Analysis
max time kernel: 15s
max time network: 112s
platform: windows10_x64
resource: win10v20210408
submitted: 21-07-2021 16:19
Static task: static1
Behavioral task: behavioral1
Sample: 6f9d943f88f715ff8a122d7b88af986c1a9f38f4484e48cde768cf22a5935efe.dll
Resource: win7v20210408
General

Malware Config (Extracted)
Family: rustybuer
URL: https://shipmentofficedepot.com/
Signatures

Blocklisted process makes network request (1 IoC)
Processes:
  flow  pid   process
  9     1264  rundll32.exe

Downloads MZ/PE file

Executes dropped EXE (1 IoC)
Processes:
  pid  process
  496  srtherhaeth.eXe

Enumerates connected drives (3 TTPs, 49 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
  description: File opened (read-only)
  process: srtherhaeth.eXe
  ioc (49 drive roots, in the order reported):
    \??\P:, \??\Q:, \??\T:, \??\V:, \??\Y:, \??\A:, \??\B:, \??\o:, \??\I:, \??\O:,
    \??\a:, \??\D:, \??\h:, \??\K:, \??\s:, \??\y:, \??\p:, \??\z:, \??\Z:, \??\f:,
    \??\M:, \??\n:, \??\R:, \??\u:, \??\v:, \??\w:, \??\W:, \??\b:, \??\l:, \??\r:,
    \??\x:, \??\k:, \??\L:, \??\m:, \??\q:, \??\U:, \??\e:, \??\G:, \??\H:, \??\X:,
    \??\g:, \??\N:, \??\S:, \??\j:, \??\J:, \??\t:, \??\E:, \??\F:, \??\i:

Suspicious use of WriteProcessMemory (6 IoCs)
Processes:
  description         pid   process       target pid  target process
  wrote to memory of  632   rundll32.exe  1264        rundll32.exe
  wrote to memory of  632   rundll32.exe  1264        rundll32.exe
  wrote to memory of  632   rundll32.exe  1264        rundll32.exe
  wrote to memory of  1264  rundll32.exe  496         srtherhaeth.eXe
  wrote to memory of  1264  rundll32.exe  496         srtherhaeth.eXe
  wrote to memory of  1264  rundll32.exe  496         srtherhaeth.eXe
Processes

C:\Windows\system32\rundll32.exe
  command: rundll32.exe C:\Users\Admin\AppData\Local\Temp\6f9d943f88f715ff8a122d7b88af986c1a9f38f4484e48cde768cf22a5935efe.dll,#1
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\rundll32.exe
    command: rundll32.exe C:\Users\Admin\AppData\Local\Temp\6f9d943f88f715ff8a122d7b88af986c1a9f38f4484e48cde768cf22a5935efe.dll,#1
    - Blocklisted process makes network request
    - Suspicious use of WriteProcessMemory

    C:\Users\Public\srtherhaeth.eXe
      command: C:\Users\Public\srtherhaeth.eXe
      - Executes dropped EXE
      - Enumerates connected drives
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads

C:\Users\Public\srtherhaeth.eXe
  MD5:    984287b2d5eb06be3bb771f84e3b5ee8
  SHA1:   c75b5e359169084504a78259fd79f0d1e86a19ef
  SHA256: c28abaaad1b7b2c7a37f28e974e8214f07c88feffef986e0a60a44ab0fa575aa
  SHA512: 412af5359691a2caea5a4e452b9ed2603d31db6306cf1c0b375c5f67400769108bc89c047b080d96e8f647b6fb6a47bfe9d6c6a123a4f27839953cd624e7ff9a

memory/496-115-0x0000000000000000-mapping.dmp

memory/496-118-0x00000000006E0000-0x000000000082A000-memory.dmp
  Filesize: 1.3MB

memory/496-119-0x00000000026B0000-0x0000000002816000-memory.dmp
  Filesize: 1.4MB

memory/1264-114-0x0000000000000000-mapping.dmp