Analysis
-
max time kernel
4s -
max time network
141s -
platform
windows7_x64 -
resource
win7v20210408 -
submitted
01-07-2021 14:19
Static task
static1
Behavioral task
behavioral1
Sample
2d9002135a5b85b3f3962eab45859f1e59d20ded771b94f0e1127c6c162cb0f4.exe
Resource
win7v20210408
windows7_x64
0 signatures
0 seconds
Behavioral task
behavioral2
Sample
2d9002135a5b85b3f3962eab45859f1e59d20ded771b94f0e1127c6c162cb0f4.exe
Resource
win10v20210410
windows10_x64
0 signatures
0 seconds
General
-
Target
2d9002135a5b85b3f3962eab45859f1e59d20ded771b94f0e1127c6c162cb0f4.exe
Score
10/10
Malware Config
Signatures
-
FatalRat
FatalRat is a modular infostealer family written in C++ first appearing in June 2021.
-
Fatal Rat Payload 1 IoCs
resource yara_rule behavioral1/memory/1096-61-0x0000000010000000-0x000000001002A000-memory.dmp fatalrat -
Executes dropped EXE 2 IoCs
pid Process 2020 Vwxyab.exe 2012 Vwxyab.exe -
Drops file in Windows directory 4 IoCs
description ioc Process File created C:\Windows\Vwxyab.exe 2d9002135a5b85b3f3962eab45859f1e59d20ded771b94f0e1127c6c162cb0f4.exe File opened for modification C:\Windows\Vwxyab.exe 2d9002135a5b85b3f3962eab45859f1e59d20ded771b94f0e1127c6c162cb0f4.exe File opened for modification C:\Windows\Vwxyab.exe Vwxyab.exe File created C:\Windows\Vwxyab.exe Vwxyab.exe -
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 Vwxyab.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz Vwxyab.exe -
Modifies data under HKEY_USERS 20 IoCs
description ioc Process Key created \REGISTRY\USER\.DEFAULT\SYSTEM Vwxyab.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies Vwxyab.exe Key created \REGISTRY\USER\.DEFAULT\SYSTEM\CurrentControlSet\Services\Vwxyab Defghijk Vwxyab.exe Key created \REGISTRY\USER\.DEFAULT\SYSTEM\CurrentControlSet Vwxyab.exe Key created \REGISTRY\USER\.DEFAULT\SYSTEM\CurrentControlSet\Services Vwxyab.exe Set value (str) \REGISTRY\USER\.DEFAULT\SYSTEM\CurrentControlSet\Services\Vwxyab Defghijk\InstallTime = "2021-07-01 16:16" Vwxyab.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum Vwxyab.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie Vwxyab.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum\Version = "7" Vwxyab.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\System Vwxyab.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion Vwxyab.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\System Vwxyab.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableLockWorkstation = "1" Vwxyab.exe Set value (str) \REGISTRY\USER\.DEFAULT\SYSTEM\CurrentControlSet\Services\Vwxyab Defghijk\Group = "Fatal" Vwxyab.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft Vwxyab.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows Vwxyab.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableLockWorkstation = "1" Vwxyab.exe Key created \REGISTRY\USER\.DEFAULT\Software Vwxyab.exe Key created \REGISTRY\USER\.DEFAULT\Software Vwxyab.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft Vwxyab.exe -
Suspicious behavior: EnumeratesProcesses 51 IoCs
pid Process 2012 Vwxyab.exe 2012 Vwxyab.exe 2012 Vwxyab.exe 2012 Vwxyab.exe 2012 Vwxyab.exe 2012 Vwxyab.exe 2012 Vwxyab.exe 2012 Vwxyab.exe 2012 Vwxyab.exe 2012 Vwxyab.exe 2012 Vwxyab.exe 2012 Vwxyab.exe 2012 Vwxyab.exe 2012 Vwxyab.exe 2012 Vwxyab.exe 2012 Vwxyab.exe 2012 Vwxyab.exe 2012 Vwxyab.exe 2012 Vwxyab.exe 2012 Vwxyab.exe 2012 Vwxyab.exe 2012 Vwxyab.exe 2012 Vwxyab.exe 2012 Vwxyab.exe 2012 Vwxyab.exe 2012 Vwxyab.exe 2012 Vwxyab.exe 2012 Vwxyab.exe 2012 Vwxyab.exe 2012 Vwxyab.exe 2012 Vwxyab.exe 2012 Vwxyab.exe 2012 Vwxyab.exe 2012 Vwxyab.exe 2012 Vwxyab.exe 2012 Vwxyab.exe 2012 Vwxyab.exe 2012 Vwxyab.exe 2012 Vwxyab.exe 2012 Vwxyab.exe 2012 Vwxyab.exe 2012 Vwxyab.exe 2012 Vwxyab.exe 2012 Vwxyab.exe 2012 Vwxyab.exe 2012 Vwxyab.exe 2012 Vwxyab.exe 2012 Vwxyab.exe 2012 Vwxyab.exe 2012 Vwxyab.exe 2012 Vwxyab.exe -
Suspicious use of AdjustPrivilegeToken 3 IoCs
description pid Process Token: SeDebugPrivilege 1096 2d9002135a5b85b3f3962eab45859f1e59d20ded771b94f0e1127c6c162cb0f4.exe Token: SeDebugPrivilege 2020 Vwxyab.exe Token: SeDebugPrivilege 2012 Vwxyab.exe -
Suspicious use of WriteProcessMemory 4 IoCs
description pid Process procid_target PID 2020 wrote to memory of 2012 2020 Vwxyab.exe 27 PID 2020 wrote to memory of 2012 2020 Vwxyab.exe 27 PID 2020 wrote to memory of 2012 2020 Vwxyab.exe 27 PID 2020 wrote to memory of 2012 2020 Vwxyab.exe 27
Processes
-
C:\Users\Admin\AppData\Local\Temp\2d9002135a5b85b3f3962eab45859f1e59d20ded771b94f0e1127c6c162cb0f4.exe"C:\Users\Admin\AppData\Local\Temp\2d9002135a5b85b3f3962eab45859f1e59d20ded771b94f0e1127c6c162cb0f4.exe"1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:1096
-
C:\Windows\Vwxyab.exeC:\Windows\Vwxyab.exe1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2020 -
C:\Windows\Vwxyab.exeC:\Windows\Vwxyab.exe Win72⤵
- Executes dropped EXE
- Drops file in Windows directory
- Checks processor information in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2012
-