fatalrat | a945f87d013f6b70b25cf80ed405f0636d4d2c968079cfd542bd2eda37aba7d1

Analysis

max time kernel
123s
max time network
141s
platform
windows10-2004_x64
resource
win10v2004-20230831-en
resource tags

arch:x64arch:x86image:win10v2004-20230831-enlocale:en-usos:windows10-2004-x64system
submitted
05-09-2023 18:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JC_a945f87d013f6b70b25cf80ed405f0636d4d2c968079cfd542bd2eda37aba7d1.exe
Size

1.6MB
MD5

1bcddbf266ca5ead13f8fda22f798fd6
SHA1

a416fc0d6616d02d9032c63e2f1dea351fc356d9
SHA256

a945f87d013f6b70b25cf80ed405f0636d4d2c968079cfd542bd2eda37aba7d1
SHA512

4bee8aa62248c7581349e308bd2861145a9c8a937f0c8a5bfb3c5d0a6952b7227a5d9328600e7349eb8c60f07ae75e695c9c5b0f0b1f56b2bd916417d6abe979
SSDEEP

49152:fjPrzD4vARLDQNZw9vnQ1MSltub4RWfl7RVwO+6N:fDrzD4vA1DQ2gfI4e9VVT

Score

10^/10

fatalrat evasion infostealer persistence rat upx

Malware Config

Signatures

FatalRat
FatalRat is a modular infostealer family written in C++ first appearing in June 2021.
infostealer rat fatalrat

Fatal Rat payload 1 IoCs

rat infostealer

resource	yara_rule
behavioral2/memory/4628-48-0x0000000010000000-0x000000001002A000-memory.dmp	fatalrat

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	PTvrst.exe

Downloads MZ/PE file

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-528036852-1341495193-1175965888-1000\Control Panel\International\Geo\Nation	JC_a945f87d013f6b70b25cf80ed405f0636d4d2c968079cfd542bd2eda37aba7d1.exe

Executes dropped EXE 4 IoCs

pid	Process
2764	q1.exe
4192	spolsvt.exe
4628	spolsvt.exe
4316	PTvrst.exe

Identifies Wine through registry keys 2 TTPs 1 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-528036852-1341495193-1175965888-1000\Software\Wine	PTvrst.exe

UPX packed file 9 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/2716-0-0x0000000000400000-0x000000000042D000-memory.dmp	upx
behavioral2/files/0x000800000002321a-7.dat	upx
behavioral2/files/0x000800000002321a-13.dat	upx
behavioral2/memory/2764-14-0x0000000000E50000-0x0000000000FA2000-memory.dmp	upx
behavioral2/files/0x000800000002321a-15.dat	upx
behavioral2/memory/2716-23-0x0000000000400000-0x000000000042D000-memory.dmp	upx
behavioral2/memory/2764-25-0x0000000000E50000-0x0000000000FA2000-memory.dmp	upx
behavioral2/memory/2764-59-0x0000000000E50000-0x0000000000FA2000-memory.dmp	upx
behavioral2/memory/2716-82-0x0000000000400000-0x000000000042D000-memory.dmp	upx

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ÏµÍ³×é¼þ = "C:\\Users\\Public\\Documents\\123\\PTvrst.exe"	spolsvt.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Therecontinuous = "C:\\WINDOWS\\DNomb\\PTvrst.exe"	PTvrst.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
4316	PTvrst.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 2764 set thread context of 4192	2764	q1.exe	88
PID 4192 set thread context of 4628	4192	spolsvt.exe	89

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\s_closereview_18.svg	JC_a945f87d013f6b70b25cf80ed405f0636d4d2c968079cfd542bd2eda37aba7d1.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\s_sortedby_selected_18.svg	JC_a945f87d013f6b70b25cf80ed405f0636d4d2c968079cfd542bd2eda37aba7d1.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\nl-nl	JC_a945f87d013f6b70b25cf80ed405f0636d4d2c968079cfd542bd2eda37aba7d1.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\hu-hu\ui-strings.js	JC_a945f87d013f6b70b25cf80ed405f0636d4d2c968079cfd542bd2eda37aba7d1.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\ui-strings.js	JC_a945f87d013f6b70b25cf80ed405f0636d4d2c968079cfd542bd2eda37aba7d1.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\images\themes\dark\bg_pattern_RHP.png	JC_a945f87d013f6b70b25cf80ed405f0636d4d2c968079cfd542bd2eda37aba7d1.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\nls\hr-hr\ui-strings.js	JC_a945f87d013f6b70b25cf80ed405f0636d4d2c968079cfd542bd2eda37aba7d1.exe
File created	C:\Program Files (x86)\q1.exe	JC_a945f87d013f6b70b25cf80ed405f0636d4d2c968079cfd542bd2eda37aba7d1.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\nls\eu-es	JC_a945f87d013f6b70b25cf80ed405f0636d4d2c968079cfd542bd2eda37aba7d1.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\nls\cs-cz	JC_a945f87d013f6b70b25cf80ed405f0636d4d2c968079cfd542bd2eda37aba7d1.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\eu-es	JC_a945f87d013f6b70b25cf80ed405f0636d4d2c968079cfd542bd2eda37aba7d1.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\ko-kr\ui-strings.js	JC_a945f87d013f6b70b25cf80ed405f0636d4d2c968079cfd542bd2eda37aba7d1.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\eu-es\ui-strings.js	JC_a945f87d013f6b70b25cf80ed405f0636d4d2c968079cfd542bd2eda37aba7d1.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\s_duplicate_18.svg	JC_a945f87d013f6b70b25cf80ed405f0636d4d2c968079cfd542bd2eda37aba7d1.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\js\selector.js	JC_a945f87d013f6b70b25cf80ed405f0636d4d2c968079cfd542bd2eda37aba7d1.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\de-de	JC_a945f87d013f6b70b25cf80ed405f0636d4d2c968079cfd542bd2eda37aba7d1.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\img\tools\themes\dark\x_2x.png	JC_a945f87d013f6b70b25cf80ed405f0636d4d2c968079cfd542bd2eda37aba7d1.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\js\nls\ro-ro\ui-strings.js	JC_a945f87d013f6b70b25cf80ed405f0636d4d2c968079cfd542bd2eda37aba7d1.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\nls\ar-ae\ui-strings.js	JC_a945f87d013f6b70b25cf80ed405f0636d4d2c968079cfd542bd2eda37aba7d1.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\s_filterselected-default_32.svg	JC_a945f87d013f6b70b25cf80ed405f0636d4d2c968079cfd542bd2eda37aba7d1.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\images\themes\dark\bg_pattern_RHP.png	JC_a945f87d013f6b70b25cf80ed405f0636d4d2c968079cfd542bd2eda37aba7d1.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\s_filterselected-dark-disabled_32.svg	JC_a945f87d013f6b70b25cf80ed405f0636d4d2c968079cfd542bd2eda37aba7d1.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\sk-sk\ui-strings.js	JC_a945f87d013f6b70b25cf80ed405f0636d4d2c968079cfd542bd2eda37aba7d1.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\css	JC_a945f87d013f6b70b25cf80ed405f0636d4d2c968079cfd542bd2eda37aba7d1.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\nls\en-gb\ui-strings.js	JC_a945f87d013f6b70b25cf80ed405f0636d4d2c968079cfd542bd2eda37aba7d1.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\plugins	JC_a945f87d013f6b70b25cf80ed405f0636d4d2c968079cfd542bd2eda37aba7d1.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\js\nls\hu-hu\ui-strings.js	JC_a945f87d013f6b70b25cf80ed405f0636d4d2c968079cfd542bd2eda37aba7d1.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\js\nls\ui-strings.js	JC_a945f87d013f6b70b25cf80ed405f0636d4d2c968079cfd542bd2eda37aba7d1.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\images\cstm_brand_preview.png	JC_a945f87d013f6b70b25cf80ed405f0636d4d2c968079cfd542bd2eda37aba7d1.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\nb-no	JC_a945f87d013f6b70b25cf80ed405f0636d4d2c968079cfd542bd2eda37aba7d1.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\generic-rhp-app\js\nls\nl-nl	JC_a945f87d013f6b70b25cf80ed405f0636d4d2c968079cfd542bd2eda37aba7d1.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\css\main-selector.css	JC_a945f87d013f6b70b25cf80ed405f0636d4d2c968079cfd542bd2eda37aba7d1.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\js\nls\cs-cz	JC_a945f87d013f6b70b25cf80ed405f0636d4d2c968079cfd542bd2eda37aba7d1.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\win8-scrollbar\themes\dark\arrow-left-pressed.gif	JC_a945f87d013f6b70b25cf80ed405f0636d4d2c968079cfd542bd2eda37aba7d1.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\ui-strings.js	JC_a945f87d013f6b70b25cf80ed405f0636d4d2c968079cfd542bd2eda37aba7d1.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\nls\ro-ro	JC_a945f87d013f6b70b25cf80ed405f0636d4d2c968079cfd542bd2eda37aba7d1.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\images\themes\dark\cloud_secured_lg.png	JC_a945f87d013f6b70b25cf80ed405f0636d4d2c968079cfd542bd2eda37aba7d1.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\js\nls\fi-fi\ui-strings.js	JC_a945f87d013f6b70b25cf80ed405f0636d4d2c968079cfd542bd2eda37aba7d1.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\rna-main.js	JC_a945f87d013f6b70b25cf80ed405f0636d4d2c968079cfd542bd2eda37aba7d1.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\ru-ru\ui-strings.js	JC_a945f87d013f6b70b25cf80ed405f0636d4d2c968079cfd542bd2eda37aba7d1.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\themeless\organize_poster.jpg	JC_a945f87d013f6b70b25cf80ed405f0636d4d2c968079cfd542bd2eda37aba7d1.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\s_invite_18.svg	JC_a945f87d013f6b70b25cf80ed405f0636d4d2c968079cfd542bd2eda37aba7d1.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\ar-ae	JC_a945f87d013f6b70b25cf80ed405f0636d4d2c968079cfd542bd2eda37aba7d1.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\js\nls	JC_a945f87d013f6b70b25cf80ed405f0636d4d2c968079cfd542bd2eda37aba7d1.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\assets	JC_a945f87d013f6b70b25cf80ed405f0636d4d2c968079cfd542bd2eda37aba7d1.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\s_filetype_xd.svg	JC_a945f87d013f6b70b25cf80ed405f0636d4d2c968079cfd542bd2eda37aba7d1.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\en-ae\ui-strings.js	JC_a945f87d013f6b70b25cf80ed405f0636d4d2c968079cfd542bd2eda37aba7d1.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\ru-ru\ui-strings.js	JC_a945f87d013f6b70b25cf80ed405f0636d4d2c968079cfd542bd2eda37aba7d1.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\nls\zh-tw\ui-strings.js	JC_a945f87d013f6b70b25cf80ed405f0636d4d2c968079cfd542bd2eda37aba7d1.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\js\nls\ja-jp	JC_a945f87d013f6b70b25cf80ed405f0636d4d2c968079cfd542bd2eda37aba7d1.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\js\nls\nb-no	JC_a945f87d013f6b70b25cf80ed405f0636d4d2c968079cfd542bd2eda37aba7d1.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\walk-through\css	JC_a945f87d013f6b70b25cf80ed405f0636d4d2c968079cfd542bd2eda37aba7d1.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\en-gb	JC_a945f87d013f6b70b25cf80ed405f0636d4d2c968079cfd542bd2eda37aba7d1.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\en-il	JC_a945f87d013f6b70b25cf80ed405f0636d4d2c968079cfd542bd2eda37aba7d1.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\it-it	JC_a945f87d013f6b70b25cf80ed405f0636d4d2c968079cfd542bd2eda37aba7d1.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\win8-scrollbar\arrow-down.gif	JC_a945f87d013f6b70b25cf80ed405f0636d4d2c968079cfd542bd2eda37aba7d1.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\back-arrow-disabled.svg	JC_a945f87d013f6b70b25cf80ed405f0636d4d2c968079cfd542bd2eda37aba7d1.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\js\nls\sl-si\ui-strings.js	JC_a945f87d013f6b70b25cf80ed405f0636d4d2c968079cfd542bd2eda37aba7d1.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\images\share_icons2x.png	JC_a945f87d013f6b70b25cf80ed405f0636d4d2c968079cfd542bd2eda37aba7d1.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\back-arrow-disabled.svg	JC_a945f87d013f6b70b25cf80ed405f0636d4d2c968079cfd542bd2eda37aba7d1.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\css	JC_a945f87d013f6b70b25cf80ed405f0636d4d2c968079cfd542bd2eda37aba7d1.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\multi-tab-file-view-2x.png	JC_a945f87d013f6b70b25cf80ed405f0636d4d2c968079cfd542bd2eda37aba7d1.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\viewer\nls\nl-nl\ui-strings.js	JC_a945f87d013f6b70b25cf80ed405f0636d4d2c968079cfd542bd2eda37aba7d1.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\move.svg	JC_a945f87d013f6b70b25cf80ed405f0636d4d2c968079cfd542bd2eda37aba7d1.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\DNomb\spolsvt.exe	q1.exe
File created	C:\Windows\DNomb\yh.png	q1.exe
File created	C:\Windows\DNomb\PTvrst.exe	q1.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	spolsvt.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	spolsvt.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-528036852-1341495193-1175965888-1000_Classes\Local Settings	q1.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2764	q1.exe
2764	q1.exe
2764	q1.exe
2764	q1.exe
2764	q1.exe
2764	q1.exe
2764	q1.exe
2764	q1.exe
4628	spolsvt.exe
4628	spolsvt.exe
4628	spolsvt.exe
4628	spolsvt.exe
4628	spolsvt.exe
4628	spolsvt.exe
4628	spolsvt.exe
4628	spolsvt.exe
4628	spolsvt.exe
4628	spolsvt.exe
4628	spolsvt.exe
4628	spolsvt.exe
4628	spolsvt.exe
4628	spolsvt.exe
4628	spolsvt.exe
4628	spolsvt.exe
4628	spolsvt.exe
4628	spolsvt.exe
4628	spolsvt.exe
4628	spolsvt.exe
4628	spolsvt.exe
4628	spolsvt.exe
4628	spolsvt.exe
4628	spolsvt.exe
4628	spolsvt.exe
4628	spolsvt.exe
4628	spolsvt.exe
4628	spolsvt.exe
4628	spolsvt.exe
4628	spolsvt.exe
4628	spolsvt.exe
4628	spolsvt.exe
4628	spolsvt.exe
4628	spolsvt.exe
4628	spolsvt.exe
4628	spolsvt.exe
4628	spolsvt.exe
4628	spolsvt.exe
4628	spolsvt.exe
4628	spolsvt.exe
4628	spolsvt.exe
4628	spolsvt.exe
4628	spolsvt.exe
4628	spolsvt.exe
4628	spolsvt.exe
4628	spolsvt.exe
4628	spolsvt.exe
4628	spolsvt.exe
4628	spolsvt.exe
4628	spolsvt.exe
4628	spolsvt.exe
4628	spolsvt.exe
4628	spolsvt.exe
4628	spolsvt.exe
4628	spolsvt.exe
4628	spolsvt.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4628	spolsvt.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
2764	q1.exe
2764	q1.exe
4192	spolsvt.exe
4192	spolsvt.exe
4316	PTvrst.exe
4316	PTvrst.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 2716 wrote to memory of 2764	2716	JC_a945f87d013f6b70b25cf80ed405f0636d4d2c968079cfd542bd2eda37aba7d1.exe	85
PID 2716 wrote to memory of 2764	2716	JC_a945f87d013f6b70b25cf80ed405f0636d4d2c968079cfd542bd2eda37aba7d1.exe	85
PID 2716 wrote to memory of 2764	2716	JC_a945f87d013f6b70b25cf80ed405f0636d4d2c968079cfd542bd2eda37aba7d1.exe	85
PID 2764 wrote to memory of 4192	2764	q1.exe	88
PID 2764 wrote to memory of 4192	2764	q1.exe	88
PID 2764 wrote to memory of 4192	2764	q1.exe	88
PID 2764 wrote to memory of 4192	2764	q1.exe	88
PID 2764 wrote to memory of 4192	2764	q1.exe	88
PID 2764 wrote to memory of 4192	2764	q1.exe	88
PID 2764 wrote to memory of 4192	2764	q1.exe	88
PID 2764 wrote to memory of 4192	2764	q1.exe	88
PID 2764 wrote to memory of 4192	2764	q1.exe	88
PID 4192 wrote to memory of 4628	4192	spolsvt.exe	89
PID 4192 wrote to memory of 4628	4192	spolsvt.exe	89
PID 4192 wrote to memory of 4628	4192	spolsvt.exe	89
PID 4192 wrote to memory of 4628	4192	spolsvt.exe	89
PID 4192 wrote to memory of 4628	4192	spolsvt.exe	89
PID 4192 wrote to memory of 4628	4192	spolsvt.exe	89
PID 4192 wrote to memory of 4628	4192	spolsvt.exe	89
PID 4192 wrote to memory of 4628	4192	spolsvt.exe	89

C:\Users\Admin\AppData\Local\Temp\JC_a945f87d013f6b70b25cf80ed405f0636d4d2c968079cfd542bd2eda37aba7d1.exe
"C:\Users\Admin\AppData\Local\Temp\JC_a945f87d013f6b70b25cf80ed405f0636d4d2c968079cfd542bd2eda37aba7d1.exe"
1⤵
- Checks computer location settings
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:2716
- C:\Program Files (x86)\q1.exe
  "C:\Program Files (x86)\q1.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Drops file in Windows directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2764
- - C:\Windows\DNomb\spolsvt.exe
    C:\Windows\DNomb\spolsvt.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of SetThreadContext
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:4192
  - - C:\Users\Public\Documents\t\spolsvt.exe
      C:\Users\Public\Documents\t\spolsvt.exe
      4⤵
      Executes dropped EXE
      Checks processor information in registry
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4628

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2188

C:\Users\Public\Documents\123\PTvrst.exe
"C:\Users\Public\Documents\123\PTvrst.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Executes dropped EXE
- Identifies Wine through registry keys
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetWindowsHookEx
PID:4316

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\q1.exe

Filesize
395KB

MD5
32865e3033c398c38c8e1d29482ca61e

SHA1
6b6b220cda653101a0adcc1f027016f2262292a6

SHA256
b58c30c03b5f0634918ca3e582e5835df073f0c93cde562a1651cd6ea4d4227c

SHA512
54795c14d468e31b964156e67156d11a08dd7ad2b2673969bc5044932c00c2dbfb69eb7d08aa72672818e56b7cbd3970ba620ffe8aabafe98e343f2b00e28631

Download Submit
C:\Program Files (x86)\q1.exe

Filesize
395KB

MD5
32865e3033c398c38c8e1d29482ca61e

SHA1
6b6b220cda653101a0adcc1f027016f2262292a6

SHA256
b58c30c03b5f0634918ca3e582e5835df073f0c93cde562a1651cd6ea4d4227c

SHA512
54795c14d468e31b964156e67156d11a08dd7ad2b2673969bc5044932c00c2dbfb69eb7d08aa72672818e56b7cbd3970ba620ffe8aabafe98e343f2b00e28631

Download Submit
C:\Program Files (x86)\q1.exe

Filesize
395KB

MD5
32865e3033c398c38c8e1d29482ca61e

SHA1
6b6b220cda653101a0adcc1f027016f2262292a6

SHA256
b58c30c03b5f0634918ca3e582e5835df073f0c93cde562a1651cd6ea4d4227c

SHA512
54795c14d468e31b964156e67156d11a08dd7ad2b2673969bc5044932c00c2dbfb69eb7d08aa72672818e56b7cbd3970ba620ffe8aabafe98e343f2b00e28631

Download Submit
C:\Users\Public\Documents\123\PTvrst.exe

Filesize
1.2MB

MD5
d22cfb5bfaeb1503b12b07e53ef0a149

SHA1
8ea2c85e363f551a159fabd65377affed4e417a1

SHA256
260464fb05210cfb30ef7a12d568f75eb781634b251d958cae8911948f6ca360

SHA512
151024cb2960b1ee485ded7ccbb753fe368a93fda5699af72e568667fa54bfb0d1732444e7b60efaab6d372204157cdb6abbf8862d0e89d612dd963342215e45

Download Submit
C:\Users\Public\Documents\123\PTvrst.exe

Filesize
1.2MB

MD5
d22cfb5bfaeb1503b12b07e53ef0a149

SHA1
8ea2c85e363f551a159fabd65377affed4e417a1

SHA256
260464fb05210cfb30ef7a12d568f75eb781634b251d958cae8911948f6ca360

SHA512
151024cb2960b1ee485ded7ccbb753fe368a93fda5699af72e568667fa54bfb0d1732444e7b60efaab6d372204157cdb6abbf8862d0e89d612dd963342215e45

Download Submit
C:\Users\Public\Documents\t\spolsvt.exe

Filesize
16KB

MD5
cdce4713e784ae069d73723034a957ff

SHA1
9a393a6bab6568f1a774fb753353223f11367e09

SHA256
b29e48102ecb3d3614e8980a8b8cc63dd2b993c6346f466479244ec2b47b69d8

SHA512
0a3a59a305cc2a6fad4e1315b0bcc5a4129595dfe1e8b703363fa02528d2d7c48d3fd22d365708be84a5557cf1916873df9563c454732f93f94a66e7e3b9fb0f

Download Submit
C:\Users\Public\Documents\t\spolsvt.exe

Filesize
16KB

MD5
cdce4713e784ae069d73723034a957ff

SHA1
9a393a6bab6568f1a774fb753353223f11367e09

SHA256
b29e48102ecb3d3614e8980a8b8cc63dd2b993c6346f466479244ec2b47b69d8

SHA512
0a3a59a305cc2a6fad4e1315b0bcc5a4129595dfe1e8b703363fa02528d2d7c48d3fd22d365708be84a5557cf1916873df9563c454732f93f94a66e7e3b9fb0f

Download Submit
C:\Windows\DNomb\spolsvt.exe

Filesize
9KB

MD5
523d5c39f9d8d2375c3df68251fa2249

SHA1
d4ed365c44bec9246fc1a65a32a7791792647a10

SHA256
20e3dc90a3e83b6202e2a7f4603b60e5e859639cb68693426c400b13aaeabd78

SHA512
526e1bba30d03f1ac177c6ab7409187a730969c429cebef15da68ffcf44b3b93227781eebc827b2f7a0fa17c391e00a0e532263fd0167aeaeb0456f96cfe3ae4

Download Submit
C:\Windows\DNomb\spolsvt.exe

Filesize
9KB

MD5
523d5c39f9d8d2375c3df68251fa2249

SHA1
d4ed365c44bec9246fc1a65a32a7791792647a10

SHA256
20e3dc90a3e83b6202e2a7f4603b60e5e859639cb68693426c400b13aaeabd78

SHA512
526e1bba30d03f1ac177c6ab7409187a730969c429cebef15da68ffcf44b3b93227781eebc827b2f7a0fa17c391e00a0e532263fd0167aeaeb0456f96cfe3ae4

Download Submit
memory/2716-82-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/2716-0-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/2716-23-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/2764-59-0x0000000000E50000-0x0000000000FA2000-memory.dmp

Filesize
1.3MB

Download
memory/2764-25-0x0000000000E50000-0x0000000000FA2000-memory.dmp

Filesize
1.3MB

Download
memory/2764-14-0x0000000000E50000-0x0000000000FA2000-memory.dmp

Filesize
1.3MB

Download
memory/4192-30-0x0000000000400000-0x0000000000516000-memory.dmp

Filesize
1.1MB

Download
memory/4192-29-0x0000000000400000-0x0000000000516000-memory.dmp

Filesize
1.1MB

Download
memory/4192-35-0x0000000000400000-0x0000000000516000-memory.dmp

Filesize
1.1MB

Download
memory/4192-28-0x0000000000400000-0x0000000000516000-memory.dmp

Filesize
1.1MB

Download
memory/4192-36-0x0000000000400000-0x0000000000516000-memory.dmp

Filesize
1.1MB

Download
memory/4192-27-0x0000000000400000-0x0000000000516000-memory.dmp

Filesize
1.1MB

Download
memory/4316-58-0x0000000000400000-0x00000000006A2000-memory.dmp

Filesize
2.6MB

Download
memory/4316-72-0x00000000047A0000-0x00000000047A1000-memory.dmp

Filesize
4KB

Download
memory/4316-85-0x0000000004770000-0x0000000004771000-memory.dmp

Filesize
4KB

Download
memory/4316-83-0x0000000004830000-0x0000000004831000-memory.dmp

Filesize
4KB

Download
memory/4316-84-0x0000000000400000-0x00000000006A2000-memory.dmp

Filesize
2.6MB

Download
memory/4316-63-0x00000000774E4000-0x00000000774E6000-memory.dmp

Filesize
8KB

Download
memory/4316-64-0x00000000047F0000-0x00000000047F1000-memory.dmp

Filesize
4KB

Download
memory/4316-65-0x0000000000400000-0x00000000006A2000-memory.dmp

Filesize
2.6MB

Download
memory/4316-67-0x00000000047B0000-0x00000000047B1000-memory.dmp

Filesize
4KB

Download
memory/4316-66-0x0000000004750000-0x0000000004751000-memory.dmp

Filesize
4KB

Download
memory/4316-68-0x0000000004780000-0x0000000004781000-memory.dmp

Filesize
4KB

Download
memory/4316-69-0x0000000004760000-0x0000000004761000-memory.dmp

Filesize
4KB

Download
memory/4316-71-0x0000000004800000-0x0000000004801000-memory.dmp

Filesize
4KB

Download
memory/4316-81-0x0000000004890000-0x0000000004891000-memory.dmp

Filesize
4KB

Download
memory/4316-73-0x00000000047D0000-0x00000000047D1000-memory.dmp

Filesize
4KB

Download
memory/4316-70-0x00000000047E0000-0x00000000047E2000-memory.dmp

Filesize
8KB

Download
memory/4316-75-0x0000000004820000-0x0000000004821000-memory.dmp

Filesize
4KB

Download
memory/4316-74-0x00000000047C0000-0x00000000047C1000-memory.dmp

Filesize
4KB

Download
memory/4316-76-0x00000000048F0000-0x00000000048F2000-memory.dmp

Filesize
8KB

Download
memory/4316-77-0x0000000004880000-0x0000000004881000-memory.dmp

Filesize
4KB

Download
memory/4316-78-0x0000000004740000-0x0000000004741000-memory.dmp

Filesize
4KB

Download
memory/4316-79-0x0000000004790000-0x0000000004791000-memory.dmp

Filesize
4KB

Download
memory/4316-80-0x0000000004860000-0x0000000004861000-memory.dmp

Filesize
4KB

Download
memory/4628-48-0x0000000010000000-0x000000001002A000-memory.dmp

Filesize
168KB

Download
memory/4628-41-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/4628-42-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/4628-43-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/4628-47-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download