b2b1f374822e760b574cff680d989d0f229bdaf9029acacb2449162b92bbc16b

Analysis

max time kernel
6s
max time network
135s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
09/01/2024, 07:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Rustyz.exe
Size

120KB
MD5

72bcd7f24413629f6b194c718af7b39e
SHA1

8495ab957722ea594b4a45a8a7522b9a24d23988
SHA256

43a8ced5b270b43b025b166f5069446de5c15479dcb049034f7db073153ebce4
SHA512

d5c9f01857e20fef93a8dc2e854bd3d18cf4c8d712eb6bf416f740c2e17eb14d9afa7eb9afb9241261bbfb07ab066447f6b22c9f78b815416d392329265a5213
SSDEEP

1536:94WHOJOV+P1tMZw1pSqvarF8TfHlo6nu/dhIo7RkSQAVE4Zks:94nzHn1nHllnu/co7aGV3Zks

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Users\\Admin\\AppData\\Roaming\\spoolsv.exe\""	Rustyz.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Users\\Admin\\AppData\\Roaming\\spoolsv.exe\""	spoolsv.exe

Modifies Windows Firewall 1 TTPs 1 IoCs

evasion

Windows Service

T1543.003

pid	Process
3932	netsh.exe

Deletes itself 1 IoCs

pid	Process
3248	spoolsv.exe

Executes dropped EXE 1 IoCs

pid	Process
3248	spoolsv.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MSWUpdate = "\"C:\\Users\\Admin\\AppData\\Roaming\\spoolsv.exe\""	Rustyz.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MSWUpdate = "\"C:\\Users\\Admin\\AppData\\Roaming\\spoolsv.exe\""	Rustyz.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MSWUpdate = "\"C:\\Users\\Admin\\AppData\\Roaming\\spoolsv.exe\""	spoolsv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MSWUpdate = "\"C:\\Users\\Admin\\AppData\\Roaming\\spoolsv.exe\""	spoolsv.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2212	Rustyz.exe
3248	spoolsv.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2212 wrote to memory of 3932	2212	Rustyz.exe	94
PID 2212 wrote to memory of 3932	2212	Rustyz.exe	94
PID 2212 wrote to memory of 3932	2212	Rustyz.exe	94
PID 2212 wrote to memory of 3248	2212	Rustyz.exe	93
PID 2212 wrote to memory of 3248	2212	Rustyz.exe	93
PID 2212 wrote to memory of 3248	2212	Rustyz.exe	93

C:\Users\Admin\AppData\Local\Temp\Rustyz.exe
"C:\Users\Admin\AppData\Local\Temp\Rustyz.exe"
1⤵
- Modifies WinLogon for persistence
- Adds Run key to start application
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2212
- C:\Users\Admin\AppData\Roaming\spoolsv.exe
  /d C:\Users\Admin\AppData\Local\Temp\Rustyz.exe
  2⤵
  - Modifies WinLogon for persistence
  - Deletes itself
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of SetWindowsHookEx
  PID:3248
- C:\Windows\SysWOW64\netsh.exe
  netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\spoolsv.exe" CityScape Enable
  2⤵
  - Modifies Windows Firewall
  PID:3932

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\ptBBMDMV

Filesize
39KB

MD5
297028ab5c72e48a035d43988169b3e9

SHA1
5e2f15be2ed928db836480dc8170b57a7d30bd6d

SHA256
3d792165057b6aed6ab6d0121a36cd56bb252b10f4e5cf107d013a21bf7bcdc9

SHA512
0e80a2edc2c002776dfb56c141829f85bcb4070b3a5a952537f606bb656aab5b55b905178025a6f2a03748e7c51bc16d6ad2d646a9333ce430d5966ec2d01b3e

Download Submit
C:\Users\Admin\AppData\Roaming\spoolsv.exe

Filesize
71KB

MD5
855396f6300e559c28eafe859cdda51b

SHA1
7763f8e57f166957a3aa81ce4a3752801ad39b42

SHA256
28900151b1af0375a50137726f7eb8d237b2674a1e82e9cb95902694254c660a

SHA512
f664b64b98c822042b19738ab7fbfc03448f026b6a99726b889e33d7d8a7fe2e55fc8f7e39d553aa8eca523d91db00a9153d20c8fd1d9e9a5acbcc050c141471

Download Submit
C:\Users\Admin\AppData\Roaming\spoolsv.exe

Filesize
39KB

MD5
089199b7528400fa3a1734a7b6b11909

SHA1
5a743a5ac23ed1b6b1ab77bb72e81f52cd4ba757

SHA256
491c0b3d721b3aa06bc1ef5e18cc27345d6c8026df8d232e65b67c91e56aed15

SHA512
3319132b2ee0e4a60645010dafd9981fbab58be351147a856ac8823ee2f0867e7b524249064053c4cd4171abf00792df8f815efd985787ab7d15463a66c5bc7b

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads