buer | 47f6ca6bad3812abde610a5d9ee7d830a20cff27d16198626027446eaee513a7

General

Target

47f6ca6bad3812abde610a5d9ee7d830a20cff27d16198626027446eaee513a7.exe
Size

160KB
MD5

d8e4d911bd32bc0cec654270a195a86c
SHA1

9f262bd7f6ca033eb3f03c6ce1e82d98005f28ad
SHA256

47f6ca6bad3812abde610a5d9ee7d830a20cff27d16198626027446eaee513a7
SHA512

f61bb004ac75ad3727822782547b0d183c9dc2b68215da867d9ce96257e29beadabc621a3c51f8be7e9538a3347b2723dcfcf9163826d18122525c098be3e61b

Score

10^/10

buer loader persistence suricata

Malware Config

Extracted

Family

buer

C2

frrn8--ddjm_b./,rmn-

frrn8--ddjm_b.0,rmn-

Signatures

Buer
Buer is a new modular loader first seen in August 2019.
loader buer
suricata: ET MALWARE Buer Loader Update Request
suricata: ET MALWARE Buer Loader Update Request
suricata

Buer Loader 4 IoCs

Detects Buer loader in memory or disk.

loader

resource	yara_rule
behavioral2/files/0x0008000000023146-131.dat	buer
behavioral2/files/0x0008000000023146-132.dat	buer
behavioral2/memory/4544-133-0x0000000000000000-mapping.dmp	buer
behavioral2/memory/4544-134-0x00000000003D0000-0x00000000003FB000-memory.dmp	buer

Executes dropped EXE 1 IoCs

pid	Process
4216	manager.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce	manager.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\ActiveX Component = "C:\\Users\\Admin\\AppData\\Roaming\\ActiveX\\manager.exe"	manager.exe
Key created	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce	secinit.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\ActiveX Component = "C:\\Users\\Admin\\AppData\\Roaming\\ActiveX\\manager.exe"	secinit.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4544	secinit.exe
4544	secinit.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 2632 wrote to memory of 4216	2632	47f6ca6bad3812abde610a5d9ee7d830a20cff27d16198626027446eaee513a7.exe	79
PID 2632 wrote to memory of 4216	2632	47f6ca6bad3812abde610a5d9ee7d830a20cff27d16198626027446eaee513a7.exe	79
PID 2632 wrote to memory of 4216	2632	47f6ca6bad3812abde610a5d9ee7d830a20cff27d16198626027446eaee513a7.exe	79
PID 4216 wrote to memory of 4544	4216	manager.exe	80
PID 4216 wrote to memory of 4544	4216	manager.exe	80
PID 4216 wrote to memory of 4544	4216	manager.exe	80
PID 4216 wrote to memory of 4544	4216	manager.exe	80
PID 4216 wrote to memory of 4544	4216	manager.exe	80
PID 4216 wrote to memory of 4544	4216	manager.exe	80
PID 4216 wrote to memory of 4544	4216	manager.exe	80
PID 4216 wrote to memory of 4544	4216	manager.exe	80
PID 4216 wrote to memory of 4544	4216	manager.exe	80
PID 4216 wrote to memory of 4544	4216	manager.exe	80
PID 4216 wrote to memory of 4544	4216	manager.exe	80

C:\Users\Admin\AppData\Local\Temp\47f6ca6bad3812abde610a5d9ee7d830a20cff27d16198626027446eaee513a7.exe
"C:\Users\Admin\AppData\Local\Temp\47f6ca6bad3812abde610a5d9ee7d830a20cff27d16198626027446eaee513a7.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2632
- C:\Users\Admin\AppData\Roaming\ActiveX\manager.exe
  C:\Users\Admin\AppData\Roaming\ActiveX\manager.exe "C:\Users\Admin\AppData\Local\Temp\47f6ca6bad3812abde610a5d9ee7d830a20cff27d16198626027446eaee513a7.exe" ensgJJ
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:4216
- - C:\Windows\SysWOW64\secinit.exe
    C:\Users\Admin\AppData\Roaming\ActiveX\manager.exe
    3⤵
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    PID:4544

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\ActiveX\manager.exe

Filesize
160KB

MD5
d8e4d911bd32bc0cec654270a195a86c

SHA1
9f262bd7f6ca033eb3f03c6ce1e82d98005f28ad

SHA256
47f6ca6bad3812abde610a5d9ee7d830a20cff27d16198626027446eaee513a7

SHA512
f61bb004ac75ad3727822782547b0d183c9dc2b68215da867d9ce96257e29beadabc621a3c51f8be7e9538a3347b2723dcfcf9163826d18122525c098be3e61b

Download Submit
C:\Users\Admin\AppData\Roaming\ActiveX\manager.exe

Filesize
160KB

MD5
d8e4d911bd32bc0cec654270a195a86c

SHA1
9f262bd7f6ca033eb3f03c6ce1e82d98005f28ad

SHA256
47f6ca6bad3812abde610a5d9ee7d830a20cff27d16198626027446eaee513a7

SHA512
f61bb004ac75ad3727822782547b0d183c9dc2b68215da867d9ce96257e29beadabc621a3c51f8be7e9538a3347b2723dcfcf9163826d18122525c098be3e61b

Download Submit
memory/4544-134-0x00000000003D0000-0x00000000003FB000-memory.dmp

Filesize
172KB

Download

Analysis

Sharing