buer | 91d1851a7dfd2133102df6f58b34823726796744e62f61e4181b977026b19d6b

General

Target

Review.exe
Size

326KB
MD5

8330ee5e6df29bdb94e65f2c93e3da24
SHA1

8b5d4da807717806579cc9dc117f8a91f75154ec
SHA256

91d1851a7dfd2133102df6f58b34823726796744e62f61e4181b977026b19d6b
SHA512

1cdad334545c2eec3ab6b1a9ac1e12c4b358bf863eae96ababe6bdc6c6706ce0a20e16b6bb20d94247477c0c6ba93a94572adf5305dd5b7fca09dbcfa6830ed6
SSDEEP

1536:QRhmabwrFnOATLZ+ZlDD4444444444444444444444444444444444444444444x:CupU1Wg8sZ/FXdVi3F6T6qo

Score

10^/10

buer loader persistence

Malware Config

Extracted

Family

buer

C2

https://161.35.192.121/

Signatures

Buer
Buer is a new modular loader first seen in August 2019.
loader buer

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\ProgramData\\b744b55c2acb642048fb\\gennt.exe\""	gennt.exe

Buer Loader 4 IoCs

Detects Buer loader in memory or disk.

loader

resource	yara_rule
behavioral1/memory/2556-1-0x0000000000340000-0x000000000034F000-memory.dmp	buer
behavioral1/memory/2556-3-0x0000000000330000-0x000000000033D000-memory.dmp	buer
behavioral1/memory/2556-6-0x0000000040000000-0x000000004000C000-memory.dmp	buer
behavioral1/memory/2860-25-0x00000000003D0000-0x00000000003DF000-memory.dmp	buer

Deletes itself 1 IoCs

pid	Process
2860	gennt.exe

Executes dropped EXE 1 IoCs

pid	Process
2860	gennt.exe

Loads dropped DLL 2 IoCs

pid	Process
2556	Review.exe
2556	Review.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2916	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2916	powershell.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2556 wrote to memory of 2860	2556	Review.exe	30
PID 2556 wrote to memory of 2860	2556	Review.exe	30
PID 2556 wrote to memory of 2860	2556	Review.exe	30
PID 2556 wrote to memory of 2860	2556	Review.exe	30
PID 2860 wrote to memory of 2916	2860	gennt.exe	31
PID 2860 wrote to memory of 2916	2860	gennt.exe	31
PID 2860 wrote to memory of 2916	2860	gennt.exe	31
PID 2860 wrote to memory of 2916	2860	gennt.exe	31

C:\Users\Admin\AppData\Local\Temp\Review.exe
"C:\Users\Admin\AppData\Local\Temp\Review.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2556
- C:\ProgramData\b744b55c2acb642048fb\gennt.exe
  C:\ProgramData\b744b55c2acb642048fb\gennt.exe "C:\Users\Admin\AppData\Local\Temp\Review.exe" ensgJJ
  2⤵
  - Modifies WinLogon for persistence
  - Deletes itself
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2860
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -Command "& {Add-MpPreference -ExclusionPath C:\ProgramData\b744b55c2acb642048fb}"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2916

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Winlogon Helper DLL

1

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Winlogon Helper DLL

1

T1547.004

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\b744b55c2acb642048fb\gennt.exe

Filesize
326KB

MD5
8330ee5e6df29bdb94e65f2c93e3da24

SHA1
8b5d4da807717806579cc9dc117f8a91f75154ec

SHA256
91d1851a7dfd2133102df6f58b34823726796744e62f61e4181b977026b19d6b

SHA512
1cdad334545c2eec3ab6b1a9ac1e12c4b358bf863eae96ababe6bdc6c6706ce0a20e16b6bb20d94247477c0c6ba93a94572adf5305dd5b7fca09dbcfa6830ed6

Download Submit
C:\ProgramData\b744b55c2acb642048fb\gennt.exe

Filesize
326KB

MD5
8330ee5e6df29bdb94e65f2c93e3da24

SHA1
8b5d4da807717806579cc9dc117f8a91f75154ec

SHA256
91d1851a7dfd2133102df6f58b34823726796744e62f61e4181b977026b19d6b

SHA512
1cdad334545c2eec3ab6b1a9ac1e12c4b358bf863eae96ababe6bdc6c6706ce0a20e16b6bb20d94247477c0c6ba93a94572adf5305dd5b7fca09dbcfa6830ed6

Download Submit
\ProgramData\b744b55c2acb642048fb\gennt.exe

Filesize
326KB

MD5
8330ee5e6df29bdb94e65f2c93e3da24

SHA1
8b5d4da807717806579cc9dc117f8a91f75154ec

SHA256
91d1851a7dfd2133102df6f58b34823726796744e62f61e4181b977026b19d6b

SHA512
1cdad334545c2eec3ab6b1a9ac1e12c4b358bf863eae96ababe6bdc6c6706ce0a20e16b6bb20d94247477c0c6ba93a94572adf5305dd5b7fca09dbcfa6830ed6

Download Submit
\ProgramData\b744b55c2acb642048fb\gennt.exe

Filesize
326KB

MD5
8330ee5e6df29bdb94e65f2c93e3da24

SHA1
8b5d4da807717806579cc9dc117f8a91f75154ec

SHA256
91d1851a7dfd2133102df6f58b34823726796744e62f61e4181b977026b19d6b

SHA512
1cdad334545c2eec3ab6b1a9ac1e12c4b358bf863eae96ababe6bdc6c6706ce0a20e16b6bb20d94247477c0c6ba93a94572adf5305dd5b7fca09dbcfa6830ed6

Download Submit
memory/2556-23-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/2556-9-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/2556-6-0x0000000040000000-0x000000004000C000-memory.dmp

Filesize
48KB

Download
memory/2556-3-0x0000000000330000-0x000000000033D000-memory.dmp

Filesize
52KB

Download
memory/2556-0-0x0000000000320000-0x0000000000321000-memory.dmp

Filesize
4KB

Download
memory/2556-1-0x0000000000340000-0x000000000034F000-memory.dmp

Filesize
60KB

Download
memory/2860-25-0x00000000003D0000-0x00000000003DF000-memory.dmp

Filesize
60KB

Download
memory/2860-32-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/2916-37-0x0000000073B80000-0x000000007412B000-memory.dmp

Filesize
5.7MB

Download
memory/2916-38-0x0000000073B80000-0x000000007412B000-memory.dmp

Filesize
5.7MB

Download
memory/2916-39-0x00000000026F0000-0x0000000002730000-memory.dmp

Filesize
256KB

Download
memory/2916-40-0x00000000026F0000-0x0000000002730000-memory.dmp

Filesize
256KB

Download
memory/2916-41-0x0000000073B80000-0x000000007412B000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads