fatalrat | 4bf33d5531fe319bed3d1550608ded652ef6b52437b6cc94d47a0d388f5bb03b

Analysis

max time kernel
150s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
18-07-2024 16:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4bf33d5531fe319bed3d1550608ded652ef6b52437b6cc94d47a0d388f5bb03b.msi
Size

9.5MB
MD5

8b1b9af08bc62e4608d21b5568c0a581
SHA1

acc808accbb6897da328a1def679b42e198bf9e0
SHA256

4bf33d5531fe319bed3d1550608ded652ef6b52437b6cc94d47a0d388f5bb03b
SHA512

9c03511ccc5c4f1ee386a61e91f9afadc7310d1798a2ba7d233a308fa73dfa260a868c4e30efd92b3259406f645fc50e0449b89aeab8827d32c4c725dd2f971f
SSDEEP

196608:nWxLkNZONFiVDfWpugrukEa3bwQLWnhLQusRQR7p+2+E:nELkNZONFMUFruxoNazsRO7pJt

Score

10^/10

fatalrat bootkit infostealer persistence privilege_escalation rat upx

Malware Config

Signatures

FatalRat
FatalRat is a modular infostealer family written in C++ first appearing in June 2021.
infostealer rat fatalrat

Fatal Rat payload 2 IoCs

rat infostealer

resource	yara_rule
behavioral2/memory/2864-266-0x00000000031D0000-0x00000000031FA000-memory.dmp	fatalrat
behavioral2/memory/3348-299-0x00000000028F0000-0x000000000291A000-memory.dmp	fatalrat

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x0007000000023484-224.dat	upx
behavioral2/memory/2228-227-0x0000000000C90000-0x0000000001233000-memory.dmp	upx
behavioral2/memory/2228-314-0x0000000000C90000-0x0000000001233000-memory.dmp	upx
behavioral2/memory/2228-321-0x0000000000C90000-0x0000000001233000-memory.dmp	upx
behavioral2/memory/2228-322-0x0000000000C90000-0x0000000001233000-memory.dmp	upx
behavioral2/memory/2228-326-0x0000000000C90000-0x0000000001233000-memory.dmp	upx
behavioral2/memory/2228-335-0x0000000000C90000-0x0000000001233000-memory.dmp	upx

Blocklisted process makes network request 4 IoCs

flow	pid	Process
5	1428	msiexec.exe
7	1428	msiexec.exe
10	1428	msiexec.exe
44	856	MsiExec.exe

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	WPS.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\Control Panel\International\Geo\Nation	thelper.exe

Drops file in Windows directory 23 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Installer\MSIAEED.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIB087.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIB427.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIB26F.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIB438.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIB504.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIB1A3.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIB2AE.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File created	C:\Windows\Installer\e57ae41.msi	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIB028.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIB067.tmp	msiexec.exe
File created	C:\Windows\Installer\SourceHash{0643F5DB-9DB9-46E7-9FAB-792BF97FAEF8}	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIB64E.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIB650.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIB592.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIB64F.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\e57ae41.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIB007.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIB163.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIB37A.tmp	msiexec.exe

Executes dropped EXE 5 IoCs

pid	Process
3740	MSIB64E.tmp
4108	MSIB64F.tmp
2228	WPS.exe
2864	thelper.exe
3348	thelper.exe

Loads dropped DLL 42 IoCs

pid	Process
856	MsiExec.exe
856	MsiExec.exe
856	MsiExec.exe
856	MsiExec.exe
856	MsiExec.exe
856	MsiExec.exe
856	MsiExec.exe
856	MsiExec.exe
856	MsiExec.exe
856	MsiExec.exe
856	MsiExec.exe
4744	MsiExec.exe
4744	MsiExec.exe
856	MsiExec.exe
2864	thelper.exe
2864	thelper.exe
2864	thelper.exe
2864	thelper.exe
2864	thelper.exe
2864	thelper.exe
2864	thelper.exe
2864	thelper.exe
2864	thelper.exe
2864	thelper.exe
2864	thelper.exe
2864	thelper.exe
2864	thelper.exe
2864	thelper.exe
2864	thelper.exe
3348	thelper.exe
3348	thelper.exe
3348	thelper.exe
3348	thelper.exe
3348	thelper.exe
3348	thelper.exe
3348	thelper.exe
3348	thelper.exe
3348	thelper.exe
3348	thelper.exe
3348	thelper.exe
3348	thelper.exe
3348	thelper.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Installer Packages 1 TTPs 1 IoCs

persistence privilege_escalation

Installer Packages

T1546.016

pid	Process
1428	msiexec.exe

Checks SCSI registry key(s) 3 TTPs 5 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 00000000040000002ca5e1034ed00b6a0000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff0000000027010100000800002ca5e1030000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3a000000ffffffff0000000007000100006809002ca5e103000000000000d012000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f0ff3a0000000000000005000000ffffffff000000000700010000f87f1d2ca5e103000000000000f0ff3a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff0000000000000000000000002ca5e10300000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	thelper.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	thelper.exe

Modifies data under HKEY_USERS 3 IoCs

description	ioc	Process
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\26\52C64B7E	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27	msiexec.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
856	MsiExec.exe
856	MsiExec.exe
4452	msiexec.exe
4452	msiexec.exe
2228	WPS.exe
2228	WPS.exe
3348	thelper.exe
3348	thelper.exe
3348	thelper.exe
3348	thelper.exe
3348	thelper.exe
3348	thelper.exe
3348	thelper.exe
3348	thelper.exe
3348	thelper.exe
3348	thelper.exe
3348	thelper.exe
3348	thelper.exe
3348	thelper.exe
3348	thelper.exe
3348	thelper.exe
3348	thelper.exe
3348	thelper.exe
3348	thelper.exe
3348	thelper.exe
3348	thelper.exe
3348	thelper.exe
3348	thelper.exe
3348	thelper.exe
3348	thelper.exe
3348	thelper.exe
3348	thelper.exe
3348	thelper.exe
3348	thelper.exe
3348	thelper.exe
3348	thelper.exe
3348	thelper.exe
3348	thelper.exe
3348	thelper.exe
3348	thelper.exe
3348	thelper.exe
3348	thelper.exe
3348	thelper.exe
3348	thelper.exe
3348	thelper.exe
3348	thelper.exe
3348	thelper.exe
3348	thelper.exe
3348	thelper.exe
3348	thelper.exe
3348	thelper.exe
3348	thelper.exe
3348	thelper.exe
3348	thelper.exe
3348	thelper.exe
3348	thelper.exe
3348	thelper.exe
3348	thelper.exe
3348	thelper.exe
3348	thelper.exe
3348	thelper.exe
3348	thelper.exe
3348	thelper.exe
3348	thelper.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1428	msiexec.exe
Token: SeIncreaseQuotaPrivilege	1428	msiexec.exe
Token: SeSecurityPrivilege	4452	msiexec.exe
Token: SeCreateTokenPrivilege	1428	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	1428	msiexec.exe
Token: SeLockMemoryPrivilege	1428	msiexec.exe
Token: SeIncreaseQuotaPrivilege	1428	msiexec.exe
Token: SeMachineAccountPrivilege	1428	msiexec.exe
Token: SeTcbPrivilege	1428	msiexec.exe
Token: SeSecurityPrivilege	1428	msiexec.exe
Token: SeTakeOwnershipPrivilege	1428	msiexec.exe
Token: SeLoadDriverPrivilege	1428	msiexec.exe
Token: SeSystemProfilePrivilege	1428	msiexec.exe
Token: SeSystemtimePrivilege	1428	msiexec.exe
Token: SeProfSingleProcessPrivilege	1428	msiexec.exe
Token: SeIncBasePriorityPrivilege	1428	msiexec.exe
Token: SeCreatePagefilePrivilege	1428	msiexec.exe
Token: SeCreatePermanentPrivilege	1428	msiexec.exe
Token: SeBackupPrivilege	1428	msiexec.exe
Token: SeRestorePrivilege	1428	msiexec.exe
Token: SeShutdownPrivilege	1428	msiexec.exe
Token: SeDebugPrivilege	1428	msiexec.exe
Token: SeAuditPrivilege	1428	msiexec.exe
Token: SeSystemEnvironmentPrivilege	1428	msiexec.exe
Token: SeChangeNotifyPrivilege	1428	msiexec.exe
Token: SeRemoteShutdownPrivilege	1428	msiexec.exe
Token: SeUndockPrivilege	1428	msiexec.exe
Token: SeSyncAgentPrivilege	1428	msiexec.exe
Token: SeEnableDelegationPrivilege	1428	msiexec.exe
Token: SeManageVolumePrivilege	1428	msiexec.exe
Token: SeImpersonatePrivilege	1428	msiexec.exe
Token: SeCreateGlobalPrivilege	1428	msiexec.exe
Token: SeBackupPrivilege	4304	vssvc.exe
Token: SeRestorePrivilege	4304	vssvc.exe
Token: SeAuditPrivilege	4304	vssvc.exe
Token: SeBackupPrivilege	4452	msiexec.exe
Token: SeRestorePrivilege	4452	msiexec.exe
Token: SeRestorePrivilege	4452	msiexec.exe
Token: SeTakeOwnershipPrivilege	4452	msiexec.exe
Token: SeRestorePrivilege	4452	msiexec.exe
Token: SeTakeOwnershipPrivilege	4452	msiexec.exe
Token: SeRestorePrivilege	4452	msiexec.exe
Token: SeTakeOwnershipPrivilege	4452	msiexec.exe
Token: SeRestorePrivilege	4452	msiexec.exe
Token: SeTakeOwnershipPrivilege	4452	msiexec.exe
Token: SeRestorePrivilege	4452	msiexec.exe
Token: SeTakeOwnershipPrivilege	4452	msiexec.exe
Token: SeRestorePrivilege	4452	msiexec.exe
Token: SeTakeOwnershipPrivilege	4452	msiexec.exe
Token: SeRestorePrivilege	4452	msiexec.exe
Token: SeTakeOwnershipPrivilege	4452	msiexec.exe
Token: SeRestorePrivilege	4452	msiexec.exe
Token: SeTakeOwnershipPrivilege	4452	msiexec.exe
Token: SeRestorePrivilege	4452	msiexec.exe
Token: SeTakeOwnershipPrivilege	4452	msiexec.exe
Token: SeRestorePrivilege	4452	msiexec.exe
Token: SeTakeOwnershipPrivilege	4452	msiexec.exe
Token: SeRestorePrivilege	4452	msiexec.exe
Token: SeTakeOwnershipPrivilege	4452	msiexec.exe
Token: SeRestorePrivilege	4452	msiexec.exe
Token: SeTakeOwnershipPrivilege	4452	msiexec.exe
Token: SeRestorePrivilege	4452	msiexec.exe
Token: SeTakeOwnershipPrivilege	4452	msiexec.exe
Token: SeRestorePrivilege	4452	msiexec.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
1428	msiexec.exe
1428	msiexec.exe

Suspicious use of WriteProcessMemory 17 IoCs

description	pid	Process	procid_target
PID 4452 wrote to memory of 380	4452	msiexec.exe	98
PID 4452 wrote to memory of 380	4452	msiexec.exe	98
PID 4452 wrote to memory of 856	4452	msiexec.exe	100
PID 4452 wrote to memory of 856	4452	msiexec.exe	100
PID 4452 wrote to memory of 856	4452	msiexec.exe	100
PID 4452 wrote to memory of 4744	4452	msiexec.exe	102
PID 4452 wrote to memory of 4744	4452	msiexec.exe	102
PID 4452 wrote to memory of 4744	4452	msiexec.exe	102
PID 4452 wrote to memory of 3740	4452	msiexec.exe	103
PID 4452 wrote to memory of 3740	4452	msiexec.exe	103
PID 4452 wrote to memory of 3740	4452	msiexec.exe	103
PID 4452 wrote to memory of 4108	4452	msiexec.exe	104
PID 4452 wrote to memory of 4108	4452	msiexec.exe	104
PID 4452 wrote to memory of 4108	4452	msiexec.exe	104
PID 2864 wrote to memory of 3348	2864	thelper.exe	107
PID 2864 wrote to memory of 3348	2864	thelper.exe	107
PID 2864 wrote to memory of 3348	2864	thelper.exe	107

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\4bf33d5531fe319bed3d1550608ded652ef6b52437b6cc94d47a0d388f5bb03b.msi
1⤵
- Blocklisted process makes network request
- Enumerates connected drives
- Event Triggered Execution: Installer Packages
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:1428

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4452
- C:\Windows\system32\srtasks.exe
  C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
  2⤵
  PID:380
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 23F637CFF1F64682365CF94C14A253D9
  2⤵
  - Blocklisted process makes network request
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  PID:856
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 9E5982F9EFF83D3535E917505FEC63E1 E Global\MSI0000
  2⤵
  - Loads dropped DLL
  PID:4744
- C:\Windows\Installer\MSIB64E.tmp
  "C:\Windows\Installer\MSIB64E.tmp" /DontWait "C:\Users\Admin\AppData\Roaming\WPS.exe"
  2⤵
  - Executes dropped EXE
  PID:3740
- C:\Windows\Installer\MSIB64F.tmp
  "C:\Windows\Installer\MSIB64F.tmp" /DontWait "C:\ProgramData\Microsoft\MF\thelper.exe"
  2⤵
  - Executes dropped EXE
  PID:4108

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
PID:4304

C:\ProgramData\Microsoft\MF\thelper.exe
"C:\ProgramData\Microsoft\MF\thelper.exe"
1⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2864
- C:\Users\Admin\AppData\Local\thelper.exe
  "C:\Users\Admin\AppData\Local\thelper.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  PID:3348

C:\Users\Admin\AppData\Roaming\WPS.exe
"C:\Users\Admin\AppData\Roaming\WPS.exe"
1⤵
- Writes to the Master Boot Record (MBR)
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:2228

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Event Triggered Execution

T1546

Installer Packages

T1546.016

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Event Triggered Execution

T1546

Installer Packages

T1546.016

Defense Evasion

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\e57ae44.rbs

Filesize
377KB

MD5
b4945a5bac72b1288f75d953d92a3a92

SHA1
7c9d2a7f755b57be4c9f5d5dfae3e26c3a4aee80

SHA256
106dfa5ec6b58862d768ccbf466f4eda2a4d089f414e5f19a3fbf95f322e3d25

SHA512
cd7e8ad5a1a3291f8e12ad98ed11d65bb76eef4785debd8db85072443d7cd8f9132e2a0825ace689e624ae939390849e3e65d199b5b01bdaecd636c673a58cc9

Download Submit
C:\ProgramData\Microsoft\MF\Mi.jpg

Filesize
199KB

MD5
75cbb4f1e63e245bd3462cab5cb5be2c

SHA1
2961f8579ed879cdc1bd50dde56c6441965818ed

SHA256
dec9df011a3ee5fb9a9544bda976eec41667f344bc0b3166392f4cfffaf3f7c6

SHA512
f7620741cf450da09981f8fc8449d79981490696b84b65f35354f5be7d0d3a6ed6ce8a08334e50f5b9d81ddaaebe30b4fdb6da6fd8015b0270477d761e2ee642

Download Submit
C:\ProgramData\Microsoft\MF\XLFSIO.dll

Filesize
900KB

MD5
a06090c5f2d3df2cedc51cc99e19e821

SHA1
701ac97c2fd140464b234f666a0453d058c9fabf

SHA256
64ffdffb82fc649e6847b3c4f8678d9cca0d5117fa54c9abbb746625d3feef89

SHA512
541804db74a25fc5f50801f23b4d9f2be788d3c95d3d23dd8098f4c8888d1fc808e6eb6959c458965c639ea28b594a87dff7f3a89c4750c109b29b573c4535cf

Download Submit
C:\ProgramData\Microsoft\MF\XLFSIO2.dll

Filesize
209KB

MD5
1bc7af7a8512cf79d4f0efc5cb138ce3

SHA1
68fd202d9380cacd2f8e0ce06d8df1c03c791c5b

SHA256
ef474b18f89310c067a859d55abd4e4f42fdac732e49eafe4246545e36872a62

SHA512
84de4d193d22a305be2ba28fc67bd1cccf83616cead721e57347f1b2e0736d351fef1abf168f7914caa1bcc7a72db43769991016673cd4646def544802ee8960

Download Submit
C:\ProgramData\Microsoft\MF\XLGraphic.dll

Filesize
730KB

MD5
74c75ae5b97ad708dbe6f69d3a602430

SHA1
a02764d99b44ce4b1d199ef0f8ce73431d094a6a

SHA256
89fbb6b1ca9168a452e803dbdc6343db7c661ad70860a245d76b3b08830156e2

SHA512
52c5f7e00dffb1c0719d18184da2cc8ec2ad178b222775f167b87320f0683a3c2846e30190bc506f12d14c07fa45896935b3d4ac396baa14d7564996e35c2ada

Download Submit
C:\ProgramData\Microsoft\MF\XLLuaRuntime.dll

Filesize
249KB

MD5
5362cb2efe55c6d6e9b51849ec0706b2

SHA1
d91acbe95dedc3bcac7ec0051c04ddddd5652778

SHA256
1d7519acca9c8a013c31af2064fbc599a0b14cfd1dfb793a345fab14045fed40

SHA512
dbd591c3d0b9847d9cef59277c03ec89e246db0e54b58fbbe9d492b75cdcb32d75444012cdfb1c77376d15db7fde1f74e694d2487c481ce29a2133342b91e1f5

Download Submit
C:\ProgramData\Microsoft\MF\XLUE.dll

Filesize
2.4MB

MD5
0abbe96e1f7a254e23a80f06a1018c69

SHA1
0b83322fd5e18c9da8c013a0ed952cffa34381ae

SHA256
10f099f68741c179d5ad60b226d15233bb02d73f84ce51a5bbbbc4eb6a08e9d4

SHA512
2924e1e11e11bd655f27eb0243f87002a50a2d4b80e0b0e3ad6fd4c3d75c44222fab426fcaa695881b0093babf544e8aeee50a065ea92274145b0f88b1db0c58

Download Submit
C:\ProgramData\Microsoft\MF\ic.dll

Filesize
1.6MB

MD5
bb1197bea58b158554fa3fa25866d1ea

SHA1
cae7f395ed42fa2dd3362f4c816fb678072feb49

SHA256
20a04729fdd8e02e2fb5be79af130c364d0f3ce85e49478a6819a0a2020ae844

SHA512
f80b7669da861400a5b5add8148b85cc62994819e3a3a2220475d7ec2fc31f70bc3c683d5a5d6043b319b428a0ac47b9b41201aee7aba5d5cc927a8556dd7b73

Download Submit
C:\ProgramData\Microsoft\MF\libexpat.dll

Filesize
668KB

MD5
5ff790879aab8078884eaac71affeb4a

SHA1
59352663fdcf24bb01c1f219410e49c15b51d5c5

SHA256
cceca70f34bbcec861a02c3700de79ea17d80c0a7b9f33d7edd1357a714e0f2f

SHA512
34fbaffc48912e3d3fa2d224e001121e8b36f5be7284a33eb31d306b9a5c00de6e23a9fdc1a17a61fb1371768f0b0e30b9c6e899a08c735fc70482d5aa8ea824

Download Submit
C:\ProgramData\Microsoft\MF\libpng13.dll

Filesize
157KB

MD5
bb1922dfbdd99e0b89bec66c30c31b73

SHA1
f7a561619c101ba9b335c0b3d318f965b8fc1dfb

SHA256
76457f38cbbdd3dce078a40d42d9ac0dc26ae1c4bb68ab9c880eb7ffb400fd99

SHA512
3054574dd645feb1468cee53db2fd456e4f923eaf5fd686557a01c72c0572b19d70f3885d47fe42e97cdf7ccc2c674a6e966ff19668907cf7828e0a943cf474a

Download Submit
C:\ProgramData\Microsoft\MF\mt.dll

Filesize
1.5MB

MD5
9ded3fdffb0ff7f62e6a0a7f996c0caf

SHA1
fcc959b28a32923ccdb1ca4e304c74a31dede929

SHA256
87aab1db611adb132f503c08c32dc4efc23c9216d97e918f7279f86920701c93

SHA512
a7e7cb96a78827b01e71c595ca0d106eaf7afe35d4a548e5beccf0b009cc02d33274822958dca4998a427d8b4027eaefe99b40b3648e24730c81df34eab32ba0

Download Submit
C:\ProgramData\Microsoft\MF\thelper.exe

Filesize
226KB

MD5
17749f66292f190ef93652eb512c5ab7

SHA1
e2f651aa9d37404063ffc79e920787c9d3e71fdb

SHA256
0aa17ee66b8dae520e82a94388b1a1d603ec2aed20c464d6cac9a521d4167f24

SHA512
2ef192a191dc40a16c9b8768e749175c1a57319ab896809691effcc5de61c4a38fd8a8388b8907a1985e505907a8529f4d10990e362831092c75dafb8900b13e

Download Submit
C:\ProgramData\Microsoft\MF\zlib1.dll

Filesize
62KB

MD5
37163aacc5534fbab012fb505be8d647

SHA1
73de6343e52180a24c74f4629e38a62ed8ad5f81

SHA256
0a6357a8852daaafe7aed300e2f7e69d993cac4156e882baa8a3a56b583255ba

SHA512
c3bed1c9bc58652ed16b162ed16a93cf7479a0492db7e6ea577001dbe859affc0b20387d93d23e06e73f49f395e4c9a5a07680f000ebb82d32269742c16a5242

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\357F04AD41BCF5FE18FCB69F60C6680F_36810BBF1FC90A1703AE6CC64773484E

Filesize
1KB

MD5
db21f0649ce2db08b10c59c381ff65e2

SHA1
c10af0e267798f1cd4ba86675ba9b300fdebd51f

SHA256
1c81cf986626053ddf6d30a9d82b33974d14d3481e9df141d2e221b28295eb43

SHA512
9572fa1258cdd0533177105cc7c4d26292860a4b1cf7af3cc485cb882273fa3e1994896fcb8b9e89f268e9b3c5b5aefa9577fc53fb8233e5e0809dce38ec1cc4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\9CB4373A4252DE8D2212929836304EC5_1AB74AA2E3A56E1B8AD8D3FEC287554E

Filesize
1KB

MD5
1df79bee620ddab3e316a058b1844d8f

SHA1
06e79cae304059b0f6f8c86cd9b5b94b2148c397

SHA256
2f0083d6c8a406f9bca3be8f34996cd700daa2e690f2a810f0c52956d683125d

SHA512
9775cb1391f880f9d742a2dff771cd0041e43a3c7568689e840c78b6e1609587c2149425831ae8550552efa8829417dd17adf1f253a7e3a3dfd19e85812d5587

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\357F04AD41BCF5FE18FCB69F60C6680F_36810BBF1FC90A1703AE6CC64773484E

Filesize
536B

MD5
2649895e17bc8606d6fef155a82f10c5

SHA1
cd5a225eb32f3a3e9ccc127bd2eb18fa57e12baa

SHA256
a082afd25a4841e385baa99b6eb8d9a1b78d5fb8e40aabac0cb456bed2454dfc

SHA512
85c1d7b583037d2dcc1eac38a780d4a5fd6f5f70cbc371e21b8d14abf529ad4b78baf7f1b2af6715868545f65ab9e490d475e37a39f8b234acb48d743dff141a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\9CB4373A4252DE8D2212929836304EC5_1AB74AA2E3A56E1B8AD8D3FEC287554E

Filesize
536B

MD5
6d0be619d6d863404e13a9278399c9db

SHA1
a756a510a4721ffdeb373a3ae7b8c31b508f63e9

SHA256
ac2454462dd1971b9c728b24e18b063d1c1b23e59ea23c57805ba5ec0a150cc9

SHA512
3fd5ee1194926d490f8e80202ac57964e23963727e06d25d47c21bf2ca89d316b38973152a3f995bcce9f4790d2c91a54ac69eedb1b99c5a4430414b07376887

Download Submit
C:\Users\Admin\AppData\Local\AdvinstAnalytics\6696c9562ff508bfba81ef0a\76.23.66\tracking.ini

Filesize
84B

MD5
ec5296369828d06a9ff75130557f0190

SHA1
bc04d1225728585f611517e02f10c287a6c36664

SHA256
9f7a18b3009dd90fc130da4ca7c1a431784f9f162846e257a6a49106eab1e803

SHA512
eb16463b9addd591ef8adb8804994788cd862f6b140587e19a26bc74be18e971b709d2658bf1eadc5eba9147aecd774a229366913db74fbf67c2a3effeb4f5f6

Download Submit
C:\Users\Admin\AppData\Local\AdvinstAnalytics\6696c9562ff508bfba81ef0a\76.23.66\tracking.ini

Filesize
84B

MD5
09c4344643ec7f84c771790830ca5c0f

SHA1
c48546ec8269194bf6cf4d0d4bed75954c6ca2b6

SHA256
c4422a9ef996165326cfc0745063efc0f3d7fd1f0566f4ebe5ce677a30c6bade

SHA512
ef2cd2bb9f55d4916e3d7b3db6d10b3654f2dc4df889ec016a898e58d19e1b67e60d8ef2531f40fb0a29a71f82e97d8b17e89e226008bd0f6d89acef6134724a

Download Submit
C:\Users\Admin\AppData\Local\AdvinstAnalytics\6696c9562ff508bfba81ef0a\76.23.66\{FD14CDA0-4E85-4BFF-85CC-D743036073EB}.session

Filesize
8KB

MD5
dcd8545c756e0b23c21e5622ebc95abb

SHA1
1686f9a2da7b557a1eb1d26b71033b91e257742c

SHA256
0a09332d8b7ab225ef57e4a7a884b7833f29b974de1db22d85ff94387dda48ad

SHA512
1a4cc7b63e09fce5b77ea689f5756b03e61cc198c0b0838f11f8bc4f2051b0195de53cc709d1b448927e2927b069bc8000b678ee600b213dee38b8bc0b0bf012

Download Submit
C:\Users\Admin\AppData\Roaming\WPS.exe

Filesize
2.9MB

MD5
b52ba2b99108c496389ae5bb81fa6537

SHA1
9073d8c4a1968be24357862015519f2afecd833a

SHA256
c6ac7d9add40b913112b265d4f366d9ef80bbd711049db085fc750fcad4e14d8

SHA512
6637506ee80d359e729e0011b97e8d827e14356393193247f502b7fcfbbca249dc045b8acfe4b31ce462468f421dc5d9a4e31183bedb66c45a9aa43c01f81397

Download Submit
C:\Windows\Installer\MSIAEED.tmp

Filesize
770KB

MD5
356fc2c181cc37e3f8ae4d6b855ebfcb

SHA1
2ead1e69f14099ae33a3216a9312c88007b73cd1

SHA256
c92b2d9623f19f8acfeac5fd894346515631ebb590e68f22c40a35fbacbef03c

SHA512
74ea73d3206ba1c6f1963caa4866589fe86636f68815c74733644ad6c4913de3f1399770f6095a48c9d94a7d934072d8d8b409a393de644265f6e456455dcebd

Download Submit
C:\Windows\Installer\MSIB007.tmp

Filesize
436KB

MD5
475d20c0ea477a35660e3f67ecf0a1df

SHA1
67340739f51e1134ae8f0ffc5ae9dd710e8e3a08

SHA256
426e6cf199a8268e8a7763ec3a4dd7add982b28c51d89ebea90ca792cbae14dd

SHA512
99525aaab2ab608134b5d66b5313e7fc3c2e2877395c5c171897d7a6c66efb26b606de1a4cb01118c2738ea4b6542e4eb4983e631231b3f340bf85e509a9589e

Download Submit
C:\Windows\Installer\MSIB087.tmp

Filesize
897KB

MD5
6189cdcb92ab9ddbffd95facd0b631fa

SHA1
b74c72cefcb5808e2c9ae4ba976fa916ba57190d

SHA256
519f7ac72beba9d5d7dcf71fcac15546f5cfd3bcfc37a5129e63b4e0be91a783

SHA512
ee9ce27628e7a07849cd9717609688ca4229d47579b69e3d3b5b2e7c2433369de9557ef6a13fa59964f57fb213cd8ca205b35f5791ea126bde5a4e00f6a11caf

Download Submit
C:\Windows\Installer\MSIB438.tmp

Filesize
187KB

MD5
f11e8ec00dfd2d1344d8a222e65fea09

SHA1
235ed90cc729c50eb6b8a36ebcd2cf044a2d8b20

SHA256
775037d6d7de214796f2f5850440257ae7f04952b73538da2b55db45f3b26e93

SHA512
6163dd8fd18b4520d7fda0986a80f2e424fe55f5d65d67f5a3519a366e53049f902a08164ea5669476100b71bb2f0c085327b7c362174cb7a051d268f10872d3

Download Submit
C:\Windows\Installer\MSIB64E.tmp

Filesize
389KB

MD5
b9545ed17695a32face8c3408a6a3553

SHA1
f6c31c9cd832ae2aebcd88e7b2fa6803ae93fc83

SHA256
1e0e63b446eecf6c9781c7d1cae1f46a3bb31654a70612f71f31538fb4f4729a

SHA512
f6d6dc40dcba5ff091452d7cc257427dcb7ce2a21816b4fec2ee249e63246b64667f5c4095220623533243103876433ef8c12c9b612c0e95fdfffe41d1504e04

Download Submit
memory/2228-227-0x0000000000C90000-0x0000000001233000-memory.dmp

Filesize
5.6MB

Download
memory/2228-314-0x0000000000C90000-0x0000000001233000-memory.dmp

Filesize
5.6MB

Download
memory/2228-335-0x0000000000C90000-0x0000000001233000-memory.dmp

Filesize
5.6MB

Download
memory/2228-326-0x0000000000C90000-0x0000000001233000-memory.dmp

Filesize
5.6MB

Download
memory/2228-322-0x0000000000C90000-0x0000000001233000-memory.dmp

Filesize
5.6MB

Download
memory/2228-321-0x0000000000C90000-0x0000000001233000-memory.dmp

Filesize
5.6MB

Download
memory/2864-287-0x0000000072750000-0x0000000072967000-memory.dmp

Filesize
2.1MB

Download
memory/2864-242-0x0000000001650000-0x0000000001758000-memory.dmp

Filesize
1.0MB

Download
memory/2864-286-0x0000000021C90000-0x0000000021D7F000-memory.dmp

Filesize
956KB

Download
memory/2864-255-0x0000000001300000-0x0000000001335000-memory.dmp

Filesize
212KB

Download
memory/2864-240-0x0000000021C90000-0x0000000021D7F000-memory.dmp

Filesize
956KB

Download
memory/2864-288-0x0000000072510000-0x0000000072744000-memory.dmp

Filesize
2.2MB

Download
memory/2864-266-0x00000000031D0000-0x00000000031FA000-memory.dmp

Filesize
168KB

Download
memory/2864-262-0x0000000003160000-0x0000000003191000-memory.dmp

Filesize
196KB

Download
memory/2864-245-0x0000000001290000-0x00000000012CF000-memory.dmp

Filesize
252KB

Download
memory/3348-306-0x00000000725A0000-0x00000000727D4000-memory.dmp

Filesize
2.2MB

Download
memory/3348-299-0x00000000028F0000-0x000000000291A000-memory.dmp

Filesize
168KB

Download
memory/3348-305-0x00000000727E0000-0x00000000729F7000-memory.dmp

Filesize
2.1MB

Download
memory/3348-289-0x0000000000E70000-0x0000000000F78000-memory.dmp

Filesize
1.0MB

Download
memory/3348-291-0x0000000000B80000-0x0000000000BBF000-memory.dmp

Filesize
252KB

Download
memory/3348-293-0x0000000000D00000-0x0000000000D35000-memory.dmp

Filesize
212KB

Download
memory/3348-323-0x0000000021C90000-0x0000000021D7F000-memory.dmp

Filesize
956KB

Download
memory/3348-324-0x00000000727E0000-0x00000000729F7000-memory.dmp

Filesize
2.1MB

Download
memory/3348-325-0x00000000725A0000-0x00000000727D4000-memory.dmp

Filesize
2.2MB

Download
memory/3348-295-0x00000000029F0000-0x0000000002A21000-memory.dmp

Filesize
196KB

Download
memory/3348-304-0x0000000021C90000-0x0000000021D7F000-memory.dmp

Filesize
956KB

Download