Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

1

2c0981a3ce...39.exe

windows7-x64

10

2c0981a3ce...39.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    157s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230915-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
  • submitted
    19/10/2023, 08:19

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    2c0981a3ceee83e83747c381986448ac06bad949bd756bc43264e4fddd914639.exe

  • Size

    1.2MB

  • MD5

    96626a498a8ee503abd98cc7c641c1b5

  • SHA1

    68cb59e4dce54ba6ca33db94f8e337ae11a35249

  • SHA256

    2c0981a3ceee83e83747c381986448ac06bad949bd756bc43264e4fddd914639

  • SHA512

    f88d44dcf52536f6888a322cd1626f92a269298a594cf022211d3972267ee0420d093ce6c421f8f73f68784bcb557f8f46d463a690e9780a1869d72cfb1edfbc

  • SSDEEP

    24576:GFQIVQ+dn+bNoHdgUzuiw5Jpnrw4qjGib9JHslg9Nyhl7RLp5aKVgKIOL5:ZIi+dn+bUWwuiw5JpnU4cB9nNWJxp4KB

Score
10/10
fatalratinfostealerrat

Malware Config

Signatures

  • FatalRat

    FatalRat is a modular infostealer family written in C++ first appearing in June 2021.

    infostealerratfatalrat
  • Fatal Rat payload 5 IoCs
    ratinfostealer
  • Executes dropped EXE 2 IoCs
  • Drops file in System32 directory 17 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 59 IoCs
  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies data under HKEY_USERS 30 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: RenamesItself 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2c0981a3ceee83e83747c381986448ac06bad949bd756bc43264e4fddd914639.exe
    "C:\Users\Admin\AppData\Local\Temp\2c0981a3ceee83e83747c381986448ac06bad949bd756bc43264e4fddd914639.exe"
    1⤵
    • Drops file in System32 directory
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Suspicious behavior: RenamesItself
    • Suspicious use of AdjustPrivilegeToken
    PID:2936
  • C:\Windows\SysWOW64\Jklmno.exe
    C:\Windows\SysWOW64\Jklmno.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Modifies data under HKEY_USERS
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3980
    • C:\Windows\SysWOW64\Jklmno.exe
      C:\Windows\SysWOW64\Jklmno.exe Win7
      2⤵
      • Executes dropped EXE
      • Drops file in System32 directory
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Checks processor information in registry
      • Modifies data under HKEY_USERS
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3004

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Windows\SysWOW64\Jklmno.exe
    Filesize

    1.2MB

    MD5

    96626a498a8ee503abd98cc7c641c1b5

    SHA1

    68cb59e4dce54ba6ca33db94f8e337ae11a35249

    SHA256

    2c0981a3ceee83e83747c381986448ac06bad949bd756bc43264e4fddd914639

    SHA512

    f88d44dcf52536f6888a322cd1626f92a269298a594cf022211d3972267ee0420d093ce6c421f8f73f68784bcb557f8f46d463a690e9780a1869d72cfb1edfbc

    Download Submit

  • C:\Windows\SysWOW64\Jklmno.exe
    Filesize

    1.2MB

    MD5

    96626a498a8ee503abd98cc7c641c1b5

    SHA1

    68cb59e4dce54ba6ca33db94f8e337ae11a35249

    SHA256

    2c0981a3ceee83e83747c381986448ac06bad949bd756bc43264e4fddd914639

    SHA512

    f88d44dcf52536f6888a322cd1626f92a269298a594cf022211d3972267ee0420d093ce6c421f8f73f68784bcb557f8f46d463a690e9780a1869d72cfb1edfbc

    Download Submit

  • C:\Windows\SysWOW64\Jklmno.exe
    Filesize

    1.2MB

    MD5

    96626a498a8ee503abd98cc7c641c1b5

    SHA1

    68cb59e4dce54ba6ca33db94f8e337ae11a35249

    SHA256

    2c0981a3ceee83e83747c381986448ac06bad949bd756bc43264e4fddd914639

    SHA512

    f88d44dcf52536f6888a322cd1626f92a269298a594cf022211d3972267ee0420d093ce6c421f8f73f68784bcb557f8f46d463a690e9780a1869d72cfb1edfbc

    Download Submit

  • memory/2936-13071-0x0000000000400000-0x0000000000573000-memory.dmp

    Filesize

    1.4MB

    Download

  • memory/2936-0-0x0000000000400000-0x0000000000573000-memory.dmp

    Filesize

    1.4MB

    Download

  • memory/2936-13070-0x0000000000400000-0x0000000000573000-memory.dmp

    Filesize

    1.4MB

    Download

  • memory/2936-26167-0x0000000000400000-0x0000000000573000-memory.dmp

    Filesize

    1.4MB

    Download

  • memory/2936-13072-0x0000000000400000-0x0000000000573000-memory.dmp

    Filesize

    1.4MB

    Download

  • memory/2936-13074-0x0000000000400000-0x0000000000573000-memory.dmp

    Filesize

    1.4MB

    Download

  • memory/2936-13075-0x0000000000400000-0x0000000000573000-memory.dmp

    Filesize

    1.4MB

    Download

  • memory/2936-13076-0x0000000010000000-0x000000001002A000-memory.dmp

    Filesize

    168KB

    Download

  • memory/2936-5884-0x0000000076540000-0x00000000765BA000-memory.dmp

    Filesize

    488KB

    Download

  • memory/2936-3875-0x0000000075800000-0x00000000759A0000-memory.dmp

    Filesize

    1.6MB

    Download

  • memory/2936-1-0x00000000750D0000-0x00000000752E5000-memory.dmp

    Filesize

    2.1MB

    Download

  • memory/2936-13069-0x0000000000400000-0x0000000000573000-memory.dmp

    Filesize

    1.4MB

    Download

  • memory/2936-17611-0x0000000000400000-0x0000000000573000-memory.dmp

    Filesize

    1.4MB

    Download

  • memory/3004-39244-0x0000000000400000-0x0000000000573000-memory.dmp

    Filesize

    1.4MB

    Download

  • memory/3004-39241-0x0000000000400000-0x0000000000573000-memory.dmp

    Filesize

    1.4MB

    Download

  • memory/3004-39243-0x0000000000400000-0x0000000000573000-memory.dmp

    Filesize

    1.4MB

    Download

  • memory/3004-39240-0x0000000000400000-0x0000000000573000-memory.dmp

    Filesize

    1.4MB

    Download

  • memory/3004-39239-0x0000000000400000-0x0000000000573000-memory.dmp

    Filesize

    1.4MB

    Download

  • memory/3004-39238-0x0000000000400000-0x0000000000573000-memory.dmp

    Filesize

    1.4MB

    Download

  • memory/3004-32052-0x0000000076540000-0x00000000765BA000-memory.dmp

    Filesize

    488KB

    Download

  • memory/3004-39252-0x0000000000400000-0x0000000000573000-memory.dmp

    Filesize

    1.4MB

    Download

  • memory/3004-30042-0x0000000075800000-0x00000000759A0000-memory.dmp

    Filesize

    1.6MB

    Download

  • memory/3004-26168-0x00000000750D0000-0x00000000752E5000-memory.dmp

    Filesize

    2.1MB

    Download

  • memory/3980-26155-0x0000000000400000-0x0000000000573000-memory.dmp

    Filesize

    1.4MB

    Download

  • memory/3980-30831-0x0000000000400000-0x0000000000573000-memory.dmp

    Filesize

    1.4MB

    Download

  • memory/3980-26160-0x0000000000400000-0x0000000000573000-memory.dmp

    Filesize

    1.4MB

    Download

  • memory/3980-26159-0x0000000000400000-0x0000000000573000-memory.dmp

    Filesize

    1.4MB

    Download

  • memory/3980-26157-0x0000000000400000-0x0000000000573000-memory.dmp

    Filesize

    1.4MB

    Download

  • memory/3980-26156-0x0000000000400000-0x0000000000573000-memory.dmp

    Filesize

    1.4MB

    Download

  • memory/3980-26154-0x0000000000400000-0x0000000000573000-memory.dmp

    Filesize

    1.4MB

    Download

  • memory/3980-18968-0x0000000076540000-0x00000000765BA000-memory.dmp

    Filesize

    488KB

    Download

  • memory/3980-16958-0x0000000075800000-0x00000000759A0000-memory.dmp

    Filesize

    1.6MB

    Download

  • memory/3980-13084-0x00000000750D0000-0x00000000752E5000-memory.dmp

    Filesize

    2.1MB

    Download