Overview

overview

10

Static

static

Sandra

windows10_x64

10

Resubmissions

08-02-2021 07:39

210208-vk216kedze 10

08-02-2021 00:35

210208-f8eg4qhlga 10

Analysis

  • max time kernel
    600s
  • max time network
    601s
  • platform
    windows10_x64
  • resource
    win10v20201028
  • submitted
    08-02-2021 07:39

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    eci7g.bin.exe

Score
10/10
buerraccoonfbb3ff62285b6085836cfe3d032d817936c927a9loaderstealer

Malware Config

Extracted

Family

buer

C2

officewestunionbank.com

bankcreditsign.com

Extracted

Family

raccoon

Botnet

fbb3ff62285b6085836cfe3d032d817936c927a9

Attributes
  • url4cnc

    https://telete.in/jvadikkamushkin

rc4.plain
rc4.plain

Signatures

  • Buer

    Buer is a new modular loader first seen in August 2019.

    loaderbuer
  • Raccoon

    Simple but powerful infostealer which was very active in 2019.

    stealerraccoon
  • Buer Loader 2 IoCs

    Detects Buer loader in memory or disk.

  • Enumerates connected drives 3 TTPs 24 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Suspicious use of SetThreadContext 2 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\eci7g.bin.exe
    "C:\Users\Admin\AppData\Local\Temp\eci7g.bin.exe"
    1⤵
    • Enumerates connected drives
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:508
    • C:\Windows\SysWOW64\svchost.exe
      "C:\Windows\System32\svchost.exe"
      2⤵
        PID:192
      • C:\Windows\SysWOW64\svchost.exe
        "C:\Windows\System32\svchost.exe"
        2⤵
          PID:1280

      Network

      MITRE ATT&CK Matrix ATT&CK v6

      Initial Access

      Execution

      Persistence

      Privilege Escalation

      Defense Evasion

      Credential Access

      Discovery

      Query Registry

      1
      T1012

      Peripheral Device Discovery

      1
      T1120

      System Information Discovery

      1
      T1082

      Lateral Movement

      Collection

      Exfiltration

      Command and Control

      Impact

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • memory/192-5-0x0000000000400000-0x0000000000494000-memory.dmp
        Filesize

        592KB

        Download
      • memory/192-6-0x000000000043FEA3-mapping.dmp
        Download
      • memory/192-7-0x0000000000400000-0x0000000000494000-memory.dmp
        Filesize

        592KB

        Download
      • memory/508-2-0x00000000006C0000-0x00000000006C1000-memory.dmp
        Filesize

        4KB

        Download
      • memory/508-3-0x0000000000030000-0x0000000000037000-memory.dmp
        Filesize

        28KB

        Download
      • memory/508-4-0x0000000040000000-0x0000000040009000-memory.dmp
        Filesize

        36KB

        Download
      • memory/1280-9-0x000000000043FEA3-mapping.dmp
        Download
      • memory/1280-10-0x0000000000400000-0x0000000000494000-memory.dmp
        Filesize

        592KB

        Download