c6dda31fa6cb4ce140f62c9ce604672fa4a9ba5d1792f2d77f3cfcb43b3227ac

max time kernel
110s
max time network
45s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
26-12-2022 21:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

RustExternal_nls.exe
Size

658KB
MD5

1ab8dbca5e2bba39723f00907d266de7
SHA1

729cb808637568f20ac886b3fac5f3cf5ff01dee
SHA256

c6dda31fa6cb4ce140f62c9ce604672fa4a9ba5d1792f2d77f3cfcb43b3227ac
SHA512

d1a31848eb9b683793afd36031ef8078ff962c2526272782cf2fca8db11afb71643a46b9ad6bce3ba8dba1b638672205726f6e96c7dd3e887228a2368ec08081
SSDEEP

12288:3oSO5i2eVUIvybKcEz4MM7S9HdKINesX7j6p9PI8GS0oN2:3ouTVUIvtH4H7aLeO23gRoY

Score

8^/10

upx

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
960	DEFENDERFILESECURITY.EXE

UPX packed file 8 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x00140000000054ab-72.dat	upx
behavioral1/files/0x00140000000054ab-73.dat	upx
behavioral1/files/0x00140000000054ab-77.dat	upx
behavioral1/files/0x00140000000054ab-81.dat	upx
behavioral1/files/0x00140000000054ab-82.dat	upx
behavioral1/files/0x00140000000054ab-83.dat	upx
behavioral1/memory/960-84-0x000000013FB50000-0x000000013FCAF000-memory.dmp	upx
behavioral1/files/0x00140000000054ab-85.dat	upx

Loads dropped DLL 6 IoCs

pid	Process
844	RegAsm.exe
844	RegAsm.exe
1808	WerFault.exe
1808	WerFault.exe
1808	WerFault.exe
1808	WerFault.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2000 set thread context of 844	2000	RustExternal_nls.exe	28

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1808	960	WerFault.exe	29

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 2000 wrote to memory of 844	2000	RustExternal_nls.exe	28
PID 2000 wrote to memory of 844	2000	RustExternal_nls.exe	28
PID 2000 wrote to memory of 844	2000	RustExternal_nls.exe	28
PID 2000 wrote to memory of 844	2000	RustExternal_nls.exe	28
PID 2000 wrote to memory of 844	2000	RustExternal_nls.exe	28
PID 2000 wrote to memory of 844	2000	RustExternal_nls.exe	28
PID 2000 wrote to memory of 844	2000	RustExternal_nls.exe	28
PID 2000 wrote to memory of 844	2000	RustExternal_nls.exe	28
PID 2000 wrote to memory of 844	2000	RustExternal_nls.exe	28
PID 2000 wrote to memory of 844	2000	RustExternal_nls.exe	28
PID 2000 wrote to memory of 844	2000	RustExternal_nls.exe	28
PID 2000 wrote to memory of 844	2000	RustExternal_nls.exe	28
PID 2000 wrote to memory of 844	2000	RustExternal_nls.exe	28
PID 2000 wrote to memory of 844	2000	RustExternal_nls.exe	28
PID 844 wrote to memory of 960	844	RegAsm.exe	29
PID 844 wrote to memory of 960	844	RegAsm.exe	29
PID 844 wrote to memory of 960	844	RegAsm.exe	29
PID 844 wrote to memory of 960	844	RegAsm.exe	29
PID 960 wrote to memory of 1808	960	DEFENDERFILESECURITY.EXE	30
PID 960 wrote to memory of 1808	960	DEFENDERFILESECURITY.EXE	30
PID 960 wrote to memory of 1808	960	DEFENDERFILESECURITY.EXE	30

C:\Users\Admin\AppData\Local\Temp\RustExternal_nls.exe
"C:\Users\Admin\AppData\Local\Temp\RustExternal_nls.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2000
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
  #cmd
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:844
- - C:\Users\Admin\AppData\Roaming\DEFENDERFILESECURITY.EXE
    "C:\Users\Admin\AppData\Roaming\DEFENDERFILESECURITY.EXE"
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:960
  - - C:\Windows\system32\WerFault.exe
      C:\Windows\system32\WerFault.exe -u -p 960 -s 280
      4⤵
      Loads dropped DLL
      Program crash
      PID:1808

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\DEFENDERFILESECURITY.EXE

Filesize
532KB

MD5
84e6aa267c6970d2d777d60840390102

SHA1
c97e555e98c5bec69bcad9607cf0153ff827a141

SHA256
69f7c84e27083e5af30a91c797c6c1d5b694c2926ebb8a9edb7c6ed8e4c3cb3c

SHA512
47184ca58f7358bad24acbcfc2038a510a1ae55b90b927d79a98df13c0e911daeaadb1100f0dc112370fe61bf6264fb9ff214d143d17af659e0bd1ba16f0cecc

Download Submit
\Users\Admin\AppData\Roaming\DEFENDERFILESECURITY.EXE

Filesize
532KB

MD5
84e6aa267c6970d2d777d60840390102

SHA1
c97e555e98c5bec69bcad9607cf0153ff827a141

SHA256
69f7c84e27083e5af30a91c797c6c1d5b694c2926ebb8a9edb7c6ed8e4c3cb3c

SHA512
47184ca58f7358bad24acbcfc2038a510a1ae55b90b927d79a98df13c0e911daeaadb1100f0dc112370fe61bf6264fb9ff214d143d17af659e0bd1ba16f0cecc

Download Submit
\Users\Admin\AppData\Roaming\DEFENDERFILESECURITY.EXE

Filesize
532KB

MD5
84e6aa267c6970d2d777d60840390102

SHA1
c97e555e98c5bec69bcad9607cf0153ff827a141

SHA256
69f7c84e27083e5af30a91c797c6c1d5b694c2926ebb8a9edb7c6ed8e4c3cb3c

SHA512
47184ca58f7358bad24acbcfc2038a510a1ae55b90b927d79a98df13c0e911daeaadb1100f0dc112370fe61bf6264fb9ff214d143d17af659e0bd1ba16f0cecc

Download Submit
\Users\Admin\AppData\Roaming\DEFENDERFILESECURITY.EXE

Filesize
532KB

MD5
84e6aa267c6970d2d777d60840390102

SHA1
c97e555e98c5bec69bcad9607cf0153ff827a141

SHA256
69f7c84e27083e5af30a91c797c6c1d5b694c2926ebb8a9edb7c6ed8e4c3cb3c

SHA512
47184ca58f7358bad24acbcfc2038a510a1ae55b90b927d79a98df13c0e911daeaadb1100f0dc112370fe61bf6264fb9ff214d143d17af659e0bd1ba16f0cecc

Download Submit
\Users\Admin\AppData\Roaming\DEFENDERFILESECURITY.EXE

Filesize
532KB

MD5
84e6aa267c6970d2d777d60840390102

SHA1
c97e555e98c5bec69bcad9607cf0153ff827a141

SHA256
69f7c84e27083e5af30a91c797c6c1d5b694c2926ebb8a9edb7c6ed8e4c3cb3c

SHA512
47184ca58f7358bad24acbcfc2038a510a1ae55b90b927d79a98df13c0e911daeaadb1100f0dc112370fe61bf6264fb9ff214d143d17af659e0bd1ba16f0cecc

Download Submit
\Users\Admin\AppData\Roaming\DEFENDERFILESECURITY.EXE

Filesize
532KB

MD5
84e6aa267c6970d2d777d60840390102

SHA1
c97e555e98c5bec69bcad9607cf0153ff827a141

SHA256
69f7c84e27083e5af30a91c797c6c1d5b694c2926ebb8a9edb7c6ed8e4c3cb3c

SHA512
47184ca58f7358bad24acbcfc2038a510a1ae55b90b927d79a98df13c0e911daeaadb1100f0dc112370fe61bf6264fb9ff214d143d17af659e0bd1ba16f0cecc

Download Submit
\Users\Admin\AppData\Roaming\DEFENDERFILESECURITY.EXE

Filesize
532KB

MD5
84e6aa267c6970d2d777d60840390102

SHA1
c97e555e98c5bec69bcad9607cf0153ff827a141

SHA256
69f7c84e27083e5af30a91c797c6c1d5b694c2926ebb8a9edb7c6ed8e4c3cb3c

SHA512
47184ca58f7358bad24acbcfc2038a510a1ae55b90b927d79a98df13c0e911daeaadb1100f0dc112370fe61bf6264fb9ff214d143d17af659e0bd1ba16f0cecc

Download Submit
memory/844-62-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/844-59-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/844-67-0x0000000000403248-mapping.dmp

Download
memory/844-70-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/844-64-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/844-56-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/844-57-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/844-75-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/844-76-0x00000000027D0000-0x000000000292F000-memory.dmp

Filesize
1.4MB

Download
memory/844-61-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/844-78-0x00000000027D0000-0x000000000292F000-memory.dmp

Filesize
1.4MB

Download
memory/844-79-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/844-66-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/960-74-0x0000000000000000-mapping.dmp

Download
memory/960-84-0x000000013FB50000-0x000000013FCAF000-memory.dmp

Filesize
1.4MB

Download
memory/1808-80-0x0000000000000000-mapping.dmp

Download
memory/2000-54-0x0000000000930000-0x00000000009DA000-memory.dmp

Filesize
680KB

Download
memory/2000-55-0x0000000074F01000-0x0000000074F03000-memory.dmp

Filesize
8KB

Download

Resubmissions

Analysis