buer | 5860aa99f2728d1fe095387575f210cea1ca41a4a1c1d12f276ea7784413c186

General

Target

5860aa99f2728d1fe095387575f210cea1ca41a4a1c1d12f276ea7784413c186.exe
Size

232KB
MD5

433d6c179b52282f730f84bdf722f0dc
SHA1

9a4aab9d9c9cef5f1ac2c1135e49957e4f85befd
SHA256

5860aa99f2728d1fe095387575f210cea1ca41a4a1c1d12f276ea7784413c186
SHA512

0194168071a278982fb152fd0c63aa30def25db18edf6784163ba41617fab7fec368f391a40337efdbf305905c8d58c3202edcfd4e290c90509ea6a5f7a6de10

Score

10^/10

buer loader persistence

Malware Config

Extracted

Family

buer

C2

http://45.12.32.252:8080/

Signatures

Buer
Buer is a new modular loader first seen in August 2019.
loader buer

Buer Loader 5 IoCs

Detects Buer loader in memory or disk.

loader

resource	yara_rule
behavioral2/memory/4056-132-0x0000000000470000-0x0000000000479000-memory.dmp	buer
behavioral2/memory/4056-138-0x0000000040000000-0x000000004318E000-memory.dmp	buer
behavioral2/memory/3080-139-0x0000000000650000-0x0000000000659000-memory.dmp	buer
behavioral2/memory/3080-140-0x0000000040000000-0x000000004318E000-memory.dmp	buer
behavioral2/memory/3080-143-0x0000000040000000-0x000000004318E000-memory.dmp	buer

Executes dropped EXE 1 IoCs

pid	Process
3080	manager.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce	manager.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\ActiveX Component = "C:\\Users\\Admin\\AppData\\Roaming\\ActiveX\\manager.exe"	manager.exe

Program crash 3 IoCs

pid	pid_target	Process	procid_target
1908	4056	WerFault.exe	78
1208	736	WerFault.exe	83
2492	736	WerFault.exe	83

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3080	manager.exe
3080	manager.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 4056 wrote to memory of 3080	4056	5860aa99f2728d1fe095387575f210cea1ca41a4a1c1d12f276ea7784413c186.exe	79
PID 4056 wrote to memory of 3080	4056	5860aa99f2728d1fe095387575f210cea1ca41a4a1c1d12f276ea7784413c186.exe	79
PID 4056 wrote to memory of 3080	4056	5860aa99f2728d1fe095387575f210cea1ca41a4a1c1d12f276ea7784413c186.exe	79
PID 3080 wrote to memory of 736	3080	manager.exe	83
PID 3080 wrote to memory of 736	3080	manager.exe	83
PID 3080 wrote to memory of 736	3080	manager.exe	83
PID 3080 wrote to memory of 736	3080	manager.exe	83
PID 3080 wrote to memory of 736	3080	manager.exe	83
PID 3080 wrote to memory of 736	3080	manager.exe	83
PID 3080 wrote to memory of 736	3080	manager.exe	83
PID 3080 wrote to memory of 736	3080	manager.exe	83
PID 3080 wrote to memory of 736	3080	manager.exe	83
PID 3080 wrote to memory of 736	3080	manager.exe	83
PID 3080 wrote to memory of 736	3080	manager.exe	83
PID 3080 wrote to memory of 736	3080	manager.exe	83
PID 3080 wrote to memory of 736	3080	manager.exe	83

C:\Users\Admin\AppData\Local\Temp\5860aa99f2728d1fe095387575f210cea1ca41a4a1c1d12f276ea7784413c186.exe
"C:\Users\Admin\AppData\Local\Temp\5860aa99f2728d1fe095387575f210cea1ca41a4a1c1d12f276ea7784413c186.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4056
- C:\Users\Admin\AppData\Roaming\ActiveX\manager.exe
  C:\Users\Admin\AppData\Roaming\ActiveX\manager.exe "C:\Users\Admin\AppData\Local\Temp\5860aa99f2728d1fe095387575f210cea1ca41a4a1c1d12f276ea7784413c186.exe" ensgJJ
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:3080
- - C:\Windows\SysWOW64\secinit.exe
    C:\Users\Admin\AppData\Roaming\ActiveX\manager.exe
    3⤵
    PID:736
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 736 -s 268
      4⤵
      Program crash
      PID:1208
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 736 -s 288
      4⤵
      Program crash
      PID:2492
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4056 -s 436
  2⤵
  - Program crash
  PID:1908

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 4056 -ip 4056
1⤵
PID:3344

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 736 -ip 736
1⤵
PID:1304

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 736 -ip 736
1⤵
PID:2436

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\ActiveX\manager.exe

Filesize
232KB

MD5
433d6c179b52282f730f84bdf722f0dc

SHA1
9a4aab9d9c9cef5f1ac2c1135e49957e4f85befd

SHA256
5860aa99f2728d1fe095387575f210cea1ca41a4a1c1d12f276ea7784413c186

SHA512
0194168071a278982fb152fd0c63aa30def25db18edf6784163ba41617fab7fec368f391a40337efdbf305905c8d58c3202edcfd4e290c90509ea6a5f7a6de10

Download Submit
C:\Users\Admin\AppData\Roaming\ActiveX\manager.exe

Filesize
232KB

MD5
433d6c179b52282f730f84bdf722f0dc

SHA1
9a4aab9d9c9cef5f1ac2c1135e49957e4f85befd

SHA256
5860aa99f2728d1fe095387575f210cea1ca41a4a1c1d12f276ea7784413c186

SHA512
0194168071a278982fb152fd0c63aa30def25db18edf6784163ba41617fab7fec368f391a40337efdbf305905c8d58c3202edcfd4e290c90509ea6a5f7a6de10

Download Submit
memory/736-141-0x0000000000760000-0x00000000038EE000-memory.dmp

Filesize
49.6MB

Download
memory/3080-136-0x0000000000725000-0x000000000072C000-memory.dmp

Filesize
28KB

Download
memory/3080-139-0x0000000000650000-0x0000000000659000-memory.dmp

Filesize
36KB

Download
memory/3080-140-0x0000000040000000-0x000000004318E000-memory.dmp

Filesize
49.6MB

Download
memory/3080-142-0x0000000000725000-0x000000000072C000-memory.dmp

Filesize
28KB

Download
memory/3080-143-0x0000000040000000-0x000000004318E000-memory.dmp

Filesize
49.6MB

Download
memory/4056-130-0x0000000000595000-0x000000000059C000-memory.dmp

Filesize
28KB

Download
memory/4056-132-0x0000000000470000-0x0000000000479000-memory.dmp

Filesize
36KB

Download
memory/4056-138-0x0000000040000000-0x000000004318E000-memory.dmp

Filesize
49.6MB

Download
memory/4056-131-0x0000000000595000-0x000000000059C000-memory.dmp

Filesize
28KB

Download

Analysis

Sharing