Analysis Overview
SHA256
e60d27d46f70d118d131ea9216fe27d45e549d91b4de126eee00ef83c852f4a2
Threat Level: Known bad
The file e60d27d46f70d118d131ea9216fe27d45e549d91b4de126eee00ef83c852f4a2 was found to be: Known bad.
Malicious Activity Summary
FatalRat
Fatal Rat payload
Executes dropped EXE
Loads dropped DLL
Adds Run key to start application
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2023-08-27 14:17
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2023-08-27 14:17
Reported
2023-08-27 14:20
Platform
win7-20230712-en
Max time kernel
141s
Max time network
150s
Command Line
Signatures
FatalRat
Fatal Rat payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\e60d27d46f70d118d131ea9216fe27d45e549d91b4de126eee00ef83c852f4a2.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\e60d27d46f70d118d131ea9216fe27d45e549d91b4de126eee00ef83c852f4a2.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000\Software\Microsoft\Windows\CurrentVersion\Run\SVP7 = "C:\\Users\\Admin\\AppData\\Local\\e60d27d46f70d118d131ea9216fe27d45e549d91b4de126eee00ef83c852f4a2.exe" | C:\Users\Admin\AppData\Local\Temp\e60d27d46f70d118d131ea9216fe27d45e549d91b4de126eee00ef83c852f4a2.exe | N/A |
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\e60d27d46f70d118d131ea9216fe27d45e549d91b4de126eee00ef83c852f4a2.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\e60d27d46f70d118d131ea9216fe27d45e549d91b4de126eee00ef83c852f4a2.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\e60d27d46f70d118d131ea9216fe27d45e549d91b4de126eee00ef83c852f4a2.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\e60d27d46f70d118d131ea9216fe27d45e549d91b4de126eee00ef83c852f4a2.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\e60d27d46f70d118d131ea9216fe27d45e549d91b4de126eee00ef83c852f4a2.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\e60d27d46f70d118d131ea9216fe27d45e549d91b4de126eee00ef83c852f4a2.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\e60d27d46f70d118d131ea9216fe27d45e549d91b4de126eee00ef83c852f4a2.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\e60d27d46f70d118d131ea9216fe27d45e549d91b4de126eee00ef83c852f4a2.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\e60d27d46f70d118d131ea9216fe27d45e549d91b4de126eee00ef83c852f4a2.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\e60d27d46f70d118d131ea9216fe27d45e549d91b4de126eee00ef83c852f4a2.exe
"C:\Users\Admin\AppData\Local\Temp\e60d27d46f70d118d131ea9216fe27d45e549d91b4de126eee00ef83c852f4a2.exe"
C:\Users\Admin\AppData\Local\e60d27d46f70d118d131ea9216fe27d45e549d91b4de126eee00ef83c852f4a2.exe
"C:\Users\Admin\AppData\Local\e60d27d46f70d118d131ea9216fe27d45e549d91b4de126eee00ef83c852f4a2.exe"
C:\Windows\SysWOW64\notepad.exe
notepad.exe
Network
| Country | Destination | Domain | Proto |
| US | 38.181.24.204:80 | 38.181.24.204 | tcp |
| US | 38.181.24.204:8081 | | tcp |
| US | 38.181.24.204:8081 | | tcp |
| US | 38.181.24.204:8081 | | tcp |
| US | 38.181.24.204:8081 | | tcp |
| US | 38.181.24.204:8081 | | tcp |
Files
memory/2512-4-0x0000000010000000-0x0000000010031000-memory.dmp
memory/2512-5-0x00000000003B0000-0x00000000003E2000-memory.dmp
memory/2512-9-0x0000000000CA0000-0x0000000000CCA000-memory.dmp
\Users\Admin\AppData\Local\e60d27d46f70d118d131ea9216fe27d45e549d91b4de126eee00ef83c852f4a2.exe
| MD5 | 67c9e0be21e76cda00064f80ee0013cf |
| SHA1 | 11deeb006e6011a9cd85930e6a7995e1aa872ce8 |
| SHA256 | e60d27d46f70d118d131ea9216fe27d45e549d91b4de126eee00ef83c852f4a2 |
| SHA512 | ac63d4af26aceb003450670de47ad48c591919357a92554df08ae89d5b6e67a01dc937ccd2b97dd80c4825714255a557ea791b08e9ea7f35d8539535d42c903c |
C:\Users\Admin\AppData\Local\e60d27d46f70d118d131ea9216fe27d45e549d91b4de126eee00ef83c852f4a2.exe
| MD5 | 67c9e0be21e76cda00064f80ee0013cf |
| SHA1 | 11deeb006e6011a9cd85930e6a7995e1aa872ce8 |
| SHA256 | e60d27d46f70d118d131ea9216fe27d45e549d91b4de126eee00ef83c852f4a2 |
| SHA512 | ac63d4af26aceb003450670de47ad48c591919357a92554df08ae89d5b6e67a01dc937ccd2b97dd80c4825714255a557ea791b08e9ea7f35d8539535d42c903c |
C:\Users\Admin\AppData\Local\e60d27d46f70d118d131ea9216fe27d45e549d91b4de126eee00ef83c852f4a2.exe
| MD5 | 67c9e0be21e76cda00064f80ee0013cf |
| SHA1 | 11deeb006e6011a9cd85930e6a7995e1aa872ce8 |
| SHA256 | e60d27d46f70d118d131ea9216fe27d45e549d91b4de126eee00ef83c852f4a2 |
| SHA512 | ac63d4af26aceb003450670de47ad48c591919357a92554df08ae89d5b6e67a01dc937ccd2b97dd80c4825714255a557ea791b08e9ea7f35d8539535d42c903c |
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\WEWWZC8O\ceshijiqimao[1].bin
| MD5 | 6fd1cdf4c712ee59bf684ae7e18c5142 |
| SHA1 | b04b90abfb4f5c87000244b66842d1dfcfc5b63d |
| SHA256 | 50a7d092025b2e62728e33655d13ad28ff10b0863be7f9aef419efff660083dc |
| SHA512 | 2a8eaf3a5e25255e747b2600bbc6afd1d42a88260a446c3dd197cbe62eec1117a512e6d3f24fb8649c02bfdd44c1b05c2ecc36177309a13f9aec1391d12fecd5 |
C:\Users\Admin\AppData\Local\e60d27d46f70d118d131ea9216fe27d45e549d91b4de126eee00ef83c852f4a2.exe
| MD5 | 67c9e0be21e76cda00064f80ee0013cf |
| SHA1 | 11deeb006e6011a9cd85930e6a7995e1aa872ce8 |
| SHA256 | e60d27d46f70d118d131ea9216fe27d45e549d91b4de126eee00ef83c852f4a2 |
| SHA512 | ac63d4af26aceb003450670de47ad48c591919357a92554df08ae89d5b6e67a01dc937ccd2b97dd80c4825714255a557ea791b08e9ea7f35d8539535d42c903c |
C:\ProgramData\ca221.png
| MD5 | 6fd1cdf4c712ee59bf684ae7e18c5142 |
| SHA1 | b04b90abfb4f5c87000244b66842d1dfcfc5b63d |
| SHA256 | 50a7d092025b2e62728e33655d13ad28ff10b0863be7f9aef419efff660083dc |
| SHA512 | 2a8eaf3a5e25255e747b2600bbc6afd1d42a88260a446c3dd197cbe62eec1117a512e6d3f24fb8649c02bfdd44c1b05c2ecc36177309a13f9aec1391d12fecd5 |
C:\ProgramData\ca221.png
| MD5 | 6fd1cdf4c712ee59bf684ae7e18c5142 |
| SHA1 | b04b90abfb4f5c87000244b66842d1dfcfc5b63d |
| SHA256 | 50a7d092025b2e62728e33655d13ad28ff10b0863be7f9aef419efff660083dc |
| SHA512 | 2a8eaf3a5e25255e747b2600bbc6afd1d42a88260a446c3dd197cbe62eec1117a512e6d3f24fb8649c02bfdd44c1b05c2ecc36177309a13f9aec1391d12fecd5 |
memory/1476-29-0x0000000000580000-0x00000000005AA000-memory.dmp
memory/2724-35-0x0000000000120000-0x0000000000121000-memory.dmp
memory/2724-37-0x0000000000130000-0x0000000000131000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2023-08-27 14:17
Reported
2023-08-27 14:19
Platform
win10v2004-20230703-en
Max time kernel
142s
Max time network
154s
Command Line
Signatures
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\e60d27d46f70d118d131ea9216fe27d45e549d91b4de126eee00ef83c852f4a2.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\e60d27d46f70d118d131ea9216fe27d45e549d91b4de126eee00ef83c852f4a2.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\e60d27d46f70d118d131ea9216fe27d45e549d91b4de126eee00ef83c852f4a2.exe
"C:\Users\Admin\AppData\Local\Temp\e60d27d46f70d118d131ea9216fe27d45e549d91b4de126eee00ef83c852f4a2.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 158.240.127.40.in-addr.arpa | udp |
| US | 38.181.24.204:80 | 38.181.24.204 | tcp |
| US | 38.181.24.204:80 | 38.181.24.204 | tcp |
| US | 8.8.8.8:53 | 204.24.181.38.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 146.78.124.51.in-addr.arpa | udp |
| HK | 154.91.227.35:8848 | | tcp |
| US | 8.8.8.8:53 | 35.227.91.154.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.193.132.51.in-addr.arpa | udp |
Files
memory/660-4-0x00000000037D0000-0x00000000037EA000-memory.dmp
memory/660-5-0x0000000073A10000-0x00000000741C0000-memory.dmp
memory/660-6-0x0000000005D10000-0x0000000005D20000-memory.dmp
memory/660-7-0x00000000062D0000-0x0000000006874000-memory.dmp
memory/660-8-0x0000000073A10000-0x00000000741C0000-memory.dmp
memory/660-9-0x0000000005D10000-0x0000000005D20000-memory.dmp
memory/660-10-0x0000000005D10000-0x0000000005D20000-memory.dmp
memory/660-11-0x0000000077D11000-0x0000000077D12000-memory.dmp
memory/660-14-0x00000000069C0000-0x0000000006A5C000-memory.dmp
memory/660-15-0x0000000006A60000-0x0000000006AC6000-memory.dmp
memory/660-16-0x0000000005D10000-0x0000000005D20000-memory.dmp