Overview

overview

10

Static

static

1

ec3ca0877e...bf.msi

windows7-x64

6

ec3ca0877e...bf.msi

windows10-2004-x64

10

Analysis

  • max time kernel
    130s
  • max time network
    135s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20250217-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20250217-enlocale:en-usos:windows10-2004-x64system
  • submitted
    21/02/2025, 04:22

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    ec3ca0877e599ae9c40cbcec51a9a4718114e33d9e2d9d8c72f5f24d7cebdcbf.msi

  • Size

    4.6MB

  • MD5

    27708977fc83f3b70177d6cf68900eba

  • SHA1

    f679bb77e2876b17da2276017df6cf252aa5bd22

  • SHA256

    ec3ca0877e599ae9c40cbcec51a9a4718114e33d9e2d9d8c72f5f24d7cebdcbf

  • SHA512

    831ccd1e4fdda16ff7cd16096e3291b9fa986f814e56aec9d8d0c6a36ae402002940a9d9aa7c1c5c8cf1b8e65c2d9ee529956f9cae3832e513a37bff3839c8ac

  • SSDEEP

    98304:HYVK/AKIN29ryVzg+Vho+5d67amiFP/0hnJRZuq2sDSq5Fwfp:G29W5jmih/0xXLFm

Score
10/10
bruteratellatrodectusbackdoordiscoveryloaderpersistenceprivilege_escalation

Malware Config

Extracted

Family

latrodectus

Version

1.4

C2

https://tynifinilam.com/test/

https://horetimodual.com/test/
aes.hex

Signatures

  • Brute Ratel C4

    A customized command and control framework for red teaming and adversary simulation.

    backdoorbruteratel
  • Bruteratel family
    bruteratel
  • Detect BruteRatel badger 1 IoCs
  • Detects Latrodectus 3 IoCs

    Detects Latrodectus v1.4.

  • Latrodectus family
    latrodectus
  • Latrodectus loader

    Latrodectus is a loader written in C++.

    loaderlatrodectus
  • Blocklisted process makes network request 5 IoCs
  • Enumerates connected drives 3 TTPs 46 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Windows directory 12 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 6 IoCs
  • Event Triggered Execution: Installer Packages 2 TTPs 1 IoCs
    persistenceprivilege_escalation
  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Checks SCSI registry key(s) 3 TTPs 5 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses 8 IoCs
  • Suspicious use of AdjustPrivilegeToken 63 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

    ransomware

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:3488
      • C:\Windows\system32\msiexec.exe
        msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\ec3ca0877e599ae9c40cbcec51a9a4718114e33d9e2d9d8c72f5f24d7cebdcbf.msi
        2⤵
        • Blocklisted process makes network request
        • Enumerates connected drives
        • Event Triggered Execution: Installer Packages
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of FindShellTrayWindow
        PID:5076
    • C:\Windows\system32\msiexec.exe
      C:\Windows\system32\msiexec.exe /V
      1⤵
      • Enumerates connected drives
      • Drops file in Windows directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:3692
      • C:\Windows\system32\srtasks.exe
        C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
        2⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:3908
      • C:\Windows\syswow64\MsiExec.exe
        C:\Windows\syswow64\MsiExec.exe -Embedding 344CC957A796D0DDFD2CCB82AD418662
        2⤵
        • Blocklisted process makes network request
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        PID:3572
      • C:\Users\Admin\AppData\Roaming\nvidia\NVIDIA Notification.exe
        "C:\Users\Admin\AppData\Roaming\nvidia\NVIDIA Notification.exe"
        2⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:3312
    • C:\Windows\system32\vssvc.exe
      C:\Windows\system32\vssvc.exe
      1⤵
      • Checks SCSI registry key(s)
      • Suspicious use of AdjustPrivilegeToken
      PID:4200

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Config.Msi\e5816a3.rbs
      Filesize

      2KB

      MD5

      9eb5bd48e750fdcab158634870b8293a

      SHA1

      ee8882c73e68369f92b7534830e77d83cbd7881f

      SHA256

      d46d6d6b0a6f6058eaaec19e64f69269eda61424fdb6969d7890e861993eb537

      SHA512

      0164107ccd785347baf486a476116bd4f9d6f04c73dcbd8531074a61fc0ff4d8f524cbd74d2e81f60b605ff64af54c1c7a3bddde84542c49b30d390834c3cfba

      Download Submit

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\357F04AD41BCF5FE18FCB69F60C6680F_FD01465368E204AAEA741CF2D9C1BB6D
      Filesize

      1KB

      MD5

      d4e28861136cd341e971fc33ff4ddf2c

      SHA1

      6ea6a7aaec55b40a1c18b017760a20fd357f3409

      SHA256

      496779f0d4bc7eb2b6a95d323376f5c09e16079a8d92cafd6f3c57a5b58bfed4

      SHA512

      dfa56d40e4eed3318111fbf050724fb0662a2c0e78df7f4c3572c2adaf4a0a2a6f5e32d3875b16d50c82062f5f881d6e835922dc258ca5f27645e5b70684e8bc

      Download Submit

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\9CB4373A4252DE8D2212929836304EC5_1AB74AA2E3A56E1B8AD8D3FEC287554E
      Filesize

      1KB

      MD5

      e7c17013b064a9ff4c7d1a58a6c29fcd

      SHA1

      12f47be374d0b5d0dcbfab2f7052add863dde4b9

      SHA256

      282b46328fc18064b2113fce2da019792f71ef6fe6fd6462dc753ac83717b8c8

      SHA512

      44f027698911360465dc38209c326f9f49825e375871cd6f91f5324e34f463c7c3814b8ad80293191e67ca5dc5fb93758834ea4987fda4046ccc99679681bf4f

      Download Submit

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\357F04AD41BCF5FE18FCB69F60C6680F_FD01465368E204AAEA741CF2D9C1BB6D
      Filesize

      536B

      MD5

      1994de3739023e0f82f15e1a65875934

      SHA1

      2fadbec3a83b44aebf72d85886e4fd86b2b1dcc1

      SHA256

      c3a876a9dccfecf2c8b6a4117f838d371a16e19314cee9e2ca33a9f1d869cba2

      SHA512

      9c0f35666667b63af8331cb7ee642ccb07784ab7954fcb68641478169566661c2e318724a04e91c0bc9a95293f5f7d09c87bd2ba7eb0d938cbd0e3410a1c9afe

      Download Submit

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\9CB4373A4252DE8D2212929836304EC5_1AB74AA2E3A56E1B8AD8D3FEC287554E
      Filesize

      536B

      MD5

      89fe90da29e7b1ec8d5483a5bbc2defd

      SHA1

      97ae69aeb57388faca27f4b3c3cce5ee06bbdf1d

      SHA256

      c5b05fb08c6ca703d7d2ca0f1e6e1d0c8e6dc3ad171adbb4d36e4fcb4d75047a

      SHA512

      785f9753ae580f78594803a1bff77af5c3fff3261f5ee466ddd20fe37fcf9ad13899fbe418ebf7c3e02347d77bcad4228737d0a62e88ce4e53045f556279348a

      Download Submit

    • C:\Users\Admin\AppData\Roaming\nvidia\NVIDIA Notification.exe
      Filesize

      3.2MB

      MD5

      07459a0b5f524ad62b5b5401133d4d55

      SHA1

      bcaec0c106f7f97c09618870e0d4868a156c93ec

      SHA256

      6c94c9d7e231523e06b41275ab208e42cdd39278f341123b066b05a0a6830e4d

      SHA512

      5133970b743eaa730e97baf9c4f52c05af469b880cd158900e62447daab45445112b41cc31c330fb90ee1e274d85e444ab86cfffc3e4fea7380d4217c446e9b5

      Download Submit

    • C:\Users\Admin\AppData\Roaming\nvidia\libcef.dll
      Filesize

      3.2MB

      MD5

      c6bb7631c35b6a8fc21077ca49aa8559

      SHA1

      240d2d8e8da0bba108ee831bcc7a17a92d190db2

      SHA256

      6b3854e74a1ec9a70f14d124c9ae8456129c0b5968f3781b95e430940c64fad4

      SHA512

      1cc5f67413727ea12b0ff0c26ef822fe689b15c674ee4bb03789b949879cfd0f84ad76bd8b93db53ef35160c751344134fc36d8bb3995be658ca7c268bdada72

      Download Submit

    • C:\Windows\Installer\MSI175B.tmp
      Filesize

      436KB

      MD5

      475d20c0ea477a35660e3f67ecf0a1df

      SHA1

      67340739f51e1134ae8f0ffc5ae9dd710e8e3a08

      SHA256

      426e6cf199a8268e8a7763ec3a4dd7add982b28c51d89ebea90ca792cbae14dd

      SHA512

      99525aaab2ab608134b5d66b5313e7fc3c2e2877395c5c171897d7a6c66efb26b606de1a4cb01118c2738ea4b6542e4eb4983e631231b3f340bf85e509a9589e

      Download Submit

    • C:\Windows\Installer\MSI19FE.tmp
      Filesize

      355KB

      MD5

      cac65e61b287555ea0e2a7f1aa0645cc

      SHA1

      0c93bdbfddd7e00ec30c81dbff8f3a1bfaf62519

      SHA256

      57c0d90010d3a476770c8085d2641cbf234b0ca47ec687ca4aabbf4db92df737

      SHA512

      e80076eb7e632e40f8dcb013b854a5825e7a19dd451505aa121a47a110032a1c571cd6d9e3e5aeacdb8f5897cb17ece4e65846b5d9080605e81176fe0811456a

      Download Submit

    • \??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2
      Filesize

      24.1MB

      MD5

      7b578d68d7a7e089a5997634faef6fb4

      SHA1

      ee313862704aaf872c240ca525d57b27965a04b4

      SHA256

      1c6c57e6425bbda39563818a5d7437a70f954b25ff2e9fef719bc30452e546aa

      SHA512

      703dc058a16c181cd290f0b74e31ee599a20101e16de076aa77a8edaec4ea3fcbd961c27a0480cee95885de330fbfc9736abcf2199857df44d7d1d72484287ba

      Download Submit

    • \??\Volume{241ef5c9-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{42bcd1c0-4c15-4b9d-a275-4af93caf138c}_OnDiskSnapshotProp
      Filesize

      6KB

      MD5

      90e0b0efe9daf78b2b03dea262377a4a

      SHA1

      0b326ea634039f4d88050401015617e5b0e10eb9

      SHA256

      dde14517fba44c3d159dc229e06de85c5250102c897a767bf1507c888bfea7db

      SHA512

      bf694d1c8ef4cf3948cc703b54ed63b64c4d129f1d9882b88b362f63b2f9a46e1597bba1c19ae1a8bcd8fd9c1489490a83d710fb3057e3d40d4be9614326a22f

      Download Submit

    • memory/3312-95-0x0000026DF73D0000-0x0000026DF741B000-memory.dmp

      Filesize

      300KB

      Download

    • memory/3312-75-0x00007FFCE6FA0000-0x00007FFCE6FB8000-memory.dmp

      Filesize

      96KB

      Download

    • memory/3312-78-0x0000026DF6B20000-0x0000026DF6B6B000-memory.dmp

      Filesize

      300KB

      Download

    • memory/3312-79-0x0000026DF6BC0000-0x0000026DF6C0B000-memory.dmp

      Filesize

      300KB

      Download

    • memory/3312-80-0x0000026DF6C20000-0x0000026DF6C6C000-memory.dmp

      Filesize

      304KB

      Download

    • memory/3312-89-0x0000026DF6CC0000-0x0000026DF6D0B000-memory.dmp

      Filesize

      300KB

      Download

    • memory/3312-90-0x00000003A6450000-0x00000003A649B000-memory.dmp

      Filesize

      300KB

      Download

    • memory/3312-91-0x0000026DF6D70000-0x0000026DF6DBB000-memory.dmp

      Filesize

      300KB

      Download

    • memory/3312-92-0x0000026DF7150000-0x0000026DF719B000-memory.dmp

      Filesize

      300KB

      Download

    • memory/3312-93-0x0000026DF7220000-0x0000026DF726B000-memory.dmp

      Filesize

      300KB

      Download

    • memory/3312-94-0x0000026DF72D0000-0x0000026DF731B000-memory.dmp

      Filesize

      300KB

      Download

    • memory/3312-77-0x00000003A6450000-0x00000003A649B000-memory.dmp

      Filesize

      300KB

      Download

    • memory/3312-96-0x0000026DF7490000-0x0000026DF74DB000-memory.dmp

      Filesize

      300KB

      Download

    • memory/3312-97-0x0000026DF7540000-0x0000026DF758B000-memory.dmp

      Filesize

      300KB

      Download

    • memory/3312-101-0x0000026DF7740000-0x0000026DF778B000-memory.dmp

      Filesize

      300KB

      Download

    • memory/3312-102-0x0000026DF77F0000-0x0000026DF783B000-memory.dmp

      Filesize

      300KB

      Download

    • memory/3312-103-0x0000026DF78A0000-0x0000026DF78EB000-memory.dmp

      Filesize

      300KB

      Download

    • memory/3312-76-0x0000026DF66E0000-0x0000026DF671E000-memory.dmp

      Filesize

      248KB

      Download

    • memory/3312-73-0x00000003A6450000-0x00000003A649B000-memory.dmp

      Filesize

      300KB

      Download

    • memory/3312-109-0x0000026DF7950000-0x0000026DF799B000-memory.dmp

      Filesize

      300KB

      Download

    • memory/3312-111-0x00007FF44E7E0000-0x00007FF44E7F5000-memory.dmp

      Filesize

      84KB

      Download

    • memory/3312-128-0x0000026DF69A0000-0x0000026DF69EB000-memory.dmp

      Filesize

      300KB

      Download

    • memory/3312-115-0x00007FF44E7A0000-0x00007FF44E7A1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/3312-114-0x00007FF44E7B0000-0x00007FF44E7B1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/3312-113-0x00007FF44E7C0000-0x00007FF44E7C1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/3312-112-0x00007FF44E7D0000-0x00007FF44E7D1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/3312-110-0x00007FF44E800000-0x00007FF44E801000-memory.dmp

      Filesize

      4KB

      Download

    • memory/3312-127-0x0000026DF68F0000-0x0000026DF693B000-memory.dmp

      Filesize

      300KB

      Download

    • memory/3312-120-0x0000026DF6790000-0x0000026DF67DB000-memory.dmp

      Filesize

      300KB

      Download

    • memory/3312-122-0x0000026DF6C20000-0x0000026DF6C6C000-memory.dmp

      Filesize

      304KB

      Download

    • memory/3312-121-0x0000026DF6840000-0x0000026DF688B000-memory.dmp

      Filesize

      300KB

      Download

    • memory/3488-117-0x0000000002E00000-0x0000000002E15000-memory.dmp

      Filesize

      84KB

      Download

    • memory/3488-116-0x0000000002E00000-0x0000000002E15000-memory.dmp

      Filesize

      84KB

      Download