memory of 1420	1508	networker.exe	28
PID 1508 wrote to memory of 1420	1508	networker.exe	28
PID 1508 wrote to memory of 1420	1508	networker.exe	28
PID 1508 wrote to memory of 1420	1508	networker.exe	28
PID 1508 wrote to memory of 1420	1508	networker.exe	28
PID 1508 wrote to memory of 1420	1508	networker.exe	28
PID 1508 wrote to memory of 1420	1508	networker.exe	28
PID 1420 wrote to memory of 1268	1420	secinit.exe	29
PID 1420 wrote to memory of 1268	1420	secinit.exe	29
PID 1420 wrote to memory of 1268	1420	secinit.exe	29
PID 1420 wrote to memory of 1268	1420	secinit.exe	29

C:\Users\Admin\AppData\Local\Temp\b8214a4193ab2e9ad46cc908789a17bc2c78cd4fa215b5311e7908caabb3ea6e.exe
"C:\Users\Admin\AppData\Local\Temp\b8214a4193ab2e9ad46cc908789a17bc2c78cd4fa215b5311e7908caabb3ea6e.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:548
- C:\ProgramData\RedTools\networker.exe
  C:\ProgramData\RedTools\networker.exe "C:\Users\Admin\AppData\Local\Temp\b8214a4193ab2e9ad46cc908789a17bc2c78cd4fa215b5311e7908caabb3ea6e.exe" ensgJJ
  2⤵
  - Modifies WinLogon for persistence
  - Executes dropped EXE
  - Deletes itself
  - Enumerates connected drives
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:1508
- - C:\Windows\SysWOW64\secinit.exe
    C:\ProgramData\RedTools\networker.exe
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1420
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1420 -s 136
      4⤵
      Program crash
      PID:1268

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

1

T1004

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\RedTools\networker.exe

Filesize
168KB

MD5
3f703f81f4a4c842cdc0703a72c2b962

SHA1
014c9705a2cb162435ed8f59990414c0d1c8bb68

SHA256
b8214a4193ab2e9ad46cc908789a17bc2c78cd4fa215b5311e7908caabb3ea6e

SHA512
ec266ae10cbbcc86581cb96d0fec1ecb0ef2cb76e13c116efde0adcdb11eb5943eb638f80d5ef39bfb0a070d9a8137bf03855820f758ea033109b9335db6a3ec

Download Submit
C:\ProgramData\RedTools\networker.exe

Filesize
168KB

MD5
3f703f81f4a4c842cdc0703a72c2b962

SHA1
014c9705a2cb162435ed8f59990414c0d1c8bb68

SHA256
b8214a4193ab2e9ad46cc908789a17bc2c78cd4fa215b5311e7908caabb3ea6e

SHA512
ec266ae10cbbcc86581cb96d0fec1ecb0ef2cb76e13c116efde0adcdb11eb5943eb638f80d5ef39bfb0a070d9a8137bf03855820f758ea033109b9335db6a3ec

Download Submit
\ProgramData\RedTools\networker.exe

Filesize
168KB

MD5
3f703f81f4a4c842cdc0703a72c2b962

SHA1
014c9705a2cb162435ed8f59990414c0d1c8bb68

SHA256
b8214a4193ab2e9ad46cc908789a17bc2c78cd4fa215b5311e7908caabb3ea6e

SHA512
ec266ae10cbbcc86581cb96d0fec1ecb0ef2cb76e13c116efde0adcdb11eb5943eb638f80d5ef39bfb0a070d9a8137bf03855820f758ea033109b9335db6a3ec

Download Submit
\ProgramData\RedTools\networker.exe

Filesize
168KB

MD5
3f703f81f4a4c842cdc0703a72c2b962

SHA1
014c9705a2cb162435ed8f59990414c0d1c8bb68

SHA256
b8214a4193ab2e9ad46cc908789a17bc2c78cd4fa215b5311e7908caabb3ea6e

SHA512
ec266ae10cbbcc86581cb96d0fec1ecb0ef2cb76e13c116efde0adcdb11eb5943eb638f80d5ef39bfb0a070d9a8137bf03855820f758ea033109b9335db6a3ec

Download Submit
memory/548-55-0x0000000076181000-0x0000000076183000-memory.dmp

Filesize
8KB

Download
memory/548-56-0x0000000000488000-0x0000000000490000-memory.dmp

Filesize
32KB

Download
memory/548-57-0x0000000000020000-0x000000000002A000-memory.dmp

Filesize
40KB

Download
memory/548-58-0x0000000040000000-0x00000000429E0000-memory.dmp

Filesize
41.9MB

Download
memory/548-63-0x0000000000488000-0x0000000000490000-memory.dmp

Filesize
32KB

Download
memory/548-54-0x0000000000488000-0x0000000000490000-memory.dmp

Filesize
32KB

Download
memory/1420-70-0x00000000002C0000-0x0000000002CA0000-memory.dmp

Filesize
41.9MB

Download
memory/1420-69-0x00000000002C0000-0x0000000002CA0000-memory.dmp

Filesize
41.9MB

Download
memory/1420-72-0x00000000002C0000-0x0000000002CA0000-memory.dmp

Filesize
41.9MB

Download
memory/1420-74-0x00000000002C0000-0x0000000002CA0000-memory.dmp

Filesize
41.9MB

Download
memory/1420-76-0x00000000002C0000-0x0000000002CA0000-memory.dmp

Filesize
41.9MB

Download
memory/1420-78-0x0000000000080000-0x0000000000081000-memory.dmp

Filesize
4KB

Download
memory/1420-82-0x00000000002C0000-0x0000000002CA0000-memory.dmp

Filesize
41.9MB

Download
memory/1508-67-0x0000000000588000-0x0000000000590000-memory.dmp

Filesize
32KB

Download
memory/1508-68-0x0000000040000000-0x00000000429E0000-memory.dmp

Filesize
41.9MB

Download
memory/1508-64-0x0000000000588000-0x0000000000590000-memory.dmp

Filesize
32KB

Download

Analysis

Sharing