rustybuer | c28abaaad1b7b2c7a37f28e974e8214f07c88feffef986e0a60a44ab0fa575aa

Resubmissions

23-07-2021 19:26

210723-yzn6xtp67e 10

Analysis

max time kernel
15s
max time network
123s
platform
windows10_x64
resource
win10v20210408
submitted
23-07-2021 19:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

csrsc.exe
Size

2.0MB
MD5

984287b2d5eb06be3bb771f84e3b5ee8
SHA1

c75b5e359169084504a78259fd79f0d1e86a19ef
SHA256

c28abaaad1b7b2c7a37f28e974e8214f07c88feffef986e0a60a44ab0fa575aa
SHA512

412af5359691a2caea5a4e452b9ed2603d31db6306cf1c0b375c5f67400769108bc89c047b080d96e8f647b6fb6a47bfe9d6c6a123a4f27839953cd624e7ff9a

Score

10^/10

rustybuer loader

Malware Config

Extracted

Family

rustybuer

https://shipmentofficedepot.com/

Signatures

RustyBuer
RustyBuer is a new variant of Buer loader written in Rust.
loader rustybuer

Enumerates connected drives 3 TTPs 49 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\S:	csrsc.exe
File opened (read-only)	\??\y:	csrsc.exe
File opened (read-only)	\??\b:	csrsc.exe
File opened (read-only)	\??\i:	csrsc.exe
File opened (read-only)	\??\n:	csrsc.exe
File opened (read-only)	\??\D:	csrsc.exe
File opened (read-only)	\??\j:	csrsc.exe
File opened (read-only)	\??\L:	csrsc.exe
File opened (read-only)	\??\M:	csrsc.exe
File opened (read-only)	\??\v:	csrsc.exe
File opened (read-only)	\??\a:	csrsc.exe
File opened (read-only)	\??\A:	csrsc.exe
File opened (read-only)	\??\B:	csrsc.exe
File opened (read-only)	\??\V:	csrsc.exe
File opened (read-only)	\??\z:	csrsc.exe
File opened (read-only)	\??\f:	csrsc.exe
File opened (read-only)	\??\h:	csrsc.exe
File opened (read-only)	\??\W:	csrsc.exe
File opened (read-only)	\??\g:	csrsc.exe
File opened (read-only)	\??\p:	csrsc.exe
File opened (read-only)	\??\U:	csrsc.exe
File opened (read-only)	\??\q:	csrsc.exe
File opened (read-only)	\??\R:	csrsc.exe
File opened (read-only)	\??\s:	csrsc.exe
File opened (read-only)	\??\t:	csrsc.exe
File opened (read-only)	\??\F:	csrsc.exe
File opened (read-only)	\??\H:	csrsc.exe
File opened (read-only)	\??\N:	csrsc.exe
File opened (read-only)	\??\r:	csrsc.exe
File opened (read-only)	\??\Z:	csrsc.exe
File opened (read-only)	\??\J:	csrsc.exe
File opened (read-only)	\??\k:	csrsc.exe
File opened (read-only)	\??\O:	csrsc.exe
File opened (read-only)	\??\m:	csrsc.exe
File opened (read-only)	\??\o:	csrsc.exe
File opened (read-only)	\??\Q:	csrsc.exe
File opened (read-only)	\??\u:	csrsc.exe
File opened (read-only)	\??\w:	csrsc.exe
File opened (read-only)	\??\E:	csrsc.exe
File opened (read-only)	\??\I:	csrsc.exe
File opened (read-only)	\??\K:	csrsc.exe
File opened (read-only)	\??\x:	csrsc.exe
File opened (read-only)	\??\Y:	csrsc.exe
File opened (read-only)	\??\P:	csrsc.exe
File opened (read-only)	\??\T:	csrsc.exe
File opened (read-only)	\??\X:	csrsc.exe
File opened (read-only)	\??\e:	csrsc.exe
File opened (read-only)	\??\G:	csrsc.exe
File opened (read-only)	\??\l:	csrsc.exe

C:\Users\Admin\AppData\Local\Temp\csrsc.exe
"C:\Users\Admin\AppData\Local\Temp\csrsc.exe"
1⤵
- Enumerates connected drives
PID:3492

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3492-115-0x0000000002750000-0x00000000028B6000-memory.dmp

Filesize
1.4MB

Download
memory/3492-114-0x00000000007A0000-0x00000000008EA000-memory.dmp

Filesize
1.3MB

Download