fatalrat | b2b8edb831047a486ad58488be7497f74c262ced7a35e0b1b2e063495bffd6c4

Analysis

max time kernel
120s
max time network
147s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
10-09-2023 11:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b2b8edb831047a486ad58488be7497f74c262ced7a35e0b1b2e063495bffd6c4.exe
Size

93KB
MD5

074a292b0a1405cf35e5a9d6067f15ca
SHA1

5bcc1e4784d67b3ba0dd7147514cd883b246a80a
SHA256

b2b8edb831047a486ad58488be7497f74c262ced7a35e0b1b2e063495bffd6c4
SHA512

b6ebc5b826e44b5e9c75d167ddefe98cd1aac3d2ea1dc3a96efceba3179f6a49b76239e6aa8504524d3ce02244a96d5f24642b267119fa11d919bd7b5283868f
SSDEEP

1536:1NeXBiSPip4rS8m+mRiSG8rnv2LAczc9Cv6RHSXZnsW/cd5UpmgCQ9pdeFi:1JSzrS8IG8rnv2LAczclIXm5UYgC6veg

Score

10^/10

fatalrat infostealer rat

Malware Config

Signatures

FatalRat
FatalRat is a modular infostealer family written in C++ first appearing in June 2021.
infostealer rat fatalrat

Fatal Rat payload 2 IoCs

rat infostealer

resource	yara_rule
behavioral1/memory/3040-85-0x0000000000700000-0x000000000072A000-memory.dmp	fatalrat
behavioral1/memory/2876-135-0x0000000000550000-0x000000000057A000-memory.dmp	fatalrat

Executes dropped EXE 1 IoCs

pid	Process
2876	b2b8edb831047a486ad58488be7497f74c262ced7a35e0b1b2e063495bffd6c4.exe

Loads dropped DLL 1 IoCs

pid	Process
3040	b2b8edb831047a486ad58488be7497f74c262ced7a35e0b1b2e063495bffd6c4.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	b2b8edb831047a486ad58488be7497f74c262ced7a35e0b1b2e063495bffd6c4.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	b2b8edb831047a486ad58488be7497f74c262ced7a35e0b1b2e063495bffd6c4.exe

Modifies system certificate store 2 TTPs 6 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	b2b8edb831047a486ad58488be7497f74c262ced7a35e0b1b2e063495bffd6c4.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	b2b8edb831047a486ad58488be7497f74c262ced7a35e0b1b2e063495bffd6c4.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13	b2b8edb831047a486ad58488be7497f74c262ced7a35e0b1b2e063495bffd6c4.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 0f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c1320000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	b2b8edb831047a486ad58488be7497f74c262ced7a35e0b1b2e063495bffd6c4.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 1900000001000000100000006cf252fec3e8f20996de5d4dd9aef424030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131d00000001000000100000004558d512eecb27464920897de7b66053140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc41560858910090000000100000016000000301406082b0601050507030406082b060105050703010b000000010000001e000000440053005400200052006f006f00740020004300410020005800330000000f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d20000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	b2b8edb831047a486ad58488be7497f74c262ced7a35e0b1b2e063495bffd6c4.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 040000000100000010000000410352dc0ff7501b16f0028eba6f45c50f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131900000001000000100000006cf252fec3e8f20996de5d4dd9aef42420000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	b2b8edb831047a486ad58488be7497f74c262ced7a35e0b1b2e063495bffd6c4.exe

Suspicious behavior: EnumeratesProcesses 51 IoCs

pid	Process
2876	b2b8edb831047a486ad58488be7497f74c262ced7a35e0b1b2e063495bffd6c4.exe
2876	b2b8edb831047a486ad58488be7497f74c262ced7a35e0b1b2e063495bffd6c4.exe
2876	b2b8edb831047a486ad58488be7497f74c262ced7a35e0b1b2e063495bffd6c4.exe
2876	b2b8edb831047a486ad58488be7497f74c262ced7a35e0b1b2e063495bffd6c4.exe
2876	b2b8edb831047a486ad58488be7497f74c262ced7a35e0b1b2e063495bffd6c4.exe
2876	b2b8edb831047a486ad58488be7497f74c262ced7a35e0b1b2e063495bffd6c4.exe
2876	b2b8edb831047a486ad58488be7497f74c262ced7a35e0b1b2e063495bffd6c4.exe
2876	b2b8edb831047a486ad58488be7497f74c262ced7a35e0b1b2e063495bffd6c4.exe
2876	b2b8edb831047a486ad58488be7497f74c262ced7a35e0b1b2e063495bffd6c4.exe
2876	b2b8edb831047a486ad58488be7497f74c262ced7a35e0b1b2e063495bffd6c4.exe
2876	b2b8edb831047a486ad58488be7497f74c262ced7a35e0b1b2e063495bffd6c4.exe
2876	b2b8edb831047a486ad58488be7497f74c262ced7a35e0b1b2e063495bffd6c4.exe
2876	b2b8edb831047a486ad58488be7497f74c262ced7a35e0b1b2e063495bffd6c4.exe
2876	b2b8edb831047a486ad58488be7497f74c262ced7a35e0b1b2e063495bffd6c4.exe
2876	b2b8edb831047a486ad58488be7497f74c262ced7a35e0b1b2e063495bffd6c4.exe
2876	b2b8edb831047a486ad58488be7497f74c262ced7a35e0b1b2e063495bffd6c4.exe
2876	b2b8edb831047a486ad58488be7497f74c262ced7a35e0b1b2e063495bffd6c4.exe
2876	b2b8edb831047a486ad58488be7497f74c262ced7a35e0b1b2e063495bffd6c4.exe
2876	b2b8edb831047a486ad58488be7497f74c262ced7a35e0b1b2e063495bffd6c4.exe
2876	b2b8edb831047a486ad58488be7497f74c262ced7a35e0b1b2e063495bffd6c4.exe
2876	b2b8edb831047a486ad58488be7497f74c262ced7a35e0b1b2e063495bffd6c4.exe
2876	b2b8edb831047a486ad58488be7497f74c262ced7a35e0b1b2e063495bffd6c4.exe
2876	b2b8edb831047a486ad58488be7497f74c262ced7a35e0b1b2e063495bffd6c4.exe
2876	b2b8edb831047a486ad58488be7497f74c262ced7a35e0b1b2e063495bffd6c4.exe
2876	b2b8edb831047a486ad58488be7497f74c262ced7a35e0b1b2e063495bffd6c4.exe
2876	b2b8edb831047a486ad58488be7497f74c262ced7a35e0b1b2e063495bffd6c4.exe
2876	b2b8edb831047a486ad58488be7497f74c262ced7a35e0b1b2e063495bffd6c4.exe
2876	b2b8edb831047a486ad58488be7497f74c262ced7a35e0b1b2e063495bffd6c4.exe
2876	b2b8edb831047a486ad58488be7497f74c262ced7a35e0b1b2e063495bffd6c4.exe
2876	b2b8edb831047a486ad58488be7497f74c262ced7a35e0b1b2e063495bffd6c4.exe
2876	b2b8edb831047a486ad58488be7497f74c262ced7a35e0b1b2e063495bffd6c4.exe
2876	b2b8edb831047a486ad58488be7497f74c262ced7a35e0b1b2e063495bffd6c4.exe
2876	b2b8edb831047a486ad58488be7497f74c262ced7a35e0b1b2e063495bffd6c4.exe
2876	b2b8edb831047a486ad58488be7497f74c262ced7a35e0b1b2e063495bffd6c4.exe
2876	b2b8edb831047a486ad58488be7497f74c262ced7a35e0b1b2e063495bffd6c4.exe
2876	b2b8edb831047a486ad58488be7497f74c262ced7a35e0b1b2e063495bffd6c4.exe
2876	b2b8edb831047a486ad58488be7497f74c262ced7a35e0b1b2e063495bffd6c4.exe
2876	b2b8edb831047a486ad58488be7497f74c262ced7a35e0b1b2e063495bffd6c4.exe
2876	b2b8edb831047a486ad58488be7497f74c262ced7a35e0b1b2e063495bffd6c4.exe
2876	b2b8edb831047a486ad58488be7497f74c262ced7a35e0b1b2e063495bffd6c4.exe
2876	b2b8edb831047a486ad58488be7497f74c262ced7a35e0b1b2e063495bffd6c4.exe
2876	b2b8edb831047a486ad58488be7497f74c262ced7a35e0b1b2e063495bffd6c4.exe
2876	b2b8edb831047a486ad58488be7497f74c262ced7a35e0b1b2e063495bffd6c4.exe
2876	b2b8edb831047a486ad58488be7497f74c262ced7a35e0b1b2e063495bffd6c4.exe
2876	b2b8edb831047a486ad58488be7497f74c262ced7a35e0b1b2e063495bffd6c4.exe
2876	b2b8edb831047a486ad58488be7497f74c262ced7a35e0b1b2e063495bffd6c4.exe
2876	b2b8edb831047a486ad58488be7497f74c262ced7a35e0b1b2e063495bffd6c4.exe
2876	b2b8edb831047a486ad58488be7497f74c262ced7a35e0b1b2e063495bffd6c4.exe
2876	b2b8edb831047a486ad58488be7497f74c262ced7a35e0b1b2e063495bffd6c4.exe
2876	b2b8edb831047a486ad58488be7497f74c262ced7a35e0b1b2e063495bffd6c4.exe
2876	b2b8edb831047a486ad58488be7497f74c262ced7a35e0b1b2e063495bffd6c4.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	3040	b2b8edb831047a486ad58488be7497f74c262ced7a35e0b1b2e063495bffd6c4.exe
Token: SeDebugPrivilege	2876	b2b8edb831047a486ad58488be7497f74c262ced7a35e0b1b2e063495bffd6c4.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 3040 wrote to memory of 2876	3040	b2b8edb831047a486ad58488be7497f74c262ced7a35e0b1b2e063495bffd6c4.exe	29
PID 3040 wrote to memory of 2876	3040	b2b8edb831047a486ad58488be7497f74c262ced7a35e0b1b2e063495bffd6c4.exe	29
PID 3040 wrote to memory of 2876	3040	b2b8edb831047a486ad58488be7497f74c262ced7a35e0b1b2e063495bffd6c4.exe	29
PID 3040 wrote to memory of 2876	3040	b2b8edb831047a486ad58488be7497f74c262ced7a35e0b1b2e063495bffd6c4.exe	29

C:\Users\Admin\AppData\Local\Temp\b2b8edb831047a486ad58488be7497f74c262ced7a35e0b1b2e063495bffd6c4.exe
"C:\Users\Admin\AppData\Local\Temp\b2b8edb831047a486ad58488be7497f74c262ced7a35e0b1b2e063495bffd6c4.exe"
1⤵
- Loads dropped DLL
- Modifies system certificate store
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3040
- C:\Users\Admin\AppData\Local\b2b8edb831047a486ad58488be7497f74c262ced7a35e0b1b2e063495bffd6c4.exe
  "C:\Users\Admin\AppData\Local\b2b8edb831047a486ad58488be7497f74c262ced7a35e0b1b2e063495bffd6c4.exe"
  2⤵
  - Executes dropped EXE
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2876

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\088D78689371D39E2B183BEA37F7313E

Filesize
503B

MD5
f0a84e34684536aa28353865eeb1b8eb

SHA1
1537e73198ddec46589eff66494481468b4bb8a6

SHA256
9c91595df518bba03ad5ab78f794b234d53b5affb088023aad76812375bf9b01

SHA512
f14cc3d2c6bf382cabce521a42947ec4fbe600a1a7e718c553a94a9e0381d5eceeb78400a31efc0626ea62935da5aaee132b991ca78e69af9ba2a989a3cf9df1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751

Filesize
717B

MD5
60fe01df86be2e5331b0cdbe86165686

SHA1
2a79f9713c3f192862ff80508062e64e8e0b29bd

SHA256
c08ccbc876cd5a7cdfa9670f9637da57f6a1282198a9bc71fc7d7247a6e5b7a8

SHA512
ef9f9a4dedcbfe339f4f3d07fb614645596c6f2b15608bdccdad492578b735f7cb075bdaa07178c764582ee345857ec4665f90342694e6a60786bb3d9b3a3d23

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\088D78689371D39E2B183BEA37F7313E

Filesize
552B

MD5
835eda08ed9fa72e5aaf35f2560e8b1f

SHA1
92938db96156cf6ecb7f0ca396df4cc2f16cbe86

SHA256
e184b2757f5be3cb61c9e8f01549e789ab6cfbbe16ca59b3136e28f85d95ab9c

SHA512
78e62f6335705af9263bea463e7990f4bc4832961e23c7e43a3344d96f3d07b6b5e66e93c19617a29b3d64a0800cc51b7330d95ae6bf388e74ff637432b9348c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751

Filesize
192B

MD5
7f7b6e627c420dc066f923153f3aebc9

SHA1
494db108f11a8a964da9cb13c5e3e163626941fd

SHA256
86b3a07564492e56b6076e6eec95a7a146a660709025d10009291be6bde7f6f9

SHA512
6c7aa8a6642a414bd52b5b9b9d4feafa37b736b4d44057f9649c3084530a01f7b946067f7bb7c7f9b82e41ca90e574e87f14b3f7b431bd9d889eca97f211297d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
5977aee56cdf54943366ff1fe5a169dd

SHA1
e3a891859c771752c5b4e2d350f13ee60570b391

SHA256
3e4d7036b66d7a4f9dca645ed0675e799fbab7f647c23f3041d6cbbf7e911152

SHA512
e9a6e615385ee59d33d95ca5d502a9757e6c906770f4689e3b57a63ceda5d27722cf8aabea992dfd58884a011fc5202c1ec69a2349de58bb086c8c73de923352

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
842fae2dcafd878cebe3a7aed378c30f

SHA1
2d39e09f01c9007f02854b9fca293b4b70970d66

SHA256
7026d4e6f8b30a4821c1f9cd2c48a04e5c61136b9659e296a9d9293f49a5d053

SHA512
ad46716d2a949eeedb1a8a1dad0ed853c7622f20b072f7538b3a87842c315252f59225b12d1d64614dc78bf001a128ec4d94c310b77c72320082a880d4ecec66

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab3D60.tmp

Filesize
61KB

MD5
f3441b8572aae8801c04f3060b550443

SHA1
4ef0a35436125d6821831ef36c28ffaf196cda15

SHA256
6720349e7d82ee0a8e73920d3c2b7cb2912d9fcf2edb6fd98f2f12820158b0bf

SHA512
5ba01ba421b50030e380ae6bbcd2f681f2a91947fe7fedb3c8e6b5f24dce9517abf57b1cf26cc6078d4bb53bde6fcfb2561591337c841f8f2cb121a3d71661b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar3ECA.tmp

Filesize
163KB

MD5
9441737383d21192400eca82fda910ec

SHA1
725e0d606a4fc9ba44aa8ffde65bed15e65367e4

SHA256
bc3a6e84e41faeb57e7c21aa3b60c2a64777107009727c5b7c0ed8fe658909e5

SHA512
7608dd653a66cd364392a78d4711b48d1707768d36996e4d38871c6843b5714e1d7da4b4cc6db969e6000cfa182bcb74216ef6823d1063f036fc5c3413fb8dcf

Download Submit
C:\Users\Admin\AppData\Local\b2b8edb831047a486ad58488be7497f74c262ced7a35e0b1b2e063495bffd6c4.exe

Filesize
93KB

MD5
074a292b0a1405cf35e5a9d6067f15ca

SHA1
5bcc1e4784d67b3ba0dd7147514cd883b246a80a

SHA256
b2b8edb831047a486ad58488be7497f74c262ced7a35e0b1b2e063495bffd6c4

SHA512
b6ebc5b826e44b5e9c75d167ddefe98cd1aac3d2ea1dc3a96efceba3179f6a49b76239e6aa8504524d3ce02244a96d5f24642b267119fa11d919bd7b5283868f

Download Submit
C:\Users\Admin\AppData\Local\b2b8edb831047a486ad58488be7497f74c262ced7a35e0b1b2e063495bffd6c4.exe

Filesize
93KB

MD5
074a292b0a1405cf35e5a9d6067f15ca

SHA1
5bcc1e4784d67b3ba0dd7147514cd883b246a80a

SHA256
b2b8edb831047a486ad58488be7497f74c262ced7a35e0b1b2e063495bffd6c4

SHA512
b6ebc5b826e44b5e9c75d167ddefe98cd1aac3d2ea1dc3a96efceba3179f6a49b76239e6aa8504524d3ce02244a96d5f24642b267119fa11d919bd7b5283868f

Download Submit
C:\Users\Admin\AppData\Local\b2b8edb831047a486ad58488be7497f74c262ced7a35e0b1b2e063495bffd6c4.exe

Filesize
93KB

MD5
074a292b0a1405cf35e5a9d6067f15ca

SHA1
5bcc1e4784d67b3ba0dd7147514cd883b246a80a

SHA256
b2b8edb831047a486ad58488be7497f74c262ced7a35e0b1b2e063495bffd6c4

SHA512
b6ebc5b826e44b5e9c75d167ddefe98cd1aac3d2ea1dc3a96efceba3179f6a49b76239e6aa8504524d3ce02244a96d5f24642b267119fa11d919bd7b5283868f

Download Submit
\Users\Admin\AppData\Local\b2b8edb831047a486ad58488be7497f74c262ced7a35e0b1b2e063495bffd6c4.exe

Filesize
93KB

MD5
074a292b0a1405cf35e5a9d6067f15ca

SHA1
5bcc1e4784d67b3ba0dd7147514cd883b246a80a

SHA256
b2b8edb831047a486ad58488be7497f74c262ced7a35e0b1b2e063495bffd6c4

SHA512
b6ebc5b826e44b5e9c75d167ddefe98cd1aac3d2ea1dc3a96efceba3179f6a49b76239e6aa8504524d3ce02244a96d5f24642b267119fa11d919bd7b5283868f

Download Submit
memory/2876-135-0x0000000000550000-0x000000000057A000-memory.dmp

Filesize
168KB

Download
memory/3040-85-0x0000000000700000-0x000000000072A000-memory.dmp

Filesize
168KB

Download
memory/3040-80-0x0000000010000000-0x0000000010031000-memory.dmp

Filesize
196KB

Download
memory/3040-81-0x00000000006C0000-0x00000000006F2000-memory.dmp

Filesize
200KB

Download