Overview

overview

8

Static

static

RustExternal_nls.exe

windows7-x64

8

RustExternal_nls.exe

windows10-2004-x64

8

Resubmissions

10-03-2023 22:01

230310-1xerdshc7x 7

14-02-2023 16:10

230214-tmg1faee72 7

31-01-2023 07:47

230131-jmw49afe54 10

26-12-2022 21:03

221226-zv36jaha4x 10

24-12-2022 19:27

221224-x6gessdf7z 10

13-12-2022 03:51

221213-eenexsgc4v 10

12-12-2022 11:33

221212-npbnjsbc28 10

06-12-2022 06:29

221206-g8658sca54 8

05-12-2022 06:17

221205-g19ldsgh7x 10

Analysis

  • max time kernel
    143s
  • max time network
    158s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    06-12-2022 06:29

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    RustExternal_nls.exe

  • Size

    658KB

  • MD5

    1ab8dbca5e2bba39723f00907d266de7

  • SHA1

    729cb808637568f20ac886b3fac5f3cf5ff01dee

  • SHA256

    c6dda31fa6cb4ce140f62c9ce604672fa4a9ba5d1792f2d77f3cfcb43b3227ac

  • SHA512

    d1a31848eb9b683793afd36031ef8078ff962c2526272782cf2fca8db11afb71643a46b9ad6bce3ba8dba1b638672205726f6e96c7dd3e887228a2368ec08081

  • SSDEEP

    12288:3oSO5i2eVUIvybKcEz4MM7S9HdKINesX7j6p9PI8GS0oN2:3ouTVUIvtH4H7aLeO23gRoY

Score
8/10
upx

Malware Config

Signatures

  • Downloads MZ/PE file
  • Executes dropped EXE 2 IoCs
  • UPX packed file 8 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Program crash 1 IoCs
  • Modifies registry class 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 19 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\RustExternal_nls.exe
    "C:\Users\Admin\AppData\Local\Temp\RustExternal_nls.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1308
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
      #cmd
      2⤵
        PID:524
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        #cmd
        2⤵
        • Checks computer location settings
        • Modifies registry class
        • Suspicious use of WriteProcessMemory
        PID:1016
        • C:\Users\Admin\AppData\Roaming\DEFENDERFILESECURITY.EXE
          "C:\Users\Admin\AppData\Roaming\DEFENDERFILESECURITY.EXE"
          3⤵
          • Executes dropped EXE
          • Suspicious use of WriteProcessMemory
          PID:1716
          • C:\Windows\system32\cmd.exe
            "cmd" /C C:\Users\Admin\AppData\Local\Temp\0.exe
            4⤵
            • Suspicious use of WriteProcessMemory
            PID:4840
            • C:\Users\Admin\AppData\Local\Temp\0.exe
              C:\Users\Admin\AppData\Local\Temp\0.exe
              5⤵
              • Executes dropped EXE
              PID:1868
              • C:\Windows\system32\WerFault.exe
                C:\Windows\system32\WerFault.exe -u -p 1868 -s 440
                6⤵
                • Program crash
                PID:208
    • C:\Windows\system32\OpenWith.exe
      C:\Windows\system32\OpenWith.exe -Embedding
      1⤵
      • Modifies registry class
      • Suspicious use of SetWindowsHookEx
      PID:4212
    • C:\Windows\system32\WerFault.exe
      C:\Windows\system32\WerFault.exe -pss -s 460 -p 1868 -ip 1868
      1⤵
        PID:4084

      Network

      MITRE ATT&CK Enterprise v6

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\0.exe
        Filesize

        537KB

        MD5

        2ce459cbd15f96b92c6b411b9eaeb24c

        SHA1

        d4ef5e179d1e4510141537bd59dca1d6fdb83a6a

        SHA256

        bb57c20116377a50473e83604488f1935311dbf93a419cdeb41cf051ffd22b31

        SHA512

        f5385c52c7945cfb2196edbda6aebd7007d383fc837712585c501387704709f9882f36559736b0804455a5c9eb09015d4f6e88135339c340c643554b0d4cb53c

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\0.exe
        Filesize

        537KB

        MD5

        2ce459cbd15f96b92c6b411b9eaeb24c

        SHA1

        d4ef5e179d1e4510141537bd59dca1d6fdb83a6a

        SHA256

        bb57c20116377a50473e83604488f1935311dbf93a419cdeb41cf051ffd22b31

        SHA512

        f5385c52c7945cfb2196edbda6aebd7007d383fc837712585c501387704709f9882f36559736b0804455a5c9eb09015d4f6e88135339c340c643554b0d4cb53c

        Download Submit

      • C:\Users\Admin\AppData\Roaming\DEFENDERFILESECURITY.EXE
        Filesize

        532KB

        MD5

        84e6aa267c6970d2d777d60840390102

        SHA1

        c97e555e98c5bec69bcad9607cf0153ff827a141

        SHA256

        69f7c84e27083e5af30a91c797c6c1d5b694c2926ebb8a9edb7c6ed8e4c3cb3c

        SHA512

        47184ca58f7358bad24acbcfc2038a510a1ae55b90b927d79a98df13c0e911daeaadb1100f0dc112370fe61bf6264fb9ff214d143d17af659e0bd1ba16f0cecc

        Download Submit

      • C:\Users\Admin\AppData\Roaming\DEFENDERFILESECURITY.EXE
        Filesize

        532KB

        MD5

        84e6aa267c6970d2d777d60840390102

        SHA1

        c97e555e98c5bec69bcad9607cf0153ff827a141

        SHA256

        69f7c84e27083e5af30a91c797c6c1d5b694c2926ebb8a9edb7c6ed8e4c3cb3c

        SHA512

        47184ca58f7358bad24acbcfc2038a510a1ae55b90b927d79a98df13c0e911daeaadb1100f0dc112370fe61bf6264fb9ff214d143d17af659e0bd1ba16f0cecc

        Download Submit

      • memory/1016-136-0x0000000000400000-0x0000000000497000-memory.dmp

        Filesize

        604KB

        Download

      • memory/1016-135-0x0000000000400000-0x0000000000497000-memory.dmp

        Filesize

        604KB

        Download

      • memory/1016-137-0x0000000000400000-0x0000000000497000-memory.dmp

        Filesize

        604KB

        Download

      • memory/1016-139-0x0000000000400000-0x0000000000497000-memory.dmp

        Filesize

        604KB

        Download

      • memory/1016-143-0x0000000000400000-0x0000000000497000-memory.dmp

        Filesize

        604KB

        Download

      • memory/1308-132-0x00000000005D0000-0x000000000067A000-memory.dmp

        Filesize

        680KB

        Download

      • memory/1716-146-0x00007FF758220000-0x00007FF75837F000-memory.dmp

        Filesize

        1.4MB

        Download

      • memory/1716-144-0x00007FF758220000-0x00007FF75837F000-memory.dmp

        Filesize

        1.4MB

        Download

      • memory/1868-150-0x00007FF7CB820000-0x00007FF7CB983000-memory.dmp

        Filesize

        1.4MB

        Download

      • memory/1868-151-0x00007FF7CB820000-0x00007FF7CB983000-memory.dmp

        Filesize

        1.4MB

        Download