Analysis

max time kernel: 151s
max time network: 166s
platform: windows7_x64
resource: win7-20230831-en
resource tags: arch:x64, arch:x86, image:win7-20230831-en, locale:en-us, os:windows7-x64, system
submitted: 12-10-2023 17:42

Static task: static1 (1 signature)
Behavioral task: behavioral1
Sample: mal.exe
Resource: win7-20230831-en (windows7-x64)
5 signatures, 150 seconds
General

Target: mal.exe
Size: 3.2MB
MD5: cd2eb880ecbad847cb6205a42708e5e4
SHA1: aadaba5e4d887136cbcb3df0a4dc0eb94f391585
SHA256: 001405ded84e227092bafe165117888d423719d7d75554025ec410d1d6558925
SHA512: b0591d6e4181275001fdefb70e04bdeb1b241dc696a887f36375826904bc164714bfe5d0b86e39952f877309571b9a0212ca5e5f122c6393cb17a797b0c2f8b2
SSDEEP: 49152:Ww/9l48pPUbkSv5TCcLhAKFEl3In1bnkpisogrpu4r+3qwsi:WcfUbZGcLMIn1Lkp3lrpuh8i
Malware Config

Extracted
Family: rustybuer
C2: https://vesupyny.com/
Signatures

Enumerates connected drives (3 TTPs, 48 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
Processes: secinit.exe
description | ioc | process
File opened (read-only) | \??\n: | secinit.exe
File opened (read-only) | \??\q: | secinit.exe
File opened (read-only) | \??\r: | secinit.exe
File opened (read-only) | \??\Z: | secinit.exe
File opened (read-only) | \??\D: | secinit.exe
File opened (read-only) | \??\G: | secinit.exe
File opened (read-only) | \??\k: | secinit.exe
File opened (read-only) | \??\i: | secinit.exe
File opened (read-only) | \??\j: | secinit.exe
File opened (read-only) | \??\K: | secinit.exe
File opened (read-only) | \??\M: | secinit.exe
File opened (read-only) | \??\u: | secinit.exe
File opened (read-only) | \??\A: | secinit.exe
File opened (read-only) | \??\B: | secinit.exe
File opened (read-only) | \??\F: | secinit.exe
File opened (read-only) | \??\w: | secinit.exe
File opened (read-only) | \??\W: | secinit.exe
File opened (read-only) | \??\t: | secinit.exe
File opened (read-only) | \??\x: | secinit.exe
File opened (read-only) | \??\a: | secinit.exe
File opened (read-only) | \??\b: | secinit.exe
File opened (read-only) | \??\E: | secinit.exe
File opened (read-only) | \??\U: | secinit.exe
File opened (read-only) | \??\V: | secinit.exe
File opened (read-only) | \??\y: | secinit.exe
File opened (read-only) | \??\L: | secinit.exe
File opened (read-only) | \??\p: | secinit.exe
File opened (read-only) | \??\T: | secinit.exe
File opened (read-only) | \??\O: | secinit.exe
File opened (read-only) | \??\H: | secinit.exe
File opened (read-only) | \??\m: | secinit.exe
File opened (read-only) | \??\N: | secinit.exe
File opened (read-only) | \??\z: | secinit.exe
File opened (read-only) | \??\Q: | secinit.exe
File opened (read-only) | \??\S: | secinit.exe
File opened (read-only) | \??\X: | secinit.exe
File opened (read-only) | \??\v: | secinit.exe
File opened (read-only) | \??\Y: | secinit.exe
File opened (read-only) | \??\g: | secinit.exe
File opened (read-only) | \??\h: | secinit.exe
File opened (read-only) | \??\s: | secinit.exe
File opened (read-only) | \??\l: | secinit.exe
File opened (read-only) | \??\o: | secinit.exe
File opened (read-only) | \??\P: | secinit.exe
File opened (read-only) | \??\R: | secinit.exe
File opened (read-only) | \??\e: | secinit.exe
File opened (read-only) | \??\I: | secinit.exe
File opened (read-only) | \??\J: | secinit.exe

Suspicious use of SetThreadContext (1 IoC)
Processes: mal.exe
description | pid | process | target process
PID 1252 set thread context of 1916 | 1252 | mal.exe | secinit.exe

Suspicious behavior: EnumeratesProcesses (1 IoC)
Processes: secinit.exe
pid | process
1916 | secinit.exe

Suspicious use of WriteProcessMemory (10 IoCs)
Processes: mal.exe
description | pid | process | target process
PID 1252 wrote to memory of 1916 | 1252 | mal.exe | secinit.exe
PID 1252 wrote to memory of 1916 | 1252 | mal.exe | secinit.exe
PID 1252 wrote to memory of 1916 | 1252 | mal.exe | secinit.exe
PID 1252 wrote to memory of 1916 | 1252 | mal.exe | secinit.exe
PID 1252 wrote to memory of 1916 | 1252 | mal.exe | secinit.exe
PID 1252 wrote to memory of 1916 | 1252 | mal.exe | secinit.exe
PID 1252 wrote to memory of 1916 | 1252 | mal.exe | secinit.exe
PID 1252 wrote to memory of 1916 | 1252 | mal.exe | secinit.exe
PID 1252 wrote to memory of 1916 | 1252 | mal.exe | secinit.exe
PID 1252 wrote to memory of 1916 | 1252 | mal.exe | secinit.exe
Processes

1. C:\Users\Admin\AppData\Local\Temp\mal.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\mal.exe"
   PID: 1252
   - Suspicious use of SetThreadContext
   - Suspicious use of WriteProcessMemory

   2. C:\Windows\SysWOW64\secinit.exe (child of PID 1252)
      Command line: "C:\Windows\System32\secinit.exe"
      PID: 1916
      - Enumerates connected drives
      - Suspicious behavior: EnumeratesProcesses