Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

3

5d3c3a3096...42.exe

windows7-x64

10

5d3c3a3096...42.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    153s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230220-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
  • submitted
    08/05/2023, 09:01

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    5d3c3a309604356d25cc4bb23a8caeef2be23171a930817301a5f66d33fe8f42.exe

  • Size

    1.3MB

  • MD5

    f3eab5e140210e0e4ff2ff625b2ffe21

  • SHA1

    610fa43452f5cde3800a2ca81ce14e36a1dd3d6c

  • SHA256

    5d3c3a309604356d25cc4bb23a8caeef2be23171a930817301a5f66d33fe8f42

  • SHA512

    98cfb85663ecf5165f979fb76ab3302ea071cd0c64a1762d24c8334000999859555cae345a7382d5819a6f923fd8cdf2fd8d4d2e68e863378c7576882cd6a568

  • SSDEEP

    24576:V5Jv9AJdTyl4pf97WzwSsQniCbqr0RwquvqryHFdYTZ/V:V5JVAJYl4pFyzwB6t63SyHFu99

Score
10/10
fatalratgh0stratevasioninfostealerratupx

Malware Config

Signatures

  • FatalRat

    FatalRat is a modular infostealer family written in C++ first appearing in June 2021.

    infostealerratfatalrat
  • Gh0st RAT payload 2 IoCs
  • Gh0strat

    Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.

    ratgh0strat
  • Fatal Rat payload 12 IoCs
    ratinfostealer
  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 2 IoCs
    evasion
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 2 IoCs
  • Identifies Wine through registry keys 2 TTPs 2 IoCs

    Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

    evasion
  • Loads dropped DLL 3 IoCs
  • UPX packed file 3 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies data under HKEY_USERS 15 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: LoadsDriver 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\5d3c3a309604356d25cc4bb23a8caeef2be23171a930817301a5f66d33fe8f42.exe
    "C:\Users\Admin\AppData\Local\Temp\5d3c3a309604356d25cc4bb23a8caeef2be23171a930817301a5f66d33fe8f42.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:4144
    • C:\Users\Admin\AppData\Local\Temp\data\Agghost.exe
      C:\Users\Admin\AppData\Local\Temp\data\Agghost.exe
      2⤵
      • Identifies VirtualBox via ACPI registry values (likely anti-VM)
      • Checks computer location settings
      • Executes dropped EXE
      • Identifies Wine through registry keys
      • Loads dropped DLL
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:3196
      • C:\Users\Admin\AppData\Local\Agghost.exe
        "C:\Users\Admin\AppData\Local\Agghost.exe"
        3⤵
        • Identifies VirtualBox via ACPI registry values (likely anti-VM)
        • Executes dropped EXE
        • Identifies Wine through registry keys
        • Loads dropped DLL
        • Suspicious use of NtSetInformationThreadHideFromDebugger
        • Checks processor information in registry
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2084
  • C:\Windows\system32\LogonUI.exe
    "LogonUI.exe" /flags:0x4 /state0:0xa39e5855 /state1:0x41c64e6d
    1⤵
    • Modifies data under HKEY_USERS
    • Suspicious use of SetWindowsHookEx
    PID:4244

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Agghost.exe
    Filesize

    111KB

    MD5

    a9b40e0b76aa5a292cb6052c6c2fd81d

    SHA1

    e15bba9e662ef45350720218617d563620c76823

    SHA256

    f5017d72f3b829a55971f877ebaa257f5e9791ae253ae23111cc45628477c36c

    SHA512

    ad49410a233614128a103ae55155665f563b67daa7411c42bf314a6a6d1c2cb61e4428d9049d0d3209d44a1b5eef1cab00541b6bb41dcf575ff9e7e406a2f23f

    Download Submit

  • C:\Users\Admin\AppData\Local\Agghost.exe
    Filesize

    111KB

    MD5

    a9b40e0b76aa5a292cb6052c6c2fd81d

    SHA1

    e15bba9e662ef45350720218617d563620c76823

    SHA256

    f5017d72f3b829a55971f877ebaa257f5e9791ae253ae23111cc45628477c36c

    SHA512

    ad49410a233614128a103ae55155665f563b67daa7411c42bf314a6a6d1c2cb61e4428d9049d0d3209d44a1b5eef1cab00541b6bb41dcf575ff9e7e406a2f23f

    Download Submit

  • C:\Users\Admin\AppData\Local\Agghost.exe
    Filesize

    111KB

    MD5

    a9b40e0b76aa5a292cb6052c6c2fd81d

    SHA1

    e15bba9e662ef45350720218617d563620c76823

    SHA256

    f5017d72f3b829a55971f877ebaa257f5e9791ae253ae23111cc45628477c36c

    SHA512

    ad49410a233614128a103ae55155665f563b67daa7411c42bf314a6a6d1c2cb61e4428d9049d0d3209d44a1b5eef1cab00541b6bb41dcf575ff9e7e406a2f23f

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\data\Agghost.exe
    Filesize

    111KB

    MD5

    a9b40e0b76aa5a292cb6052c6c2fd81d

    SHA1

    e15bba9e662ef45350720218617d563620c76823

    SHA256

    f5017d72f3b829a55971f877ebaa257f5e9791ae253ae23111cc45628477c36c

    SHA512

    ad49410a233614128a103ae55155665f563b67daa7411c42bf314a6a6d1c2cb61e4428d9049d0d3209d44a1b5eef1cab00541b6bb41dcf575ff9e7e406a2f23f

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\data\Agghost.exe
    Filesize

    111KB

    MD5

    a9b40e0b76aa5a292cb6052c6c2fd81d

    SHA1

    e15bba9e662ef45350720218617d563620c76823

    SHA256

    f5017d72f3b829a55971f877ebaa257f5e9791ae253ae23111cc45628477c36c

    SHA512

    ad49410a233614128a103ae55155665f563b67daa7411c42bf314a6a6d1c2cb61e4428d9049d0d3209d44a1b5eef1cab00541b6bb41dcf575ff9e7e406a2f23f

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\data\EduWebContainer.dll
    Filesize

    936KB

    MD5

    4683696a3518f9cd7c4ee730a53405c2

    SHA1

    23881246d838d9d2a1bd76430f9c5f7458e00e83

    SHA256

    43e51c6becb9c635cce68d1aa32310ddd6ae68125ca2c00e5e47dc3536cb5fca

    SHA512

    5bfc43d489b53585e7369e3d28daf9f501d6999517310249f88b158d268c2a4e730b8e10aec0959094f276e3b4ba79b5737add5dc01ef3d6136e42a04552522c

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\data\EduWebContainer.dll
    Filesize

    936KB

    MD5

    4683696a3518f9cd7c4ee730a53405c2

    SHA1

    23881246d838d9d2a1bd76430f9c5f7458e00e83

    SHA256

    43e51c6becb9c635cce68d1aa32310ddd6ae68125ca2c00e5e47dc3536cb5fca

    SHA512

    5bfc43d489b53585e7369e3d28daf9f501d6999517310249f88b158d268c2a4e730b8e10aec0959094f276e3b4ba79b5737add5dc01ef3d6136e42a04552522c

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\data\EduWebContainer.dll
    Filesize

    936KB

    MD5

    4683696a3518f9cd7c4ee730a53405c2

    SHA1

    23881246d838d9d2a1bd76430f9c5f7458e00e83

    SHA256

    43e51c6becb9c635cce68d1aa32310ddd6ae68125ca2c00e5e47dc3536cb5fca

    SHA512

    5bfc43d489b53585e7369e3d28daf9f501d6999517310249f88b158d268c2a4e730b8e10aec0959094f276e3b4ba79b5737add5dc01ef3d6136e42a04552522c

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\data\VCRUNTIME140.dll
    Filesize

    77KB

    MD5

    f107a3c7371c4543bd3908ba729dd2db

    SHA1

    af8e7e8f446de74db2f31d532e46eab8bbf41e0a

    SHA256

    00df0901c101254525a219d93ff1830da3a20d3f14bc323354d8d5fee5854ec0

    SHA512

    fd776f8ceaac498f4f44819794c0fa89224712a8c476819ffc76ba4c7ff4caa9b360b9d299d9df7965387e5bbcb330f316f53759b5146a73b27a5f2e964c3530

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\data\vcruntime140.dll
    Filesize

    77KB

    MD5

    f107a3c7371c4543bd3908ba729dd2db

    SHA1

    af8e7e8f446de74db2f31d532e46eab8bbf41e0a

    SHA256

    00df0901c101254525a219d93ff1830da3a20d3f14bc323354d8d5fee5854ec0

    SHA512

    fd776f8ceaac498f4f44819794c0fa89224712a8c476819ffc76ba4c7ff4caa9b360b9d299d9df7965387e5bbcb330f316f53759b5146a73b27a5f2e964c3530

    Download Submit

  • memory/2084-186-0x0000000010000000-0x0000000010215000-memory.dmp

    Filesize

    2.1MB

    Download

  • memory/2084-183-0x0000000010000000-0x0000000010215000-memory.dmp

    Filesize

    2.1MB

    Download

  • memory/2084-196-0x0000000010000000-0x0000000010215000-memory.dmp

    Filesize

    2.1MB

    Download

  • memory/2084-195-0x0000000010000000-0x0000000010215000-memory.dmp

    Filesize

    2.1MB

    Download

  • memory/2084-194-0x0000000010000000-0x0000000010215000-memory.dmp

    Filesize

    2.1MB

    Download

  • memory/2084-193-0x0000000010000000-0x0000000010215000-memory.dmp

    Filesize

    2.1MB

    Download

  • memory/2084-169-0x0000000010000000-0x0000000010215000-memory.dmp

    Filesize

    2.1MB

    Download

  • memory/2084-174-0x0000000004E40000-0x0000000004E8D000-memory.dmp

    Filesize

    308KB

    Download

  • memory/2084-180-0x0000000004E10000-0x0000000004E11000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2084-181-0x0000000004E20000-0x0000000004E22000-memory.dmp

    Filesize

    8KB

    Download

  • memory/2084-182-0x0000000004E30000-0x0000000004E31000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2084-191-0x00000000058E0000-0x0000000005A2D000-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/2084-184-0x0000000010000000-0x0000000010215000-memory.dmp

    Filesize

    2.1MB

    Download

  • memory/2084-185-0x0000000010000000-0x0000000010215000-memory.dmp

    Filesize

    2.1MB

    Download

  • memory/2084-192-0x00000000058E0000-0x0000000005A2D000-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/2084-187-0x0000000010000000-0x0000000010215000-memory.dmp

    Filesize

    2.1MB

    Download

  • memory/2084-188-0x00000000058E0000-0x0000000005A2D000-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/3196-145-0x0000000010000000-0x0000000010215000-memory.dmp

    Filesize

    2.1MB

    Download

  • memory/3196-156-0x00000000047E0000-0x00000000047E1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3196-146-0x00000000047F0000-0x000000000483D000-memory.dmp

    Filesize

    308KB

    Download

  • memory/3196-168-0x0000000010000000-0x0000000010215000-memory.dmp

    Filesize

    2.1MB

    Download

  • memory/3196-154-0x00000000047C0000-0x00000000047C1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3196-155-0x00000000047D0000-0x00000000047D2000-memory.dmp

    Filesize

    8KB

    Download