Resubmissions

15/03/2024, 08:35

240315-khfr5scb41 10

08/03/2024, 06:28

240308-g8rqjsac9y 10

Analysis

  • max time kernel
    149s
  • max time network
    153s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    08/03/2024, 06:28

General

  • Target

    bac03e7065835ff2e82f01801740a5e0.exe

  • Size

    1.3MB

  • MD5

    bac03e7065835ff2e82f01801740a5e0

  • SHA1

    2bf512bc4f3d6f1bece40073ddedadad65264166

  • SHA256

    04c031ecbff301c0c7c55c8c9352dea457370b221c314710e2e94575b8caf45b

  • SHA512

    a2ee185a51f1ee7d53a622013ccb9f47c9893f304dce3413d53399ad3d757ed0dd7782f8dbe3f60c8f19c9f69fd40fc8fbb3b59aa09279871a3ee50878f50d97

  • SSDEEP

    24576:r4VrnNUc9BJxetHXQf/R4GdfEzh7B905zfXKkfz+bVILjMxuY:cFNlYXI/R4GduL05zfXdfgVILY1

Score
10/10

Malware Config

Signatures

  • Brute Ratel C4

    A customized command and control framework for red teaming and adversary simulation.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\bac03e7065835ff2e82f01801740a5e0.exe
    "C:\Users\Admin\AppData\Local\Temp\bac03e7065835ff2e82f01801740a5e0.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:4804
    • C:\Arquivos de programas\acrobat32.exe
      "C:\Arquivos de programas\acrobat32.exe"
      2⤵
      • Executes dropped EXE
      • Drops file in Windows directory
      • Suspicious behavior: GetForegroundWindowSpam
      PID:4468

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Arquivos de programas\acrobat32.exe

    Filesize

    4.7MB

    MD5

    a2dcbb2ea492923bc079572d1af44ceb

    SHA1

    64a06cbcd34b7590f777bb5f999e010079d343ac

    SHA256

    3d0aa495d530afbc829b377a9cc7487edba1ba0e98d814f938427d5d0f7afe2a

    SHA512

    1eddaaaa94f7f3664481ae6092730c0ebffecac70da1d423c8bc98e885be030e2f4d17bc84443e84e1409ec5a09f767570e40660d5a3924af465b9b02cd9b452

  • C:\Arquivos de programas\acrobat32.exe

    Filesize

    4.5MB

    MD5

    d0a633d0ff389fcfe160a90ceb440801

    SHA1

    0cb7672527b71a82f136e9ed453b68359e96fe37

    SHA256

    10b15f3f2167cce7387bd5daf277f859d72c17c0fa28c5f6f6292340d8798111

    SHA512

    951a52e45f337b9d50d2d84d697965f106a0c2b82be57bdbdf8bb4170332fac5b61ff3ac52e681261fbaf4f84ba000872e4235e315c0382f0479567bc8dadd4e

  • C:\Arquivos de programas\acrobat32.exe

    Filesize

    8.3MB

    MD5

    07911018bedfc93cfed840716423eabf

    SHA1

    d13f07d03da8820464ff8c4971a7a3a77fd19bcd

    SHA256

    fe2b2d760396438efbf3664b8d92c76d4aa64d2453cb229fa70e465ec5bd6017

    SHA512

    aeeb2b6fd279d98e5401d6f3f0145a8ecc8952233922b9a2892fa4f38dbe01c10251355b387a425144958fb72477ef49c8ef8db2ddb54b3ab92392fede8a74b4

  • memory/4468-12-0x0000000001800000-0x0000000001801000-memory.dmp

    Filesize

    4KB

  • memory/4468-14-0x0000000000280000-0x0000000001532000-memory.dmp

    Filesize

    18.7MB

  • memory/4804-13-0x0000000000400000-0x0000000000421000-memory.dmp

    Filesize

    132KB