Analysis
Max time kernel: 146s
Max time network: 145s
Platform: windows7_x64
Resource: win7-20240729-en
Resource tags: arch:x64, arch:x86, image:win7-20240729-en, locale:en-us, os:windows7-x64, system
Submitted: 30-09-2024 16:05
Static task: static1
Behavioral task: behavioral1
  Sample: 票助手PDFm.exe
  Resource: win7-20240729-en
Behavioral task: behavioral2
  Sample: 票助手PDFm.exe
  Resource: win10v2004-20240802-en
General
Target: 票助手PDFm.exe
Size: 6.3MB
MD5: 0d3d7ee3d8b1b32311a3f8f6b43d379b
SHA1: 1c68d872ef070187544d671b45a9f17c0f347f99
SHA256: 6a6b231182fd8a2df3252d3c8a1ac89054a9721255be8d6245e0fd722b38b40d
SHA512: a4dbf8754c435ecae8cbe42680ae8476158e7f16fc11765792fde05f318f861c834a7956ebbfc5e450df088205ef02d435a96a5d1680c9a45db693734810a99d
SSDEEP: 98304:9iOQYYX5YQmdT8PRv0J0hx09BSpKki9jBGrisYdMLU9V09DsL2qEKqjb:jiby94pFKjBGr97eL
Malware Config
Signatures
- FatalRat
  FatalRat is a modular infostealer family written in C++ first appearing in June 2021.
- Fatal Rat payload (2 IoCs)
  Memory regions matched by yara_rule fatalrat:
    behavioral1/memory/1292-66-0x00000000006E0000-0x0000000000712000-memory.dmp
    behavioral1/memory/1292-68-0x0000000010000000-0x000000001002A000-memory.dmp
- Executes dropped EXE (1 IoC)
  Process: PID 1292 DTDTDWm.exe
- Loads dropped DLL (1 IoC)
  Process: PID 1292 DTDTDWm.exe
- Drops file in System32 directory (1 IoC)
  File opened for modification: C:\Windows\SysWOW64\DTDTDWm.exe (process: DTDTDWm.exe)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- System Location Discovery: System Language Discovery (1 TTP, 1 IoC)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: DTDTDWm.exe)
- Checks processor information in registry (2 TTPs, 2 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 (process: DTDTDWm.exe)
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz (process: DTDTDWm.exe)
- Suspicious behavior: EnumeratesProcesses (53 IoCs)
  Processes: PID 2932 票助手PDFm.exe (2 entries); PID 1292 DTDTDWm.exe (all remaining entries)
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Token: SeDebugPrivilege, PID 1292 DTDTDWm.exe (2 entries)
- Suspicious use of WriteProcessMemory (4 IoCs)
  PID 2884 (taskeng.exe) wrote to memory of PID 1292 (DTDTDWm.exe), 4 entries
- Uses Task Scheduler COM API (1 TTP)
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
- C:\Users\Admin\AppData\Local\Temp\票助手PDFm.exe (level 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\票助手PDFm.exe"
  PID: 2932
  - Suspicious behavior: EnumeratesProcesses
- C:\Windows\system32\taskeng.exe (level 1)
  Command line: taskeng.exe {6D51C4EC-09B3-480E-99BD-30DBA627F99F} S-1-5-21-2703099537-420551529-3771253338-1000:XECUDNCD\Admin:Interactive:[1]
  PID: 2884
  - Suspicious use of WriteProcessMemory
  - C:\ProgramData\9S8S8S\DTDTDWm.exe (level 2, child of taskeng.exe)
    Command line: C:\ProgramData\9S8S8S\DTDTDWm.exe
    PID: 1292
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Checks processor information in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 176KB
- Filesize: 1.6MB
- Filesize: 1.2MB
- Filesize: 142KB
- C:\Users\Admin\AppData\Roaming\BRARA\Microsoft\Windows\Start Menu\Programs\startup\website_secure_lnk.lnk
  Filesize: 756B
- Filesize: 903KB