buer | 9d596eb3d5080db81cda994198d5471fdb7a329f92e7a1f76ba7cac445542eec

General

Target

ba900abbccb3863cefc4aac31300eb3d.exe
Size

30KB
MD5

ba900abbccb3863cefc4aac31300eb3d
SHA1

61a6efdeffec38a278640b463fff35e3858e5173
SHA256

9d596eb3d5080db81cda994198d5471fdb7a329f92e7a1f76ba7cac445542eec
SHA512

ec6bfe690d74a919b49ad78fffae782ef07a3363a54260782d715f8b140f327ae637d6aca12cdd80410689450362b5631083789d94ed0e8c86935f3dfb422ce7
SSDEEP

768:ygw75ZtkSZopNi5Q0hILkKF2kPYkrfl6qwINmSTT:ygw1ZopSvhIQKF28v96qwI02

Score

10^/10

buer loader miner

Malware Config

Signatures

Buer
Buer is a new modular loader first seen in August 2019.
loader buer

Detectes Phoenix Miner Payload 5 IoCs

miner

resource	yara_rule
behavioral1/memory/2208-0-0x0000000000C30000-0x0000000000C3E000-memory.dmp	miner_phoenix
behavioral1/files/0x000b0000000152bc-9.dat	miner_phoenix
behavioral1/memory/1028-11-0x0000000001150000-0x000000000115E000-memory.dmp	miner_phoenix
behavioral1/memory/1028-13-0x0000000000DF0000-0x0000000000E70000-memory.dmp	miner_phoenix
behavioral1/memory/1044-17-0x0000000000460000-0x00000000004E0000-memory.dmp	miner_phoenix

Executes dropped EXE 2 IoCs

pid	Process
1028	moduleName.exe
1044	moduleName.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2340	schtasks.exe

Suspicious behavior: EnumeratesProcesses 19 IoCs

pid	Process
2208	ba900abbccb3863cefc4aac31300eb3d.exe
2208	ba900abbccb3863cefc4aac31300eb3d.exe
2208	ba900abbccb3863cefc4aac31300eb3d.exe
2208	ba900abbccb3863cefc4aac31300eb3d.exe
2208	ba900abbccb3863cefc4aac31300eb3d.exe
2208	ba900abbccb3863cefc4aac31300eb3d.exe
2208	ba900abbccb3863cefc4aac31300eb3d.exe
1028	moduleName.exe
1028	moduleName.exe
1028	moduleName.exe
1028	moduleName.exe
1028	moduleName.exe
1028	moduleName.exe
1044	moduleName.exe
1044	moduleName.exe
1044	moduleName.exe
1044	moduleName.exe
1044	moduleName.exe
1044	moduleName.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	2208	ba900abbccb3863cefc4aac31300eb3d.exe
Token: SeDebugPrivilege	1028	moduleName.exe
Token: SeDebugPrivilege	1044	moduleName.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2208 wrote to memory of 2340	2208	ba900abbccb3863cefc4aac31300eb3d.exe	29
PID 2208 wrote to memory of 2340	2208	ba900abbccb3863cefc4aac31300eb3d.exe	29
PID 2208 wrote to memory of 2340	2208	ba900abbccb3863cefc4aac31300eb3d.exe	29
PID 2588 wrote to memory of 1028	2588	taskeng.exe	33
PID 2588 wrote to memory of 1028	2588	taskeng.exe	33
PID 2588 wrote to memory of 1028	2588	taskeng.exe	33
PID 2588 wrote to memory of 1044	2588	taskeng.exe	34
PID 2588 wrote to memory of 1044	2588	taskeng.exe	34
PID 2588 wrote to memory of 1044	2588	taskeng.exe	34

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\ba900abbccb3863cefc4aac31300eb3d.exe
"C:\Users\Admin\AppData\Local\Temp\ba900abbccb3863cefc4aac31300eb3d.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2208
- C:\Windows\System32\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /Create /TN Windows\Framework\MicrosoftSecurityEssentials /XML "C:\ProgramData\878214A8CC8CE301258B\task"
  2⤵
  - Creates scheduled task(s)
  PID:2340

C:\Windows\system32\taskeng.exe
taskeng.exe {B3924D1A-05F0-4D9F-83D6-BD132176E3E8} S-1-5-21-452311807-3713411997-1028535425-1000:OZEMQECW\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:2588
- C:\ProgramData\878214A8CC8CE301258B\moduleName.exe
  C:\ProgramData\878214A8CC8CE301258B\moduleName.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1028
- C:\ProgramData\878214A8CC8CE301258B\moduleName.exe
  C:\ProgramData\878214A8CC8CE301258B\moduleName.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1044

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\878214A8CC8CE301258B\moduleName.exe

Filesize
30KB

MD5
ba900abbccb3863cefc4aac31300eb3d

SHA1
61a6efdeffec38a278640b463fff35e3858e5173

SHA256
9d596eb3d5080db81cda994198d5471fdb7a329f92e7a1f76ba7cac445542eec

SHA512
ec6bfe690d74a919b49ad78fffae782ef07a3363a54260782d715f8b140f327ae637d6aca12cdd80410689450362b5631083789d94ed0e8c86935f3dfb422ce7

Download Submit
C:\ProgramData\878214A8CC8CE301258B\task

Filesize
1KB

MD5
8c8fe247883d3afc3169acd7ca3313b7

SHA1
4c88fceb3b433980d3f67d46335196ce03920e07

SHA256
7c3910fdaa9d7717c05b185193629427250bb6c48523c2621bebb823f2fb72ed

SHA512
8e8d48314bb8d5e5bc2eff00d5558899d5d4986a5c8fb98c19ee751ba37cdc202985ab377ba0cd1bca0b0626c9da393f78396e22d75ec2f0d52003e4c9e75f18

Download Submit
memory/1028-11-0x0000000001150000-0x000000000115E000-memory.dmp

Filesize
56KB

Download
memory/1028-12-0x000007FEF50C0000-0x000007FEF5AAC000-memory.dmp

Filesize
9.9MB

Download
memory/1028-13-0x0000000000DF0000-0x0000000000E70000-memory.dmp

Filesize
512KB

Download
memory/1028-14-0x000007FEF50C0000-0x000007FEF5AAC000-memory.dmp

Filesize
9.9MB

Download
memory/1044-16-0x000007FEF5AB0000-0x000007FEF649C000-memory.dmp

Filesize
9.9MB

Download
memory/1044-17-0x0000000000460000-0x00000000004E0000-memory.dmp

Filesize
512KB

Download
memory/1044-18-0x000007FEF5AB0000-0x000007FEF649C000-memory.dmp

Filesize
9.9MB

Download
memory/2208-2-0x000000001AEE0000-0x000000001AF60000-memory.dmp

Filesize
512KB

Download
memory/2208-7-0x000007FEF5AB0000-0x000007FEF649C000-memory.dmp

Filesize
9.9MB

Download
memory/2208-1-0x000007FEF5AB0000-0x000007FEF649C000-memory.dmp

Filesize
9.9MB

Download
memory/2208-0-0x0000000000C30000-0x0000000000C3E000-memory.dmp

Filesize
56KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads