Analysis
- max time kernel: 132s
- max time network: 145s
- platform: windows7_x64
- resource: win7-20220812-en
- resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
- submitted: 05-01-2023 21:06
Behavioral task: behavioral1
- Sample: b369ed704c293b76452ee1bdd99a69bbb76b393a4a9d404e0b5df59a00cff074.dll
- Resource: win7-20220812-en
Behavioral task: behavioral2
- Sample: b369ed704c293b76452ee1bdd99a69bbb76b393a4a9d404e0b5df59a00cff074.dll
- Resource: win10v2004-20220812-en
General
- Target: b369ed704c293b76452ee1bdd99a69bbb76b393a4a9d404e0b5df59a00cff074.dll
- Size: 46KB
- MD5: 20a1b981278554db005802d4d8e82596
- SHA1: eaa9172c1cd7f38b17a5e8e952cfff6f5fe6a741
- SHA256: b369ed704c293b76452ee1bdd99a69bbb76b393a4a9d404e0b5df59a00cff074
- SHA512: 63f8d3dae6ba43068962c02a54d560281aa4caf46b1c22b977ba89be975c744c1ea00b67d8e35cbcd8afbf01829e6033b536479d332c6acbc8ed0159ee6a70d1
- SSDEEP: 768:YMWqDAZLIY2vSDNBDHtsM+/KC9FY1XPEWFXJzuxUknWJbe57xUMvmPPBKPPELYaN:YFqDAZLIY2vShBDHts/99FY1XnQtncbK
Malware Config
Extracted: bruteratel
- 45.43.2.62:443
- c2_auth: ransomness12345
- uri: /blog, /view, /register
- user_agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.93 Safari/537.36
Signatures
- Brute Ratel C4
  A customized command and control framework for red teaming and adversary simulation.
- Blocklisted process makes network request (2 IoCs)
  Processes:
    flow 1, pid 368, rundll32.exe
    flow 3, pid 368, rundll32.exe
- Downloads MZ/PE file
- Executes dropped EXE (1 IoC)
  Processes:
    pid 304, gets.exe
- Loads dropped DLL (2 IoCs)
  Processes:
    pid 940, taskeng.exe
    pid 940, taskeng.exe
- Drops file in System32 directory (1 IoC)
  Processes:
    File opened for modification: C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat (gets.exe)
- Drops file in Windows directory (1 IoC)
  Processes:
    File created: C:\Windows\Tasks\irbtihtnduonhbtnhbt.job (rundll32.exe)
- Modifies data under HKEY_USERS (21 IoCs)
  Processes (all by gets.exe):
    Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
    Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings
    Set value (int): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{0B3D965A-12AD-41FF-9B63-AD9FA062CEA5}\WpadDecisionReason = "1"
    Set value (int): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{0B3D965A-12AD-41FF-9B63-AD9FA062CEA5}\WpadDecision = "0"
    Key created: \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\c6-6c-ae-48-c1-36
    Set value (data): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\c6-6c-ae-48-c1-36\WpadDecisionTime = b0a08e315221d901
    Set value (int): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\c6-6c-ae-48-c1-36\WpadDecision = "0"
    Key created: \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings
    Set value (str): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"
    Set value (str): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{0B3D965A-12AD-41FF-9B63-AD9FA062CEA5}\WpadNetworkName = "Network 3"
    Set value (str): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix
    Set value (int): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\c6-6c-ae-48-c1-36\WpadDecisionReason = "1"
    Set value (data): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
    Set value (str): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"
    Set value (int): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0"
    Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad
    Set value (data): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f009a000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
    Key created: \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{0B3D965A-12AD-41FF-9B63-AD9FA062CEA5}
    Set value (data): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{0B3D965A-12AD-41FF-9B63-AD9FA062CEA5}\WpadDecisionTime = b0a08e315221d901
    Key created: \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{0B3D965A-12AD-41FF-9B63-AD9FA062CEA5}\c6-6c-ae-48-c1-36
    Set value (data): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
- Suspicious use of WriteProcessMemory (3 IoCs)
  Processes:
    PID 940 (taskeng.exe) wrote to memory of PID 304 (gets.exe)
    PID 940 (taskeng.exe) wrote to memory of PID 304 (gets.exe)
    PID 940 (taskeng.exe) wrote to memory of PID 304 (gets.exe)
Processes
- C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\b369ed704c293b76452ee1bdd99a69bbb76b393a4a9d404e0b5df59a00cff074.dll,#1
  - Blocklisted process makes network request
  - Drops file in Windows directory
- C:\Windows\system32\taskeng.exe
  Command line: taskeng.exe {BE539FAB-5E49-4331-805A-32C4B5412352} S-1-5-18:NT AUTHORITY\System:Service:
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  - Child: C:\Users\Admin\AppData\Local\Temp\gets.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\gets.exe
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies data under HKEY_USERS
Downloads
- C:\Users\Admin\AppData\Local\Temp\gets.exe
  Filesize: 287KB
  MD5: e7978edb4b553918e4222d8457c23aeb
  SHA1: 3d1ac508e9efa8777eb78ea12e90f1adaeabaa0e
  SHA256: c6c02a4e5dc5d830d9d16cb51e6e4ef3e640385648d0ec09627032757704eaa3
  SHA512: 0863911083e059f16a2cd3503418d086b47d9ec9b3dcd54e5883c49a6a1163f56e42c6f3306cb3bb51b5ea89dcd7c1097c9356257377245ba552d3e38a9b4700
- memory/304-58-0x0000000000000000-mapping.dmp
- memory/304-60-0x0000000000660000-0x000000000069F000-memory.dmp
  Filesize: 252KB
- memory/368-54-0x000007FEFB9F1000-0x000007FEFB9F3000-memory.dmp
  Filesize: 8KB