Analysis
-
max time kernel
1624s -
max time network
1627s -
platform
windows10_x64 -
resource
win10v20210410 -
submitted
16-07-2021 23:51
Static task
static1
Behavioral task
behavioral1
Sample
Key.exe
Resource
win7v20210408
windows7_x64
0 signatures
0 seconds
General
-
Target
Key.exe
-
Size
6.8MB
-
MD5
963a91ca9da30098c75ecd5ab275f76c
-
SHA1
aff6c60c43a8900f9a9c2d11a604270c035c543c
-
SHA256
578dc62dfa0203080da262676f28c679114d6b1c90a4ab6c07b736d9ce64e43e
-
SHA512
9fc6603359f80b9e5db7a02a91ce7b22765871fff98310c0679e7f970807534cd8645dde948dc58b2ca079f8ca3b209ac675599d8f9b3edfb7c35230e674449e
Malware Config
Extracted
Family
rustybuer
C2
https://lebatyo.com/
Signatures
-
Enumerates connected drives 3 TTPs 49 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
secinit.exedescription ioc process File opened (read-only) \??\F: secinit.exe File opened (read-only) \??\l: secinit.exe File opened (read-only) \??\o: secinit.exe File opened (read-only) \??\O: secinit.exe File opened (read-only) \??\P: secinit.exe File opened (read-only) \??\z: secinit.exe File opened (read-only) \??\D: secinit.exe File opened (read-only) \??\Q: secinit.exe File opened (read-only) \??\R: secinit.exe File opened (read-only) \??\X: secinit.exe File opened (read-only) \??\B: secinit.exe File opened (read-only) \??\G: secinit.exe File opened (read-only) \??\r: secinit.exe File opened (read-only) \??\S: secinit.exe File opened (read-only) \??\x: secinit.exe File opened (read-only) \??\g: secinit.exe File opened (read-only) \??\U: secinit.exe File opened (read-only) \??\Z: secinit.exe File opened (read-only) \??\I: secinit.exe File opened (read-only) \??\f: secinit.exe File opened (read-only) \??\i: secinit.exe File opened (read-only) \??\L: secinit.exe File opened (read-only) \??\V: secinit.exe File opened (read-only) \??\b: secinit.exe File opened (read-only) \??\K: secinit.exe File opened (read-only) \??\n: secinit.exe File opened (read-only) \??\p: secinit.exe File opened (read-only) \??\s: secinit.exe File opened (read-only) \??\y: secinit.exe File opened (read-only) \??\H: secinit.exe File opened (read-only) \??\A: secinit.exe File opened (read-only) \??\e: secinit.exe File opened (read-only) \??\E: secinit.exe File opened (read-only) \??\h: secinit.exe File opened (read-only) \??\j: secinit.exe File opened (read-only) \??\J: secinit.exe File opened (read-only) \??\m: secinit.exe File opened (read-only) \??\a: secinit.exe File opened (read-only) \??\N: secinit.exe File opened (read-only) \??\t: secinit.exe File opened (read-only) \??\v: secinit.exe File opened (read-only) \??\w: secinit.exe File opened (read-only) \??\W: secinit.exe File opened (read-only) \??\Y: secinit.exe File opened (read-only) \??\M: secinit.exe File opened (read-only) \??\q: secinit.exe File opened (read-only) \??\T: secinit.exe File opened (read-only) \??\u: secinit.exe File opened (read-only) \??\k: secinit.exe -
Suspicious use of SetThreadContext 1 IoCs
Processes:
Key.exedescription pid process target process PID 3200 set thread context of 3404 3200 Key.exe secinit.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes:
secinit.exepid process 3404 secinit.exe 3404 secinit.exe -
Suspicious use of WriteProcessMemory 9 IoCs
Processes:
Key.exedescription pid process target process PID 3200 wrote to memory of 3404 3200 Key.exe secinit.exe PID 3200 wrote to memory of 3404 3200 Key.exe secinit.exe PID 3200 wrote to memory of 3404 3200 Key.exe secinit.exe PID 3200 wrote to memory of 3404 3200 Key.exe secinit.exe PID 3200 wrote to memory of 3404 3200 Key.exe secinit.exe PID 3200 wrote to memory of 3404 3200 Key.exe secinit.exe PID 3200 wrote to memory of 3404 3200 Key.exe secinit.exe PID 3200 wrote to memory of 3404 3200 Key.exe secinit.exe PID 3200 wrote to memory of 3404 3200 Key.exe secinit.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\Key.exe"C:\Users\Admin\AppData\Local\Temp\Key.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3200 -
C:\Windows\SysWOW64\secinit.exe"C:\Windows\System32\secinit.exe"2⤵
- Enumerates connected drives
- Suspicious behavior: EnumeratesProcesses
PID:3404
-