Overview

overview

10

Static

static

26944aed6d...af.exe

windows7_x64

10

26944aed6d...af.exe

windows7_x64

10

26944aed6d...af.exe

windows10_x64

10

26944aed6d...af.exe

windows10_x64

10

Analysis

  • max time kernel
    136s
  • max time network
    137s
  • platform
    windows10_x64
  • resource
    win10-jp
  • submitted
    10-09-2021 02:02

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    26944aed6dfc2c25f96bbca49925fcaf.exe

  • Size

    3.9MB

  • MD5

    26944aed6dfc2c25f96bbca49925fcaf

  • SHA1

    b2b7a7a659abf7fd2c5596c119478363e0b7f360

  • SHA256

    64dd547546394e1d431a25a671892c7aca9cf57ed0733a7435028792ad42f4a7

  • SHA512

    ea0a599107acfbca4cc20987d003bd27a3168adea1df56378d4b6a934d1429d543bec91a7216c485ec0167b1d34ed510299e030944c4b8f6c3922b4699a4eabf

Score
10/10
rustybuerloaderpersistence

Malware Config

Extracted

Family

rustybuer

C2

https://awmelisers.com/

Signatures

  • Modifies system executable filetype association 2 TTPs 3 IoCs
    persistence
  • Registers COM server for autorun 1 TTPs
    persistence
  • RustyBuer

    RustyBuer is a new variant of Buer loader written in Rust.

    loaderrustybuer
  • Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 6 IoCs
  • Adds Run key to start application 2 TTPs 3 IoCs
    persistence
  • Enumerates connected drives 3 TTPs 49 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in System32 directory 4 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Modifies Internet Explorer settings 1 TTPs 2 IoCs
    adwarespyware
  • Modifies data under HKEY_USERS 23 IoCs
  • Modifies registry class 64 IoCs
  • Suspicious behavior: EnumeratesProcesses 32 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\26944aed6dfc2c25f96bbca49925fcaf.exe
    "C:\Users\Admin\AppData\Local\Temp\26944aed6dfc2c25f96bbca49925fcaf.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:5012
    • C:\Windows\SysWOW64\secinit.exe
      "C:\Windows\System32\secinit.exe"
      2⤵
      • Enumerates connected drives
      • Suspicious behavior: EnumeratesProcesses
      PID:1296
  • C:\Users\Admin\AppData\Local\Microsoft\OneDrive\StandaloneUpdater\OneDriveSetup.exe
    "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\StandaloneUpdater\OneDriveSetup.exe" /update
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    PID:4596
    • C:\Users\Admin\AppData\Local\Microsoft\OneDrive\StandaloneUpdater\OneDriveSetup.exe
      C:\Users\Admin\AppData\Local\Microsoft\OneDrive\StandaloneUpdater\OneDriveSetup.exe /update /peruser /childprocess /extractFilesWithLessThreadCount /renameReplaceOneDriveExe /renameReplaceODSUExe /removeNonCurrentVersions
      2⤵
      • Modifies system executable filetype association
      • Adds Run key to start application
      • Modifies Internet Explorer settings
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:1812
      • C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.150.0725.0001\FileSyncConfig.exe
        "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.150.0725.0001\FileSyncConfig.exe"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        PID:4424
  • \??\c:\windows\system32\svchost.exe
    c:\windows\system32\svchost.exe -k netsvcs -s seclogon
    1⤵
    • Suspicious use of NtCreateUserProcessOtherParentProcess
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1512
  • C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Reader_sl.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Reader_sl.exe"
    1⤵
      PID:4284
    • C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeC2RClient.exe
      "C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeC2RClient.exe" /frequentupdate SCHEDULEDTASK displaylevel=False
      1⤵
      • Drops file in System32 directory
      • Modifies data under HKEY_USERS
      • Suspicious use of SetWindowsHookEx
      PID:2324

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Initial Access

    Execution

    Persistence

    Change Default File Association

    1
    T1042

    Registry Run Keys / Startup Folder

    2
    T1060

    Privilege Escalation

    Defense Evasion

    Modify Registry

    3
    T1112

    Credential Access

    Discovery

    Query Registry

    1
    T1012

    Peripheral Device Discovery

    1
    T1120

    System Information Discovery

    1
    T1082

    Lateral Movement

    Collection

    Exfiltration

    Command and Control

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.150.0725.0001\FileSyncConfig.exe
      MD5

      c6d71be1016cf51f7b2d04e2eefbb6e7

      SHA1

      b31d9318e78ec4355412dd1cb70c1bddec004458

      SHA256

      df635c8722e0eb4b85af00b4ee365f005adc11bf999e604141d5f0c36bcf739b

      SHA512

      9d8000b5b4241192cf4d86c66d4186ccb2a49f5e25efd793268b8fb5c2065c4c1c42a6fbf98594563ab09948cbed4abf28ee0de67b9443285c0bde539880593d

      Download Submit
    • C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.150.0725.0001\LoggingPlatform.DLL
      MD5

      7939f580b99f4ab153fc4ea6791e12c5

      SHA1

      3e1446c7f09f7131df177eb81e74787de2278e46

      SHA256

      43d64945b036f774f93ae6cce67bb82fe8062147d98821d173d4861e2f83e18c

      SHA512

      090e57bc7cf321d52b40bc4748e2f4ea1170dae3df96645e003ce2900efbcb840931d572cba163f20b51b83fbd722e95b7ae747ec6dc9c6aa1b55a3cbbd5a215

      Download Submit
    • C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.150.0725.0001\MSVCP140.dll
      MD5

      d4c601e8c1c38954c29855b7016183ac

      SHA1

      dec6d8546d7487c9af671e287415b54e8fff0940

      SHA256

      d59c4953fca6a2bc1957273a18fc94d8b28fd083b84021b7268dff6fc3781fcf

      SHA512

      febd0bd6e412d7276812ed895d51c54b39cca3d646c076e5786cdf935c0ced3d20244a5411013474276d3abc43bc79e1e9e6f8c144651d8f7f75af8f4784c12b

      Download Submit
    • C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.150.0725.0001\Telemetry.dll
      MD5

      b4770ab4d34d3c1653d57c44683dfda5

      SHA1

      b5e33187125891427d36cc7c6319d7584793330c

      SHA256

      1e08e3b3f13a3b70d959879fae71091302fbefb1d15ecd5c44e5a858809eafec

      SHA512

      9e5c6a5d4cc6d706e5c2858e5500ed4c1a5f2472c76b03f4845b6951cbe1512aae7431daa225c134d66c77374d74d71f48d6c417f465abfefbe1e364f4b24c16

      Download Submit
    • C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.150.0725.0001\UpdateRingSettings.dll
      MD5

      6eedf5b0ec34ab63ccfba8f9cb3d79bb

      SHA1

      c1b72dcfd33627182b8dea84eb03b21fd78ffb82

      SHA256

      a4f1318343ebfacb0bcc91ef9f5431effb529e276eee29efdff549374dff229a

      SHA512

      ade0a3096324d4de1accf14af584e97247495bc467a92dfc48ef9eeae9a0dbebe63089a97c6f6c4f023451a5bd042eb3fd90ed19673f847aa082b71ba4be318e

      Download Submit
    • C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.150.0725.0001\VCRUNTIME140.dll
      MD5

      da4f88df70cfc535782c334bb145bb5e

      SHA1

      95fad296dcf470799fa5f1bf7bf401760da757d1

      SHA256

      bf86ad2fdd2c39ac64776643d74a9257df13b5fb1e1c89ccb793847ba927e6d2

      SHA512

      a626c0c247a0b993487292ca17349ed9a5b32f6d2ecd1f24140c0f86592a81ba32ba6e929ba2a0bd24ea7285e058e1da03df34448140e7ada88824bccfbe5764

      Download Submit
    • \Users\Admin\AppData\Local\Microsoft\OneDrive\21.150.0725.0001\LoggingPlatform.dll
      MD5

      7939f580b99f4ab153fc4ea6791e12c5

      SHA1

      3e1446c7f09f7131df177eb81e74787de2278e46

      SHA256

      43d64945b036f774f93ae6cce67bb82fe8062147d98821d173d4861e2f83e18c

      SHA512

      090e57bc7cf321d52b40bc4748e2f4ea1170dae3df96645e003ce2900efbcb840931d572cba163f20b51b83fbd722e95b7ae747ec6dc9c6aa1b55a3cbbd5a215

      Download Submit
    • \Users\Admin\AppData\Local\Microsoft\OneDrive\21.150.0725.0001\Telemetry.dll
      MD5

      b4770ab4d34d3c1653d57c44683dfda5

      SHA1

      b5e33187125891427d36cc7c6319d7584793330c

      SHA256

      1e08e3b3f13a3b70d959879fae71091302fbefb1d15ecd5c44e5a858809eafec

      SHA512

      9e5c6a5d4cc6d706e5c2858e5500ed4c1a5f2472c76b03f4845b6951cbe1512aae7431daa225c134d66c77374d74d71f48d6c417f465abfefbe1e364f4b24c16

      Download Submit
    • \Users\Admin\AppData\Local\Microsoft\OneDrive\21.150.0725.0001\UpdateRingSettings.dll
      MD5

      6eedf5b0ec34ab63ccfba8f9cb3d79bb

      SHA1

      c1b72dcfd33627182b8dea84eb03b21fd78ffb82

      SHA256

      a4f1318343ebfacb0bcc91ef9f5431effb529e276eee29efdff549374dff229a

      SHA512

      ade0a3096324d4de1accf14af584e97247495bc467a92dfc48ef9eeae9a0dbebe63089a97c6f6c4f023451a5bd042eb3fd90ed19673f847aa082b71ba4be318e

      Download Submit
    • \Users\Admin\AppData\Local\Microsoft\OneDrive\21.150.0725.0001\msvcp140.dll
      MD5

      d4c601e8c1c38954c29855b7016183ac

      SHA1

      dec6d8546d7487c9af671e287415b54e8fff0940

      SHA256

      d59c4953fca6a2bc1957273a18fc94d8b28fd083b84021b7268dff6fc3781fcf

      SHA512

      febd0bd6e412d7276812ed895d51c54b39cca3d646c076e5786cdf935c0ced3d20244a5411013474276d3abc43bc79e1e9e6f8c144651d8f7f75af8f4784c12b

      Download Submit
    • \Users\Admin\AppData\Local\Microsoft\OneDrive\21.150.0725.0001\vcruntime140.dll
      MD5

      da4f88df70cfc535782c334bb145bb5e

      SHA1

      95fad296dcf470799fa5f1bf7bf401760da757d1

      SHA256

      bf86ad2fdd2c39ac64776643d74a9257df13b5fb1e1c89ccb793847ba927e6d2

      SHA512

      a626c0c247a0b993487292ca17349ed9a5b32f6d2ecd1f24140c0f86592a81ba32ba6e929ba2a0bd24ea7285e058e1da03df34448140e7ada88824bccfbe5764

      Download Submit
    • \Users\Admin\AppData\Local\Microsoft\OneDrive\21.150.0725.0001\vcruntime140.dll
      MD5

      da4f88df70cfc535782c334bb145bb5e

      SHA1

      95fad296dcf470799fa5f1bf7bf401760da757d1

      SHA256

      bf86ad2fdd2c39ac64776643d74a9257df13b5fb1e1c89ccb793847ba927e6d2

      SHA512

      a626c0c247a0b993487292ca17349ed9a5b32f6d2ecd1f24140c0f86592a81ba32ba6e929ba2a0bd24ea7285e058e1da03df34448140e7ada88824bccfbe5764

      Download Submit
    • memory/1296-130-0x00000000004893A7-mapping.dmp
      Download
    • memory/1296-129-0x0000000000400000-0x0000000000535000-memory.dmp
      Filesize

      1.2MB

      Download
    • memory/1296-134-0x0000000000400000-0x0000000000535000-memory.dmp
      Filesize

      1.2MB

      Download
    • memory/1812-115-0x0000000000000000-mapping.dmp
      Download
    • memory/4424-116-0x0000000000000000-mapping.dmp
      Download
    • memory/5012-133-0x0000000000DB0000-0x0000000000DB1000-memory.dmp
      Filesize

      4KB

      Download