Overview

overview

10

Static

static

1

calma.msi

windows7-x64

6

calma.msi

windows10-2004-x64

10

Analysis

  • max time kernel
    145s
  • max time network
    139s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20250217-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20250217-enlocale:en-usos:windows10-2004-x64system
  • submitted
    20-02-2025 17:44

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    calma.msi

  • Size

    4.6MB

  • MD5

    27708977fc83f3b70177d6cf68900eba

  • SHA1

    f679bb77e2876b17da2276017df6cf252aa5bd22

  • SHA256

    ec3ca0877e599ae9c40cbcec51a9a4718114e33d9e2d9d8c72f5f24d7cebdcbf

  • SHA512

    831ccd1e4fdda16ff7cd16096e3291b9fa986f814e56aec9d8d0c6a36ae402002940a9d9aa7c1c5c8cf1b8e65c2d9ee529956f9cae3832e513a37bff3839c8ac

  • SSDEEP

    98304:HYVK/AKIN29ryVzg+Vho+5d67amiFP/0hnJRZuq2sDSq5Fwfp:G29W5jmih/0xXLFm

Score
10/10
bruteratellatrodectusbackdoordiscoveryloaderpersistenceprivilege_escalation

Malware Config

Extracted

Family

latrodectus

Version

1.4

C2

https://tynifinilam.com/test/

https://horetimodual.com/test/
aes.hex

Signatures

  • Brute Ratel C4

    A customized command and control framework for red teaming and adversary simulation.

    backdoorbruteratel
  • Bruteratel family
    bruteratel
  • Detect BruteRatel badger 1 IoCs
  • Detects Latrodectus 3 IoCs

    Detects Latrodectus v1.4.

  • Latrodectus family
    latrodectus
  • Latrodectus loader

    Latrodectus is a loader written in C++.

    loaderlatrodectus
  • Blocklisted process makes network request 5 IoCs
  • Enumerates connected drives 3 TTPs 46 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Windows directory 12 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 6 IoCs
  • Event Triggered Execution: Installer Packages 2 TTPs 1 IoCs
    persistenceprivilege_escalation
  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Checks SCSI registry key(s) 3 TTPs 5 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses 10 IoCs
  • Suspicious use of AdjustPrivilegeToken 63 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

    ransomware

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:3536
      • C:\Windows\system32\msiexec.exe
        msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\calma.msi
        2⤵
        • Blocklisted process makes network request
        • Enumerates connected drives
        • Event Triggered Execution: Installer Packages
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of FindShellTrayWindow
        PID:1164
    • C:\Windows\system32\msiexec.exe
      C:\Windows\system32\msiexec.exe /V
      1⤵
      • Enumerates connected drives
      • Drops file in Windows directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2092
      • C:\Windows\system32\srtasks.exe
        C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
        2⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:4020
      • C:\Windows\syswow64\MsiExec.exe
        C:\Windows\syswow64\MsiExec.exe -Embedding 28DD7143543AD16C736D94417036D552
        2⤵
        • Blocklisted process makes network request
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        PID:5032
      • C:\Users\Admin\AppData\Roaming\nvidia\NVIDIA Notification.exe
        "C:\Users\Admin\AppData\Roaming\nvidia\NVIDIA Notification.exe"
        2⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:5088
    • C:\Windows\system32\vssvc.exe
      C:\Windows\system32\vssvc.exe
      1⤵
      • Checks SCSI registry key(s)
      • Suspicious use of AdjustPrivilegeToken
      PID:4560

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Config.Msi\e57bab8.rbs
      Filesize

      2KB

      MD5

      0aa0f0045438737b335becc2a54b1964

      SHA1

      67a440da7e6d1d7e45ecc6bcdcb54daf4b07ad84

      SHA256

      a9e53b16eef00b7c019007321a9934f26660711f8b22c9b6d331e724cfd633eb

      SHA512

      ea1a66166a1c312c1b2b99ffe900a6adeb932f67ca0bee9621fb5ab394e34fd6e879760dd0ef5c710da99b0ac7f4835532875d8e9eb89586aaf3e02b00669b6a

      Download Submit

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\357F04AD41BCF5FE18FCB69F60C6680F_FD01465368E204AAEA741CF2D9C1BB6D
      Filesize

      1KB

      MD5

      9f05ec1fbec27e9fed4ecad4677934a4

      SHA1

      f1d485a56e09066bda64ff76ff78637f55cec879

      SHA256

      643458b407c6a9aa2c906aa9207c01196d0305abf6aaeab8d957a6f253b90a5f

      SHA512

      f4e3fe97e6dd3ff914a604a61d8c03dacd6d9b5c2aa4dab8447ef2bb8159f99342d2760a57e7a825e3845dddc0832bb88f42646401733cc02a449aefe3a38921

      Download Submit

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\9CB4373A4252DE8D2212929836304EC5_1AB74AA2E3A56E1B8AD8D3FEC287554E
      Filesize

      1KB

      MD5

      cc691b47a4eab9634fd2ea760545cd49

      SHA1

      afb31d60a33b4803766c91c93305d3c3f9f80f97

      SHA256

      40b1935be63883779c5272263cc9801f1aa6e0fbe87d0bc6812edbff0dc22a0a

      SHA512

      1c80c1a6ec9931bc5ff52de64ad13e4cc7d57ed5e6b0fc30d54c16f2bf05605c9b4c92679df5a4fb700c777079839210a258fb437331c38a741c864659226f67

      Download Submit

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\357F04AD41BCF5FE18FCB69F60C6680F_FD01465368E204AAEA741CF2D9C1BB6D
      Filesize

      536B

      MD5

      9513aa9797c22d5bae9e00aa49de9aac

      SHA1

      3ce757c323fc0417c96de986ff32657570a2411e

      SHA256

      18911ef1b69ec88809d7e901d1826fc5b24fdf84cb2b8c41c71149279727aeb4

      SHA512

      169c0dc0cc904f46fc178f9a427d531c9893e716227ad37d700bc063309b64f82e39a1ce49913a2afffcfe16d329815a8001e74856df69a5ffeddae57684ec64

      Download Submit

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\9CB4373A4252DE8D2212929836304EC5_1AB74AA2E3A56E1B8AD8D3FEC287554E
      Filesize

      536B

      MD5

      5d0e55157ae6ad4b8a42cd081566517c

      SHA1

      57abc68f522c0b3974a98a15f8e6a63a865f2098

      SHA256

      ac2a11f6b468608ec11a76ad734a1e2c10171328a7f69caa07d47e9d97bc3e04

      SHA512

      1209780cced8b9b5d1d074690452e3cbd42e602a0e9fbf90505261ade645d12b3fdce54035e62e7c94bc1c7aa58e20d322d4c0b680d7ef5220a570ddd7f20208

      Download Submit

    • C:\Users\Admin\AppData\Roaming\nvidia\NVIDIA Notification.exe
      Filesize

      3.2MB

      MD5

      07459a0b5f524ad62b5b5401133d4d55

      SHA1

      bcaec0c106f7f97c09618870e0d4868a156c93ec

      SHA256

      6c94c9d7e231523e06b41275ab208e42cdd39278f341123b066b05a0a6830e4d

      SHA512

      5133970b743eaa730e97baf9c4f52c05af469b880cd158900e62447daab45445112b41cc31c330fb90ee1e274d85e444ab86cfffc3e4fea7380d4217c446e9b5

      Download Submit

    • C:\Users\Admin\AppData\Roaming\nvidia\libcef.dll
      Filesize

      3.2MB

      MD5

      c6bb7631c35b6a8fc21077ca49aa8559

      SHA1

      240d2d8e8da0bba108ee831bcc7a17a92d190db2

      SHA256

      6b3854e74a1ec9a70f14d124c9ae8456129c0b5968f3781b95e430940c64fad4

      SHA512

      1cc5f67413727ea12b0ff0c26ef822fe689b15c674ee4bb03789b949879cfd0f84ad76bd8b93db53ef35160c751344134fc36d8bb3995be658ca7c268bdada72

      Download Submit

    • C:\Windows\Installer\MSIBB51.tmp
      Filesize

      436KB

      MD5

      475d20c0ea477a35660e3f67ecf0a1df

      SHA1

      67340739f51e1134ae8f0ffc5ae9dd710e8e3a08

      SHA256

      426e6cf199a8268e8a7763ec3a4dd7add982b28c51d89ebea90ca792cbae14dd

      SHA512

      99525aaab2ab608134b5d66b5313e7fc3c2e2877395c5c171897d7a6c66efb26b606de1a4cb01118c2738ea4b6542e4eb4983e631231b3f340bf85e509a9589e

      Download Submit

    • C:\Windows\Installer\MSIBCDB.tmp
      Filesize

      355KB

      MD5

      cac65e61b287555ea0e2a7f1aa0645cc

      SHA1

      0c93bdbfddd7e00ec30c81dbff8f3a1bfaf62519

      SHA256

      57c0d90010d3a476770c8085d2641cbf234b0ca47ec687ca4aabbf4db92df737

      SHA512

      e80076eb7e632e40f8dcb013b854a5825e7a19dd451505aa121a47a110032a1c571cd6d9e3e5aeacdb8f5897cb17ece4e65846b5d9080605e81176fe0811456a

      Download Submit

    • \??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2
      Filesize

      24.1MB

      MD5

      4ec0ae9d1cb0fa5c1e95f87b59af5ef8

      SHA1

      0fc94f3ff1cf3d5c528ae6a007687b231f4ea836

      SHA256

      e63bbea94a2c2cb88bfcba34d656f80940b45171079deb5a30bf46524720d7b2

      SHA512

      79d0ec407cba1db252bad57feab158b5338abad452ef5eac2994862b1d3c484b156d0cd7f2c6e7abef19dedab50516390f37d9b5ad92d4514bb3b9ef3820578e

      Download Submit

    • \??\Volume{241e48af-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{f8ea9307-808a-45a0-a6d9-09f6d7cbfaf5}_OnDiskSnapshotProp
      Filesize

      6KB

      MD5

      f5daed06138273b8de694e9204c6e853

      SHA1

      1684a8a636c8d500c641d85f45a322614f1f0bff

      SHA256

      61a50e7339d470c36cbed9fd956810c5451a306288194971875c7843fbf6b0ed

      SHA512

      11448aa063c015c89ff3bfec92c51a68eebd0276def688515fd8f9891f9c1d4698eaed1bc59353ab0340b5556e863397b4211330feece212c273b00dcc34e97c

      Download Submit

    • memory/3536-121-0x00000000029F0000-0x0000000002A05000-memory.dmp

      Filesize

      84KB

      Download

    • memory/3536-120-0x00000000029F0000-0x0000000002A05000-memory.dmp

      Filesize

      84KB

      Download

    • memory/5088-95-0x000001C3D7770000-0x000001C3D77BB000-memory.dmp

      Filesize

      300KB

      Download

    • memory/5088-76-0x000001C3D6E20000-0x000001C3D6E5E000-memory.dmp

      Filesize

      248KB

      Download

    • memory/5088-80-0x000001C3D6FC0000-0x000001C3D700C000-memory.dmp

      Filesize

      304KB

      Download

    • memory/5088-89-0x000001C3D7060000-0x000001C3D70AB000-memory.dmp

      Filesize

      300KB

      Download

    • memory/5088-90-0x00000003A6450000-0x00000003A649B000-memory.dmp

      Filesize

      300KB

      Download

    • memory/5088-91-0x000001C3D7110000-0x000001C3D715B000-memory.dmp

      Filesize

      300KB

      Download

    • memory/5088-92-0x000001C3D74F0000-0x000001C3D753B000-memory.dmp

      Filesize

      300KB

      Download

    • memory/5088-93-0x000001C3D75C0000-0x000001C3D760B000-memory.dmp

      Filesize

      300KB

      Download

    • memory/5088-94-0x000001C3D7670000-0x000001C3D76BB000-memory.dmp

      Filesize

      300KB

      Download

    • memory/5088-78-0x000001C3D6EB0000-0x000001C3D6EFB000-memory.dmp

      Filesize

      300KB

      Download

    • memory/5088-96-0x000001C3D7830000-0x000001C3D787B000-memory.dmp

      Filesize

      300KB

      Download

    • memory/5088-97-0x000001C3D78E0000-0x000001C3D792B000-memory.dmp

      Filesize

      300KB

      Download

    • memory/5088-101-0x000001C3D7AE0000-0x000001C3D7B2B000-memory.dmp

      Filesize

      300KB

      Download

    • memory/5088-102-0x000001C3D7B90000-0x000001C3D7BDB000-memory.dmp

      Filesize

      300KB

      Download

    • memory/5088-103-0x000001C3D7C40000-0x000001C3D7C8B000-memory.dmp

      Filesize

      300KB

      Download

    • memory/5088-107-0x000001C3D7CF0000-0x000001C3D7D3B000-memory.dmp

      Filesize

      300KB

      Download

    • memory/5088-77-0x00000003A6450000-0x00000003A649B000-memory.dmp

      Filesize

      300KB

      Download

    • memory/5088-79-0x000001C3D6F60000-0x000001C3D6FAB000-memory.dmp

      Filesize

      300KB

      Download

    • memory/5088-113-0x000001C3D7DA0000-0x000001C3D7DEB000-memory.dmp

      Filesize

      300KB

      Download

    • memory/5088-114-0x00007FF4608A0000-0x00007FF4608A1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/5088-119-0x00007FF460840000-0x00007FF460841000-memory.dmp

      Filesize

      4KB

      Download

    • memory/5088-118-0x00007FF460850000-0x00007FF460851000-memory.dmp

      Filesize

      4KB

      Download

    • memory/5088-117-0x00007FF460860000-0x00007FF460861000-memory.dmp

      Filesize

      4KB

      Download

    • memory/5088-116-0x00007FF460870000-0x00007FF460871000-memory.dmp

      Filesize

      4KB

      Download

    • memory/5088-115-0x00007FF460880000-0x00007FF460895000-memory.dmp

      Filesize

      84KB

      Download

    • memory/5088-75-0x00007FFBE15D0000-0x00007FFBE15E8000-memory.dmp

      Filesize

      96KB

      Download

    • memory/5088-73-0x00000003A6450000-0x00000003A649B000-memory.dmp

      Filesize

      300KB

      Download

    • memory/5088-124-0x000001C3D8450000-0x000001C3D849B000-memory.dmp

      Filesize

      300KB

      Download

    • memory/5088-125-0x000001C3D8500000-0x000001C3D854B000-memory.dmp

      Filesize

      300KB

      Download

    • memory/5088-126-0x000001C3D6FC0000-0x000001C3D700C000-memory.dmp

      Filesize

      304KB

      Download

    • memory/5088-131-0x000001C3D6A90000-0x000001C3D6ADB000-memory.dmp

      Filesize

      300KB

      Download

    • memory/5088-132-0x000001C3D6B40000-0x000001C3D6B8B000-memory.dmp

      Filesize

      300KB

      Download

    • memory/5088-134-0x000001C3D6BF0000-0x000001C3D6C3B000-memory.dmp

      Filesize

      300KB

      Download