buer | b8214a4193ab2e9ad46cc908789a17bc2c78cd4fa215b5311e7908caabb3ea6e

General

Target

b8214a4193ab2e9ad46cc908789a17bc2c78cd4fa215b5311e7908caabb3ea6e.exe
Size

168KB
MD5

3f703f81f4a4c842cdc0703a72c2b962
SHA1

014c9705a2cb162435ed8f59990414c0d1c8bb68
SHA256

b8214a4193ab2e9ad46cc908789a17bc2c78cd4fa215b5311e7908caabb3ea6e
SHA512

ec266ae10cbbcc86581cb96d0fec1ecb0ef2cb76e13c116efde0adcdb11eb5943eb638f80d5ef39bfb0a070d9a8137bf03855820f758ea033109b9335db6a3ec

Score

10^/10

buer loader persistence

Malware Config

Extracted

Family

buer

C2

https://gstatiknetiplist.cc/

https://gstatiknetiplist.com/

Signatures

Buer
Buer is a new modular loader first seen in August 2019.
loader buer

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\ProgramData\\RedTools\\networker.exe\""	networker.exe

Buer Loader 4 IoCs

Detects Buer loader in memory or disk.

loader

resource	yara_rule
behavioral2/memory/1944-131-0x0000000000030000-0x000000000003A000-memory.dmp	buer
behavioral2/memory/1944-132-0x0000000040000000-0x00000000429E0000-memory.dmp	buer
behavioral2/memory/2236-138-0x0000000040000000-0x00000000429E0000-memory.dmp	buer
behavioral2/memory/1944-139-0x0000000040000000-0x00000000429E0000-memory.dmp	buer

Executes dropped EXE 1 IoCs

pid	Process
2236	networker.exe

Enumerates connected drives 3 TTPs 24 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\E:	networker.exe
File opened (read-only)	\??\L:	networker.exe
File opened (read-only)	\??\Q:	networker.exe
File opened (read-only)	\??\V:	networker.exe
File opened (read-only)	\??\B:	networker.exe
File opened (read-only)	\??\I:	networker.exe
File opened (read-only)	\??\X:	networker.exe
File opened (read-only)	\??\Z:	networker.exe
File opened (read-only)	\??\J:	networker.exe
File opened (read-only)	\??\M:	networker.exe
File opened (read-only)	\??\N:	networker.exe
File opened (read-only)	\??\O:	networker.exe
File opened (read-only)	\??\A:	networker.exe
File opened (read-only)	\??\F:	networker.exe
File opened (read-only)	\??\G:	networker.exe
File opened (read-only)	\??\H:	networker.exe
File opened (read-only)	\??\W:	networker.exe
File opened (read-only)	\??\Y:	networker.exe
File opened (read-only)	\??\P:	networker.exe
File opened (read-only)	\??\R:	networker.exe
File opened (read-only)	\??\S:	networker.exe
File opened (read-only)	\??\U:	networker.exe
File opened (read-only)	\??\K:	networker.exe
File opened (read-only)	\??\T:	networker.exe

Program crash 2 IoCs

pid	pid_target	Process	procid_target
2292	1944	WerFault.exe	76
1920	4184	WerFault.exe	80

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2236	networker.exe
2236	networker.exe

Suspicious use of WriteProcessMemory 13 IoCs

description	pid	Process	procid_target
PID 1944 wrote to memory of 2236	1944	b8214a4193ab2e9ad46cc908789a17bc2c78cd4fa215b5311e7908caabb3ea6e.exe	78
PID 1944 wrote to memory of 2236	1944	b8214a4193ab2e9ad46cc908789a17bc2c78cd4fa215b5311e7908caabb3ea6e.exe	78
PID 1944 wrote to memory of 2236	1944	b8214a4193ab2e9ad46cc908789a17bc2c78cd4fa215b5311e7908caabb3ea6e.exe	78
PID 2236 wrote to memory of 4184	2236	networker.exe	80
PID 2236 wrote to memory of 4184	2236	networker.exe	80
PID 2236 wrote to memory of 4184	2236	networker.exe	80
PID 2236 wrote to memory of 4184	2236	networker.exe	80
PID 2236 wrote to memory of 4184	2236	networker.exe	80
PID 2236 wrote to memory of 4184	2236	networker.exe	80
PID 2236 wrote to memory of 4184	2236	networker.exe	80
PID 2236 wrote to memory of 4184	2236	networker.exe	80
PID 2236 wrote to memory of 4184	2236	networker.exe	80
PID 2236 wrote to memory of 4184	2236	networker.exe	80

C:\Users\Admin\AppData\Local\Temp\b8214a4193ab2e9ad46cc908789a17bc2c78cd4fa215b5311e7908caabb3ea6e.exe
"C:\Users\Admin\AppData\Local\Temp\b8214a4193ab2e9ad46cc908789a17bc2c78cd4fa215b5311e7908caabb3ea6e.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1944
- C:\ProgramData\RedTools\networker.exe
  C:\ProgramData\RedTools\networker.exe "C:\Users\Admin\AppData\Local\Temp\b8214a4193ab2e9ad46cc908789a17bc2c78cd4fa215b5311e7908caabb3ea6e.exe" ensgJJ
  2⤵
  - Modifies WinLogon for persistence
  - Executes dropped EXE
  - Enumerates connected drives
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2236
- - C:\Windows\SysWOW64\secinit.exe
    C:\ProgramData\RedTools\networker.exe
    3⤵
    PID:4184
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4184 -s 220
      4⤵
      Program crash
      PID:1920
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1944 -s 440
  2⤵
  - Program crash
  PID:2292

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 1944 -ip 1944
1⤵
PID:4672

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 376 -p 4184 -ip 4184
1⤵
PID:1780

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

1

T1004

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\RedTools\networker.exe

Filesize
168KB

MD5
3f703f81f4a4c842cdc0703a72c2b962

SHA1
014c9705a2cb162435ed8f59990414c0d1c8bb68

SHA256
b8214a4193ab2e9ad46cc908789a17bc2c78cd4fa215b5311e7908caabb3ea6e

SHA512
ec266ae10cbbcc86581cb96d0fec1ecb0ef2cb76e13c116efde0adcdb11eb5943eb638f80d5ef39bfb0a070d9a8137bf03855820f758ea033109b9335db6a3ec

Download Submit
C:\ProgramData\RedTools\networker.exe

Filesize
168KB

MD5
3f703f81f4a4c842cdc0703a72c2b962

SHA1
014c9705a2cb162435ed8f59990414c0d1c8bb68

SHA256
b8214a4193ab2e9ad46cc908789a17bc2c78cd4fa215b5311e7908caabb3ea6e

SHA512
ec266ae10cbbcc86581cb96d0fec1ecb0ef2cb76e13c116efde0adcdb11eb5943eb638f80d5ef39bfb0a070d9a8137bf03855820f758ea033109b9335db6a3ec

Download Submit
memory/1944-133-0x0000000000512000-0x0000000000519000-memory.dmp

Filesize
28KB

Download
memory/1944-131-0x0000000000030000-0x000000000003A000-memory.dmp

Filesize
40KB

Download
memory/1944-132-0x0000000040000000-0x00000000429E0000-memory.dmp

Filesize
41.9MB

Download
memory/1944-130-0x0000000000512000-0x0000000000519000-memory.dmp

Filesize
28KB

Download
memory/1944-139-0x0000000040000000-0x00000000429E0000-memory.dmp

Filesize
41.9MB

Download
memory/2236-137-0x0000000000553000-0x000000000055A000-memory.dmp

Filesize
28KB

Download
memory/2236-138-0x0000000040000000-0x00000000429E0000-memory.dmp

Filesize
41.9MB

Download
memory/4184-141-0x0000000000C10000-0x00000000035F0000-memory.dmp

Filesize
41.9MB

Download
memory/4184-142-0x0000000000C10000-0x00000000035F0000-memory.dmp

Filesize
41.9MB

Download

Analysis

Sharing