Overview

overview

10

Static

static

Sandra

windows10_x64

10

Resubmissions

08/02/2021, 07:39

210208-vk216kedze 10

08/02/2021, 00:35

210208-f8eg4qhlga 10

Analysis

  • max time kernel
    600s
  • max time network
    601s
  • platform
    windows10_x64
  • resource
    win10v20201028
  • submitted
    08/02/2021, 07:39

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    eci7g.bin.exe

Score
10/10
buerraccoonfbb3ff62285b6085836cfe3d032d817936c927a9loaderstealer

Malware Config

Extracted

Family

buer

C2

officewestunionbank.com

bankcreditsign.com

Extracted

Family

raccoon

Botnet

fbb3ff62285b6085836cfe3d032d817936c927a9

Attributes
  • url4cnc

    https://telete.in/jvadikkamushkin

rc4.plain
rc4.plain

Signatures

  • Buer

    Buer is a new modular loader first seen in August 2019.

    loaderbuer
  • Raccoon

    Simple but powerful infostealer which was very active in 2019.

    stealerraccoon
  • Buer Loader 2 IoCs

    Detects Buer loader in memory or disk.

  • Enumerates connected drives 3 TTPs 24 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Suspicious use of SetThreadContext 2 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\eci7g.bin.exe
    "C:\Users\Admin\AppData\Local\Temp\eci7g.bin.exe"
    1⤵
    • Enumerates connected drives
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:508
    • C:\Windows\SysWOW64\svchost.exe
      "C:\Windows\System32\svchost.exe"
      2⤵
        PID:192
      • C:\Windows\SysWOW64\svchost.exe
        "C:\Windows\System32\svchost.exe"
        2⤵
          PID:1280

      Network

            MITRE ATT&CK Enterprise v6

            Replay Monitor

            Loading Replay Monitor...

            Downloads

            • memory/192-5-0x0000000000400000-0x0000000000494000-memory.dmp

              Filesize

              592KB

              Download

            • memory/192-7-0x0000000000400000-0x0000000000494000-memory.dmp

              Filesize

              592KB

              Download

            • memory/508-2-0x00000000006C0000-0x00000000006C1000-memory.dmp

              Filesize

              4KB

              Download

            • memory/508-3-0x0000000000030000-0x0000000000037000-memory.dmp

              Filesize

              28KB

              Download

            • memory/508-4-0x0000000040000000-0x0000000040009000-memory.dmp

              Filesize

              36KB

              Download

            • memory/1280-10-0x0000000000400000-0x0000000000494000-memory.dmp

              Filesize

              592KB

              Download