buer | 5860aa99f2728d1fe095387575f210cea1ca41a4a1c1d12f276ea7784413c186

General

Target

5860aa99f2728d1fe095387575f210cea1ca41a4a1c1d12f276ea7784413c186.exe
Size

232KB
MD5

433d6c179b52282f730f84bdf722f0dc
SHA1

9a4aab9d9c9cef5f1ac2c1135e49957e4f85befd
SHA256

5860aa99f2728d1fe095387575f210cea1ca41a4a1c1d12f276ea7784413c186
SHA512

0194168071a278982fb152fd0c63aa30def25db18edf6784163ba41617fab7fec368f391a40337efdbf305905c8d58c3202edcfd4e290c90509ea6a5f7a6de10

Score

10^/10

buer loader persistence

Malware Config

Extracted

Family

buer

C2

http://45.12.32.252:8080/

Signatures

Buer
Buer is a new modular loader first seen in August 2019.
loader buer

Buer Loader 4 IoCs

Detects Buer loader in memory or disk.

loader

resource	yara_rule
behavioral1/memory/292-61-0x0000000000230000-0x0000000000239000-memory.dmp	buer
behavioral1/memory/292-62-0x0000000040000000-0x000000004318E000-memory.dmp	buer
behavioral1/memory/1892-72-0x0000000040000000-0x000000004318E000-memory.dmp	buer
behavioral1/memory/1892-84-0x0000000040000000-0x000000004318E000-memory.dmp	buer

Executes dropped EXE 1 IoCs

pid	Process
1892	manager.exe

Deletes itself 1 IoCs

pid	Process
1892	manager.exe

Loads dropped DLL 2 IoCs

pid	Process
292	5860aa99f2728d1fe095387575f210cea1ca41a4a1c1d12f276ea7784413c186.exe
292	5860aa99f2728d1fe095387575f210cea1ca41a4a1c1d12f276ea7784413c186.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce	manager.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\ActiveX Component = "C:\\Users\\Admin\\AppData\\Roaming\\ActiveX\\manager.exe"	manager.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1892	manager.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 292 wrote to memory of 1892	292	5860aa99f2728d1fe095387575f210cea1ca41a4a1c1d12f276ea7784413c186.exe	28
PID 292 wrote to memory of 1892	292	5860aa99f2728d1fe095387575f210cea1ca41a4a1c1d12f276ea7784413c186.exe	28
PID 292 wrote to memory of 1892	292	5860aa99f2728d1fe095387575f210cea1ca41a4a1c1d12f276ea7784413c186.exe	28
PID 292 wrote to memory of 1892	292	5860aa99f2728d1fe095387575f210cea1ca41a4a1c1d12f276ea7784413c186.exe	28
PID 1892 wrote to memory of 1396	1892	manager.exe	29
PID 1892 wrote to memory of 1396	1892	manager.exe	29
PID 1892 wrote to memory of 1396	1892	manager.exe	29
PID 1892 wrote to memory of 1396	1892	manager.exe	29
PID 1892 wrote to memory of 1396	1892	manager.exe	29
PID 1892 wrote to memory of 1396	1892	manager.exe	29
PID 1892 wrote to memory of 1396	1892	manager.exe	29
PID 1892 wrote to memory of 1396	1892	manager.exe	29
PID 1892 wrote to memory of 1396	1892	manager.exe	29
PID 1892 wrote to memory of 1396	1892	manager.exe	29
PID 1892 wrote to memory of 1396	1892	manager.exe	29
PID 1892 wrote to memory of 1396	1892	manager.exe	29
PID 1892 wrote to memory of 1396	1892	manager.exe	29
PID 1892 wrote to memory of 1396	1892	manager.exe	29

C:\Users\Admin\AppData\Local\Temp\5860aa99f2728d1fe095387575f210cea1ca41a4a1c1d12f276ea7784413c186.exe
"C:\Users\Admin\AppData\Local\Temp\5860aa99f2728d1fe095387575f210cea1ca41a4a1c1d12f276ea7784413c186.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:292
- C:\Users\Admin\AppData\Roaming\ActiveX\manager.exe
  C:\Users\Admin\AppData\Roaming\ActiveX\manager.exe "C:\Users\Admin\AppData\Local\Temp\5860aa99f2728d1fe095387575f210cea1ca41a4a1c1d12f276ea7784413c186.exe" ensgJJ
  2⤵
  - Executes dropped EXE
  - Deletes itself
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:1892
- - C:\Windows\SysWOW64\secinit.exe
    C:\Users\Admin\AppData\Roaming\ActiveX\manager.exe
    3⤵
    PID:1396

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\ActiveX\manager.exe

Filesize
232KB

MD5
433d6c179b52282f730f84bdf722f0dc

SHA1
9a4aab9d9c9cef5f1ac2c1135e49957e4f85befd

SHA256
5860aa99f2728d1fe095387575f210cea1ca41a4a1c1d12f276ea7784413c186

SHA512
0194168071a278982fb152fd0c63aa30def25db18edf6784163ba41617fab7fec368f391a40337efdbf305905c8d58c3202edcfd4e290c90509ea6a5f7a6de10

Download Submit
C:\Users\Admin\AppData\Roaming\ActiveX\manager.exe

Filesize
232KB

MD5
433d6c179b52282f730f84bdf722f0dc

SHA1
9a4aab9d9c9cef5f1ac2c1135e49957e4f85befd

SHA256
5860aa99f2728d1fe095387575f210cea1ca41a4a1c1d12f276ea7784413c186

SHA512
0194168071a278982fb152fd0c63aa30def25db18edf6784163ba41617fab7fec368f391a40337efdbf305905c8d58c3202edcfd4e290c90509ea6a5f7a6de10

Download Submit
\Users\Admin\AppData\Roaming\ActiveX\manager.exe

Filesize
232KB

MD5
433d6c179b52282f730f84bdf722f0dc

SHA1
9a4aab9d9c9cef5f1ac2c1135e49957e4f85befd

SHA256
5860aa99f2728d1fe095387575f210cea1ca41a4a1c1d12f276ea7784413c186

SHA512
0194168071a278982fb152fd0c63aa30def25db18edf6784163ba41617fab7fec368f391a40337efdbf305905c8d58c3202edcfd4e290c90509ea6a5f7a6de10

Download Submit
\Users\Admin\AppData\Roaming\ActiveX\manager.exe

Filesize
232KB

MD5
433d6c179b52282f730f84bdf722f0dc

SHA1
9a4aab9d9c9cef5f1ac2c1135e49957e4f85befd

SHA256
5860aa99f2728d1fe095387575f210cea1ca41a4a1c1d12f276ea7784413c186

SHA512
0194168071a278982fb152fd0c63aa30def25db18edf6784163ba41617fab7fec368f391a40337efdbf305905c8d58c3202edcfd4e290c90509ea6a5f7a6de10

Download Submit
memory/292-55-0x0000000075BF1000-0x0000000075BF3000-memory.dmp

Filesize
8KB

Download
memory/292-54-0x00000000005CA000-0x00000000005D1000-memory.dmp

Filesize
28KB

Download
memory/292-60-0x00000000005CA000-0x00000000005D1000-memory.dmp

Filesize
28KB

Download
memory/292-61-0x0000000000230000-0x0000000000239000-memory.dmp

Filesize
36KB

Download
memory/292-62-0x0000000040000000-0x000000004318E000-memory.dmp

Filesize
49.6MB

Download
memory/1396-67-0x00000000002A0000-0x000000000342E000-memory.dmp

Filesize
49.6MB

Download
memory/1396-79-0x00000000002A0000-0x000000000342E000-memory.dmp

Filesize
49.6MB

Download
memory/1396-66-0x00000000002A0000-0x000000000342E000-memory.dmp

Filesize
49.6MB

Download
memory/1396-83-0x00000000002A0000-0x000000000342E000-memory.dmp

Filesize
49.6MB

Download
memory/1396-69-0x00000000002A0000-0x000000000342E000-memory.dmp

Filesize
49.6MB

Download
memory/1396-80-0x0000000000080000-0x0000000000081000-memory.dmp

Filesize
4KB

Download
memory/1396-73-0x00000000002A0000-0x000000000342E000-memory.dmp

Filesize
49.6MB

Download
memory/1396-75-0x00000000002A0000-0x000000000342E000-memory.dmp

Filesize
49.6MB

Download
memory/1396-77-0x00000000002A0000-0x000000000342E000-memory.dmp

Filesize
49.6MB

Download
memory/1892-63-0x00000000002CA000-0x00000000002D1000-memory.dmp

Filesize
28KB

Download
memory/1892-72-0x0000000040000000-0x000000004318E000-memory.dmp

Filesize
49.6MB

Download
memory/1892-70-0x00000000002CA000-0x00000000002D1000-memory.dmp

Filesize
28KB

Download
memory/1892-84-0x0000000040000000-0x000000004318E000-memory.dmp

Filesize
49.6MB

Download

Analysis

Sharing