Analysis
Max time kernel: 121s
Max time network: 176s
Platform: windows7_x64
Resource: win7v20210408
Submitted: 02-08-2021 18:22

Tasks
Static task: static1
Behavioral task: behavioral1
Sample: Kylepono.exe
Resource: win7v20210408
Platform: windows7_x64
0 signatures, 0 seconds
General
Target: Kylepono.exe
Size: 3.2MB
MD5: cd2eb880ecbad847cb6205a42708e5e4
SHA1: aadaba5e4d887136cbcb3df0a4dc0eb94f391585
SHA256: 001405ded84e227092bafe165117888d423719d7d75554025ec410d1d6558925
SHA512: b0591d6e4181275001fdefb70e04bdeb1b241dc696a887f36375826904bc164714bfe5d0b86e39952f877309571b9a0212ca5e5f122c6393cb17a797b0c2f8b2
Malware Config
Extracted
Family: rustybuer
C2: https://vesupyny.com/
Signatures

Enumerates connected drives (3 TTPs, 49 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
description             | ioc   | process
File opened (read-only) | \??\P: | secinit.exe
File opened (read-only) | \??\Q: | secinit.exe
File opened (read-only) | \??\A: | secinit.exe
File opened (read-only) | \??\F: | secinit.exe
File opened (read-only) | \??\g: | secinit.exe
File opened (read-only) | \??\I: | secinit.exe
File opened (read-only) | \??\J: | secinit.exe
File opened (read-only) | \??\m: | secinit.exe
File opened (read-only) | \??\V: | secinit.exe
File opened (read-only) | \??\D: | secinit.exe
File opened (read-only) | \??\E: | secinit.exe
File opened (read-only) | \??\t: | secinit.exe
File opened (read-only) | \??\U: | secinit.exe
File opened (read-only) | \??\v: | secinit.exe
File opened (read-only) | \??\j: | secinit.exe
File opened (read-only) | \??\M: | secinit.exe
File opened (read-only) | \??\H: | secinit.exe
File opened (read-only) | \??\q: | secinit.exe
File opened (read-only) | \??\z: | secinit.exe
File opened (read-only) | \??\Z: | secinit.exe
File opened (read-only) | \??\a: | secinit.exe
File opened (read-only) | \??\G: | secinit.exe
File opened (read-only) | \??\L: | secinit.exe
File opened (read-only) | \??\O: | secinit.exe
File opened (read-only) | \??\S: | secinit.exe
File opened (read-only) | \??\W: | secinit.exe
File opened (read-only) | \??\x: | secinit.exe
File opened (read-only) | \??\y: | secinit.exe
File opened (read-only) | \??\b: | secinit.exe
File opened (read-only) | \??\B: | secinit.exe
File opened (read-only) | \??\h: | secinit.exe
File opened (read-only) | \??\i: | secinit.exe
File opened (read-only) | \??\N: | secinit.exe
File opened (read-only) | \??\o: | secinit.exe
File opened (read-only) | \??\Y: | secinit.exe
File opened (read-only) | \??\l: | secinit.exe
File opened (read-only) | \??\p: | secinit.exe
File opened (read-only) | \??\r: | secinit.exe
File opened (read-only) | \??\s: | secinit.exe
File opened (read-only) | \??\w: | secinit.exe
File opened (read-only) | \??\X: | secinit.exe
File opened (read-only) | \??\T: | secinit.exe
File opened (read-only) | \??\u: | secinit.exe
File opened (read-only) | \??\e: | secinit.exe
File opened (read-only) | \??\f: | secinit.exe
File opened (read-only) | \??\k: | secinit.exe
File opened (read-only) | \??\K: | secinit.exe
File opened (read-only) | \??\n: | secinit.exe
File opened (read-only) | \??\R: | secinit.exe
Suspicious use of SetThreadContext (1 IoC)
Processes:
description                        | pid  | process      | target process
PID 1984 set thread context of 532 | 1984 | Kylepono.exe | secinit.exe
Suspicious behavior: EnumeratesProcesses (1 IoC)
Processes:
pid | process
532 | secinit.exe
Suspicious use of WriteProcessMemory (10 IoCs)
Processes:
description                     | pid  | process      | target process
PID 1984 wrote to memory of 532 | 1984 | Kylepono.exe | secinit.exe
PID 1984 wrote to memory of 532 | 1984 | Kylepono.exe | secinit.exe
PID 1984 wrote to memory of 532 | 1984 | Kylepono.exe | secinit.exe
PID 1984 wrote to memory of 532 | 1984 | Kylepono.exe | secinit.exe
PID 1984 wrote to memory of 532 | 1984 | Kylepono.exe | secinit.exe
PID 1984 wrote to memory of 532 | 1984 | Kylepono.exe | secinit.exe
PID 1984 wrote to memory of 532 | 1984 | Kylepono.exe | secinit.exe
PID 1984 wrote to memory of 532 | 1984 | Kylepono.exe | secinit.exe
PID 1984 wrote to memory of 532 | 1984 | Kylepono.exe | secinit.exe
PID 1984 wrote to memory of 532 | 1984 | Kylepono.exe | secinit.exe
Processes

1. C:\Users\Admin\AppData\Local\Temp\Kylepono.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\Kylepono.exe"
   PID: 1984
   - Suspicious use of SetThreadContext
   - Suspicious use of WriteProcessMemory

   2. C:\Windows\SysWOW64\secinit.exe (child of PID 1984)
      Command line: "C:\Windows\System32\secinit.exe"
      PID: 532
      - Enumerates connected drives
      - Suspicious behavior: EnumeratesProcesses