Analysis
-
max time kernel
15s -
max time network
112s -
platform
windows10_x64 -
resource
win10v20210408 -
submitted
21-07-2021 16:19
Static task
static1
Behavioral task
behavioral1
Sample
6f9d943f88f715ff8a122d7b88af986c1a9f38f4484e48cde768cf22a5935efe.dll
Resource
win7v20210408
windows7_x64
0 signatures
0 seconds
General
Malware Config
Extracted
Family
rustybuer
C2
https://shipmentofficedepot.com/
Signatures
-
Blocklisted process makes network request 1 IoCs
flow pid Process 9 1264 rundll32.exe -
Downloads MZ/PE file
-
Executes dropped EXE 1 IoCs
pid Process 496 srtherhaeth.eXe -
Enumerates connected drives 3 TTPs 49 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\P: srtherhaeth.eXe File opened (read-only) \??\Q: srtherhaeth.eXe File opened (read-only) \??\T: srtherhaeth.eXe File opened (read-only) \??\V: srtherhaeth.eXe File opened (read-only) \??\Y: srtherhaeth.eXe File opened (read-only) \??\A: srtherhaeth.eXe File opened (read-only) \??\B: srtherhaeth.eXe File opened (read-only) \??\o: srtherhaeth.eXe File opened (read-only) \??\I: srtherhaeth.eXe File opened (read-only) \??\O: srtherhaeth.eXe File opened (read-only) \??\a: srtherhaeth.eXe File opened (read-only) \??\D: srtherhaeth.eXe File opened (read-only) \??\h: srtherhaeth.eXe File opened (read-only) \??\K: srtherhaeth.eXe File opened (read-only) \??\s: srtherhaeth.eXe File opened (read-only) \??\y: srtherhaeth.eXe File opened (read-only) \??\p: srtherhaeth.eXe File opened (read-only) \??\z: srtherhaeth.eXe File opened (read-only) \??\Z: srtherhaeth.eXe File opened (read-only) \??\f: srtherhaeth.eXe File opened (read-only) \??\M: srtherhaeth.eXe File opened (read-only) \??\n: srtherhaeth.eXe File opened (read-only) \??\R: srtherhaeth.eXe File opened (read-only) \??\u: srtherhaeth.eXe File opened (read-only) \??\v: srtherhaeth.eXe File opened (read-only) \??\w: srtherhaeth.eXe File opened (read-only) \??\W: srtherhaeth.eXe File opened (read-only) \??\b: srtherhaeth.eXe File opened (read-only) \??\l: srtherhaeth.eXe File opened (read-only) \??\r: srtherhaeth.eXe File opened (read-only) \??\x: srtherhaeth.eXe File opened (read-only) \??\k: srtherhaeth.eXe File opened (read-only) \??\L: srtherhaeth.eXe File opened (read-only) \??\m: srtherhaeth.eXe File opened (read-only) \??\q: srtherhaeth.eXe File opened (read-only) \??\U: srtherhaeth.eXe File opened (read-only) \??\e: srtherhaeth.eXe File opened (read-only) \??\G: srtherhaeth.eXe File opened (read-only) \??\H: srtherhaeth.eXe File opened (read-only) \??\X: srtherhaeth.eXe File opened (read-only) \??\g: srtherhaeth.eXe File opened (read-only) \??\N: srtherhaeth.eXe File opened (read-only) \??\S: srtherhaeth.eXe File opened (read-only) \??\j: srtherhaeth.eXe File opened (read-only) \??\J: srtherhaeth.eXe File opened (read-only) \??\t: srtherhaeth.eXe File opened (read-only) \??\E: srtherhaeth.eXe File opened (read-only) \??\F: srtherhaeth.eXe File opened (read-only) \??\i: srtherhaeth.eXe -
Suspicious use of WriteProcessMemory 6 IoCs
description pid Process procid_target PID 632 wrote to memory of 1264 632 rundll32.exe 70 PID 632 wrote to memory of 1264 632 rundll32.exe 70 PID 632 wrote to memory of 1264 632 rundll32.exe 70 PID 1264 wrote to memory of 496 1264 rundll32.exe 76 PID 1264 wrote to memory of 496 1264 rundll32.exe 76 PID 1264 wrote to memory of 496 1264 rundll32.exe 76
Processes
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\6f9d943f88f715ff8a122d7b88af986c1a9f38f4484e48cde768cf22a5935efe.dll,#11⤵
- Suspicious use of WriteProcessMemory
PID:632 -
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\6f9d943f88f715ff8a122d7b88af986c1a9f38f4484e48cde768cf22a5935efe.dll,#12⤵
- Blocklisted process makes network request
- Suspicious use of WriteProcessMemory
PID:1264 -
C:\Users\Public\srtherhaeth.eXeC:\Users\Public\srtherhaeth.eXe3⤵
- Executes dropped EXE
- Enumerates connected drives
PID:496
-
-