Analysis
-
max time kernel
30s -
max time network
30s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
-
submitted
19/09/2024, 16:40
General
-
Target
fatality.exe
-
Size
3.4MB
-
MD5
19eeb3ce01f40894ced6065215d7a666
-
SHA1
6da9fb24f7560284219c0aa42134be3d76615c7c
-
SHA256
2c80f72b0be446e73b7f8f7e660750d8147a527b3e0c1316c2ddadc708e783c3
-
SHA512
9ad07ec548303e7d2db20093441710f4a08725ccc2365904ab3ef670a174030733409a4b22324eece2ba472354c32ad34bd96fb9cc095696a84caac70f0ef801
-
SSDEEP
49152:12quZB3Lyy3ok0xaAmNu2WsgAbfjHsKTJ4Nz9kP93s8+g/l7mKyftvzQBNomC6H:IHX3LyC0L7AbfjJT/l7byV4NJH
Malware Config
Signatures
-
Modifies WinLogon for persistence 2 TTPs 6 IoCs
-
Process spawned unexpected child process 18 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
-
Checks computer location settings 2 TTPs 3 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 2 IoCs
-
Adds Run key to start application 2 TTPs 12 IoCs
-
Drops file in System32 directory 2 IoCs
-
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
-
Drops file in Program Files directory 6 IoCs
-
Drops file in Windows directory 3 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs
Adversaries may check for Internet connectivity on compromised systems.
-
Checks SCSI registry key(s) 3 TTPs 6 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Modifies registry class 2 IoCs
-
Runs ping.exe 1 TTPs 1 IoCs
-
Scheduled Task/Job: Scheduled Task 1 TTPs 18 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious use of AdjustPrivilegeToken 10 IoCs
-
Suspicious use of FindShellTrayWindow 55 IoCs
-
Suspicious use of SendNotifyMessage 55 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Suspicious use of WriteProcessMemory 20 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\fatality.exe"C:\Users\Admin\AppData\Local\Temp\fatality.exe"1⤵
- Checks computer location settings
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\WinruntimeBrokerDll\GMEFyNcoiNG60wEpcxyNZ4Di23KQc0kfLK4aF.vbe"2⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\WinruntimeBrokerDll\ItjtUdx3t6H3YIR9PpTLl9BZRrl4Oo9QIKh5ZNyZ.bat" "3⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\WinruntimeBrokerDll\AgentfontPerfNet.exe"C:\WinruntimeBrokerDll/AgentfontPerfNet.exe"4⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\5q04zl4s\5q04zl4s.cmdline"5⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB100.tmp" "c:\Windows\System32\CSCE984E0BF1EB74B82A85C10EF234C170.TMP"6⤵
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\rQ8XJgmT5B.bat"5⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\chcp.comchcp 650016⤵
-
-
C:\Windows\system32\PING.EXEping -n 10 localhost6⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
C:\WinruntimeBrokerDll\AgentfontPerfNet.exe"C:\WinruntimeBrokerDll\AgentfontPerfNet.exe"6⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
-
-
-
-
-
C:\Windows\system32\taskmgr.exe"C:\Windows\system32\taskmgr.exe" /41⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "IdleI" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Photo Viewer\ja-JP\Idle.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files\Windows Photo Viewer\ja-JP\Idle.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "IdleI" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows Photo Viewer\ja-JP\Idle.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Internet Explorer\it-IT\winlogon.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files (x86)\Internet Explorer\it-IT\winlogon.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Internet Explorer\it-IT\winlogon.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "smsss" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows Portable Devices\smss.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files\Windows Portable Devices\smss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "smsss" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows Portable Devices\smss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "AgentfontPerfNetA" /sc MINUTE /mo 10 /tr "'C:\Users\Admin\Recent\AgentfontPerfNet.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "AgentfontPerfNet" /sc ONLOGON /tr "'C:\Users\Admin\Recent\AgentfontPerfNet.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "AgentfontPerfNetA" /sc MINUTE /mo 11 /tr "'C:\Users\Admin\Recent\AgentfontPerfNet.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "servicess" /sc MINUTE /mo 10 /tr "'C:\Windows\Microsoft.NET\services.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Windows\Microsoft.NET\services.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "servicess" /sc MINUTE /mo 6 /tr "'C:\Windows\Microsoft.NET\services.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "AgentfontPerfNetA" /sc MINUTE /mo 9 /tr "'C:\WinruntimeBrokerDll\AgentfontPerfNet.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "AgentfontPerfNet" /sc ONLOGON /tr "'C:\WinruntimeBrokerDll\AgentfontPerfNet.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "AgentfontPerfNetA" /sc MINUTE /mo 10 /tr "'C:\WinruntimeBrokerDll\AgentfontPerfNet.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\taskmgr.exe"C:\Windows\system32\taskmgr.exe" /41⤵
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Scheduled Task/Job
1Scheduled Task
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
64KB
MD5d2fb266b97caff2086bf0fa74eddb6b2
SHA12f0061ce9c51b5b4fbab76b37fc6a540be7f805d
SHA256b09f68b61d9ff5a7c7c8b10eee9447d4813ee0e866346e629e788cd4adecb66a
SHA512c3ba95a538c1d266beb83334af755c34ce642a4178ab0f2e5f7822fd6821d3b68862a8b58f167a9294e6d913b08c1054a69b5d7aec2efdb3cf9796ed84de21a8
-
Filesize
4B
MD5f49655f856acb8884cc0ace29216f511
SHA1cb0f1f87ec0455ec349aaa950c600475ac7b7b6b
SHA2567852fce59c67ddf1d6b8b997eaa1adfac004a9f3a91c37295de9223674011fba
SHA512599e93d25b174524495ed29653052b3590133096404873318f05fd68f4c9a5c9a3b30574551141fbb73d7329d6be342699a17f3ae84554bab784776dfda2d5f8
-
Filesize
944B
MD56bd369f7c74a28194c991ed1404da30f
SHA10f8e3f8ab822c9374409fe399b6bfe5d68cbd643
SHA256878947d0ec814fe7c343cdebc05eebf00eb14f3023bdb3809a559e17f399fe5d
SHA5128fc5f073dc9fa1e1ae47c60a5f06e0a48709fd6a4302dffaa721858409e7bde64bc6856d3fb28891090516d1a7afc542579de287778b5755eafe75cc67d45d93
-
Filesize
1KB
MD5af6acd95d59de87c04642509c30e81c1
SHA1f9549ae93fdb0a5861a79a08f60aa81c4b32377b
SHA2567521ee2d065a78efcab55a194fbd78492f84b70595f139263875f4ea92b194d6
SHA51293ab99bcf588fde553de3240e0d2b0cbd4e4bc5ef5e99d53f45a267d7ff30103a80b5a7aa1c52d6eff1e070af0ec82d2c0b8aafb7099742aa16810edc1815c3a
-
Filesize
1KB
MD5e85386a9acc795bf867d47d3f6513919
SHA1d40dd01f925ed75f989e6ad7c81591db2d245f88
SHA2565daa048dde7ba1f531ea27307e054758ecadc307e7e105aee65933f09bc008b5
SHA512bcbe8e10eba2c8da22acf1f6716d841c8c47a53c6cec038027e344e17554ea453b2820faf6331c8f9f0a6bbaafe03b71a0fcc7e6c80d71725694933831ae9ce0
-
Filesize
171B
MD57a6e1581274cb4fd75bcbfb90e9b149f
SHA1fefa2bfec61c7c48c7bc9722605b151cbcfaa32d
SHA25617f72ba0dd59fcbbcd4fbed3cc7ef569be6872661e763be1a89b8799d571d405
SHA512b6a664d5fb9d87f3ff67483d165190fca848494aa2dc283deb591c26485273e5b270d0572f520c8162a8b38957bc229adf0474dfcf0b6b0718cf4effd6b64596
-
Filesize
1.9MB
MD5f9779f2d70e9974ff41e46a914d7d238
SHA1ab332ae513b0170e88c0bd7d2b6664d9e8d55c8d
SHA256c901beb42e1372c73cdf25cab74e1aba0e57b51608ed8d014160df2ead86626f
SHA51219b386fd62677341eeaa5812d9d77ca40c4d9497a23c954496ccb659266528de68161ce198f7b5024f2626b435c71c2e53a8d46d075528f357d5af04d26a8cdf
-
Filesize
238B
MD5f8551118abe74fa67b41749a29f8f542
SHA118bb595f0e378727ddd92be510a211759b9ce3fc
SHA25648bb9ca4e442369517cb8a87fc02736c3ea5e02893a3f3126037eced0e192e16
SHA512c7cff3de9ad46e125ab2d6714995cf4310b178cc781f42b700fb0b54ec160701af1e99760624910ccf50c96f5efdc5d3a7bb00d3af7731a0e2f898f9db3a3864
-
Filesize
95B
MD514299ac4bcd55335ed78d9f3a839983c
SHA18519353b52599850456783e3419d132648be6ed6
SHA256ea7785252e31c7332d0baa4939895f66335d0fd638cec14ac834f42f4c65b4d3
SHA51293c5a6975a14a2a76ee9b9fd1452017b4fa7f4f70d01ce140976a9f1c44e6a44c640003209ee7d819351d9b37172cb21990bd7e15bc95024d7aedf0520c4b16e
-
Filesize
4KB
MD53d7f4ba57aeebe69ba77b356d7d61fac
SHA1aa78732258c56b4751150ceea2f5248d5d6a57ef
SHA2569fc9fdea7cc69c562477e02d1ce2b693162fbe7b23184706955c3095b6722a6c
SHA512c9f3ae03503a5d04b79c826315f431a14f79e2b4a982384adcce7c4fb4d44a73d015b12c69aba98f44d998a74e6d7190feea868f2d9817bb6248dae49653b833
-
Filesize
384B
MD5971e4568174f864b34a54854dc498cf0
SHA159018b9c2e71edd05f698f4d54553c8e790ac4b0
SHA256a40ae42eea1fb873ec64d32b1fde949b6b2939362dbb0acd2842a3bf88abcf06
SHA512d174b4ef12615a26a1d96272b8f429db1e0a897725d670007b57e19ed4093a7d9b79369c8a64453ab541863f9d37740b75c9021ad9940e095e90af7cd86aa49c
-
Filesize
235B
MD5f5550e71ee1636d55db31c26126b98ce
SHA1e08cba8915f5d538f6825597d8830212209ee018
SHA256be18ff45cc7a80e895bad14c822667df0ddf924ab6b2d68c97648f80695f1a0e
SHA51259d40027786a4e7db43638b19bff45c574b16d36ed707ed5a1ddd8ad34bc5a7db6547a8b0005e40013e0b3c68f32e9ab93e204bf86abe1efff8acd5b2c234332
-
Filesize
1KB
MD5aaedb470feff0ca43ba622b01d0e7b4f
SHA1e88615dbe9a5c74b28a0cb38666ddb91bd014dd4
SHA256deb4e21657569076441e2f2ed83756a093bb6588a75d8febbabedd64d96d183f
SHA512cf825cfd11de31c4faa0516b0d3b6bc54290f5c5d1098950a6f82fbdc02b8235c2dcae53df823c00def7d47bdada06970cceee01cb5db183ff83879d98977910
-
Filesize
4.3MB
-
Filesize
4.3MB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
56KB
-
Filesize
1.9MB
-
Filesize
56KB
-
Filesize
112KB
-
Filesize
320KB
-
Filesize
96KB
-
Filesize
48KB
-
Filesize
1.7MB
-
Filesize
428KB
-
Filesize
56KB