Analysis
  max time kernel:  15s
  max time network: 19s
  platform:         windows7_x64
  resource:         win7-20240704-en
  resource tags:    arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system
  submitted:        16-08-2024 18:07
Behavioral tasks
  Task         Sample        Resource
  behavioral1  Fatality.exe  win7-20240704-en
  behavioral2  Fatality.exe  win10-20240404-en
  behavioral3  Fatality.exe  win7-20240708-en
  behavioral4  Fatality.exe  win10v2004-20240802-en
  behavioral5  Fatality.exe  win11-20240802-en
General
  Target:  Fatality.exe
  Size:    303KB
  MD5:     c58de13d43a4505c3d560f02782e7772
  SHA1:    1639355d610c3f8e0df698ab47835455a9687441
  SHA256:  7b7ffe08ad313ab1c699624e2240ff43a23466becef02d4c2d6b992efd7ac1bc
  SHA512:  4aab677344c2c07f95e5ed66aff445203a61b93ccbb31705757ed6bb37d58447cf294b87f1d8d5841f5a00c8ede742e3ab608319953166524774cffda35d7ac0
  SSDEEP:  6144:0HcT6MDdbICydeByXDmEjmpPwsQ6LmA1D0RuM:0HKgDmEjmoDA1DTM
Malware Config
  Extracted family: 44caliber
  Exfiltration endpoint: https://discordapp.com/api/webhooks/1271420596722602126/pddK9O-e2ezh4XTOXIuVC-VkRWZALv5GTMKGnWaVgpAmoiQ4OGECd3TQ5qCQ_5FFPItE
Signatures
  - Credentials from Password Stores: Credentials from Web Browsers (1 TTP)
    Malicious access to, or copy of, a web browser credential store.
  - Reads user/profile data of web browsers (2 TTPs)
    Infostealers often target stored browser data, which can include saved credentials and similar secrets.
  - Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)
  - Suspicious behavior: EnumeratesProcesses (3 IoCs)
      pid  Process
      760  Fatality.exe
      760  Fatality.exe
      760  Fatality.exe
  - Suspicious use of AdjustPrivilegeToken (1 IoC)
      description               pid  Process
      Token: SeDebugPrivilege   760  Fatality.exe
  - Suspicious use of WriteProcessMemory (3 IoCs)
      description                      pid  Process       procid_target
      PID 760 wrote to memory of 2904  760  Fatality.exe  29
      PID 760 wrote to memory of 2904  760  Fatality.exe  29
      PID 760 wrote to memory of 2904  760  Fatality.exe  29
Processes
  C:\Users\Admin\AppData\Local\Temp\Fatality.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\Fatality.exe"
    PID: 760
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    C:\Windows\system32\WerFault.exe
      Command line: C:\Windows\system32\WerFault.exe -u -p 760 -s 1180
      PID: 2904