Analysis
-
max time kernel
149s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20250217-en -
resource tags
-
submitted
19/02/2025, 18:01
General
-
Target
Doc171836.js
-
Size
412KB
-
MD5
da7ed43b68df0e3a40b48e1fbb8b539b
-
SHA1
c53936f0811fe54dd3f57e525c1dd31f04bf249d
-
SHA256
eb164525c66c559aec32c119a9e2fa54444caefcd32b944a12c459e80fd568c4
-
SHA512
bcadaf98784a8ef2b5fef711cf2f6402a932e9241220fc337294aeeaa08e3be9d98545b30a286dac4a0fdf51a462b7ca6930e44341f92fdad8a8035015c1ff41
-
SSDEEP
3072:D5RU5Rv5RjiL2wiL2niL2WGyTGyR3d54+e0ekewer:VRkRRRj2T2m23GyTGydXJ5S
Malware Config
Extracted
latrodectus
1.4
https://tynifinilam.com/test/
https://horetimodual.com/test/
Signatures
-
Brute Ratel C4
A customized command and control framework for red teaming and adversary simulation.
-
Bruteratel family
-
Detect BruteRatel badger 1 IoCs
-
Detects Latrodectus 3 IoCs
Detects Latrodectus v1.4.
-
Latrodectus family
-
Latrodectus loader
Latrodectus is a loader written in C++.
-
Executes dropped EXE 1 IoCs
-
Loads dropped DLL 6 IoCs
-
Blocklisted process makes network request 6 IoCs
-
Enumerates connected drives 3 TTPs 23 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Drops file in Windows directory 10 IoCs
-
Command and Scripting Interpreter: JavaScript 1 TTPs
-
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious behavior: EnumeratesProcesses 8 IoCs
-
Suspicious use of AdjustPrivilegeToken 50 IoCs
-
Suspicious use of WriteProcessMemory 6 IoCs
Processes
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
-
C:\Windows\system32\wscript.exewscript.exe C:\Users\Admin\AppData\Local\Temp\Doc171836.js2⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\msiexec.exeC:\Windows\system32\msiexec.exe /V1⤵
- Blocklisted process makes network request
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding A8CA35A3098D5A2F9A986014F851B6142⤵
- Loads dropped DLL
- Blocklisted process makes network request
- System Location Discovery: System Language Discovery
-
-
C:\Users\Admin\AppData\Roaming\nvidia\NVIDIA Notification.exe"C:\Users\Admin\AppData\Roaming\nvidia\NVIDIA Notification.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
2KB
MD5f3cf643301ab821c7610b0cee130b759
SHA180d70d23d7b90dd2fcd152f6780e07c11ca987ca
SHA25656c10197480461cced425fab2b13cd51a0a949ecdda11c40e33deba68172c961
SHA512de6b734c8fe7e9963ca6db3c642a5129917c8fb9d48c926068f46bf6b4c857c987bbe17181a81c219d74fa56b79e4986d5fac67d4e7b11c57d05b52fe8ce1e76
-
Filesize
3.2MB
MD507459a0b5f524ad62b5b5401133d4d55
SHA1bcaec0c106f7f97c09618870e0d4868a156c93ec
SHA2566c94c9d7e231523e06b41275ab208e42cdd39278f341123b066b05a0a6830e4d
SHA5125133970b743eaa730e97baf9c4f52c05af469b880cd158900e62447daab45445112b41cc31c330fb90ee1e274d85e444ab86cfffc3e4fea7380d4217c446e9b5
-
Filesize
3.2MB
MD5c6bb7631c35b6a8fc21077ca49aa8559
SHA1240d2d8e8da0bba108ee831bcc7a17a92d190db2
SHA2566b3854e74a1ec9a70f14d124c9ae8456129c0b5968f3781b95e430940c64fad4
SHA5121cc5f67413727ea12b0ff0c26ef822fe689b15c674ee4bb03789b949879cfd0f84ad76bd8b93db53ef35160c751344134fc36d8bb3995be658ca7c268bdada72
-
Filesize
4.6MB
MD527708977fc83f3b70177d6cf68900eba
SHA1f679bb77e2876b17da2276017df6cf252aa5bd22
SHA256ec3ca0877e599ae9c40cbcec51a9a4718114e33d9e2d9d8c72f5f24d7cebdcbf
SHA512831ccd1e4fdda16ff7cd16096e3291b9fa986f814e56aec9d8d0c6a36ae402002940a9d9aa7c1c5c8cf1b8e65c2d9ee529956f9cae3832e513a37bff3839c8ac
-
Filesize
436KB
MD5475d20c0ea477a35660e3f67ecf0a1df
SHA167340739f51e1134ae8f0ffc5ae9dd710e8e3a08
SHA256426e6cf199a8268e8a7763ec3a4dd7add982b28c51d89ebea90ca792cbae14dd
SHA51299525aaab2ab608134b5d66b5313e7fc3c2e2877395c5c171897d7a6c66efb26b606de1a4cb01118c2738ea4b6542e4eb4983e631231b3f340bf85e509a9589e
-
Filesize
355KB
MD5cac65e61b287555ea0e2a7f1aa0645cc
SHA10c93bdbfddd7e00ec30c81dbff8f3a1bfaf62519
SHA25657c0d90010d3a476770c8085d2641cbf234b0ca47ec687ca4aabbf4db92df737
SHA512e80076eb7e632e40f8dcb013b854a5825e7a19dd451505aa121a47a110032a1c571cd6d9e3e5aeacdb8f5897cb17ece4e65846b5d9080605e81176fe0811456a
-
Filesize
84KB
-
Filesize
84KB
-
Filesize
300KB
-
Filesize
300KB
-
Filesize
300KB
-
Filesize
300KB
-
Filesize
304KB
-
Filesize
300KB
-
Filesize
300KB
-
Filesize
300KB
-
Filesize
300KB
-
Filesize
300KB
-
Filesize
300KB
-
Filesize
300KB
-
Filesize
300KB
-
Filesize
300KB
-
Filesize
300KB
-
Filesize
248KB
-
Filesize
300KB
-
Filesize
300KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
84KB
-
Filesize
4KB
-
Filesize
96KB
-
Filesize
300KB
-
Filesize
300KB
-
Filesize
304KB
-
Filesize
300KB
-
Filesize
300KB
-
Filesize
300KB