Analysis
max time kernel: 147s
max time network: 143s
platform: windows10-2004_x64
resource: win10v2004-20230621-en
resource tags: arch:x64, arch:x86, image:win10v2004-20230621-en, locale:en-us, os:windows10-2004-x64, system
submitted: 26-06-2023 04:13
Static task: static1
Behavioral task: behavioral1
Sample: 532e97e0ff4498854440784c6e7bcb8ed84ca654fb4acf893e8255b8a8c37911.exe
Resource: win7-20230621-en
General
Target: 532e97e0ff4498854440784c6e7bcb8ed84ca654fb4acf893e8255b8a8c37911.exe
Size: 1.4MB
MD5: 59afa5bc60bf7b9adb7dd4a0df84c0d9
SHA1: e3aa21d37156ea87d87ccbd011cf84896621b572
SHA256: 532e97e0ff4498854440784c6e7bcb8ed84ca654fb4acf893e8255b8a8c37911
SHA512: 4453e05b34f44f2ed9af0a51dfae9e08669812e47cc32699285c617981b1f106d617db308aff60b4da109eb1c35639a89e3e3b4d5d66d568106a5f529639bc98
SSDEEP: 24576:T4pCbcwQbbC+/bb2GRrILR4IKz/L5uqju6u/kKxmgMfBvOoUSd3GdrwSRHIp:UpAnhalMRLKLhjtu/3xm3GzSdWdVHG
Malware Config
Extracted
Family: rustybuer
C2: https://serevalutinoffice.com/
Signatures

Loads dropped DLL (1 IoC)
pid | Process
3416 | 532e97e0ff4498854440784c6e7bcb8ed84ca654fb4acf893e8255b8a8c37911.exe

Enumerates connected drives (3 TTPs, 48 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
description: File opened (read-only) | Process: 532e97e0ff4498854440784c6e7bcb8ed84ca654fb4acf893e8255b8a8c37911.exe
ioc (48 drive roots, in report order):
\??\m: \??\O: \??\p: \??\P: \??\A: \??\H: \??\J: \??\K: \??\W: \??\q: \??\Q: \??\s:
\??\w: \??\X: \??\E: \??\h: \??\l: \??\U: \??\R: \??\u: \??\b: \??\i: \??\L: \??\o:
\??\n: \??\S: \??\t: \??\v: \??\a: \??\B: \??\g: \??\k: \??\V: \??\y: \??\z: \??\G:
\??\I: \??\M: \??\Z: \??\j: \??\r: \??\D: \??\e: \??\Y: \??\F: \??\N: \??\T: \??\x:

Suspicious use of SetThreadContext (1 IoC)
description | pid | Process | procid_target
PID 3416 set thread context of 220 | 3416 | 532e97e0ff4498854440784c6e7bcb8ed84ca654fb4acf893e8255b8a8c37911.exe | 84

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Suspicious behavior: MapViewOfSection (1 IoC)
pid | Process
3416 | 532e97e0ff4498854440784c6e7bcb8ed84ca654fb4acf893e8255b8a8c37911.exe

Suspicious use of WriteProcessMemory (4 IoCs)
description | pid | Process | procid_target
PID 3416 wrote to memory of 220 | 3416 | 532e97e0ff4498854440784c6e7bcb8ed84ca654fb4acf893e8255b8a8c37911.exe | 84
PID 3416 wrote to memory of 220 | 3416 | 532e97e0ff4498854440784c6e7bcb8ed84ca654fb4acf893e8255b8a8c37911.exe | 84
PID 3416 wrote to memory of 220 | 3416 | 532e97e0ff4498854440784c6e7bcb8ed84ca654fb4acf893e8255b8a8c37911.exe | 84
PID 3416 wrote to memory of 220 | 3416 | 532e97e0ff4498854440784c6e7bcb8ed84ca654fb4acf893e8255b8a8c37911.exe | 84
Processes
C:\Users\Admin\AppData\Local\Temp\532e97e0ff4498854440784c6e7bcb8ed84ca654fb4acf893e8255b8a8c37911.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\532e97e0ff4498854440784c6e7bcb8ed84ca654fb4acf893e8255b8a8c37911.exe" (level 1)
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID: 3416
    C:\Users\Admin\AppData\Local\Temp\532e97e0ff4498854440784c6e7bcb8ed84ca654fb4acf893e8255b8a8c37911.exe
      command line: "C:\Users\Admin\AppData\Local\Temp\532e97e0ff4498854440784c6e7bcb8ed84ca654fb4acf893e8255b8a8c37911.exe" (level 2)
      - Enumerates connected drives
      PID: 220
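The signatures above line up into one sequence: PID 3416 spawns a second copy of its own image (PID 220), writes into it four times (WriteProcessMemory), then redirects a thread in it (SetThreadContext), and it is the child, not the parent, that goes on to open the drive roots. That is the self-injection / process-hollowing pattern a loader uses to unpack its payload into a fresh copy of itself. The script below is an added example written for this page, not Triage output or tooling: it builds an event stream by hand from the report's signature tables and process tree (PIDs, image path and drive letters are the report's; the event dictionaries, field names and the attribution of the file opens to PID 220, taken from the process tree, are this script's own) and correlates them into two findings.

```python
"""Correlate sandbox behaviour signatures into two findings: a
self-injection (process hollowing) pattern and drive-root enumeration.

Added example; not part of the Triage report or of any Triage tooling.
PIDs, image path and drive letters come from the report; the event
dictionaries and field names are constructed here, and the FileOpen events
are attributed to PID 220 because the process tree lists "Enumerates
connected drives" under that process.
"""
import re
from collections import defaultdict

IMAGE = (r"C:\Users\Admin\AppData\Local\Temp"
         r"\532e97e0ff4498854440784c6e7bcb8ed84ca654fb4acf893e8255b8a8c37911.exe")

# Process tree from the report: 220 is a second copy of the same image under 3416.
PROCESSES = {
    3416: {"image": IMAGE, "parent": None},
    220: {"image": IMAGE, "parent": 3416},
}

# The 48 drive roots in the order the report lists them (case preserved).
DRIVE_LETTERS = "mOpPAHJKWqQswXEhlURubiLonStvaBgkVyzGIMZjrDeYFNTx"

# Constructed event stream mirroring the signature tables.
EVENTS = (
    [{"api": "WriteProcessMemory", "pid": 3416, "target": 220}] * 4
    + [{"api": "SetThreadContext", "pid": 3416, "target": 220},
       {"api": "MapViewOfSection", "pid": 3416}]
    + [{"api": "FileOpen", "pid": 220, "path": "\\??\\%s:" % d} for d in DRIVE_LETTERS]
)

DRIVE_ROOT = re.compile(r"\\\?\?\\([A-Za-z]):")


def detect_self_injection(events, processes):
    """Pair every SetThreadContext(src -> dst) with WriteProcessMemory calls on
    the same (src, dst) pair.  Writing into another process and then
    redirecting one of its threads is the hollowing sequence; when the target
    is a freshly spawned copy of the same image, the loader is unpacking into
    itself rather than into a signed host binary."""
    writes = defaultdict(int)
    contexts = set()
    for ev in events:
        if ev["api"] == "WriteProcessMemory":
            writes[(ev["pid"], ev["target"])] += 1
        elif ev["api"] == "SetThreadContext":
            contexts.add((ev["pid"], ev["target"]))

    findings = []
    for src, dst in sorted(contexts):
        if writes[(src, dst)] == 0:
            continue  # a context change without a prior write is not hollowing
        src_img = processes.get(src, {}).get("image", "").lower()
        dst_img = processes.get(dst, {}).get("image", "").lower()
        findings.append({
            "source": src,
            "target": dst,
            "writes": writes[(src, dst)],
            "same_image": bool(src_img) and src_img == dst_img,
            "target_is_child": processes.get(dst, {}).get("parent") == src,
        })
    return findings


def detect_drive_enumeration(events, threshold=4):
    """Return {pid: sorted drive letters} for processes that open at least
    `threshold` distinct non-C: drive roots.  Drive letters are
    case-insensitive on Windows, so \\??\\m: and \\??\\M: are one root; the
    report's 48 IoCs therefore collapse to 25 roots (A-Z minus C)."""
    roots = defaultdict(set)
    for ev in events:
        if ev["api"] != "FileOpen":
            continue
        m = DRIVE_ROOT.fullmatch(ev["path"])
        if m and m.group(1).upper() != "C":
            roots[ev["pid"]].add(m.group(1).upper())
    return {pid: sorted(s) for pid, s in roots.items() if len(s) >= threshold}


if __name__ == "__main__":
    for f in detect_self_injection(EVENTS, PROCESSES):
        print("injection:", f)
    for pid, letters in detect_drive_enumeration(EVENTS).items():
        print(f"drive enumeration: pid {pid} opened {len(letters)} roots: {''.join(letters)}")
```

The injection check deliberately requires both a write and a thread-context change on the same source/target pair; either API alone has benign users (debuggers, some installers), the pair into a child of the same image does not. The drive check deduplicates letters case-insensitively before counting, which is why the report's 48 IoCs are really 25 roots.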
MITRE ATT&CK Enterprise v6
Downloads
Filesize: 11KB
MD5: 0063d48afe5a0cdc02833145667b6641
SHA1: e7eb614805d183ecb1127c62decb1a6be1b4f7a8
SHA256: ac9dfe3b35ea4b8932536ed7406c29a432976b685cc5322f94ef93df920fede7
SHA512: 71cbbcaeb345e09306e368717ea0503fe8df485be2e95200febc61bcd8ba74fb4211cd263c232f148c0123f6c6f2e3fd4ea20bdecc4070f5208c35c6920240f0