Analysis Overview
SHA256
ff2e122119a6d1a83e00b3a549e98d1de5eaf9e120f314fe112ec81f838d0dd7
Threat Level: Known bad
The file ff2e122119a6d1a83e00b3a549e98d1de5eaf9e120f314fe112ec81f838d0dd7 was found to be: Known bad.
Malicious Activity Summary
FatalRat
Fatal Rat payload
Loads dropped DLL
Executes dropped EXE
Adds Run key to start application
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2023-08-29 23:22
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2023-08-29 23:22
Reported
2023-08-29 23:24
Platform
win7-20230712-en
Max time kernel
150s
Max time network
155s
Command Line
Signatures
FatalRat
Fatal Rat payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\ff2e122119a6d1a83e00b3a549e98d1de5eaf9e120f314fe112ec81f838d0dd7.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ff2e122119a6d1a83e00b3a549e98d1de5eaf9e120f314fe112ec81f838d0dd7.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-377084978-2088738870-2818360375-1000\Software\Microsoft\Windows\CurrentVersion\Run\SVP7 = "C:\\Users\\Admin\\AppData\\Local\\ff2e122119a6d1a83e00b3a549e98d1de5eaf9e120f314fe112ec81f838d0dd7.exe" | C:\Users\Admin\AppData\Local\Temp\ff2e122119a6d1a83e00b3a549e98d1de5eaf9e120f314fe112ec81f838d0dd7.exe | N/A |
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\ff2e122119a6d1a83e00b3a549e98d1de5eaf9e120f314fe112ec81f838d0dd7.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\ff2e122119a6d1a83e00b3a549e98d1de5eaf9e120f314fe112ec81f838d0dd7.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\ff2e122119a6d1a83e00b3a549e98d1de5eaf9e120f314fe112ec81f838d0dd7.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\ff2e122119a6d1a83e00b3a549e98d1de5eaf9e120f314fe112ec81f838d0dd7.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\ff2e122119a6d1a83e00b3a549e98d1de5eaf9e120f314fe112ec81f838d0dd7.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\ff2e122119a6d1a83e00b3a549e98d1de5eaf9e120f314fe112ec81f838d0dd7.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\ff2e122119a6d1a83e00b3a549e98d1de5eaf9e120f314fe112ec81f838d0dd7.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ff2e122119a6d1a83e00b3a549e98d1de5eaf9e120f314fe112ec81f838d0dd7.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\ff2e122119a6d1a83e00b3a549e98d1de5eaf9e120f314fe112ec81f838d0dd7.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\ff2e122119a6d1a83e00b3a549e98d1de5eaf9e120f314fe112ec81f838d0dd7.exe
"C:\Users\Admin\AppData\Local\Temp\ff2e122119a6d1a83e00b3a549e98d1de5eaf9e120f314fe112ec81f838d0dd7.exe"
C:\Users\Admin\AppData\Local\ff2e122119a6d1a83e00b3a549e98d1de5eaf9e120f314fe112ec81f838d0dd7.exe
"C:\Users\Admin\AppData\Local\ff2e122119a6d1a83e00b3a549e98d1de5eaf9e120f314fe112ec81f838d0dd7.exe"
C:\Windows\SysWOW64\notepad.exe
notepad.exe
Network
| Country | Destination | Domain | Proto |
| US | 38.181.24.204:80 | 38.181.24.204 | tcp |
| US | 38.181.24.204:8081 | N/A | tcp |
| US | 38.181.24.204:8081 | N/A | tcp |
| US | 38.181.24.204:8081 | N/A | tcp |
| US | 38.181.24.204:8081 | N/A | tcp |
| US | 38.181.24.204:8081 | N/A | tcp |
Files
memory/1632-5-0x0000000000FA0000-0x0000000000FD2000-memory.dmp
memory/1632-4-0x0000000010000000-0x0000000010031000-memory.dmp
memory/1632-9-0x0000000000F00000-0x0000000000F2A000-memory.dmp
\Users\Admin\AppData\Local\ff2e122119a6d1a83e00b3a549e98d1de5eaf9e120f314fe112ec81f838d0dd7.exe
| MD5 | d22524d87aa7c70e91c3fcc8710b2a85 |
| SHA1 | 98570ab9917639f71231ae2732000691f643b2bd |
| SHA256 | ff2e122119a6d1a83e00b3a549e98d1de5eaf9e120f314fe112ec81f838d0dd7 |
| SHA512 | 9491f6c92e3e0a5e23e4ad79cfa0c7ee11982fb5bbc0fb1940ff273ae1a32f22560f9ab0eea3df03a7f70dd130a7c7e7d4a01b26e1f2b297bbe3f8f1d63fe336 |
C:\Users\Admin\AppData\Local\ff2e122119a6d1a83e00b3a549e98d1de5eaf9e120f314fe112ec81f838d0dd7.exe
| MD5 | d22524d87aa7c70e91c3fcc8710b2a85 |
| SHA1 | 98570ab9917639f71231ae2732000691f643b2bd |
| SHA256 | ff2e122119a6d1a83e00b3a549e98d1de5eaf9e120f314fe112ec81f838d0dd7 |
| SHA512 | 9491f6c92e3e0a5e23e4ad79cfa0c7ee11982fb5bbc0fb1940ff273ae1a32f22560f9ab0eea3df03a7f70dd130a7c7e7d4a01b26e1f2b297bbe3f8f1d63fe336 |
C:\ProgramData\ca221.png
| MD5 | 6fd1cdf4c712ee59bf684ae7e18c5142 |
| SHA1 | b04b90abfb4f5c87000244b66842d1dfcfc5b63d |
| SHA256 | 50a7d092025b2e62728e33655d13ad28ff10b0863be7f9aef419efff660083dc |
| SHA512 | 2a8eaf3a5e25255e747b2600bbc6afd1d42a88260a446c3dd197cbe62eec1117a512e6d3f24fb8649c02bfdd44c1b05c2ecc36177309a13f9aec1391d12fecd5 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\B9M1KBX1\ceshijiqimao[1].bin
| MD5 | 6fd1cdf4c712ee59bf684ae7e18c5142 |
| SHA1 | b04b90abfb4f5c87000244b66842d1dfcfc5b63d |
| SHA256 | 50a7d092025b2e62728e33655d13ad28ff10b0863be7f9aef419efff660083dc |
| SHA512 | 2a8eaf3a5e25255e747b2600bbc6afd1d42a88260a446c3dd197cbe62eec1117a512e6d3f24fb8649c02bfdd44c1b05c2ecc36177309a13f9aec1391d12fecd5 |
memory/2892-29-0x0000000000220000-0x000000000024A000-memory.dmp
memory/1740-35-0x0000000000550000-0x0000000000551000-memory.dmp
memory/1740-39-0x0000000000560000-0x0000000000561000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2023-08-29 23:22
Reported
2023-08-29 23:24
Platform
win10v2004-20230703-en
Max time kernel
143s
Max time network
152s
Command Line
Signatures
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\ff2e122119a6d1a83e00b3a549e98d1de5eaf9e120f314fe112ec81f838d0dd7.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ff2e122119a6d1a83e00b3a549e98d1de5eaf9e120f314fe112ec81f838d0dd7.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\ff2e122119a6d1a83e00b3a549e98d1de5eaf9e120f314fe112ec81f838d0dd7.exe
"C:\Users\Admin\AppData\Local\Temp\ff2e122119a6d1a83e00b3a549e98d1de5eaf9e120f314fe112ec81f838d0dd7.exe"
Network
| Country | Destination | Domain | Proto |
| US | 38.181.24.204:80 | 38.181.24.204 | tcp |
| US | 8.8.8.8:53 | 158.240.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 8.3.197.209.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 38.181.24.204:80 | 38.181.24.204 | tcp |
| US | 8.8.8.8:53 | 204.24.181.38.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 146.78.124.51.in-addr.arpa | udp |
| HK | 154.91.227.35:8848 | N/A | tcp |
| US | 8.8.8.8:53 | 35.227.91.154.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 254.211.247.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 224.162.46.104.in-addr.arpa | udp |
Files
memory/2860-4-0x0000000003BD0000-0x0000000003BEA000-memory.dmp
memory/2860-5-0x0000000073560000-0x0000000073D10000-memory.dmp
memory/2860-7-0x0000000006260000-0x0000000006270000-memory.dmp
memory/2860-6-0x0000000006260000-0x0000000006270000-memory.dmp
memory/2860-8-0x0000000006820000-0x0000000006DC4000-memory.dmp
memory/2860-9-0x0000000073560000-0x0000000073D10000-memory.dmp
memory/2860-10-0x0000000077861000-0x0000000077862000-memory.dmp
memory/2860-13-0x0000000006DD0000-0x0000000006E6C000-memory.dmp
memory/2860-14-0x0000000006780000-0x00000000067E6000-memory.dmp
memory/2860-15-0x0000000006260000-0x0000000006270000-memory.dmp