Analysis Overview
SHA256
4c736ac4776ecc45e3f33f3adffb8e876e523889425c08fd88ec4ba21374734f
Threat Level: Known bad
The file 4c736ac4776ecc45e3f33f3adffb8e876e523889425c08fd88ec4ba21374734f was found to be: Known bad.
Malicious Activity Summary
FatalRat
Fatal Rat payload
Executes dropped EXE
Unsigned PE
Program crash
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2023-08-12 06:54
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2023-08-12 06:54
Reported
2023-08-12 06:56
Platform
win7-20230712-en
Max time kernel
122s
Max time network
126s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\4c736ac4776ecc45e3f33f3adffb8e876e523889425c08fd88ec4ba21374734f.exe |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2532 wrote to memory of 2264 | N/A | C:\Users\Admin\AppData\Local\Temp\4c736ac4776ecc45e3f33f3adffb8e876e523889425c08fd88ec4ba21374734f.exe | C:\Windows\SysWOW64\WerFault.exe |
| PID 2532 wrote to memory of 2264 | N/A | C:\Users\Admin\AppData\Local\Temp\4c736ac4776ecc45e3f33f3adffb8e876e523889425c08fd88ec4ba21374734f.exe | C:\Windows\SysWOW64\WerFault.exe |
| PID 2532 wrote to memory of 2264 | N/A | C:\Users\Admin\AppData\Local\Temp\4c736ac4776ecc45e3f33f3adffb8e876e523889425c08fd88ec4ba21374734f.exe | C:\Windows\SysWOW64\WerFault.exe |
| PID 2532 wrote to memory of 2264 | N/A | C:\Users\Admin\AppData\Local\Temp\4c736ac4776ecc45e3f33f3adffb8e876e523889425c08fd88ec4ba21374734f.exe | C:\Windows\SysWOW64\WerFault.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\4c736ac4776ecc45e3f33f3adffb8e876e523889425c08fd88ec4ba21374734f.exe
"C:\Users\Admin\AppData\Local\Temp\4c736ac4776ecc45e3f33f3adffb8e876e523889425c08fd88ec4ba21374734f.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2532 -s 116
Network
| Country | Destination | Domain | Proto |
| HK | 39.109.115.130:16553 | | tcp |
Files
memory/2532-54-0x0000000002370000-0x00000000023B0000-memory.dmp
memory/2532-55-0x0000000002370000-0x00000000023B0000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2023-08-12 06:54
Reported
2023-08-12 06:56
Platform
win10v2004-20230703-en
Max time kernel
124s
Max time network
148s
Command Line
Signatures
FatalRat
Fatal Rat payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\4c736ac4776ecc45e3f33f3adffb8e876e523889425c08fd88ec4ba21374734f.exe | N/A |
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\4c736ac4776ecc45e3f33f3adffb8e876e523889425c08fd88ec4ba21374734f.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\4c736ac4776ecc45e3f33f3adffb8e876e523889425c08fd88ec4ba21374734f.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1860 wrote to memory of 1204 | N/A | C:\Users\Admin\AppData\Local\Temp\4c736ac4776ecc45e3f33f3adffb8e876e523889425c08fd88ec4ba21374734f.exe | C:\Users\Admin\AppData\Local\4c736ac4776ecc45e3f33f3adffb8e876e523889425c08fd88ec4ba21374734f.exe |
| PID 1860 wrote to memory of 1204 | N/A | C:\Users\Admin\AppData\Local\Temp\4c736ac4776ecc45e3f33f3adffb8e876e523889425c08fd88ec4ba21374734f.exe | C:\Users\Admin\AppData\Local\4c736ac4776ecc45e3f33f3adffb8e876e523889425c08fd88ec4ba21374734f.exe |
| PID 1860 wrote to memory of 1204 | N/A | C:\Users\Admin\AppData\Local\Temp\4c736ac4776ecc45e3f33f3adffb8e876e523889425c08fd88ec4ba21374734f.exe | C:\Users\Admin\AppData\Local\4c736ac4776ecc45e3f33f3adffb8e876e523889425c08fd88ec4ba21374734f.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\4c736ac4776ecc45e3f33f3adffb8e876e523889425c08fd88ec4ba21374734f.exe
"C:\Users\Admin\AppData\Local\Temp\4c736ac4776ecc45e3f33f3adffb8e876e523889425c08fd88ec4ba21374734f.exe"
C:\Users\Admin\AppData\Local\4c736ac4776ecc45e3f33f3adffb8e876e523889425c08fd88ec4ba21374734f.exe
"C:\Users\Admin\AppData\Local\4c736ac4776ecc45e3f33f3adffb8e876e523889425c08fd88ec4ba21374734f.exe"
Network
| Country | Destination | Domain | Proto |
| HK | 39.109.115.130:16553 | | tcp |
| US | 8.8.8.8:53 | 130.115.109.39.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 146.78.124.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 254.135.241.8.in-addr.arpa | udp |
| HK | 39.109.115.130:16553 | | tcp |
| HK | 39.109.115.130:5858 | | tcp |
| US | 8.8.8.8:53 | 108.211.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 59.128.231.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 208.194.73.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 203.151.224.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 226.162.46.104.in-addr.arpa | udp |
Files
memory/1860-136-0x0000000000B90000-0x0000000000C90000-memory.dmp
memory/1860-137-0x0000000000510000-0x0000000000511000-memory.dmp
memory/1860-138-0x00000000009A0000-0x00000000009D8000-memory.dmp
memory/1860-139-0x0000000010000000-0x0000000010031000-memory.dmp
memory/1860-142-0x00000000009F0000-0x0000000000A1A000-memory.dmp
C:\Users\Admin\AppData\Local\4c736ac4776ecc45e3f33f3adffb8e876e523889425c08fd88ec4ba21374734f.exe
| MD5 | eaccfe1c67a0935d24b6f270a669d1a4 |
| SHA1 | cac944d39c6fb98a088726ced806f1259e36e95d |
| SHA256 | 4c736ac4776ecc45e3f33f3adffb8e876e523889425c08fd88ec4ba21374734f |
| SHA512 | 5ba4ba0713285b4c1051ca5df5496c73c2c58d0f74617203808b98bf5f23db77b762dc3b8056c12b1c0e571f8c78a184e74605faf1414743a7ece194f1af1972 |
memory/1204-157-0x0000000000C00000-0x0000000000D00000-memory.dmp
memory/1204-159-0x00000000009A0000-0x00000000009D8000-memory.dmp
memory/1204-161-0x0000000000A00000-0x0000000000A2A000-memory.dmp
memory/1204-166-0x0000000000C00000-0x0000000000D00000-memory.dmp
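Analyst note (added here; not part of the sandbox output). Two things in behavioral2 are worth turning into detection logic: the sample in %TEMP% writes a byte-identical copy of itself (same MD5/SHA1/SHA256/SHA512 as the submitted file) to %LOCALAPPDATA% and executes it (PID 1860 -> PID 1204), and the copy then opens TCP connections to 39.109.115.130 on ports 16553 and 5858. The in-addr.arpa queries to 8.8.8.8 are reverse lookups of addresses the Windows 10 image contacted and are not by themselves evidence of C2; the direct TCP connections are the indicators to act on. Note also that behavioral1 (Win7) only produced a crash and a WerFault child, so the FatalRat verdict rests on the Win10 run alone. The script below is example code written for this note, not the sandbox vendor's rules: it checks an exact-IOC rule plus a more general rule (binary in a user-writable path talking TCP to an external host on a port other than 80/443) over a small set of constructed Sysmon-style events whose field names are this example's own. The 203.0.113.10 connection and the explorer/WerFault/chrome hashes are invented controls.

```python
"""Detection logic for the behaviours in behavioral2, run over CONSTRUCTED events.
Added example; field names (image, parent_image, sha256, ...) are not the sandbox's schema."""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Indicators taken from the report.
SAMPLE_SHA256 = "4c736ac4776ecc45e3f33f3adffb8e876e523889425c08fd88ec4ba21374734f"
C2_HOST = "39.109.115.130"
C2_PORTS = {16553, 5858}

# Locations an unprivileged user can write to.
USER_WRITABLE = ("\\appdata\\local\\", "\\appdata\\roaming\\", "\\users\\public\\", "\\temp\\")

# RFC 1918, loopback, link-local, multicast: treated as internal.  Listed explicitly
# instead of using ipaddress.is_global so RFC 5737 documentation addresses used in the
# constructed events below count as external.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16", "224.0.0.0/4")]


@dataclass(frozen=True)
class ProcessCreate:
    pid: int
    image: str
    sha256: str
    parent_pid: int
    parent_image: str
    parent_sha256: str


@dataclass(frozen=True)
class NetworkConnect:
    pid: int
    image: str
    dst_ip: str
    dst_port: int
    proto: str


@dataclass(frozen=True)
class Alert:
    rule: str
    pid: int
    detail: str


def in_user_writable(path: str) -> bool:
    p = path.lower()
    return any(marker in p for marker in USER_WRITABLE)


def is_external(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def check_self_copy_execution(ev: ProcessCreate) -> Optional[Alert]:
    """Child is byte-identical to its parent (same SHA256) but a different file, and both
    live in user-writable paths: the Temp -> AppData\\Local relaunch seen in behavioral2."""
    if (ev.sha256 == ev.parent_sha256 and ev.image.lower() != ev.parent_image.lower()
            and in_user_writable(ev.image) and in_user_writable(ev.parent_image)):
        return Alert("self_copy_execution", ev.pid, f"{ev.parent_image} -> {ev.image}")
    return None


def check_outbound(ev: NetworkConnect) -> Optional[Alert]:
    """Exact IOC match first; otherwise the generic rule: TCP from a binary in a
    user-writable path to an external host on a port other than 80/443."""
    if ev.dst_ip == C2_HOST and ev.dst_port in C2_PORTS:
        return Alert("known_c2", ev.pid, f"{ev.dst_ip}:{ev.dst_port}/{ev.proto}")
    if (ev.proto == "tcp" and ev.dst_port not in (80, 443)
            and is_external(ev.dst_ip) and in_user_writable(ev.image)):
        return Alert("suspicious_outbound", ev.pid, f"{ev.image} -> {ev.dst_ip}:{ev.dst_port}")
    return None


def run_detections(events) -> List[Alert]:
    alerts = []
    for ev in events:
        hit = check_self_copy_execution(ev) if isinstance(ev, ProcessCreate) else check_outbound(ev)
        if hit is not None:
            alerts.append(hit)
    return alerts


TEMP_EXE = f"C:\\Users\\Admin\\AppData\\Local\\Temp\\{SAMPLE_SHA256}.exe"
LOCAL_EXE = f"C:\\Users\\Admin\\AppData\\Local\\{SAMPLE_SHA256}.exe"
WERFAULT = "C:\\Windows\\SysWOW64\\WerFault.exe"
PLACEHOLDER_A, PLACEHOLDER_B = "0" * 64, "1" * 64  # invented hashes for the control processes

# CONSTRUCTED events mirroring the report's PIDs and paths, plus controls that must not fire.
SAMPLE_EVENTS = [
    ProcessCreate(1860, TEMP_EXE, SAMPLE_SHA256, 4, "C:\\Windows\\explorer.exe", PLACEHOLDER_A),
    ProcessCreate(1204, LOCAL_EXE, SAMPLE_SHA256, 1860, TEMP_EXE, SAMPLE_SHA256),
    NetworkConnect(1204, LOCAL_EXE, C2_HOST, 16553, "tcp"),
    NetworkConnect(1204, LOCAL_EXE, "8.8.8.8", 53, "udp"),          # DNS, not flagged
    NetworkConnect(1204, LOCAL_EXE, C2_HOST, 5858, "tcp"),
    NetworkConnect(1204, LOCAL_EXE, "203.0.113.10", 4444, "tcp"),   # non-IOC host, generic rule
    NetworkConnect(4100, "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe", "203.0.113.20", 443, "tcp"),
    # behavioral1 on Win7: the crash handler is a different binary, so the self-copy rule stays quiet
    ProcessCreate(2264, WERFAULT, PLACEHOLDER_B, 2532, TEMP_EXE, SAMPLE_SHA256),
]

if __name__ == "__main__":
    for a in run_detections(SAMPLE_EVENTS):
        print(f"{a.rule:22} pid={a.pid:<5} {a.detail}")
```

The generic outbound rule will also fire on legitimate updaters and installers that run from AppData, so in production it belongs in a triage tier below the exact-IOC rule rather than as a blocking alert; the self-copy rule needs an event source that records file hashes for both parent and child (Sysmon with hashing enabled does).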