Overview

overview

10

Static

static

3

RustAnticheat.exe

windows7-x64

10

RustAnticheat.exe

windows10-1703-x64

10

RustAnticheat.exe

windows7-x64

10

RustAnticheat.exe

windows10-2004-x64

10

RustAnticheat.exe

windows11-21h2-x64

10

Analysis

  • max time kernel
    129s
  • max time network
    128s
  • platform
    windows11-21h2_x64
  • resource
    win11-20240802-en
  • resource tags

    arch:x64arch:x86image:win11-20240802-enlocale:en-usos:windows11-21h2-x64system
  • submitted
    25-09-2024 07:25

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    RustAnticheat.exe

  • Size

    1.1MB

  • MD5

    0d0d79a916d356823c4742f3253aa6aa

  • SHA1

    5e267d313557b5dbf6c216e79190b20fb5ab8177

  • SHA256

    20868115f180702553380c551df502535b8aa01c3ef630d408edd849896e631a

  • SHA512

    9bbc72f3b647885dee27a27f5e30e2c845f5eb395bcf545ba7c75d65a0386f9c97dab4348a946fd693a90f4994550fda41a0528072cfeb8106ab603232573365

  • SSDEEP

    24576:drAsHOi4ltSzmSEPGUSa/D3mIaCmo/NE1a1pvRQrhWgJbavyRAh79c0ih:5Lu1tSzmhR/nCo/K0pZQrE2RAh79Lih

Score
10/10
umbralxwormdiscoveryexecutionpersistenceratstealertrojan

Malware Config

Extracted

Family

xworm

C2

web-amend.gl.at.ply.gg:59501

Attributes
  • Install_directory

    %Userprofile%

  • install_file

    USB.exe

Signatures

  • Detect Umbral payload 2 IoCs
  • Detect Xworm Payload 2 IoCs
  • Umbral

    Umbral stealer is an opensource moduler stealer written in C#.

    stealerumbral
  • Xworm

    Xworm is a remote access trojan written in C#.

    trojanratxworm
  • Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution
  • Drops startup file 2 IoCs
  • Executes dropped EXE 9 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Delays execution with timeout.exe 1 IoCs
    evasion
  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 9 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 43 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\RustAnticheat.exe
    "C:\Users\Admin\AppData\Local\Temp\RustAnticheat.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:4000
    • C:\Users\Admin\AppData\Roaming\Loader (1).exe
      "C:\Users\Admin\AppData\Roaming\Loader (1).exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:4480
    • C:\Users\Admin\AppData\Roaming\RuntimeBroker.exe
      "C:\Users\Admin\AppData\Roaming\RuntimeBroker.exe"
      2⤵
      • Drops startup file
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:5096
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\RuntimeBroker.exe'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:4896
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'RuntimeBroker.exe'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1372
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\RuntimeBroker'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:4580
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'RuntimeBroker'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2132
      • C:\Windows\System32\schtasks.exe
        "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "RuntimeBroker" /tr "C:\Users\Admin\RuntimeBroker"
        3⤵
        • Scheduled Task/Job: Scheduled Task
        PID:4172
      • C:\Users\Admin\AppData\Local\Temp\zckciv.exe
        "C:\Users\Admin\AppData\Local\Temp\zckciv.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:1120
        • C:\Windows\System32\Wbem\wmic.exe
          "wmic.exe" csproduct get uuid
          4⤵
          • Suspicious use of AdjustPrivilegeToken
          PID:2688
      • C:\Litvin.exe
        "C:\Litvin.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of WriteProcessMemory
        PID:3756
        • C:\Windows\System32\Wbem\wmic.exe
          "wmic.exe" csproduct get uuid
          4⤵
            PID:2808
        • C:\Litvin.exe
          C:\Litvin.exe
          3⤵
          • Executes dropped EXE
          • Suspicious use of WriteProcessMemory
          PID:3084
          • C:\Windows\System32\Wbem\wmic.exe
            "wmic.exe" csproduct get uuid
            4⤵
              PID:1496
          • C:\Windows\System32\cmd.exe
            "C:\Windows\System32\cmd.exe" /c start "" "C:\Litvin.exe"
            3⤵
            • Suspicious use of WriteProcessMemory
            PID:2736
            • C:\Litvin.exe
              "C:\Litvin.exe"
              4⤵
              • Executes dropped EXE
              • Suspicious use of WriteProcessMemory
              PID:4528
              • C:\Windows\System32\Wbem\wmic.exe
                "wmic.exe" csproduct get uuid
                5⤵
                  PID:2288
            • C:\Windows\System32\schtasks.exe
              "C:\Windows\System32\schtasks.exe" /delete /f /tn "RuntimeBroker"
              3⤵
                PID:3512
              • C:\Windows\system32\cmd.exe
                C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp842A.tmp.bat""
                3⤵
                • Suspicious use of WriteProcessMemory
                PID:568
                • C:\Windows\system32\timeout.exe
                  timeout 3
                  4⤵
                  • Delays execution with timeout.exe
                  PID:1104
            • C:\Users\Admin\AppData\Roaming\Litvin.exe
              "C:\Users\Admin\AppData\Roaming\Litvin.exe"
              2⤵
              • Executes dropped EXE
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:1848
              • C:\Windows\System32\Wbem\wmic.exe
                "wmic.exe" csproduct get uuid
                3⤵
                • Suspicious use of AdjustPrivilegeToken
                PID:4584
          • C:\Users\Admin\RuntimeBroker
            C:\Users\Admin\RuntimeBroker
            1⤵
            • Executes dropped EXE
            • Suspicious use of AdjustPrivilegeToken
            PID:3396
          • C:\Windows\system32\svchost.exe
            C:\Windows\system32\svchost.exe -k LocalService -p -s NPSMSvc
            1⤵
              PID:2020
            • C:\Users\Admin\RuntimeBroker
              C:\Users\Admin\RuntimeBroker
              1⤵
              • Executes dropped EXE
              PID:780

            Network

            MITRE ATT&CK Enterprise v15

            Replay Monitor

            Loading Replay Monitor...

            Downloads

            • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Litvin.exe.log
              Filesize

              1KB

              MD5

              02df789e3c730b309fc4d9abce5d729b

              SHA1

              4f9da0f0d4cadacfd0f68fb1f7ee73a66dcf1b4e

              SHA256

              4afabcd1723096359d90c8f32df7a6a44cd866e89d5b37c89280bfeab61d7321

              SHA512

              7ac0dd7e3a3e483d07409da793dd2b0915d4369fe41fe743acd82de9aa77b9fa7ea5cd60498034f3fa0674d93d184c9128375d8f7f0796fddecff3845fca8587

              Download Submit

            • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\RuntimeBroker.log
              Filesize

              654B

              MD5

              2cbbb74b7da1f720b48ed31085cbd5b8

              SHA1

              79caa9a3ea8abe1b9c4326c3633da64a5f724964

              SHA256

              e31b18f21621d9983bfdf1ea3e53884a9d58b8ffd79e0e5790da6f3a81a8b9d3

              SHA512

              ecf02d5240e0c1c005d3ab393aa7eff62bd498c2db5905157e2bf6d29e1b663228a9583950842629d1a4caef404c8941a0c7799b1a3bd1eb890a09fdb7efcff9

              Download Submit

            • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
              Filesize

              2KB

              MD5

              627073ee3ca9676911bee35548eff2b8

              SHA1

              4c4b68c65e2cab9864b51167d710aa29ebdcff2e

              SHA256

              85b280a39fc31ba1e15fb06102a05b8405ff3b82feb181d4170f04e466dd647c

              SHA512

              3c5f6c03e253b83c57e8d6f0334187dbdcdf4fa549eecd36cbc1322dca6d3ca891dc6a019c49ec2eafb88f82d0434299c31e4dfaab123acb42e0546218f311fb

              Download Submit

            • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
              Filesize

              944B

              MD5

              d0a4a3b9a52b8fe3b019f6cd0ef3dad6

              SHA1

              fed70ce7834c3b97edbd078eccda1e5effa527cd

              SHA256

              21942e513f223fdad778348fbb20617dd29f986bccd87824c0ae7f15649f3f31

              SHA512

              1a66f837b4e7fb6346d0500aeacb44902fb8a239bce23416271263eba46fddae58a17075e188ae43eb516c841e02c87e32ebd73256c7cc2c0713d00c35f1761b

              Download Submit

            • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
              Filesize

              944B

              MD5

              856900844f6f1c326c89d0bcfb2f0c28

              SHA1

              1caad440d46fa8c0cbed4822b4be2bbdddba97c2

              SHA256

              ae24414ec53b3ae43ddbf1ff7b6643f8bf45281406f6415742f4305360d70a32

              SHA512

              ed8f421e151d797b33440dd0ddb6d6a5ec93fe7806ad82c60af3f77d545cf5dc319bce67804bd0613bb551a3f01648ec0d1918805dc7342145c8bb23ad12cab4

              Download Submit

            • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
              Filesize

              944B

              MD5

              5ee18cae28ab3df919b06896b7cac4e5

              SHA1

              43d5a5a2cb5a5788b2ac3829a267356f66ba9485

              SHA256

              bd2b2ac5a3c197e00e53ae3f1f6c3b76870560fec9435a3155270cca38da3313

              SHA512

              ecf04c6ffc37e7b2ef28c58e36cf2f60fdbae859dcda18fb4dc271976dd2b209dda17983e79165c66a39dceb1c7f7f81f9dfcaa5a44c1ca9a9f9c8e6a8adaa80

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_bofo533h.55b.ps1
              Filesize

              60B

              MD5

              d17fe0a3f47be24a6453e9ef58c94641

              SHA1

              6ab83620379fc69f80c0242105ddffd7d98d5d9d

              SHA256

              96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

              SHA512

              5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\tmp842A.tmp.bat
              Filesize

              162B

              MD5

              e9a2a3ef64f76b3ef736a5bee1239f3f

              SHA1

              0294bce559582aecae7040b4382bb43e716563b5

              SHA256

              418725db57bf7f7e5465d252266d167fab053cf3a81155e9ed93daa10020613c

              SHA512

              be1da3716cdc10d79a976592674d5f72a88f20b8c59ddfa3bddef6b087b00fe51e3b977bf91ca4ed0a117b192c31410e2c2f392f42c13a3fd4568772f82e0f1c

              Download Submit

            • C:\Users\Admin\AppData\Roaming\Litvin.exe
              Filesize

              229KB

              MD5

              259101ea3a8a1c36a8ebe30f28deb851

              SHA1

              b5302bb4383bfa6e1f8a074182d1eecd79cd0caf

              SHA256

              91fd2cdc10b62a3aa10837c50c9dd2958f58a7c6feb6a5d29f73c5edca033999

              SHA512

              14c266cd69408d3cca1fa8dfeb0e9abedce87985b93bf6190b6436f74f122e06264c49c713d259eaa9f393180e3bef42462cb851686c2f32882cf03942e6dde3

              Download Submit

            • C:\Users\Admin\AppData\Roaming\Loader (1).exe
              Filesize

              827KB

              MD5

              eefb801774c5ccb44153268a9357f5f1

              SHA1

              b1906b22e14edd142c52808ab3e5ba9346b85de5

              SHA256

              677aeb1981c58cba41a5d53ccbbf5b471e62dc49dc326570767da940560d840d

              SHA512

              1cf162fe6184d68dca514059d2de1123e80d0faac401765a54224aa5a987c9454bc92263fbec566835aa7b402f1f63ba59bb425ccc139e0a7391e66991f270b7

              Download Submit

            • C:\Users\Admin\AppData\Roaming\RuntimeBroker.exe
              Filesize

              77KB

              MD5

              7c4f97717ce74232ede2fc0b48956636

              SHA1

              d7dd219805af9fb9251214d598badc3d4d1b7bf8

              SHA256

              f84e5ceb6d0c53993bf5139e7e58dcc06c8cc7d6bc1e5e97171445f6fe01109d

              SHA512

              ad1963a20fc98927239eb1aaa6f881913ac5884c28c00b59637e4fd51dbafd376150e1e6a5cf8634f6a5610bd2286dc185b3f14362c06a613dfe40db528cea26

              Download Submit

            • memory/1848-36-0x00000203187E0000-0x0000020318820000-memory.dmp

              Filesize

              256KB

              Download

            • memory/4000-0-0x00007FFBA39D3000-0x00007FFBA39D5000-memory.dmp

              Filesize

              8KB

              Download

            • memory/4000-1-0x0000000000C90000-0x0000000000DB4000-memory.dmp

              Filesize

              1.1MB

              Download

            • memory/4480-38-0x0000000000C90000-0x0000000000D66000-memory.dmp

              Filesize

              856KB

              Download

            • memory/4480-43-0x0000000008910000-0x000000000891E000-memory.dmp

              Filesize

              56KB

              Download

            • memory/4480-42-0x0000000008D10000-0x0000000008D48000-memory.dmp

              Filesize

              224KB

              Download

            • memory/4896-44-0x0000020161F10000-0x0000020161F32000-memory.dmp

              Filesize

              136KB

              Download

            • memory/5096-37-0x00000000005C0000-0x00000000005DA000-memory.dmp

              Filesize

              104KB

              Download

            • memory/5096-108-0x000000001ECB0000-0x000000001F1D8000-memory.dmp

              Filesize

              5.2MB

              Download

            • memory/5096-107-0x000000001E170000-0x000000001E220000-memory.dmp

              Filesize

              704KB

              Download

            • memory/5096-89-0x00007FFBA39D0000-0x00007FFBA4492000-memory.dmp

              Filesize

              10.8MB

              Download

            • memory/5096-130-0x00007FFBA39D0000-0x00007FFBA4492000-memory.dmp

              Filesize

              10.8MB

              Download

            • memory/5096-39-0x00007FFBA39D0000-0x00007FFBA4492000-memory.dmp

              Filesize

              10.8MB

              Download