buer | 1e37cf52cafb1f3e6eea67caa620379f37e5bd271fa21786ee33ad000164da83

Analysis

max time kernel
141s
max time network
146s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
01-02-2023 05:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a661541c4cbeb1db859f6cec6c53979b5633c75e.exe
Size

90KB
MD5

b3290148681f8218ecb80ca430f9fdba
SHA1

a661541c4cbeb1db859f6cec6c53979b5633c75e
SHA256

1e37cf52cafb1f3e6eea67caa620379f37e5bd271fa21786ee33ad000164da83
SHA512

327abbb1b2a12cd6f1298d40c7ba115dfeeffd17e309aad50e20c4ba2af95263aec208a1a32e9c3fa6d1a8f184df539cc89d9dce12f04837789b22b40472302d
SSDEEP

1536:DHYMiClDhdyA5x5Z0Dvyecobn6RN4vr3d6TJsGmGYWAPgnMNQ:DYjClDhQlDvrcob6H4DXnOmQ

Score

10^/10

buer loader persistence

Malware Config

Extracted

Family

buer

https://kkjjhhdff.site/

https://oderstrg.site/

Signatures

Buer
Buer is a new modular loader first seen in August 2019.
loader buer

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\ProgramData\\UBlockPlugin\\plugin.exe\""	plugin.exe

Buer Loader 2 IoCs

Detects Buer loader in memory or disk.

loader

resource	yara_rule
behavioral1/memory/1700-59-0x0000000040000000-0x000000004000B000-memory.dmp	buer
behavioral1/memory/1656-81-0x0000000040000000-0x000000004000B000-memory.dmp	buer

Executes dropped EXE 2 IoCs

pid	Process
660	plugin.exe
1656	plugin.exe

Deletes itself 1 IoCs

pid	Process
1656	plugin.exe

Loads dropped DLL 3 IoCs

pid	Process
1540	a661541c4cbeb1db859f6cec6c53979b5633c75e.exe
1700	a661541c4cbeb1db859f6cec6c53979b5633c75e.exe
660	plugin.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 1540 set thread context of 1700	1540	a661541c4cbeb1db859f6cec6c53979b5633c75e.exe	28
PID 660 set thread context of 1656	660	plugin.exe	30

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1696	1916	WerFault.exe	31

NSIS installer 8 IoCs

installer

resource	yara_rule
behavioral1/files/0x000800000001231b-58.dat	nsis_installer_1
behavioral1/files/0x000800000001231b-58.dat	nsis_installer_2
behavioral1/files/0x000800000001231b-61.dat	nsis_installer_1
behavioral1/files/0x000800000001231b-61.dat	nsis_installer_2
behavioral1/files/0x000800000001231b-63.dat	nsis_installer_1
behavioral1/files/0x000800000001231b-63.dat	nsis_installer_2
behavioral1/files/0x000800000001231b-67.dat	nsis_installer_1
behavioral1/files/0x000800000001231b-67.dat	nsis_installer_2

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1656	plugin.exe

Suspicious behavior: MapViewOfSection 2 IoCs

pid	Process
1540	a661541c4cbeb1db859f6cec6c53979b5633c75e.exe
660	plugin.exe

Suspicious use of WriteProcessMemory 29 IoCs

description	pid	Process	procid_target
PID 1540 wrote to memory of 1700	1540	a661541c4cbeb1db859f6cec6c53979b5633c75e.exe	28
PID 1540 wrote to memory of 1700	1540	a661541c4cbeb1db859f6cec6c53979b5633c75e.exe	28
PID 1540 wrote to memory of 1700	1540	a661541c4cbeb1db859f6cec6c53979b5633c75e.exe	28
PID 1540 wrote to memory of 1700	1540	a661541c4cbeb1db859f6cec6c53979b5633c75e.exe	28
PID 1540 wrote to memory of 1700	1540	a661541c4cbeb1db859f6cec6c53979b5633c75e.exe	28
PID 1700 wrote to memory of 660	1700	a661541c4cbeb1db859f6cec6c53979b5633c75e.exe	29
PID 1700 wrote to memory of 660	1700	a661541c4cbeb1db859f6cec6c53979b5633c75e.exe	29
PID 1700 wrote to memory of 660	1700	a661541c4cbeb1db859f6cec6c53979b5633c75e.exe	29
PID 1700 wrote to memory of 660	1700	a661541c4cbeb1db859f6cec6c53979b5633c75e.exe	29
PID 660 wrote to memory of 1656	660	plugin.exe	30
PID 660 wrote to memory of 1656	660	plugin.exe	30
PID 660 wrote to memory of 1656	660	plugin.exe	30
PID 660 wrote to memory of 1656	660	plugin.exe	30
PID 660 wrote to memory of 1656	660	plugin.exe	30
PID 1656 wrote to memory of 1916	1656	plugin.exe	31
PID 1656 wrote to memory of 1916	1656	plugin.exe	31
PID 1656 wrote to memory of 1916	1656	plugin.exe	31
PID 1656 wrote to memory of 1916	1656	plugin.exe	31
PID 1656 wrote to memory of 1916	1656	plugin.exe	31
PID 1656 wrote to memory of 1916	1656	plugin.exe	31
PID 1656 wrote to memory of 1916	1656	plugin.exe	31
PID 1656 wrote to memory of 1916	1656	plugin.exe	31
PID 1656 wrote to memory of 1916	1656	plugin.exe	31
PID 1656 wrote to memory of 1916	1656	plugin.exe	31
PID 1656 wrote to memory of 1916	1656	plugin.exe	31
PID 1916 wrote to memory of 1696	1916	secinit.exe	32
PID 1916 wrote to memory of 1696	1916	secinit.exe	32
PID 1916 wrote to memory of 1696	1916	secinit.exe	32
PID 1916 wrote to memory of 1696	1916	secinit.exe	32

C:\Users\Admin\AppData\Local\Temp\a661541c4cbeb1db859f6cec6c53979b5633c75e.exe
"C:\Users\Admin\AppData\Local\Temp\a661541c4cbeb1db859f6cec6c53979b5633c75e.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1540
- C:\Users\Admin\AppData\Local\Temp\a661541c4cbeb1db859f6cec6c53979b5633c75e.exe
  "C:\Users\Admin\AppData\Local\Temp\a661541c4cbeb1db859f6cec6c53979b5633c75e.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1700
- - C:\ProgramData\UBlockPlugin\plugin.exe
    C:\ProgramData\UBlockPlugin\plugin.exe "C:\Users\Admin\AppData\Local\Temp\a661541c4cbeb1db859f6cec6c53979b5633c75e.exe" ensgJJ
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory
    PID:660
  - - C:\ProgramData\UBlockPlugin\plugin.exe
      C:\ProgramData\UBlockPlugin\plugin.exe "C:\Users\Admin\AppData\Local\Temp\a661541c4cbeb1db859f6cec6c53979b5633c75e.exe" ensgJJ
      4⤵
      Modifies WinLogon for persistence
      Executes dropped EXE
      Deletes itself
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:1656
    - - C:\Windows\SysWOW64\secinit.exe
        
        C:\ProgramData\UBlockPlugin\plugin.exe
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1916
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1916 -s 168
        6⤵
        Program crash
        
        PID:1696

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

T1004

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\UBlockPlugin\plugin.exe

Filesize
90KB

MD5
b3290148681f8218ecb80ca430f9fdba

SHA1
a661541c4cbeb1db859f6cec6c53979b5633c75e

SHA256
1e37cf52cafb1f3e6eea67caa620379f37e5bd271fa21786ee33ad000164da83

SHA512
327abbb1b2a12cd6f1298d40c7ba115dfeeffd17e309aad50e20c4ba2af95263aec208a1a32e9c3fa6d1a8f184df539cc89d9dce12f04837789b22b40472302d

Download Submit
C:\ProgramData\UBlockPlugin\plugin.exe

Filesize
90KB

MD5
b3290148681f8218ecb80ca430f9fdba

SHA1
a661541c4cbeb1db859f6cec6c53979b5633c75e

SHA256
1e37cf52cafb1f3e6eea67caa620379f37e5bd271fa21786ee33ad000164da83

SHA512
327abbb1b2a12cd6f1298d40c7ba115dfeeffd17e309aad50e20c4ba2af95263aec208a1a32e9c3fa6d1a8f184df539cc89d9dce12f04837789b22b40472302d

Download Submit
C:\ProgramData\UBlockPlugin\plugin.exe

Filesize
90KB

MD5
b3290148681f8218ecb80ca430f9fdba

SHA1
a661541c4cbeb1db859f6cec6c53979b5633c75e

SHA256
1e37cf52cafb1f3e6eea67caa620379f37e5bd271fa21786ee33ad000164da83

SHA512
327abbb1b2a12cd6f1298d40c7ba115dfeeffd17e309aad50e20c4ba2af95263aec208a1a32e9c3fa6d1a8f184df539cc89d9dce12f04837789b22b40472302d

Download Submit
C:\Users\Admin\AppData\Local\Temp\398656834

Filesize
48KB

MD5
467794fbc079ca77852b9a902b50f675

SHA1
8b4ec6f3525b2028c34b88fe25768c525996cba4

SHA256
f1c29890dc184bdbf49a3955eb97635dcdc97addcc9f5010b9f1edf0f54fa757

SHA512
f098c5d552368b62b5354fc4d2948397fe3f67b755a81a8a2281c6ab55b8889dd097c15fc5d7082186724ad6a1521f43648f6069e28809454ffa58be95f20a66

Download Submit
\ProgramData\UBlockPlugin\plugin.exe

Filesize
90KB

MD5
b3290148681f8218ecb80ca430f9fdba

SHA1
a661541c4cbeb1db859f6cec6c53979b5633c75e

SHA256
1e37cf52cafb1f3e6eea67caa620379f37e5bd271fa21786ee33ad000164da83

SHA512
327abbb1b2a12cd6f1298d40c7ba115dfeeffd17e309aad50e20c4ba2af95263aec208a1a32e9c3fa6d1a8f184df539cc89d9dce12f04837789b22b40472302d

Download Submit
\Users\Admin\AppData\Local\Temp\nsy119F.tmp\System.dll

Filesize
11KB

MD5
b0c77267f13b2f87c084fd86ef51ccfc

SHA1
f7543f9e9b4f04386dfbf33c38cbed1bf205afb3

SHA256
a0cac4cf4852895619bc7743ebeb89f9e4927ccdb9e66b1bcd92a4136d0f9c77

SHA512
f2b57a2eea00f52a3c7080f4b5f2bb85a7a9b9f16d12da8f8ff673824556c62a0f742b72be0fd82a2612a4b6dbd7e0fdc27065212da703c2f7e28d199696f66e

Download Submit
\Users\Admin\AppData\Local\Temp\nsy43E5.tmp\System.dll

Filesize
11KB

MD5
b0c77267f13b2f87c084fd86ef51ccfc

SHA1
f7543f9e9b4f04386dfbf33c38cbed1bf205afb3

SHA256
a0cac4cf4852895619bc7743ebeb89f9e4927ccdb9e66b1bcd92a4136d0f9c77

SHA512
f2b57a2eea00f52a3c7080f4b5f2bb85a7a9b9f16d12da8f8ff673824556c62a0f742b72be0fd82a2612a4b6dbd7e0fdc27065212da703c2f7e28d199696f66e

Download Submit
memory/1540-54-0x0000000075931000-0x0000000075933000-memory.dmp

Filesize
8KB

Download
memory/1656-81-0x0000000040000000-0x000000004000B000-memory.dmp

Filesize
44KB

Download
memory/1700-59-0x0000000040000000-0x000000004000B000-memory.dmp

Filesize
44KB

Download
memory/1916-72-0x00000000000D0000-0x0000000000109000-memory.dmp

Filesize
228KB

Download
memory/1916-69-0x00000000000D0000-0x0000000000109000-memory.dmp

Filesize
228KB

Download
memory/1916-76-0x0000000000080000-0x0000000000081000-memory.dmp

Filesize
4KB

Download
memory/1916-75-0x00000000000D0000-0x0000000000109000-memory.dmp

Filesize
228KB

Download
memory/1916-74-0x00000000000D0000-0x0000000000109000-memory.dmp

Filesize
228KB

Download
memory/1916-70-0x00000000000D0000-0x0000000000109000-memory.dmp

Filesize
228KB

Download