Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
149s -
max time network
148s -
platform
windows10-2004_x64 -
resource
win10v2004-20230915-en -
resource tags
arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system -
submitted
27/09/2023, 19:13
Static task
static1
Behavioral task
behavioral1
Sample
2023-08-26_9eed79924f483a61a623e9aaefa56c4e_mafia_JC.exe
Resource
win7-20230831-en
Behavioral task
behavioral2
Sample
2023-08-26_9eed79924f483a61a623e9aaefa56c4e_mafia_JC.exe
Resource
win10v2004-20230915-en
General
-
Target
2023-08-26_9eed79924f483a61a623e9aaefa56c4e_mafia_JC.exe
-
Size
96KB
-
MD5
9eed79924f483a61a623e9aaefa56c4e
-
SHA1
2127364ae13f6e6bbd070a72bc9a92a443e1870f
-
SHA256
530b818e7b34f95857d6d5370cd54692f19f5ecf2b0a92c400778094c973f41f
-
SHA512
91c6514e463d18ad1d2a0223bf2dff11159d117805fdc165d12b088728be2bd5e8dde3f8512b45074dce02e49e0d99811d861d88b49e0264b540943c2ab865cc
-
SSDEEP
1536:b0FfM5+DncE24ujIds67Ef+TTd014KWzqYs3cTP:4FfM4D1/2+W14KWzqYs
Malware Config
Signatures
-
FatalRat
FatalRat is a modular infostealer family written in C++ first appearing in June 2021.
-
Fatal Rat payload 1 IoCs
resource yara_rule behavioral2/memory/4864-45-0x0000000000C80000-0x0000000000CAA000-memory.dmp fatalrat -
Downloads MZ/PE file
-
ACProtect 1.3x - 1.4x DLL software 1 IoCs
Detects file using ACProtect software.
resource yara_rule behavioral2/files/0x000600000002321a-22.dat acprotect -
resource yara_rule behavioral2/files/0x000700000002321d-23.dat aspack_v212_v242 behavioral2/files/0x000800000002321f-24.dat aspack_v212_v242 behavioral2/files/0x000800000002321f-27.dat aspack_v212_v242 behavioral2/files/0x000800000002321f-28.dat aspack_v212_v242 behavioral2/files/0x000700000002321d-34.dat aspack_v212_v242 behavioral2/files/0x000700000002321d-35.dat aspack_v212_v242 -
Executes dropped EXE 2 IoCs
pid Process 2628 Adam.exe 4864 WmiSrv.exe -
resource yara_rule behavioral2/files/0x000600000002321a-22.dat upx -
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 WmiSrv.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz WmiSrv.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 2628 Adam.exe 2628 Adam.exe 4864 WmiSrv.exe 4864 WmiSrv.exe 4864 WmiSrv.exe 4864 WmiSrv.exe 4864 WmiSrv.exe 4864 WmiSrv.exe 4864 WmiSrv.exe 4864 WmiSrv.exe 4864 WmiSrv.exe 4864 WmiSrv.exe 4864 WmiSrv.exe 4864 WmiSrv.exe 4864 WmiSrv.exe 4864 WmiSrv.exe 4864 WmiSrv.exe 4864 WmiSrv.exe 4864 WmiSrv.exe 4864 WmiSrv.exe 4864 WmiSrv.exe 4864 WmiSrv.exe 4864 WmiSrv.exe 4864 WmiSrv.exe 4864 WmiSrv.exe 4864 WmiSrv.exe 4864 WmiSrv.exe 4864 WmiSrv.exe 4864 WmiSrv.exe 4864 WmiSrv.exe 4864 WmiSrv.exe 4864 WmiSrv.exe 4864 WmiSrv.exe 4864 WmiSrv.exe 4864 WmiSrv.exe 4864 WmiSrv.exe 4864 WmiSrv.exe 4864 WmiSrv.exe 4864 WmiSrv.exe 4864 WmiSrv.exe 4864 WmiSrv.exe 4864 WmiSrv.exe 4864 WmiSrv.exe 4864 WmiSrv.exe 4864 WmiSrv.exe 4864 WmiSrv.exe 4864 WmiSrv.exe 4864 WmiSrv.exe 4864 WmiSrv.exe 4864 WmiSrv.exe 4864 WmiSrv.exe 4864 WmiSrv.exe 4864 WmiSrv.exe 4864 WmiSrv.exe 4864 WmiSrv.exe 4864 WmiSrv.exe 4864 WmiSrv.exe 4864 WmiSrv.exe 4864 WmiSrv.exe 4864 WmiSrv.exe 4864 WmiSrv.exe 4864 WmiSrv.exe 4864 WmiSrv.exe 4864 WmiSrv.exe -
Suspicious use of AdjustPrivilegeToken 3 IoCs
description pid Process Token: SeDebugPrivilege 2628 Adam.exe Token: SeDebugPrivilege 2628 Adam.exe Token: SeDebugPrivilege 4864 WmiSrv.exe -
Suspicious use of WriteProcessMemory 6 IoCs
description pid Process procid_target PID 4920 wrote to memory of 2628 4920 2023-08-26_9eed79924f483a61a623e9aaefa56c4e_mafia_JC.exe 96 PID 4920 wrote to memory of 2628 4920 2023-08-26_9eed79924f483a61a623e9aaefa56c4e_mafia_JC.exe 96 PID 4920 wrote to memory of 2628 4920 2023-08-26_9eed79924f483a61a623e9aaefa56c4e_mafia_JC.exe 96 PID 4920 wrote to memory of 4864 4920 2023-08-26_9eed79924f483a61a623e9aaefa56c4e_mafia_JC.exe 97 PID 4920 wrote to memory of 4864 4920 2023-08-26_9eed79924f483a61a623e9aaefa56c4e_mafia_JC.exe 97 PID 4920 wrote to memory of 4864 4920 2023-08-26_9eed79924f483a61a623e9aaefa56c4e_mafia_JC.exe 97
Processes
-
C:\Users\Admin\AppData\Local\Temp\2023-08-26_9eed79924f483a61a623e9aaefa56c4e_mafia_JC.exe"C:\Users\Admin\AppData\Local\Temp\2023-08-26_9eed79924f483a61a623e9aaefa56c4e_mafia_JC.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:4920 -
C:\Users\Public\Documents\Admin558\Adam.exeC:\Users\Public\Documents\Admin558\Adam.exe2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2628
-
-
C:\Users\Public\Documents\Admin558\WmiSrv.exeC:\Users\Public\Documents\Admin558\WmiSrv.exe2⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4864
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
169KB
MD5928969d2a2dbb58479ae2236ac328d22
SHA1e4d9631a343d73b1ee0d7e4db55978ce59dee1d6
SHA256709776daeb0a8aac58b530e9fa0ff61afd4ffad1677c3b46ac7b375ccb1f2c4a
SHA51262a25aa6ac3383142ab3fdc3462c296ec60f8255173b21443a83b87151c2ce931cf0dd2fb6868f783f13fba8ad3c283d53250e61ebc172f80a0ef47bdcbaae9c
-
Filesize
169KB
MD5928969d2a2dbb58479ae2236ac328d22
SHA1e4d9631a343d73b1ee0d7e4db55978ce59dee1d6
SHA256709776daeb0a8aac58b530e9fa0ff61afd4ffad1677c3b46ac7b375ccb1f2c4a
SHA51262a25aa6ac3383142ab3fdc3462c296ec60f8255173b21443a83b87151c2ce931cf0dd2fb6868f783f13fba8ad3c283d53250e61ebc172f80a0ef47bdcbaae9c
-
Filesize
169KB
MD5928969d2a2dbb58479ae2236ac328d22
SHA1e4d9631a343d73b1ee0d7e4db55978ce59dee1d6
SHA256709776daeb0a8aac58b530e9fa0ff61afd4ffad1677c3b46ac7b375ccb1f2c4a
SHA51262a25aa6ac3383142ab3fdc3462c296ec60f8255173b21443a83b87151c2ce931cf0dd2fb6868f783f13fba8ad3c283d53250e61ebc172f80a0ef47bdcbaae9c
-
Filesize
1.1MB
MD561967681c21ab3403d35469c1639d2ca
SHA15c5f5090e2033e03346a50ad0cc2f72670667bbf
SHA2561e4855f383a002839707711cd77b9700074ad3f71037443eb574ffac8af472a2
SHA5121f70aa3bdf398b05f396d748f8dd1e99212e5bfa779753756e4c4f9dfd0547bc24d2606b6a3e9007b12e044946a7468f79cb4599990140b1bfa4d4f045a0d444
-
Filesize
197KB
MD5b6335bc769f15b2d20c92c1f6cc8fcc5
SHA1ef999a8fca3e683b6c3041f12cbddcf5c01b9c57
SHA2561a3ae7914610860bb295fd5ba9185b1db8f960738a43a20c838cc79e79b47f26
SHA512b0d10909b27f122725b56b2e81f84c46ea6314fa378c1efc9607db277d3cf1b670067aed3f82a8c29f2f2f9b632b02d79cec59dbe3507de08cb9b3cc4de52eea
-
Filesize
197KB
MD5b6335bc769f15b2d20c92c1f6cc8fcc5
SHA1ef999a8fca3e683b6c3041f12cbddcf5c01b9c57
SHA2561a3ae7914610860bb295fd5ba9185b1db8f960738a43a20c838cc79e79b47f26
SHA512b0d10909b27f122725b56b2e81f84c46ea6314fa378c1efc9607db277d3cf1b670067aed3f82a8c29f2f2f9b632b02d79cec59dbe3507de08cb9b3cc4de52eea
-
Filesize
197KB
MD5b6335bc769f15b2d20c92c1f6cc8fcc5
SHA1ef999a8fca3e683b6c3041f12cbddcf5c01b9c57
SHA2561a3ae7914610860bb295fd5ba9185b1db8f960738a43a20c838cc79e79b47f26
SHA512b0d10909b27f122725b56b2e81f84c46ea6314fa378c1efc9607db277d3cf1b670067aed3f82a8c29f2f2f9b632b02d79cec59dbe3507de08cb9b3cc4de52eea
-
Filesize
74KB
MD5f33ebee08e6201da42174de8813a1401
SHA14e9dae56f730ee8118396ae64b1005e1e844c1c1
SHA256a3ee77ec052b6511264c7a8af3b50e2c295b4a00313609c6f803940880a10685
SHA5120cc96e19442a680ae41a139f7b4498d69405c4388a065e5da240103fc7d8b760b843860b3c6d7fe90f06ba7b45f9d91a7cadf6b8089ee41e89f79d2b2fd8967f