Overview

overview

10

Static

static

1

20022025_0...on.msi

windows7-x64

6

20022025_0...on.msi

windows10-2004-x64

10

Analysis

  • max time kernel
    284s
  • max time network
    278s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20250217-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20250217-enlocale:en-usos:windows10-2004-x64system
  • submitted
    20-02-2025 02:49

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    20022025_0249_NVIDIANotification.msi

  • Size

    4.6MB

  • MD5

    27708977fc83f3b70177d6cf68900eba

  • SHA1

    f679bb77e2876b17da2276017df6cf252aa5bd22

  • SHA256

    ec3ca0877e599ae9c40cbcec51a9a4718114e33d9e2d9d8c72f5f24d7cebdcbf

  • SHA512

    831ccd1e4fdda16ff7cd16096e3291b9fa986f814e56aec9d8d0c6a36ae402002940a9d9aa7c1c5c8cf1b8e65c2d9ee529956f9cae3832e513a37bff3839c8ac

  • SSDEEP

    98304:HYVK/AKIN29ryVzg+Vho+5d67amiFP/0hnJRZuq2sDSq5Fwfp:G29W5jmih/0xXLFm

Score
10/10
bruteratellatrodectusbackdoordiscoveryloaderpersistenceprivilege_escalation

Malware Config

Extracted

Family

latrodectus

Version

1.4

C2

https://tynifinilam.com/test/

https://horetimodual.com/test/
aes.hex

Signatures

  • Brute Ratel C4

    A customized command and control framework for red teaming and adversary simulation.

    backdoorbruteratel
  • Bruteratel family
    bruteratel
  • Detect BruteRatel badger 1 IoCs
  • Detects Latrodectus 3 IoCs

    Detects Latrodectus v1.4.

  • Latrodectus family
    latrodectus
  • Latrodectus loader

    Latrodectus is a loader written in C++.

    loaderlatrodectus
  • Blocklisted process makes network request 5 IoCs
  • Enumerates connected drives 3 TTPs 46 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Windows directory 12 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 6 IoCs
  • Event Triggered Execution: Installer Packages 2 TTPs 1 IoCs
    persistenceprivilege_escalation
  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Checks SCSI registry key(s) 3 TTPs 5 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses 14 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

    ransomware

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:3504
    • C:\Windows\system32\msiexec.exe
      msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\20022025_0249_NVIDIANotification.msi
      2⤵
      • Blocklisted process makes network request
      • Enumerates connected drives
      • Event Triggered Execution: Installer Packages
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      PID:4960
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Enumerates connected drives
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:5056
    • C:\Windows\system32\srtasks.exe
      C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:1256
    • C:\Windows\syswow64\MsiExec.exe
      C:\Windows\syswow64\MsiExec.exe -Embedding A524500DB21B72D66926ED11E6D90FCD
      2⤵
      • Blocklisted process makes network request
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      PID:2952
    • C:\Users\Admin\AppData\Roaming\nvidia\NVIDIA Notification.exe
      "C:\Users\Admin\AppData\Roaming\nvidia\NVIDIA Notification.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:2836
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Checks SCSI registry key(s)
    • Suspicious use of AdjustPrivilegeToken
    PID:1952

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Config.Msi\e580434.rbs
    Filesize

    2KB

    MD5

    f87e69cc0d88a94eac78069e52d330c6

    SHA1

    a07650c17d6cf4583aeabe7755828e00e9a9ffa5

    SHA256

    6735d3733b6b2d9dfcc5a858d9a80bb7a86629b7534e25280cd3a07205976e6f

    SHA512

    191e4c1147750d57843e70b0e30b726fe359da380eeed2a0a2530a57c61f8c04ee70fbb025590588061018a632597bde2f910fa3bc4e5ce78b04dd977e3e1111

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\357F04AD41BCF5FE18FCB69F60C6680F_FD01465368E204AAEA741CF2D9C1BB6D
    Filesize

    1KB

    MD5

    a1d072f509a8af40357cc0a9531a75e9

    SHA1

    28efdcc4dbc1ac4597ba0517aca9be9c2c38a74c

    SHA256

    c6e42e7c90d1d518fff007594d5429c501d619b3c3c2a2de2e3c5e3808d29f5f

    SHA512

    3b71a8dc0e0f4a8f37dcee3c9f1cad04230c986ed1af43e990e49ae3e30e244620d524f8f029757d291e25aa521fe6dd6eefa4d70b83f5f91b208552be0165d6

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\9CB4373A4252DE8D2212929836304EC5_1AB74AA2E3A56E1B8AD8D3FEC287554E
    Filesize

    1KB

    MD5

    38cea1ea4e8a79f35dc03a504994684a

    SHA1

    ece3bd5c2c370a4555ec4704d552ff6946bda779

    SHA256

    f37c446cafba2e6ba67c4db9d3b9e02bc754ad346bf5c32640ee7bb731240511

    SHA512

    ca14198cfa388f6052b4af8f1f9ef9d478abb14462f875aa4980a38b4cb18c4847707544086b78d0d876dcc05e05d7e25c23e99554c8da30a93ef71916d2ff22

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\357F04AD41BCF5FE18FCB69F60C6680F_FD01465368E204AAEA741CF2D9C1BB6D
    Filesize

    536B

    MD5

    904ba8be77be54a25cc22d792d573440

    SHA1

    1ee0533ca0f3eff2416c02565476028542c540c4

    SHA256

    22522914948cbd87b980866a027bce53368a855a70e1ede7de2ed2688f1c954b

    SHA512

    329a4a6f14bf4ecfaa47810379c3af99f968e1fa908c65e2ac63dd6a188c79acb930e93f9c39cdd7a3885ae42c4f51b14b5cfe293f772e0166f4fc96c2932028

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\9CB4373A4252DE8D2212929836304EC5_1AB74AA2E3A56E1B8AD8D3FEC287554E
    Filesize

    536B

    MD5

    f6fbef6ffd128568409b80b8dcc6194b

    SHA1

    2e0adbfcd77d2c041f3f8673be8032993e6d2f9b

    SHA256

    ec3e19d030a7984bdf9a004f8e5f010bae5495965e36c075ec7bb1e2c4d31f71

    SHA512

    68444639943c9348e02a9abb62d3fc79caf6cae64d1002bcb80f9cb9460e72ff999c660c1b9b6d1aac71d88589046c88f21f4fb4dab05b5af43db002f07c1ada

    Download Submit

  • C:\Users\Admin\AppData\Roaming\nvidia\NVIDIA Notification.exe
    Filesize

    3.2MB

    MD5

    07459a0b5f524ad62b5b5401133d4d55

    SHA1

    bcaec0c106f7f97c09618870e0d4868a156c93ec

    SHA256

    6c94c9d7e231523e06b41275ab208e42cdd39278f341123b066b05a0a6830e4d

    SHA512

    5133970b743eaa730e97baf9c4f52c05af469b880cd158900e62447daab45445112b41cc31c330fb90ee1e274d85e444ab86cfffc3e4fea7380d4217c446e9b5

    Download Submit

  • C:\Users\Admin\AppData\Roaming\nvidia\libcef.dll
    Filesize

    3.2MB

    MD5

    c6bb7631c35b6a8fc21077ca49aa8559

    SHA1

    240d2d8e8da0bba108ee831bcc7a17a92d190db2

    SHA256

    6b3854e74a1ec9a70f14d124c9ae8456129c0b5968f3781b95e430940c64fad4

    SHA512

    1cc5f67413727ea12b0ff0c26ef822fe689b15c674ee4bb03789b949879cfd0f84ad76bd8b93db53ef35160c751344134fc36d8bb3995be658ca7c268bdada72

    Download Submit

  • C:\Windows\Installer\MSI4FC.tmp
    Filesize

    436KB

    MD5

    475d20c0ea477a35660e3f67ecf0a1df

    SHA1

    67340739f51e1134ae8f0ffc5ae9dd710e8e3a08

    SHA256

    426e6cf199a8268e8a7763ec3a4dd7add982b28c51d89ebea90ca792cbae14dd

    SHA512

    99525aaab2ab608134b5d66b5313e7fc3c2e2877395c5c171897d7a6c66efb26b606de1a4cb01118c2738ea4b6542e4eb4983e631231b3f340bf85e509a9589e

    Download Submit

  • C:\Windows\Installer\MSI7FD.tmp
    Filesize

    355KB

    MD5

    cac65e61b287555ea0e2a7f1aa0645cc

    SHA1

    0c93bdbfddd7e00ec30c81dbff8f3a1bfaf62519

    SHA256

    57c0d90010d3a476770c8085d2641cbf234b0ca47ec687ca4aabbf4db92df737

    SHA512

    e80076eb7e632e40f8dcb013b854a5825e7a19dd451505aa121a47a110032a1c571cd6d9e3e5aeacdb8f5897cb17ece4e65846b5d9080605e81176fe0811456a

    Download Submit

  • \??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2
    Filesize

    24.1MB

    MD5

    b025bb60470a747f50c6d47673eac1db

    SHA1

    72030c345f56d242b1eacf2b5279bf37242d6459

    SHA256

    6f4ea69244499119201cc6f9b622c978fe382a60c977d7dc9c173d4982182654

    SHA512

    a08f06e889eb4ada8e25bef9f656d9f52be3ec2817bfd7fe7dffab351a1349401d1774f25c7fb030b1d8c0a144c3f7f4476d8a65a6bbba6e9f4bdf0a597d28fb

    Download Submit

  • \??\Volume{25f6f61f-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{7cbccc34-0b6b-4184-b671-7b7f28509adc}_OnDiskSnapshotProp
    Filesize

    6KB

    MD5

    2f97b79bc6479e3fbfad7920837727a6

    SHA1

    bf4595cd95f5c3e3a8452548cc01917dcd9fe813

    SHA256

    11ebb14341c739ec3b9ff868737cc4f8e081e1ae32a36a95dac608783fe0885f

    SHA512

    b2f788cb251decdbcf8a44bd13a3ae110920775195aacab93b750ab7527bf42da5e69163906f2d8e0108a4653ef2a39ae8dc1f0a9334f59e0e1428269b93c8b2

    Download Submit

  • memory/2836-101-0x000001D90A250000-0x000001D90A29B000-memory.dmp

    Filesize

    300KB

    Download

  • memory/2836-114-0x00007FF425910000-0x00007FF425911000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2836-78-0x000001D909280000-0x000001D9092CB000-memory.dmp

    Filesize

    300KB

    Download

  • memory/2836-79-0x000001D9096D0000-0x000001D90971B000-memory.dmp

    Filesize

    300KB

    Download

  • memory/2836-80-0x000001D909730000-0x000001D90977C000-memory.dmp

    Filesize

    304KB

    Download

  • memory/2836-89-0x000001D9097D0000-0x000001D90981B000-memory.dmp

    Filesize

    300KB

    Download

  • memory/2836-90-0x00000003A6450000-0x00000003A649B000-memory.dmp

    Filesize

    300KB

    Download

  • memory/2836-91-0x000001D909880000-0x000001D9098CB000-memory.dmp

    Filesize

    300KB

    Download

  • memory/2836-92-0x000001D909C60000-0x000001D909CAB000-memory.dmp

    Filesize

    300KB

    Download

  • memory/2836-93-0x000001D909D30000-0x000001D909D7B000-memory.dmp

    Filesize

    300KB

    Download

  • memory/2836-94-0x000001D909DE0000-0x000001D909E2B000-memory.dmp

    Filesize

    300KB

    Download

  • memory/2836-95-0x000001D909EE0000-0x000001D909F2B000-memory.dmp

    Filesize

    300KB

    Download

  • memory/2836-96-0x000001D90A0A0000-0x000001D90A0EB000-memory.dmp

    Filesize

    300KB

    Download

  • memory/2836-97-0x000001D90A150000-0x000001D90A19B000-memory.dmp

    Filesize

    300KB

    Download

  • memory/2836-77-0x00000003A6450000-0x00000003A649B000-memory.dmp

    Filesize

    300KB

    Download

  • memory/2836-102-0x000001D90A300000-0x000001D90A34B000-memory.dmp

    Filesize

    300KB

    Download

  • memory/2836-75-0x00007FFFEF750000-0x00007FFFEF768000-memory.dmp

    Filesize

    96KB

    Download

  • memory/2836-73-0x00000003A6450000-0x00000003A649B000-memory.dmp

    Filesize

    300KB

    Download

  • memory/2836-108-0x000001D90A3B0000-0x000001D90A3FB000-memory.dmp

    Filesize

    300KB

    Download

  • memory/2836-112-0x000001D90A460000-0x000001D90A4AB000-memory.dmp

    Filesize

    300KB

    Download

  • memory/2836-113-0x000001D90A510000-0x000001D90A55B000-memory.dmp

    Filesize

    300KB

    Download

  • memory/2836-76-0x000001D9091F0000-0x000001D90922E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/2836-119-0x00007FF4258B0000-0x00007FF4258B1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2836-118-0x00007FF4258C0000-0x00007FF4258C1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2836-117-0x00007FF4258D0000-0x00007FF4258D1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2836-116-0x00007FF4258E0000-0x00007FF4258E1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2836-115-0x00007FF4258F0000-0x00007FF425905000-memory.dmp

    Filesize

    84KB

    Download

  • memory/2836-142-0x000001D90AF10000-0x000001D90AF5B000-memory.dmp

    Filesize

    300KB

    Download

  • memory/2836-141-0x000001D90AE60000-0x000001D90AEAB000-memory.dmp

    Filesize

    300KB

    Download

  • memory/2836-127-0x000001D909390000-0x000001D9093DB000-memory.dmp

    Filesize

    300KB

    Download

  • memory/2836-128-0x000001D909440000-0x000001D90948B000-memory.dmp

    Filesize

    300KB

    Download

  • memory/2836-129-0x000001D909730000-0x000001D90977C000-memory.dmp

    Filesize

    304KB

    Download

  • memory/2836-131-0x000001D9094F0000-0x000001D90953B000-memory.dmp

    Filesize

    300KB

    Download

  • memory/2836-132-0x000001D9095A0000-0x000001D9095EB000-memory.dmp

    Filesize

    300KB

    Download

  • memory/2836-134-0x000001D909650000-0x000001D90969B000-memory.dmp

    Filesize

    300KB

    Download

  • memory/2836-135-0x000001D90ABC0000-0x000001D90AC0B000-memory.dmp

    Filesize

    300KB

    Download

  • memory/2836-136-0x000001D90AC60000-0x000001D90ACAB000-memory.dmp

    Filesize

    300KB

    Download

  • memory/2836-138-0x000001D90AD00000-0x000001D90AD4B000-memory.dmp

    Filesize

    300KB

    Download

  • memory/2836-139-0x000001D90ADB0000-0x000001D90ADFB000-memory.dmp

    Filesize

    300KB

    Download

  • memory/3504-121-0x0000000000EB0000-0x0000000000EC5000-memory.dmp

    Filesize

    84KB

    Download

  • memory/3504-120-0x0000000000EB0000-0x0000000000EC5000-memory.dmp

    Filesize

    84KB

    Download