Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
208s -
max time network
225s -
platform
windows10-2004_x64 -
resource
win10v2004-20230915-en -
resource tags
arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system -
submitted
14/10/2023, 03:13
Static task
static1
Behavioral task
behavioral1
Sample
9ded64087b76f48dfa80c95ceffbf11ec7e442bdaed4cebdef40a3ed2593f86b.exe
Resource
win7-20230831-en
Behavioral task
behavioral2
Sample
9ded64087b76f48dfa80c95ceffbf11ec7e442bdaed4cebdef40a3ed2593f86b.exe
Resource
win10v2004-20230915-en
General
-
Target
9ded64087b76f48dfa80c95ceffbf11ec7e442bdaed4cebdef40a3ed2593f86b.exe
-
Size
1.4MB
-
MD5
3f67be83722c1b395fc4bcec2dd81866
-
SHA1
d67e4a209f94b6a051d96a12d609f32e453416c4
-
SHA256
9ded64087b76f48dfa80c95ceffbf11ec7e442bdaed4cebdef40a3ed2593f86b
-
SHA512
7517fe15e10e67a21b59869443b2154c39d334c63f3750ca20daa05d815d31c231143a16caf30923a205e858ffde195bea44164e4feb8aa01c5e837d8a8621a8
-
SSDEEP
24576:U2G/nvxW3Ww0tRp8GiXTBhq7yRDvHcUcjUvy0lr3Tl6icOB/UWoT:UbA30H4zF0UMSAicOB/UWk
Malware Config
Signatures
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\Control Panel\International\Geo\Nation 9ded64087b76f48dfa80c95ceffbf11ec7e442bdaed4cebdef40a3ed2593f86b.exe -
Unexpected DNS network traffic destination 3 IoCs
Network traffic to other servers than the configured DNS servers was detected on the DNS port.
description ioc Destination IP 208.67.222.222 Destination IP 208.67.222.222 Destination IP 208.67.222.222 -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious behavior: EnumeratesProcesses 10 IoCs
pid Process 4280 powershell.exe 4280 powershell.exe 372 powershell.exe 372 powershell.exe 4400 powershell.exe 4400 powershell.exe 4784 powershell.exe 4784 powershell.exe 4564 powershell.exe 4564 powershell.exe -
Suspicious use of AdjustPrivilegeToken 47 IoCs
description pid Process Token: SeIncreaseQuotaPrivilege 1520 WMIC.exe Token: SeSecurityPrivilege 1520 WMIC.exe Token: SeTakeOwnershipPrivilege 1520 WMIC.exe Token: SeLoadDriverPrivilege 1520 WMIC.exe Token: SeSystemProfilePrivilege 1520 WMIC.exe Token: SeSystemtimePrivilege 1520 WMIC.exe Token: SeProfSingleProcessPrivilege 1520 WMIC.exe Token: SeIncBasePriorityPrivilege 1520 WMIC.exe Token: SeCreatePagefilePrivilege 1520 WMIC.exe Token: SeBackupPrivilege 1520 WMIC.exe Token: SeRestorePrivilege 1520 WMIC.exe Token: SeShutdownPrivilege 1520 WMIC.exe Token: SeDebugPrivilege 1520 WMIC.exe Token: SeSystemEnvironmentPrivilege 1520 WMIC.exe Token: SeRemoteShutdownPrivilege 1520 WMIC.exe Token: SeUndockPrivilege 1520 WMIC.exe Token: SeManageVolumePrivilege 1520 WMIC.exe Token: 33 1520 WMIC.exe Token: 34 1520 WMIC.exe Token: 35 1520 WMIC.exe Token: 36 1520 WMIC.exe Token: SeIncreaseQuotaPrivilege 1520 WMIC.exe Token: SeSecurityPrivilege 1520 WMIC.exe Token: SeTakeOwnershipPrivilege 1520 WMIC.exe Token: SeLoadDriverPrivilege 1520 WMIC.exe Token: SeSystemProfilePrivilege 1520 WMIC.exe Token: SeSystemtimePrivilege 1520 WMIC.exe Token: SeProfSingleProcessPrivilege 1520 WMIC.exe Token: SeIncBasePriorityPrivilege 1520 WMIC.exe Token: SeCreatePagefilePrivilege 1520 WMIC.exe Token: SeBackupPrivilege 1520 WMIC.exe Token: SeRestorePrivilege 1520 WMIC.exe Token: SeShutdownPrivilege 1520 WMIC.exe Token: SeDebugPrivilege 1520 WMIC.exe Token: SeSystemEnvironmentPrivilege 1520 WMIC.exe Token: SeRemoteShutdownPrivilege 1520 WMIC.exe Token: SeUndockPrivilege 1520 WMIC.exe Token: SeManageVolumePrivilege 1520 WMIC.exe Token: 33 1520 WMIC.exe Token: 34 1520 WMIC.exe Token: 35 1520 WMIC.exe Token: 36 1520 WMIC.exe Token: SeDebugPrivilege 4280 powershell.exe Token: SeDebugPrivilege 372 powershell.exe Token: SeDebugPrivilege 4400 powershell.exe Token: SeDebugPrivilege 4784 powershell.exe Token: SeDebugPrivilege 4564 powershell.exe -
Suspicious use of WriteProcessMemory 30 IoCs
description pid Process procid_target PID 4716 wrote to memory of 1392 4716 9ded64087b76f48dfa80c95ceffbf11ec7e442bdaed4cebdef40a3ed2593f86b.exe 88 PID 4716 wrote to memory of 1392 4716 9ded64087b76f48dfa80c95ceffbf11ec7e442bdaed4cebdef40a3ed2593f86b.exe 88 PID 4716 wrote to memory of 1392 4716 9ded64087b76f48dfa80c95ceffbf11ec7e442bdaed4cebdef40a3ed2593f86b.exe 88 PID 1392 wrote to memory of 4420 1392 cmd.exe 91 PID 1392 wrote to memory of 4420 1392 cmd.exe 91 PID 1392 wrote to memory of 4420 1392 cmd.exe 91 PID 4420 wrote to memory of 4332 4420 cmd.exe 92 PID 4420 wrote to memory of 4332 4420 cmd.exe 92 PID 4420 wrote to memory of 4332 4420 cmd.exe 92 PID 1392 wrote to memory of 4564 1392 cmd.exe 93 PID 1392 wrote to memory of 4564 1392 cmd.exe 93 PID 1392 wrote to memory of 4564 1392 cmd.exe 93 PID 4564 wrote to memory of 1520 4564 cmd.exe 94 PID 4564 wrote to memory of 1520 4564 cmd.exe 94 PID 4564 wrote to memory of 1520 4564 cmd.exe 94 PID 1392 wrote to memory of 4280 1392 cmd.exe 99 PID 1392 wrote to memory of 4280 1392 cmd.exe 99 PID 1392 wrote to memory of 4280 1392 cmd.exe 99 PID 1392 wrote to memory of 372 1392 cmd.exe 108 PID 1392 wrote to memory of 372 1392 cmd.exe 108 PID 1392 wrote to memory of 372 1392 cmd.exe 108 PID 1392 wrote to memory of 4400 1392 cmd.exe 109 PID 1392 wrote to memory of 4400 1392 cmd.exe 109 PID 1392 wrote to memory of 4400 1392 cmd.exe 109 PID 1392 wrote to memory of 4784 1392 cmd.exe 110 PID 1392 wrote to memory of 4784 1392 cmd.exe 110 PID 1392 wrote to memory of 4784 1392 cmd.exe 110 PID 1392 wrote to memory of 4564 1392 cmd.exe 111 PID 1392 wrote to memory of 4564 1392 cmd.exe 111 PID 1392 wrote to memory of 4564 1392 cmd.exe 111
Processes
-
C:\Users\Admin\AppData\Local\Temp\9ded64087b76f48dfa80c95ceffbf11ec7e442bdaed4cebdef40a3ed2593f86b.exe"C:\Users\Admin\AppData\Local\Temp\9ded64087b76f48dfa80c95ceffbf11ec7e442bdaed4cebdef40a3ed2593f86b.exe"1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4716 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ratt.bat" "2⤵
- Suspicious use of WriteProcessMemory
PID:1392 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c nslookup myip.opendns.com. resolver1.opendns.com3⤵
- Suspicious use of WriteProcessMemory
PID:4420 -
C:\Windows\SysWOW64\nslookup.exenslookup myip.opendns.com. resolver1.opendns.com4⤵PID:4332
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c wmic ComputerSystem get Domain3⤵
- Suspicious use of WriteProcessMemory
PID:4564 -
C:\Windows\SysWOW64\Wbem\WMIC.exewmic ComputerSystem get Domain4⤵
- Suspicious use of AdjustPrivilegeToken
PID:1520
-
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exePowershell -Command 'Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\ratt.exe"'3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4280
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exePowershell -Command 'Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\"'3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:372
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exePowershell -Command 'Add-MpPreference -ExclusionPath "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\ratt.exe"'3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4400
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exePowershell -Command 'Add-MpPreference -ExclusionPath "$Env:SystemDrive\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp"'3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4784
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exePowershell -Command 'Add-MpPreference -ExclusionProcess "C:\Users\Admin\AppData\Local\Temp\ratt.exe"'3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4564
-
-
C:\Users\Admin\AppData\Local\Temp\7z.exe7z.exe x -o"C:\Users\Admin\AppData\Local\Temp" -y ratt.7z3⤵PID:1880
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1KB
MD533b19d75aa77114216dbc23f43b195e3
SHA136a6c3975e619e0c5232aa4f5b7dc1fec9525535
SHA256b23ced31b855e5a39c94afa1f9d55b023b8c40d4dc62143e0539c6916c12c9d2
SHA512676fa2fd34878b75e5899197fe6826bb5604541aa468804bc9835bd3acabed2e6759878a8f1358955413818a51456816e90f149133828575a416c2a74fc7d821
-
Filesize
11KB
MD5dcf69db2b1b63f172f029c36d4ef2a9a
SHA13d99f278ae3d23503ad46d2bc35b6d2af51b9075
SHA256a91ef753da80481ff6ae18a24538bc2206e5f6aaa45c5304d4d8f01720600517
SHA5121e399b9d42d37ac1949bc6d165500e51f995a87daef408108873ec1a455721304c785885acfc4693264fe850b309a4eddbd12fcce09f45bf6f09329927e4e0d3
-
Filesize
11KB
MD5024c42a454d3be2960eb1a3eb1013132
SHA108835edec4b9c8876a7d7db9bcbfc3107a0b943b
SHA2564db5fef1596041805b1684a1e3308d3c68be744c5dae1bb8ecffb837054f91ab
SHA51286ca6186201ff8f906938794094445a33da0adcd3b736fe726a87dee8136b66b6e9dca7353f71f3d574980fc0643e2f707f22ab0c5a6e76f74fefc97c5c08660
-
Filesize
11KB
MD5d23df12d73b10858aa5339098e2ac13e
SHA19b86148ea68aafc312d08db974a582f60b5c8e39
SHA2565af66a746fca3e0af897a6adb7723a826047ef380de74b9c011b0ad7ed6d3af7
SHA512655b134de99390f5c00a6caec7c5bb35ff0c799708cf0714c24d6b634cb7bd9cab7a331a9627714cc40cd363f55fdcaa85c6a0220d44f52032592d1e3a9d24be
-
Filesize
11KB
MD586a701f8515a4917228a769f82fb10e0
SHA106326ef8d3a63a5d509e16a826d9be0f7bc6505d
SHA256829904d91768e2885b2c85309b087c6f6a32efe1f9182416216247820fbb572a
SHA512138694588030cbf0e41661d6192d9eacceff7757e941a95ad688fecb574f17a4ce68a24238003b47f3bbb46746fbfb56c88cda3cf8344dca8f6bd57e269bbe27
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
1KB
MD57ea1fec84d76294d9256ae3dca7676b2
SHA11e335451d1cbb6951bc77bf75430f4d983491342
SHA2569a419095c0bafc6b550f3f760c7b4f91ef3a956cfa6403d3750164ecdbe35940
SHA512ab712c45081b3d1c7edd03e67a8db1518a546f3fbf00e99838dfe03a689c4867a6953e6603dcd2be458b2441f4a2b70286fd7d096549cfcf032dd2cd54d68317