buer | 1e37cf52cafb1f3e6eea67caa620379f37e5bd271fa21786ee33ad000164da83

Analysis

max time kernel
143s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
01-02-2023 05:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a661541c4cbeb1db859f6cec6c53979b5633c75e.exe
Size

90KB
MD5

b3290148681f8218ecb80ca430f9fdba
SHA1

a661541c4cbeb1db859f6cec6c53979b5633c75e
SHA256

1e37cf52cafb1f3e6eea67caa620379f37e5bd271fa21786ee33ad000164da83
SHA512

327abbb1b2a12cd6f1298d40c7ba115dfeeffd17e309aad50e20c4ba2af95263aec208a1a32e9c3fa6d1a8f184df539cc89d9dce12f04837789b22b40472302d
SSDEEP

1536:DHYMiClDhdyA5x5Z0Dvyecobn6RN4vr3d6TJsGmGYWAPgnMNQ:DYjClDhQlDvrcob6H4DXnOmQ

Score

10^/10

buer loader

Malware Config

Extracted

Family

buer

https://kkjjhhdff.site/

https://oderstrg.site/

Signatures

Buer
Buer is a new modular loader first seen in August 2019.
loader buer

Buer Loader 1 IoCs

Detects Buer loader in memory or disk.

loader

resource	yara_rule
behavioral2/memory/4864-134-0x0000000040000000-0x000000004000B000-memory.dmp	buer

Loads dropped DLL 1 IoCs

pid	Process
632	a661541c4cbeb1db859f6cec6c53979b5633c75e.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 632 set thread context of 4864	632	a661541c4cbeb1db859f6cec6c53979b5633c75e.exe	80

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
632	a661541c4cbeb1db859f6cec6c53979b5633c75e.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 632 wrote to memory of 4864	632	a661541c4cbeb1db859f6cec6c53979b5633c75e.exe	80
PID 632 wrote to memory of 4864	632	a661541c4cbeb1db859f6cec6c53979b5633c75e.exe	80
PID 632 wrote to memory of 4864	632	a661541c4cbeb1db859f6cec6c53979b5633c75e.exe	80
PID 632 wrote to memory of 4864	632	a661541c4cbeb1db859f6cec6c53979b5633c75e.exe	80

C:\Users\Admin\AppData\Local\Temp\a661541c4cbeb1db859f6cec6c53979b5633c75e.exe
"C:\Users\Admin\AppData\Local\Temp\a661541c4cbeb1db859f6cec6c53979b5633c75e.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:632
- C:\Users\Admin\AppData\Local\Temp\a661541c4cbeb1db859f6cec6c53979b5633c75e.exe
  "C:\Users\Admin\AppData\Local\Temp\a661541c4cbeb1db859f6cec6c53979b5633c75e.exe"
  2⤵
  PID:4864

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\nsl7D06.tmp\System.dll

Filesize
11KB

MD5
b0c77267f13b2f87c084fd86ef51ccfc

SHA1
f7543f9e9b4f04386dfbf33c38cbed1bf205afb3

SHA256
a0cac4cf4852895619bc7743ebeb89f9e4927ccdb9e66b1bcd92a4136d0f9c77

SHA512
f2b57a2eea00f52a3c7080f4b5f2bb85a7a9b9f16d12da8f8ff673824556c62a0f742b72be0fd82a2612a4b6dbd7e0fdc27065212da703c2f7e28d199696f66e

Download Submit
memory/4864-134-0x0000000040000000-0x000000004000B000-memory.dmp

Filesize
44KB

Download