Analysis
-
max time kernel
136s -
max time network
146s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system -
submitted
24-04-2024 17:14
Static task
static1
Behavioral task
behavioral1
Sample
c18df16013c1a039cb7125ee50d26b5f9835f61d3c791d38d5a0f7ad2215e861.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
c18df16013c1a039cb7125ee50d26b5f9835f61d3c791d38d5a0f7ad2215e861.exe
Resource
win10v2004-20240412-en
General
-
Target
c18df16013c1a039cb7125ee50d26b5f9835f61d3c791d38d5a0f7ad2215e861.exe
-
Size
820KB
-
MD5
ba5ded4a384dc6ab600dd6af1ba25884
-
SHA1
8bad7156fda273bfc789b6810dacabec05207688
-
SHA256
c18df16013c1a039cb7125ee50d26b5f9835f61d3c791d38d5a0f7ad2215e861
-
SHA512
5a1d98da409088e0f2e8af57ec5292ce1b2d0149a84e7cdcfa6d8335219eb3c1375d81daf1776f454126256fa536e86ea609621ef027417197d04975764a4a5b
-
SSDEEP
12288:OKnJXa/rMOPsQ3ykLlf6VEPvgHyBqgiyUDHUgYR9mLzQx:1OLPsQ9faSQNyUD07EH
Malware Config
Signatures
-
FatalRat
FatalRat is a modular infostealer family written in C++ first appearing in June 2021.
-
Fatal Rat payload 1 IoCs
Processes:
resource yara_rule behavioral1/memory/1796-0-0x0000000010000000-0x000000001002A000-memory.dmp fatalrat -
Executes dropped EXE 2 IoCs
Processes:
Svwxya.exeSvwxya.exepid process 3048 Svwxya.exe 2564 Svwxya.exe -
Loads dropped DLL 1 IoCs
Processes:
Svwxya.exepid process 3048 Svwxya.exe -
Drops file in Program Files directory 4 IoCs
Processes:
c18df16013c1a039cb7125ee50d26b5f9835f61d3c791d38d5a0f7ad2215e861.exeSvwxya.exedescription ioc process File opened for modification C:\Program Files (x86)\Svwxya.exe c18df16013c1a039cb7125ee50d26b5f9835f61d3c791d38d5a0f7ad2215e861.exe File opened for modification C:\Program Files (x86)\Svwxya.exe Svwxya.exe File created C:\Program Files (x86)\Svwxya.exe Svwxya.exe File created C:\Program Files (x86)\Svwxya.exe c18df16013c1a039cb7125ee50d26b5f9835f61d3c791d38d5a0f7ad2215e861.exe -
Modifies data under HKEY_USERS 16 IoCs
Processes:
Svwxya.exeSvwxya.exedescription ioc process Key created \REGISTRY\USER\.DEFAULT\Software Svwxya.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System Svwxya.exe Set value (str) \REGISTRY\USER\.DEFAULT\SYSTEM\CurrentControlSet\Services\Stuvwx Abcdefgh\Group = "Fatal" Svwxya.exe Key created \REGISTRY\USER\.DEFAULT\SYSTEM\CurrentControlSet\Services Svwxya.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies Svwxya.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\System Svwxya.exe Key created \REGISTRY\USER\.DEFAULT\SYSTEM\CurrentControlSet Svwxya.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion Svwxya.exe Key created \REGISTRY\USER\.DEFAULT\SYSTEM Svwxya.exe Set value (str) \REGISTRY\USER\.DEFAULT\SYSTEM\CurrentControlSet\Services\Stuvwx Abcdefgh\InstallTime = "2024-04-24 17:14" Svwxya.exe Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableLockWorkstation = "1" Svwxya.exe Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableLockWorkstation = "1" Svwxya.exe Key created \REGISTRY\USER\.DEFAULT\SYSTEM\CurrentControlSet\Services\Stuvwx Abcdefgh Svwxya.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\System Svwxya.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft Svwxya.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows Svwxya.exe -
Suspicious behavior: RenamesItself 1 IoCs
Processes:
c18df16013c1a039cb7125ee50d26b5f9835f61d3c791d38d5a0f7ad2215e861.exepid process 1796 c18df16013c1a039cb7125ee50d26b5f9835f61d3c791d38d5a0f7ad2215e861.exe -
Suspicious use of AdjustPrivilegeToken 3 IoCs
Processes:
c18df16013c1a039cb7125ee50d26b5f9835f61d3c791d38d5a0f7ad2215e861.exeSvwxya.exeSvwxya.exedescription pid process Token: SeDebugPrivilege 1796 c18df16013c1a039cb7125ee50d26b5f9835f61d3c791d38d5a0f7ad2215e861.exe Token: SeDebugPrivilege 3048 Svwxya.exe Token: SeDebugPrivilege 2564 Svwxya.exe -
Suspicious use of WriteProcessMemory 4 IoCs
Processes:
Svwxya.exedescription pid process target process PID 3048 wrote to memory of 2564 3048 Svwxya.exe Svwxya.exe PID 3048 wrote to memory of 2564 3048 Svwxya.exe Svwxya.exe PID 3048 wrote to memory of 2564 3048 Svwxya.exe Svwxya.exe PID 3048 wrote to memory of 2564 3048 Svwxya.exe Svwxya.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\c18df16013c1a039cb7125ee50d26b5f9835f61d3c791d38d5a0f7ad2215e861.exe"C:\Users\Admin\AppData\Local\Temp\c18df16013c1a039cb7125ee50d26b5f9835f61d3c791d38d5a0f7ad2215e861.exe"1⤵
- Drops file in Program Files directory
- Suspicious behavior: RenamesItself
- Suspicious use of AdjustPrivilegeToken
PID:1796
-
C:\Program Files (x86)\Svwxya.exe"C:\Program Files (x86)\Svwxya.exe"1⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3048 -
C:\Program Files (x86)\Svwxya.exe"C:\Program Files (x86)\Svwxya.exe" Win72⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2564
Network
MITRE ATT&CK Matrix
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
820KB
MD5ba5ded4a384dc6ab600dd6af1ba25884
SHA18bad7156fda273bfc789b6810dacabec05207688
SHA256c18df16013c1a039cb7125ee50d26b5f9835f61d3c791d38d5a0f7ad2215e861
SHA5125a1d98da409088e0f2e8af57ec5292ce1b2d0149a84e7cdcfa6d8335219eb3c1375d81daf1776f454126256fa536e86ea609621ef027417197d04975764a4a5b