Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
- max time kernel: 146s
- max time network: 132s
- platform: windows7_x64
- resource: win7-20230831-en
- resource tags: arch:x64, arch:x86, image:win7-20230831-en, locale:en-us, os:windows7-x64, system
- submitted: 16/10/2023, 07:10
Static task
- static1

Behavioral task
- behavioral1
  - Sample: 9c0bc5dceb61efbf72250e8d04003b7b8f7806afba4e6a815b71185d09550144.exe
  - Resource: win7-20230831-en

Behavioral task
- behavioral2
  - Sample: 9c0bc5dceb61efbf72250e8d04003b7b8f7806afba4e6a815b71185d09550144.exe
  - Resource: win10v2004-20230915-en
General
- Target: 9c0bc5dceb61efbf72250e8d04003b7b8f7806afba4e6a815b71185d09550144.exe
- Size: 2.1MB
- MD5: d73d71dc32505c87955f992091210f1a
- SHA1: 88d5e3fb2462b053b1161c8197168f2dafb63317
- SHA256: 9c0bc5dceb61efbf72250e8d04003b7b8f7806afba4e6a815b71185d09550144
- SHA512: 231d27c1028c62920d67ae48d76b40e2591490b984cb69d706b1ec118cc6a7e367277f1704a84853bbe16ae9a42e1ce2ecd125f0a5e2019e207bcfe1defbe920
- SSDEEP: 49152:lbZWaaPLan9GY7Pjp8oNivM0iTnDJJZk425V/zaBM3Sbawwtlx:lH8Lan9hp8oNivMba4aBN3SbAx
Malware Config
Signatures
- FatalRat
  FatalRat is a modular infostealer family written in C++ first appearing in June 2021.

- Fatal Rat payload (20 IoCs)
  resource                                                                      yara_rule
  behavioral1/memory/3056-24-0x00000000024A0000-0x00000000024D6000-memory.dmp  fatalrat
  behavioral1/memory/3056-36-0x0000000010000000-0x0000000010209000-memory.dmp  fatalrat
  behavioral1/memory/3056-37-0x0000000010000000-0x0000000010209000-memory.dmp  fatalrat
  behavioral1/memory/3056-38-0x0000000010000000-0x0000000010209000-memory.dmp  fatalrat
  behavioral1/memory/3056-39-0x0000000010000000-0x0000000010209000-memory.dmp  fatalrat
  behavioral1/memory/3056-40-0x0000000010000000-0x0000000010209000-memory.dmp  fatalrat
  behavioral1/memory/3056-41-0x0000000010000000-0x0000000010209000-memory.dmp  fatalrat
  behavioral1/memory/3056-42-0x0000000010000000-0x0000000010209000-memory.dmp  fatalrat
  behavioral1/memory/3056-43-0x0000000010000000-0x0000000010209000-memory.dmp  fatalrat
  behavioral1/memory/3056-44-0x0000000010000000-0x0000000010209000-memory.dmp  fatalrat
  behavioral1/memory/3056-45-0x0000000010000000-0x0000000010209000-memory.dmp  fatalrat
  behavioral1/memory/3056-46-0x0000000010000000-0x0000000010209000-memory.dmp  fatalrat
  behavioral1/memory/3056-54-0x0000000010000000-0x0000000010209000-memory.dmp  fatalrat
  behavioral1/memory/2792-56-0x0000000000890000-0x00000000008C6000-memory.dmp  fatalrat
  behavioral1/memory/2792-67-0x0000000010000000-0x0000000010209000-memory.dmp  fatalrat
  behavioral1/memory/2792-68-0x0000000010000000-0x0000000010209000-memory.dmp  fatalrat
  behavioral1/memory/2792-69-0x0000000010000000-0x0000000010209000-memory.dmp  fatalrat
  behavioral1/memory/2792-70-0x0000000010000000-0x0000000010209000-memory.dmp  fatalrat
  behavioral1/memory/2792-71-0x0000000010000000-0x0000000010209000-memory.dmp  fatalrat
  behavioral1/memory/2792-72-0x0000000010000000-0x0000000010209000-memory.dmp  fatalrat

- Identifies VirtualBox via ACPI registry values (likely anti-VM) (2 TTPs, 2 IoCs)
  description  ioc                                          Process
  Key opened   \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__  Powermonster.exe
  Key opened   \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__  Powermonster.exe

- Executes dropped EXE (2 IoCs)
  pid   Process
  3056  Powermonster.exe
  2792  Powermonster.exe

- Identifies Wine through registry keys (2 TTPs, 2 IoCs)
  Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.
  description  ioc                                                                        Process
  Key opened   \REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Wine  Powermonster.exe
  Key opened   \REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Wine  Powermonster.exe

- Loads dropped DLL (7 IoCs)
  pid   Process
  2372  9c0bc5dceb61efbf72250e8d04003b7b8f7806afba4e6a815b71185d09550144.exe
  2372  9c0bc5dceb61efbf72250e8d04003b7b8f7806afba4e6a815b71185d09550144.exe
  2372  9c0bc5dceb61efbf72250e8d04003b7b8f7806afba4e6a815b71185d09550144.exe
  2372  9c0bc5dceb61efbf72250e8d04003b7b8f7806afba4e6a815b71185d09550144.exe
  3056  Powermonster.exe
  3056  Powermonster.exe
  2792  Powermonster.exe

- Adds Run key to start application (2 TTPs, 1 IoCs)
  description      ioc                                                                                                                                                     Process
  Set value (str)  \REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Windows\CurrentVersion\Run\yxfile = "C:\\Users\\Admin\\AppData\\Local\\Powermonster.exe"  Powermonster.exe

- Suspicious use of NtSetInformationThreadHideFromDebugger (2 IoCs)
  pid   Process
  3056  Powermonster.exe
  2792  Powermonster.exe

- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).

- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  pid   Process
  3056  Powermonster.exe
  2792  Powermonster.exe

- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  description              pid   Process
  Token: SeDebugPrivilege  3056  Powermonster.exe
  Token: SeDebugPrivilege  2792  Powermonster.exe

- Suspicious use of WriteProcessMemory (8 IoCs)
  description                    pid   Process                                                                 procid_target
  PID 2372 wrote to memory of 3056  2372  9c0bc5dceb61efbf72250e8d04003b7b8f7806afba4e6a815b71185d09550144.exe  28
  PID 2372 wrote to memory of 3056  2372  9c0bc5dceb61efbf72250e8d04003b7b8f7806afba4e6a815b71185d09550144.exe  28
  PID 2372 wrote to memory of 3056  2372  9c0bc5dceb61efbf72250e8d04003b7b8f7806afba4e6a815b71185d09550144.exe  28
  PID 2372 wrote to memory of 3056  2372  9c0bc5dceb61efbf72250e8d04003b7b8f7806afba4e6a815b71185d09550144.exe  28
  PID 3056 wrote to memory of 2792  3056  Powermonster.exe                                                        31
  PID 3056 wrote to memory of 2792  3056  Powermonster.exe                                                        31
  PID 3056 wrote to memory of 2792  3056  Powermonster.exe                                                        31
  PID 3056 wrote to memory of 2792  3056  Powermonster.exe                                                        31
Processes
- C:\Users\Admin\AppData\Local\Temp\9c0bc5dceb61efbf72250e8d04003b7b8f7806afba4e6a815b71185d09550144.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\9c0bc5dceb61efbf72250e8d04003b7b8f7806afba4e6a815b71185d09550144.exe"
  PID: 2372
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  - C:\Users\Public\Documents\Powermonster.exe
    Command line: "C:\Users\Public\Documents\Powermonster.exe"
    PID: 3056
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Loads dropped DLL
    - Adds Run key to start application
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Powermonster.exe
      Command line: "C:\Users\Admin\AppData\Local\Powermonster.exe"
      PID: 2792
      - Identifies VirtualBox via ACPI registry values (likely anti-VM)
      - Executes dropped EXE
      - Identifies Wine through registry keys
      - Loads dropped DLL
      - Suspicious use of NtSetInformationThreadHideFromDebugger
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads
The list contains 13 entries that resolve to two distinct files by hash (the 2.5MB file appears 9 times, the 922KB file 4 times):

- Filesize: 2.5MB
  MD5: 842af33f5702fa99efd8f7b235f28fcc
  SHA1: b841b71a4e39432f3a940ad841e74ea1686da6c9
  SHA256: 82ab7bbe88c0371e2122e7ad2faa452fdedc4063c2fda36d00c011bdd3948209
  SHA512: ba78f32b344842b36ec3e5da0ca1cd80f67c18ab0537ea0d8dd970b823be9e1e48bdc0c28d5ec1666d6da22fc6b5682e99b5844ccd513a836d37158ddb0d8a82

- Filesize: 922KB
  MD5: 22019e31ea6f7134c94358e9eb8516fe
  SHA1: 51673f72f119b1fc391fcb8b0780c0077aac1e13
  SHA256: 291e91026dc87e8d85e4a25cdbdce09010c4a7f1b2492e23e3ec875a3370c7d7
  SHA512: 20d226aec3cc06aa2d62b555d144896fc6f7d575968f02997f96875640ba51801b9fd29925dd1e3ec092870a7696c5d14c1c0303f35607aa979f40a28ccc33d4