bruteratel | 01b5d099ef6e692c26bc1ba7824f140fa2c6fef4c9e3508fb2c2314bfe2977ac

Analysis

max time kernel
138s
max time network
159s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
09/07/2023, 16:48

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

b7d8469e1cbef4exeexeexeex.exe
Size

17.7MB
MD5

b7d8469e1cbef44c4833b58f34e626ac
SHA1

db3e865f89f2375af7ae8ba7fc56ae61c4200ade
SHA256

01b5d099ef6e692c26bc1ba7824f140fa2c6fef4c9e3508fb2c2314bfe2977ac
SHA512

c24bdc3ca18c8fa4f2c74abd2ded284973d7ce47e45839b02edced8c4bae6257ba00c6d55185ff9c76af75c50b9efbcc456783ddc1a2baf6e9d9b8d96e7c5184
SSDEEP

393216:8lHaUqYr/Bm/grjWdwJJsv6tWKFdu9CULiG55:8haUqYrJegrjWdwOOy

Score

10^/10

bruteratel aspackv2 backdoor

Malware Config

Signatures

Brute Ratel C4
A customized command and control framework for red teaming and adversary simulation.
backdoor bruteratel

ASPack v2.12-2.42 2 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

resource	yara_rule
behavioral2/files/0x00080000000231ce-136.dat	aspack_v212_v242
behavioral2/files/0x00080000000231ce-135.dat	aspack_v212_v242

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4176143399-3250363947-192774652-1000\Control Panel\International\Geo\Nation	cJkssRvJ.exe

Executes dropped EXE 2 IoCs

pid	Process
4408	cJkssRvJ.exe
2932	앤틱접속기Full.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\javapackager.exe	cJkssRvJ.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\rmid.exe	cJkssRvJ.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\javaws.exe	cJkssRvJ.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\filecompare.exe	cJkssRvJ.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsCamera_2018.826.98.0_x64__8wekyb3d8bbwe\WindowsCamera.exe	cJkssRvJ.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\policytool.exe	cJkssRvJ.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\rmiregistry.exe	cJkssRvJ.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\Common.ShowHelp.exe	cJkssRvJ.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftStickyNotes_3.6.73.0_x64__8wekyb3d8bbwe\Microsoft.Notes.exe	cJkssRvJ.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsStore_11910.1002.5.0_x64__8wekyb3d8bbwe\WinStore.App.exe	cJkssRvJ.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe	cJkssRvJ.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\jjs.exe	cJkssRvJ.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\pack200.exe	cJkssRvJ.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\unpack200.exe	cJkssRvJ.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_4.4.8204.0_x64__8wekyb3d8bbwe\Microsoft.MicrosoftSolitaireCollection.exe	cJkssRvJ.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	cJkssRvJ.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\jabswitch.exe	cJkssRvJ.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	cJkssRvJ.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe	cJkssRvJ.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe	cJkssRvJ.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jstack.exe	cJkssRvJ.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\SETLANG.EXE	cJkssRvJ.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\EQUATION\eqnedt32.exe	cJkssRvJ.exe
File opened for modification	C:\Program Files\Windows Photo Viewer\ImagingDevices.exe	cJkssRvJ.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jdeps.exe	cJkssRvJ.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\jp2launcher.exe	cJkssRvJ.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxTsr.exe	cJkssRvJ.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\keytool.exe	cJkssRvJ.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\policytool.exe	cJkssRvJ.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jdb.exe	cJkssRvJ.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\java-rmi.exe	cJkssRvJ.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\msoasb.exe	cJkssRvJ.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\ONENOTEM.EXE	cJkssRvJ.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\MSOICONS.EXE	cJkssRvJ.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Container.exe	cJkssRvJ.exe
File opened for modification	C:\Program Files\Windows Mail\wabmig.exe	cJkssRvJ.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.GetHelp_10.1706.13331.0_x64__8wekyb3d8bbwe\GetHelp.exe	cJkssRvJ.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\3DViewer.exe	cJkssRvJ.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MixedReality.Portal_2000.19081.1301.0_x64__8wekyb3d8bbwe\MixedRealityPortal.Brokered.exe	cJkssRvJ.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.People_10.1902.633.0_x64__8wekyb3d8bbwe\PeopleApp.exe	cJkssRvJ.exe
File opened for modification	C:\Program Files (x86)\Windows Mail\wabmig.exe	cJkssRvJ.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\java.exe	cJkssRvJ.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\AppInstallerPythonRedirector.exe	cJkssRvJ.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Video.UI.exe	cJkssRvJ.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe	cJkssRvJ.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jmap.exe	cJkssRvJ.exe
File opened for modification	C:\Program Files\Microsoft Office 15\ClientX64\IntegratedOffice.exe	cJkssRvJ.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	cJkssRvJ.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe	cJkssRvJ.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateOnDemand.exe	cJkssRvJ.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxAccounts.exe	cJkssRvJ.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe	cJkssRvJ.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftOfficeHub_18.1903.1152.0_x64__8wekyb3d8bbwe\LocalBridge.exe	cJkssRvJ.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	cJkssRvJ.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	cJkssRvJ.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	cJkssRvJ.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\tnameserv.exe	cJkssRvJ.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\tnameserv.exe	cJkssRvJ.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\idlj.exe	cJkssRvJ.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\wsgen.exe	cJkssRvJ.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\wsimport.exe	cJkssRvJ.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\ssvagent.exe	cJkssRvJ.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\rmid.exe	cJkssRvJ.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\MSOSREC.EXE	cJkssRvJ.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3004	2932	WerFault.exe	85

Suspicious use of WriteProcessMemory 10 IoCs

description	pid	Process	procid_target
PID 1516 wrote to memory of 4408	1516	b7d8469e1cbef4exeexeexeex.exe	84
PID 1516 wrote to memory of 4408	1516	b7d8469e1cbef4exeexeexeex.exe	84
PID 1516 wrote to memory of 4408	1516	b7d8469e1cbef4exeexeexeex.exe	84
PID 1516 wrote to memory of 2932	1516	b7d8469e1cbef4exeexeexeex.exe	85
PID 1516 wrote to memory of 2932	1516	b7d8469e1cbef4exeexeexeex.exe	85
PID 1516 wrote to memory of 2932	1516	b7d8469e1cbef4exeexeexeex.exe	85
PID 1516 wrote to memory of 2932	1516	b7d8469e1cbef4exeexeexeex.exe	85
PID 4408 wrote to memory of 1248	4408	cJkssRvJ.exe	90
PID 4408 wrote to memory of 1248	4408	cJkssRvJ.exe	90
PID 4408 wrote to memory of 1248	4408	cJkssRvJ.exe	90

C:\Users\Admin\AppData\Local\Temp\b7d8469e1cbef4exeexeexeex.exe
"C:\Users\Admin\AppData\Local\Temp\b7d8469e1cbef4exeexeexeex.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1516
- C:\Users\Admin\AppData\Local\Temp\cJkssRvJ.exe
  C:\Users\Admin\AppData\Local\Temp\cJkssRvJ.exe
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Drops file in Program Files directory
  - Suspicious use of WriteProcessMemory
  PID:4408
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\5591036d.bat" "
    3⤵
    PID:1248
- C:\Users\Admin\AppData\Local\Temp\앤틱접속기Full.exe
  앤틱접속기Full.exe
  2⤵
  - Executes dropped EXE
  PID:2932
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2932 -s 152
    3⤵
    - Program crash
    PID:3004

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 2932 -ip 2932
1⤵
PID:944

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\SUUB7YB2\k2[1].rar

Filesize
4B

MD5
d3b07384d113edec49eaa6238ad5ff00

SHA1
f1d2d2f924e986ac86fdf7b36c94bcdf32beec15

SHA256
b5bb9d8014a0f9b1d61e21e796d78dccdf1352f23cd32812f4850b878ae4944c

SHA512
0cf9180a764aba863a67b6d72f0918bc131c6772642cb2dce5a34f0a702f9470ddc2bf125c12198b1995c233c34b4afd346c54a2334c350a948a51b6e8b4e6b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\4D0544A3.exe

Filesize
4B

MD5
20879c987e2f9a916e578386d499f629

SHA1
c7b33ddcc42361fdb847036fc07e880b81935d5d

SHA256
9f2981a7cc4d40a2a409dc895de64253acd819d7c0011c8e80b86fe899464e31

SHA512
bcdde1625364dd6dd143b45bdcec8d59cf8982aff33790d390b839f3869e0e815684568b14b555a596d616252aeeaa98dac2e6e551c9095ea11a575ff25ff84f

Download Submit
C:\Users\Admin\AppData\Local\Temp\5591036d.bat

Filesize
191B

MD5
7635cc845a7e5b3428b38c53dee06a34

SHA1
fcb420f8befe37e669893b52b4282894f9a66086

SHA256
70cfe6097647b1234f234f154581004a928ef50d5c87ff8f6990c173464eb1af

SHA512
c64703d4159402eba9cd1cc0878c339d8fc2a89f59738d2f7d4c99cad31520471079cf470e923ee22c9bd9ab683124a1e337b3db475c0835716b4d4c602a8f57

Download Submit
C:\Users\Admin\AppData\Local\Temp\cJkssRvJ.exe

Filesize
15KB

MD5
56b2c3810dba2e939a8bb9fa36d3cf96

SHA1
99ee31cd4b0d6a4b62779da36e0eeecdd80589fc

SHA256
4354970ccc7cd6bb16318f132c34f6a1b3d5c2ea7ff53e1c9271905527f2db07

SHA512
27812a9a034d7bd2ca73b337ae9e0b6dc79c38cfd1a2c6ac9d125d3cc8fa563c401a40d22155811d5054e5baa8cf8c8e7e03925f25fa856a9ba9dea708d15b4e

Download Submit
C:\Users\Admin\AppData\Local\Temp\cJkssRvJ.exe

Filesize
15KB

MD5
56b2c3810dba2e939a8bb9fa36d3cf96

SHA1
99ee31cd4b0d6a4b62779da36e0eeecdd80589fc

SHA256
4354970ccc7cd6bb16318f132c34f6a1b3d5c2ea7ff53e1c9271905527f2db07

SHA512
27812a9a034d7bd2ca73b337ae9e0b6dc79c38cfd1a2c6ac9d125d3cc8fa563c401a40d22155811d5054e5baa8cf8c8e7e03925f25fa856a9ba9dea708d15b4e

Download Submit
C:\Users\Admin\AppData\Local\Temp\앤틱접속기Full.exe

Filesize
15.4MB

MD5
57f35cd0ab71a895d1fd41666a24a7ce

SHA1
d86a68ff10a898d71d7122d857d63ad657e13e9a

SHA256
dedb81c4a65232e2c1beb29cb9d894aa999ca88d6e51d0a17ff0250781e4cc07

SHA512
9ee0b3487b54b81772adcd38363d8f6bec3a4a787c45345a7375a0ff49a5647c6e272e4263a234c44bd12a46ded54b0ab9f42e12b0f60c8f642b2f5e1b83ac37

Download Submit
C:\Users\Admin\AppData\Local\Temp\앤틱접속기Full.exe

Filesize
15.4MB

MD5
57f35cd0ab71a895d1fd41666a24a7ce

SHA1
d86a68ff10a898d71d7122d857d63ad657e13e9a

SHA256
dedb81c4a65232e2c1beb29cb9d894aa999ca88d6e51d0a17ff0250781e4cc07

SHA512
9ee0b3487b54b81772adcd38363d8f6bec3a4a787c45345a7375a0ff49a5647c6e272e4263a234c44bd12a46ded54b0ab9f42e12b0f60c8f642b2f5e1b83ac37

Download Submit
memory/1516-142-0x0000000000390000-0x0000000001554000-memory.dmp

Filesize
17.8MB

Download
memory/2932-159-0x0000000000E20000-0x0000000001D92000-memory.dmp

Filesize
15.4MB

Download
memory/4408-143-0x0000000000F80000-0x0000000000F89000-memory.dmp

Filesize
36KB

Download
memory/4408-187-0x0000000000F80000-0x0000000000F89000-memory.dmp

Filesize
36KB

Download