Analysis
max time kernel: 148s
max time network: 159s
platform: windows10-2004_x64
resource: win10v2004-20230915-en
resource tags: arch:x64 arch:x86 image:win10v2004-20230915-en locale:en-us os:windows10-2004-x64 system
submitted: 14/10/2023, 23:14
Static task: static1
Behavioral task: behavioral1
  Sample: 39fbaf33223cf1420da5ee4badd313d2fbd0b087714dd09b09132ebf8101de74.exe
  Resource: win7-20230831-en
Behavioral task: behavioral2
  Sample: 39fbaf33223cf1420da5ee4badd313d2fbd0b087714dd09b09132ebf8101de74.exe
  Resource: win10v2004-20230915-en
Every signature, process and download listed on this page is from behavioral2 (the win10v2004 run); the page shows no output from the Windows 7 task.
General
Target: 39fbaf33223cf1420da5ee4badd313d2fbd0b087714dd09b09132ebf8101de74.exe
Size: 2.1MB
MD5: 08c7b4532ef227cfa186f591572769da
SHA1: 7481a96a7756aff20a893ebc1a037d3ab91356dd
SHA256: 39fbaf33223cf1420da5ee4badd313d2fbd0b087714dd09b09132ebf8101de74
SHA512: c1cfa72cf16d2574ab7bc9c5318e64acc2434922363092aff19468ff251a149d737d0249a404716227be9fe6133d39aa110fcb7833b6232bcd3bf4889a3dd331
SSDEEP: 49152:+bCsqGs57WcQgDO+Ivam8M0iTnDJJZk425V/zaBM3Sbawwtl:+3e57UgSZ8Mba4aBN3SbA
Malware Config
Signatures

FatalRat
FatalRat is a modular infostealer family written in C++, first seen in June 2021.

Fatal Rat payload (YARA) 21 IoCs
resource | yara_rule
behavioral2/memory/2740-21-0x0000000005650000-0x0000000005686000-memory.dmp | fatalrat
behavioral2/memory/2740-31-0x0000000010000000-0x0000000010207000-memory.dmp | fatalrat
behavioral2/memory/2740-32-0x0000000010000000-0x0000000010207000-memory.dmp | fatalrat
behavioral2/memory/2740-33-0x0000000010000000-0x0000000010207000-memory.dmp | fatalrat
behavioral2/memory/2740-34-0x0000000010000000-0x0000000010207000-memory.dmp | fatalrat
behavioral2/memory/2740-35-0x0000000010000000-0x0000000010207000-memory.dmp | fatalrat
behavioral2/memory/2740-36-0x0000000010000000-0x0000000010207000-memory.dmp | fatalrat
behavioral2/memory/2740-37-0x0000000010000000-0x0000000010207000-memory.dmp | fatalrat
behavioral2/memory/2740-38-0x0000000010000000-0x0000000010207000-memory.dmp | fatalrat
behavioral2/memory/2740-39-0x0000000010000000-0x0000000010207000-memory.dmp | fatalrat
behavioral2/memory/2740-40-0x0000000010000000-0x0000000010207000-memory.dmp | fatalrat
behavioral2/memory/2740-41-0x0000000010000000-0x0000000010207000-memory.dmp | fatalrat
behavioral2/memory/2740-52-0x0000000010000000-0x0000000010207000-memory.dmp | fatalrat
behavioral2/memory/3416-57-0x0000000004F60000-0x0000000004F96000-memory.dmp | fatalrat
behavioral2/memory/3416-65-0x0000000010000000-0x0000000010207000-memory.dmp | fatalrat
behavioral2/memory/3416-66-0x0000000010000000-0x0000000010207000-memory.dmp | fatalrat
behavioral2/memory/3416-67-0x0000000010000000-0x0000000010207000-memory.dmp | fatalrat
behavioral2/memory/3416-68-0x0000000010000000-0x0000000010207000-memory.dmp | fatalrat
behavioral2/memory/3416-69-0x0000000010000000-0x0000000010207000-memory.dmp | fatalrat
behavioral2/memory/3416-70-0x0000000010000000-0x0000000010207000-memory.dmp | fatalrat
behavioral2/memory/3416-71-0x0000000010000000-0x0000000010207000-memory.dmp | fatalrat
All 21 hits are in the two Powermonster.exe processes (PIDs 2740 and 3416), not in the submitted executable. Each of those processes shows the rule firing on a small 0x36000-byte private region and, repeatedly, on a 0x207000-byte region at 0x10000000. 0x10000000 is the default preferred image base of MSVC-linked 32-bit DLLs, so the larger region is consistent with a DLL mapped at its preferred base (compare the "Loads dropped DLL" signature below); when carving the unpacked payload, that region is the one to take first.
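The dump names in the table above encode the process, a sequence number and the address range of the region the rule matched. The following Python is an added example (not tria.ge code) that parses those names, groups hits by PID and region, and picks the region to carve first. YARA_HITS is built from the 21 rows of the table; the dump-name grammar and the "carve the default-DLL-base region first" heuristic are this example's own assumptions.

```python
"""Parse the memory-dump names behind the 'Fatal Rat payload' YARA hits and
pick, per process, the region to carve first.

Added example for this report; it is not tria.ge code. The dump-name grammar
<task>/memory/<pid>-<seq>-0x<start>-0x<end>-memory.dmp is inferred from the
names on the page, and YARA_HITS reproduces the 21 rows of that table.
"""
import re
from collections import defaultdict

# Default preferred image base of MSVC-linked 32-bit DLLs. A hit region that
# starts here is most likely a DLL mapped without relocation.
DEFAULT_DLL_IMAGEBASE = 0x10000000

DUMP_RE = re.compile(
    r"^(?P<task>[^/]+)/memory/(?P<pid>\d+)-(?P<seq>\d+)-"
    r"0x(?P<start>[0-9A-Fa-f]+)-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp$"
)

_B = "0x0000000010000000-0x0000000010207000"  # range shared by 19 of the 21 hits
YARA_HITS = [
    (f"behavioral2/memory/{pid}-{seq}-{rng}-memory.dmp", "fatalrat")
    for pid, seq, rng in [
        (2740, 21, "0x0000000005650000-0x0000000005686000"),
        *[(2740, s, _B) for s in range(31, 42)],   # seq 31..41
        (2740, 52, _B),
        (3416, 57, "0x0000000004F60000-0x0000000004F96000"),
        *[(3416, s, _B) for s in range(65, 72)],   # seq 65..71
    ]
]


def parse_dump_name(name):
    """Return (task, pid, seq, start, end) or None if the name does not match."""
    m = DUMP_RE.match(name)
    if not m:
        return None
    return (m["task"], int(m["pid"]), int(m["seq"]),
            int(m["start"], 16), int(m["end"], 16))


def group_regions(hits):
    """Map pid -> {(start, end): hit_count}, counting repeated dumps of one region."""
    regions = defaultdict(lambda: defaultdict(int))
    for name, _rule in hits:
        parsed = parse_dump_name(name)
        if parsed is None:
            continue  # skip names that are not memory dumps
        _task, pid, _seq, start, end = parsed
        regions[pid][(start, end)] += 1
    return {pid: dict(r) for pid, r in regions.items()}


def candidate_payload_regions(hits):
    """For each pid, choose the region to carve first: the one at the default
    DLL image base if present, otherwise the largest region with a hit."""
    out = {}
    for pid, regs in group_regions(hits).items():
        at_base = [r for r in regs if r[0] == DEFAULT_DLL_IMAGEBASE]
        chosen = at_base[0] if at_base else max(regs, key=lambda r: r[1] - r[0])
        out[pid] = {"start": chosen[0], "size": chosen[1] - chosen[0],
                    "hits": regs[chosen], "at_default_dll_base": bool(at_base)}
    return out


if __name__ == "__main__":
    for pid, info in sorted(candidate_payload_regions(YARA_HITS).items()):
        print(f"pid {pid}: carve 0x{info['start']:08x} size 0x{info['size']:x} "
              f"({info['hits']} hits, default DLL base={info['at_default_dll_base']})")
```

Both processes resolve to the same 0x207000-byte region at 0x10000000; the sequence numbers show the rule kept matching that region across successive dumps, which is what you expect of a mapped module rather than a transient buffer.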
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 2 IoCs
VirtualBox guests carry the OEM ID VBOX__ in their ACPI DSDT, so the mere existence of this key identifies the hypervisor.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | Powermonster.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | Powermonster.exe

Checks computer location settings 2 TTPs 2 IoCs
Looks up the country code configured in the registry, likely for geofencing.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\Control Panel\International\Geo\Nation | 39fbaf33223cf1420da5ee4badd313d2fbd0b087714dd09b09132ebf8101de74.exe
Key value queried | \REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\Control Panel\International\Geo\Nation | Powermonster.exe

Executes dropped EXE 2 IoCs
pid | Process
2740 | Powermonster.exe
3416 | Powermonster.exe

Identifies Wine through registry keys 2 TTPs 2 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.
description | ioc | Process
Key opened | \REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\Software\Wine | Powermonster.exe
Key opened | \REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\Software\Wine | Powermonster.exe

Loads dropped DLL 2 IoCs
pid | Process
2740 | Powermonster.exe
3416 | Powermonster.exe

Adds Run key to start application 2 TTPs 1 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\yxfile = "C:\\Users\\Admin\\AppData\\Local\\Powermonster.exe" | Powermonster.exe
The value name is yxfile and it points at the third-stage copy under the user's AppData\Local (PID 3416 in the process tree). Because this is the per-user HKCU Run key, the persistence needs no administrative rights and fires at the next logon of that user.

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
pid | Process
2740 | Powermonster.exe
3416 | Powermonster.exe
NtSetInformationThread with the ThreadHideFromDebugger class (0x11) stops an attached debugger from receiving events for that thread; a dropped binary calling it is an anti-debug indicator.

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | Powermonster.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | Powermonster.exe
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid | Process | entries
2740 | Powermonster.exe | 4
3416 | Powermonster.exe | 60
(The original lists all 64 entries individually; they are collapsed to counts here.)

Suspicious use of AdjustPrivilegeToken 2 IoCs
description | pid | Process
Token: SeDebugPrivilege | 2740 | Powermonster.exe
Token: SeDebugPrivilege | 3416 | Powermonster.exe

Suspicious use of WriteProcessMemory 6 IoCs
description | pid | Process | procid_target
PID 4656 wrote to memory of 2740 | 4656 | 39fbaf33223cf1420da5ee4badd313d2fbd0b087714dd09b09132ebf8101de74.exe | 86
PID 4656 wrote to memory of 2740 | 4656 | 39fbaf33223cf1420da5ee4badd313d2fbd0b087714dd09b09132ebf8101de74.exe | 86
PID 4656 wrote to memory of 2740 | 4656 | 39fbaf33223cf1420da5ee4badd313d2fbd0b087714dd09b09132ebf8101de74.exe | 86
PID 2740 wrote to memory of 3416 | 2740 | Powermonster.exe | 100
PID 2740 wrote to memory of 3416 | 2740 | Powermonster.exe | 100
PID 2740 wrote to memory of 3416 | 2740 | Powermonster.exe | 100
Each parent writes into its direct child only. A few writes from a parent into a freshly created child are also what ordinary process creation produces (CreateProcess writes the child's startup parameters into its address space), so this signature alone does not establish injection; the YARA hits inside the children's own memory are the stronger evidence.
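Taken together, the registry signatures above (the VBOX__ ACPI key, Software\Wine, CentralProcessor\0\~MHz, Geo\Nation and the Run key write) are what an analyst hunts for in endpoint telemetry. The following Python is an added example, not code from tria.ge or from the sample: it scores each process over registry events and alerts when environment checks and persistence co-occur. The event lines, their "op|pid|image|key|value" layout and the rule weights are all assumptions constructed for this example from the IoCs on this page; real Sysmon logs value sets (event 13) but not key opens or value reads, so a production version would have to draw the "open" and "query" rows from an ETW or EDR source.

```python
"""Score processes for the sandbox-evasion and persistence behaviour listed in
this report, from constructed registry events.

Added example for this report, not tria.ge or FatalRat code. The event layout
'op|pid|image|key|value' (op in open/query/set) and the rule weights are
assumptions made for this example; the keys and values are the page's IoCs.
"""
import re
from collections import defaultdict

# (rule name, regex over the registry path, weight). Weights are assumptions:
# a lone environment check is weak evidence, a Run-key write is strong.
RULES = [
    ("vbox_acpi",  re.compile(r"\\HARDWARE\\ACPI\\DSDT\\VBOX__$", re.I), 2),
    ("wine_key",   re.compile(r"\\Software\\Wine$", re.I), 2),
    ("cpu_mhz",    re.compile(r"\\CentralProcessor\\0\\~MHz$", re.I), 1),
    ("geo_nation", re.compile(r"\\Control Panel\\International\\Geo\\Nation$", re.I), 1),
    ("run_key",    re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\", re.I), 3),
]
ALERT_THRESHOLD = 5  # assumption: three evasion checks or one check plus persistence

# Constructed events mirroring the IoC rows on this page, plus one benign
# explorer.exe row (PID 9001, invented) that only reads the Geo\Nation value.
EVENTS = r"""
query|4656|39fbaf33223cf1420da5ee4badd313d2fbd0b087714dd09b09132ebf8101de74.exe|\REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\Control Panel\International\Geo\Nation|
open|2740|Powermonster.exe|\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__|
open|2740|Powermonster.exe|\REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\Software\Wine|
query|2740|Powermonster.exe|\REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\Control Panel\International\Geo\Nation|
set|2740|Powermonster.exe|\REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\yxfile|C:\Users\Admin\AppData\Local\Powermonster.exe
open|3416|Powermonster.exe|\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__|
open|3416|Powermonster.exe|\REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\Software\Wine|
query|3416|Powermonster.exe|\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz|
query|9001|explorer.exe|\REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\Control Panel\International\Geo\Nation|
"""


def sample_events():
    """The constructed event lines, one per list element."""
    return EVENTS.strip().splitlines()


def parse_event(line):
    """Split one 'op|pid|image|key|value' line; None if it is malformed."""
    parts = line.split("|")
    if len(parts) != 5 or not parts[1].isdigit():
        return None
    op, pid, image, key, value = parts
    return {"op": op, "pid": int(pid), "image": image, "key": key, "value": value}


def score_processes(lines):
    """Return {pid: {image, score, hits, persist}}; each rule counts once per pid,
    but every Run-key write is recorded so the persisted path is not lost."""
    state = defaultdict(lambda: {"image": None, "score": 0, "hits": [], "persist": []})
    for line in lines:
        ev = parse_event(line)
        if ev is None:
            continue
        st = state[ev["pid"]]
        st["image"] = ev["image"]
        for name, rx, weight in RULES:
            if not rx.search(ev["key"]):
                continue
            if name == "run_key" and ev["op"] == "set":
                st["persist"].append(ev["value"])
            if name not in st["hits"]:
                st["hits"].append(name)
                st["score"] += weight
    return dict(state)


def alerts(lines, threshold=ALERT_THRESHOLD):
    """PIDs whose combined evasion and persistence score reaches the threshold."""
    return sorted(pid for pid, st in score_processes(lines).items()
                  if st["score"] >= threshold)


if __name__ == "__main__":
    for pid, st in sorted(score_processes(sample_events()).items()):
        flag = "ALERT" if st["score"] >= ALERT_THRESHOLD else "ok"
        print(f"{flag:5} pid {pid} {st['image']} score={st['score']} "
              f"hits={st['hits']} persist={st['persist']}")
```

With these weights the parent (PID 4656) and the benign explorer.exe row score 1 each for the Geo\Nation read, which is a common legitimate lookup, while both Powermonster.exe processes cross the threshold: 2740 through the Run-key write and 3416 purely through the cluster of VirtualBox, Wine and CPU-speed checks.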
Processes

C:\Users\Admin\AppData\Local\Temp\39fbaf33223cf1420da5ee4badd313d2fbd0b087714dd09b09132ebf8101de74.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\39fbaf33223cf1420da5ee4badd313d2fbd0b087714dd09b09132ebf8101de74.exe"
  PID: 4656
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory

  C:\Users\Public\Pictures\Powermonster.exe (child of PID 4656)
    Command line: "C:\Users\Public\Pictures\Powermonster.exe"
    PID: 2740
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks computer location settings
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Loads dropped DLL
    - Adds Run key to start application
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Powermonster.exe (child of PID 2740)
      Command line: "C:\Users\Admin\AppData\Local\Powermonster.exe"
      PID: 3416
      - Identifies VirtualBox via ACPI registry values (likely anti-VM)
      - Executes dropped EXE
      - Identifies Wine through registry keys
      - Loads dropped DLL
      - Suspicious use of NtSetInformationThreadHideFromDebugger
      - Checks processor information in registry
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads

Two distinct files appear in the download list; the extracted page repeats each entry several times (the 2.5MB file five times, the 918KB file four times), so each is listed once here. Neither hash matches the submitted sample (see General), so both are files produced during execution rather than copies of the submission.

Filesize: 2.5MB
MD5: 842af33f5702fa99efd8f7b235f28fcc
SHA1: b841b71a4e39432f3a940ad841e74ea1686da6c9
SHA256: 82ab7bbe88c0371e2122e7ad2faa452fdedc4063c2fda36d00c011bdd3948209
SHA512: ba78f32b344842b36ec3e5da0ca1cd80f67c18ab0537ea0d8dd970b823be9e1e48bdc0c28d5ec1666d6da22fc6b5682e99b5844ccd513a836d37158ddb0d8a82

Filesize: 918KB
MD5: 4106c995b5693909f85c782ee75dd49d
SHA1: 6eca500e40d80c3a9fbf50ad70a4328b607293b9
SHA256: d52d0320a4e66c4cbece5963723f822b4b4809a0ca9d9ea6e310a170e604398c
SHA512: 2f59d3be9dd83bb84fc2a22dd7edcbd6f999af2c873f551563e5a2049b2cf7e582edaeeaeb0acaca25422910edd01322a16e60643df6ba89f376c67c25787ebb
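As extracted from the site, the Downloads list runs each label straight into its digest (for example MD5842af33f5702fa99efd8f7b235f28fcc) and repeats entries. The Python below is an added example, not tria.ge code: it parses that raw layout, checks that each digest has the length its algorithm requires, and collapses repeats by SHA256 while verifying that repeated entries agree on size and MD5. DOWNLOADS_TEXT reproduces three entries of this section verbatim; the fourth entry is constructed, with a deliberately truncated SHA1, to exercise the length check.

```python
"""Parse tria.ge Downloads entries whose labels are fused to their digests.

Added example for this report, not tria.ge code. DOWNLOADS_TEXT is copied from
the Downloads section of this page as extracted; CONSTRUCTED_BAD_ENTRY is an
invented entry with a truncated SHA1 to show how malformed digests are flagged.
"""
import re

DIGEST_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}
# Label immediately followed by hex digits, as in 'MD5842af33f...'.
LINE_RE = re.compile(r"^(MD5|SHA1|SHA256|SHA512)([0-9a-fA-F]+)$")

DOWNLOADS_TEXT = """
-
Filesize
2.5MB
MD5842af33f5702fa99efd8f7b235f28fcc
SHA1b841b71a4e39432f3a940ad841e74ea1686da6c9
SHA25682ab7bbe88c0371e2122e7ad2faa452fdedc4063c2fda36d00c011bdd3948209
SHA512ba78f32b344842b36ec3e5da0ca1cd80f67c18ab0537ea0d8dd970b823be9e1e48bdc0c28d5ec1666d6da22fc6b5682e99b5844ccd513a836d37158ddb0d8a82
-
Filesize
918KB
MD54106c995b5693909f85c782ee75dd49d
SHA16eca500e40d80c3a9fbf50ad70a4328b607293b9
SHA256d52d0320a4e66c4cbece5963723f822b4b4809a0ca9d9ea6e310a170e604398c
SHA5122f59d3be9dd83bb84fc2a22dd7edcbd6f999af2c873f551563e5a2049b2cf7e582edaeeaeb0acaca25422910edd01322a16e60643df6ba89f376c67c25787ebb
-
Filesize
2.5MB
MD5842af33f5702fa99efd8f7b235f28fcc
SHA1b841b71a4e39432f3a940ad841e74ea1686da6c9
SHA25682ab7bbe88c0371e2122e7ad2faa452fdedc4063c2fda36d00c011bdd3948209
SHA512ba78f32b344842b36ec3e5da0ca1cd80f67c18ab0537ea0d8dd970b823be9e1e48bdc0c28d5ec1666d6da22fc6b5682e99b5844ccd513a836d37158ddb0d8a82
"""

# Constructed (not from the page): SHA1 is only 8 hex chars, so it must be flagged.
CONSTRUCTED_BAD_ENTRY = "\n".join([
    "-", "Filesize", "1KB",
    "MD5" + "0" * 32,
    "SHA1deadbeef",
    "SHA256" + "0123456789abcdef" * 4,
    "SHA512" + "0123456789abcdef" * 8,
])
SAMPLE_TEXT = DOWNLOADS_TEXT + "\n" + CONSTRUCTED_BAD_ENTRY


def parse_downloads(text):
    """One record per '-'-delimited entry: {'size', 'bad', 'MD5', 'SHA1', ...}.
    A digest of the wrong length is kept but its label is added to 'bad'."""
    records, cur = [], None
    lines = [ln.strip() for ln in text.strip().splitlines()]
    i = 0
    while i < len(lines):
        line = lines[i]
        if line == "-":
            if cur is not None:
                records.append(cur)
            cur = {"size": None, "bad": []}
        elif cur is None:
            pass  # text before the first separator carries no record
        elif line == "Filesize" and i + 1 < len(lines):
            cur["size"] = lines[i + 1]
            i += 1
        else:
            m = LINE_RE.match(line)
            if m:
                label, hexdigest = m.group(1), m.group(2).lower()
                cur[label] = hexdigest
                if len(hexdigest) != DIGEST_LEN[label]:
                    cur["bad"].append(label)
        i += 1
    if cur is not None:
        records.append(cur)
    return records


def unique_by_sha256(records):
    """Collapse repeated entries (first occurrence wins) and count the repeats.
    A repeat whose size or MD5 disagrees with the first copy is flagged."""
    seen = {}
    for r in records:
        key = r.get("SHA256")
        if key is None:
            continue
        if key in seen:
            seen[key]["repeats"] += 1
            if (seen[key]["size"], seen[key].get("MD5")) != (r["size"], r.get("MD5")):
                seen[key]["bad"].append("inconsistent_repeat")
        else:
            seen[key] = dict(r, repeats=1)
    return list(seen.values())


if __name__ == "__main__":
    for rec in unique_by_sha256(parse_downloads(SAMPLE_TEXT)):
        print(f"{rec['size']:>6} x{rec['repeats']} sha256={rec['SHA256']} bad={rec['bad']}")
```

Validating digest lengths matters precisely because the labels are fused to the values: a line such as SHA1b841... is only unambiguous if the parser also confirms that 40 hex characters follow, otherwise a truncated SHA256 could be taken for a valid shorter digest and fed into a blocklist.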