Analysis
max time kernel: 138s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20230703-en
resource tags: arch:x64, arch:x86, image:win10v2004-20230703-en, locale:en-us, os:windows10-2004-x64, system
submitted: 10/08/2023, 17:16
Behavioral task: behavioral1
Sample: a6108ee9f106dfa91427fdec33e519ba94e61a678d65f5b16e54eb9d44291517.exe
Resource: win7-20230712-en
Behavioral task: behavioral2
Sample: a6108ee9f106dfa91427fdec33e519ba94e61a678d65f5b16e54eb9d44291517.exe
Resource: win10v2004-20230703-en
General
Target: a6108ee9f106dfa91427fdec33e519ba94e61a678d65f5b16e54eb9d44291517.exe
Size: 299KB
MD5: 5b8b5b65e19ac1bde4757df37cc514f2
SHA1: 302ee18b546d39d2f7d99d55a8fdb41839dfffae
SHA256: a6108ee9f106dfa91427fdec33e519ba94e61a678d65f5b16e54eb9d44291517
SHA512: 951b16e3811823301ef5c3f799d1243d8e357060af943866e7ad61b331fc49464a5d133c79bf321970e2f7ed0cfc6dbfdcdef4b7a2a9f1d74a5db6bd621a5831
SSDEEP: 384:yf11c+U6A8pWfG+Ax7r6+Y9PffPztcOB8lpI7:yfrAgWfGJxCbPrtc68E7
Malware Config
Signatures
- FatalRat
  FatalRat is a modular infostealer family written in C++ first appearing in June 2021.
- Fatal Rat payload (1 IoC)
  resource / yara_rule:
  behavioral2/memory/2052-181-0x0000000002FF0000-0x000000000301A000-memory.dmp  fatalrat
- Downloads MZ/PE file
  resource / yara_rule:
  behavioral2/files/0x000600000002308c-162.dat  aspack_v212_v242
  behavioral2/files/0x000600000002308c-165.dat  aspack_v212_v242
  behavioral2/files/0x000600000002308c-167.dat  aspack_v212_v242
- Executes dropped EXE (2 IoCs)
  pid / Process:
  3464  Adam.exe
  2052  WmiSrv.exe
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid / Process:
  3464  Adam.exe (2 entries)
  2052  WmiSrv.exe (62 entries)
- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  description / pid / Process:
  Token: SeDebugPrivilege  3464  Adam.exe
  Token: SeDebugPrivilege  3464  Adam.exe
  Token: SeDebugPrivilege  2052  WmiSrv.exe
- Suspicious use of SetWindowsHookEx (2 IoCs)
  pid / Process:
  2052  WmiSrv.exe
  2052  WmiSrv.exe
- Suspicious use of WriteProcessMemory (6 IoCs)
  description / pid / Process / procid_target:
  PID 1404 wrote to memory of 3464  1404  a6108ee9f106dfa91427fdec33e519ba94e61a678d65f5b16e54eb9d44291517.exe  86
  PID 1404 wrote to memory of 3464  1404  a6108ee9f106dfa91427fdec33e519ba94e61a678d65f5b16e54eb9d44291517.exe  86
  PID 1404 wrote to memory of 3464  1404  a6108ee9f106dfa91427fdec33e519ba94e61a678d65f5b16e54eb9d44291517.exe  86
  PID 1404 wrote to memory of 2052  1404  a6108ee9f106dfa91427fdec33e519ba94e61a678d65f5b16e54eb9d44291517.exe  88
  PID 1404 wrote to memory of 2052  1404  a6108ee9f106dfa91427fdec33e519ba94e61a678d65f5b16e54eb9d44291517.exe  88
  PID 1404 wrote to memory of 2052  1404  a6108ee9f106dfa91427fdec33e519ba94e61a678d65f5b16e54eb9d44291517.exe  88
Processes
[depth 1] C:\Users\Admin\AppData\Local\Temp\a6108ee9f106dfa91427fdec33e519ba94e61a678d65f5b16e54eb9d44291517.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\a6108ee9f106dfa91427fdec33e519ba94e61a678d65f5b16e54eb9d44291517.exe"
  - Suspicious use of WriteProcessMemory
  PID: 1404
  [depth 2] C:\Users\Public\Documents\Admin558\Adam.exe
    Command line: C:\Users\Public\Documents\Admin558\Adam.exe
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 3464
  [depth 2] C:\Users\Public\Documents\Admin558\WmiSrv.exe
    Command line: C:\Users\Public\Documents\Admin558\WmiSrv.exe
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID: 2052
Network
MITRE ATT&CK Matrix
Downloads