Overview

overview

10

Static

static

3

a32e691b7f...0d.exe

windows7-x64

1

a32e691b7f...0d.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20250217-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20250217-enlocale:en-usos:windows10-2004-x64system
  • submitted
    19-02-2025 07:20

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    a32e691b7f3886db30fcd3b805a11cad92092528049c2324452fab44aad1db0d.exe

  • Size

    1.9MB

  • MD5

    38acf2870c7eef9d7b5177d176f502ea

  • SHA1

    1bd99cb83780fbbd947d831306c786dc72ff9bd4

  • SHA256

    a32e691b7f3886db30fcd3b805a11cad92092528049c2324452fab44aad1db0d

  • SHA512

    702ab4d06b24480bed839fd47095f8168219b78022c38e98e1b307432a2c085518c4faeceddb2ee82e632ca623b0f600eebccc2fad8cb79cd0906b18d17a0da3

  • SSDEEP

    24576:aa2pDZgkLKpVoXnfW2oNR1EKYSwOQ0Ta7Ocidk9SvToh9YxBtkcD/BSLLyTOXR15:aNq2gDEPXe

Score
10/10
bruteratelbackdoor

Malware Config

Signatures

  • Brute Ratel C4

    A customized command and control framework for red teaming and adversary simulation.

    backdoorbruteratel
  • Bruteratel family
    bruteratel
  • Detect BruteRatel badger 3 IoCs
  • Drops startup file 2 IoCs
  • Executes dropped EXE 1 IoCs
  • Modifies data under HKEY_USERS 3 IoCs
  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 16 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 8 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\a32e691b7f3886db30fcd3b805a11cad92092528049c2324452fab44aad1db0d.exe
    "C:\Users\Admin\AppData\Local\Temp\a32e691b7f3886db30fcd3b805a11cad92092528049c2324452fab44aad1db0d.exe"
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: MapViewOfSection
    PID:1140
  • \??\c:\windows\temp\Windows10Updater.exe
    c:\windows\temp\Windows10Updater.exe
    1⤵
    • Drops startup file
    • Executes dropped EXE
    • Modifies data under HKEY_USERS
    • Suspicious behavior: EnumeratesProcesses
    PID:1112

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Windows\Temp\Update.exe
    Filesize

    676KB

    MD5

    4ae2bd344630ae9537b0bc063c46248f

    SHA1

    d44e2fd12d44db7af300b3cfa9ffbf786162ac35

    SHA256

    acd2d168da5b804ac14feefc220e36c505ab4388e99a7a10f155c075f6335da9

    SHA512

    598adaa7e5149dd90533b2c027f4a0d70c3019e8ca17b601d163ef0d6f587bd8588cfc0429f404fe02d6ac0eb4629babf5531bcee6c92beb48262d59250f5438

    Download Submit

  • C:\Windows\Temp\Windows10Updater.exe
    Filesize

    234KB

    MD5

    025bbd36f13584c04d9aec3d44ad6ed0

    SHA1

    9576645ea1feb8cd26dadac0484c65b385ab4509

    SHA256

    5cbd91189460e3a1a9c3dea20b3dd0dff40dfb6d07575eb044b0627503a27698

    SHA512

    47e40b5f767543ef37f7fdb005e8b9df6b1f59dc2e264e3dd43c012045ef0fa8ff919becba4785e73de05b42b06d2a84687eadad696e52c6af02c1cee0d5f132

    Download Submit

  • memory/1112-14-0x0000024062890000-0x00000240628C7000-memory.dmp

    Filesize

    220KB

    Download

  • memory/1112-19-0x0000024062A30000-0x0000024062A76000-memory.dmp

    Filesize

    280KB

    Download

  • memory/1112-33-0x00007FF68E430000-0x00007FF68E472000-memory.dmp

    Filesize

    264KB

    Download

  • memory/1112-40-0x0000024062A30000-0x0000024062A76000-memory.dmp

    Filesize

    280KB

    Download

  • memory/3436-0-0x0000000002B10000-0x0000000002B47000-memory.dmp

    Filesize

    220KB

    Download

  • memory/3436-1-0x0000000002C20000-0x0000000002C66000-memory.dmp

    Filesize

    280KB

    Download

  • memory/3436-37-0x0000000002C20000-0x0000000002C66000-memory.dmp

    Filesize

    280KB

    Download