Overview

overview

7

Static

static

1

RustExternal_nls.exe

windows7-x64

7

RustExternal_nls.exe

windows10-2004-x64

7

Resubmissions

10-03-2023 22:01

230310-1xerdshc7x 7

14-02-2023 16:10

230214-tmg1faee72 7

31-01-2023 07:47

230131-jmw49afe54 10

26-12-2022 21:03

221226-zv36jaha4x 10

24-12-2022 19:27

221224-x6gessdf7z 10

13-12-2022 03:51

221213-eenexsgc4v 10

12-12-2022 11:33

221212-npbnjsbc28 10

06-12-2022 06:29

221206-g8658sca54 8

05-12-2022 06:17

221205-g19ldsgh7x 10

Analysis

  • max time kernel
    94s
  • max time network
    147s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20221111-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
  • submitted
    14-02-2023 16:10

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    RustExternal_nls.exe

  • Size

    658KB

  • MD5

    1ab8dbca5e2bba39723f00907d266de7

  • SHA1

    729cb808637568f20ac886b3fac5f3cf5ff01dee

  • SHA256

    c6dda31fa6cb4ce140f62c9ce604672fa4a9ba5d1792f2d77f3cfcb43b3227ac

  • SHA512

    d1a31848eb9b683793afd36031ef8078ff962c2526272782cf2fca8db11afb71643a46b9ad6bce3ba8dba1b638672205726f6e96c7dd3e887228a2368ec08081

  • SSDEEP

    12288:3oSO5i2eVUIvybKcEz4MM7S9HdKINesX7j6p9PI8GS0oN2:3ouTVUIvtH4H7aLeO23gRoY

Score
7/10
upx

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • UPX packed file 4 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies registry class 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 17 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\RustExternal_nls.exe
    "C:\Users\Admin\AppData\Local\Temp\RustExternal_nls.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4872
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
      #cmd
      2⤵
        PID:4824
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        #cmd
        2⤵
        • Checks computer location settings
        • Modifies registry class
        • Suspicious use of WriteProcessMemory
        PID:4764
        • C:\Users\Admin\AppData\Roaming\DEFENDERFILESECURITY.EXE
          "C:\Users\Admin\AppData\Roaming\DEFENDERFILESECURITY.EXE"
          3⤵
          • Executes dropped EXE
          • Suspicious use of WriteProcessMemory
          PID:4580
          • C:\Windows\system32\cmd.exe
            "cmd" /C C:\Users\Admin\AppData\Local\Temp\0.exe
            4⤵
              PID:1036
      • C:\Windows\system32\OpenWith.exe
        C:\Windows\system32\OpenWith.exe -Embedding
        1⤵
        • Modifies registry class
        • Suspicious use of SetWindowsHookEx
        PID:4576

      Network

      MITRE ATT&CK Enterprise v6

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\0.exe
        Filesize

        298B

        MD5

        3861a3795095fe81fcb8382d2b9066bd

        SHA1

        2cef2af9a35d636c3af48902c20891ec49a8e791

        SHA256

        b19463cb9b847bdfc7dbf8133d9702d0a0ecc4175335c4a75db211e0196f84b3

        SHA512

        8e881d7f7a8236d36aef500473a3dbc5a98d46c1596d33ab76e4669f858d86c6b4881c0882c37d2d32b888fcaf6280385932ca5ffc6a5143d625c71b8fc8b294

        Download Submit

      • C:\Users\Admin\AppData\Roaming\DEFENDERFILESECURITY.EXE
        Filesize

        532KB

        MD5

        84e6aa267c6970d2d777d60840390102

        SHA1

        c97e555e98c5bec69bcad9607cf0153ff827a141

        SHA256

        69f7c84e27083e5af30a91c797c6c1d5b694c2926ebb8a9edb7c6ed8e4c3cb3c

        SHA512

        47184ca58f7358bad24acbcfc2038a510a1ae55b90b927d79a98df13c0e911daeaadb1100f0dc112370fe61bf6264fb9ff214d143d17af659e0bd1ba16f0cecc

        Download Submit

      • C:\Users\Admin\AppData\Roaming\DEFENDERFILESECURITY.EXE
        Filesize

        532KB

        MD5

        84e6aa267c6970d2d777d60840390102

        SHA1

        c97e555e98c5bec69bcad9607cf0153ff827a141

        SHA256

        69f7c84e27083e5af30a91c797c6c1d5b694c2926ebb8a9edb7c6ed8e4c3cb3c

        SHA512

        47184ca58f7358bad24acbcfc2038a510a1ae55b90b927d79a98df13c0e911daeaadb1100f0dc112370fe61bf6264fb9ff214d143d17af659e0bd1ba16f0cecc

        Download Submit

      • memory/4580-146-0x00007FF656DE0000-0x00007FF656F3F000-memory.dmp

        Filesize

        1.4MB

        Download

      • memory/4580-144-0x00007FF656DE0000-0x00007FF656F3F000-memory.dmp

        Filesize

        1.4MB

        Download

      • memory/4764-135-0x0000000000400000-0x0000000000497000-memory.dmp

        Filesize

        604KB

        Download

      • memory/4764-139-0x0000000000400000-0x0000000000497000-memory.dmp

        Filesize

        604KB

        Download

      • memory/4764-137-0x0000000000400000-0x0000000000497000-memory.dmp

        Filesize

        604KB

        Download

      • memory/4764-143-0x0000000000400000-0x0000000000497000-memory.dmp

        Filesize

        604KB

        Download

      • memory/4764-136-0x0000000000400000-0x0000000000497000-memory.dmp

        Filesize

        604KB

        Download

      • memory/4872-132-0x0000000000E10000-0x0000000000EBA000-memory.dmp

        Filesize

        680KB

        Download