Overview

overview

10

Static

static

6f9d943f88...fe.dll

windows7_x64

10

6f9d943f88...fe.dll

windows10_x64

10

Analysis

  • max time kernel
    15s
  • max time network
    112s
  • platform
    windows10_x64
  • resource
    win10v20210408
  • submitted
    21-07-2021 16:19

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    6f9d943f88f715ff8a122d7b88af986c1a9f38f4484e48cde768cf22a5935efe.dll

Score
10/10
rustybuerloader

Malware Config

Extracted

Family

rustybuer

C2

https://shipmentofficedepot.com/

Signatures

  • RustyBuer

    RustyBuer is a new variant of Buer loader written in Rust.

    loaderrustybuer
  • Blocklisted process makes network request 1 IoCs
  • Downloads MZ/PE file
  • Executes dropped EXE 1 IoCs
  • Enumerates connected drives 3 TTPs 49 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\6f9d943f88f715ff8a122d7b88af986c1a9f38f4484e48cde768cf22a5935efe.dll,#1
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:632
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\6f9d943f88f715ff8a122d7b88af986c1a9f38f4484e48cde768cf22a5935efe.dll,#1
      2⤵
      • Blocklisted process makes network request
      • Suspicious use of WriteProcessMemory
      PID:1264
      • C:\Users\Public\srtherhaeth.eXe
        C:\Users\Public\srtherhaeth.eXe
        3⤵
        • Executes dropped EXE
        • Enumerates connected drives
        PID:496

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1
T1012

Peripheral Device Discovery

1
T1120

System Information Discovery

1
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Public\srtherhaeth.eXe
    MD5

    984287b2d5eb06be3bb771f84e3b5ee8

    SHA1

    c75b5e359169084504a78259fd79f0d1e86a19ef

    SHA256

    c28abaaad1b7b2c7a37f28e974e8214f07c88feffef986e0a60a44ab0fa575aa

    SHA512

    412af5359691a2caea5a4e452b9ed2603d31db6306cf1c0b375c5f67400769108bc89c047b080d96e8f647b6fb6a47bfe9d6c6a123a4f27839953cd624e7ff9a

    Download Submit
  • C:\Users\Public\srtherhaeth.eXe
    MD5

    984287b2d5eb06be3bb771f84e3b5ee8

    SHA1

    c75b5e359169084504a78259fd79f0d1e86a19ef

    SHA256

    c28abaaad1b7b2c7a37f28e974e8214f07c88feffef986e0a60a44ab0fa575aa

    SHA512

    412af5359691a2caea5a4e452b9ed2603d31db6306cf1c0b375c5f67400769108bc89c047b080d96e8f647b6fb6a47bfe9d6c6a123a4f27839953cd624e7ff9a

    Download Submit
  • memory/496-115-0x0000000000000000-mapping.dmp
    Download
  • memory/496-118-0x00000000006E0000-0x000000000082A000-memory.dmp
    Filesize

    1.3MB

    Download
  • memory/496-119-0x00000000026B0000-0x0000000002816000-memory.dmp
    Filesize

    1.4MB

    Download
  • memory/1264-114-0x0000000000000000-mapping.dmp
    Download