Analysis
max time kernel: 147s
max time network: 152s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system
submitted: 02-12-2024 17:06
Static task: static1
Behavioral task: behavioral1
  Sample: 563f31f303446a6ddab50a027b3a66cad2da2ddb33c9b8eba16a62a2e73baf1e.exe
  Resource: win7-20241010-en
Behavioral task: behavioral2
  Sample: 563f31f303446a6ddab50a027b3a66cad2da2ddb33c9b8eba16a62a2e73baf1e.exe
  Resource: win10v2004-20241007-en
General
Target: 563f31f303446a6ddab50a027b3a66cad2da2ddb33c9b8eba16a62a2e73baf1e.exe
Size: 4.4MB
MD5: 47febfc18d8ac366531eb57487a46beb
SHA1: bce07154cc505d99dcc95ad2167d7979692af0b7
SHA256: 563f31f303446a6ddab50a027b3a66cad2da2ddb33c9b8eba16a62a2e73baf1e
SHA512: 397cc52d7ca018a982602c0857779e80ca4d46b8f75fb7bd27515cc954343fe5303ec8f22bca3f6a4f9c621831429dbaa9dc718463d0db7df55056b7c32bc123
SSDEEP: 49152:9YJMpJc32PMgJjQhGp7fOU3h1hyiTrMIx7Rtpb68N54+97boAXuE+OPnmr7DvjZV:9Og51Mgr/txTbV7+6
Malware Config
Signatures
- FatalRat
  FatalRat is a modular infostealer family written in C++ first appearing in June 2021.
- Fatalrat family
- Fatal Rat payload (1 IoCs)
  Processes:
  resource | yara_rule
  behavioral2/memory/864-39-0x00000000026D0000-0x00000000026FA000-memory.dmp | fatalrat
- Drops startup file (2 IoCs)
  Processes: PAlLPS.exe
  description | ioc | Process
  File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Macromedia-Packages.lnk | PAlLPS.exe
  File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Macromedia-Packages.lnk | PAlLPS.exe
- Executes dropped EXE (2 IoCs)
  Processes: PAlLPS.exe, PAlLPS.exe
  pid | Process
  1712 | PAlLPS.exe
  864 | PAlLPS.exe
- Loads dropped DLL (1 IoCs)
  Processes: PAlLPS.exe
  pid | Process
  864 | PAlLPS.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- System Location Discovery: System Language Discovery (1 TTPs, 2 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Processes: PAlLPS.exe, PAlLPS.exe
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | PAlLPS.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | PAlLPS.exe
- Modifies data under HKEY_USERS (10 IoCs)
  Processes: cmd.exe
  description | ioc | Process
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer | cmd.exe
  Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\SlowContextMenuEntries = 6024b221ea3a6910a2dc08002b30309d6d0000000114020000000000c0000000000000468c000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | cmd.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | cmd.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" | cmd.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" | cmd.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached | cmd.exe
  Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{00021401-0000-0000-C000-000000000046} {000214E4-0000-0000-C000-000000000046} 0xFFFF = 01000000000000005826939adc44db01 | cmd.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" | cmd.exe
  Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\SlowContextMenuEntries = 6024b221ea3a6910a2dc08002b30309d6d0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | cmd.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" | cmd.exe
- Suspicious behavior: EnumeratesProcesses (6 IoCs)
  Processes: 563f31f303446a6ddab50a027b3a66cad2da2ddb33c9b8eba16a62a2e73baf1e.exe
  pid | Process
  1912 | 563f31f303446a6ddab50a027b3a66cad2da2ddb33c9b8eba16a62a2e73baf1e.exe
  1912 | 563f31f303446a6ddab50a027b3a66cad2da2ddb33c9b8eba16a62a2e73baf1e.exe
  1912 | 563f31f303446a6ddab50a027b3a66cad2da2ddb33c9b8eba16a62a2e73baf1e.exe
  1912 | 563f31f303446a6ddab50a027b3a66cad2da2ddb33c9b8eba16a62a2e73baf1e.exe
  1912 | 563f31f303446a6ddab50a027b3a66cad2da2ddb33c9b8eba16a62a2e73baf1e.exe
  1912 | 563f31f303446a6ddab50a027b3a66cad2da2ddb33c9b8eba16a62a2e73baf1e.exe
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes: PAlLPS.exe
  description | pid | Process
  Token: SeDebugPrivilege | 864 | PAlLPS.exe
  Token: SeDebugPrivilege | 864 | PAlLPS.exe
- Suspicious use of SetWindowsHookEx (6 IoCs)
  Processes: wordpad.exe, PAlLPS.exe
  pid | Process
  4416 | wordpad.exe
  4416 | wordpad.exe
  4416 | wordpad.exe
  4416 | wordpad.exe
  4416 | wordpad.exe
  864 | PAlLPS.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes: 563f31f303446a6ddab50a027b3a66cad2da2ddb33c9b8eba16a62a2e73baf1e.exe, write.exe, cmd.exe, cmd.exe
  description | pid | Process | procid_target
  PID 1912 wrote to memory of 4884 | 1912 | 563f31f303446a6ddab50a027b3a66cad2da2ddb33c9b8eba16a62a2e73baf1e.exe | 85
  PID 1912 wrote to memory of 4884 | 1912 | 563f31f303446a6ddab50a027b3a66cad2da2ddb33c9b8eba16a62a2e73baf1e.exe | 85
  PID 4884 wrote to memory of 4416 | 4884 | write.exe | 87
  PID 4884 wrote to memory of 4416 | 4884 | write.exe | 87
  PID 1012 wrote to memory of 1712 | 1012 | cmd.exe | 88
  PID 1012 wrote to memory of 1712 | 1012 | cmd.exe | 88
  PID 1012 wrote to memory of 1712 | 1012 | cmd.exe | 88
  PID 1912 wrote to memory of 4352 | 1912 | 563f31f303446a6ddab50a027b3a66cad2da2ddb33c9b8eba16a62a2e73baf1e.exe | 95
  PID 1912 wrote to memory of 4352 | 1912 | 563f31f303446a6ddab50a027b3a66cad2da2ddb33c9b8eba16a62a2e73baf1e.exe | 95
  PID 4352 wrote to memory of 864 | 4352 | cmd.exe | 96
  PID 4352 wrote to memory of 864 | 4352 | cmd.exe | 96
  PID 4352 wrote to memory of 864 | 4352 | cmd.exe | 96
Processes
C:\Users\Admin\AppData\Local\Temp\563f31f303446a6ddab50a027b3a66cad2da2ddb33c9b8eba16a62a2e73baf1e.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\563f31f303446a6ddab50a027b3a66cad2da2ddb33c9b8eba16a62a2e73baf1e.exe"
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID: 1912
  C:\Windows\System32\write.exe
    Command line: "C:\Windows\System32\write.exe"
    - Suspicious use of WriteProcessMemory
    PID: 4884
    C:\Program Files\Windows NT\Accessories\wordpad.exe
      Command line: "C:\Program Files\Windows NT\Accessories\wordpad.exe"
      - Suspicious use of SetWindowsHookEx
      PID: 4416
  C:\Windows\System32\cmd.exe
    Command line: cmd /c start "" "C:\ProgramData\PAlLPS\PAlLPS.exe"
    - Suspicious use of WriteProcessMemory
    PID: 4352
    C:\ProgramData\PAlLPS\PAlLPS.exe
      Command line: "C:\ProgramData\PAlLPS\PAlLPS.exe"
      - Executes dropped EXE
      - Loads dropped DLL
      - System Location Discovery: System Language Discovery
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of SetWindowsHookEx
      PID: 864
C:\Windows\system32\cmd.exe
  Command line: cmd /c start C:\Users\Admin\Desktop\PAlL.lnk
  - Modifies data under HKEY_USERS
  - Suspicious use of WriteProcessMemory
  PID: 1012
  C:\Users\Admin\AppData\Roaming\PAlLPS.exe
    Command line: "C:\Users\Admin\AppData\Roaming\PAlLPS.exe" -n C:\Users\Admin\AppData\Roaming\PAlLP.zip -d C:\Users\Admin\AppData\Roaming
    - Drops startup file
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID: 1712
C:\Windows\system32\svchost.exe
  Command line: C:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc
  PID: 4540
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 508KB
  MD5: a79a2e0b7f299ab2f80ee8315679baee
  SHA1: 43d76adbcc19e4c8b60ffba419797a22b756e927
  SHA256: 0a804e7efe38d6eba358781597205519b936239e9daebcdf2f71c62c6a416f5c
  SHA512: f246044eb82e2d4562081b0041ba2109cbda385b335b3bf10d3408acda6ae0c605ab1a522a7f5f363dfd6417e6825ff7d2831d42b8e4440d012fdf33ec605649
- Filesize: 1.6MB
  MD5: d6a3fed112ab4e6bfe32cbe220dc225d
  SHA1: bb9190ee490c46959e2bc192009f7773222dfa12
  SHA256: 8d89d4282f514acf2d7ef3ff7a618bbd513a84538ad309f2a48bff77c202bd58
  SHA512: 043b866e32db62bf8deb4ad9aa896b8274813cf1e6e4e575a3afc595893b5e5265a0430f6a1010c80db955114a0f9d9c3f4e0b3ee47b3323fb2bbcda5b6b7f61
- Filesize: 1.2MB
  MD5: 6652b3a6e7290de3f12a5f94b9b72b8c
  SHA1: 4702a4305f14c8437787343de339fa4f0a4b4d75
  SHA256: 946d9c70c3ae9d8b22530a844547494c60668a6a3b0cf4e25f84f03a0781743e
  SHA512: 38950c74297de0820ba606680ad74252dc0f8a4c9d46bdb73b903da55ab7b243a4ae7fa6812f026d2b4ec47b8000454e944be587cb788d592ab30d3848b77d34
- Filesize: 649B
  MD5: ea17527d20427beda4a99c004bade13b
  SHA1: d5f977f129896241b27b2439c8627a963e0a0d04
  SHA256: bea325d7e5d1ebdc4ba69704194c2923946d22a4826cadf8254993eecd372fc8
  SHA512: a55903e9f774d046ac3a179a38830f54c1c683cf669fd726a4b6000ac9b6a63cad416d5c18d811f43e5cd1655f9701004b4d13d2212cd40232cfd8469b32af81
- Filesize: 105KB
  MD5: 6b8ebc942fe392c669b0b21bc8f83a03
  SHA1: 18fb9645a7365ae17b8386e47bec0b5ba6f5122f
  SHA256: e5a35deff01c93f658ab8c4192570ad9ae5ffaa4f5f6d1b4db99f176bf5bdbe7
  SHA512: 0953d528c5d07b22fa0a969c98d569cf68e58450e1fc0179ddb2068cb4c429d23044a71005fd0daebe7e0c896c5a7598c5329e4c040be9099dfb1e62a2686589
- Filesize: 948B
  MD5: d21ef153a58bdfe7ff997f39e39bcc07
  SHA1: 5659a615284d4b319c73ea2dd2a90ecbfc242338
  SHA256: 00c44de19df5ef526eff92990ec5d37cbe450a97821abf1708ed95fa0881b9a3
  SHA512: 0f5cab6e202fe2102152913607b45ddc58b0aef13f18f4c11887e5b8429ded89be49a4f35a8053c0a674593654d9fbaa7da8951ea80d219c29a5ebae7e28f5ab
- Filesize: 1KB
  MD5: 3288755da603de96474fef5604f5fc01
  SHA1: bcfdd8f978f00a1a96c640752aa31f1373e1140f
  SHA256: 7a3119a3713432856026b1425ec0d6fd7ef8c6e6e333dfc4ba5ad9a341996379
  SHA512: 9d1c7dbc659dd03e86d327aa107bd77eff8dc726814adabc9a51312c08bae1544c8f4d6d0439cf79349fd1f9bbb7b230497380f71138377c23bf0078ef5dbadf