hxxps://github[.]com/fligger/FateInjector/releases/download/1[.]0/FateInjector[.]exe

Analysis

max time kernel
78s
max time network
49s
platform
windows11-21h2_x64
resource
win11-20240426-en
resource tags

arch:x64arch:x86image:win11-20240426-enlocale:en-usos:windows11-21h2-x64system
submitted
22/05/2024, 22:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://github.com/fligger/FateInjector/releases/download/1.0/FateInjector.exe

Score

8^/10

Malware Config

Signatures

Downloads MZ/PE file

Executes dropped EXE 1 IoCs

pid	Process
2848	FateInjector.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133608908189285015"	chrome.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2551177587-3778486488-1329702901-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg	FateInjector.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2551177587-3778486488-1329702901-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupView = "4294967295"	FateInjector.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2551177587-3778486488-1329702901-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\NodeSlot = "3"	FateInjector.exe
Key created	\REGISTRY\USER\S-1-5-21-2551177587-3778486488-1329702901-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell	FateInjector.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2551177587-3778486488-1329702901-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\Mode = "4"	FateInjector.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2551177587-3778486488-1329702901-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\2\1\0\MRUListEx = ffffffff	FateInjector.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2551177587-3778486488-1329702901-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\9\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	FateInjector.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2551177587-3778486488-1329702901-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202	FateInjector.exe
Key created	\REGISTRY\USER\S-1-5-21-2551177587-3778486488-1329702901-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\2\0	FateInjector.exe
Key created	\REGISTRY\USER\S-1-5-21-2551177587-3778486488-1329702901-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}	FateInjector.exe
Key created	\REGISTRY\USER\S-1-5-21-2551177587-3778486488-1329702901-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\8\ComDlg	FateInjector.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2551177587-3778486488-1329702901-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\8\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4"	FateInjector.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2551177587-3778486488-1329702901-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\8\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	FateInjector.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2551177587-3778486488-1329702901-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\9\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1"	FateInjector.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2551177587-3778486488-1329702901-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "4"	FateInjector.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2551177587-3778486488-1329702901-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupByDirection = "4294967295"	FateInjector.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2551177587-3778486488-1329702901-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 020202020202	FateInjector.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2551177587-3778486488-1329702901-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0"	FateInjector.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2551177587-3778486488-1329702901-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1"	FateInjector.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2551177587-3778486488-1329702901-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\2\0\NodeSlot = "7"	FateInjector.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2551177587-3778486488-1329702901-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\2\MRUListEx = 0100000000000000ffffffff	FateInjector.exe
Key created	\REGISTRY\USER\S-1-5-21-2551177587-3778486488-1329702901-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\8	FateInjector.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2551177587-3778486488-1329702901-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\IconSize = "16"	FateInjector.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2551177587-3778486488-1329702901-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\8\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0"	FateInjector.exe
Key created	\REGISTRY\USER\S-1-5-21-2551177587-3778486488-1329702901-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}	FateInjector.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2551177587-3778486488-1329702901-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{B725F130-47EF-101A-A5F1-02608C9EEBAC}"	FateInjector.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2551177587-3778486488-1329702901-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\8\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1"	FateInjector.exe
Key created	\REGISTRY\USER\S-1-5-21-2551177587-3778486488-1329702901-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	FateInjector.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2551177587-3778486488-1329702901-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\LogicalViewMode = "1"	FateInjector.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2551177587-3778486488-1329702901-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\FFlags = "1092616257"	FateInjector.exe
Key created	\REGISTRY\USER\S-1-5-21-2551177587-3778486488-1329702901-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\9\Shell	FateInjector.exe
Key created	\REGISTRY\USER\S-1-5-21-2551177587-3778486488-1329702901-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}	FateInjector.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2551177587-3778486488-1329702901-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\Mode = "4"	FateInjector.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2551177587-3778486488-1329702901-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\0\NodeSlot = "4"	FateInjector.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2551177587-3778486488-1329702901-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	FateInjector.exe
Key created	\REGISTRY\USER\S-1-5-21-2551177587-3778486488-1329702901-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\ComDlg	FateInjector.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2551177587-3778486488-1329702901-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\2\1\NodeSlot = "8"	FateInjector.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2551177587-3778486488-1329702901-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\2\1\0 = 5a00310000000000b65833b4100053797374656d33320000420009000400efbec5522d60b65833b42e0000008f3600000000010000000000000000000000000000000e167500530079007300740065006d0033003200000018000000	FateInjector.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2551177587-3778486488-1329702901-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\9\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0"	FateInjector.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2551177587-3778486488-1329702901-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupByKey:FMTID = "{B725F130-47EF-101A-A5F1-02608C9EEBAC}"	FateInjector.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2551177587-3778486488-1329702901-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\NavBar = 000000000000000000000000000000008b000000870000003153505305d5cdd59c2e1b10939708002b2cf9ae6b0000005a000000007b00360044003800420042003300440033002d0039004400380037002d0034004100390031002d0041004200350036002d003400460033003000430046004600450046004500390046007d005f0057006900640074006800000013000000cc0000000000000000000000	Explorer.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2551177587-3778486488-1329702901-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 020202	FateInjector.exe
Key created	\REGISTRY\USER\S-1-5-21-2551177587-3778486488-1329702901-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4	FateInjector.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2551177587-3778486488-1329702901-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "6"	FateInjector.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2551177587-3778486488-1329702901-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\2\NodeSlot = "6"	FateInjector.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2551177587-3778486488-1329702901-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\9\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	FateInjector.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2551177587-3778486488-1329702901-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0e000000ffffffff	FateInjector.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2551177587-3778486488-1329702901-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1 = 14002e80922b16d365937a46956b92703aca08af0000	FateInjector.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2551177587-3778486488-1329702901-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\IconSize = "16"	FateInjector.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2551177587-3778486488-1329702901-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\8\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0"	FateInjector.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2551177587-3778486488-1329702901-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\2\1\MRUListEx = 00000000ffffffff	FateInjector.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2551177587-3778486488-1329702901-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\9\Shell\SniffedFolderType = "Generic"	FateInjector.exe
Key created	\REGISTRY\USER\S-1-5-21-2551177587-3778486488-1329702901-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\9\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}	FateInjector.exe
Key created	\REGISTRY\USER\S-1-5-21-2551177587-3778486488-1329702901-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-2551177587-3778486488-1329702901-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2	FateInjector.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2551177587-3778486488-1329702901-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\LogicalViewMode = "1"	FateInjector.exe
Key created	\REGISTRY\USER\S-1-5-21-2551177587-3778486488-1329702901-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5	FateInjector.exe
Key created	\REGISTRY\USER\S-1-5-21-2551177587-3778486488-1329702901-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg	FateInjector.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2551177587-3778486488-1329702901-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1"	FateInjector.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2551177587-3778486488-1329702901-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\9\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1"	FateInjector.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2551177587-3778486488-1329702901-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\MRUListEx = ffffffff	FateInjector.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2551177587-3778486488-1329702901-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\IconSize = "16"	FateInjector.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2551177587-3778486488-1329702901-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\MRUListEx = 00000000ffffffff	FateInjector.exe
Key created	\REGISTRY\USER\S-1-5-21-2551177587-3778486488-1329702901-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg	FateInjector.exe

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\FateInjector.exe:Zone.Identifier	chrome.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
5000	chrome.exe
5000	chrome.exe
2848	FateInjector.exe
2848	FateInjector.exe
2848	FateInjector.exe
2848	FateInjector.exe
2848	FateInjector.exe
2848	FateInjector.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
2848	FateInjector.exe
3384	Explorer.EXE

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

pid	Process
5000	chrome.exe
5000	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	5000	chrome.exe
Token: SeCreatePagefilePrivilege	5000	chrome.exe
Token: SeShutdownPrivilege	5000	chrome.exe
Token: SeCreatePagefilePrivilege	5000	chrome.exe
Token: SeShutdownPrivilege	5000	chrome.exe
Token: SeCreatePagefilePrivilege	5000	chrome.exe
Token: SeShutdownPrivilege	5000	chrome.exe
Token: SeCreatePagefilePrivilege	5000	chrome.exe
Token: SeShutdownPrivilege	5000	chrome.exe
Token: SeCreatePagefilePrivilege	5000	chrome.exe
Token: SeShutdownPrivilege	5000	chrome.exe
Token: SeCreatePagefilePrivilege	5000	chrome.exe
Token: SeShutdownPrivilege	5000	chrome.exe
Token: SeCreatePagefilePrivilege	5000	chrome.exe
Token: SeShutdownPrivilege	5000	chrome.exe
Token: SeCreatePagefilePrivilege	5000	chrome.exe
Token: SeShutdownPrivilege	5000	chrome.exe
Token: SeCreatePagefilePrivilege	5000	chrome.exe
Token: SeShutdownPrivilege	5000	chrome.exe
Token: SeCreatePagefilePrivilege	5000	chrome.exe
Token: SeShutdownPrivilege	5000	chrome.exe
Token: SeCreatePagefilePrivilege	5000	chrome.exe
Token: SeShutdownPrivilege	5000	chrome.exe
Token: SeCreatePagefilePrivilege	5000	chrome.exe
Token: SeShutdownPrivilege	5000	chrome.exe
Token: SeCreatePagefilePrivilege	5000	chrome.exe
Token: SeShutdownPrivilege	5000	chrome.exe
Token: SeCreatePagefilePrivilege	5000	chrome.exe
Token: SeShutdownPrivilege	5000	chrome.exe
Token: SeCreatePagefilePrivilege	5000	chrome.exe
Token: SeShutdownPrivilege	5000	chrome.exe
Token: SeCreatePagefilePrivilege	5000	chrome.exe
Token: SeShutdownPrivilege	5000	chrome.exe
Token: SeCreatePagefilePrivilege	5000	chrome.exe
Token: SeShutdownPrivilege	5000	chrome.exe
Token: SeCreatePagefilePrivilege	5000	chrome.exe
Token: SeShutdownPrivilege	5000	chrome.exe
Token: SeCreatePagefilePrivilege	5000	chrome.exe
Token: SeShutdownPrivilege	5000	chrome.exe
Token: SeCreatePagefilePrivilege	5000	chrome.exe
Token: SeShutdownPrivilege	5000	chrome.exe
Token: SeCreatePagefilePrivilege	5000	chrome.exe
Token: SeShutdownPrivilege	5000	chrome.exe
Token: SeCreatePagefilePrivilege	5000	chrome.exe
Token: SeShutdownPrivilege	5000	chrome.exe
Token: SeCreatePagefilePrivilege	5000	chrome.exe
Token: SeShutdownPrivilege	5000	chrome.exe
Token: SeCreatePagefilePrivilege	5000	chrome.exe
Token: SeShutdownPrivilege	5000	chrome.exe
Token: SeCreatePagefilePrivilege	5000	chrome.exe
Token: SeShutdownPrivilege	5000	chrome.exe
Token: SeCreatePagefilePrivilege	5000	chrome.exe
Token: SeShutdownPrivilege	5000	chrome.exe
Token: SeCreatePagefilePrivilege	5000	chrome.exe
Token: SeShutdownPrivilege	5000	chrome.exe
Token: SeCreatePagefilePrivilege	5000	chrome.exe
Token: SeShutdownPrivilege	5000	chrome.exe
Token: SeCreatePagefilePrivilege	5000	chrome.exe
Token: SeShutdownPrivilege	5000	chrome.exe
Token: SeCreatePagefilePrivilege	5000	chrome.exe
Token: SeShutdownPrivilege	5000	chrome.exe
Token: SeCreatePagefilePrivilege	5000	chrome.exe
Token: SeShutdownPrivilege	5000	chrome.exe
Token: SeCreatePagefilePrivilege	5000	chrome.exe

Suspicious use of FindShellTrayWindow 35 IoCs

pid	Process
5000	chrome.exe
5000	chrome.exe
5000	chrome.exe
5000	chrome.exe
5000	chrome.exe
5000	chrome.exe
5000	chrome.exe
5000	chrome.exe
5000	chrome.exe
5000	chrome.exe
5000	chrome.exe
5000	chrome.exe
5000	chrome.exe
5000	chrome.exe
5000	chrome.exe
5000	chrome.exe
5000	chrome.exe
5000	chrome.exe
5000	chrome.exe
5000	chrome.exe
5000	chrome.exe
5000	chrome.exe
5000	chrome.exe
5000	chrome.exe
5000	chrome.exe
5000	chrome.exe
5000	chrome.exe
5000	chrome.exe
5000	chrome.exe
5000	chrome.exe
5000	chrome.exe
5000	chrome.exe
5000	chrome.exe
5000	chrome.exe
2848	FateInjector.exe

Suspicious use of SendNotifyMessage 13 IoCs

pid	Process
5000	chrome.exe
5000	chrome.exe
5000	chrome.exe
5000	chrome.exe
5000	chrome.exe
5000	chrome.exe
5000	chrome.exe
5000	chrome.exe
5000	chrome.exe
5000	chrome.exe
5000	chrome.exe
5000	chrome.exe
2848	FateInjector.exe

Suspicious use of SetWindowsHookEx 10 IoCs

pid	Process
2848	FateInjector.exe
2848	FateInjector.exe
2848	FateInjector.exe
2848	FateInjector.exe
2848	FateInjector.exe
2848	FateInjector.exe
2848	FateInjector.exe
2848	FateInjector.exe
2848	FateInjector.exe
3384	Explorer.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5000 wrote to memory of 2744	5000	chrome.exe	79
PID 5000 wrote to memory of 2744	5000	chrome.exe	79
PID 5000 wrote to memory of 2732	5000	chrome.exe	81
PID 5000 wrote to memory of 2732	5000	chrome.exe	81
PID 5000 wrote to memory of 2732	5000	chrome.exe	81
PID 5000 wrote to memory of 2732	5000	chrome.exe	81
PID 5000 wrote to memory of 2732	5000	chrome.exe	81
PID 5000 wrote to memory of 2732	5000	chrome.exe	81
PID 5000 wrote to memory of 2732	5000	chrome.exe	81
PID 5000 wrote to memory of 2732	5000	chrome.exe	81
PID 5000 wrote to memory of 2732	5000	chrome.exe	81
PID 5000 wrote to memory of 2732	5000	chrome.exe	81
PID 5000 wrote to memory of 2732	5000	chrome.exe	81
PID 5000 wrote to memory of 2732	5000	chrome.exe	81
PID 5000 wrote to memory of 2732	5000	chrome.exe	81
PID 5000 wrote to memory of 2732	5000	chrome.exe	81
PID 5000 wrote to memory of 2732	5000	chrome.exe	81
PID 5000 wrote to memory of 2732	5000	chrome.exe	81
PID 5000 wrote to memory of 2732	5000	chrome.exe	81
PID 5000 wrote to memory of 2732	5000	chrome.exe	81
PID 5000 wrote to memory of 2732	5000	chrome.exe	81
PID 5000 wrote to memory of 2732	5000	chrome.exe	81
PID 5000 wrote to memory of 2732	5000	chrome.exe	81
PID 5000 wrote to memory of 2732	5000	chrome.exe	81
PID 5000 wrote to memory of 2732	5000	chrome.exe	81
PID 5000 wrote to memory of 2732	5000	chrome.exe	81
PID 5000 wrote to memory of 2732	5000	chrome.exe	81
PID 5000 wrote to memory of 2732	5000	chrome.exe	81
PID 5000 wrote to memory of 2732	5000	chrome.exe	81
PID 5000 wrote to memory of 2732	5000	chrome.exe	81
PID 5000 wrote to memory of 2732	5000	chrome.exe	81
PID 5000 wrote to memory of 2732	5000	chrome.exe	81
PID 5000 wrote to memory of 2732	5000	chrome.exe	81
PID 5000 wrote to memory of 700	5000	chrome.exe	82
PID 5000 wrote to memory of 700	5000	chrome.exe	82
PID 5000 wrote to memory of 4616	5000	chrome.exe	83
PID 5000 wrote to memory of 4616	5000	chrome.exe	83
PID 5000 wrote to memory of 4616	5000	chrome.exe	83
PID 5000 wrote to memory of 4616	5000	chrome.exe	83
PID 5000 wrote to memory of 4616	5000	chrome.exe	83
PID 5000 wrote to memory of 4616	5000	chrome.exe	83
PID 5000 wrote to memory of 4616	5000	chrome.exe	83
PID 5000 wrote to memory of 4616	5000	chrome.exe	83
PID 5000 wrote to memory of 4616	5000	chrome.exe	83
PID 5000 wrote to memory of 4616	5000	chrome.exe	83
PID 5000 wrote to memory of 4616	5000	chrome.exe	83
PID 5000 wrote to memory of 4616	5000	chrome.exe	83
PID 5000 wrote to memory of 4616	5000	chrome.exe	83
PID 5000 wrote to memory of 4616	5000	chrome.exe	83
PID 5000 wrote to memory of 4616	5000	chrome.exe	83
PID 5000 wrote to memory of 4616	5000	chrome.exe	83
PID 5000 wrote to memory of 4616	5000	chrome.exe	83
PID 5000 wrote to memory of 4616	5000	chrome.exe	83
PID 5000 wrote to memory of 4616	5000	chrome.exe	83
PID 5000 wrote to memory of 4616	5000	chrome.exe	83
PID 5000 wrote to memory of 4616	5000	chrome.exe	83
PID 5000 wrote to memory of 4616	5000	chrome.exe	83
PID 5000 wrote to memory of 4616	5000	chrome.exe	83
PID 5000 wrote to memory of 4616	5000	chrome.exe	83
PID 5000 wrote to memory of 4616	5000	chrome.exe	83
PID 5000 wrote to memory of 4616	5000	chrome.exe	83
PID 5000 wrote to memory of 4616	5000	chrome.exe	83
PID 5000 wrote to memory of 4616	5000	chrome.exe	83
PID 5000 wrote to memory of 4616	5000	chrome.exe	83

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:3384
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://github.com/fligger/FateInjector/releases/download/1.0/FateInjector.exe
  2⤵
  - Enumerates system info in registry
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:5000
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7fff1f9dab58,0x7fff1f9dab68,0x7fff1f9dab78
    3⤵
    PID:2744
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1576 --field-trial-handle=1760,i,17252707992740139930,8706175141522479015,131072 /prefetch:2
    3⤵
    PID:2732
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2112 --field-trial-handle=1760,i,17252707992740139930,8706175141522479015,131072 /prefetch:8
    3⤵
    PID:700
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2192 --field-trial-handle=1760,i,17252707992740139930,8706175141522479015,131072 /prefetch:8
    3⤵
    PID:4616
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2936 --field-trial-handle=1760,i,17252707992740139930,8706175141522479015,131072 /prefetch:1
    3⤵
    PID:4600
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2944 --field-trial-handle=1760,i,17252707992740139930,8706175141522479015,131072 /prefetch:1
    3⤵
    PID:2052
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4388 --field-trial-handle=1760,i,17252707992740139930,8706175141522479015,131072 /prefetch:8
    3⤵
    PID:2792
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4784 --field-trial-handle=1760,i,17252707992740139930,8706175141522479015,131072 /prefetch:8
    3⤵
    PID:4404
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4816 --field-trial-handle=1760,i,17252707992740139930,8706175141522479015,131072 /prefetch:8
    3⤵
    PID:1640
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5148 --field-trial-handle=1760,i,17252707992740139930,8706175141522479015,131072 /prefetch:8
    3⤵
    PID:1788
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4160 --field-trial-handle=1760,i,17252707992740139930,8706175141522479015,131072 /prefetch:8
    3⤵
    - NTFS ADS
    PID:412
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5116 --field-trial-handle=1760,i,17252707992740139930,8706175141522479015,131072 /prefetch:8
    3⤵
    PID:2024
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4828 --field-trial-handle=1760,i,17252707992740139930,8706175141522479015,131072 /prefetch:8
    3⤵
    PID:3260
- C:\Users\Admin\Downloads\FateInjector.exe
  "C:\Users\Admin\Downloads\FateInjector.exe"
  2⤵
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  PID:2848

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
PID:3348

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2348

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe" -ServerName:MiniSearchUI.AppXj3y73at8fy1htwztzxs68sxx1v7cksp7.mca
1⤵
PID:2060

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
2c87c486d4681f221c4141e7da23b826

SHA1
9ad790a6f89cea4af9f480f00351dda45fa2e441

SHA256
a060e5317b876cb1de5a6df85a2793fcbacf827eb03fc28383c260e566316613

SHA512
914c25a457cc43ed58fab2fa8d9d5eb28feede235d5fcd3d7d8b25b5562cfe0c9b9374e26261b755438ce221e3721e87f39e32aaead08efbd89fad8c8afb9396

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
80218fe95f4f88e58f722dc56e7959d8

SHA1
d7830d4a6073baada76996fccce46ca52682ff25

SHA256
cb3878112ced4cb6c6fd7cd3881d614b13946faae06c7949fb6a0cb95540b62f

SHA512
a550b5e83b000b9410ba60a5db02da7305d3e1644371d652d198da6fe667ab416fe2d61dc3f28f6f1315974398644965265bce4002264b386266fe86801b7c89

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
523B

MD5
63f1da68eff7a09acd1f40bb6996ad46

SHA1
1f666cb354f50f85480d731b1b9485efdfdda969

SHA256
8af6b4282fdaea46695e05ba81f86b7e56de8a69b45134be967010438f7e47bf

SHA512
4e0aa1c1a2b39b0a82fb4fbd13b2c7d4474fcc4acd8d8fb69bb1996776b05762ee1d4022a4b140655d1c8cdbe086af2033e0b080eb547abfc8ba4e9213185546

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
0fdb3c2146f5a1378dd2d474377c8638

SHA1
95441aeb7b8711a778e3376e8cec7a7f6cdfe950

SHA256
390e36e5e16981a7f6c0356b06540dc79f1e128cecdd9a6b5336eb0ead2f3ce2

SHA512
3801481450f5379389bd61342725fac0a8c9cebe830c3eb8fc602b15e4797747a59e95e35744e0e3b7e2124e3ced344f207a355a8b535b17c34920bb4997193c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
130KB

MD5
76a53c24ebbe12fc0e0f4e44f2a21a66

SHA1
4e30a31a4438137389101c1edcf48cf5c1b310a3

SHA256
9ea5dc3cf2fd121c3b1134ac761c2aaf25f68454fb752dfc946d0fd5d1ce6186

SHA512
7b3919f0c4ad5b1f32c77bd59e5ffa355e18a726b348b0e085722bbbb7bd99e0d82a7df05aba81dd31289267e049ad30d0d9fc91ed0d4f3841a36bd5f304977a

Download Submit
C:\Users\Admin\Downloads\FateInjector.exe:Zone.Identifier

Filesize
26B

MD5
fbccf14d504b7b2dbcb5a5bda75bd93b

SHA1
d59fc84cdd5217c6cf74785703655f78da6b582b

SHA256
eacd09517ce90d34ba562171d15ac40d302f0e691b439f91be1b6406e25f5913

SHA512
aa1d2b1ea3c9de3ccadb319d4e3e3276a2f27dd1a5244fe72de2b6f94083dddc762480482c5c2e53f803cd9e3973ddefc68966f974e124307b5043e654443b98

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 80235.crdownload

Filesize
3.7MB

MD5
9e6de7c7ebd1a00c2f7ddec78ba9403a

SHA1
65a9e65bf9b2b683ed93ac9848df8b5c9f3d4297

SHA256
77a84c4ed29551d8968a9bc5de796d6f8463fa54df8554b3cff91ca83d8ff70d

SHA512
f2dac6efaf4fa6c32b14a45bfa60813b67eb3a46e9a7342d13c1ba3bea3e0a188a5703d34c5fc65d20baae751c334474a9b51d7862d4c74fb60007dd8ce4adc9

Download Submit