Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
151s -
max time network
161s -
platform
windows10-2004_x64 -
resource
win10v2004-20230915-en -
resource tags
-
submitted
14/10/2023, 02:06
General
-
Target
abe0a71622dc48c4176e92bdf436a83a7cf4b2ee7c7c8222610c7c5d164ee340.exe
-
Size
1.4MB
-
MD5
ae9e85d6e11f83b95812c072249bd504
-
SHA1
e0f4bcef2a2e0501b06e4a45a5f0063ce1e5c644
-
SHA256
abe0a71622dc48c4176e92bdf436a83a7cf4b2ee7c7c8222610c7c5d164ee340
-
SHA512
8752e01e26096cf44986119c7a04fba03a11587f48183b1aebca82a9ef2a0bafaca370ab385c8ca0fc29d922745d4854bf9743083d962e7fe5fd4f6fcf19b10b
-
SSDEEP
24576:U2G/nvxW3Ww0tRp8GiXTBhq7yRDvHcUcjUvy0lr3Tl6icOB/UWoT:UbA30H4zF0UMSAicOB/UWk
Malware Config
Signatures
-
Modifies WinLogon for persistence 2 TTPs 2 IoCs
-
Modifies Windows Firewall 1 TTPs 2 IoCs
-
ACProtect 1.3x - 1.4x DLL software 2 IoCs
Detects file using ACProtect software.
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 3 IoCs
-
Loads dropped DLL 1 IoCs
-
UPX packed file 7 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Unexpected DNS network traffic destination 3 IoCs
Network traffic to other servers than the configured DNS servers was detected on the DNS port.
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Runs ping.exe 1 TTPs 5 IoCs
-
Suspicious behavior: EnumeratesProcesses 56 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Views/modifies file attributes 1 TTPs 1 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\abe0a71622dc48c4176e92bdf436a83a7cf4b2ee7c7c8222610c7c5d164ee340.exe"C:\Users\Admin\AppData\Local\Temp\abe0a71622dc48c4176e92bdf436a83a7cf4b2ee7c7c8222610c7c5d164ee340.exe"1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ratt.bat" "2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c nslookup myip.opendns.com. resolver1.opendns.com3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\nslookup.exenslookup myip.opendns.com. resolver1.opendns.com4⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c wmic ComputerSystem get Domain3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\Wbem\WMIC.exewmic ComputerSystem get Domain4⤵
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exePowershell -Command 'Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\ratt.exe"'3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exePowershell -Command 'Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\"'3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exePowershell -Command 'Add-MpPreference -ExclusionPath "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\ratt.exe"'3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exePowershell -Command 'Add-MpPreference -ExclusionPath "$Env:SystemDrive\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp"'3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exePowershell -Command 'Add-MpPreference -ExclusionProcess "C:\Users\Admin\AppData\Local\Temp\ratt.exe"'3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\AppData\Local\Temp\7z.exe7z.exe x -o"C:\Users\Admin\AppData\Local\Temp" -y ratt.7z3⤵
- Executes dropped EXE
- Loads dropped DLL
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -executionpolicy RemoteSigned -WindowStyle Hidden -file Add.ps13⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\netsh.exe"C:\Windows\system32\netsh.exe" advfirewall firewall add rule name=SecuritySystem dir=in action=allow "program=C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ratt.exe" enable=yes4⤵
- Modifies Windows Firewall
-
-
C:\Windows\SysWOW64\netsh.exe"C:\Windows\system32\netsh.exe" advfirewall firewall add rule name=SecuritySystem dir=out action=allow "program=C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ratt.exe" enable=yes4⤵
- Modifies Windows Firewall
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe"4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\Wbem\WMIC.exewmic computersystem where name="BQNDLEKG" set AutomaticManagedPagefile=False5⤵
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe"4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\Wbem\WMIC.exewmic pagefileset where name="C:\\pagefile.sys" set InitialSize=15000,MaximumSize=200005⤵
-
-
-
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ratt.exe"C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ratt.exe"4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\cmd.exe"cmd" /c ping 127.0.0.1 -n 9 > nul && REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\Music\rot.exe,"5⤵
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 96⤵
- Runs ping.exe
-
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\Music\rot.exe,"6⤵
- Modifies WinLogon for persistence
-
-
-
C:\Windows\SysWOW64\cmd.exe"cmd" /c ping 127.0.0.1 -n 13 > nul && copy "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ratt.exe" "C:\Users\Admin\Music\rot.exe" && ping 127.0.0.1 -n 13 > nul && "C:\Users\Admin\Music\rot.exe"5⤵
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 136⤵
- Runs ping.exe
-
-
-
-
C:\Windows\SysWOW64\attrib.exe"C:\Windows\system32\attrib.exe" +h "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ratt.exe"4⤵
- Views/modifies file attributes
-
-
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "ratt" /t REG_SZ /d "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\ratt.exe" /F3⤵
- Adds Run key to start application
-
-
C:\Users\Admin\AppData\Local\Temp\ratt.exe"ratt.exe"3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\cmd.exe"cmd" /c ping 127.0.0.1 -n 6 > nul && REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\Music\rot.exe,"4⤵
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 65⤵
- Runs ping.exe
-
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\Music\rot.exe,"5⤵
- Modifies WinLogon for persistence
-
-
-
C:\Windows\SysWOW64\cmd.exe"cmd" /c ping 127.0.0.1 -n 11 > nul && copy "C:\Users\Admin\AppData\Local\Temp\ratt.exe" "C:\Users\Admin\Music\rot.exe" && ping 127.0.0.1 -n 11 > nul && "C:\Users\Admin\Music\rot.exe"4⤵
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 115⤵
- Runs ping.exe
-
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 115⤵
- Runs ping.exe
-
-
-
-
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Create or Modify System Process
1Windows Service
1Privilege Escalation
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Create or Modify System Process
1Windows Service
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
468.9MB
MD581abcd73a11ebd136c869448a9298812
SHA10e0b8590e8f5479bb62808201cc631097a0ed302
SHA2568682a696bb36b7e2ed682551e8b1248bb31cb8cb1a7d8148470eedf067233668
SHA5125d0bf70cc00efec9f2b6de029c26a09370758275e5e6994025641eb9a98c67374e021f4f43a8f5f3ad35a4363a7eecad25174eeaa3718c9b7a175f902fdb96e0
-
Filesize
348.0MB
MD5ab27de2d8bc1b82edc5a9e431fdd2e8a
SHA1d3445e5c019f9938953a10fd025f7967c008fd84
SHA2567290cd67b0d483d7fa8286b7b0f0ba3187856cf61335670748000339a0fae313
SHA5122dbb669e5395325d60dc868c818152fcb52eaa8f2727864e4fa030fe9e48c446d7d1a9586280eb3d1ee82df608dfb902a9080375c811294c7acbddd5528236de
-
Filesize
1KB
MD533b19d75aa77114216dbc23f43b195e3
SHA136a6c3975e619e0c5232aa4f5b7dc1fec9525535
SHA256b23ced31b855e5a39c94afa1f9d55b023b8c40d4dc62143e0539c6916c12c9d2
SHA512676fa2fd34878b75e5899197fe6826bb5604541aa468804bc9835bd3acabed2e6759878a8f1358955413818a51456816e90f149133828575a416c2a74fc7d821
-
Filesize
1KB
MD59a2d0ce437d2445330f2646472703087
SHA133c83e484a15f35c2caa3af62d5da6b7713a20ae
SHA25630ea2f716e85f8d14a201e3fb0897d745a01b113342dfb7a9b7ac133c4ef150c
SHA512a61d18d90bfad9ea8afdfa37537cfea3d5a3d0c161e323fa65840c283bdc87c3de85daaff5519beea2f2719eec1c68398eea8679b55ff733a61052f073162d5d
-
Filesize
11KB
MD5eaa9a8122761318164dc72df162a20dd
SHA1dfa4c6d3385c323b2cbeb5f92d25b864d5fe0a31
SHA25605077fd643f93523de9124b251d5eae7932b60e2e4d9b16f8c333b3dcb742189
SHA5125d3e0f8a15062235fca2833671e374c42a6bfc37f21058855d1080616182cce71056cc7704072cae324d0fc0156ad90034dc4ed42306d68a2d5767d04c1b60b6
-
Filesize
11KB
MD5d66c84900429bbc66704f7a733909f00
SHA16176a3c929f0380452327f14a0183e8cc22dcb00
SHA256664bf319faf8cb1cbfb6eb93ac54cf18cd643790deb3a6ee69483b5f9e1e3dd0
SHA5125da91fbcc85ca6e63a66f514125719035f05933f79597d78719818054471dd193f023a21f4c41f68620539b0029108a3d09ad97b19e878dfc20b67fbbe76045f
-
Filesize
11KB
MD53f4e7ace963599bc35043df2b34d2299
SHA1bfed340d207a567a1ed328127fb0c4c3d246c245
SHA256ccf83ddc93083c375de751ecd8cf31dba7d56513c1539ba5a70f7e53f3680541
SHA512ff8b0cf07c2a3512db8b3598c86d875ea0556c1be256d7100e3721a9d57d04ce741c5eff1d9f30449ec32ca2a536cd98b48531a3251127c9098ccecf7de5057c
-
Filesize
11KB
MD549541b10ddb91559bc96a5a578a9f3c8
SHA1399d20c99761523de92f7a4344f4b335d0f1ecc6
SHA25645ab7f1fac872c39aa2dc93596ec1c2b354c034cecde95bdf64cf0b4ee032e0a
SHA5122dcdcd9a98b01b8aa214d0e49df15e87c4a7644025e609a540abfedef30b52e77ae20f63c7a3448d21f88b62e80c0685372ffbdcb5594161301b366771e6c4ea
-
Filesize
11KB
MD5be3575b440938f930b7e9a881ea2b019
SHA1df9157d44a18fb91ed0898ffc2583435ee992822
SHA256dd41388f04a688ffd258467fae5fd556b3ca41d2706fe52ab451742d6a331b54
SHA512a9041e0340a352af03bc621a25b021acd46da35d0933c99b9c433f83777f0b4ca551ebc5eeb4f37a5cf2767b3ad6d37874e5029f205826596e5b77e7b2eace8b
-
Filesize
328KB
MD515bbbe562f9be3e5dcbb834e635cc231
SHA17c01cf5fa4db2312c5ed2f7b8c41e3e5c346a51a
SHA256ed50ef8e0b6dd83fb0c3f733329d4aa6e5a3beb3491e2ba9d2ae206813508dde
SHA512769287951b8c16f4b10c1b58e82612844babe7b5c10445fe848d713fb5e8321bcbbd9780e9c564cffe35ea4144e8a7e19645291c4eea372fcaa19ae395a97287
-
Filesize
328KB
MD515bbbe562f9be3e5dcbb834e635cc231
SHA17c01cf5fa4db2312c5ed2f7b8c41e3e5c346a51a
SHA256ed50ef8e0b6dd83fb0c3f733329d4aa6e5a3beb3491e2ba9d2ae206813508dde
SHA512769287951b8c16f4b10c1b58e82612844babe7b5c10445fe848d713fb5e8321bcbbd9780e9c564cffe35ea4144e8a7e19645291c4eea372fcaa19ae395a97287
-
Filesize
71KB
MD58ba2e41b330ae9356e62eb63514cf82e
SHA18dc266467a5a0d587ed0181d4344581ef4ff30b2
SHA256ea2ad8d87b79c8eb3952498c7005a195986436cfd7ca7736dbbdda979142daea
SHA5122fdfc2d368c70320b3dac00fef06381ef90a2a82a1f3137109b033d84e5b70185039af6ec918012dc03bc9d046cd8d8aee3247ba0f59d394e78f1f73380f7a1d
-
Filesize
71KB
MD58ba2e41b330ae9356e62eb63514cf82e
SHA18dc266467a5a0d587ed0181d4344581ef4ff30b2
SHA256ea2ad8d87b79c8eb3952498c7005a195986436cfd7ca7736dbbdda979142daea
SHA5122fdfc2d368c70320b3dac00fef06381ef90a2a82a1f3137109b033d84e5b70185039af6ec918012dc03bc9d046cd8d8aee3247ba0f59d394e78f1f73380f7a1d
-
Filesize
1KB
MD50df43097e0f0acd04d9e17fb43d618b9
SHA169b3ade12cb228393a93624e65f41604a17c83b6
SHA256c8e4a63337a25f55f75ad10ab2b420d716bad4b35a2044fd39dcd5936419d873
SHA51201ae71dd2ee040baad6f4b9afcfbaeca2b9f6cc7d60ade5de637238d65c17d74292734666f4ae6b533f6bf1007c46387d8e690d97c3b7a535bcd6f216e70c4fb
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
693KB
MD57de6fdf3629c73bf0c29a96fa23ae055
SHA1dcb37f6d43977601c6460b17387a89b9e4c0609a
SHA256069979bfb2aefe3cac239fe4f2477672eb75b90c9853fb67b2ac1438f2ec44ff
SHA512d1ef2299aacf429572fd6df185009960e601e49126f080fdced26ec407e5db86eaa902e474635464aac146b7de286667a398f2c5e46c4a821dad2579bfb3acf8
-
Filesize
1KB
MD57ea1fec84d76294d9256ae3dca7676b2
SHA11e335451d1cbb6951bc77bf75430f4d983491342
SHA2569a419095c0bafc6b550f3f760c7b4f91ef3a956cfa6403d3750164ecdbe35940
SHA512ab712c45081b3d1c7edd03e67a8db1518a546f3fbf00e99838dfe03a689c4867a6953e6603dcd2be458b2441f4a2b70286fd7d096549cfcf032dd2cd54d68317
-
Filesize
745.1MB
MD5be788bb3680cf3809d9678ee6f7ba321
SHA1499f01d5f654f83e172004dcc03f99abdd251734
SHA25603a17a2b669f72df082569ea477977d824796da3b6b7a8d0e6f91f2629ef406b
SHA51283c0b885740a57b84b2c909d0d6bb25baaa49d62499773030b59058325f37a5fcf39a1cd59ef9c229ca7289af7250034f6652e449625b67c2d260b285ddb9a8e
-
Filesize
264.9MB
MD53aefb6ce884497a3fbe173e76d4e121a
SHA12116eb200f101ccbabce78be02400b2acf6972b1
SHA256701c572daac9097f0fdd8ffccd35d48de7a9b1f65e4632aa933c4bd3db42ef7a
SHA512da247857a6821cfc5cfe06d51c328301367c4d728fe5becf1ef816a2ee53c7ee52f3fbec13521a9a2c426a2599ac9ebaded4f0e2ab00f2e6e0239ea5081fb86f
-
Filesize
200KB
-
Filesize
904KB
-
Filesize
200KB
-
Filesize
120KB
-
Filesize
6.2MB
-
Filesize
7.7MB
-
Filesize
216KB
-
Filesize
64KB
-
Filesize
136KB
-
Filesize
7.7MB
-
Filesize
64KB
-
Filesize
304KB
-
Filesize
3.3MB
-
Filesize
408KB
-
Filesize
408KB
-
Filesize
64KB
-
Filesize
7.7MB
-
Filesize
7.7MB
-
Filesize
3.3MB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
200KB
-
Filesize
104KB
-
Filesize
80KB
-
Filesize
56KB
-
Filesize
64KB
-
Filesize
68KB
-
Filesize
7.7MB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
3.3MB
-
Filesize
600KB
-
Filesize
304KB
-
Filesize
5.6MB
-
Filesize
64KB
-
Filesize
32KB
-
Filesize
304KB
-
Filesize
120KB
-
Filesize
652KB
-
Filesize
6.5MB
-
Filesize
104KB
-
Filesize
7.7MB
-
Filesize
40KB
-
Filesize
136KB
-
Filesize
64KB
-
Filesize
7.7MB
-
Filesize
7.7MB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
3.3MB
-
Filesize
64KB
-
Filesize
7.7MB
-
Filesize
3.3MB
-
Filesize
64KB
-
Filesize
7.7MB
-
Filesize
64KB
-
Filesize
624KB
-
Filesize
1.7MB
-
Filesize
584KB
-
Filesize
64KB
-
Filesize
280KB
-
Filesize
7.7MB
-
Filesize
7.7MB
-
Filesize
7.7MB
-
Filesize
64KB