Analysis
max time kernel: 127s
max time network: 139s
platform: windows10_x64
resource: win10v20210408
submitted: 10-09-2021 02:02
Static task: static1
Behavioral task: behavioral1 (Sample: 26944aed6dfc2c25f96bbca49925fcaf.exe, Resource: win7-jp)
Behavioral task: behavioral2 (Sample: 26944aed6dfc2c25f96bbca49925fcaf.exe, Resource: win7-en)
Behavioral task: behavioral3 (Sample: 26944aed6dfc2c25f96bbca49925fcaf.exe, Resource: win10v20210408; the run shown on this page)
Behavioral task: behavioral4 (Sample: 26944aed6dfc2c25f96bbca49925fcaf.exe, Resource: win10-jp)
General
Target: 26944aed6dfc2c25f96bbca49925fcaf.exe
Size: 3.9MB
MD5: 26944aed6dfc2c25f96bbca49925fcaf
SHA1: b2b7a7a659abf7fd2c5596c119478363e0b7f360
SHA256: 64dd547546394e1d431a25a671892c7aca9cf57ed0733a7435028792ad42f4a7
SHA512: ea0a599107acfbca4cc20987d003bd27a3168adea1df56378d4b6a934d1429d543bec91a7216c485ec0167b1d34ed510299e030944c4b8f6c3922b4699a4eabf
Malware Config
Extracted family: rustybuer
URL: https://awmelisers.com/
Signatures

Enumerates connected drives (3 TTPs, 49 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
Process: secinit.exe. Event: File opened (read-only). One event per NT object path (\??\X: is the root of drive X: in the object manager namespace); both upper- and lower-case letters are listed as the sandbox recorded them, 49 paths in total:
\??\i: \??\L: \??\N: \??\O: \??\R: \??\V: \??\x: \??\h: \??\X: \??\e:
\??\f: \??\J: \??\S: \??\u: \??\U: \??\y: \??\B: \??\F: \??\P: \??\E:
\??\H: \??\k: \??\m: \??\M: \??\T: \??\b: \??\K: \??\l: \??\Q: \??\r:
\??\g: \??\A: \??\G: \??\I: \??\n: \??\p: \??\q: \??\v: \??\a: \??\Y:
\??\s: \??\j: \??\o: \??\t: \??\w: \??\W: \??\z: \??\Z: \??\D:
Suspicious use of SetThreadContext (1 IoC)
description                              pid   Process                                procid_target
PID 3128 set thread context of 192       3128  26944aed6dfc2c25f96bbca49925fcaf.exe   79

Suspicious behavior: EnumeratesProcesses (4 IoCs)
pid   Process
192   secinit.exe   (4 events)

Suspicious use of WriteProcessMemory (12 IoCs)
description                              pid   Process                                procid_target   events
PID 3128 wrote to memory of 196          3128  26944aed6dfc2c25f96bbca49925fcaf.exe   78              3
PID 3128 wrote to memory of 192          3128  26944aed6dfc2c25f96bbca49925fcaf.exe   79              9

procid_target is the report's internal process index, not a Windows PID: 78 is the secinit.exe with PID 196 and 79 is the secinit.exe with PID 192. Read together, the parent spawned two secinit.exe children, wrote into both, and set the thread context of only the second one (PID 192); that child is the one that then enumerated drives and processes. Writing code into a freshly created child and then redirecting one of its threads with SetThreadContext is the classic process-hollowing sequence; the report lists only these two calls, not the surrounding create/suspend/resume steps.
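The Signatures above are the raw material a detection rule correlates: per target process, WriteProcessMemory calls from a parent followed by SetThreadContext from the same parent, plus a count of drive-root opens other than C:. The Python below, an added example that is not part of the Triage report and not the sandbox's own code, does that correlation over constructed event lines that mirror the report (PIDs 3128, 196 and 192 and the image names come from the report; the write counts are abbreviated). The one-line `<api> <pid> <image> -> <target>` record format is an assumption of this example, not a sandbox export format.

```python
"""Correlate sandbox API events into an injection verdict and a drive-scan count.

Added example; not part of the Triage report and not the sandbox's own code.
The event lines are constructed to mirror the report's Signatures section;
the record format is an assumption of this example.
"""
import re
from collections import defaultdict

# Constructed sample events (raw string so the NT paths keep their backslashes).
SAMPLE_EVENTS = r"""
WriteProcessMemory 3128 26944aed6dfc2c25f96bbca49925fcaf.exe -> 196
WriteProcessMemory 3128 26944aed6dfc2c25f96bbca49925fcaf.exe -> 196
WriteProcessMemory 3128 26944aed6dfc2c25f96bbca49925fcaf.exe -> 196
WriteProcessMemory 3128 26944aed6dfc2c25f96bbca49925fcaf.exe -> 192
WriteProcessMemory 3128 26944aed6dfc2c25f96bbca49925fcaf.exe -> 192
SetThreadContext 3128 26944aed6dfc2c25f96bbca49925fcaf.exe -> 192
NtOpenFile 192 secinit.exe -> \??\C:
NtOpenFile 192 secinit.exe -> \??\D:
NtOpenFile 192 secinit.exe -> \??\E:
NtOpenFile 192 secinit.exe -> \??\D:\Users
"""

EVENT_RE = re.compile(r"^(?P<api>\w+) (?P<pid>\d+) (?P<image>\S+) -> (?P<target>\S+)$")
# Drive root in the NT object namespace: \??\X: with nothing after the colon.
DRIVE_ROOT_RE = re.compile(r"^\\\?\?\\([A-Za-z]):$")


def parse_events(text):
    """Parse one event per line; reject anything that does not fit the format."""
    events = []
    for line in text.strip().splitlines():
        m = EVENT_RE.match(line.strip())
        if not m:
            raise ValueError(f"unparseable event line: {line!r}")
        rec = m.groupdict()
        rec["pid"] = int(rec["pid"])
        events.append(rec)
    return events


def injection_targets(events):
    """Per target PID: who wrote into it, how many times, and whether that same
    writer later called SetThreadContext on it. A SetThreadContext that is not
    preceded by a write from the same process is not counted, so call order matters."""
    targets = defaultdict(lambda: {"writer": None, "writes": 0, "thread_context": False})
    for e in events:
        if e["api"] not in ("WriteProcessMemory", "SetThreadContext"):
            continue
        rec = targets[int(e["target"])]
        if e["api"] == "WriteProcessMemory":
            rec["writer"] = e["pid"]
            rec["writes"] += 1
        elif rec["writes"] > 0 and rec["writer"] == e["pid"]:
            rec["thread_context"] = True
    return dict(targets)


def hollowed_pids(events):
    """PIDs that received code from a parent and then had a thread redirected by it."""
    return sorted(pid for pid, r in injection_targets(events).items() if r["thread_context"])


def non_c_drive_root_opens(events):
    """(pid, letter) for each drive-root open other than C:, which is what the
    'Enumerates connected drives' signature counts; subpaths are ignored."""
    hits = []
    for e in events:
        if e["api"] != "NtOpenFile":
            continue
        m = DRIVE_ROOT_RE.match(e["target"])
        if m and m.group(1).upper() != "C":
            hits.append((e["pid"], m.group(1)))
    return hits


if __name__ == "__main__":
    evs = parse_events(SAMPLE_EVENTS)
    for pid, rec in injection_targets(evs).items():
        verdict = "hollowed" if rec["thread_context"] else "written, no thread redirect"
        print(f"target {pid}: {rec['writes']} write(s) from {rec['writer']}: {verdict}")
    print("drive roots opened (not C:):", non_c_drive_root_opens(evs))
```

On the constructed input this reports PID 196 as written but never redirected and PID 192 as hollowed, which matches the split the report shows; requiring the write to precede SetThreadContext from the same parent keeps debugger-style context changes without a prior write out of the verdict.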
Processes

Depth 1: C:\Users\Admin\AppData\Local\Temp\26944aed6dfc2c25f96bbca49925fcaf.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\26944aed6dfc2c25f96bbca49925fcaf.exe"
  PID: 3128
  Suspicious use of SetThreadContext
  Suspicious use of WriteProcessMemory

  Depth 2: C:\Windows\SysWOW64\secinit.exe
    Command line: "C:\Windows\System32\secinit.exe"
    PID: 196

  Depth 2: C:\Windows\SysWOW64\secinit.exe
    Command line: "C:\Windows\System32\secinit.exe"
    PID: 192
    Enumerates connected drives
    Suspicious behavior: EnumeratesProcesses

The command line names C:\Windows\System32\secinit.exe but the image that actually ran is C:\Windows\SysWOW64\secinit.exe: WoW64 file system redirection resolved the path, so the parent is a 32-bit process and the hollowed child is the 32-bit secinit.exe.