buer | 7cf42b86ce5e7da39da70e7a4ec975cb6c3688201cf4160033c3ead411114b3b

General

Target

7cf42b86ce5e7da39da70e7a4ec975cb6c3688201cf4160033c3ead411114b3b.exe
Size

297KB
MD5

93635db616729ba0c3b625e46e91df4c
SHA1

452e4f91c12052852bb20649734a917f4360a810
SHA256

7cf42b86ce5e7da39da70e7a4ec975cb6c3688201cf4160033c3ead411114b3b
SHA512

c3bd159c1a4cce8e6ff3190453cebea30e24579738403ed17c1f3984df7c6502f66f14901df7ac5767f8aa61b42a2f7d60fbc22eeb4912e55ceb6c727ad7f309

Score

10^/10

buer loader persistence

Malware Config

Extracted

Family

buer

C2

http://koralak.hk/

Signatures

Buer
Buer is a new modular loader first seen in August 2019.
loader buer

Buer Loader 6 IoCs

Detects Buer loader in memory or disk.

loader

resource	yara_rule
behavioral2/memory/4068-131-0x0000000000030000-0x0000000000039000-memory.dmp	buer
behavioral2/memory/4068-132-0x0000000040000000-0x0000000040533000-memory.dmp	buer
behavioral2/memory/4068-133-0x0000000040000000-0x0000000040533000-memory.dmp	buer
behavioral2/memory/2100-138-0x0000000040000000-0x0000000040533000-memory.dmp	buer
behavioral2/memory/4068-140-0x0000000040000000-0x0000000040533000-memory.dmp	buer
behavioral2/memory/2100-141-0x0000000040000000-0x0000000040533000-memory.dmp	buer

Executes dropped EXE 1 IoCs

pid	Process
2100	debugger.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce	7cf42b86ce5e7da39da70e7a4ec975cb6c3688201cf4160033c3ead411114b3b.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\RailSoftComany = "C:\\Users\\Admin\\AppData\\Roaming\\RailSoft\\debugger.exe耀"	7cf42b86ce5e7da39da70e7a4ec975cb6c3688201cf4160033c3ead411114b3b.exe

Program crash 3 IoCs

pid	pid_target	Process	procid_target
4804	4068	WerFault.exe	81
440	2380	WerFault.exe	96
3736	2380	WerFault.exe	96

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2100	debugger.exe
2100	debugger.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 4068 wrote to memory of 2100	4068	7cf42b86ce5e7da39da70e7a4ec975cb6c3688201cf4160033c3ead411114b3b.exe	91
PID 4068 wrote to memory of 2100	4068	7cf42b86ce5e7da39da70e7a4ec975cb6c3688201cf4160033c3ead411114b3b.exe	91
PID 4068 wrote to memory of 2100	4068	7cf42b86ce5e7da39da70e7a4ec975cb6c3688201cf4160033c3ead411114b3b.exe	91
PID 2100 wrote to memory of 2380	2100	debugger.exe	96
PID 2100 wrote to memory of 2380	2100	debugger.exe	96
PID 2100 wrote to memory of 2380	2100	debugger.exe	96
PID 2100 wrote to memory of 2380	2100	debugger.exe	96
PID 2100 wrote to memory of 2380	2100	debugger.exe	96
PID 2100 wrote to memory of 2380	2100	debugger.exe	96
PID 2100 wrote to memory of 2380	2100	debugger.exe	96
PID 2100 wrote to memory of 2380	2100	debugger.exe	96
PID 2100 wrote to memory of 2380	2100	debugger.exe	96
PID 2100 wrote to memory of 2380	2100	debugger.exe	96
PID 2100 wrote to memory of 2380	2100	debugger.exe	96
PID 2100 wrote to memory of 2380	2100	debugger.exe	96

C:\Users\Admin\AppData\Local\Temp\7cf42b86ce5e7da39da70e7a4ec975cb6c3688201cf4160033c3ead411114b3b.exe
"C:\Users\Admin\AppData\Local\Temp\7cf42b86ce5e7da39da70e7a4ec975cb6c3688201cf4160033c3ead411114b3b.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4068
- C:\Users\Admin\AppData\Roaming\RailSoft\debugger.exe
  C:\Users\Admin\AppData\Roaming\RailSoft\debugger.exe "C:\Users\Admin\AppData\Local\Temp\7cf42b86ce5e7da39da70e7a4ec975cb6c3688201cf4160033c3ead411114b3b.exe" ensgJJ
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2100
- - C:\Windows\SysWOW64\secinit.exe
    C:\Users\Admin\AppData\Roaming\RailSoft\debugger.exe
    3⤵
    PID:2380
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2380 -s 216
      4⤵
      Program crash
      PID:440
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2380 -s 224
      4⤵
      Program crash
      PID:3736
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4068 -s 444
  2⤵
  - Program crash
  PID:4804

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 4068 -ip 4068
1⤵
PID:3272

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 176 -p 2380 -ip 2380
1⤵
PID:4544

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 2380 -ip 2380
1⤵
PID:2260

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\RailSoft\debugger.exe

Filesize
297KB

MD5
93635db616729ba0c3b625e46e91df4c

SHA1
452e4f91c12052852bb20649734a917f4360a810

SHA256
7cf42b86ce5e7da39da70e7a4ec975cb6c3688201cf4160033c3ead411114b3b

SHA512
c3bd159c1a4cce8e6ff3190453cebea30e24579738403ed17c1f3984df7c6502f66f14901df7ac5767f8aa61b42a2f7d60fbc22eeb4912e55ceb6c727ad7f309

Download Submit
C:\Users\Admin\AppData\Roaming\RailSoft\debugger.exe

Filesize
297KB

MD5
93635db616729ba0c3b625e46e91df4c

SHA1
452e4f91c12052852bb20649734a917f4360a810

SHA256
7cf42b86ce5e7da39da70e7a4ec975cb6c3688201cf4160033c3ead411114b3b

SHA512
c3bd159c1a4cce8e6ff3190453cebea30e24579738403ed17c1f3984df7c6502f66f14901df7ac5767f8aa61b42a2f7d60fbc22eeb4912e55ceb6c727ad7f309

Download Submit
memory/2100-138-0x0000000040000000-0x0000000040533000-memory.dmp

Filesize
5.2MB

Download
memory/2100-141-0x0000000040000000-0x0000000040533000-memory.dmp

Filesize
5.2MB

Download
memory/2100-137-0x00000000006B3000-0x00000000006BA000-memory.dmp

Filesize
28KB

Download
memory/2380-143-0x0000000000A90000-0x0000000000FC3000-memory.dmp

Filesize
5.2MB

Download
memory/4068-133-0x0000000040000000-0x0000000040533000-memory.dmp

Filesize
5.2MB

Download
memory/4068-139-0x00000000006A3000-0x00000000006AA000-memory.dmp

Filesize
28KB

Download
memory/4068-140-0x0000000040000000-0x0000000040533000-memory.dmp

Filesize
5.2MB

Download
memory/4068-130-0x00000000006A3000-0x00000000006AA000-memory.dmp

Filesize
28KB

Download
memory/4068-132-0x0000000040000000-0x0000000040533000-memory.dmp

Filesize
5.2MB

Download
memory/4068-131-0x0000000000030000-0x0000000000039000-memory.dmp

Filesize
36KB

Download

Analysis

Sharing