bruteratel | d71bfab9cca5df6a28e12ba51fe5eaf0f9151514b3fd363264513347a8c5cf3a

Analysis

max time kernel
1794s
max time network
1744s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
submitted
27/06/2024, 18:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

neuro.msi
Size

1.8MB
MD5

3645512add0c8cb24a88d2ffe3fe7620
SHA1

66dbfe6ffc1918f51b28af1abf55df0d1beaefe6
SHA256

d71bfab9cca5df6a28e12ba51fe5eaf0f9151514b3fd363264513347a8c5cf3a
SHA512

85151258ccb3b590716aed87c4a6a24ba74931aab0b378e279d9ab510fce94dfd26632d8ba44975e8136b1a9cc6c190e64c8b223f5f5e4f5b9cb3c6fb4a9429c
SSDEEP

49152:/YM3YuW8zBQSc0ZnSKYZKumZr7AH6odeQCC:bY90ZniK/AHHdvCC

Score

10^/10

bruteratel backdoor discovery persistence privilege_escalation

Malware Config

Signatures

Brute Ratel C4
A customized command and control framework for red teaming and adversary simulation.
backdoor bruteratel
Bruteratel family
bruteratel

Detect BruteRatel badger 3 IoCs

resource	yara_rule
behavioral2/memory/3808-47-0x000000033A710000-0x000000033A75A000-memory.dmp	family_bruteratel
behavioral2/memory/3808-48-0x000000033A710000-0x000000033A75A000-memory.dmp	family_bruteratel
behavioral2/memory/3808-58-0x000000033A710000-0x000000033A75A000-memory.dmp	family_bruteratel

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe

Drops file in Windows directory 10 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Installer\MSIBE02.tmp	msiexec.exe
File created	C:\Windows\Installer\e57bc4b.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\e57bc4b.msi	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIBD75.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File created	C:\Windows\Installer\SourceHash{659E647F-C518-49D5-BEA8-CCE98FBB9612}	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIBC99.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIBF6B.tmp	msiexec.exe

Executes dropped EXE 1 IoCs

pid	Process
4180	MSIBF6B.tmp

Loads dropped DLL 9 IoCs

pid	Process
4872	MsiExec.exe
4872	MsiExec.exe
4872	MsiExec.exe
4872	MsiExec.exe
4872	MsiExec.exe
4872	MsiExec.exe
1776	MsiExec.exe
1776	MsiExec.exe
3808	rundll32.exe

Event Triggered Execution: Installer Packages 2 TTPs 1 IoCs

persistence privilege_escalation

Installer Packages

T1546.016

Msiexec

T1218.007

pid	Process
4732	msiexec.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsiExec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsiExec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSIBF6B.tmp

Checks SCSI registry key(s) 3 TTPs 5 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 0000000004000000c9712a8ab103c3e30000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff000000002701010000080000c9712a8a0000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3a000000ffffffff000000000700010000680900c9712a8a000000000000d012000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f0ff3a0000000000000005000000ffffffff000000000700010000f87f1dc9712a8a000000000000f0ff3a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff000000000000000000000000c9712a8a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr	vssvc.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2588	msiexec.exe
2588	msiexec.exe
4180	MSIBF6B.tmp
4180	MSIBF6B.tmp
3808	rundll32.exe
3808	rundll32.exe
3808	rundll32.exe
3808	rundll32.exe
3808	rundll32.exe
3808	rundll32.exe
3808	rundll32.exe
3808	rundll32.exe
3808	rundll32.exe
3808	rundll32.exe
3808	rundll32.exe
3808	rundll32.exe
3808	rundll32.exe
3808	rundll32.exe
3808	rundll32.exe
3808	rundll32.exe
3808	rundll32.exe
3808	rundll32.exe
3808	rundll32.exe
3808	rundll32.exe
3808	rundll32.exe
3808	rundll32.exe
3808	rundll32.exe
3808	rundll32.exe
3808	rundll32.exe
3808	rundll32.exe
3808	rundll32.exe
3808	rundll32.exe
3808	rundll32.exe
3808	rundll32.exe
3808	rundll32.exe
3808	rundll32.exe
3808	rundll32.exe
3808	rundll32.exe
3808	rundll32.exe
3808	rundll32.exe
3808	rundll32.exe
3808	rundll32.exe
3808	rundll32.exe
3808	rundll32.exe
3808	rundll32.exe
3808	rundll32.exe
3808	rundll32.exe
3808	rundll32.exe
3808	rundll32.exe
3808	rundll32.exe
3808	rundll32.exe
3808	rundll32.exe
3808	rundll32.exe
3808	rundll32.exe
3808	rundll32.exe
3808	rundll32.exe
3808	rundll32.exe
3808	rundll32.exe
3808	rundll32.exe
3808	rundll32.exe
3808	rundll32.exe
3808	rundll32.exe
3808	rundll32.exe
3808	rundll32.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	4732	msiexec.exe
Token: SeIncreaseQuotaPrivilege	4732	msiexec.exe
Token: SeSecurityPrivilege	2588	msiexec.exe
Token: SeCreateTokenPrivilege	4732	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	4732	msiexec.exe
Token: SeLockMemoryPrivilege	4732	msiexec.exe
Token: SeIncreaseQuotaPrivilege	4732	msiexec.exe
Token: SeMachineAccountPrivilege	4732	msiexec.exe
Token: SeTcbPrivilege	4732	msiexec.exe
Token: SeSecurityPrivilege	4732	msiexec.exe
Token: SeTakeOwnershipPrivilege	4732	msiexec.exe
Token: SeLoadDriverPrivilege	4732	msiexec.exe
Token: SeSystemProfilePrivilege	4732	msiexec.exe
Token: SeSystemtimePrivilege	4732	msiexec.exe
Token: SeProfSingleProcessPrivilege	4732	msiexec.exe
Token: SeIncBasePriorityPrivilege	4732	msiexec.exe
Token: SeCreatePagefilePrivilege	4732	msiexec.exe
Token: SeCreatePermanentPrivilege	4732	msiexec.exe
Token: SeBackupPrivilege	4732	msiexec.exe
Token: SeRestorePrivilege	4732	msiexec.exe
Token: SeShutdownPrivilege	4732	msiexec.exe
Token: SeDebugPrivilege	4732	msiexec.exe
Token: SeAuditPrivilege	4732	msiexec.exe
Token: SeSystemEnvironmentPrivilege	4732	msiexec.exe
Token: SeChangeNotifyPrivilege	4732	msiexec.exe
Token: SeRemoteShutdownPrivilege	4732	msiexec.exe
Token: SeUndockPrivilege	4732	msiexec.exe
Token: SeSyncAgentPrivilege	4732	msiexec.exe
Token: SeEnableDelegationPrivilege	4732	msiexec.exe
Token: SeManageVolumePrivilege	4732	msiexec.exe
Token: SeImpersonatePrivilege	4732	msiexec.exe
Token: SeCreateGlobalPrivilege	4732	msiexec.exe
Token: SeCreateTokenPrivilege	4732	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	4732	msiexec.exe
Token: SeLockMemoryPrivilege	4732	msiexec.exe
Token: SeIncreaseQuotaPrivilege	4732	msiexec.exe
Token: SeMachineAccountPrivilege	4732	msiexec.exe
Token: SeTcbPrivilege	4732	msiexec.exe
Token: SeSecurityPrivilege	4732	msiexec.exe
Token: SeTakeOwnershipPrivilege	4732	msiexec.exe
Token: SeLoadDriverPrivilege	4732	msiexec.exe
Token: SeSystemProfilePrivilege	4732	msiexec.exe
Token: SeSystemtimePrivilege	4732	msiexec.exe
Token: SeProfSingleProcessPrivilege	4732	msiexec.exe
Token: SeIncBasePriorityPrivilege	4732	msiexec.exe
Token: SeCreatePagefilePrivilege	4732	msiexec.exe
Token: SeCreatePermanentPrivilege	4732	msiexec.exe
Token: SeBackupPrivilege	4732	msiexec.exe
Token: SeRestorePrivilege	4732	msiexec.exe
Token: SeShutdownPrivilege	4732	msiexec.exe
Token: SeDebugPrivilege	4732	msiexec.exe
Token: SeAuditPrivilege	4732	msiexec.exe
Token: SeSystemEnvironmentPrivilege	4732	msiexec.exe
Token: SeChangeNotifyPrivilege	4732	msiexec.exe
Token: SeRemoteShutdownPrivilege	4732	msiexec.exe
Token: SeUndockPrivilege	4732	msiexec.exe
Token: SeSyncAgentPrivilege	4732	msiexec.exe
Token: SeEnableDelegationPrivilege	4732	msiexec.exe
Token: SeManageVolumePrivilege	4732	msiexec.exe
Token: SeImpersonatePrivilege	4732	msiexec.exe
Token: SeCreateGlobalPrivilege	4732	msiexec.exe
Token: SeCreateTokenPrivilege	4732	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	4732	msiexec.exe
Token: SeLockMemoryPrivilege	4732	msiexec.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
4732	msiexec.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 2588 wrote to memory of 4872	2588	msiexec.exe	83
PID 2588 wrote to memory of 4872	2588	msiexec.exe	83
PID 2588 wrote to memory of 4872	2588	msiexec.exe	83
PID 2588 wrote to memory of 4348	2588	msiexec.exe	87
PID 2588 wrote to memory of 4348	2588	msiexec.exe	87
PID 2588 wrote to memory of 1776	2588	msiexec.exe	89
PID 2588 wrote to memory of 1776	2588	msiexec.exe	89
PID 2588 wrote to memory of 1776	2588	msiexec.exe	89
PID 2588 wrote to memory of 4180	2588	msiexec.exe	90
PID 2588 wrote to memory of 4180	2588	msiexec.exe	90
PID 2588 wrote to memory of 4180	2588	msiexec.exe	90

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\neuro.msi
1⤵
- Enumerates connected drives
- Event Triggered Execution: Installer Packages
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:4732

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2588
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 9FC826BD032F43DDAF4C2B82A3509DF5 C
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:4872
- C:\Windows\system32\srtasks.exe
  C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
  2⤵
  PID:4348
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding B66386D5FDC0CE4BD566ED18D698A31B
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:1776
- C:\Windows\Installer\MSIBF6B.tmp
  "C:\Windows\Installer\MSIBF6B.tmp" C:/Windows/System32/rundll32.exe C:\Users\Admin\AppData\Roaming\capisp.dll, remi
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:4180

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Checks SCSI registry key(s)
PID:1964

C:\Windows\System32\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\capisp.dll, remi
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:3808

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Event Triggered Execution

T1546

Installer Packages

T1546.016

Privilege Escalation

Event Triggered Execution

T1546

Installer Packages

T1546.016

Defense Evasion

System Binary Proxy Execution

T1218

Msiexec

T1218.007

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\MSI8A6D.tmp

Filesize
436KB

MD5
475d20c0ea477a35660e3f67ecf0a1df

SHA1
67340739f51e1134ae8f0ffc5ae9dd710e8e3a08

SHA256
426e6cf199a8268e8a7763ec3a4dd7add982b28c51d89ebea90ca792cbae14dd

SHA512
99525aaab2ab608134b5d66b5313e7fc3c2e2877395c5c171897d7a6c66efb26b606de1a4cb01118c2738ea4b6542e4eb4983e631231b3f340bf85e509a9589e

Download Submit
C:\Users\Admin\AppData\Roaming\capisp.dll

Filesize
1.2MB

MD5
70b599f67e97cb878ca7be88e069a82d

SHA1
768f8a179fee1f13505c7b772e543b19b29b14c8

SHA256
9b7bdb4cb71e84c5cff0923928bf7777a41cb5e0691810ae948304c151c0c1c5

SHA512
163c8e0b2676a27f1781e9fdec3c9994ba828c0085b9fdff9df4dd0112da122a5d7f6ca597af396f99c2afadbe438e1ab967dfba34451ee4ba3c59cd244b4985

Download Submit
C:\Windows\Installer\MSIBF6B.tmp

Filesize
389KB

MD5
b9545ed17695a32face8c3408a6a3553

SHA1
f6c31c9cd832ae2aebcd88e7b2fa6803ae93fc83

SHA256
1e0e63b446eecf6c9781c7d1cae1f46a3bb31654a70612f71f31538fb4f4729a

SHA512
f6d6dc40dcba5ff091452d7cc257427dcb7ce2a21816b4fec2ee249e63246b64667f5c4095220623533243103876433ef8c12c9b612c0e95fdfffe41d1504e04

Download Submit
\??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2

Filesize
23.7MB

MD5
bc525b3f7127738919843c5f5176f38e

SHA1
dba9b3cd5c3e4173741bfbf15c685f33432120d9

SHA256
fc7b90c30e24c2b74dba34e9a3d11ea303cc21236aa7708f90456a44a59388a3

SHA512
3efa71e4c73aaa09b609c0bebd075a9b6aff86584d6c6c60ecca2b23e4ff796005dd55889a83725b61ea24438d1460d002380348e47465bafba2e4dcb35463c8

Download Submit
\??\Volume{8a2a71c9-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{44292ddd-befc-4d96-8e25-087c38c9c89f}_OnDiskSnapshotProp

Filesize
6KB

MD5
6baa24425c4ef74ecf24fb3d96a69445

SHA1
11dd670335ff599e5f2096ed966eafe82580780b

SHA256
e674dae8ba8e409ecfc7572925758ab2a3d602f200a6f551f600603bad0b9af1

SHA512
56dcce72211f595e479f1a012ab7f794b8e24499d55c9f9a972b29e0768b4ed3647a5dda10f02571cf8a6364a50d84511dff99dd1762eaa8870448018fb4754f

Download Submit
memory/3808-47-0x000000033A710000-0x000000033A75A000-memory.dmp

Filesize
296KB

Download
memory/3808-48-0x000000033A710000-0x000000033A75A000-memory.dmp

Filesize
296KB

Download
memory/3808-49-0x00000228CDEE0000-0x00000228CDF2C000-memory.dmp

Filesize
304KB

Download
memory/3808-58-0x000000033A710000-0x000000033A75A000-memory.dmp

Filesize
296KB

Download
memory/3808-61-0x0000000180000000-0x000000018013A000-memory.dmp

Filesize
1.2MB

Download
memory/3808-62-0x00000228CDEE0000-0x00000228CDF2C000-memory.dmp

Filesize
304KB

Download