Resubmissions

  • 05-02-2021 09:03  210205-vb23bmqh2n  score 10
  • 05-02-2021 08:52  210205-8n4dfc6e2j  score 10
  • 05-02-2021 00:36  210205-pj4d5hk8ys  score 10

Analysis

  • max time kernel
    1743s
  • max time network
    1768s
  • platform
    windows7_x64
  • resource
    win7v20201028
  • submitted
    05-02-2021 09:03

General

  • Target

    zrmbk.exe

  • Size

    97KB

  • MD5

    9168378e6849f1547829afc3f0357f6a

  • SHA1

    097d64d174b8243434f026f2fd24e536cc3686bc

  • SHA256

    d333192a262ceaec75b68c0e6082cf868eb77a0e81010f590451814770b6ce31

  • SHA512

    4c69f85af810334506dd1b8d2e409e30ce8c8471073b56bece6312dcda109705720c41255d49e1d7976b847f4ca586113208fdec805aac2398fc890fc230754b

Malware Config

Extracted

Family

buer

C2

officewestunionbank.com

bankcreditsign.com

Extracted

Family

raccoon

Botnet

fbb3ff62285b6085836cfe3d032d817936c927a9

Attributes
  • url4cnc

    https://telete.in/jvadikkamushkin

  • rc4.plain

Signatures

  • Buer

    Buer is a modular loader first seen in August 2019.

  • Raccoon

    Raccoon is a simple but capable infostealer that was very active in 2019.

  • Buer Loader 2 IoCs

    Detects Buer loader in memory or disk.

  • Loads dropped DLL 16 IoCs
  • Enumerates connected drives 3 TTPs 24 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Suspicious use of SetThreadContext 2 IoCs
  • Delays execution with timeout.exe 2 IoCs
  • Suspicious use of WriteProcessMemory 36 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\zrmbk.exe
    "C:\Users\Admin\AppData\Local\Temp\zrmbk.exe"
    1⤵
    • Enumerates connected drives
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:1100
    • C:\Windows\SysWOW64\svchost.exe
      "C:\Windows\System32\svchost.exe"
      2⤵
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:760
      • C:\Windows\SysWOW64\cmd.exe
        cmd.exe /C timeout /T 10 /NOBREAK > Nul & Del /f /q "C:\Windows\SysWOW64\svchost.exe"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1592
        • C:\Windows\SysWOW64\timeout.exe
          timeout /T 10 /NOBREAK
          4⤵
          • Delays execution with timeout.exe
          PID:992
    • C:\Windows\SysWOW64\svchost.exe
      "C:\Windows\System32\svchost.exe"
      2⤵
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:832
      • C:\Windows\SysWOW64\cmd.exe
        cmd.exe /C timeout /T 10 /NOBREAK > Nul & Del /f /q "C:\Windows\SysWOW64\svchost.exe"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:296
        • C:\Windows\SysWOW64\timeout.exe
          timeout /T 10 /NOBREAK
          4⤵
          • Delays execution with timeout.exe
          PID:1108
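The process tree above shows a pattern worth detecting on its own, independent of the Buer/Raccoon signatures: a binary in a user-writable path spawns svchost.exe (with the SetThreadContext/WriteProcessMemory activity typical of process hollowing; the launch of "System32\svchost.exe" lands in SysWOW64 because the parent is 32-bit), and each svchost then runs cmd.exe to sleep with timeout and delete its own image. The script below is an added example, not part of the sandbox report or the sandbox's own signatures. It runs three checks over constructed process-creation records whose PIDs and command lines are copied from the tree (the field names follow Sysmon Event ID 1 and the parent of zrmbk.exe, which the report does not give, is a placeholder). The ping variant of the delay rule goes beyond what this report shows.

```python
import re
from typing import Dict, List, Optional

# Constructed process-creation records mirroring the report's tree. Keys follow
# Sysmon Event ID 1 naming (an assumption, not the report's format). The report
# does not show the parent of zrmbk.exe, so ppid 0 is a placeholder.
EVENTS: List[Dict] = [
    {"pid": 1100, "ppid": 0,    "image": r"C:\Users\Admin\AppData\Local\Temp\zrmbk.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\zrmbk.exe"'},
    {"pid": 760,  "ppid": 1100, "image": r"C:\Windows\SysWOW64\svchost.exe",
     "cmdline": r'"C:\Windows\System32\svchost.exe"'},
    {"pid": 1592, "ppid": 760,  "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": r'cmd.exe /C timeout /T 10 /NOBREAK > Nul & Del /f /q "C:\Windows\SysWOW64\svchost.exe"'},
    {"pid": 992,  "ppid": 1592, "image": r"C:\Windows\SysWOW64\timeout.exe",
     "cmdline": r"timeout /T 10 /NOBREAK"},
    # Benign contrast (constructed): a 64-bit service host started by services.exe.
    {"pid": 500,  "ppid": 4,    "image": r"C:\Windows\System32\services.exe",
     "cmdline": r"C:\Windows\System32\services.exe"},
    {"pid": 1300, "ppid": 500,  "image": r"C:\Windows\System32\svchost.exe",
     "cmdline": r"C:\Windows\System32\svchost.exe -k netsvcs"},
]

# "timeout ... & del ... "<path>"" (or the ping variant, a generalisation beyond
# this report): a delayed delete of a quoted path.
DELAY_THEN_DEL = re.compile(r'\b(?:timeout|ping)\b.*?&\s*del\b[^"]*"([^"]+)"', re.IGNORECASE)


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def first_path(cmdline: str) -> str:
    """Return the executable path as written on the command line (quoted or not)."""
    s = cmdline.strip()
    if s.startswith('"'):
        return s[1:s.find('"', 1)]
    return s.split(" ", 1)[0]


def detect(events: List[Dict]) -> List[Dict]:
    by_pid = {e["pid"]: e for e in events}
    findings: List[Dict] = []
    for e in events:
        parent: Optional[Dict] = by_pid.get(e["ppid"])
        name = basename(e["image"])
        if name == "svchost.exe":
            # Rule 1: svchost.exe whose parent is not services.exe. In the report
            # the parent is zrmbk.exe, which is the hollowing host relationship.
            if parent is None or basename(parent["image"]) != "services.exe":
                findings.append({"pid": e["pid"], "rule": "svchost_unexpected_parent",
                                 "parent": parent["image"] if parent else None})
            # Rule 2: the image actually loaded differs from the path on the command
            # line (System32 requested, SysWOW64 loaded): file-system redirection,
            # meaning a 32-bit process launched it.
            if first_path(e["cmdline"]).lower() != e["image"].lower():
                findings.append({"pid": e["pid"], "rule": "wow64_redirected_launch",
                                 "requested": first_path(e["cmdline"]), "loaded": e["image"]})
        if name == "cmd.exe":
            # Rule 3: sleep-then-delete; strongest when the deleted file is the
            # parent's own image, i.e. self-deletion of the injected host.
            m = DELAY_THEN_DEL.search(e["cmdline"])
            if m:
                target = m.group(1)
                self_delete = parent is not None and target.lower() == parent["image"].lower()
                findings.append({"pid": e["pid"], "rule": "delayed_delete",
                                 "target": target, "self_delete": self_delete})
    return findings


if __name__ == "__main__":
    for f in detect(EVENTS):
        print(f)
```

Run against the constructed records, the benign services.exe/svchost.exe pair produces nothing, while PID 760 trips both svchost rules and PID 1592 is reported as a self-delete of its parent's image. The regex deliberately requires a quoted delete target; an unquoted `del C:\path` would need a second branch.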

Network

MITRE ATT&CK Enterprise v6


Downloads

  • memory/760-8-0x0000000000400000-0x0000000000494000-memory.dmp

    Filesize

    592KB

  • memory/760-7-0x00000000760C1000-0x00000000760C3000-memory.dmp

    Filesize

    8KB

  • memory/760-5-0x0000000000400000-0x0000000000494000-memory.dmp

    Filesize

    592KB

  • memory/832-23-0x0000000000400000-0x0000000000494000-memory.dmp

    Filesize

    592KB

  • memory/1100-2-0x0000000000650000-0x0000000000661000-memory.dmp

    Filesize

    68KB

  • memory/1100-4-0x0000000040000000-0x0000000040009000-memory.dmp

    Filesize

    36KB

  • memory/1100-3-0x0000000000020000-0x0000000000027000-memory.dmp

    Filesize

    28KB

  • memory/1264-10-0x000007FEF6010000-0x000007FEF628A000-memory.dmp

    Filesize

    2.5MB