Analysis Overview
SHA256
a612d2c168b2935ce9b0018ca3bcd9fde5bfcfca1bdd35722ccc57f2232bf92f
Threat Level: Known bad
The file 667aca3b0011aebd3ac1eb04a929e79b.bin was found to be: Known bad.
Malicious Activity Summary
FatalRat
Fatal Rat payload
Executes dropped EXE
Drops file in Windows directory
Unsigned PE
Suspicious use of AdjustPrivilegeToken
Checks processor information in registry
Modifies data under HKEY_USERS
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2023-07-06 01:37
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
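The "Unsigned PE" static signature is a check that the file's IMAGE_DIRECTORY_ENTRY_SECURITY data directory is empty. The script below, an added example that is not part of this report or of the sandbox's own code, re-creates that check with the Python standard library and builds a constructed header-only PE (not loadable, with a dummy WIN_CERTIFICATE blob) to exercise both outcomes. The build_minimal_pe helper and its layout are this example's own assumptions.

```python
"""Re-create the "Unsigned PE" static check with the standard library only.

Added example, not part of the sandbox report. An empty security directory
(index 4) means no embedded Authenticode signature. A non-empty one only
proves a WIN_CERTIFICATE blob is attached; whether it validates and chains
to a trusted root must still be checked on Windows (signtool verify /pa,
Get-AuthenticodeSignature). Catalog-signed OS files also have an empty
directory yet are legitimately signed, so "unsigned" here is a weak signal.
"""
import struct
import sys

IMAGE_DIRECTORY_ENTRY_SECURITY = 4
PE32_MAGIC = 0x10B
PE32PLUS_MAGIC = 0x20B


def security_directory(pe: bytes) -> tuple:
    """Return (file_offset, size) of the security directory, (0, 0) if absent.

    Unlike other data directories the security entry holds a raw file offset,
    not an RVA, because the certificate table lives outside any section.
    """
    if len(pe) < 0x40 or pe[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if e_lfanew + 24 > len(pe) or pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing or truncated PE header")
    coff = e_lfanew + 4
    # IMAGE_FILE_HEADER: Machine, NumberOfSections, TimeDateStamp,
    # PointerToSymbolTable, NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    size_of_optional = struct.unpack_from("<HHIIIHH", pe, coff)[5]
    opt = coff + 20
    magic = struct.unpack_from("<H", pe, opt)[0]
    if magic == PE32_MAGIC:
        count_off, dirs_off = opt + 92, opt + 96
    elif magic == PE32PLUS_MAGIC:
        count_off, dirs_off = opt + 108, opt + 112
    else:
        raise ValueError(f"unknown optional header magic 0x{magic:x}")
    number_of_dirs = struct.unpack_from("<I", pe, count_off)[0]
    entry = dirs_off + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY
    # A short optional header may legally omit the trailing directories.
    if number_of_dirs <= IMAGE_DIRECTORY_ENTRY_SECURITY or entry + 8 > opt + size_of_optional:
        return (0, 0)
    return struct.unpack_from("<II", pe, entry)


def is_signed(pe: bytes) -> bool:
    """True when an embedded certificate table is present and lies inside the file."""
    offset, size = security_directory(pe)
    return offset != 0 and size >= 8 and offset + size <= len(pe)


def build_minimal_pe(with_cert_blob: bool, pe32plus: bool = True) -> bytes:
    """Constructed test input (assumption of this example): a header-only PE.

    When with_cert_blob is set, a dummy WIN_CERTIFICATE (revision 0x0200,
    type 0x0002 = PKCS#7) is appended and the security directory points at it.
    """
    fixed = 112 if pe32plus else 96            # optional header bytes before the directories
    ndirs = 16
    dos = b"MZ" + bytes(0x3C - 2) + struct.pack("<I", 0x40)   # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x8664 if pe32plus else 0x14C, 0, 0, 0, 0,
                       fixed + 8 * ndirs, 0x0002)
    opt = bytearray(fixed)
    struct.pack_into("<H", opt, 0, PE32PLUS_MAGIC if pe32plus else PE32_MAGIC)
    struct.pack_into("<I", opt, fixed - 4, ndirs)               # NumberOfRvaAndSizes
    dirs = bytearray(8 * ndirs)
    header_len = len(dos) + 4 + len(coff) + len(opt) + len(dirs)
    cert = b""
    if with_cert_blob:
        # dwLength, wRevision, wCertificateType, then 4 bytes of dummy bCertificate
        cert = struct.pack("<IHH", 12, 0x0200, 0x0002) + bytes(4)
        struct.pack_into("<II", dirs, 8 * IMAGE_DIRECTORY_ENTRY_SECURITY, header_len, len(cert))
    return dos + b"PE\0\0" + coff + bytes(opt) + bytes(dirs) + cert


if __name__ == "__main__":
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            state = "embedded signature present" if is_signed(fh.read()) else "UNSIGNED (empty security directory)"
        print(path, state)
```

Run it against a sample with `python check_sig.py sample.exe`; a present blob still needs WinVerifyTrust-level validation before it counts as a trust decision.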
Analysis: behavioral1
Detonation Overview
Submitted
2023-07-06 01:37
Reported
2023-07-06 01:40
Platform
win7-20230703-en
Max time kernel
35s
Max time network
151s
Command Line
Signatures
FatalRat
Fatal Rat payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Jklmno.exe | N/A |
| N/A | N/A | C:\Windows\Jklmno.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\Jklmno.exe | C:\Users\Admin\AppData\Local\Temp\f10495057c282936b7d00e5bed9c2eb0efdcef1e23ef60ec6be4566fb2626be3.exe | N/A |
| File opened for modification | C:\Windows\Jklmno.exe | C:\Users\Admin\AppData\Local\Temp\f10495057c282936b7d00e5bed9c2eb0efdcef1e23ef60ec6be4566fb2626be3.exe | N/A |
| File opened for modification | C:\Windows\Jklmno.exe | C:\Windows\Jklmno.exe | N/A |
| File created | C:\Windows\Jklmno.exe | C:\Windows\Jklmno.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Windows\Jklmno.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Windows\Jklmno.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie\devenum | C:\Windows\Jklmno.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SYSTEM | C:\Windows\Jklmno.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SYSTEM\CurrentControlSet\Services | C:\Windows\Jklmno.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software | C:\Windows\Jklmno.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft | C:\Windows\Jklmno.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum | C:\Windows\Jklmno.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie | C:\Windows\Jklmno.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie\devenum\Version = "7" | C:\Windows\Jklmno.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SYSTEM\CurrentControlSet\Services\Jklmno Qrstuvwx | C:\Windows\Jklmno.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SYSTEM\CurrentControlSet | C:\Windows\Jklmno.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SYSTEM\CurrentControlSet\Services\Jklmno Qrstuvwx\Group = "Fatal" | C:\Windows\Jklmno.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SYSTEM\CurrentControlSet\Services\Jklmno Qrstuvwx\InstallTime = "2023-07-06 01:38" | C:\Windows\Jklmno.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\f10495057c282936b7d00e5bed9c2eb0efdcef1e23ef60ec6be4566fb2626be3.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\Jklmno.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\Jklmno.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3024 wrote to memory of 2704 | N/A | C:\Windows\Jklmno.exe | C:\Windows\Jklmno.exe |
| PID 3024 wrote to memory of 2704 | N/A | C:\Windows\Jklmno.exe | C:\Windows\Jklmno.exe |
| PID 3024 wrote to memory of 2704 | N/A | C:\Windows\Jklmno.exe | C:\Windows\Jklmno.exe |
| PID 3024 wrote to memory of 2704 | N/A | C:\Windows\Jklmno.exe | C:\Windows\Jklmno.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\f10495057c282936b7d00e5bed9c2eb0efdcef1e23ef60ec6be4566fb2626be3.exe
"C:\Users\Admin\AppData\Local\Temp\f10495057c282936b7d00e5bed9c2eb0efdcef1e23ef60ec6be4566fb2626be3.exe"
C:\Windows\Jklmno.exe
C:\Windows\Jklmno.exe
C:\Windows\Jklmno.exe
C:\Windows\Jklmno.exe Win7
Network
| Country | Destination | Domain | Proto |
| CN | 120.79.43.38:8085 | | tcp |
Files
memory/2336-54-0x0000000010000000-0x000000001001C000-memory.dmp
C:\Windows\Jklmno.exe
| MD5 | 667aca3b0011aebd3ac1eb04a929e79b |
| SHA1 | 7489d2101aaa8057fdfe8c22cca54df999f9bd7b |
| SHA256 | f10495057c282936b7d00e5bed9c2eb0efdcef1e23ef60ec6be4566fb2626be3 |
| SHA512 | ddd335b9af141352409b1a94ca0020a581ba19b5cfa3edb9daad0805ce51d8a4d12ce6f5a4e0742db9cab7f92ae67f83b3a51f88dc018821aa0f8edf5e636b45 |
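The behavioral1 and behavioral2 tables above record the same four host behaviors for the dropped copy C:\Windows\Jklmno.exe: an EXE dropped directly under C:\Windows by a process running from the user's Temp directory, a service-style record written under HKEY_USERS\.DEFAULT with Group = "Fatal", a TCP connection to 120.79.43.38:8085, and WriteProcessMemory into a second instance of its own image. The script below, an added example that is not part of this report and not any vendor's ruleset, turns those indicators into detection rules and runs them over event records constructed from the report's tables. The field names (event, image, target, key, value, dst_ip, dst_port, pid, target_pid) are this example's own convention, not Sysmon's or any EDR's schema, and the process attributed to the network connection is an assumption, since the report's Network table does not name one.

```python
"""Detection rules for the FatalRat behaviors recorded in this report.

Added example; not part of the sandbox report. Events and field names are
constructed for illustration (see lead-in).
"""
import re
from dataclasses import dataclass

# Network IOC from the report's Network tables (both detonations).
C2_IOCS = {("120.79.43.38", 8085)}

# The sample writes its own "service" record under HKU\.DEFAULT rather than
# HKLM\SYSTEM; the Group value "Fatal" is the report's FatalRat marker.
SERVICE_GROUP_RE = re.compile(
    r"^\\REGISTRY\\USER\\\.DEFAULT\\SYSTEM\\CurrentControlSet\\Services\\[^\\]+\\Group$",
    re.IGNORECASE,
)
WINDOWS_ROOT_EXE_RE = re.compile(r"^C:\\Windows\\[^\\]+\.exe$", re.IGNORECASE)
USER_TEMP_RE = re.compile(r"\\AppData\\Local\\Temp\\", re.IGNORECASE)


@dataclass(frozen=True)
class Hit:
    rule: str
    image: str
    detail: str


def rule_drop_exe_in_windows_dir(ev):
    if (ev["event"] == "FileCreate" and WINDOWS_ROOT_EXE_RE.match(ev["target"])
            and USER_TEMP_RE.search(ev["image"])):
        return Hit("drop_exe_in_windows_dir", ev["image"], ev["target"])
    return None


def rule_fatalrat_service_key(ev):
    if (ev["event"] == "RegistrySet" and SERVICE_GROUP_RE.match(ev["key"])
            and ev["value"] == "Fatal"):
        return Hit("fatalrat_hku_default_service_key", ev["image"], ev["key"])
    return None


def rule_c2_connect(ev):
    if ev["event"] == "NetworkConnect" and (ev["dst_ip"], ev["dst_port"]) in C2_IOCS:
        return Hit("fatalrat_c2_ioc", ev["image"], f'{ev["dst_ip"]}:{ev["dst_port"]}/{ev["proto"]}')
    return None


def rule_write_into_own_image(ev):
    # The parent copy (PID 3024 in behavioral1) wrote into a second instance
    # of the same dropped binary (PID 2704).
    if (ev["event"] == "WriteProcessMemory" and WINDOWS_ROOT_EXE_RE.match(ev["image"])
            and ev["image"].lower() == ev["target"].lower()):
        return Hit("write_memory_into_own_image", ev["image"], f'pid {ev["pid"]} -> pid {ev["target_pid"]}')
    return None


RULES = (rule_drop_exe_in_windows_dir, rule_fatalrat_service_key, rule_c2_connect, rule_write_into_own_image)


def scan(events):
    """Run every rule over every event; each hit names the rule, the acting image and a detail."""
    return [hit for ev in events for rule in RULES if (hit := rule(ev)) is not None]


def verdict(hits):
    """Name FatalRat only when the registry marker co-occurs with another behavior;
    a lone hit (for example the IP, which can be reassigned) is only suspicious."""
    names = {h.rule for h in hits}
    if "fatalrat_hku_default_service_key" in names and len(names) >= 2:
        return "FatalRat"
    return "suspicious" if names else "clean"


DROPPER = r"C:\Users\Admin\AppData\Local\Temp\f10495057c282936b7d00e5bed9c2eb0efdcef1e23ef60ec6be4566fb2626be3.exe"
PAYLOAD = r"C:\Windows\Jklmno.exe"

# Constructed from the behavioral1 tables, plus two benign-noise events.
SAMPLE_EVENTS = [
    {"event": "FileCreate", "image": DROPPER, "target": PAYLOAD},
    {"event": "RegistrySet", "image": PAYLOAD,
     "key": r"\REGISTRY\USER\.DEFAULT\SYSTEM\CurrentControlSet\Services\Jklmno Qrstuvwx\Group", "value": "Fatal"},
    {"event": "RegistrySet", "image": PAYLOAD,  # DirectShow devenum noise, deliberately not a rule
     "key": r"\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie\devenum\Version", "value": "7"},
    {"event": "WriteProcessMemory", "image": PAYLOAD, "pid": 3024, "target": PAYLOAD, "target_pid": 2704},
    {"event": "NetworkConnect", "image": PAYLOAD, "dst_ip": "120.79.43.38", "dst_port": 8085, "proto": "tcp"},
    {"event": "FileCreate", "image": r"C:\Users\Admin\AppData\Local\Temp\setup.exe", "target": r"C:\Windows\Temp\log.txt"},
    {"event": "NetworkConnect", "image": r"C:\Windows\System32\svchost.exe", "dst_ip": "8.8.8.8", "dst_port": 53, "proto": "udp"},
]

if __name__ == "__main__":
    found = scan(SAMPLE_EVENTS)
    for h in found:
        print(f"[{h.rule}] {h.image}: {h.detail}")
    print("verdict:", verdict(found))
```

The verdict deliberately does not fire on the C2 address alone: the registry marker and the self-write are behaviors of the binary and survive infrastructure changes, while the IP and port are the first things an operator rotates.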
Analysis: behavioral2
Detonation Overview
Submitted
2023-07-06 01:37
Reported
2023-07-06 01:40
Platform
win10v2004-20230703-en
Max time kernel
34s
Max time network
153s
Command Line
Signatures
FatalRat
Fatal Rat payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Jklmno.exe | N/A |
| N/A | N/A | C:\Windows\Jklmno.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\Jklmno.exe | C:\Users\Admin\AppData\Local\Temp\f10495057c282936b7d00e5bed9c2eb0efdcef1e23ef60ec6be4566fb2626be3.exe | N/A |
| File opened for modification | C:\Windows\Jklmno.exe | C:\Users\Admin\AppData\Local\Temp\f10495057c282936b7d00e5bed9c2eb0efdcef1e23ef60ec6be4566fb2626be3.exe | N/A |
| File opened for modification | C:\Windows\Jklmno.exe | C:\Windows\Jklmno.exe | N/A |
| File created | C:\Windows\Jklmno.exe | C:\Windows\Jklmno.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Windows\Jklmno.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Windows\Jklmno.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\.DEFAULT\System\CurrentControlSet | C:\Windows\Jklmno.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\System\CurrentControlSet\Services | C:\Windows\Jklmno.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\System\CurrentControlSet\Services\Jklmno Qrstuvwx\InstallTime = "2023-07-06 01:38" | C:\Windows\Jklmno.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software | C:\Windows\Jklmno.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie | C:\Windows\Jklmno.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum\Version = "7" | C:\Windows\Jklmno.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SYSTEM\CurrentControlSet\Services\Jklmno Qrstuvwx | C:\Windows\Jklmno.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SYSTEM | C:\Windows\Jklmno.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\System\CurrentControlSet\Services\Jklmno Qrstuvwx | C:\Windows\Jklmno.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\System\CurrentControlSet\Services\Jklmno Qrstuvwx\Group = "Fatal" | C:\Windows\Jklmno.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum | C:\Windows\Jklmno.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft | C:\Windows\Jklmno.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\f10495057c282936b7d00e5bed9c2eb0efdcef1e23ef60ec6be4566fb2626be3.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\Jklmno.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\Jklmno.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2620 wrote to memory of 1568 | N/A | C:\Windows\Jklmno.exe | C:\Windows\Jklmno.exe |
| PID 2620 wrote to memory of 1568 | N/A | C:\Windows\Jklmno.exe | C:\Windows\Jklmno.exe |
| PID 2620 wrote to memory of 1568 | N/A | C:\Windows\Jklmno.exe | C:\Windows\Jklmno.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\f10495057c282936b7d00e5bed9c2eb0efdcef1e23ef60ec6be4566fb2626be3.exe
"C:\Users\Admin\AppData\Local\Temp\f10495057c282936b7d00e5bed9c2eb0efdcef1e23ef60ec6be4566fb2626be3.exe"
C:\Windows\Jklmno.exe
C:\Windows\Jklmno.exe
C:\Windows\Jklmno.exe
C:\Windows\Jklmno.exe Win7
Network
| Country | Destination | Domain | Proto |
| CN | 120.79.43.38:8085 | | tcp |
| US | 8.8.8.8:53 | 38.43.79.120.in-addr.arpa | udp |
Files
memory/1740-133-0x0000000010000000-0x000000001001C000-memory.dmp
C:\Windows\Jklmno.exe
| MD5 | 667aca3b0011aebd3ac1eb04a929e79b |
| SHA1 | 7489d2101aaa8057fdfe8c22cca54df999f9bd7b |
| SHA256 | f10495057c282936b7d00e5bed9c2eb0efdcef1e23ef60ec6be4566fb2626be3 |
| SHA512 | ddd335b9af141352409b1a94ca0020a581ba19b5cfa3edb9daad0805ce51d8a4d12ce6f5a4e0742db9cab7f92ae67f83b3a51f88dc018821aa0f8edf5e636b45 |
memory/2620-141-0x0000000010000000-0x000000001001C000-memory.dmp