Analysis
-
max time kernel
92s -
max time network
138s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
14-11-2024 15:27
Static task
static1
Behavioral task
behavioral1
Sample
fb758ef334a36a8ec5a334cfce883b56849cb1ab7e92493074e2adabefcd9b0a.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
fb758ef334a36a8ec5a334cfce883b56849cb1ab7e92493074e2adabefcd9b0a.exe
Resource
win10v2004-20241007-en
General
-
Target
fb758ef334a36a8ec5a334cfce883b56849cb1ab7e92493074e2adabefcd9b0a.exe
-
Size
140KB
-
MD5
d3501cba07547fc6b1ed36233fd4a5de
-
SHA1
3a0576dee70677db92a1de6b09f29d04e1e743cf
-
SHA256
fb758ef334a36a8ec5a334cfce883b56849cb1ab7e92493074e2adabefcd9b0a
-
SHA512
b878d6ec1ad3679306db10b52895eb7de31ad22a44208c97b327c535987c0a0de221c6aef79f94b45e718c80d840182c3fe6af9ae755429bddb456048ccf9ba0
-
SSDEEP
1536:Vua+BTv3tIO8MtM+/6jRVGIk1MgHjsPGYYwOda2CqqZOIgQJb0lfjtO+vbWL8xJb:Vn+htWMtf+7GZYGVA2QJgi8xJLDoU
Malware Config
Signatures
-
FatalRat
FatalRat is a modular infostealer family written in C++ first appearing in June 2021.
-
Fatalrat family
-
Gh0st RAT payload 2 IoCs
resource yara_rule behavioral2/memory/1104-25-0x0000000002CC0000-0x0000000002CD2000-memory.dmp family_gh0strat behavioral2/memory/1104-23-0x0000000002CC0000-0x0000000002CD2000-memory.dmp family_gh0strat -
Gh0strat family
-
Fatal Rat payload 3 IoCs
resource yara_rule behavioral2/memory/3872-1-0x0000000010000000-0x000000001001C000-memory.dmp fatalrat behavioral2/memory/4604-8-0x0000000010000000-0x000000001001C000-memory.dmp fatalrat behavioral2/memory/3872-19-0x0000000000400000-0x0000000000424000-memory.dmp fatalrat -
Executes dropped EXE 2 IoCs
pid Process 4604 Defghi.exe 1104 Defghi.exe -
Enumerates connected drives 3 TTPs 2 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\D: Defghi.exe File opened (read-only) \??\F: Defghi.exe -
Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
-
resource yara_rule behavioral2/memory/1104-25-0x0000000002CC0000-0x0000000002CD2000-memory.dmp upx behavioral2/memory/1104-23-0x0000000002CC0000-0x0000000002CD2000-memory.dmp upx behavioral2/memory/1104-20-0x0000000002CC0000-0x0000000002CD2000-memory.dmp upx -
Drops file in Windows directory 4 IoCs
description ioc Process File created C:\Windows\Defghi.exe Defghi.exe File created C:\Windows\Defghi.exe fb758ef334a36a8ec5a334cfce883b56849cb1ab7e92493074e2adabefcd9b0a.exe File opened for modification C:\Windows\Defghi.exe fb758ef334a36a8ec5a334cfce883b56849cb1ab7e92493074e2adabefcd9b0a.exe File opened for modification C:\Windows\Defghi.exe Defghi.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fb758ef334a36a8ec5a334cfce883b56849cb1ab7e92493074e2adabefcd9b0a.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Defghi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Defghi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe -
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 Defghi.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz Defghi.exe -
Modifies data under HKEY_USERS 18 IoCs
description ioc Process Key created \REGISTRY\USER\.DEFAULT\Software Defghi.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" Defghi.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" Defghi.exe Key created \REGISTRY\USER\.DEFAULT\SYSTEM\CurrentControlSet\Services\Defghi Klmnopqr Defghi.exe Key created \REGISTRY\USER\.DEFAULT\System\CurrentControlSet Defghi.exe Key created \REGISTRY\USER\.DEFAULT\System\CurrentControlSet\Services\Defghi Klmnopqr Defghi.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ Defghi.exe Key created \REGISTRY\USER\.DEFAULT\System\CurrentControlSet\Services Defghi.exe Set value (str) \REGISTRY\USER\.DEFAULT\System\CurrentControlSet\Services\Defghi Klmnopqr\Group = "1114ÉÏ‚÷shell" Defghi.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum Defghi.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie Defghi.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum\Version = "7" Defghi.exe Key deleted \REGISTRY\USER\.DEFAULT\System\CurrentControlSet\Services\Defghi Klmnopqr Defghi.exe Key created \REGISTRY\USER\.DEFAULT\SYSTEM Defghi.exe Set value (str) \REGISTRY\USER\.DEFAULT\System\CurrentControlSet\Services\Defghi Klmnopqr\InstallTime = "2024-11-14 15:28" Defghi.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft Defghi.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" Defghi.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" Defghi.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 3872 fb758ef334a36a8ec5a334cfce883b56849cb1ab7e92493074e2adabefcd9b0a.exe 3872 fb758ef334a36a8ec5a334cfce883b56849cb1ab7e92493074e2adabefcd9b0a.exe 4604 Defghi.exe 4604 Defghi.exe 1104 Defghi.exe 1104 Defghi.exe 1104 Defghi.exe 1104 Defghi.exe 1104 Defghi.exe 1104 Defghi.exe 1104 Defghi.exe 1104 Defghi.exe 1104 Defghi.exe 1104 Defghi.exe 1104 Defghi.exe 1104 Defghi.exe 1104 Defghi.exe 1104 Defghi.exe 1104 Defghi.exe 1104 Defghi.exe 1104 Defghi.exe 1104 Defghi.exe 1104 Defghi.exe 1104 Defghi.exe 1104 Defghi.exe 1104 Defghi.exe 1104 Defghi.exe 1104 Defghi.exe 1104 Defghi.exe 1104 Defghi.exe 1104 Defghi.exe 1104 Defghi.exe 1104 Defghi.exe 1104 Defghi.exe 1104 Defghi.exe 1104 Defghi.exe 1104 Defghi.exe 1104 Defghi.exe 1104 Defghi.exe 1104 Defghi.exe 1104 Defghi.exe 1104 Defghi.exe 1104 Defghi.exe 1104 Defghi.exe 1104 Defghi.exe 1104 Defghi.exe 1104 Defghi.exe 1104 Defghi.exe 1104 Defghi.exe 1104 Defghi.exe 1104 Defghi.exe 1104 Defghi.exe 1104 Defghi.exe 1104 Defghi.exe 1104 Defghi.exe 1104 Defghi.exe 1104 Defghi.exe 1104 Defghi.exe 1104 Defghi.exe 1104 Defghi.exe 1104 Defghi.exe 1104 Defghi.exe 1104 Defghi.exe 1104 Defghi.exe -
Suspicious behavior: RenamesItself 1 IoCs
pid Process 3872 fb758ef334a36a8ec5a334cfce883b56849cb1ab7e92493074e2adabefcd9b0a.exe -
Suspicious use of AdjustPrivilegeToken 4 IoCs
description pid Process Token: SeDebugPrivilege 3872 fb758ef334a36a8ec5a334cfce883b56849cb1ab7e92493074e2adabefcd9b0a.exe Token: SeDebugPrivilege 4604 Defghi.exe Token: SeDebugPrivilege 1104 Defghi.exe Token: SeIncBasePriorityPrivilege 1104 Defghi.exe -
Suspicious use of WriteProcessMemory 6 IoCs
description pid Process procid_target PID 4604 wrote to memory of 1104 4604 Defghi.exe 98 PID 4604 wrote to memory of 1104 4604 Defghi.exe 98 PID 4604 wrote to memory of 1104 4604 Defghi.exe 98 PID 1104 wrote to memory of 2292 1104 Defghi.exe 102 PID 1104 wrote to memory of 2292 1104 Defghi.exe 102 PID 1104 wrote to memory of 2292 1104 Defghi.exe 102
Processes
-
C:\Users\Admin\AppData\Local\Temp\fb758ef334a36a8ec5a334cfce883b56849cb1ab7e92493074e2adabefcd9b0a.exe"C:\Users\Admin\AppData\Local\Temp\fb758ef334a36a8ec5a334cfce883b56849cb1ab7e92493074e2adabefcd9b0a.exe"1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of AdjustPrivilegeToken
PID:3872
-
C:\Windows\Defghi.exeC:\Windows\Defghi.exe1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4604 -
C:\Windows\Defghi.exeC:\Windows\Defghi.exe Win72⤵
- Executes dropped EXE
- Enumerates connected drives
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1104 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c del /q C:\Windows\Defghi.exe3⤵
- System Location Discovery: System Language Discovery
PID:2292
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
140KB
MD5d3501cba07547fc6b1ed36233fd4a5de
SHA13a0576dee70677db92a1de6b09f29d04e1e743cf
SHA256fb758ef334a36a8ec5a334cfce883b56849cb1ab7e92493074e2adabefcd9b0a
SHA512b878d6ec1ad3679306db10b52895eb7de31ad22a44208c97b327c535987c0a0de221c6aef79f94b45e718c80d840182c3fe6af9ae755429bddb456048ccf9ba0