Analysis
max time kernel: 146s
max time network: 150s
platform: windows7_x64
resource: win7-20230831-en
resource tags: arch:x64, arch:x86, image:win7-20230831-en, locale:en-us, os:windows7-x64, system
submitted: 14/10/2023, 23:14
Static task: static1
Behavioral task: behavioral1
  Sample: 39fbaf33223cf1420da5ee4badd313d2fbd0b087714dd09b09132ebf8101de74.exe
  Resource: win7-20230831-en
Behavioral task: behavioral2
  Sample: 39fbaf33223cf1420da5ee4badd313d2fbd0b087714dd09b09132ebf8101de74.exe
  Resource: win10v2004-20230915-en
General
Target: 39fbaf33223cf1420da5ee4badd313d2fbd0b087714dd09b09132ebf8101de74.exe
Size: 2.1MB
MD5: 08c7b4532ef227cfa186f591572769da
SHA1: 7481a96a7756aff20a893ebc1a037d3ab91356dd
SHA256: 39fbaf33223cf1420da5ee4badd313d2fbd0b087714dd09b09132ebf8101de74
SHA512: c1cfa72cf16d2574ab7bc9c5318e64acc2434922363092aff19468ff251a149d737d0249a404716227be9fe6133d39aa110fcb7833b6232bcd3bf4889a3dd331
SSDEEP: 49152:+bCsqGs57WcQgDO+Ivam8M0iTnDJJZk425V/zaBM3Sbawwtl:+3e57UgSZ8Mba4aBN3SbA
Malware Config
Signatures
FatalRat
FatalRat is a modular infostealer family written in C++, first appearing in June 2021.
Fatal Rat payload (21 IoCs)
Identifies VirtualBox via ACPI registry values (likely anti-VM) (2 TTPs, 2 IoCs)
description | ioc | Process
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | Powermonster.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | Powermonster.exe
Executes dropped EXE (2 IoCs)
pid | Process
2032 | Powermonster.exe
1656 | Powermonster.exe
Identifies Wine through registry keys (2 TTPs, 2 IoCs)
Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.
description | ioc | Process
Key opened | \REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Wine | Powermonster.exe
Key opened | \REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Wine | Powermonster.exe
Loads dropped DLL (7 IoCs)
pid | Process
2212 | 39fbaf33223cf1420da5ee4badd313d2fbd0b087714dd09b09132ebf8101de74.exe
2212 | 39fbaf33223cf1420da5ee4badd313d2fbd0b087714dd09b09132ebf8101de74.exe
2212 | 39fbaf33223cf1420da5ee4badd313d2fbd0b087714dd09b09132ebf8101de74.exe
2212 | 39fbaf33223cf1420da5ee4badd313d2fbd0b087714dd09b09132ebf8101de74.exe
2032 | Powermonster.exe
2032 | Powermonster.exe
1656 | Powermonster.exe
Adds Run key to start application (2 TTPs, 1 IoC)
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Windows\CurrentVersion\Run\yxfile = "C:\\Users\\Admin\\AppData\\Local\\Powermonster.exe" | Powermonster.exe
Suspicious use of NtSetInformationThreadHideFromDebugger (2 IoCs)
pid | Process
2032 | Powermonster.exe
1656 | Powermonster.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
Checks processor information in registry (2 TTPs, 2 IoCs)
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | Powermonster.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | Powermonster.exe
Suspicious behavior: EnumeratesProcesses (55 IoCs)
pid | Process
2032 | Powermonster.exe (2 entries)
1656 | Powermonster.exe (all remaining entries)
Suspicious use of AdjustPrivilegeToken (2 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 2032 | Powermonster.exe
Token: SeDebugPrivilege | 1656 | Powermonster.exe
Suspicious use of WriteProcessMemory (8 IoCs)
description | pid | Process | procid_target
PID 2212 wrote to memory of 2032 | 2212 | 39fbaf33223cf1420da5ee4badd313d2fbd0b087714dd09b09132ebf8101de74.exe | 28 (4 identical entries)
PID 2032 wrote to memory of 1656 | 2032 | Powermonster.exe | 31 (4 identical entries)
Processes
1. C:\Users\Admin\AppData\Local\Temp\39fbaf33223cf1420da5ee4badd313d2fbd0b087714dd09b09132ebf8101de74.exe (PID 2212)
   Command line: "C:\Users\Admin\AppData\Local\Temp\39fbaf33223cf1420da5ee4badd313d2fbd0b087714dd09b09132ebf8101de74.exe"
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Public\Pictures\Powermonster.exe (PID 2032, child of 2212)
      Command line: "C:\Users\Public\Pictures\Powermonster.exe"
      - Identifies VirtualBox via ACPI registry values (likely anti-VM)
      - Executes dropped EXE
      - Identifies Wine through registry keys
      - Loads dropped DLL
      - Adds Run key to start application
      - Suspicious use of NtSetInformationThreadHideFromDebugger
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      3. C:\Users\Admin\AppData\Local\Powermonster.exe (PID 1656, child of 2032)
         Command line: "C:\Users\Admin\AppData\Local\Powermonster.exe"
         - Identifies VirtualBox via ACPI registry values (likely anti-VM)
         - Executes dropped EXE
         - Identifies Wine through registry keys
         - Loads dropped DLL
         - Suspicious use of NtSetInformationThreadHideFromDebugger
         - Checks processor information in registry
         - Suspicious behavior: EnumeratesProcesses
         - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 2.5MB
MD5: 842af33f5702fa99efd8f7b235f28fcc
SHA1: b841b71a4e39432f3a940ad841e74ea1686da6c9
SHA256: 82ab7bbe88c0371e2122e7ad2faa452fdedc4063c2fda36d00c011bdd3948209
SHA512: ba78f32b344842b36ec3e5da0ca1cd80f67c18ab0537ea0d8dd970b823be9e1e48bdc0c28d5ec1666d6da22fc6b5682e99b5844ccd513a836d37158ddb0d8a82
Filesize: 918KB
MD5: 4106c995b5693909f85c782ee75dd49d
SHA1: 6eca500e40d80c3a9fbf50ad70a4328b607293b9
SHA256: d52d0320a4e66c4cbece5963723f822b4b4809a0ca9d9ea6e310a170e604398c
SHA512: 2f59d3be9dd83bb84fc2a22dd7edcbd6f999af2c873f551563e5a2049b2cf7e582edaeeaeb0acaca25422910edd01322a16e60643df6ba89f376c67c25787ebb