General
Target: fatality.exe
Size: 3.1MB
Sample: 241021-jac6lsvdja
MD5: a8f3e7de9218723b8abd30ce1422f139
SHA1: d05e6763bd194951d812ce32e486c9bd7ca90fcc
SHA256: fc711b6ee8babc14fb7a695bc94caa9df90deb4c7660bfeb99453251b674cf99
SHA512: 9f293d93d606bed405974d1e86bec7a7a0239d17c27cf2840bf843b15cc6b03847cb76afbbd2b75e73ae24b81f9c2ec85161f062de3626573862bcdbfa50b62a
SSDEEP: 49152:6Y+v/99OpKX1+2DAA1C8XAUO1aiENd7yIHY6CwCH8wzrtUGAzuV:6YSHy0o2D9AUO1avNRyIHY6Uc6rtX
Static task: static1
Behavioral task: behavioral1
  Sample: fatality.exe
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: fatality.exe
  Resource: win10v2004-20241007-en
Malware Config
Targets
Target: fatality.exe (3.1MB; hashes as listed under General)
Score: 10/10
- Modifies WinLogon for persistence
- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
MITRE ATT&CK Enterprise v15
Persistence
  Boot or Logon Autostart Execution (2)
    Registry Run Keys / Startup Folder (1)
    Winlogon Helper DLL (1)
  Scheduled Task/Job (1)
    Scheduled Task (1)
Privilege Escalation
  Boot or Logon Autostart Execution (2)
    Registry Run Keys / Startup Folder (1)
    Winlogon Helper DLL (1)
  Scheduled Task/Job (1)
    Scheduled Task (1)
Credential Access
  Credentials from Password Stores (1)
    Credentials from Web Browsers (1)
  Unsecured Credentials (1)
    Credentials In Files (1)