Analysis
- max time kernel: 145s
- max time network: 152s
- platform: windows7_x64
- resource: win7-20240704-en
- resource tags: arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system
- submitted: 13-09-2024 19:02
Static task
- static1

Behavioral task
- behavioral1
  Sample: 756667b99c18e6c13fdc86d30868e90581b53dab4230daaba2b8261a0f4ece0f.exe
  Resource: win7-20240704-en

Behavioral task
- behavioral2
  Sample: 756667b99c18e6c13fdc86d30868e90581b53dab4230daaba2b8261a0f4ece0f.exe
  Resource: win10v2004-20240802-en
General
- Target: 756667b99c18e6c13fdc86d30868e90581b53dab4230daaba2b8261a0f4ece0f.exe
- Size: 713KB
- MD5: 0b7df39ea0e4d0a980ff69d34c6255cc
- SHA1: fdda6465d415b9e146f55480a0831166c8a2e234
- SHA256: 756667b99c18e6c13fdc86d30868e90581b53dab4230daaba2b8261a0f4ece0f
- SHA512: ca2d86eb519bf346c00499bf5788bc499fae23519492f32914531ec03f8c66253fa9195224206d0ad95ab7d0347c1e5e33fa35196f46064efd49aee247c67ad8
- SSDEEP: 6144:qcNrqbprPopMFVJnsdPq0TYU4bWmb8pRYp9HtfqQnHlETCf/MiO7OhQPdVw1iied:qcNGPlnsdPhTYUDvU9nHWTFPdxJVQX
Malware Config
Signatures
- FatalRat
  FatalRat is a modular infostealer family written in C++ first appearing in June 2021.

- Fatal Rat payload (1 IoCs)
  resource                                                                      yara_rule
  behavioral1/memory/2592-84-0x0000000000610000-0x000000000063A000-memory.dmp  fatalrat
- ACProtect 1.3x - 1.4x DLL software (1 IoCs)
  Detects file using ACProtect software.
  resource                                   yara_rule
  behavioral1/files/0x000700000001756a-66.dat  acprotect
- Executes dropped EXE (1 IoCs)
  pid   Process
  2592  F_F_FYf.exe

- Loads dropped DLL (2 IoCs)
  pid   Process
  2592  F_F_FYf.exe
  2592  F_F_FYf.exe

  resource                                                                      yara_rule
  behavioral1/files/0x000700000001756a-66.dat                                   upx
  behavioral1/memory/2592-68-0x0000000074570000-0x00000000747D7000-memory.dmp   upx
  behavioral1/memory/2592-91-0x0000000074570000-0x00000000747D7000-memory.dmp   upx
  behavioral1/memory/2592-101-0x0000000074570000-0x00000000747D7000-memory.dmp  upx
  behavioral1/memory/2592-107-0x0000000074570000-0x00000000747D7000-memory.dmp  upx
- Drops file in System32 directory (1 IoCs)
  description                   ioc                                  Process
  File opened for modification  C:\Windows\SysWOW64\F_F_FYf.exe      F_F_FYf.exe

- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- System Location Discovery: System Language Discovery (1 TTPs, 1 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description  ioc                                                           Process
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   F_F_FYf.exe
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  pid   Process
  1280  756667b99c18e6c13fdc86d30868e90581b53dab4230daaba2b8261a0f4ece0f.exe
  1280  756667b99c18e6c13fdc86d30868e90581b53dab4230daaba2b8261a0f4ece0f.exe

- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  description              pid   Process
  Token: SeDebugPrivilege  2592  F_F_FYf.exe

- Suspicious use of WriteProcessMemory (4 IoCs)
  description                        pid   Process      procid_target
  PID 2484 wrote to memory of 2592   2484  taskeng.exe  34
  PID 2484 wrote to memory of 2592   2484  taskeng.exe  34
  PID 2484 wrote to memory of 2592   2484  taskeng.exe  34
  PID 2484 wrote to memory of 2592   2484  taskeng.exe  34

- Uses Task Scheduler COM API (1 TTPs)
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
- C:\Users\Admin\AppData\Local\Temp\756667b99c18e6c13fdc86d30868e90581b53dab4230daaba2b8261a0f4ece0f.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\756667b99c18e6c13fdc86d30868e90581b53dab4230daaba2b8261a0f4ece0f.exe"
  PID: 1280
  - Suspicious behavior: EnumeratesProcesses

- C:\Windows\system32\taskeng.exe
  Command line: taskeng.exe {18EA90F4-4ECD-43A4-95F2-10F4055E9354} S-1-5-21-3434294380-2554721341-1919518612-1000:ELZYPTFV\Admin:Interactive:[1]
  PID: 2484
  - Suspicious use of WriteProcessMemory

  - C:\ProgramData\BUEUDU\F_F_FYf.exe (child of taskeng.exe)
    Command line: C:\ProgramData\BUEUDU\F_F_FYf.exe
    PID: 2592
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads
- C:\Users\Admin\AppData\Roaming\DWCWC\Microsoft\Windows\Start Menu\Programs\startup\website_secure_lnk.lnk
  Filesize: 756B
  MD5: 7424fa118b81bd8cd27820213d7cb09a
  SHA1: b7aa621e6db35a8c5f2f47b1a79215b513339617
  SHA256: ce13f78c544995ca971c05ec53d7965ebee5bb9abb2ea49826e04d9e8090b96f
  SHA512: 5742ed8d1bc0e7c223406da9328b178a0e3e1ebed4a25ea0c1c845bfc797d308a0f40b4689220334a9b650e8d93b16cb0fe0d42241ea5acc4cdcf8cbe5655c9d