Analysis

  • max time kernel
    147s
  • max time network
    152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64
    arch:x86
    image:win10v2004-20241007-en
    locale:en-us
    os:windows10-2004-x64
    system
  • submitted
    02-12-2024 17:06

General

  • Target

    563f31f303446a6ddab50a027b3a66cad2da2ddb33c9b8eba16a62a2e73baf1e.exe

  • Size

    4.4MB

  • MD5

    47febfc18d8ac366531eb57487a46beb

  • SHA1

    bce07154cc505d99dcc95ad2167d7979692af0b7

  • SHA256

    563f31f303446a6ddab50a027b3a66cad2da2ddb33c9b8eba16a62a2e73baf1e

  • SHA512

    397cc52d7ca018a982602c0857779e80ca4d46b8f75fb7bd27515cc954343fe5303ec8f22bca3f6a4f9c621831429dbaa9dc718463d0db7df55056b7c32bc123

  • SSDEEP

    49152:9YJMpJc32PMgJjQhGp7fOU3h1hyiTrMIx7Rtpb68N54+97boAXuE+OPnmr7DvjZV:9Og51Mgr/txTbV7+6

Malware Config

Signatures

  • FatalRat

    FatalRat is a modular infostealer family written in C++ that first appeared in June 2021.

  • Fatalrat family
  • Fatal Rat payload 1 IoCs
  • Drops startup file 2 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempts to gather information about the system language of the victim host in order to infer its geographical location.

  • Modifies data under HKEY_USERS 10 IoCs
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of SetWindowsHookEx 6 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\563f31f303446a6ddab50a027b3a66cad2da2ddb33c9b8eba16a62a2e73baf1e.exe
    "C:\Users\Admin\AppData\Local\Temp\563f31f303446a6ddab50a027b3a66cad2da2ddb33c9b8eba16a62a2e73baf1e.exe"
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:1912
    • C:\Windows\System32\write.exe
      "C:\Windows\System32\write.exe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4884
      • C:\Program Files\Windows NT\Accessories\wordpad.exe
        "C:\Program Files\Windows NT\Accessories\wordpad.exe"
        3⤵
        • Suspicious use of SetWindowsHookEx
        PID:4416
    • C:\Windows\System32\cmd.exe
      cmd /c start "" "C:\ProgramData\PAlLPS\PAlLPS.exe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4352
      • C:\ProgramData\PAlLPS\PAlLPS.exe
        "C:\ProgramData\PAlLPS\PAlLPS.exe"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        PID:864
  • C:\Windows\system32\cmd.exe
    cmd /c start C:\Users\Admin\Desktop\PAlL.lnk
    1⤵
    • Modifies data under HKEY_USERS
    • Suspicious use of WriteProcessMemory
    PID:1012
    • C:\Users\Admin\AppData\Roaming\PAlLPS.exe
      "C:\Users\Admin\AppData\Roaming\PAlLPS.exe" -n C:\Users\Admin\AppData\Roaming\PAlLP.zip -d C:\Users\Admin\AppData\Roaming
      2⤵
      • Drops startup file
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:1712
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc
    1⤵
      PID:4540

    Network

    MITRE ATT&CK Enterprise v15

    Downloads

    • C:\ProgramData\PAlLPS\PAlLPS.exe

      Filesize

      508KB

      MD5

      a79a2e0b7f299ab2f80ee8315679baee

      SHA1

      43d76adbcc19e4c8b60ffba419797a22b756e927

      SHA256

      0a804e7efe38d6eba358781597205519b936239e9daebcdf2f71c62c6a416f5c

      SHA512

      f246044eb82e2d4562081b0041ba2109cbda385b335b3bf10d3408acda6ae0c605ab1a522a7f5f363dfd6417e6825ff7d2831d42b8e4440d012fdf33ec605649

    • C:\ProgramData\PAlLPS\VEDecoder.dll

      Filesize

      1.6MB

      MD5

      d6a3fed112ab4e6bfe32cbe220dc225d

      SHA1

      bb9190ee490c46959e2bc192009f7773222dfa12

      SHA256

      8d89d4282f514acf2d7ef3ff7a618bbd513a84538ad309f2a48bff77c202bd58

      SHA512

      043b866e32db62bf8deb4ad9aa896b8274813cf1e6e4e575a3afc595893b5e5265a0430f6a1010c80db955114a0f9d9c3f4e0b3ee47b3323fb2bbcda5b6b7f61

    • C:\ProgramData\PAlLPS\longlq.cl

      Filesize

      1.2MB

      MD5

      6652b3a6e7290de3f12a5f94b9b72b8c

      SHA1

      4702a4305f14c8437787343de339fa4f0a4b4d75

      SHA256

      946d9c70c3ae9d8b22530a844547494c60668a6a3b0cf4e25f84f03a0781743e

      SHA512

      38950c74297de0820ba606680ad74252dc0f8a4c9d46bdb73b903da55ab7b243a4ae7fa6812f026d2b4ec47b8000454e944be587cb788d592ab30d3848b77d34

    • C:\Users\Admin\AppData\Roaming\PAlLP.zip

      Filesize

      649B

      MD5

      ea17527d20427beda4a99c004bade13b

      SHA1

      d5f977f129896241b27b2439c8627a963e0a0d04

      SHA256

      bea325d7e5d1ebdc4ba69704194c2923946d22a4826cadf8254993eecd372fc8

      SHA512

      a55903e9f774d046ac3a179a38830f54c1c683cf669fd726a4b6000ac9b6a63cad416d5c18d811f43e5cd1655f9701004b4d13d2212cd40232cfd8469b32af81

    • C:\Users\Admin\AppData\Roaming\PAlLPS.exe

      Filesize

      105KB

      MD5

      6b8ebc942fe392c669b0b21bc8f83a03

      SHA1

      18fb9645a7365ae17b8386e47bec0b5ba6f5122f

      SHA256

      e5a35deff01c93f658ab8c4192570ad9ae5ffaa4f5f6d1b4db99f176bf5bdbe7

      SHA512

      0953d528c5d07b22fa0a969c98d569cf68e58450e1fc0179ddb2068cb4c429d23044a71005fd0daebe7e0c896c5a7598c5329e4c040be9099dfb1e62a2686589

    • C:\Users\Admin\Desktop\PAlL.lnk

      Filesize

      948B

      MD5

      d21ef153a58bdfe7ff997f39e39bcc07

      SHA1

      5659a615284d4b319c73ea2dd2a90ecbfc242338

      SHA256

      00c44de19df5ef526eff92990ec5d37cbe450a97821abf1708ed95fa0881b9a3

      SHA512

      0f5cab6e202fe2102152913607b45ddc58b0aef13f18f4c11887e5b8429ded89be49a4f35a8053c0a674593654d9fbaa7da8951ea80d219c29a5ebae7e28f5ab

    • C:\Users\Admin\Desktop\PAlL.lnk

      Filesize

      1KB

      MD5

      3288755da603de96474fef5604f5fc01

      SHA1

      bcfdd8f978f00a1a96c640752aa31f1373e1140f

      SHA256

      7a3119a3713432856026b1425ec0d6fd7ef8c6e6e333dfc4ba5ad9a341996379

      SHA512

      9d1c7dbc659dd03e86d327aa107bd77eff8dc726814adabc9a51312c08bae1544c8f4d6d0439cf79349fd1f9bbb7b230497380f71138377c23bf0078ef5dbadf

    • memory/864-39-0x00000000026D0000-0x00000000026FA000-memory.dmp

      Filesize

      168KB

    • memory/1712-23-0x0000000000400000-0x0000000000428000-memory.dmp

      Filesize

      160KB

    • memory/1912-0-0x0000000002420000-0x0000000002806000-memory.dmp

      Filesize

      3.9MB

    • memory/1912-36-0x0000000002420000-0x0000000002806000-memory.dmp

      Filesize

      3.9MB

    • memory/1912-35-0x0000000000400000-0x0000000000890000-memory.dmp

      Filesize

      4.6MB
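The process tree and the Downloads list above give a practitioner enough to write hunt logic: cmd.exe `start`-ing a dropped executable under C:\ProgramData, cmd.exe `start`-ing a Desktop .lnk, an AppData\Roaming helper invoked as `-n <archive.zip> -d <dir>`, a Temp-resident executable spawning write.exe/wordpad.exe, and the SHA256 values of the dropped files. The script below is an added example (not part of the sandbox report and not the report vendor's code) that runs those rules over constructed Sysmon-style process-creation records modelled on the report's tree. The field names (ProcessId, ParentImage, Image, CommandLine, Hashes) are assumed to follow the Sysmon Event ID 1 layout, the parent of each depth-1 process is assumed to be explorer.exe because the report does not show it, and the notepad.exe record is a constructed benign control.

```python
"""Hunt rules for the execution chain in this sandbox report.

Added example, not the report's or any vendor's code. SAMPLE_EVENTS are
constructed records (Sysmon Event ID 1 field names assumed); PIDs, paths,
command lines and hashes are copied from the report, the explorer.exe parent
and the notepad.exe control record are assumptions.
"""
import re

# SHA256 values copied from the report's General and Downloads sections.
IOC_SHA256 = {
    "563f31f303446a6ddab50a027b3a66cad2da2ddb33c9b8eba16a62a2e73baf1e": "dropper",
    "0a804e7efe38d6eba358781597205519b936239e9daebcdf2f71c62c6a416f5c": "PAlLPS.exe (ProgramData)",
    "8d89d4282f514acf2d7ef3ff7a618bbd513a84538ad309f2a48bff77c202bd58": "VEDecoder.dll",
    "946d9c70c3ae9d8b22530a844547494c60668a6a3b0cf4e25f84f03a0781743e": "longlq.cl",
    "e5a35deff01c93f658ab8c4192570ad9ae5ffaa4f5f6d1b4db99f176bf5bdbe7": "PAlLPS.exe (Roaming)",
}

DROPPER = r"C:\Users\Admin\AppData\Local\Temp\563f31f303446a6ddab50a027b3a66cad2da2ddb33c9b8eba16a62a2e73baf1e.exe"
EXPLORER = r"C:\Windows\explorer.exe"  # assumed parent; the report does not show it

# Constructed events mirroring the report's process tree, plus one benign control (PID 2000).
SAMPLE_EVENTS = [
    {"ProcessId": 1912, "ParentImage": EXPLORER, "Image": DROPPER, "CommandLine": f'"{DROPPER}"',
     "Hashes": "SHA256=563f31f303446a6ddab50a027b3a66cad2da2ddb33c9b8eba16a62a2e73baf1e"},
    {"ProcessId": 4884, "ParentImage": DROPPER, "Image": r"C:\Windows\System32\write.exe",
     "CommandLine": r'"C:\Windows\System32\write.exe"'},
    {"ProcessId": 4416, "ParentImage": r"C:\Windows\System32\write.exe",
     "Image": r"C:\Program Files\Windows NT\Accessories\wordpad.exe",
     "CommandLine": r'"C:\Program Files\Windows NT\Accessories\wordpad.exe"'},
    {"ProcessId": 4352, "ParentImage": DROPPER, "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'cmd /c start "" "C:\ProgramData\PAlLPS\PAlLPS.exe"'},
    {"ProcessId": 864, "ParentImage": r"C:\Windows\System32\cmd.exe",
     "Image": r"C:\ProgramData\PAlLPS\PAlLPS.exe", "CommandLine": r'"C:\ProgramData\PAlLPS\PAlLPS.exe"',
     "Hashes": "SHA256=0a804e7efe38d6eba358781597205519b936239e9daebcdf2f71c62c6a416f5c"},
    {"ProcessId": 1012, "ParentImage": EXPLORER, "Image": r"C:\Windows\system32\cmd.exe",
     "CommandLine": r"cmd /c start C:\Users\Admin\Desktop\PAlL.lnk"},
    {"ProcessId": 1712, "ParentImage": r"C:\Windows\system32\cmd.exe",
     "Image": r"C:\Users\Admin\AppData\Roaming\PAlLPS.exe",
     "CommandLine": r'"C:\Users\Admin\AppData\Roaming\PAlLPS.exe" -n C:\Users\Admin\AppData\Roaming\PAlLP.zip -d C:\Users\Admin\AppData\Roaming',
     "Hashes": "SHA256=e5a35deff01c93f658ab8c4192570ad9ae5ffaa4f5f6d1b4db99f176bf5bdbe7"},
    {"ProcessId": 2000, "ParentImage": EXPLORER, "Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": r'"C:\Windows\System32\notepad.exe" notes.txt'},  # constructed benign control
]


def _name(path):
    """Lower-cased basename of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def _sha256(ev):
    m = re.search(r"SHA256=([0-9a-fA-F]{64})", ev.get("Hashes", ""))
    return m.group(1).lower() if m else None


def rule_known_hash(ev):
    return _sha256(ev) in IOC_SHA256


def rule_cmd_start_programdata_exe(ev):
    # cmd.exe "start" of an executable under C:\ProgramData (PID 4352 in the report)
    return _name(ev["Image"]) == "cmd.exe" and re.search(
        r'\bstart\b.*C:\\ProgramData\\[^"\s]+\.exe', ev["CommandLine"], re.I) is not None


def rule_cmd_start_lnk(ev):
    # cmd.exe "start" of a shortcut file (PID 1012 launches the Desktop .lnk)
    return _name(ev["Image"]) == "cmd.exe" and re.search(
        r"\bstart\b.*\.lnk\b", ev["CommandLine"], re.I) is not None


def rule_roaming_exe_unpack(ev):
    # executable in AppData\Roaming invoked as "-n <archive.zip> -d <dir>" (PID 1712)
    return "\\appdata\\roaming\\" in ev["Image"].lower() and re.search(
        r"-n\s+\S+\.zip\s+-d\s+\S+", ev["CommandLine"], re.I) is not None


def rule_temp_parent_spawns_wordpad(ev):
    # write.exe is only a launcher for wordpad.exe; the anomaly is a parent living in Temp (PID 4884)
    return "\\appdata\\local\\temp\\" in ev["ParentImage"].lower() and _name(ev["Image"]) in ("write.exe", "wordpad.exe")


RULES = {
    "known_hash": rule_known_hash,
    "cmd_start_programdata_exe": rule_cmd_start_programdata_exe,
    "cmd_start_lnk": rule_cmd_start_lnk,
    "roaming_exe_unpack": rule_roaming_exe_unpack,
    "temp_parent_spawns_wordpad": rule_temp_parent_spawns_wordpad,
}


def scan(events):
    """Return {pid: sorted rule names} for every event that trips at least one rule."""
    hits = {}
    for ev in events:
        matched = sorted(name for name, rule in RULES.items() if rule(ev))
        if matched:
            hits[ev["ProcessId"]] = matched
    return hits


def dropper_chain_present(hits):
    """True when both launch paths from the report are seen: the ProgramData copy started via
    cmd, and the Roaming copy started through the Desktop .lnk with the -n/-d unpack arguments."""
    seen = {r for rules in hits.values() for r in rules}
    return {"cmd_start_programdata_exe", "cmd_start_lnk", "roaming_exe_unpack"} <= seen


if __name__ == "__main__":
    results = scan(SAMPLE_EVENTS)
    for pid, rules in results.items():
        print(pid, ", ".join(rules))
    print("chain present:", dropper_chain_present(results))
```

The hash rule is the brittle one (any rebuild of the dropped files defeats it); the behavioural rules are what survive a repack, and they are deliberately kept independent so a single cmd.exe `start` of a ProgramData executable is reported on its own even when the .lnk path is absent. The wordpad rule does not claim injection: the report only records WriteProcessMemory use, so the rule flags the unusual parent and leaves the verdict to the analyst.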