Resubmissions

02-12-2024 06:58

241202-hrp13azmep 10

02-12-2024 04:09

241202-eqvclstrbk 10

Analysis

  • max time kernel
    150s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    02-12-2024 04:09

General

  • Target

    24b31819e09dd8eaa1c26a08c1a4e7ae55063c7ebb3dbd0273968d13a4f0d0e3.exe

  • Size

    4.5MB

  • MD5

    0b002ffd1ba0c617cfd6f25f75d8432e

  • SHA1

    9a102e169744d9a28e575efecadc53b9d77fb751

  • SHA256

    24b31819e09dd8eaa1c26a08c1a4e7ae55063c7ebb3dbd0273968d13a4f0d0e3

  • SHA512

    52236ec4b8d3df89a7c60937c8d886ca05285cd77e639b731075368ef6bf80f973ae978d24123127d3785c8254f718c0556dc6b55be9355c4ac77bfb88f7172b

  • SSDEEP

    49152:9YJMpJc32PMgJjQhGp7fOU3h1hyiTrMIx7Rtpb68N54+97boAXuE+OPnmr7DvjZd:9Og51Mgr/txTbV7+6W

Malware Config

Signatures

  • FatalRat

    FatalRat is a modular infostealer family written in C++ first appearing in June 2021.

  • Fatalrat family
  • Fatal Rat payload 1 IoCs
  • Drops startup file 2 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies data under HKEY_USERS 10 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of SetWindowsHookEx 6 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\24b31819e09dd8eaa1c26a08c1a4e7ae55063c7ebb3dbd0273968d13a4f0d0e3.exe
    "C:\Users\Admin\AppData\Local\Temp\24b31819e09dd8eaa1c26a08c1a4e7ae55063c7ebb3dbd0273968d13a4f0d0e3.exe"
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:4552
    • C:\Windows\System32\write.exe
      "C:\Windows\System32\write.exe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3660
      • C:\Program Files\Windows NT\Accessories\wordpad.exe
        "C:\Program Files\Windows NT\Accessories\wordpad.exe"
        3⤵
        • Suspicious use of SetWindowsHookEx
        PID:1680
    • C:\Windows\System32\cmd.exe
      cmd /c start "" "C:\ProgramData\OuNKjE\OuNKjE.exe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3060
      • C:\ProgramData\OuNKjE\OuNKjE.exe
        "C:\ProgramData\OuNKjE\OuNKjE.exe"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Checks processor information in registry
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        PID:1056
  • C:\Windows\system32\cmd.exe
    cmd /c start C:\Users\Admin\Desktop\OuNK.lnk
    1⤵
    • Modifies data under HKEY_USERS
    • Suspicious use of WriteProcessMemory
    PID:1300
    • C:\Users\Admin\AppData\Roaming\OuNKjE.exe
      "C:\Users\Admin\AppData\Roaming\OuNKjE.exe" -n C:\Users\Admin\AppData\Roaming\OuNKj.zip -d C:\Users\Admin\AppData\Roaming
      2⤵
      • Drops startup file
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:1852
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc
    1⤵
      PID:2272

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\ProgramData\OuNKjE\OuNKjE.exe

      Filesize

      508KB

      MD5

      a79a2e0b7f299ab2f80ee8315679baee

      SHA1

      43d76adbcc19e4c8b60ffba419797a22b756e927

      SHA256

      0a804e7efe38d6eba358781597205519b936239e9daebcdf2f71c62c6a416f5c

      SHA512

      f246044eb82e2d4562081b0041ba2109cbda385b335b3bf10d3408acda6ae0c605ab1a522a7f5f363dfd6417e6825ff7d2831d42b8e4440d012fdf33ec605649

    • C:\ProgramData\OuNKjE\VEDecoder.dll

      Filesize

      1.6MB

      MD5

      d6a3fed112ab4e6bfe32cbe220dc225d

      SHA1

      bb9190ee490c46959e2bc192009f7773222dfa12

      SHA256

      8d89d4282f514acf2d7ef3ff7a618bbd513a84538ad309f2a48bff77c202bd58

      SHA512

      043b866e32db62bf8deb4ad9aa896b8274813cf1e6e4e575a3afc595893b5e5265a0430f6a1010c80db955114a0f9d9c3f4e0b3ee47b3323fb2bbcda5b6b7f61

    • C:\ProgramData\OuNKjE\longlq.cl

      Filesize

      1.2MB

      MD5

      6652b3a6e7290de3f12a5f94b9b72b8c

      SHA1

      4702a4305f14c8437787343de339fa4f0a4b4d75

      SHA256

      946d9c70c3ae9d8b22530a844547494c60668a6a3b0cf4e25f84f03a0781743e

      SHA512

      38950c74297de0820ba606680ad74252dc0f8a4c9d46bdb73b903da55ab7b243a4ae7fa6812f026d2b4ec47b8000454e944be587cb788d592ab30d3848b77d34

    • C:\Users\Admin\AppData\Roaming\OuNKj.zip

      Filesize

      655B

      MD5

      34ee9ebcefc5604fba3f892b7a061c75

      SHA1

      f86cedb3f00b9caea7678eb13086647d9a278adb

      SHA256

      717ef68df0c74408fa348d1f416aa170d6409210a88d042edf5029606c0b04fa

      SHA512

      19fbb8ec7fb45228b1d6e239183443feee7d36362c48f88218c7e2126321344d04550715d0388e70fa5b4e0f1ed12a7112013abb75116bdeec4df2474c7d4d41

    • C:\Users\Admin\AppData\Roaming\OuNKjE.exe

      Filesize

      105KB

      MD5

      6b8ebc942fe392c669b0b21bc8f83a03

      SHA1

      18fb9645a7365ae17b8386e47bec0b5ba6f5122f

      SHA256

      e5a35deff01c93f658ab8c4192570ad9ae5ffaa4f5f6d1b4db99f176bf5bdbe7

      SHA512

      0953d528c5d07b22fa0a969c98d569cf68e58450e1fc0179ddb2068cb4c429d23044a71005fd0daebe7e0c896c5a7598c5329e4c040be9099dfb1e62a2686589

    • C:\Users\Admin\Desktop\OuNK.lnk

      Filesize

      948B

      MD5

      5e2ad5aea8429c5abf9b1e78b311b693

      SHA1

      9ad4de23eae7a9c8629027523481b510b8f7f985

      SHA256

      893271baff52758c60a1457d2a047eb6368e70541aab48bc95305d5840a55a01

      SHA512

      fa6049b56bdaa263183eb61f1ddf6b9cc9069cc52e1cd09fbd888286be9d5054b48b3abfd805007299e3f9dfd178debaf4ccee93b5bd0f03bef7f3852b51bdcb

    • C:\Users\Admin\Desktop\OuNK.lnk

      Filesize

      1KB

      MD5

      fef7f95af8a5dc98eb9d1a98e4a98ed6

      SHA1

      8a98ab3a17e85cfc54c4726000120656d1118bb7

      SHA256

      ae28d26c09cc26390c01d29f0a9b61a359daaa9145478108154ab0d51c032f57

      SHA512

      06c66c967269b04279e2f38100fc16e0298a05a732feb66f94d3290de822bedc31ad6b902e4b0719283496f99a0c185a7cf67ffc2cc67f5d668c78e9e9b1a26c

    • memory/1056-39-0x0000000002E40000-0x0000000002E6A000-memory.dmp

      Filesize

      168KB

    • memory/1852-23-0x0000000000400000-0x0000000000428000-memory.dmp

      Filesize

      160KB

    • memory/4552-0-0x0000000002410000-0x00000000027F6000-memory.dmp

      Filesize

      3.9MB

    • memory/4552-35-0x0000000000400000-0x0000000000890000-memory.dmp

      Filesize

      4.6MB

    • memory/4552-36-0x0000000002410000-0x00000000027F6000-memory.dmp

      Filesize

      3.9MB