Analysis
- max time kernel: 150s
- max time network: 150s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 02-12-2024 04:09
Static task: static1
Behavioral task: behavioral1
- Sample: 24b31819e09dd8eaa1c26a08c1a4e7ae55063c7ebb3dbd0273968d13a4f0d0e3.exe
- Resource: win7-20240903-en
Behavioral task: behavioral2
- Sample: 24b31819e09dd8eaa1c26a08c1a4e7ae55063c7ebb3dbd0273968d13a4f0d0e3.exe
- Resource: win10v2004-20241007-en
General
- Target: 24b31819e09dd8eaa1c26a08c1a4e7ae55063c7ebb3dbd0273968d13a4f0d0e3.exe
- Size: 4.5MB
- MD5: 0b002ffd1ba0c617cfd6f25f75d8432e
- SHA1: 9a102e169744d9a28e575efecadc53b9d77fb751
- SHA256: 24b31819e09dd8eaa1c26a08c1a4e7ae55063c7ebb3dbd0273968d13a4f0d0e3
- SHA512: 52236ec4b8d3df89a7c60937c8d886ca05285cd77e639b731075368ef6bf80f973ae978d24123127d3785c8254f718c0556dc6b55be9355c4ac77bfb88f7172b
- SSDEEP: 49152:9YJMpJc32PMgJjQhGp7fOU3h1hyiTrMIx7Rtpb68N54+97boAXuE+OPnmr7DvjZd:9Og51Mgr/txTbV7+6W
Malware Config
Signatures
FatalRat
FatalRat is a modular infostealer family written in C++ first appearing in June 2021.

Fatalrat family

Fatal Rat payload 1 IoCs
Processes:
- resource: behavioral2/memory/1056-39-0x0000000002E40000-0x0000000002E6A000-memory.dmp, yara_rule: fatalrat
Drops startup file 2 IoCs
Processes: OuNKjE.exe
- File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Macromedia-Packages.lnk (OuNKjE.exe)
- File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Macromedia-Packages.lnk (OuNKjE.exe)
Executes dropped EXE 2 IoCs
Processes: OuNKjE.exe, OuNKjE.exe
- PID 1852 OuNKjE.exe
- PID 1056 OuNKjE.exe

Loads dropped DLL 1 IoCs
Processes: OuNKjE.exe
- PID 1056 OuNKjE.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery 1 TTPs 2 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes: OuNKjE.exe, OuNKjE.exe
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (OuNKjE.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (OuNKjE.exe)
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes: OuNKjE.exe
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz (OuNKjE.exe)
- Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 (OuNKjE.exe)
Modifies data under HKEY_USERS 10 IoCs
Processes: cmd.exe
- Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached (cmd.exe)
- Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer (cmd.exe)
- Set value (data): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\SlowContextMenuEntries = 6024b221ea3a6910a2dc08002b30309d6e0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 (cmd.exe)
- Set value (data): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\SlowContextMenuEntries = 6024b221ea3a6910a2dc08002b30309d6e0000000114020000000000c0000000000000466e000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 (cmd.exe)
- Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ (cmd.exe)
- Set value (int): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" (cmd.exe)
- Set value (int): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" (cmd.exe)
- Set value (data): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{00021401-0000-0000-C000-000000000046} {000214E4-0000-0000-C000-000000000046} 0xFFFF = 0100000000000000bf0c4ef76f44db01 (cmd.exe)
- Set value (int): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" (cmd.exe)
- Set value (int): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" (cmd.exe)
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes: 24b31819e09dd8eaa1c26a08c1a4e7ae55063c7ebb3dbd0273968d13a4f0d0e3.exe, OuNKjE.exe
- PID 4552 24b31819e09dd8eaa1c26a08c1a4e7ae55063c7ebb3dbd0273968d13a4f0d0e3.exe (6 repeated entries)
- PID 1056 OuNKjE.exe (58 repeated entries)
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes: OuNKjE.exe
- Token: SeDebugPrivilege, PID 1056 OuNKjE.exe
- Token: SeDebugPrivilege, PID 1056 OuNKjE.exe
Suspicious use of SetWindowsHookEx 6 IoCs
Processes: wordpad.exe, OuNKjE.exe
- PID 1680 wordpad.exe (5 repeated entries)
- PID 1056 OuNKjE.exe
Suspicious use of WriteProcessMemory 12 IoCs
Processes: 24b31819e09dd8eaa1c26a08c1a4e7ae55063c7ebb3dbd0273968d13a4f0d0e3.exe, write.exe, cmd.exe, cmd.exe
(description; pid; Process; procid_target)
- PID 4552 wrote to memory of 3660; 4552; 24b31819e09dd8eaa1c26a08c1a4e7ae55063c7ebb3dbd0273968d13a4f0d0e3.exe; 87 (2 repeated entries)
- PID 3660 wrote to memory of 1680; 3660; write.exe; 89 (2 repeated entries)
- PID 1300 wrote to memory of 1852; 1300; cmd.exe; 92 (3 repeated entries)
- PID 4552 wrote to memory of 3060; 4552; 24b31819e09dd8eaa1c26a08c1a4e7ae55063c7ebb3dbd0273968d13a4f0d0e3.exe; 98 (2 repeated entries)
- PID 3060 wrote to memory of 1056; 3060; cmd.exe; 99 (3 repeated entries)
Processes
- C:\Users\Admin\AppData\Local\Temp\24b31819e09dd8eaa1c26a08c1a4e7ae55063c7ebb3dbd0273968d13a4f0d0e3.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\24b31819e09dd8eaa1c26a08c1a4e7ae55063c7ebb3dbd0273968d13a4f0d0e3.exe"
  PID: 4552
  Signatures:
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
  - C:\Windows\System32\write.exe
    Command line: "C:\Windows\System32\write.exe"
    PID: 3660
    Signatures:
      - Suspicious use of WriteProcessMemory
    - C:\Program Files\Windows NT\Accessories\wordpad.exe
      Command line: "C:\Program Files\Windows NT\Accessories\wordpad.exe"
      PID: 1680
      Signatures:
        - Suspicious use of SetWindowsHookEx
  - C:\Windows\System32\cmd.exe
    Command line: cmd /c start "" "C:\ProgramData\OuNKjE\OuNKjE.exe"
    PID: 3060
    Signatures:
      - Suspicious use of WriteProcessMemory
    - C:\ProgramData\OuNKjE\OuNKjE.exe
      Command line: "C:\ProgramData\OuNKjE\OuNKjE.exe"
      PID: 1056
      Signatures:
        - Executes dropped EXE
        - Loads dropped DLL
        - System Location Discovery: System Language Discovery
        - Checks processor information in registry
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of SetWindowsHookEx
- C:\Windows\system32\cmd.exe
  Command line: cmd /c start C:\Users\Admin\Desktop\OuNK.lnk
  PID: 1300
  Signatures:
    - Modifies data under HKEY_USERS
    - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Roaming\OuNKjE.exe
    Command line: "C:\Users\Admin\AppData\Roaming\OuNKjE.exe" -n C:\Users\Admin\AppData\Roaming\OuNKj.zip -d C:\Users\Admin\AppData\Roaming
    PID: 1852
    Signatures:
      - Drops startup file
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
- C:\Windows\system32\svchost.exe
  Command line: C:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc
  PID: 2272
Network
MITRE ATT&CK Enterprise v15
Downloads