Overview

Score: 10
Static: 3

Tasks
Sample                Platform            Score
7Q7ATX/9DTDG_o.exe    windows7-x64        10
7Q7ATX/9DTDG_o.exe    windows10-2004-x64  10
7Q7ATX/longlq.cl      windows7-x64        3
7Q7ATX/longlq.cl      windows10-2004-x64  3
7Q7ATX/msvbvm50.dll   windows7-x64        1
7Q7ATX/msvbvm50.dll   windows10-2004-x64  1
7Q7ATX/p.mgc          windows7-x64        3
7Q7ATX/p.mgc          windows10-2004-x64  3

Analysis
max time kernel:   357s
max time network:  419s
platform:          windows7_x64
resource:          win7-20240220-en
resource tags:     arch:x64, arch:x86, image:win7-20240220-en, locale:en-us, os:windows7-x64, system
submitted:         19-04-2024 13:12
Tasks

Static task static1

Behavioral task  Sample               Resource
behavioral1      7Q7ATX/9DTDG_o.exe   win7-20240220-en
behavioral2      7Q7ATX/9DTDG_o.exe   win10v2004-20240226-en
behavioral3      7Q7ATX/longlq.cl     win7-20240221-en
behavioral4      7Q7ATX/longlq.cl     win10v2004-20240412-en
behavioral5      7Q7ATX/msvbvm50.dll  win7-20240221-en
behavioral6      7Q7ATX/msvbvm50.dll  win10v2004-20240226-en
behavioral7      7Q7ATX/p.mgc         win7-20240221-en
behavioral8      7Q7ATX/p.mgc         win10v2004-20240412-en
General

Target:  7Q7ATX/9DTDG_o.exe
Size:    148KB
MD5:     f852aa63bc40b55bee5f0df8ab7ca885
SHA1:    35bd2a698af33ef4dd20a8c32f7afbe65aafdb80
SHA256:  e8b572831fe43f52bcf004ae3eee3ec7be5e8a31fc46721b1f6343baa2858aa0
SHA512:  e95d1963953fa7a29c162b848cf30629b7bfb025f4235a6eda5f293e793e9dfac630e482fd246a4e337e12a8c1738066d83382e93c5b5bcdcbe91fe24742e5f1
SSDEEP:  1536:4ApcD8QFjMFvLl5DABLu7SN5+DLNPFthAQd3qHvDXrqwHn9cdsK0sM6QMIEvYn70:rp28Lpk82agQcqqW
Malware Config
Signatures

FatalRat
  FatalRat is a modular infostealer family written in C++ first appearing in June 2021.

Fatal Rat payload (2 IoCs)
  resource                                                                     yara_rule
  behavioral1/memory/3068-3-0x0000000000270000-0x000000000029A000-memory.dmp   fatalrat
  behavioral1/memory/1504-22-0x0000000000260000-0x000000000028A000-memory.dmp  fatalrat

Executes dropped EXE (2 IoCs)
  pid   Process
  3020  9DTDG_o.exe
  1504  9DTDG_o.exe

Loads dropped DLL (2 IoCs)
  pid   Process
  3068  9DTDG_o.exe
  3068  9DTDG_o.exe

Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).

Checks processor information in registry (2 TTPs, 2 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  description        ioc                                                                    Process
  Key opened         \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0       9DTDG_o.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz  9DTDG_o.exe

Suspicious behavior: EnumeratesProcesses (64 IoCs; repeated rows collapsed)
  pid   Process
  1504  9DTDG_o.exe
  1568  taskmgr.exe

Suspicious use of AdjustPrivilegeToken (4 IoCs)
  description              pid   Process
  Token: SeDebugPrivilege  3068  9DTDG_o.exe
  Token: SeDebugPrivilege  1504  9DTDG_o.exe
  Token: SeDebugPrivilege  1568  taskmgr.exe
  Token: SeDebugPrivilege  2020  taskmgr.exe

Suspicious use of FindShellTrayWindow (64 IoCs; repeated rows collapsed)
  pid   Process
  1568  taskmgr.exe
  2020  taskmgr.exe

Suspicious use of SendNotifyMessage (64 IoCs; repeated rows collapsed)
  pid   Process
  1568  taskmgr.exe
  2020  taskmgr.exe

Suspicious use of WriteProcessMemory (4 IoCs)
  description                       pid   Process      procid_target
  PID 3068 wrote to memory of 3020  3068  9DTDG_o.exe  28
  PID 3068 wrote to memory of 3020  3068  9DTDG_o.exe  28
  PID 3068 wrote to memory of 3020  3068  9DTDG_o.exe  28
  PID 3068 wrote to memory of 3020  3068  9DTDG_o.exe  28
Processes

C:\Users\Admin\AppData\Local\Temp\7Q7ATX\9DTDG_o.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\7Q7ATX\9DTDG_o.exe"
  PID: 3068
  - Loads dropped DLL
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\9DTDG_o.exe
      Command line: "C:\Users\Admin\AppData\Local\9DTDG_o.exe"
      PID: 3020
      - Executes dropped EXE

C:\Windows\explorer.exe
  Command line: "C:\Windows\explorer.exe"
  PID: 2612

C:\Users\Admin\AppData\Local\Temp\7Q7ATX\9DTDG_o.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\7Q7ATX\9DTDG_o.exe"
  PID: 1504
  - Executes dropped EXE
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken

C:\Windows\system32\taskmgr.exe
  Command line: "C:\Windows\system32\taskmgr.exe" /4
  PID: 1568
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage

C:\Windows\system32\taskmgr.exe
  Command line: "C:\Windows\system32\taskmgr.exe" /4
  PID: 2020
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize:  148KB
MD5:       f852aa63bc40b55bee5f0df8ab7ca885
SHA1:      35bd2a698af33ef4dd20a8c32f7afbe65aafdb80
SHA256:    e8b572831fe43f52bcf004ae3eee3ec7be5e8a31fc46721b1f6343baa2858aa0
SHA512:    e95d1963953fa7a29c162b848cf30629b7bfb025f4235a6eda5f293e793e9dfac630e482fd246a4e337e12a8c1738066d83382e93c5b5bcdcbe91fe24742e5f1