Analysis
-
max time kernel
144s -
max time network
137s -
platform
windows10-2004_x64 -
resource
win10v2004-20250217-en -
resource tags
-
submitted
20-02-2025 17:47
General
-
Target
calma.msi
-
Size
4.6MB
-
MD5
27708977fc83f3b70177d6cf68900eba
-
SHA1
f679bb77e2876b17da2276017df6cf252aa5bd22
-
SHA256
ec3ca0877e599ae9c40cbcec51a9a4718114e33d9e2d9d8c72f5f24d7cebdcbf
-
SHA512
831ccd1e4fdda16ff7cd16096e3291b9fa986f814e56aec9d8d0c6a36ae402002940a9d9aa7c1c5c8cf1b8e65c2d9ee529956f9cae3832e513a37bff3839c8ac
-
SSDEEP
98304:HYVK/AKIN29ryVzg+Vho+5d67amiFP/0hnJRZuq2sDSq5Fwfp:G29W5jmih/0xXLFm
Malware Config
Extracted
latrodectus
1.4
https://tynifinilam.com/test/
https://horetimodual.com/test/
Signatures
-
Brute Ratel C4
A customized command and control framework for red teaming and adversary simulation.
-
Bruteratel family
-
Detect BruteRatel badger 1 IoCs
-
Detects Latrodectus 3 IoCs
Detects Latrodectus v1.4.
-
Latrodectus family
-
Latrodectus loader
Latrodectus is a loader written in C++.
-
Blocklisted process makes network request 5 IoCs
-
Enumerates connected drives 3 TTPs 46 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Drops file in Windows directory 12 IoCs
-
Executes dropped EXE 1 IoCs
-
Loads dropped DLL 6 IoCs
-
Event Triggered Execution: Installer Packages 2 TTPs 1 IoCs
-
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Checks SCSI registry key(s) 3 TTPs 5 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Suspicious behavior: EnumeratesProcesses 10 IoCs
-
Suspicious use of AdjustPrivilegeToken 63 IoCs
-
Suspicious use of FindShellTrayWindow 2 IoCs
-
Suspicious use of UnmapMainImage 1 IoCs
-
Suspicious use of WriteProcessMemory 8 IoCs
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
- Suspicious use of UnmapMainImage
-
C:\Windows\system32\msiexec.exemsiexec.exe /I C:\Users\Admin\AppData\Local\Temp\calma.msi2⤵
- Blocklisted process makes network request
- Enumerates connected drives
- Event Triggered Execution: Installer Packages
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
-
-
C:\Windows\system32\msiexec.exeC:\Windows\system32\msiexec.exe /V1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\srtasks.exeC:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:22⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding 4EF8B0B98B306149E74373A103C2EFE92⤵
- Blocklisted process makes network request
- Loads dropped DLL
- System Location Discovery: System Language Discovery
-
-
C:\Users\Admin\AppData\Roaming\nvidia\NVIDIA Notification.exe"C:\Users\Admin\AppData\Roaming\nvidia\NVIDIA Notification.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
2KB
MD54e7b2fa963f2649ce5056a588c78a406
SHA194735bbc107796d49f04f0cd503d66f1aaa4117c
SHA2566545dd7dd6ad23f4ff12dea9ca56b79cd20a91cfdd2f3d675e503c39fd6820c7
SHA5124e655856ed3ead92ee4f27db3533968b7e41cbb9bfc3b2e0a3ab93e58cf6189bd3798bcab202710fd4421c342ad614ce58c803d98e6ecd948ea66591c8c1d704
-
Filesize
1KB
MD52448a7a546dd3b47eb8e7452e78020e5
SHA11b919a8a76bedf23b8f99fd60afef6556e1a34ef
SHA2564ae10bde30cf8761c5559719556e34b47f3f2315a681b9c21723c5cebebecf66
SHA512cac35235cbadc10ca1166cd362e64355b95f77c0552e31bf6915b07c4908c6a715ebda23b7fc7168093cc74cfbccbc62a82c8f3be6d37a2a3a6d12b14a233547
-
Filesize
1KB
MD55b135ca33a24494246272c8aabd2ea11
SHA1f1b9f1817c5df9565991da201ca68a4b433ca023
SHA25648caa23e7677b2e96ca11c1f7e3234c535b94e73040eae698337c4400022c28d
SHA5125377d1960c655ad9bfdbcbd4134f9bc46127e9c77b66417288bc324c515f5c3e79e431cb11d062f999b29e517263dde5d75c4ea2a1177de70123959faa8ed795
-
Filesize
536B
MD54309d71f67a5c094472eb2d3f1ad5c6d
SHA1d6dc226c27d15321e8a693a4ab295ac072f178fb
SHA256aa699868ad7d7bfe7ef7661becb7a443cc4284e16f6422405e75f908b665a80b
SHA512c6d346761f2210d5b733d2e3a2471a8b5a33e14ebbf3a9c8c1259523ea40ea646386703bab6da6d553a41f3acd85ba2cd8623f0b08910049965bbec424060484
-
Filesize
536B
MD5aded92a00bd5521bed3bd1ebc4b88796
SHA1015aeb733e6f535f4d8bc903b18925edb55cf60c
SHA25629605d84f5dbb9f191459ac65af3525c52580481885e98c1c4bdbb8c2848ee55
SHA5123b5bfe295790e68c81262fca2f7d6d8c189ae4e261374aaa45a88a2045b3e8d1e3932876abdbacba2186528df1e97a00674fad3616e2c233cba4bf140e772401
-
Filesize
3.2MB
MD507459a0b5f524ad62b5b5401133d4d55
SHA1bcaec0c106f7f97c09618870e0d4868a156c93ec
SHA2566c94c9d7e231523e06b41275ab208e42cdd39278f341123b066b05a0a6830e4d
SHA5125133970b743eaa730e97baf9c4f52c05af469b880cd158900e62447daab45445112b41cc31c330fb90ee1e274d85e444ab86cfffc3e4fea7380d4217c446e9b5
-
Filesize
3.2MB
MD5c6bb7631c35b6a8fc21077ca49aa8559
SHA1240d2d8e8da0bba108ee831bcc7a17a92d190db2
SHA2566b3854e74a1ec9a70f14d124c9ae8456129c0b5968f3781b95e430940c64fad4
SHA5121cc5f67413727ea12b0ff0c26ef822fe689b15c674ee4bb03789b949879cfd0f84ad76bd8b93db53ef35160c751344134fc36d8bb3995be658ca7c268bdada72
-
Filesize
436KB
MD5475d20c0ea477a35660e3f67ecf0a1df
SHA167340739f51e1134ae8f0ffc5ae9dd710e8e3a08
SHA256426e6cf199a8268e8a7763ec3a4dd7add982b28c51d89ebea90ca792cbae14dd
SHA51299525aaab2ab608134b5d66b5313e7fc3c2e2877395c5c171897d7a6c66efb26b606de1a4cb01118c2738ea4b6542e4eb4983e631231b3f340bf85e509a9589e
-
Filesize
355KB
MD5cac65e61b287555ea0e2a7f1aa0645cc
SHA10c93bdbfddd7e00ec30c81dbff8f3a1bfaf62519
SHA25657c0d90010d3a476770c8085d2641cbf234b0ca47ec687ca4aabbf4db92df737
SHA512e80076eb7e632e40f8dcb013b854a5825e7a19dd451505aa121a47a110032a1c571cd6d9e3e5aeacdb8f5897cb17ece4e65846b5d9080605e81176fe0811456a
-
Filesize
24.1MB
MD53156e63ebf08a086ce6f2c374a06a40b
SHA1d273c57f643f2f8b41ad0af3d2dc7f9220475622
SHA256b14c0b55bf1fb38e77f620a9e24e39c70a10a7e20bfaf35ffde9b45621360224
SHA512e4fb54dbfb48e68b5a5f032b6eae8b92f0456bd3fb10715a655c0ed6055ea383627414c6093a1cc09351bf95a83ca0c9df071b27df5b0ecbf7f95a90866e8fc9
-
Filesize
6KB
MD544bf1a208699787f3872ad500fe52da5
SHA19b31f72972fda1c818e68a882e6add82a26bcca0
SHA256587df0013b7f135bc740b1e092d1ece1a8aa3066f9c0491a6795ddeb51bb96af
SHA5129331be44021aa242b5ca737d296ab6a7735682060d1845f848a822c583fef565b76ef9a5321bb3693308fa3a79f44eb827e8148dbcf4638f53d66b0dba50f41e
-
Filesize
300KB
-
Filesize
96KB
-
Filesize
300KB
-
Filesize
300KB
-
Filesize
304KB
-
Filesize
300KB
-
Filesize
300KB
-
Filesize
300KB
-
Filesize
300KB
-
Filesize
300KB
-
Filesize
300KB
-
Filesize
248KB
-
Filesize
300KB
-
Filesize
300KB
-
Filesize
300KB
-
Filesize
300KB
-
Filesize
300KB
-
Filesize
300KB
-
Filesize
300KB
-
Filesize
300KB
-
Filesize
4KB
-
Filesize
84KB
-
Filesize
4KB
-
Filesize
300KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
300KB
-
Filesize
300KB
-
Filesize
304KB
-
Filesize
300KB
-
Filesize
300KB
-
Filesize
84KB
-
Filesize
84KB