c6dda31fa6cb4ce140f62c9ce604672fa4a9ba5d1792f2d77f3cfcb43b3227ac

max time kernel
136s
max time network
45s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
06-12-2022 06:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

RustExternal_nls.exe
Size

658KB
MD5

1ab8dbca5e2bba39723f00907d266de7
SHA1

729cb808637568f20ac886b3fac5f3cf5ff01dee
SHA256

c6dda31fa6cb4ce140f62c9ce604672fa4a9ba5d1792f2d77f3cfcb43b3227ac
SHA512

d1a31848eb9b683793afd36031ef8078ff962c2526272782cf2fca8db11afb71643a46b9ad6bce3ba8dba1b638672205726f6e96c7dd3e887228a2368ec08081
SSDEEP

12288:3oSO5i2eVUIvybKcEz4MM7S9HdKINesX7j6p9PI8GS0oN2:3ouTVUIvtH4H7aLeO23gRoY

Score

8^/10

upx

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1284	DEFENDERFILESECURITY.EXE

UPX packed file 8 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x000c0000000054a8-73.dat	upx
behavioral1/files/0x000c0000000054a8-76.dat	upx
behavioral1/files/0x000c0000000054a8-74.dat	upx
behavioral1/files/0x000c0000000054a8-81.dat	upx
behavioral1/files/0x000c0000000054a8-80.dat	upx
behavioral1/files/0x000c0000000054a8-79.dat	upx
behavioral1/files/0x000c0000000054a8-82.dat	upx
behavioral1/memory/1284-83-0x000000013F6B0000-0x000000013F80F000-memory.dmp	upx

Loads dropped DLL 6 IoCs

pid	Process
936	RegAsm.exe
936	RegAsm.exe
964	WerFault.exe
964	WerFault.exe
964	WerFault.exe
964	WerFault.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1964 set thread context of 936	1964	RustExternal_nls.exe	30

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
964	1284	WerFault.exe	31

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1964	RustExternal_nls.exe
1964	RustExternal_nls.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1964	RustExternal_nls.exe

Suspicious use of WriteProcessMemory 35 IoCs

description	pid	Process	procid_target
PID 1964 wrote to memory of 1732	1964	RustExternal_nls.exe	28
PID 1964 wrote to memory of 1732	1964	RustExternal_nls.exe	28
PID 1964 wrote to memory of 1732	1964	RustExternal_nls.exe	28
PID 1964 wrote to memory of 1732	1964	RustExternal_nls.exe	28
PID 1964 wrote to memory of 1732	1964	RustExternal_nls.exe	28
PID 1964 wrote to memory of 1732	1964	RustExternal_nls.exe	28
PID 1964 wrote to memory of 1732	1964	RustExternal_nls.exe	28
PID 1964 wrote to memory of 976	1964	RustExternal_nls.exe	29
PID 1964 wrote to memory of 976	1964	RustExternal_nls.exe	29
PID 1964 wrote to memory of 976	1964	RustExternal_nls.exe	29
PID 1964 wrote to memory of 976	1964	RustExternal_nls.exe	29
PID 1964 wrote to memory of 976	1964	RustExternal_nls.exe	29
PID 1964 wrote to memory of 976	1964	RustExternal_nls.exe	29
PID 1964 wrote to memory of 976	1964	RustExternal_nls.exe	29
PID 1964 wrote to memory of 936	1964	RustExternal_nls.exe	30
PID 1964 wrote to memory of 936	1964	RustExternal_nls.exe	30
PID 1964 wrote to memory of 936	1964	RustExternal_nls.exe	30
PID 1964 wrote to memory of 936	1964	RustExternal_nls.exe	30
PID 1964 wrote to memory of 936	1964	RustExternal_nls.exe	30
PID 1964 wrote to memory of 936	1964	RustExternal_nls.exe	30
PID 1964 wrote to memory of 936	1964	RustExternal_nls.exe	30
PID 1964 wrote to memory of 936	1964	RustExternal_nls.exe	30
PID 1964 wrote to memory of 936	1964	RustExternal_nls.exe	30
PID 1964 wrote to memory of 936	1964	RustExternal_nls.exe	30
PID 1964 wrote to memory of 936	1964	RustExternal_nls.exe	30
PID 1964 wrote to memory of 936	1964	RustExternal_nls.exe	30
PID 1964 wrote to memory of 936	1964	RustExternal_nls.exe	30
PID 1964 wrote to memory of 936	1964	RustExternal_nls.exe	30
PID 936 wrote to memory of 1284	936	RegAsm.exe	31
PID 936 wrote to memory of 1284	936	RegAsm.exe	31
PID 936 wrote to memory of 1284	936	RegAsm.exe	31
PID 936 wrote to memory of 1284	936	RegAsm.exe	31
PID 1284 wrote to memory of 964	1284	DEFENDERFILESECURITY.EXE	32
PID 1284 wrote to memory of 964	1284	DEFENDERFILESECURITY.EXE	32
PID 1284 wrote to memory of 964	1284	DEFENDERFILESECURITY.EXE	32

C:\Users\Admin\AppData\Local\Temp\RustExternal_nls.exe
"C:\Users\Admin\AppData\Local\Temp\RustExternal_nls.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1964
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
  #cmd
  2⤵
  PID:1732
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
  #cmd
  2⤵
  PID:976
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
  #cmd
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:936
- - C:\Users\Admin\AppData\Roaming\DEFENDERFILESECURITY.EXE
    "C:\Users\Admin\AppData\Roaming\DEFENDERFILESECURITY.EXE"
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:1284
  - - C:\Windows\system32\WerFault.exe
      C:\Windows\system32\WerFault.exe -u -p 1284 -s 280
      4⤵
      Loads dropped DLL
      Program crash
      PID:964

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\DEFENDERFILESECURITY.EXE

Filesize
532KB

MD5
84e6aa267c6970d2d777d60840390102

SHA1
c97e555e98c5bec69bcad9607cf0153ff827a141

SHA256
69f7c84e27083e5af30a91c797c6c1d5b694c2926ebb8a9edb7c6ed8e4c3cb3c

SHA512
47184ca58f7358bad24acbcfc2038a510a1ae55b90b927d79a98df13c0e911daeaadb1100f0dc112370fe61bf6264fb9ff214d143d17af659e0bd1ba16f0cecc

Download Submit
\Users\Admin\AppData\Roaming\DEFENDERFILESECURITY.EXE

Filesize
532KB

MD5
84e6aa267c6970d2d777d60840390102

SHA1
c97e555e98c5bec69bcad9607cf0153ff827a141

SHA256
69f7c84e27083e5af30a91c797c6c1d5b694c2926ebb8a9edb7c6ed8e4c3cb3c

SHA512
47184ca58f7358bad24acbcfc2038a510a1ae55b90b927d79a98df13c0e911daeaadb1100f0dc112370fe61bf6264fb9ff214d143d17af659e0bd1ba16f0cecc

Download Submit
\Users\Admin\AppData\Roaming\DEFENDERFILESECURITY.EXE

Filesize
532KB

MD5
84e6aa267c6970d2d777d60840390102

SHA1
c97e555e98c5bec69bcad9607cf0153ff827a141

SHA256
69f7c84e27083e5af30a91c797c6c1d5b694c2926ebb8a9edb7c6ed8e4c3cb3c

SHA512
47184ca58f7358bad24acbcfc2038a510a1ae55b90b927d79a98df13c0e911daeaadb1100f0dc112370fe61bf6264fb9ff214d143d17af659e0bd1ba16f0cecc

Download Submit
\Users\Admin\AppData\Roaming\DEFENDERFILESECURITY.EXE

Filesize
532KB

MD5
84e6aa267c6970d2d777d60840390102

SHA1
c97e555e98c5bec69bcad9607cf0153ff827a141

SHA256
69f7c84e27083e5af30a91c797c6c1d5b694c2926ebb8a9edb7c6ed8e4c3cb3c

SHA512
47184ca58f7358bad24acbcfc2038a510a1ae55b90b927d79a98df13c0e911daeaadb1100f0dc112370fe61bf6264fb9ff214d143d17af659e0bd1ba16f0cecc

Download Submit
\Users\Admin\AppData\Roaming\DEFENDERFILESECURITY.EXE

Filesize
532KB

MD5
84e6aa267c6970d2d777d60840390102

SHA1
c97e555e98c5bec69bcad9607cf0153ff827a141

SHA256
69f7c84e27083e5af30a91c797c6c1d5b694c2926ebb8a9edb7c6ed8e4c3cb3c

SHA512
47184ca58f7358bad24acbcfc2038a510a1ae55b90b927d79a98df13c0e911daeaadb1100f0dc112370fe61bf6264fb9ff214d143d17af659e0bd1ba16f0cecc

Download Submit
\Users\Admin\AppData\Roaming\DEFENDERFILESECURITY.EXE

Filesize
532KB

MD5
84e6aa267c6970d2d777d60840390102

SHA1
c97e555e98c5bec69bcad9607cf0153ff827a141

SHA256
69f7c84e27083e5af30a91c797c6c1d5b694c2926ebb8a9edb7c6ed8e4c3cb3c

SHA512
47184ca58f7358bad24acbcfc2038a510a1ae55b90b927d79a98df13c0e911daeaadb1100f0dc112370fe61bf6264fb9ff214d143d17af659e0bd1ba16f0cecc

Download Submit
\Users\Admin\AppData\Roaming\DEFENDERFILESECURITY.EXE

Filesize
532KB

MD5
84e6aa267c6970d2d777d60840390102

SHA1
c97e555e98c5bec69bcad9607cf0153ff827a141

SHA256
69f7c84e27083e5af30a91c797c6c1d5b694c2926ebb8a9edb7c6ed8e4c3cb3c

SHA512
47184ca58f7358bad24acbcfc2038a510a1ae55b90b927d79a98df13c0e911daeaadb1100f0dc112370fe61bf6264fb9ff214d143d17af659e0bd1ba16f0cecc

Download Submit
memory/936-61-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/936-62-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/936-70-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/936-72-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/936-64-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/936-56-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/936-66-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/936-57-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/936-77-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/936-59-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/1284-83-0x000000013F6B0000-0x000000013F80F000-memory.dmp

Filesize
1.4MB

Download
memory/1964-54-0x00000000003D0000-0x000000000047A000-memory.dmp

Filesize
680KB

Download
memory/1964-55-0x0000000076411000-0x0000000076413000-memory.dmp

Filesize
8KB

Download