Analysis
max time kernel: 121s
max time network: 123s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 12-09-2024 08:59
Static task: static1
Behavioral task: behavioral1 | Sample: 名单助手I.exe | Resource: win7-20240903-en
Behavioral task: behavioral2 | Sample: 名单助手I.exe | Resource: win10v2004-20240802-en
Behavioral task: behavioral3 | Sample: 说明.pdf | Resource: win7-20240903-en
Behavioral task: behavioral4 | Sample: 说明.pdf | Resource: win10v2004-20240802-en
General
Target: 名单助手I.exe
Size: 6.1MB
MD5: 74f27f7c16f1df18dabb2e7cdaa1a972
SHA1: d333a571677f1472d5fd26ffa43ad2f96dde18fd
SHA256: fc1f2107672a4af330678c2dd2ca7a2701e8d79123c339292a72f0d31ce296a0
SHA512: b07c3e66674b6809d6773a8d1387dcca6859698ecd4a0c37aac0bc6103fa25efa0d6ea6dd342c68201b21dcc54ae80c9c1fc2a9aeee70022d690570fb287b12b
SSDEEP: 98304:LYYX5YQmdT8PRv0J0hx09BSpKki9jBGrisYdMLU9V09DsL2qEKqjb:kiby94pFKjBGr97eL
Malware Config
Signatures
FatalRat
FatalRat is a modular infostealer family written in C++ first appearing in June 2021.
Fatal Rat payload (2 IoCs)
resource | yara_rule
behavioral1/memory/2756-75-0x00000000005A0000-0x00000000005D2000-memory.dmp | fatalrat
behavioral1/memory/2756-76-0x0000000010000000-0x000000001002A000-memory.dmp | fatalrat
Executes dropped EXE (1 IoC)
pid | Process
2756 | UDTDTDI.exe
Loads dropped DLL (3 IoCs)
pid | Process
2756 | UDTDTDI.exe
2756 | UDTDTDI.exe
2756 | UDTDTDI.exe
Indicator Removal: File Deletion (1 TTP)
Adversaries may delete files left behind by the actions of their intrusion activity.
Drops file in System32 directory (1 IoC)
description | ioc | Process
File opened for modification | C:\Windows\SysWOW64\UDTDTDI.exe | UDTDTDI.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTP, 2 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | UDTDTDI.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Checks processor information in registry (2 TTPs, 2 IoCs)
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | UDTDTDI.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | UDTDTDI.exe
Suspicious behavior: EnumeratesProcesses (53 IoCs)
pid | Process
2292 | 名单助手I.exe (2 entries)
2756 | UDTDTDI.exe (51 entries)
Suspicious use of AdjustPrivilegeToken (3 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 2756 | UDTDTDI.exe
Token: SeDebugPrivilege | 2756 | UDTDTDI.exe
Token: SeIncBasePriorityPrivilege | 2756 | UDTDTDI.exe
Suspicious use of WriteProcessMemory (8 IoCs)
description | pid | Process | procid_target
PID 2868 wrote to memory of 2756 | 2868 | taskeng.exe | 33
PID 2868 wrote to memory of 2756 | 2868 | taskeng.exe | 33
PID 2868 wrote to memory of 2756 | 2868 | taskeng.exe | 33
PID 2868 wrote to memory of 2756 | 2868 | taskeng.exe | 33
PID 2756 wrote to memory of 812 | 2756 | UDTDTDI.exe | 34
PID 2756 wrote to memory of 812 | 2756 | UDTDTDI.exe | 34
PID 2756 wrote to memory of 812 | 2756 | UDTDTDI.exe | 34
PID 2756 wrote to memory of 812 | 2756 | UDTDTDI.exe | 34
Uses Task Scheduler COM API (1 TTP)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
Depth 1: C:\Users\Admin\AppData\Local\Temp\名单助手I.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\名单助手I.exe"
  PID: 2292
  - Suspicious behavior: EnumeratesProcesses
Depth 1: C:\Windows\system32\taskeng.exe
  Command line: taskeng.exe {2B56B8AC-4004-4E60-BCDF-F2E5BE2A025D} S-1-5-21-3063565911-2056067323-3330884624-1000:KHBTHJFA\Admin:Interactive:[1]
  PID: 2868
  - Suspicious use of WriteProcessMemory
  Depth 2: C:\ProgramData\BRARAU\UDTDTDI.exe
    Command line: C:\ProgramData\BRARAU\UDTDTDI.exe
    PID: 2756
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Checks processor information in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    Depth 3: C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /c del /q C:\ProgramData\BRARAU\UDTDTDI.exe
      PID: 812
      - System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 411KB
MD5: bc83108b18756547013ed443b8cdb31b
SHA1: 79bcaad3714433e01c7f153b05b781f8d7cb318d
SHA256: b2ad109c15eaa92079582787b7772ba0a2f034f7d075907ff87028df0eaea671
SHA512: 6e72b2d40e47567b3e506be474dafa7cacd0b53cd2c2d160c3b5384f2f461fc91bb5fdb614a351f628d4e516b3bbdabc2cc6d4cb4710970146d2938a687dd011

Filesize: 755KB
MD5: 0e37fbfa79d349d672456923ec5fbbe3
SHA1: 4e880fc7625ccf8d9ca799d5b94ce2b1e7597335
SHA256: 8793353461826fbd48f25ea8b835be204b758ce7510db2af631b28850355bd18
SHA512: 2bea9bd528513a3c6a54beac25096ee200a4e6ccfc2a308ae9cfd1ad8738e2e2defd477d59db527a048e5e9a4fe1fc1d771701de14ef82b4dbcdc90df0387630

Filesize: 86KB
MD5: 03706618a4b880538f086fae374b06cd
SHA1: 87af405c4ed70d56f555bc0c781f7f1fdd0c9b68
SHA256: 04db5fd77a016d339c642639cd5338e7c7777d9b66344c04c325f1e4c57fa00f
SHA512: da5c6744f1fd5fde838af7635a48971910b08a7ca06018e05df85891e3bfbca59b65c4341763480c638ad3ddbae431a2419ac3b3c55135486b68b3e686acb682

Filesize: 1.2MB
MD5: 226e469c4965cbabc63ef1485c5963e2
SHA1: e103a32e47c97f2b46b4b95bbb18314f74705872
SHA256: b28e21033642d097c933e68ce8ee164b059e24e5be38cb1be4a601f0b843e3a0
SHA512: 89620eb6c344bcc5372979b9ebe6b7c764e648fe4d30ac79bafab97d9d2f962c68967857a6b2a525fb0d3b362557e304aa816b954064178467f5ba77befb664f

Filesize: 2.2MB
MD5: 513bff6f497ac73f2eeb1a29a2be2403
SHA1: dc66451379318a3758fc9da3c484ba9b1e583186
SHA256: a29435e99f4972d32e32f8c5355a3f2357c63062d74424afec12d09af55cc63c
SHA512: a71f5f3bf10dcd94320b5be3d803571dcd8dd084d39f9513f21d58c1e91ed174358e0aa8ba531d346b5a84448d27ae52f81fadcac275a908e54564227f9d251e

Path: C:\Users\Admin\AppData\Roaming\RBRAR\Microsoft\Windows\Start Menu\Programs\startup\website_secure_lnk.lnk
Filesize: 756B
MD5: 821fc85376d12fa45e8fbd9665ef41fe
SHA1: 7889da0be1c38114257c0aca2791948b87c1ca54
SHA256: 01468077b01d6f291b99322e78166b69389865d68f48e211d83dfbe8e8268ff4
SHA512: 059373518709192a151c2d781bfb66d260e107147e3036c4e4497ac81cb10d9469d3375e7f72d561ea74414fbc14145fbdbec2266317e2c457d395a187b23540

Filesize: 142KB
MD5: bbaea75e78b80434b7cd699749b93a97
SHA1: c7d151758cb88dee39dbb5f4cd30e7d226980dde
SHA256: c9a1c52f5f5c8deef76b8e989c6a377f00061fa369cbd1cee7f53f8f03295f5c
SHA512: 7f41846d61452c73566554ba5f6ef356e757ff4c292ad68bbcc1b84f736c02c6b0bc52e13270e5d7be4cde743d40cfc281028d4a0e322fbeecd9b786d08bac3d

Filesize: 1.5MB
MD5: e9e37a7603e15e9ecfccab2c09195c1c
SHA1: 608796a01018a79ebf99135bcd47588569f66f01
SHA256: b14c4e4b9a405da0301c4b2975a0043708d2b85eef4430bc898e2fca310d2c05
SHA512: ead174f8518a2032f3a45744dc5f0f094d851b0ade50ce1b3f1c9044504f6818428c842bd67fc63da093bfadb096621bb13850cc31a13a743d813f81f95792cc