Analysis
-
max time kernel
154s -
max time network
162s -
platform
windows10-2004_x64 -
resource
win10v2004-20220414-en -
submitted
21-05-2022 11:59
General
-
Target
tgee.exe
-
Size
1.9MB
-
MD5
4ce9155d074716d997e7b806312c509b
-
SHA1
5fab284c13bda7a68237d4a130cac05a8abc465a
-
SHA256
61d1d245455ca4edd8e676fc53b3801b0e75d7cd73226947d11b97e18faf880e
-
SHA512
486fa5fc99eae43f1129755b6949cbc8a0a861df0a71985a5b303038857bbf1f3a7efdf6d466a02b1768e43679a8d8bc2da7b90da7e75051165f554e0795c90f
Malware Config
Signatures
-
FatalRat
FatalRat is a modular infostealer family written in C++ first appearing in June 2021.
-
suricata: ET MALWARE FatalRAT CnC Activity
suricata: ET MALWARE FatalRAT CnC Activity
-
Fatal Rat Payload 1 IoCs
-
Executes dropped EXE 2 IoCs
-
Sets service image path in registry 2 TTPs
-
UPX packed file 4 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Loads dropped DLL 3 IoCs
-
Adds Run key to start application 2 TTPs 3 IoCs
-
Drops file in System32 directory 2 IoCs
-
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Modifies data under HKEY_USERS 1 IoCs
-
Modifies registry class 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: LoadsDriver 4 IoCs
-
Suspicious use of AdjustPrivilegeToken 5 IoCs
-
Suspicious use of SetWindowsHookEx 2 IoCs
-
Suspicious use of WriteProcessMemory 6 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\tgee.exe"C:\Users\Admin\AppData\Local\Temp\tgee.exe"1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\tem.vbs"2⤵
-
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵
-
C:\Users\Public\Music\Misnobi\teonwu\AAscit.exe"C:\Users\Public\Music\Misnobi\teonwu\AAscit.exe"1⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Users\Public\Downloads\Tencente\YYDS\ApplicationFrame.exeC:\Users\Public\Downloads\Tencente\YYDS\ApplicationFrame.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s Netman1⤵
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k netsvcs -p -s NetSetupSvc1⤵
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
215B
MD5cb903aef09fea3eca537ad6414bd7113
SHA1251509cbc25acbc223e2f611eb9ff78eb2a5ae3c
SHA2565592efb670d7ae50ff9d202464435294442aeebb29baea55acf9cd7c9eb08609
SHA512de4a1a816d4fb974999ee7958b9a656cb36e3e88cba63eccf5a0009a73912b60b1255d47aed8b96891837470a76211c28f1fc3258fefdd25d8f4308a8b35e6e4
-
Filesize
44KB
MD58b7741a2ae1664d9f1e45c3db481d896
SHA1e841741c443fab28c4370e1404106c104e0b139b
SHA2563b79bc26d722162b14619636e96efe06f9586da5fad9d7673555be99bf194e82
SHA5124ec159948450af0d2deab7bb9f4ea6e83503b1f61d4322c6dbef90f0fb7a101158886712124862c8f52c73eb9928b6028ea01608b7a19269c28bd7b1876ae5cc
-
Filesize
44KB
MD58b7741a2ae1664d9f1e45c3db481d896
SHA1e841741c443fab28c4370e1404106c104e0b139b
SHA2563b79bc26d722162b14619636e96efe06f9586da5fad9d7673555be99bf194e82
SHA5124ec159948450af0d2deab7bb9f4ea6e83503b1f61d4322c6dbef90f0fb7a101158886712124862c8f52c73eb9928b6028ea01608b7a19269c28bd7b1876ae5cc
-
Filesize
924KB
MD5dbf8b9ab8ae650d5b452240c0e9c90df
SHA11215872c6f7306d6ba14133eb706483f04445885
SHA2569c7feb98fb5804f1f80dd03db1f84a06b68ea6043d2d34ab53edce82b83827b2
SHA512f9ab16d7946f4dfab4abbe368d6863dbaa1e0c49b6b051ff44eecdf0053ee0d1204272b08ffc925d76335874ca1099ebebc84ba80be3aa9c9bd5e5007a62d3a9
-
Filesize
924KB
MD5dbf8b9ab8ae650d5b452240c0e9c90df
SHA11215872c6f7306d6ba14133eb706483f04445885
SHA2569c7feb98fb5804f1f80dd03db1f84a06b68ea6043d2d34ab53edce82b83827b2
SHA512f9ab16d7946f4dfab4abbe368d6863dbaa1e0c49b6b051ff44eecdf0053ee0d1204272b08ffc925d76335874ca1099ebebc84ba80be3aa9c9bd5e5007a62d3a9
-
Filesize
236KB
MD56473a6daccbc8da65d95d7ee7980ac6e
SHA185906fd92f4d6b0103f71ae0e4e37c77515b0aea
SHA25638a8a37d4ff5553ebb5101fd5f0a919e96f909702de4f5d989f3e335ca800eca
SHA512c53d254c6e8f74404f2f623dd74c0d2e8d2ad6db5e5d23670cec74a90e197e20eb1da0c444dddefccada15eb51a5760ac3736951266c08304d481f533fe2e6db
-
Filesize
236KB
MD56473a6daccbc8da65d95d7ee7980ac6e
SHA185906fd92f4d6b0103f71ae0e4e37c77515b0aea
SHA25638a8a37d4ff5553ebb5101fd5f0a919e96f909702de4f5d989f3e335ca800eca
SHA512c53d254c6e8f74404f2f623dd74c0d2e8d2ad6db5e5d23670cec74a90e197e20eb1da0c444dddefccada15eb51a5760ac3736951266c08304d481f533fe2e6db
-
Filesize
1.1MB
MD555c32cb9a881b49bcc0d1b36868a3e98
SHA1e0d623b55e5e307540d05a55fadc323d9615d3b2
SHA2568795836a86dc61f9fe1d4b3f798ebf3a4c1900ddac2f207f4d1f46e87b85850f
SHA512dba66ec3002d7f08bc17c63b34028775d5d9dde7c0c3cd0778e120aba0a273ed130924954a23fcdbbcac4c10c76c991712895ff971979a9a865632bb659e0414
-
Filesize
1.1MB
MD555c32cb9a881b49bcc0d1b36868a3e98
SHA1e0d623b55e5e307540d05a55fadc323d9615d3b2
SHA2568795836a86dc61f9fe1d4b3f798ebf3a4c1900ddac2f207f4d1f46e87b85850f
SHA512dba66ec3002d7f08bc17c63b34028775d5d9dde7c0c3cd0778e120aba0a273ed130924954a23fcdbbcac4c10c76c991712895ff971979a9a865632bb659e0414
-
Filesize
78KB
MD50a79b529eb9012f65ac4500a7a915ca9
SHA1bdc89773fbfed2edd18371786997d6c57672b096
SHA256e985d4d2da1711289b0a67a2dab4002ef2cda5ec7e27f576b0e026fa6ef224a3
SHA512d80c140566014a556f0da2ca6bf9e0d549670a9fdcb5a5f5d7340cd4733724b116d2335d16e9a4d126c5eee7ccb059f84bcaf0b12379c9abd4a018d4b42fdcdd
-
Filesize
78KB
MD50a79b529eb9012f65ac4500a7a915ca9
SHA1bdc89773fbfed2edd18371786997d6c57672b096
SHA256e985d4d2da1711289b0a67a2dab4002ef2cda5ec7e27f576b0e026fa6ef224a3
SHA512d80c140566014a556f0da2ca6bf9e0d549670a9fdcb5a5f5d7340cd4733724b116d2335d16e9a4d126c5eee7ccb059f84bcaf0b12379c9abd4a018d4b42fdcdd
-
Filesize
760KB
-
Filesize
760KB
-
Filesize
760KB
-
Filesize
760KB
-
Filesize
1.6MB
-
Filesize
2.1MB
-
Filesize
1.6MB
-
Filesize
488KB
-
Filesize
116KB