Analysis
max time kernel: 145s
max time network: 150s
platform: windows7_x64
resource: win7-20240903-en
submitted: 03/10/2024, 18:41

Static task: static1
Behavioral task: behavioral1
  Sample: Document-18-33-08.js
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: Document-18-33-08.js
  Resource: win10v2004-20240802-en

General
Target: Document-18-33-08.js
Size: 340KB
MD5: c05645ed2ec3ff5c541b99d20011a488
SHA1: 6822c03f0781ac932c31747610f1fe1039f6861f
SHA256: a9a4640e3887e4ee71ae0e0624afa6b8fa6a22cdffd190f1d83234109dd8496d
SHA512: 5c931e2c1c677bf2f9945b71d59f2b561d16fc43fcc3a51347e4787b2c16c0818356b0d77f889d6eacc0a3c549f1ae99f3ee145427ef13cfd94ce6175b4a7478
SSDEEP: 6144:jkrTzZUnqgeguE0Hz5q9viFrdTCSaJPFVQTo6AP99eZ4krLBsxHfn5:8XSn7uEMzU9viFrtbap+52I4KLBsP
Malware Config
Signatures
- Brute Ratel C4
  A customized command and control framework for red teaming and adversary simulation.
- Bruteratel family
- Detect BruteRatel badger (3 IoCs)
  resource  yara_rule
  behavioral1/memory/1048-126-0x0000000273F40000-0x0000000273F8A000-memory.dmp  family_bruteratel
  behavioral1/memory/1048-129-0x0000000273F40000-0x0000000273F8A000-memory.dmp  family_bruteratel
  behavioral1/memory/1048-145-0x0000000273F40000-0x0000000273F8A000-memory.dmp  family_bruteratel
- Blocklisted process makes network request (64 IoCs)
  flow  pid  Process
  3, 5  3024  wscript.exe
  8  1972  msiexec.exe
  12-23, 26, 28, 30, 32-55, 61-78, 80-83  1048  rundll32.exe
- Executes dropped EXE (1 IoCs)
  pid  Process
  1300  MSI40C.tmp
- Loads dropped DLL (11 IoCs)
  pid  Process
  1400  MsiExec.exe (3 loads)
  1624  rundll32.exe (4 loads)
  1048  rundll32.exe (4 loads)
- Enumerates connected drives (3 TTPs, 23 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
  description  ioc  Process
  File opened (read-only) by msiexec.exe: \??\M:, \??\Q:, \??\S:, \??\V:, \??\E:, \??\H:, \??\G:, \??\J:, \??\K:, \??\O:, \??\P:, \??\Y:, \??\A:, \??\B:, \??\Z:, \??\R:, \??\T:, \??\W:, \??\I:, \??\N:, \??\X:, \??\L:, \??\U:
- Drops file in Windows directory (9 IoCs)
  description  ioc  Process
  File opened for modification  C:\Windows\Installer\MSIFD81.tmp  msiexec.exe
  File opened for modification  C:\Windows\Installer\MSI1A8.tmp  msiexec.exe
  File opened for modification  C:\Windows\Installer\  msiexec.exe
  File opened for modification  C:\Windows\Installer\MSI3CC.tmp  msiexec.exe
  File opened for modification  C:\Windows\Installer\MSI40C.tmp  msiexec.exe
  File opened for modification  C:\Windows\Installer\MSIAD.tmp  msiexec.exe
  File opened for modification  C:\Windows\Installer\MSI1F7.tmp  msiexec.exe
  File created  C:\Windows\Installer\f770273.ipi  msiexec.exe
  File opened for modification  C:\Windows\Installer\f770273.ipi  msiexec.exe
- Command and Scripting Interpreter: JavaScript (1 TTPs)
- System Location Discovery: System Language Discovery (1 TTPs, 3 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description  ioc  Process
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  MsiExec.exe
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  MSI40C.tmp
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  rundll32.exe
- Modifies data under HKEY_USERS (1 IoCs)
  description  ioc  Process
  Key created  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad  msiexec.exe
- Modifies system certificate store (6 IoCs)
  description  ioc  Process
  Set value (data)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = [DER certificate blob omitted; the readable subject in the hex is "DigiCert Assured ID Root CA"]  wscript.exe (3 writes)
  Key created  \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8  rundll32.exe
  Set value (data)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = [certificate blob omitted]  rundll32.exe
  Key created  \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43  wscript.exe
- Suspicious behavior: EnumeratesProcesses (39 IoCs)
  pid  Process
  1972  msiexec.exe (2 events)
  1048  rundll32.exe (37 events)
- Suspicious use of AdjustPrivilegeToken (52 IoCs)
  description  pid  Process
  3024 wscript.exe (31 token adjustments): SeShutdownPrivilege, SeIncreaseQuotaPrivilege, SeCreateTokenPrivilege, SeAssignPrimaryTokenPrivilege, SeLockMemoryPrivilege, SeIncreaseQuotaPrivilege, SeMachineAccountPrivilege, SeTcbPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeAuditPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeSyncAgentPrivilege, SeEnableDelegationPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
  1972 msiexec.exe (21 token adjustments): SeRestorePrivilege, SeTakeOwnershipPrivilege, SeSecurityPrivilege, then the pair SeRestorePrivilege / SeTakeOwnershipPrivilege nine more times
- Suspicious use of WriteProcessMemory (18 IoCs)
  description  pid  Process  procid_target
  PID 1972 wrote to memory of 1400  1972  msiexec.exe  32  (7 events)
  PID 1972 wrote to memory of 1300  1972  msiexec.exe  33  (7 events)
  PID 1624 wrote to memory of 1048  1624  rundll32.exe  35  (4 events)
Processes
- C:\Windows\system32\wscript.exe (PID 3024)
  Command line: wscript.exe C:\Users\Admin\AppData\Local\Temp\Document-18-33-08.js
  - Blocklisted process makes network request
  - Modifies system certificate store
  - Suspicious use of AdjustPrivilegeToken
- C:\Windows\system32\msiexec.exe (PID 1972)
  Command line: C:\Windows\system32\msiexec.exe /V
  - Blocklisted process makes network request
  - Enumerates connected drives
  - Drops file in Windows directory
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\syswow64\MsiExec.exe (PID 1400)
    Command line: C:\Windows\syswow64\MsiExec.exe -Embedding 57B63831C00E71D0ADB124A0D0F80F1B
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
  - C:\Windows\Installer\MSI40C.tmp (PID 1300)
    Command line: "C:\Windows\Installer\MSI40C.tmp" /DontWait C:/Windows/SysWOW64/rundll32.exe C:\Users\Admin\AppData\Roaming\vierm_soft_x64.dll, GetDeepDVCState
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
- C:\Windows\SysWOW64\rundll32.exe (PID 1624)
  Command line: "C:\Windows\SysWOW64\rundll32.exe" C:\Users\Admin\AppData\Roaming\vierm_soft_x64.dll, GetDeepDVCState
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  - C:\Windows\system32\rundll32.exe (PID 1048)
    Command line: "C:\Windows\SysWOW64\rundll32.exe" C:\Users\Admin\AppData\Roaming\vierm_soft_x64.dll, GetDeepDVCState
    - Blocklisted process makes network request
    - Loads dropped DLL
    - Modifies system certificate store
    - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 1KB
  MD5: dc3d57362fd6a896d170b73e17f1dd36
  SHA1: a8859de154d7336bb0ea731684b24cd3f0527010
  SHA256: 6e26a98e795641a8faa3a1e1c3e282a4891b71b2e548fbdc40890f595129ad2f
  SHA512: 7182f4b7b302346aa6af545dd253556ea1f03cb936cce9ddea4db639190cf135f50e60341d532571a310858e018c0a193fee7d794d18a0805fa3a0fddaf9c80d
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 342B
  MD5: b65f5b1534edff80798342df6678a749
  SHA1: f632dc75d66767b4d7500ad04aa2db8d3f628e1c
  SHA256: d3e4d2bd0ed47e89533b72fd9890a4b464794f5b536d21b6e56b2b64e161e89e
  SHA512: aeb0ab4ec784e7ba8616c2655e3d089c13168a8ce9254be617208e25731070a8392ec323d86da002a48a3b21a867bf3af2c97f8ec736624fa16d350e93c9af6e
- Filesize: 70KB
  MD5: 49aebf8cbd62d92ac215b2923fb1b9f5
  SHA1: 1723be06719828dda65ad804298d0431f6aff976
  SHA256: b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
  SHA512: bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b
- Filesize: 181KB
  MD5: 4ea6026cf93ec6338144661bf1202cd1
  SHA1: a1dec9044f750ad887935a01430bf49322fbdcb7
  SHA256: 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
  SHA512: 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b
- Filesize: 749KB
  MD5: b1ca25f5bb4edd293b3711c77eb99a6f
  SHA1: 178bba8686ea329b884a652fe0f8a0ae0c53d367
  SHA256: 97a6331239d451d7dfe15bfe17de8b419df741ae68bacd440808f8b8d3f99b8a
  SHA512: d5a282a8f81e117b79616c44a260d89c7fee06f4ac1387675bc79c3bd7599a5d49fbe3d8fb3d4d42eea81a17564abc2d42288bc2dc468d1b16ed633ba421b32d
- Filesize: 389KB
  MD5: b9545ed17695a32face8c3408a6a3553
  SHA1: f6c31c9cd832ae2aebcd88e7b2fa6803ae93fc83
  SHA256: 1e0e63b446eecf6c9781c7d1cae1f46a3bb31654a70612f71f31538fb4f4729a
  SHA512: f6d6dc40dcba5ff091452d7cc257427dcb7ce2a21816b4fec2ee249e63246b64667f5c4095220623533243103876433ef8c12c9b612c0e95fdfffe41d1504e04
- Filesize: 436KB
  MD5: 475d20c0ea477a35660e3f67ecf0a1df
  SHA1: 67340739f51e1134ae8f0ffc5ae9dd710e8e3a08
  SHA256: 426e6cf199a8268e8a7763ec3a4dd7add982b28c51d89ebea90ca792cbae14dd
  SHA512: 99525aaab2ab608134b5d66b5313e7fc3c2e2877395c5c171897d7a6c66efb26b606de1a4cb01118c2738ea4b6542e4eb4983e631231b3f340bf85e509a9589e
- Filesize: 1.6MB
  MD5: 3cb6b99b20930ac0dbadc10899dc511e
  SHA1: 570c4ab78cf4bb22b78aac215a4a79189d4fa9ed
  SHA256: ea1792f689bfe5ad3597c7f877b66f9fcf80d732e5233293d52d374d50cab991
  SHA512: aedf58ea01d59cce191cb9c0f83dbdbf7e3e8f049c764b577d6a957cb5229c50dda7ec6760ca43ad4dbdb085ae02b07bc818f69ca08373243019af6683e4931c