e4f59660bf5047db2ed2539ef9a3e81724909809dc17c4f513debe261e1774e1

Analysis

max time kernel
62s
max time network
126s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
08/09/2022, 11:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

RustExternal‮nls..scr
Size

681KB
MD5

0cfa5f7c008e3dc2df275a99aef9cbbb
SHA1

51ebdbc8a8227667b20b5cb40f17ff1bb8550098
SHA256

e4f59660bf5047db2ed2539ef9a3e81724909809dc17c4f513debe261e1774e1
SHA512

bac124c7bd934b1bc9ba9fd09ada77fe2c37208637337a349f2ee213f91e81ae401e3ec9910a7cfe7aff991d49be986d448ab6a834cb1b9709ceccb4f64bb37e
SSDEEP

12288:C3c6vReZYEe4Wp0ZtExFUH17EjGh1aoNRtwamePvNVtQe:C3c6vAZYd4jKoiIFRmePvNVtn

Score

5^/10

Malware Config

Signatures

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 5088 set thread context of 4512	5088	RustExternal‮nls..scr	85

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3608	4512	WerFault.exe	85

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings	RustExternal‮nls..scr
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings	OpenWith.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
5088	RustExternal‮nls..scr
5088	RustExternal‮nls..scr
5088	RustExternal‮nls..scr
5088	RustExternal‮nls..scr
5088	RustExternal‮nls..scr
5088	RustExternal‮nls..scr

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	5088	RustExternal‮nls..scr
Token: SeDebugPrivilege	4512	AppLaunch.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4292	OpenWith.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 5088 wrote to memory of 2720	5088	RustExternal‮nls..scr	84
PID 5088 wrote to memory of 2720	5088	RustExternal‮nls..scr	84
PID 5088 wrote to memory of 2720	5088	RustExternal‮nls..scr	84
PID 5088 wrote to memory of 4512	5088	RustExternal‮nls..scr	85
PID 5088 wrote to memory of 4512	5088	RustExternal‮nls..scr	85
PID 5088 wrote to memory of 4512	5088	RustExternal‮nls..scr	85
PID 5088 wrote to memory of 4512	5088	RustExternal‮nls..scr	85
PID 5088 wrote to memory of 4512	5088	RustExternal‮nls..scr	85
PID 5088 wrote to memory of 4512	5088	RustExternal‮nls..scr	85
PID 5088 wrote to memory of 4512	5088	RustExternal‮nls..scr	85
PID 5088 wrote to memory of 4512	5088	RustExternal‮nls..scr	85

C:\Users\Admin\AppData\Local\Temp\RustExternal‮nls..scr
"C:\Users\Admin\AppData\Local\Temp\RustExternal‮nls..scr" /S
1⤵
- Suspicious use of SetThreadContext
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5088
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
  2⤵
  PID:2720
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:4512
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4512 -s 1500
    3⤵
    - Program crash
    PID:3608

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:4292

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 4512 -ip 4512
1⤵
PID:2152

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/4512-136-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/5088-132-0x0000000000BD0000-0x0000000000C80000-memory.dmp

Filesize
704KB

Download
memory/5088-133-0x0000000005750000-0x0000000005772000-memory.dmp

Filesize
136KB

Download