bruteratel | b59a84b168f1524bdd0f0dad450b042e861bba7e90d91514678fdf557ca64356 | Triage

Analysis

max time kernel
149s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
30-10-2024 14:58

Sharing

Report Analysis Logs

General

Target

wme.dll
Size

1.4MB
MD5

6696bb4cafb96b82037ba3038b206d81
SHA1

6d46de3e9119c49ab86e303f87f9b30a0f164063
SHA256

1921c1e04ba16e71ff38e58efe210a7d9f433cf122eb5f8054dbbea2a381e54d
SHA512

49bcc12bd899c7d7130684233e0ac5ce74a65dd6ca14104e1812293c0619bf76251dff64dd51b627226fdcc76584cf72273398c276a76141934aeb7c173e2a83
SSDEEP

24576:SjPmkfHk7ONT01cDYLSTRrstVey92QOn9Kw1:SjPmkfHk7O5DYLSFrEVeyjOE4

Score

10^/10

bruteratel backdoor

Malware Config

Signatures

Brute Ratel C4
A customized command and control framework for red teaming and adversary simulation.
backdoor bruteratel
Bruteratel family
bruteratel

Detect BruteRatel badger 1 IoCs

resource	yara_rule
behavioral1/memory/4644-1-0x000001C5269C0000-0x000001C5269FE000-memory.dmp	family_bruteratel

Blocklisted process makes network request 13 IoCs

flow	pid	Process
26	4644	rundll32.exe
28	4644	rundll32.exe
30	4644	rundll32.exe
35	4644	rundll32.exe
37	4644	rundll32.exe
39	4644	rundll32.exe
41	4644	rundll32.exe
43	4644	rundll32.exe
73	4644	rundll32.exe
75	4644	rundll32.exe
79	4644	rundll32.exe
80	4644	rundll32.exe
100	4644	rundll32.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
4644	rundll32.exe
4644	rundll32.exe
4644	rundll32.exe
4644	rundll32.exe
4644	rundll32.exe
4644	rundll32.exe

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 4356 wrote to memory of 2028	4356	cmd.exe	118
PID 4356 wrote to memory of 2028	4356	cmd.exe	118

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\wme.dll,#1
1⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
PID:4644

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe"
1⤵
PID:2260

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4904

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4356
- C:\Windows\system32\rundll32.exe
  rundll32.exe wme.dll
  2⤵
  PID:2028

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/4644-0-0x000001C5269C0000-0x000001C5269FE000-memory.dmp

Filesize
248KB

Download
memory/4644-1-0x000001C5269C0000-0x000001C5269FE000-memory.dmp

Filesize
248KB

Download
memory/4644-10-0x000001C526B10000-0x000001C526B5C000-memory.dmp

Filesize
304KB

Download
memory/4644-29-0x000001C526B10000-0x000001C526B5C000-memory.dmp

Filesize
304KB

Download