Analysis Overview
SHA256
f80f4efbba8fd17b87fa5f672340a64beb532fcd10a5ea4a913bc350aadda15c
Threat Level: Known bad
The file f80f4efbba8fd17b87fa5f672340a64beb532fcd10a5ea4a913bc350aadda15c was found to be: Known bad.
Malicious Activity Summary
FatalRat
Fatal Rat payload
Downloads MZ/PE file
Executes dropped EXE
Checks computer location settings
Unsigned PE
Enumerates physical storage devices
Checks processor information in registry
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Suspicious use of SetWindowsHookEx
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2023-06-08 19:15
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2023-06-08 19:15
Reported
2023-06-08 19:17
Platform
win7-20230220-en
Max time kernel
29s
Max time network
139s
Command Line
Signatures
FatalRat
Fatal Rat payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Enumerates physical storage devices
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\f80f4efbba8fd17b87fa5f672340a64beb532fcd10a5ea4a913bc350aadda15c.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Users\Admin\AppData\Local\Temp\f80f4efbba8fd17b87fa5f672340a64beb532fcd10a5ea4a913bc350aadda15c.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\f80f4efbba8fd17b87fa5f672340a64beb532fcd10a5ea4a913bc350aadda15c.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\f80f4efbba8fd17b87fa5f672340a64beb532fcd10a5ea4a913bc350aadda15c.exe
"C:\Users\Admin\AppData\Local\Temp\f80f4efbba8fd17b87fa5f672340a64beb532fcd10a5ea4a913bc350aadda15c.exe"
Network
| Country | Destination | Domain | Proto |
| CN | 211.101.234.178:25331 | 211.101.234.178 | tcp |
| HK | 103.239.103.143:11356 | 103.239.103.143 | tcp |
| HK | 103.239.103.143:11554 | | tcp |
Files
memory/1584-58-0x0000000010000000-0x0000000010020000-memory.dmp
memory/1584-62-0x0000000002B60000-0x0000000002B7E000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2023-06-08 19:15
Reported
2023-06-08 19:17
Platform
win10v2004-20230220-en
Max time kernel
135s
Max time network
147s
Command Line
Signatures
FatalRat
Fatal Rat payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Downloads MZ/PE file
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\f80f4efbba8fd17b87fa5f672340a64beb532fcd10a5ea4a913bc350aadda15c.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\ProgramData\Micsoft Windoews\Win Soft.exe | N/A |
| N/A | N/A | C:\ProgramData\Micsoft Windoews\Win Soft.exe | N/A |
Enumerates physical storage devices
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\f80f4efbba8fd17b87fa5f672340a64beb532fcd10a5ea4a913bc350aadda15c.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Users\Admin\AppData\Local\Temp\f80f4efbba8fd17b87fa5f672340a64beb532fcd10a5ea4a913bc350aadda15c.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\ProgramData\Micsoft Windoews\Win Soft.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\ProgramData\Micsoft Windoews\Win Soft.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\f80f4efbba8fd17b87fa5f672340a64beb532fcd10a5ea4a913bc350aadda15c.exe | N/A |
| N/A | N/A | C:\ProgramData\Micsoft Windoews\Win Soft.exe | N/A |
| N/A | N/A | C:\ProgramData\Micsoft Windoews\Win Soft.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3800 wrote to memory of 796 | N/A | C:\Users\Admin\AppData\Local\Temp\f80f4efbba8fd17b87fa5f672340a64beb532fcd10a5ea4a913bc350aadda15c.exe | C:\ProgramData\Micsoft Windoews\Win Soft.exe |
| PID 3800 wrote to memory of 796 | N/A | C:\Users\Admin\AppData\Local\Temp\f80f4efbba8fd17b87fa5f672340a64beb532fcd10a5ea4a913bc350aadda15c.exe | C:\ProgramData\Micsoft Windoews\Win Soft.exe |
| PID 3800 wrote to memory of 796 | N/A | C:\Users\Admin\AppData\Local\Temp\f80f4efbba8fd17b87fa5f672340a64beb532fcd10a5ea4a913bc350aadda15c.exe | C:\ProgramData\Micsoft Windoews\Win Soft.exe |
| PID 796 wrote to memory of 4456 | N/A | C:\ProgramData\Micsoft Windoews\Win Soft.exe | C:\ProgramData\Micsoft Windoews\Win Soft.exe |
| PID 796 wrote to memory of 4456 | N/A | C:\ProgramData\Micsoft Windoews\Win Soft.exe | C:\ProgramData\Micsoft Windoews\Win Soft.exe |
| PID 796 wrote to memory of 4456 | N/A | C:\ProgramData\Micsoft Windoews\Win Soft.exe | C:\ProgramData\Micsoft Windoews\Win Soft.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\f80f4efbba8fd17b87fa5f672340a64beb532fcd10a5ea4a913bc350aadda15c.exe
"C:\Users\Admin\AppData\Local\Temp\f80f4efbba8fd17b87fa5f672340a64beb532fcd10a5ea4a913bc350aadda15c.exe"
C:\ProgramData\Micsoft Windoews\Win Soft.exe
"C:\ProgramData\Micsoft Windoews\Win Soft.exe"
C:\ProgramData\Micsoft Windoews\Win Soft.exe
"C:\ProgramData\Micsoft Windoews\Win Soft.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| CN | 211.101.234.178:25331 | 211.101.234.178 | tcp |
| US | 8.8.8.8:53 | 178.234.101.211.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 138.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.103.197.20.in-addr.arpa | udp |
| HK | 103.239.103.143:11356 | 103.239.103.143 | tcp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 143.103.239.103.in-addr.arpa | udp |
| CN | 211.101.234.178:25331 | 211.101.234.178 | tcp |
| US | 40.125.122.176:443 | | tcp |
| HK | 103.239.103.143:11554 | | tcp |
| CN | 211.101.234.178:30360 | | tcp |
| US | 40.125.122.176:443 | | tcp |
| US | 52.168.112.67:443 | | tcp |
| US | 40.125.122.176:443 | | tcp |
| NL | 173.223.113.164:443 | | tcp |
| US | 40.125.122.176:443 | | tcp |
| US | 8.8.8.8:53 | 203.151.224.20.in-addr.arpa | udp |
| NL | 8.253.208.113:80 | | tcp |
| US | 40.125.122.176:443 | | tcp |
| US | 40.125.122.176:443 | | tcp |
| US | 40.125.122.176:443 | | tcp |
| US | 40.125.122.176:443 | | tcp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
Files
C:\ProgramData\Micsoft Windoews\Win Soft.exe
| MD5 | 9068a3d8251716410e5baa7c95db8755 |
| SHA1 | d92d985a74a27591718ea4fe50eee965823b0ea1 |
| SHA256 | 64b2695097ec03c0c7538389dc46641e0db93cf91f8cc6055dcc8d76637e28e5 |
| SHA512 | 5d56f33340b2ee7bbb39be857d5d4c51e1e0baa460c3941406ec67b473e7556d81fd79ea0730db8abe267a74361a74c84945a8ff6ab891bab20084144167dc80 |
memory/3800-152-0x0000000010000000-0x0000000010020000-memory.dmp
memory/3800-156-0x0000000003160000-0x000000000317E000-memory.dmp
memory/796-161-0x0000000010000000-0x0000000010020000-memory.dmp
memory/796-165-0x0000000004C50000-0x0000000004C6E000-memory.dmp