Analysis
-
max time kernel
139s -
max time network
155s -
platform
windows10-2004_x64 -
resource
win10v2004-20240709-en -
resource tags
arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system -
submitted
26-07-2024 15:32
Behavioral task
behavioral1
Sample
1484dbb7df09d9c16a2f90477c0d19636c1aa472bb15fc7bd5504fa2cf59d6ee.exe
Resource
win7-20240708-en
Behavioral task
behavioral2
Sample
1484dbb7df09d9c16a2f90477c0d19636c1aa472bb15fc7bd5504fa2cf59d6ee.exe
Resource
win10v2004-20240709-en
General
-
Target
1484dbb7df09d9c16a2f90477c0d19636c1aa472bb15fc7bd5504fa2cf59d6ee.exe
-
Size
7.6MB
-
MD5
22b431d06ffbd17f49894fb5a8d708e1
-
SHA1
0ffd16b2b439648da1cceca617e8d629c7905e8e
-
SHA256
1484dbb7df09d9c16a2f90477c0d19636c1aa472bb15fc7bd5504fa2cf59d6ee
-
SHA512
51c90a0bb6e269654cb7d95dd865b0fc196ce7b945d5e2cc5bea0c104863ce15e90d1e2969bf589ec7222a9111317cd1c8c4bff378b42fea62df270fde5de0fe
-
SSDEEP
196608:w5LIRiAsLXsRZj62vvoVLp7YuLNxr7mFCpp3FjbA9:cYsrsRZj62X4EE7pl9A9
Malware Config
Signatures
-
FatalRat
FatalRat is a modular infostealer family written in C++ first appearing in June 2021.
-
Fatal Rat payload 1 IoCs
Processes:
resource yara_rule behavioral2/memory/2112-40-0x0000000002DF0000-0x0000000002E1A000-memory.dmp fatalrat -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
1484dbb7df09d9c16a2f90477c0d19636c1aa472bb15fc7bd5504fa2cf59d6ee.exedescription ioc process Key value queried \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\Control Panel\International\Geo\Nation 1484dbb7df09d9c16a2f90477c0d19636c1aa472bb15fc7bd5504fa2cf59d6ee.exe -
Executes dropped EXE 1 IoCs
Processes:
update.exepid process 2112 update.exe -
Loads dropped DLL 4 IoCs
Processes:
update.exepid process 2112 update.exe 2112 update.exe 2112 update.exe 2112 update.exe -
Processes:
resource yara_rule behavioral2/memory/2372-1-0x0000000000B80000-0x0000000001A67000-memory.dmp vmprotect behavioral2/memory/2372-5-0x0000000000B80000-0x0000000001A67000-memory.dmp vmprotect behavioral2/memory/2372-33-0x0000000000B80000-0x0000000001A67000-memory.dmp vmprotect -
Drops file in Program Files directory 6 IoCs
Processes:
1484dbb7df09d9c16a2f90477c0d19636c1aa472bb15fc7bd5504fa2cf59d6ee.exedescription ioc process File created C:\Program Files (x86)\Fonsd\dmcef.dll 1484dbb7df09d9c16a2f90477c0d19636c1aa472bb15fc7bd5504fa2cf59d6ee.exe File created C:\Program Files (x86)\Fonsd\msvcp100.dll 1484dbb7df09d9c16a2f90477c0d19636c1aa472bb15fc7bd5504fa2cf59d6ee.exe File created C:\Program Files (x86)\Fonsd\msvcr100.dll 1484dbb7df09d9c16a2f90477c0d19636c1aa472bb15fc7bd5504fa2cf59d6ee.exe File created C:\Program Files (x86)\Fonsd\kdsd.dat 1484dbb7df09d9c16a2f90477c0d19636c1aa472bb15fc7bd5504fa2cf59d6ee.exe File created C:\Program Files (x86)\Fonsd\version.xml 1484dbb7df09d9c16a2f90477c0d19636c1aa472bb15fc7bd5504fa2cf59d6ee.exe File created C:\Program Files (x86)\Fonsd\update.exe 1484dbb7df09d9c16a2f90477c0d19636c1aa472bb15fc7bd5504fa2cf59d6ee.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 2 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
1484dbb7df09d9c16a2f90477c0d19636c1aa472bb15fc7bd5504fa2cf59d6ee.exeupdate.exedescription ioc process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1484dbb7df09d9c16a2f90477c0d19636c1aa472bb15fc7bd5504fa2cf59d6ee.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language update.exe -
Suspicious behavior: EnumeratesProcesses 4 IoCs
Processes:
1484dbb7df09d9c16a2f90477c0d19636c1aa472bb15fc7bd5504fa2cf59d6ee.exeupdate.exepid process 2372 1484dbb7df09d9c16a2f90477c0d19636c1aa472bb15fc7bd5504fa2cf59d6ee.exe 2372 1484dbb7df09d9c16a2f90477c0d19636c1aa472bb15fc7bd5504fa2cf59d6ee.exe 2112 update.exe 2112 update.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
update.exedescription pid process Token: SeDebugPrivilege 2112 update.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
Processes:
1484dbb7df09d9c16a2f90477c0d19636c1aa472bb15fc7bd5504fa2cf59d6ee.exepid process 2372 1484dbb7df09d9c16a2f90477c0d19636c1aa472bb15fc7bd5504fa2cf59d6ee.exe -
Suspicious use of WriteProcessMemory 3 IoCs
Processes:
1484dbb7df09d9c16a2f90477c0d19636c1aa472bb15fc7bd5504fa2cf59d6ee.exedescription pid process target process PID 2372 wrote to memory of 2112 2372 1484dbb7df09d9c16a2f90477c0d19636c1aa472bb15fc7bd5504fa2cf59d6ee.exe update.exe PID 2372 wrote to memory of 2112 2372 1484dbb7df09d9c16a2f90477c0d19636c1aa472bb15fc7bd5504fa2cf59d6ee.exe update.exe PID 2372 wrote to memory of 2112 2372 1484dbb7df09d9c16a2f90477c0d19636c1aa472bb15fc7bd5504fa2cf59d6ee.exe update.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\1484dbb7df09d9c16a2f90477c0d19636c1aa472bb15fc7bd5504fa2cf59d6ee.exe"C:\Users\Admin\AppData\Local\Temp\1484dbb7df09d9c16a2f90477c0d19636c1aa472bb15fc7bd5504fa2cf59d6ee.exe"1⤵
- Checks computer location settings
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2372 -
C:\Program Files (x86)\Fonsd\update.exe"C:\Program Files (x86)\Fonsd\update.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2112
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
756KB
MD5ef3e115c225588a680acf365158b2f4a
SHA1ecda6d3b4642d2451817833b39248778e9c2cbb0
SHA25625d1cc5be93c7a0b58855ad1f4c9df3cfb9ec87e5dc13db85b147b1951ac6fa8
SHA512d51f51336b7a34eb6c8f429597c3d685eb53853ee5e9d4857c40fc7be6956f1b8363d8d34bebad15ccceae45a6eb69f105f2df6a672f15fb0e6f8d0bb1afb91a
-
Filesize
112KB
MD54cc6c14965dc584f09024497e32bce07
SHA167143d3b0338b7bcb8c1cfcfc24a25859d67095a
SHA25608fdef9c3b54e2049ad80b838a4a4afef3a99c608e1305f358360ea1d0e37cb9
SHA512f26db500778869bbc04b7ae54a75a7250edcb2fd6c9ff9a692cc98030863ae0b87952320c7dcd6d64c35c6b46b6f7090aa493f656fb606ec53bf31d10d0841c4
-
Filesize
198KB
MD5549af62420bf054e967a2e1c5bb88769
SHA1043dc0cccd0337e83cc2aa45b572fd83584b6c82
SHA2560c2dcd599299c084fc53384d9eb9f50ac3d74a96029b50b4bf3ccd9aa209897d
SHA512547148f4c9c97acae26431af818e6ae94834ac85284b1fab8603ce654b2c889e9467addecb8b6db23fa36cf420bf6f5251bf3009a4926db3777dbe06cc715123
-
Filesize
412KB
MD5ed40615aa67499e2d2da8389ba9b331a
SHA109780d2c9d75878f7a9bb94599f3dc9386cf3789
SHA256cd28daeda3c8731030e2077e6eccbb609e2098919b05ff310bef8dce1dce2d8d
SHA51247d94c5f4829a0f901b57084c22b24adefb4aec2f7b8df9ea838e485dbc607aa837ed6d3c7186159499c44a3ff488fb04f770c624649a406854d82cd3baf72ee
-
Filesize
294KB
MD5bcf4278bf8b9a49fbab9b49d9d6e34cd
SHA14138c5b6159e280cb9df9007d63d859e4aae9bdd
SHA256bce88b8d91f9dad4d0492a5ba633cab7ffb32afdfe9a47e4e76898d8662835c8
SHA512aa23a9f38636175ef06bb64c0c7bb881a9ce5a169b77445347d333c40ca49b243ce119ab0602fd661a6574a1e9ec914306ab0a3bfe9b7a2b58ca5ef63f4971a3
-
Filesize
78KB
MD5003f49618eb5502132ed575cf1124c19
SHA14d378b777d881f1da23c2a8e7bf702e6e2953b1d
SHA2566098f2a0e775bede6c322628b76a64eae7c2656c178858d7f65b4c0846e5c568
SHA51298fbbaa15ae3c35922a458bc06ad218fd0b076bfae67af1522b888f9b2bc349514f2362dc2fc22ef2cceb68d22b230e3bc18e724b58ca89048b0daaf8d950881