Overview

overview

10

Static

static

3

ChromeaSetup.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    581s
  • max time network
    599s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231130-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231130-enlocale:en-usos:windows10-2004-x64system
  • submitted
    12/12/2023, 22:17

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    ChromeaSetup.exe

  • Size

    88.1MB

  • MD5

    1001791903c0dbd515877048a8508660

  • SHA1

    9994e2b120b8c61035032036694827c105c2b9ea

  • SHA256

    0476986195147a51e7f0b70050b27f73a0de46e2595b8c27eca4ad43064e8cb4

  • SHA512

    6f81497f9bebf5f20a74a30bed9b5474a3d82af3015303ed9008cadec511a5c7741aa00c9d0f9918c5421806c532090182ed280a95709f99bd087384d302d918

  • SSDEEP

    1572864:pHY4l+VZmS5afHwG1znyDUmd5KrwJNYGyMToUWT0fB5aPvJd13Ev0Lsmu:p44lSZ15afHwCtmGrsNYRMMb0JU9EvJ

Score
10/10
fatalratdiscoveryinfostealerrat

Malware Config

Signatures

  • FatalRat

    FatalRat is a modular infostealer family written in C++ first appearing in June 2021.

    infostealerratfatalrat
  • Fatal Rat payload 1 IoCs
    ratinfostealer
  • Executes dropped EXE 5 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Drops file in System32 directory 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies data under HKEY_USERS 16 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\ChromeaSetup.exe
    "C:\Users\Admin\AppData\Local\Temp\ChromeaSetup.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:5084
    • C:\Users\Admin\AppData\Local\Temp\is-J7SKC.tmp\ChromeaSetup.tmp
      "C:\Users\Admin\AppData\Local\Temp\is-J7SKC.tmp\ChromeaSetup.tmp" /SL5="$120056,91486196,830976,C:\Users\Admin\AppData\Local\Temp\ChromeaSetup.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of WriteProcessMemory
      PID:3980
      • C:\ProgramData\setup.exe
        "C:\ProgramData\setup.exe" setup
        3⤵
        • Executes dropped EXE
        • Drops file in System32 directory
        • Suspicious use of SetWindowsHookEx
        PID:4408
      • C:\ProgramData\install.exe
        "C:\ProgramData\install.exe" setup
        3⤵
        • Executes dropped EXE
        • Drops file in System32 directory
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        PID:4356
  • C:\ProgramData\mstcs.exe
    C:\ProgramData\mstcs.exe
    1⤵
    • Executes dropped EXE
    • Drops file in System32 directory
    • Modifies data under HKEY_USERS
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:740
    • C:\ProgramData\mstcs.exe
      C:\ProgramData\mstcs.exe Win7
      2⤵
      • Executes dropped EXE
      • Drops file in System32 directory
      • Modifies data under HKEY_USERS
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      PID:4236

Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\ProgramData\Chrome\chrome.exe
          Filesize

          2.4MB

          MD5

          a98d71eb1bec5d38549b2155a3e54008

          SHA1

          8bfc5af325534d4b4b690c4883e27e3d005eee20

          SHA256

          e6d9df99f3bce911f8241e4e40784288b879b93feaeb5edddb1cb4e0cac675f8

          SHA512

          6d8ff316d02b3a0e0943f1833076f8e277b3ba6d602fcd3ecf58687f6753d2b5e21bcfcc6c1b7d182219a532f709f37281eb44a9759f4cdc569498aeb27fe244

          Download Submit

        • C:\ProgramData\install.exe
          Filesize

          452KB

          MD5

          0ae239225c43476e8b8f2c2ddaecc208

          SHA1

          4a1933a2dd85df838a967e5796bf2420efbecbd6

          SHA256

          052e2bff4f4505ad9e3f488823d6125fe8c59b5ac030c7db64db7d7b9f6f5abd

          SHA512

          8a55ca9753d25e2a532565f719b48cb7c4f866a29e5cb6d37079184c32990cfae12c0f905d811a464db44bb51f72ecdc01466137e10d89d3f89631a29f4ef9fa

          Download Submit

        • C:\ProgramData\install.exe
          Filesize

          256KB

          MD5

          21fb0c294faf4293f951bdd039a37734

          SHA1

          3a24f2895c9c602f998e864c47f40d2df2fa8ab8

          SHA256

          78f9772ca9d2a416a109d8b78b22d42fb0ede382628323d632893855338af63e

          SHA512

          a1401df0c639c1255ead94cfdb94bb95fe606edd4d2d259592d85a96e230ab46f0fb496518525c9dfb1ef8984f828f8782788f6ca1b859ad1f9308bb722a90c6

          Download Submit

        • C:\ProgramData\mstcs.exe
          Filesize

          1.9MB

          MD5

          ff504e5889e75cd35713f531a837bf82

          SHA1

          1f47e5560a84e6ed0f172660c9882ddd751d7f18

          SHA256

          b99100e9b989224546d18df21ea90b5c9fa0fe00a098873befdf4afdefe0ab7c

          SHA512

          211c79bd716eeaaa4a8a042bdaa01e5b77081f0d090c9595ffcc6960def13f81d3bc15df4bf58847ef97d7858b98c050935207ccbf4a880585a79ecfd94ced31

          Download Submit

        • C:\ProgramData\setup.exe
          Filesize

          448KB

          MD5

          ac7e8db11e77d0c23ee92eee3f430da9

          SHA1

          df75b6e0749b5ef26cf4473a557e7ba22094dacf

          SHA256

          26888e7aa2f606dfb23c0cb200f4bf1555bbe65a30d2735657938d86cf2c90a8

          SHA512

          fdd3526cfab858f6cbfe6acf7c57031a294557ae5e9d3f2b01d4676c9504a626971f692dd03c6c66e0eb3ed9378ee26ae222da00c6a4815c905026bba727c91d

          Download Submit

        • C:\ProgramData\setup.exe
          Filesize

          896KB

          MD5

          d908272ebe4657659f38da46b1f2c86d

          SHA1

          5c1130eeb58681d4d920a05145aeeb92a4761b21

          SHA256

          48379cd147b97ff76afe88e527f5680f881083140224bda5759cf1ffffcc09f8

          SHA512

          77f4219f825e97a950246db7379981a5a782e3ef6a210f57c18db7f2eddc67a0eba30db34dc42639121323d8462da9a68db1984e849c19256083e1f23834500a

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\is-J7SKC.tmp\ChromeaSetup.tmp
          Filesize

          3.0MB

          MD5

          3eac63e18f4808b72e360e5e00b44841

          SHA1

          d77da45097a6d456e3cd240c3dc8962403dd6cf2

          SHA256

          6a3af360ef6d716a8cc1a2da7f2737ffbae99b5b1c5a70fa1677c8f79a6c0b9b

          SHA512

          2ee842af9726c701a52e76714aa4e408eb27493a794c25cfb1748fe071b637efa46a8fafecfd9be8d02473070adc09e503339ac32e6a7b16cdad7fe61978ee07

          Download Submit

        • C:\WINDOWS\SysWOW64\1.bin
          Filesize

          66KB

          MD5

          6e0a1ae63b6c4df84585567286181195

          SHA1

          158c05ea9ce20d57ac27bf60032b1432ea26fc9b

          SHA256

          98f03f88b23c4f1a3d3dc9d0dc7cf5fd09e58e989ce976452d85f623e1afa740

          SHA512

          151b05a383c2a84b8cf03bf2fc951c09f54fa39d8ed4e61f5ed2510af43f26902494d30882c340206f3bbba3995ed1f09ec76a7162324da2d08d414c5bc20eb4

          Download Submit

        • C:\WINDOWS\SysWOW64\1.bin
          Filesize

          209KB

          MD5

          a7123c81c4ef7078afb1be30ce84c4bb

          SHA1

          489fab1e550794d008dfcc70fa0861bd59c6294c

          SHA256

          3978149da04b5be63c52e51b14e54a0d52bd2be1ac51b11d3565b0841173c31f

          SHA512

          5295517096877f63c8296c049764663b508d3add1c408f068c4b8d4542b822d198b57c41c395760d3856a62894eb476e317e81b67a45278d166f037c8380e9a6

          Download Submit

        • memory/3980-9-0x0000000000400000-0x0000000000714000-memory.dmp

          Filesize

          3.1MB

          Download

        • memory/3980-57-0x0000000000400000-0x0000000000714000-memory.dmp

          Filesize

          3.1MB

          Download

        • memory/3980-12-0x0000000000E90000-0x0000000000E91000-memory.dmp

          Filesize

          4KB

          Download

        • memory/3980-6-0x0000000000E90000-0x0000000000E91000-memory.dmp

          Filesize

          4KB

          Download

        • memory/3980-264-0x0000000000400000-0x0000000000714000-memory.dmp

          Filesize

          3.1MB

          Download

        • memory/3980-266-0x0000000000400000-0x0000000000714000-memory.dmp

          Filesize

          3.1MB

          Download

        • memory/4356-239-0x0000000002B00000-0x0000000002B35000-memory.dmp

          Filesize

          212KB

          Download

        • memory/4356-240-0x0000000010000000-0x000000001002A000-memory.dmp

          Filesize

          168KB

          Download

        • memory/4408-238-0x00000000025D0000-0x0000000002605000-memory.dmp

          Filesize

          212KB

          Download

        • memory/5084-0-0x0000000000400000-0x00000000004D8000-memory.dmp

          Filesize

          864KB

          Download

        • memory/5084-8-0x0000000000400000-0x00000000004D8000-memory.dmp

          Filesize

          864KB

          Download

        • memory/5084-2-0x0000000000400000-0x00000000004D8000-memory.dmp

          Filesize

          864KB

          Download

        • memory/5084-267-0x0000000000400000-0x00000000004D8000-memory.dmp

          Filesize

          864KB

          Download