Managed XDR

zhenziwei-sichuan-restaurant.lnk.zip (Brute Ratel) — malware analysis report

File info

Filename
zhenziwei-sichuan-restaurant.lnk.zip
File type
Zip archive data, at least v2.0 to extract
File size
4.8 KB
First seen
Last seen

Environment

w10/x86 en

Hashes

SHA1
5b036c83c0953c61feb0f98a2a6239c4394a7088
SHA256
85d888634c5c2c47eb0b229437a3746d4b534f48bdb9b607830baf71ff9e5921
MD5
89145f9bab2440117c7fce6e2de29f93

Malwares

  • Brute Ratel

Signatures

Execution

T1059.001 suspicious_powershell: Creates suspicious powershell process
T1059.001 suspicious_process: Spawns a suspicious process
T1059.003 suspicious_process: Spawns a suspicious process

Persistence

T1547.001 persistence_autorun: Makes itself run automatically on Windows startup

Privilege Escalation

T1547.001 persistence_autorun: Makes itself run automatically on Windows startup
T1134 opens_thread_token: Opens the access token associated with a thread
T1134 opens_process_token: Opens the access token associated with a process

Defense Evasion

T1112 creates_largekey: Saves very large data in the registry, can be used to save the configuration or body of the malware
T1027.004 compiles_code: Compiles C# code
T1497 debugs_self: Creates a process and debugs it
T1497.003 antisandbox_idletime: Detects Windows Idle Time to determine the uptime
T1497.001 antisandbox_script_timer: Detected script timer window (indicative of sleep style evasion)
T1134 opens_thread_token: Opens the access token associated with a thread
T1134 opens_process_token: Opens the access token associated with a process

Discovery

T1497 debugs_self: Creates a process and debugs it
T1497.003 antisandbox_idletime: Detects Windows Idle Time to determine the uptime
T1518 locates_browser: Attempts to identify where browsers are installed
T1497.001 antisandbox_script_timer: Detected script timer window (indicative of sleep style evasion)

Command and Control

T1071.001 network_cnc_http: Suspicious HTTP traffic
T1071.001 network_http: Performs HTTP requests

Exfiltration

T1022 encrypts_pc_info: Collects and encrypts information about the computer (possibly for exfiltration)

Other

suricata_alert: Malicious traffic detected
creates_exe: Creates executable files in the file system
dead_host: Connects to IP addresses that do not respond to requests
only_exec_in_archive: The archive contains only an executable file
network_powershell: Powershell process network connection detected
creates_suspended_process: Creates suspended process
writes_data: Writes big amount of data to disk
yara_rules: Static rules

Related reports

Managed XDR