Analysis
- max time kernel: 30s
- max time network: 142s
- platform: windows7_x64
- resource: win7-20230220-en
- resource tags: arch:x64, arch:x86, image:win7-20230220-en, locale:en-us, os:windows7-x64, system
- submitted: 24/04/2023, 06:50
Behavioral task: behavioral1
- Sample: d62edf919a26a936e142b18a1a1b9474.exe
- Resource: win7-20230220-en
Behavioral task: behavioral2
- Sample: d62edf919a26a936e142b18a1a1b9474.exe
- Resource: win10v2004-20230220-en
General
- Target: d62edf919a26a936e142b18a1a1b9474.exe
- Size: 3.9MB
- MD5: d62edf919a26a936e142b18a1a1b9474
- SHA1: 375dc8ca18af2ccdefae012b3cca79f122a625e9
- SHA256: 368ef81f1e2fb7b031f05151a66bdcc17aa4953ad9ed706dcb203ebb2f3735db
- SHA512: ece23038984e7e138c3a7924c38e1f73db2ff2018acc8378a88452ec7c511b9613eadd265af28c9aa18b0fdf712e592c7eb1603c1bf7745e158b9357957e92e6
- SSDEEP: 98304:9iEFSokDB4zhAnVL3urhAZOewzkTvQGbGGZNNwySSV4J:xMoU0A9qhAczkT7bd7NwySQ4J
Malware Config
Signatures
-
FatalRat
FatalRat is a modular infostealer family written in C++, first seen in June 2021.
-
Fatal Rat payload 4 IoCs
  resource                                                                      yara_rule
  behavioral1/memory/1712-57-0x0000000010000000-0x000000001002A000-memory.dmp   fatalrat
  behavioral1/memory/1712-72-0x0000000000400000-0x0000000000D50000-memory.dmp   fatalrat
  behavioral1/memory/1992-79-0x0000000010000000-0x000000001002A000-memory.dmp   fatalrat
  behavioral1/memory/1992-84-0x0000000000400000-0x0000000000D50000-memory.dmp   fatalrat
-
Executes dropped EXE 1 IoCs
  pid   Process
  1992  d62edf919a26a936e142b18a1a1b9474.exe
-
Loads dropped DLL 2 IoCs
  pid   Process
  1712  d62edf919a26a936e142b18a1a1b9474.exe
  1712  d62edf919a26a936e142b18a1a1b9474.exe
-
  resource                                                                      yara_rule
  behavioral1/memory/1712-54-0x0000000000400000-0x0000000000D50000-memory.dmp   vmprotect
  behavioral1/memory/1712-55-0x0000000000400000-0x0000000000D50000-memory.dmp   vmprotect
  behavioral1/files/0x000500000000b46e-65.dat                                   vmprotect
  behavioral1/memory/1712-72-0x0000000000400000-0x0000000000D50000-memory.dmp   vmprotect
  behavioral1/files/0x000500000000b46e-68.dat                                   vmprotect
  behavioral1/files/0x000500000000b46e-67.dat                                   vmprotect
  behavioral1/files/0x000500000000b46e-74.dat                                   vmprotect
  behavioral1/files/0x000500000000b46e-73.dat                                   vmprotect
  behavioral1/memory/1992-75-0x0000000000400000-0x0000000000D50000-memory.dmp   vmprotect
  behavioral1/memory/1992-76-0x0000000000400000-0x0000000000D50000-memory.dmp   vmprotect
  behavioral1/memory/1992-77-0x0000000000400000-0x0000000000D50000-memory.dmp   vmprotect
  behavioral1/memory/1992-84-0x0000000000400000-0x0000000000D50000-memory.dmp   vmprotect
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
  description   ioc                                                                  Process
  Key value queried   \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz   d62edf919a26a936e142b18a1a1b9474.exe
  Key opened          \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0        d62edf919a26a936e142b18a1a1b9474.exe
-
Suspicious behavior: EnumeratesProcesses 51 IoCs
  pid   Process
  1992  d62edf919a26a936e142b18a1a1b9474.exe   (this identical row is listed 51 times in the report)
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
  description                 pid   Process
  Token: SeDebugPrivilege     1712  d62edf919a26a936e142b18a1a1b9474.exe
  Token: SeDebugPrivilege     1992  d62edf919a26a936e142b18a1a1b9474.exe
-
Suspicious use of WriteProcessMemory 4 IoCs
  description                         pid   Process                                 procid_target
  PID 1712 wrote to memory of 1992    1712  d62edf919a26a936e142b18a1a1b9474.exe    27
  PID 1712 wrote to memory of 1992    1712  d62edf919a26a936e142b18a1a1b9474.exe    27
  PID 1712 wrote to memory of 1992    1712  d62edf919a26a936e142b18a1a1b9474.exe    27
  PID 1712 wrote to memory of 1992    1712  d62edf919a26a936e142b18a1a1b9474.exe    27
Processes
- C:\Users\Admin\AppData\Local\Temp\d62edf919a26a936e142b18a1a1b9474.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\d62edf919a26a936e142b18a1a1b9474.exe"
  PID: 1712
  - Loads dropped DLL
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\d62edf919a26a936e142b18a1a1b9474.exe (child of PID 1712)
    Command line: "C:\Users\Admin\AppData\Local\d62edf919a26a936e142b18a1a1b9474.exe"
    PID: 1992
    - Executes dropped EXE
    - Checks processor information in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
-
Network
MITRE ATT&CK Enterprise v6
Downloads
-
Filesize: 3.9MB
MD5: d62edf919a26a936e142b18a1a1b9474
SHA1: 375dc8ca18af2ccdefae012b3cca79f122a625e9
SHA256: 368ef81f1e2fb7b031f05151a66bdcc17aa4953ad9ed706dcb203ebb2f3735db
SHA512: ece23038984e7e138c3a7924c38e1f73db2ff2018acc8378a88452ec7c511b9613eadd265af28c9aa18b0fdf712e592c7eb1603c1bf7745e158b9357957e92e6