Analysis

max time kernel: 124s
max time network: 122s
platform: windows7_x64
resource: win7v20201028
submitted: 10-04-2021 16:20
Static task: static1
General

Target: Document_Opener.exe.14.dr.exe
Size: 1.4MB
MD5: 4d182167da3f24bfb9e80469b0d7d62a
SHA1: 1bb377017690bd7066bb98658a8bb90d91feeb93
SHA256: e0fb60da371912c158861c9660632d58e45cfcff12351cc9e03f497f319eb5de
SHA512: 1ea73e9857320cf1571ffef0ec8ce042ff708c2ab8b8cde890f6afe3f82ac2e8106a2539d729f7e018ae0e82eb364eca3a0bea5f6acc919855574cbac2784302
Malware Config

Extracted
Family: rustybuer
C2: https://gestahibanking.com/
Signatures

Loads dropped DLL (1 IoC)
  pid 1716  Document_Opener.exe.14.dr.exe

Enumerates connected drives (3 TTPs, 49 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
Suspicious use of SetThreadContext (1 IoC)
  PID 1716 set thread context of 1156  (Document_Opener.exe.14.dr.exe, procid_target 29)

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Program crash (1 IoC)
  pid 1668  WerFault.exe, pid_target 1156, procid_target 29

Suspicious behavior: EnumeratesProcesses (5 IoCs)
  pid 1668  WerFault.exe (5 events)

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  pid 1668  WerFault.exe

Suspicious behavior: MapViewOfSection (1 IoC)
  pid 1716  Document_Opener.exe.14.dr.exe

Suspicious use of AdjustPrivilegeToken (1 IoC)
  Token: SeDebugPrivilege  pid 1668  WerFault.exe

Suspicious use of WriteProcessMemory (9 IoCs)
  PID 1716 wrote to memory of 1156  (Document_Opener.exe.14.dr.exe, procid_target 29), 5 events
  PID 1156 wrote to memory of 1668  (Document_Opener.exe.14.dr.exe, procid_target 30), 4 events
Processes

C:\Users\Admin\AppData\Local\Temp\Document_Opener.exe.14.dr.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\Document_Opener.exe.14.dr.exe"
  PID: 1716
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\Document_Opener.exe.14.dr.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\Document_Opener.exe.14.dr.exe"
    PID: 1156
    - Enumerates connected drives
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1156 -s 440
      PID: 1668
      - Program crash
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious use of AdjustPrivilegeToken