Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

3

72ab1fdb6c...91.dll

windows7-x64

8

72ab1fdb6c...91.dll

windows10-2004-x64

10

Analysis

  • max time kernel
    125s
  • max time network
    154s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230915-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
  • submitted
    14/10/2023, 08:09

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    72ab1fdb6c8bb30e32ba8d3d27a1cea2690ad59ab4ff28bfd0ebfb3788555391.dll

  • Size

    74KB

  • MD5

    60e8527b26fb0d5458664ec5c674338a

  • SHA1

    034724e0211c1c988f4a48a51d5f2b433e73c455

  • SHA256

    72ab1fdb6c8bb30e32ba8d3d27a1cea2690ad59ab4ff28bfd0ebfb3788555391

  • SHA512

    cf0af30b547eb51b394a2096190652f8e82efd67813be1c553c630a5197c516a0f2ffa2a067a5817e7f18490cd781581edcf3376d73baa80f1a30314efc747b6

  • SSDEEP

    1536:+pi13988ZAcYPxykieJBkugszIkRkAkkkp7kkkkZkiJ++9gL45+ZVYHvzf9fhsiC:+pi1398qAcYPxykieJBkugszIkRkAkk/

Score
10/10
fatalratinfostealerrat

Malware Config

Signatures

  • FatalRat

    FatalRat is a modular infostealer family written in C++ first appearing in June 2021.

    infostealerratfatalrat
  • Fatal Rat payload 1 IoCs
    ratinfostealer
  • Blocklisted process makes network request 2 IoCs
  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\72ab1fdb6c8bb30e32ba8d3d27a1cea2690ad59ab4ff28bfd0ebfb3788555391.dll,#1
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1552
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\72ab1fdb6c8bb30e32ba8d3d27a1cea2690ad59ab4ff28bfd0ebfb3788555391.dll,#1
      2⤵
      • Blocklisted process makes network request
      • Checks processor information in registry
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4388

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/4388-0-0x00000000012A0000-0x00000000012D5000-memory.dmp

    Filesize

    212KB

    Download

  • memory/4388-1-0x00000000012E0000-0x00000000012E1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/4388-3-0x0000000010000000-0x0000000010031000-memory.dmp

    Filesize

    196KB

    Download

  • memory/4388-2-0x0000000000400000-0x0000000000438000-memory.dmp

    Filesize

    224KB

    Download

  • memory/4388-6-0x00000000012F0000-0x000000000131A000-memory.dmp

    Filesize

    168KB

    Download