003ace97463c139fb1d6c53909c5dac9ffd958a698330a817bc268e6131182c5

General

Target

Fatality.exe
Size

3.2MB
MD5

314375a212ba4f9038c454820d9c5cad
SHA1

2ce6451c052f88a9c0bddad5f23bc3253cb972bd
SHA256

003ace97463c139fb1d6c53909c5dac9ffd958a698330a817bc268e6131182c5
SHA512

31dcee114b402cded2bcc1f0589963b835e97dd9b2d173aad2ddf1afd72874e335f75bd2d08d2c14ef90334f4d7d01fe0830503479292e7b1d6938c2781eeaf8
SSDEEP

98304:dSSniwJ8BPhwpzMda5oyqo7UrstRTJjyPv+I:8+WwpzMw5zqo7UrsDt2PH

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
3020	fatality.exe

Loads dropped DLL 2 IoCs

pid	Process
2220	Fatality.exe
2220	Fatality.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x000800000001656f-6.dat	upx
behavioral1/files/0x000800000001656f-12.dat	upx
behavioral1/memory/3020-15-0x0000000001300000-0x0000000001E24000-memory.dmp	upx
behavioral1/files/0x000800000001656f-11.dat	upx
behavioral1/files/0x000800000001656f-8.dat	upx

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Resources\Themes\icsys.icn.exe	Fatality.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fatality.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fatality.exe

Suspicious behavior: EnumeratesProcesses 16 IoCs

pid	Process
2220	Fatality.exe
2220	Fatality.exe
2220	Fatality.exe
2220	Fatality.exe
2220	Fatality.exe
2220	Fatality.exe
2220	Fatality.exe
2220	Fatality.exe
2220	Fatality.exe
2220	Fatality.exe
2220	Fatality.exe
2220	Fatality.exe
2220	Fatality.exe
2220	Fatality.exe
2220	Fatality.exe
2220	Fatality.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2220	Fatality.exe
2220	Fatality.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2220 wrote to memory of 3020	2220	Fatality.exe	30
PID 2220 wrote to memory of 3020	2220	Fatality.exe	30
PID 2220 wrote to memory of 3020	2220	Fatality.exe	30
PID 2220 wrote to memory of 3020	2220	Fatality.exe	30

C:\Users\Admin\AppData\Local\Temp\Fatality.exe
"C:\Users\Admin\AppData\Local\Temp\Fatality.exe"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2220
- \??\c:\users\admin\appdata\local\temp\fatality.exe
  c:\users\admin\appdata\local\temp\fatality.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3020
- C:\Windows\Resources\Themes\icsys.icn.exe
  C:\Windows\Resources\Themes\icsys.icn.exe
  2⤵
  PID:2964

C:\Windows\Explorer.exe
C:\Windows\Explorer.exe
1⤵
PID:2696

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\fatality.exe

Filesize
2.7MB

MD5
e767833f2a0dd364f72246d4d76ec5bf

SHA1
68037b5f8cae9b07687869a6ca2aa2b79480e09f

SHA256
188f66887b2d322f6fa9b75e66acfbe9c8e215dacc2477445471a36cae57a793

SHA512
8ddfbd8e6fb1c515abcf7de83d67885f00d4dcd91b5c5820330e5d5996ef9214e81b5e3b91567b358357294b74478c831b15a1167bae6f25956416e31c93dc54

Download Submit
C:\Users\Admin\AppData\Local\Temp\fatality.exe

Filesize
2.6MB

MD5
4dee1ea3dc7c3447608386aa7177af2e

SHA1
03d247f686ecbaa85dfb0f9a0c12f802b91991db

SHA256
86d09030cbf2c229ba110f9219c5deb48c8bac158933e5b383064fe86200b9c9

SHA512
c1a9892b380bfb9001667efd792e6b3123906d35ebe760d014bef8c7c2f0994794fcb66b69df8ac57a13ec0181c3ba1a26440885dae9a1053ac200976a1ec6f4

Download Submit
C:\Windows\Resources\Themes\explorer.exe

Filesize
135KB

MD5
a64f10b2a6453d079d8ba0471fdad8d7

SHA1
10a844181d6d31c8f673c4e243143eb39d83f750

SHA256
93cb78ee8268147fe20e829d4de11c9379c9565b9067693641c99f9e24a27069

SHA512
618ad909737b43bc15b563e9e77ae093fe3439933cdae12304c9b7adbce7df25093da8f357a717c4d92c81fc45a7da1fa14677d538cb3b928a50c56774aad0f4

Download Submit
C:\Windows\Resources\Themes\icsys.icn.exe

Filesize
135KB

MD5
17e0d90ebfbebf56ac506ee1a002847c

SHA1
402113658d691f85cb6dbe25ac84758b4270ae5d

SHA256
84af98e0d210367def7265aa7f8393e4a52253522c00919c795bd8aed2180485

SHA512
0657b0d7e77cf915f6cc4bf1505f65461e38a1186f9c04fe727f6fcb510645d94bf17e38a51c079d034d42402980b076d1a19c3aea31fca466bb96d6f9aa6f3a

Download Submit
C:\Windows\Resources\spoolsv.exe

Filesize
135KB

MD5
8e37c8f708839611e03123a0e2f277bf

SHA1
c988d7800be53f27e97d3db8afdd1f2722d16da4

SHA256
bfbcdecde6e6a4f30fe5dfadfc3ece7b06368a27c68909f34f655b8cf6bf1ff6

SHA512
f55c40ef08e2156fda42c2c8f6377bc4cc51158dc9037fceccf1218cec5e78cfe685b2a940275a4674d6b25ca5690eb8b29a3ef90f1d0c92e19f29eaab118d95

Download Submit
\??\c:\windows\resources\svchost.exe

Filesize
135KB

MD5
89c5082605e319c1285ba2c1476eb914

SHA1
e2ceebc4eb6514ff34336f60f0fdb829daedf726

SHA256
5b1055f02cf39c29b7c7941e505ea525d15d3643c4ba30a7643f2c88f6f01aa1

SHA512
9c1e7dda22aed7313b873374664071525c77aba639442c644f9b13320dc1300bbf6066df4abba3d36c66d39f524b8e88064ab52138b470e25ab0da19c20f82f2

Download Submit
\Users\Admin\AppData\Local\Temp\fatality.exe

Filesize
2.5MB

MD5
60b5ba281d28d41376631521e32f63a7

SHA1
df469d32391c1dde0255b603a25e65b3c0ed331f

SHA256
12cfa2842b3c65ee5ad6cee6bff2202b74c386f54815d83229a4aca366035ba5

SHA512
7d21c2b4264967b42d2e7228f1bd7c5d36b86509a7c192689cf6bf3831b5d8a8bbec1ab54a72f4b48ef75530f55c6570221cd35afdc7b96d0dac4b7e535dd180

Download Submit
\Users\Admin\AppData\Local\Temp\fatality.exe

Filesize
2.9MB

MD5
0d11377e425854997a725e8b3aef4c04

SHA1
364b68a5b5f2c84e9b4299d462d6027aec0fb75e

SHA256
bb877253ea4af8496271d17988615355aa26994bb63b0875efaac8a33a9b23ac

SHA512
ee63a4a735a046dcd98da6f504b4591aaa62fd7adf51b2979d24994475fc115b70d14998e21881018100cca952462e4a91a779d8c5f850ea7caa17b664885f66

Download Submit
memory/2220-13-0x0000000002C40000-0x0000000003764000-memory.dmp

Filesize
11.1MB

Download
memory/2220-19-0x0000000000330000-0x000000000034F000-memory.dmp

Filesize
124KB

Download
memory/2220-14-0x0000000002C40000-0x0000000003764000-memory.dmp

Filesize
11.1MB

Download
memory/2220-0-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2712-65-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2820-64-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2904-61-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3020-15-0x0000000001300000-0x0000000001E24000-memory.dmp

Filesize
11.1MB

Download

Analysis

Sharing