Analysis
-
max time kernel
92s -
max time network
94s -
platform
windows10_x64 -
resource
win10v20210408 -
submitted
19-08-2021 08:45
Static task
static1
Behavioral task
behavioral1
Sample
britannic.db_infected.exe
Resource
win7v20210408
windows7_x64
0 signatures
0 seconds
General
-
Target
britannic.db_infected.exe
-
Size
3.9MB
-
MD5
26944aed6dfc2c25f96bbca49925fcaf
-
SHA1
b2b7a7a659abf7fd2c5596c119478363e0b7f360
-
SHA256
64dd547546394e1d431a25a671892c7aca9cf57ed0733a7435028792ad42f4a7
-
SHA512
ea0a599107acfbca4cc20987d003bd27a3168adea1df56378d4b6a934d1429d543bec91a7216c485ec0167b1d34ed510299e030944c4b8f6c3922b4699a4eabf
Malware Config
Extracted
Family
rustybuer
C2
https://awmelisers.com/
Signatures
-
Enumerates connected drives 3 TTPs 49 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\a: secinit.exe File opened (read-only) \??\b: secinit.exe File opened (read-only) \??\Y: secinit.exe File opened (read-only) \??\y: secinit.exe File opened (read-only) \??\z: secinit.exe File opened (read-only) \??\H: secinit.exe File opened (read-only) \??\i: secinit.exe File opened (read-only) \??\p: secinit.exe File opened (read-only) \??\R: secinit.exe File opened (read-only) \??\W: secinit.exe File opened (read-only) \??\x: secinit.exe File opened (read-only) \??\s: secinit.exe File opened (read-only) \??\U: secinit.exe File opened (read-only) \??\B: secinit.exe File opened (read-only) \??\I: secinit.exe File opened (read-only) \??\j: secinit.exe File opened (read-only) \??\l: secinit.exe File opened (read-only) \??\P: secinit.exe File opened (read-only) \??\Q: secinit.exe File opened (read-only) \??\A: secinit.exe File opened (read-only) \??\h: secinit.exe File opened (read-only) \??\J: secinit.exe File opened (read-only) \??\L: secinit.exe File opened (read-only) \??\O: secinit.exe File opened (read-only) \??\u: secinit.exe File opened (read-only) \??\V: secinit.exe File opened (read-only) \??\w: secinit.exe File opened (read-only) \??\e: secinit.exe File opened (read-only) \??\f: secinit.exe File opened (read-only) \??\M: secinit.exe File opened (read-only) \??\N: secinit.exe File opened (read-only) \??\o: secinit.exe File opened (read-only) \??\v: secinit.exe File opened (read-only) \??\Z: secinit.exe File opened (read-only) \??\D: secinit.exe File opened (read-only) \??\F: secinit.exe File opened (read-only) \??\k: secinit.exe File opened (read-only) \??\q: secinit.exe File opened (read-only) \??\E: secinit.exe File opened (read-only) \??\n: secinit.exe File opened (read-only) \??\T: secinit.exe File opened (read-only) \??\t: secinit.exe File opened (read-only) \??\X: secinit.exe File opened (read-only) \??\g: secinit.exe File opened (read-only) \??\G: secinit.exe File opened (read-only) \??\K: secinit.exe File opened (read-only) \??\m: secinit.exe File opened (read-only) \??\r: secinit.exe File opened (read-only) \??\S: secinit.exe -
Suspicious use of SetThreadContext 1 IoCs
description pid Process procid_target PID 652 set thread context of 2208 652 britannic.db_infected.exe 78 -
Suspicious behavior: EnumeratesProcesses 4 IoCs
pid Process 2208 secinit.exe 2208 secinit.exe 2208 secinit.exe 2208 secinit.exe -
Suspicious use of WriteProcessMemory 9 IoCs
description pid Process procid_target PID 652 wrote to memory of 2208 652 britannic.db_infected.exe 78 PID 652 wrote to memory of 2208 652 britannic.db_infected.exe 78 PID 652 wrote to memory of 2208 652 britannic.db_infected.exe 78 PID 652 wrote to memory of 2208 652 britannic.db_infected.exe 78 PID 652 wrote to memory of 2208 652 britannic.db_infected.exe 78 PID 652 wrote to memory of 2208 652 britannic.db_infected.exe 78 PID 652 wrote to memory of 2208 652 britannic.db_infected.exe 78 PID 652 wrote to memory of 2208 652 britannic.db_infected.exe 78 PID 652 wrote to memory of 2208 652 britannic.db_infected.exe 78
Processes
-
C:\Users\Admin\AppData\Local\Temp\britannic.db_infected.exe"C:\Users\Admin\AppData\Local\Temp\britannic.db_infected.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:652 -
C:\Windows\SysWOW64\secinit.exe"C:\Windows\System32\secinit.exe"2⤵
- Enumerates connected drives
- Suspicious behavior: EnumeratesProcesses
PID:2208
-