rustybuer | 532e97e0ff4498854440784c6e7bcb8ed84ca654fb4acf893e8255b8a8c37911

General

Target

80739_532e97e0ff4498854440784c6e7bcb8ed84ca654fb4acf893e8255b8a8c37911.exe
Size

1.4MB
MD5

59afa5bc60bf7b9adb7dd4a0df84c0d9
SHA1

e3aa21d37156ea87d87ccbd011cf84896621b572
SHA256

532e97e0ff4498854440784c6e7bcb8ed84ca654fb4acf893e8255b8a8c37911
SHA512

4453e05b34f44f2ed9af0a51dfae9e08669812e47cc32699285c617981b1f106d617db308aff60b4da109eb1c35639a89e3e3b4d5d66d568106a5f529639bc98
SSDEEP

24576:T4pCbcwQbbC+/bb2GRrILR4IKz/L5uqju6u/kKxmgMfBvOoUSd3GdrwSRHIp:UpAnhalMRLKLhjtu/3xm3GzSdWdVHG

Score

10^/10

rustybuer loader

Malware Config

Extracted

Family

rustybuer

C2

https://serevalutinoffice.com/

Signatures

RustyBuer
RustyBuer is a new variant of Buer loader written in Rust.
loader rustybuer
Loads dropped DLL 1 IoCs

Processes:

80739_532e97e0ff4498854440784c6e7bcb8ed84ca654fb4acf893e8255b8a8c37911.exe

pid process

4792 80739_532e97e0ff4498854440784c6e7bcb8ed84ca654fb4acf893e8255b8a8c37911.exe

pid	process
4792	80739_532e97e0ff4498854440784c6e7bcb8ed84ca654fb4acf893e8255b8a8c37911.exe

Enumerates connected drives 3 TTPs 48 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

80739_532e97e0ff4498854440784c6e7bcb8ed84ca654fb4acf893e8255b8a8c37911.exe

description	ioc	process
File opened (read-only)	\??\p:	80739_532e97e0ff4498854440784c6e7bcb8ed84ca654fb4acf893e8255b8a8c37911.exe
File opened (read-only)	\??\X:	80739_532e97e0ff4498854440784c6e7bcb8ed84ca654fb4acf893e8255b8a8c37911.exe
File opened (read-only)	\??\E:	80739_532e97e0ff4498854440784c6e7bcb8ed84ca654fb4acf893e8255b8a8c37911.exe
File opened (read-only)	\??\l:	80739_532e97e0ff4498854440784c6e7bcb8ed84ca654fb4acf893e8255b8a8c37911.exe
File opened (read-only)	\??\N:	80739_532e97e0ff4498854440784c6e7bcb8ed84ca654fb4acf893e8255b8a8c37911.exe
File opened (read-only)	\??\W:	80739_532e97e0ff4498854440784c6e7bcb8ed84ca654fb4acf893e8255b8a8c37911.exe
File opened (read-only)	\??\Z:	80739_532e97e0ff4498854440784c6e7bcb8ed84ca654fb4acf893e8255b8a8c37911.exe
File opened (read-only)	\??\V:	80739_532e97e0ff4498854440784c6e7bcb8ed84ca654fb4acf893e8255b8a8c37911.exe
File opened (read-only)	\??\b:	80739_532e97e0ff4498854440784c6e7bcb8ed84ca654fb4acf893e8255b8a8c37911.exe
File opened (read-only)	\??\g:	80739_532e97e0ff4498854440784c6e7bcb8ed84ca654fb4acf893e8255b8a8c37911.exe
File opened (read-only)	\??\H:	80739_532e97e0ff4498854440784c6e7bcb8ed84ca654fb4acf893e8255b8a8c37911.exe
File opened (read-only)	\??\m:	80739_532e97e0ff4498854440784c6e7bcb8ed84ca654fb4acf893e8255b8a8c37911.exe
File opened (read-only)	\??\n:	80739_532e97e0ff4498854440784c6e7bcb8ed84ca654fb4acf893e8255b8a8c37911.exe
File opened (read-only)	\??\S:	80739_532e97e0ff4498854440784c6e7bcb8ed84ca654fb4acf893e8255b8a8c37911.exe
File opened (read-only)	\??\t:	80739_532e97e0ff4498854440784c6e7bcb8ed84ca654fb4acf893e8255b8a8c37911.exe
File opened (read-only)	\??\Y:	80739_532e97e0ff4498854440784c6e7bcb8ed84ca654fb4acf893e8255b8a8c37911.exe
File opened (read-only)	\??\z:	80739_532e97e0ff4498854440784c6e7bcb8ed84ca654fb4acf893e8255b8a8c37911.exe
File opened (read-only)	\??\A:	80739_532e97e0ff4498854440784c6e7bcb8ed84ca654fb4acf893e8255b8a8c37911.exe
File opened (read-only)	\??\D:	80739_532e97e0ff4498854440784c6e7bcb8ed84ca654fb4acf893e8255b8a8c37911.exe
File opened (read-only)	\??\I:	80739_532e97e0ff4498854440784c6e7bcb8ed84ca654fb4acf893e8255b8a8c37911.exe
File opened (read-only)	\??\J:	80739_532e97e0ff4498854440784c6e7bcb8ed84ca654fb4acf893e8255b8a8c37911.exe
File opened (read-only)	\??\o:	80739_532e97e0ff4498854440784c6e7bcb8ed84ca654fb4acf893e8255b8a8c37911.exe
File opened (read-only)	\??\P:	80739_532e97e0ff4498854440784c6e7bcb8ed84ca654fb4acf893e8255b8a8c37911.exe
File opened (read-only)	\??\Q:	80739_532e97e0ff4498854440784c6e7bcb8ed84ca654fb4acf893e8255b8a8c37911.exe
File opened (read-only)	\??\x:	80739_532e97e0ff4498854440784c6e7bcb8ed84ca654fb4acf893e8255b8a8c37911.exe
File opened (read-only)	\??\G:	80739_532e97e0ff4498854440784c6e7bcb8ed84ca654fb4acf893e8255b8a8c37911.exe
File opened (read-only)	\??\h:	80739_532e97e0ff4498854440784c6e7bcb8ed84ca654fb4acf893e8255b8a8c37911.exe
File opened (read-only)	\??\i:	80739_532e97e0ff4498854440784c6e7bcb8ed84ca654fb4acf893e8255b8a8c37911.exe
File opened (read-only)	\??\M:	80739_532e97e0ff4498854440784c6e7bcb8ed84ca654fb4acf893e8255b8a8c37911.exe
File opened (read-only)	\??\T:	80739_532e97e0ff4498854440784c6e7bcb8ed84ca654fb4acf893e8255b8a8c37911.exe
File opened (read-only)	\??\U:	80739_532e97e0ff4498854440784c6e7bcb8ed84ca654fb4acf893e8255b8a8c37911.exe
File opened (read-only)	\??\v:	80739_532e97e0ff4498854440784c6e7bcb8ed84ca654fb4acf893e8255b8a8c37911.exe
File opened (read-only)	\??\y:	80739_532e97e0ff4498854440784c6e7bcb8ed84ca654fb4acf893e8255b8a8c37911.exe
File opened (read-only)	\??\B:	80739_532e97e0ff4498854440784c6e7bcb8ed84ca654fb4acf893e8255b8a8c37911.exe
File opened (read-only)	\??\e:	80739_532e97e0ff4498854440784c6e7bcb8ed84ca654fb4acf893e8255b8a8c37911.exe
File opened (read-only)	\??\K:	80739_532e97e0ff4498854440784c6e7bcb8ed84ca654fb4acf893e8255b8a8c37911.exe
File opened (read-only)	\??\L:	80739_532e97e0ff4498854440784c6e7bcb8ed84ca654fb4acf893e8255b8a8c37911.exe
File opened (read-only)	\??\r:	80739_532e97e0ff4498854440784c6e7bcb8ed84ca654fb4acf893e8255b8a8c37911.exe
File opened (read-only)	\??\R:	80739_532e97e0ff4498854440784c6e7bcb8ed84ca654fb4acf893e8255b8a8c37911.exe
File opened (read-only)	\??\u:	80739_532e97e0ff4498854440784c6e7bcb8ed84ca654fb4acf893e8255b8a8c37911.exe
File opened (read-only)	\??\a:	80739_532e97e0ff4498854440784c6e7bcb8ed84ca654fb4acf893e8255b8a8c37911.exe
File opened (read-only)	\??\k:	80739_532e97e0ff4498854440784c6e7bcb8ed84ca654fb4acf893e8255b8a8c37911.exe
File opened (read-only)	\??\O:	80739_532e97e0ff4498854440784c6e7bcb8ed84ca654fb4acf893e8255b8a8c37911.exe
File opened (read-only)	\??\q:	80739_532e97e0ff4498854440784c6e7bcb8ed84ca654fb4acf893e8255b8a8c37911.exe
File opened (read-only)	\??\s:	80739_532e97e0ff4498854440784c6e7bcb8ed84ca654fb4acf893e8255b8a8c37911.exe
File opened (read-only)	\??\w:	80739_532e97e0ff4498854440784c6e7bcb8ed84ca654fb4acf893e8255b8a8c37911.exe
File opened (read-only)	\??\F:	80739_532e97e0ff4498854440784c6e7bcb8ed84ca654fb4acf893e8255b8a8c37911.exe
File opened (read-only)	\??\j:	80739_532e97e0ff4498854440784c6e7bcb8ed84ca654fb4acf893e8255b8a8c37911.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

80739_532e97e0ff4498854440784c6e7bcb8ed84ca654fb4acf893e8255b8a8c37911.exe

description	pid	process	target process
PID 4792 set thread context of 3376	4792	80739_532e97e0ff4498854440784c6e7bcb8ed84ca654fb4acf893e8255b8a8c37911.exe	80739_532e97e0ff4498854440784c6e7bcb8ed84ca654fb4acf893e8255b8a8c37911.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

80739_532e97e0ff4498854440784c6e7bcb8ed84ca654fb4acf893e8255b8a8c37911.exe

pid process

4792 80739_532e97e0ff4498854440784c6e7bcb8ed84ca654fb4acf893e8255b8a8c37911.exe

pid	process
4792	80739_532e97e0ff4498854440784c6e7bcb8ed84ca654fb4acf893e8255b8a8c37911.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

80739_532e97e0ff4498854440784c6e7bcb8ed84ca654fb4acf893e8255b8a8c37911.exe

description	pid	process	target process
PID 4792 wrote to memory of 3376	4792	80739_532e97e0ff4498854440784c6e7bcb8ed84ca654fb4acf893e8255b8a8c37911.exe	80739_532e97e0ff4498854440784c6e7bcb8ed84ca654fb4acf893e8255b8a8c37911.exe
PID 4792 wrote to memory of 3376	4792	80739_532e97e0ff4498854440784c6e7bcb8ed84ca654fb4acf893e8255b8a8c37911.exe	80739_532e97e0ff4498854440784c6e7bcb8ed84ca654fb4acf893e8255b8a8c37911.exe
PID 4792 wrote to memory of 3376	4792	80739_532e97e0ff4498854440784c6e7bcb8ed84ca654fb4acf893e8255b8a8c37911.exe	80739_532e97e0ff4498854440784c6e7bcb8ed84ca654fb4acf893e8255b8a8c37911.exe
PID 4792 wrote to memory of 3376	4792	80739_532e97e0ff4498854440784c6e7bcb8ed84ca654fb4acf893e8255b8a8c37911.exe	80739_532e97e0ff4498854440784c6e7bcb8ed84ca654fb4acf893e8255b8a8c37911.exe

C:\Users\Admin\AppData\Local\Temp\80739_532e97e0ff4498854440784c6e7bcb8ed84ca654fb4acf893e8255b8a8c37911.exe
"C:\Users\Admin\AppData\Local\Temp\80739_532e97e0ff4498854440784c6e7bcb8ed84ca654fb4acf893e8255b8a8c37911.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:4792
- C:\Users\Admin\AppData\Local\Temp\80739_532e97e0ff4498854440784c6e7bcb8ed84ca654fb4acf893e8255b8a8c37911.exe
  "C:\Users\Admin\AppData\Local\Temp\80739_532e97e0ff4498854440784c6e7bcb8ed84ca654fb4acf893e8255b8a8c37911.exe"
  2⤵
  - Enumerates connected drives
  PID:3376

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\nst69E6.tmp\System.dll

Filesize
11KB

MD5
0063d48afe5a0cdc02833145667b6641

SHA1
e7eb614805d183ecb1127c62decb1a6be1b4f7a8

SHA256
ac9dfe3b35ea4b8932536ed7406c29a432976b685cc5322f94ef93df920fede7

SHA512
71cbbcaeb345e09306e368717ea0503fe8df485be2e95200febc61bcd8ba74fb4211cd263c232f148c0123f6c6f2e3fd4ea20bdecc4070f5208c35c6920240f0

Download Submit
memory/3376-141-0x0000000000400000-0x0000000000534000-memory.dmp

Filesize
1.2MB

Download
memory/3376-142-0x0000000000400000-0x0000000000534000-memory.dmp

Filesize
1.2MB

Download
memory/3376-143-0x0000000000400000-0x0000000000534000-memory.dmp

Filesize
1.2MB

Download
memory/3376-144-0x0000000000400000-0x0000000000534000-memory.dmp

Filesize
1.2MB

Download
memory/3376-145-0x0000000000400000-0x0000000000534000-memory.dmp

Filesize
1.2MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads