bruteratel | 0d9d65a1f9c447584a022a866fed2399bf8b42e2a0087a786e87087bba1e18f1

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
submitted
03/10/2024, 20:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Document-20-18-07.js
Size

339KB
MD5

75e64bec47916e4860cb6b151fcbaed6
SHA1

0102db540317b48d319cfb5b3538e364ff2bac6b
SHA256

0d9d65a1f9c447584a022a866fed2399bf8b42e2a0087a786e87087bba1e18f1
SHA512

208d0b1239c531d34f3bba59a950cf0b791e85870c6cc4512327733010e02fb4b932d98ff13d40cb758636453ad3bdc84509a1c0778facf47a56ecb79a8daee7
SSDEEP

6144:TnOwLgNJEXMI/ptQxobwi+a0xPr4fTpJ2Ll29NOzWC22hFMPPr6wWHclWErffr+:q6gNJEXhBtmobwi+bMT2LlKOztPFmGHd

Score

10^/10

bruteratel backdoor discovery execution

Malware Config

Signatures

Brute Ratel C4
A customized command and control framework for red teaming and adversary simulation.
backdoor bruteratel
Bruteratel family
bruteratel

Detect BruteRatel badger 3 IoCs

resource	yara_rule
behavioral2/memory/2476-58-0x0000000273F40000-0x0000000273F8A000-memory.dmp	family_bruteratel
behavioral2/memory/2476-59-0x0000000273F40000-0x0000000273F8A000-memory.dmp	family_bruteratel
behavioral2/memory/2476-75-0x0000000273F40000-0x0000000273F8A000-memory.dmp	family_bruteratel

Blocklisted process makes network request 64 IoCs

flow	pid	Process
4	3616	wscript.exe
6	3616	wscript.exe
8	3616	wscript.exe
13	452	msiexec.exe
29	2476	rundll32.exe
33	2476	rundll32.exe
35	2476	rundll32.exe
37	2476	rundll32.exe
38	2476	rundll32.exe
42	2476	rundll32.exe
43	2476	rundll32.exe
44	2476	rundll32.exe
45	2476	rundll32.exe
49	2476	rundll32.exe
50	2476	rundll32.exe
51	2476	rundll32.exe
52	2476	rundll32.exe
53	2476	rundll32.exe
54	2476	rundll32.exe
55	2476	rundll32.exe
56	2476	rundll32.exe
57	2476	rundll32.exe
58	2476	rundll32.exe
61	2476	rundll32.exe
62	2476	rundll32.exe
66	2476	rundll32.exe
68	2476	rundll32.exe
69	2476	rundll32.exe
70	2476	rundll32.exe
71	2476	rundll32.exe
74	2476	rundll32.exe
75	2476	rundll32.exe
79	2476	rundll32.exe
84	2476	rundll32.exe
87	2476	rundll32.exe
88	2476	rundll32.exe
91	2476	rundll32.exe
92	2476	rundll32.exe
93	2476	rundll32.exe
94	2476	rundll32.exe
95	2476	rundll32.exe
96	2476	rundll32.exe
97	2476	rundll32.exe
98	2476	rundll32.exe
99	2476	rundll32.exe
100	2476	rundll32.exe
101	2476	rundll32.exe
102	2476	rundll32.exe
103	2476	rundll32.exe
104	2476	rundll32.exe
105	2476	rundll32.exe
106	2476	rundll32.exe
107	2476	rundll32.exe
108	2476	rundll32.exe
109	2476	rundll32.exe
110	2476	rundll32.exe
111	2476	rundll32.exe
112	2476	rundll32.exe
113	2476	rundll32.exe
114	2476	rundll32.exe
115	2476	rundll32.exe
116	2476	rundll32.exe
117	2476	rundll32.exe
121	2476	rundll32.exe

Executes dropped EXE 1 IoCs

pid	Process
1868	MSI9522.tmp

Loads dropped DLL 6 IoCs

pid	Process
1864	MsiExec.exe
1864	MsiExec.exe
1864	MsiExec.exe
1864	MsiExec.exe
4616	rundll32.exe
2476	rundll32.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe

Drops file in Windows directory 10 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI9472.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI94B2.tmp	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI94E2.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI9522.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI8FBD.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI9348.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI94A2.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe

Command and Scripting Interpreter: JavaScript 1 TTPs
execution

JavaScript
T1059.007

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsiExec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSI9522.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
452	msiexec.exe
452	msiexec.exe
2476	rundll32.exe
2476	rundll32.exe
2476	rundll32.exe
2476	rundll32.exe
2476	rundll32.exe
2476	rundll32.exe
2476	rundll32.exe
2476	rundll32.exe
2476	rundll32.exe
2476	rundll32.exe
2476	rundll32.exe
2476	rundll32.exe
2476	rundll32.exe
2476	rundll32.exe
2476	rundll32.exe
2476	rundll32.exe
2476	rundll32.exe
2476	rundll32.exe
2476	rundll32.exe
2476	rundll32.exe
2476	rundll32.exe
2476	rundll32.exe
2476	rundll32.exe
2476	rundll32.exe
2476	rundll32.exe
2476	rundll32.exe
2476	rundll32.exe
2476	rundll32.exe
2476	rundll32.exe
2476	rundll32.exe
2476	rundll32.exe
2476	rundll32.exe
2476	rundll32.exe
2476	rundll32.exe
2476	rundll32.exe
2476	rundll32.exe
2476	rundll32.exe
2476	rundll32.exe
2476	rundll32.exe
2476	rundll32.exe
2476	rundll32.exe
2476	rundll32.exe
2476	rundll32.exe
2476	rundll32.exe
2476	rundll32.exe
2476	rundll32.exe
2476	rundll32.exe
2476	rundll32.exe
2476	rundll32.exe
2476	rundll32.exe
2476	rundll32.exe
2476	rundll32.exe
2476	rundll32.exe
2476	rundll32.exe
2476	rundll32.exe
2476	rundll32.exe
2476	rundll32.exe
2476	rundll32.exe
2476	rundll32.exe
2476	rundll32.exe
2476	rundll32.exe
2476	rundll32.exe

Suspicious use of AdjustPrivilegeToken 50 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3616	wscript.exe
Token: SeIncreaseQuotaPrivilege	3616	wscript.exe
Token: SeSecurityPrivilege	452	msiexec.exe
Token: SeCreateTokenPrivilege	3616	wscript.exe
Token: SeAssignPrimaryTokenPrivilege	3616	wscript.exe
Token: SeLockMemoryPrivilege	3616	wscript.exe
Token: SeIncreaseQuotaPrivilege	3616	wscript.exe
Token: SeMachineAccountPrivilege	3616	wscript.exe
Token: SeTcbPrivilege	3616	wscript.exe
Token: SeSecurityPrivilege	3616	wscript.exe
Token: SeTakeOwnershipPrivilege	3616	wscript.exe
Token: SeLoadDriverPrivilege	3616	wscript.exe
Token: SeSystemProfilePrivilege	3616	wscript.exe
Token: SeSystemtimePrivilege	3616	wscript.exe
Token: SeProfSingleProcessPrivilege	3616	wscript.exe
Token: SeIncBasePriorityPrivilege	3616	wscript.exe
Token: SeCreatePagefilePrivilege	3616	wscript.exe
Token: SeCreatePermanentPrivilege	3616	wscript.exe
Token: SeBackupPrivilege	3616	wscript.exe
Token: SeRestorePrivilege	3616	wscript.exe
Token: SeShutdownPrivilege	3616	wscript.exe
Token: SeDebugPrivilege	3616	wscript.exe
Token: SeAuditPrivilege	3616	wscript.exe
Token: SeSystemEnvironmentPrivilege	3616	wscript.exe
Token: SeChangeNotifyPrivilege	3616	wscript.exe
Token: SeRemoteShutdownPrivilege	3616	wscript.exe
Token: SeUndockPrivilege	3616	wscript.exe
Token: SeSyncAgentPrivilege	3616	wscript.exe
Token: SeEnableDelegationPrivilege	3616	wscript.exe
Token: SeManageVolumePrivilege	3616	wscript.exe
Token: SeImpersonatePrivilege	3616	wscript.exe
Token: SeCreateGlobalPrivilege	3616	wscript.exe
Token: SeRestorePrivilege	452	msiexec.exe
Token: SeTakeOwnershipPrivilege	452	msiexec.exe
Token: SeRestorePrivilege	452	msiexec.exe
Token: SeTakeOwnershipPrivilege	452	msiexec.exe
Token: SeRestorePrivilege	452	msiexec.exe
Token: SeTakeOwnershipPrivilege	452	msiexec.exe
Token: SeRestorePrivilege	452	msiexec.exe
Token: SeTakeOwnershipPrivilege	452	msiexec.exe
Token: SeRestorePrivilege	452	msiexec.exe
Token: SeTakeOwnershipPrivilege	452	msiexec.exe
Token: SeRestorePrivilege	452	msiexec.exe
Token: SeTakeOwnershipPrivilege	452	msiexec.exe
Token: SeRestorePrivilege	452	msiexec.exe
Token: SeTakeOwnershipPrivilege	452	msiexec.exe
Token: SeRestorePrivilege	452	msiexec.exe
Token: SeTakeOwnershipPrivilege	452	msiexec.exe
Token: SeRestorePrivilege	452	msiexec.exe
Token: SeTakeOwnershipPrivilege	452	msiexec.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 452 wrote to memory of 1864	452	msiexec.exe	84
PID 452 wrote to memory of 1864	452	msiexec.exe	84
PID 452 wrote to memory of 1864	452	msiexec.exe	84
PID 452 wrote to memory of 1868	452	msiexec.exe	85
PID 452 wrote to memory of 1868	452	msiexec.exe	85
PID 452 wrote to memory of 1868	452	msiexec.exe	85
PID 4616 wrote to memory of 2476	4616	rundll32.exe	87
PID 4616 wrote to memory of 2476	4616	rundll32.exe	87

C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\Document-20-18-07.js
1⤵
- Blocklisted process makes network request
- Suspicious use of AdjustPrivilegeToken
PID:3616

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Blocklisted process makes network request
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:452
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 75DD54CC9E6A825B522C618AA73F84BC
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:1864
- C:\Windows\Installer\MSI9522.tmp
  "C:\Windows\Installer\MSI9522.tmp" /DontWait C:/Windows/SysWOW64/rundll32.exe C:\Users\Admin\AppData\Roaming\vierm_soft_x64.dll, GetDeepDVCState
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1868

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\SysWOW64\rundll32.exe" C:\Users\Admin\AppData\Roaming\vierm_soft_x64.dll, GetDeepDVCState
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4616
- C:\Windows\system32\rundll32.exe
  "C:\Windows\SysWOW64\rundll32.exe" C:\Users\Admin\AppData\Roaming\vierm_soft_x64.dll, GetDeepDVCState
  2⤵
  - Blocklisted process makes network request
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  PID:2476

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

JavaScript

T1059.007

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\e5794c0.rbs

Filesize
1KB

MD5
7341a04b4468513d78d91c5690891459

SHA1
8ad0cd6e45feaabda06a80ec85b6993946584727

SHA256
bc7d953100beda5b29e78d14eaf58e7b51fc58533062b0054526a214f166405d

SHA512
ab865312b9e13a74467d67bebca64a1a59f75b8103792bd249482bb1ae72d0b9f4650d2e2dcaeb58868ce024380037f6c52d821741ebd90b23a0e37c88c199d7

Download Submit
C:\Users\Admin\AppData\Roaming\vierm_soft_x64.dll

Filesize
749KB

MD5
b1ca25f5bb4edd293b3711c77eb99a6f

SHA1
178bba8686ea329b884a652fe0f8a0ae0c53d367

SHA256
97a6331239d451d7dfe15bfe17de8b419df741ae68bacd440808f8b8d3f99b8a

SHA512
d5a282a8f81e117b79616c44a260d89c7fee06f4ac1387675bc79c3bd7599a5d49fbe3d8fb3d4d42eea81a17564abc2d42288bc2dc468d1b16ed633ba421b32d

Download Submit
C:\Windows\Installer\MSI8FBD.tmp

Filesize
1.6MB

MD5
3cb6b99b20930ac0dbadc10899dc511e

SHA1
570c4ab78cf4bb22b78aac215a4a79189d4fa9ed

SHA256
ea1792f689bfe5ad3597c7f877b66f9fcf80d732e5233293d52d374d50cab991

SHA512
aedf58ea01d59cce191cb9c0f83dbdbf7e3e8f049c764b577d6a957cb5229c50dda7ec6760ca43ad4dbdb085ae02b07bc818f69ca08373243019af6683e4931c

Download Submit
C:\Windows\Installer\MSI9348.tmp

Filesize
436KB

MD5
475d20c0ea477a35660e3f67ecf0a1df

SHA1
67340739f51e1134ae8f0ffc5ae9dd710e8e3a08

SHA256
426e6cf199a8268e8a7763ec3a4dd7add982b28c51d89ebea90ca792cbae14dd

SHA512
99525aaab2ab608134b5d66b5313e7fc3c2e2877395c5c171897d7a6c66efb26b606de1a4cb01118c2738ea4b6542e4eb4983e631231b3f340bf85e509a9589e

Download Submit
C:\Windows\Installer\MSI9522.tmp

Filesize
389KB

MD5
b9545ed17695a32face8c3408a6a3553

SHA1
f6c31c9cd832ae2aebcd88e7b2fa6803ae93fc83

SHA256
1e0e63b446eecf6c9781c7d1cae1f46a3bb31654a70612f71f31538fb4f4729a

SHA512
f6d6dc40dcba5ff091452d7cc257427dcb7ce2a21816b4fec2ee249e63246b64667f5c4095220623533243103876433ef8c12c9b612c0e95fdfffe41d1504e04

Download Submit
memory/2476-59-0x0000000273F40000-0x0000000273F8A000-memory.dmp

Filesize
296KB

Download
memory/2476-58-0x0000000273F40000-0x0000000273F8A000-memory.dmp

Filesize
296KB

Download
memory/2476-60-0x00007FFB62390000-0x00007FFB62585000-memory.dmp

Filesize
2.0MB

Download
memory/2476-62-0x00007FFB60590000-0x00007FFB6064E000-memory.dmp

Filesize
760KB

Download
memory/2476-64-0x00007FFB5FE20000-0x00007FFB600E9000-memory.dmp

Filesize
2.8MB

Download
memory/2476-66-0x00000254E67D0000-0x00000254E681C000-memory.dmp

Filesize
304KB

Download
memory/2476-75-0x0000000273F40000-0x0000000273F8A000-memory.dmp

Filesize
296KB

Download
memory/2476-82-0x00000254E67D0000-0x00000254E681C000-memory.dmp

Filesize
304KB

Download