Analysis

  • max time kernel
    24s
  • max time network
    131s
  • platform
    windows7_x64
  • resource
    win7-20230621-en
  • resource tags
    arch:x64, arch:x86, image:win7-20230621-en, locale:en-us, os:windows7-x64, system
  • submitted
    30/06/2023, 15:48 UTC

General

  • Target

    Wattylexe.exe

  • Size

    477KB

  • MD5

    34e03669773d47d0d8f01be78ae484e4

  • SHA1

    4b0a7e2af2c28ae191737ba07632ed354d35c978

  • SHA256

    2919b157d8d2161bf56a17af0efc171d8e2c3c233284cf116e8c968dd9704572

  • SHA512

    8d93fab3c2544d015af2d84f07d3ebbf8acead8bb0185ffb045302b2be19ac12cd2ac59288313bd75bc230768c90e68139c124ea89df943776b1cfaac4876a7f

  • SSDEEP

    6144:ZvZ2iKiZ/QAKVfiROzkViZwc0W/1vNuMqTp/CelAaWjSZ/nnnKCXP7:J7wVfiRuqPW/dgMqIHdjSFnnKCX

Score
10/10

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 1 IoCs
  • Disables RegEdit via registry modification 1 IoCs
  • Disables Task Manager via registry modification
  • Adds Run key to start application 2 TTPs 2 IoCs
  • Enumerates connected drives 3 TTPs 24 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in System32 directory 4 IoCs
  • Drops file in Windows directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies system certificate store 2 TTPs 5 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of WriteProcessMemory 16 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Wattylexe.exe
    "C:\Users\Admin\AppData\Local\Temp\Wattylexe.exe"
    1⤵
    • Modifies WinLogon for persistence
    • Disables RegEdit via registry modification
    • Adds Run key to start application
    • Enumerates connected drives
    • Drops file in System32 directory
    • Drops file in Windows directory
    • Modifies system certificate store
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:1956
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /C AT /delete /yes
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:924
      • C:\Windows\SysWOW64\at.exe
        AT /delete /yes
        3⤵
        PID:468
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /C AT 09:00 /interactive /EVERY:m,t,w,th,f,s,su C:\Windows\system32\RVHOST.exe
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:632
      • C:\Windows\SysWOW64\at.exe
        AT 09:00 /interactive /EVERY:m,t,w,th,f,s,su C:\Windows\system32\RVHOST.exe
        3⤵
        PID:568

Network

      • DNS (US)
        nhatquanglan2.0catch.com
        Wattylexe.exe
        Remote address:
        8.8.8.8:53
        Request
        nhatquanglan2.0catch.com
        IN A
        Response
      • DNS (US)
        www.freewebs.com
        Wattylexe.exe
        Remote address:
        8.8.8.8:53
        Request
        www.freewebs.com
        IN A
        Response
        www.freewebs.com
        IN CNAME
        domains.vpsiteserver00.com
        domains.vpsiteserver00.com
        IN A
        104.17.25.109
        domains.vpsiteserver00.com
        IN A
        104.17.23.109
        domains.vpsiteserver00.com
        IN A
        104.17.22.109
        domains.vpsiteserver00.com
        IN A
        104.17.24.109
        domains.vpsiteserver00.com
        IN A
        104.17.26.109
      • GET (US)
        http://www.freewebs.com/nhattruongquang/setting.nql
        Wattylexe.exe
        Remote address:
        104.17.25.109:80
        Request
        GET /nhattruongquang/setting.nql HTTP/1.1
        Host: www.freewebs.com
        Cache-Control: no-cache
        Response
        HTTP/1.1 301 Moved Permanently
        Date: Fri, 30 Jun 2023 15:48:21 GMT
        Transfer-Encoding: chunked
        Connection: keep-alive
        Cache-Control: max-age=3600
        Expires: Fri, 30 Jun 2023 16:48:21 GMT
        Location: https://www.freewebs.com/nhattruongquang/setting.nql
        Server: cloudflare
        CF-RAY: 7df78d9559f0b95c-AMS
        alt-svc: h3=":443"; ma=86400
      • GET (US)
        http://www.freewebs.com/nhattruongquang/setting.xls
        Wattylexe.exe
        Remote address:
        104.17.25.109:80
        Request
        GET /nhattruongquang/setting.xls HTTP/1.1
        Host: www.freewebs.com
        Cache-Control: no-cache
        Response
        HTTP/1.1 301 Moved Permanently
        Date: Fri, 30 Jun 2023 15:48:24 GMT
        Transfer-Encoding: chunked
        Connection: keep-alive
        Cache-Control: max-age=3600
        Expires: Fri, 30 Jun 2023 16:48:24 GMT
        Location: https://www.freewebs.com/nhattruongquang/setting.xls
        Server: cloudflare
        CF-RAY: 7df78da74eb0b95c-AMS
        alt-svc: h3=":443"; ma=86400
      • GET (US)
        https://www.freewebs.com/nhattruongquang/setting.nql
        Wattylexe.exe
        Remote address:
        104.17.25.109:443
        Request
        GET /nhattruongquang/setting.nql HTTP/1.1
        Host: www.freewebs.com
        Cache-Control: no-cache
        Connection: Keep-Alive
        Response
        HTTP/1.1 301 Moved Permanently
        Date: Fri, 30 Jun 2023 15:48:23 GMT
        Transfer-Encoding: chunked
        Connection: keep-alive
        Cache-Control: max-age=3600
        Expires: Fri, 30 Jun 2023 16:48:23 GMT
        Location: https://nhattruongquang.webs.com/setting.nql
        Server: cloudflare
        CF-RAY: 7df78da17e201c08-AMS
        alt-svc: h3=":443"; ma=86400
      • GET (US)
        https://www.freewebs.com/nhattruongquang/setting.xls
        Wattylexe.exe
        Remote address:
        104.17.25.109:443
        Request
        GET /nhattruongquang/setting.xls HTTP/1.1
        Host: www.freewebs.com
        Cache-Control: no-cache
        Connection: Keep-Alive
        Response
        HTTP/1.1 301 Moved Permanently
        Date: Fri, 30 Jun 2023 15:48:24 GMT
        Transfer-Encoding: chunked
        Connection: keep-alive
        Cache-Control: max-age=3600
        Expires: Fri, 30 Jun 2023 16:48:24 GMT
        Location: https://nhattruongquang.webs.com/setting.xls
        Server: cloudflare
        CF-RAY: 7df78da77d621c08-AMS
        alt-svc: h3=":443"; ma=86400
      • DNS (US)
        nhattruongquang.webs.com
        Wattylexe.exe
        Remote address:
        8.8.8.8:53
        Request
        nhattruongquang.webs.com
        IN A
        Response
        nhattruongquang.webs.com
        IN A
        104.18.151.58
        nhattruongquang.webs.com
        IN A
        104.18.150.58
      • GET (US)
        https://nhattruongquang.webs.com/setting.nql
        Wattylexe.exe
        Remote address:
        104.18.151.58:443
        Request
        GET /setting.nql HTTP/1.1
        Cache-Control: no-cache
        Connection: Keep-Alive
        Host: nhattruongquang.webs.com
        Response
        HTTP/1.1 404 Not Found
        Date: Fri, 30 Jun 2023 15:48:24 GMT
        Content-Type: text/html
        Transfer-Encoding: chunked
        Connection: keep-alive
        Access-Control-Allow-Origin: https://developer.cimpress.io
        Cache-Control: no-cache
        Vary: Accept-Encoding
        CF-Cache-Status: MISS
        Server: cloudflare
        CF-RAY: 7df78da36d550b53-AMS
      • flag-us
        GET
        https://nhattruongquang.webs.com/setting.xls
        Wattylexe.exe
        Remote address:
        104.18.151.58:443
        Request
        GET /setting.xls HTTP/1.1
        Cache-Control: no-cache
        Connection: Keep-Alive
        Host: nhattruongquang.webs.com
        Response
        HTTP/1.1 404 Not Found
        Date: Fri, 30 Jun 2023 15:48:25 GMT
        Content-Type: text/html
        Transfer-Encoding: chunked
        Connection: keep-alive
        Access-Control-Allow-Origin: https://developer.cimpress.io
        Cache-Control: no-cache
        Vary: Accept-Encoding
        CF-Cache-Status: MISS
        Server: cloudflare
        CF-RAY: 7df78da8cf2c0a47-AMS
      • 104.17.25.109:80
        http://www.freewebs.com/nhattruongquang/setting.xls
        http
        Wattylexe.exe
        562 B
        1.7kB
        8
        7

        HTTP Request

        GET http://www.freewebs.com/nhattruongquang/setting.nql

        HTTP Response

        301

        HTTP Request

        GET http://www.freewebs.com/nhattruongquang/setting.xls

        HTTP Response

        301
      • 104.17.25.109:443
        https://www.freewebs.com/nhattruongquang/setting.xls
        tls, http
        Wattylexe.exe
        1.1kB
        5.9kB
        12
        12

        HTTP Request

        GET https://www.freewebs.com/nhattruongquang/setting.nql

        HTTP Response

        301

        HTTP Request

        GET https://www.freewebs.com/nhattruongquang/setting.xls

        HTTP Response

        301
      • 104.18.151.58:443
        https://nhattruongquang.webs.com/setting.nql
        tls, http
        Wattylexe.exe
        1.1kB
        15.3kB
        14
        19

        HTTP Request

        GET https://nhattruongquang.webs.com/setting.nql

        HTTP Response

        404
      • 104.18.151.58:443
        https://nhattruongquang.webs.com/setting.xls
        tls, http
        Wattylexe.exe
        1.1kB
        14.0kB
        13
        18

        HTTP Request

        GET https://nhattruongquang.webs.com/setting.xls

        HTTP Response

        404
      • 8.8.8.8:53
        nhatquanglan2.0catch.com
        dns
        Wattylexe.exe
        70 B
        154 B
        1
        1

        DNS Request

        nhatquanglan2.0catch.com

      • 8.8.8.8:53
        www.freewebs.com
        dns
        Wattylexe.exe
        62 B
        179 B
        1
        1

        DNS Request

        www.freewebs.com

        DNS Response

        104.17.25.109
        104.17.23.109
        104.17.22.109
        104.17.24.109
        104.17.26.109

      • 8.8.8.8:53
        nhattruongquang.webs.com
        dns
        Wattylexe.exe
        70 B
        102 B
        1
        1

        DNS Request

        nhattruongquang.webs.com

        DNS Response

        104.18.151.58
        104.18.150.58

MITRE ATT&CK Enterprise v6

Downloads

      • C:\Users\Admin\AppData\Local\Temp\Cab3823.tmp

        Filesize

        62KB

        MD5

        3ac860860707baaf32469fa7cc7c0192

        SHA1

        c33c2acdaba0e6fa41fd2f00f186804722477639

        SHA256

        d015145d551ecd14916270efad773bbc9fd57fad2228d2c24559f696c961d904

        SHA512

        d62ad2408c969a95550fb87efda50f988770ba5e39972041bf85924275baf156b8bec309ecc6409e5acdd37ec175dea40eff921ab58933b5b5b5d35a6147567c

      • C:\Users\Admin\AppData\Local\Temp\Tar38B3.tmp

        Filesize

        164KB

        MD5

        4ff65ad929cd9a367680e0e5b1c08166

        SHA1

        c0af0d4396bd1f15c45f39d3b849ba444233b3a2

        SHA256

        c8733c93cc5aaf5ca206d06af22ee8dbdec764fb5085019a6a9181feb9dfdee6

        SHA512

        f530dc0d024a5a3b8903ffaaa41b608a5ccdd6da4ba1949f2c2e55a9fca475fec5c8d2119b5763cabe7ef1c3788fb9dcac621869db51d65b1d83cfe404fb4c27

      • memory/1956-58-0x0000000000400000-0x000000000048D000-memory.dmp

        Filesize

        564KB

      • memory/1956-116-0x0000000000400000-0x000000000048D000-memory.dmp

        Filesize

        564KB
