Analysis
max time kernel: 146s
max time network: 136s
platform: windows7_x64
resource: win7-20240729-en
resource tags: arch:x64, arch:x86, image:win7-20240729-en, locale:en-us, os:windows7-x64, system
submitted: 30-09-2024 22:55
Static task: static1
Behavioral task: behavioral1
  Sample: 票助手PDFm.exe
  Resource: win7-20240729-en
Behavioral task: behavioral2
  Sample: 票助手PDFm.exe
  Resource: win10v2004-20240802-en
General
Target: 票助手PDFm.exe
Size: 6.3MB
MD5: 0d3d7ee3d8b1b32311a3f8f6b43d379b
SHA1: 1c68d872ef070187544d671b45a9f17c0f347f99
SHA256: 6a6b231182fd8a2df3252d3c8a1ac89054a9721255be8d6245e0fd722b38b40d
SHA512: a4dbf8754c435ecae8cbe42680ae8476158e7f16fc11765792fde05f318f861c834a7956ebbfc5e450df088205ef02d435a96a5d1680c9a45db693734810a99d
SSDEEP: 98304:9iOQYYX5YQmdT8PRv0J0hx09BSpKki9jBGrisYdMLU9V09DsL2qEKqjb:jiby94pFKjBGr97eL
Malware Config
Signatures

FatalRat
FatalRat is a modular infostealer family written in C++ first appearing in June 2021.

Fatal Rat payload (2 IoCs)
  resource | yara_rule
  behavioral1/memory/2864-66-0x0000000002470000-0x00000000024A2000-memory.dmp | fatalrat
  behavioral1/memory/2864-68-0x0000000010000000-0x000000001002A000-memory.dmp | fatalrat

Executes dropped EXE (1 IoC)
  pid | Process
  2864 | SCSCVBm.exe

Loads dropped DLL (1 IoC)
  pid | Process
  2864 | SCSCVBm.exe

Drops file in System32 directory (1 IoC)
  description | ioc | Process
  File opened for modification | C:\Windows\SysWOW64\SCSCVBm.exe | SCSCVBm.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery (1 TTP, 1 IoC)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | SCSCVBm.exe

Checks processor information in registry (2 TTPs, 2 IoCs)
Processor information is often read in order to detect sandboxing environments.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | SCSCVBm.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | SCSCVBm.exe

Suspicious behavior: EnumeratesProcesses (53 IoCs)
  pid | Process
  848 | 票助手PDFm.exe (2 entries)
  2864 | SCSCVBm.exe (51 entries)

Suspicious use of AdjustPrivilegeToken (2 IoCs)
  description | pid | Process
  Token: SeDebugPrivilege | 2864 | SCSCVBm.exe
  Token: SeDebugPrivilege | 2864 | SCSCVBm.exe

Suspicious use of WriteProcessMemory (4 IoCs)
  description | pid | Process | procid_target
  PID 2744 wrote to memory of 2864 | 2744 | taskeng.exe | 30
  PID 2744 wrote to memory of 2864 | 2744 | taskeng.exe | 30
  PID 2744 wrote to memory of 2864 | 2744 | taskeng.exe | 30
  PID 2744 wrote to memory of 2864 | 2744 | taskeng.exe | 30

Uses Task Scheduler COM API (1 TTP)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes

C:\Users\Admin\AppData\Local\Temp\票助手PDFm.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\票助手PDFm.exe"
  Suspicious behavior: EnumeratesProcesses
  PID: 848

C:\Windows\system32\taskeng.exe
  Command line: taskeng.exe {B326AEC4-020C-4CA3-88E4-2004B2C28963} S-1-5-21-2703099537-420551529-3771253338-1000:XECUDNCD\Admin:Interactive:[1]
  Suspicious use of WriteProcessMemory
  PID: 2744

  C:\ProgramData\4N4N7N\SCSCVBm.exe (child of taskeng.exe, PID 2744)
    Command line: C:\ProgramData\4N4N7N\SCSCVBm.exe
    Executes dropped EXE
    Loads dropped DLL
    Drops file in System32 directory
    System Location Discovery: System Language Discovery
    Checks processor information in registry
    Suspicious behavior: EnumeratesProcesses
    Suspicious use of AdjustPrivilegeToken
    PID: 2864
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 176KB
MD5: bada72ab726036ea84eac019bccb8ffc
SHA1: 3f8aa6a04538babde8e6d2b76ab8e83cb7e61d2e
SHA256: 5c7bd6c227802d6746b15b38360bf2c4ba2f553a250e1c8f7bf84591d97400a5
SHA512: bfca87ef43b34bed31990e6780b3c6c4d4072f21daf8e36b1f15033c35b3b36f6fa76d0af30c4f4180012cb98139181943f59ab5f44250452007213a8119b0c7

Filesize: 1.2MB
MD5: 0dde2f5fcb760573e79b08ef31f0c9b0
SHA1: 447f5e59f76e753fa5f092a44248ae1582e6617f
SHA256: 91f94e74d971a5f8f7732260824cf7a45eb1a7438bd1abec12c6eaddf44f26a8
SHA512: 84482b5d3ab7180edfa173260b94cbe965790b6130f1f734ab075dc8a8cb440638b39fbc4bd5ab7e8a0082bbdbd1df971f07f3f8bb43a448a7c36dd9cfda5fcf

Filesize: 142KB
MD5: bbaea75e78b80434b7cd699749b93a97
SHA1: c7d151758cb88dee39dbb5f4cd30e7d226980dde
SHA256: c9a1c52f5f5c8deef76b8e989c6a377f00061fa369cbd1cee7f53f8f03295f5c
SHA512: 7f41846d61452c73566554ba5f6ef356e757ff4c292ad68bbcc1b84f736c02c6b0bc52e13270e5d7be4cde743d40cfc281028d4a0e322fbeecd9b786d08bac3d

C:\Users\Admin\AppData\Roaming\Q9P9S\Microsoft\Windows\Start Menu\Programs\startup\website_secure_lnk.lnk
Filesize: 756B
MD5: 946f750ae75f4977f7946603f008109e
SHA1: 68e147a38260e892ee01b23ae24c55706e0974bd
SHA256: f62d870427202950f954678f981d84538971bab254f452130f24cecaa707ea06
SHA512: 79a030605b17e5b697f410967873a0531cc1ae394af1270593d4ea0a7511b324dd995540417b895d5c5cf8cfd5479c38e4678bd706e1f038bf3e2c0d757328a9

Filesize: 903KB
MD5: 36dbe670282d5727f0c44b705ff767cc
SHA1: a1417e16a602eda333e7d7bfb891f5f694ff01de
SHA256: 9bf4f07491feaddd822fed4a4019f2da4cf69f20c6549bd182d020860269ae11
SHA512: ad72de707609d673d5764390d3d2e30fb9a13da5a55e60e3162e43cb0983daef8519b326c386687ac1b1e8a14c1772989412f36ffdc7b795dd155934294724a7

Filesize: 1.6MB
MD5: e603041002b66bcd011876f1f73ef712
SHA1: 0f14e961f06a3667eac666e490adb096db13c694
SHA256: 209c382b56c1bcb6ef5337c94ebe7d9ce38a9286567a463cce679e476d250c00
SHA512: ec879c200e6ec5f305be4404d5a95b6651729716a94e553e86f7600170c876d1298623813e264e96cf852cc10beb7bc90926957399b8fdab686ab406f957ecfa