Analysis
- max time kernel: 153s
- max time network: 160s
- platform: windows10-2004_x64
- resource: win10v2004-20230915-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20230915-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 20/10/2023, 08:25
Static task
- static1

Behavioral task
- behavioral1: sample a7c4285218581fc609232793a82c091b1855f120ea4484536140533907fa7a48.exe, resource win7-20230831-en

Behavioral task
- behavioral2: sample a7c4285218581fc609232793a82c091b1855f120ea4484536140533907fa7a48.exe, resource win10v2004-20230915-en
General
- Target: a7c4285218581fc609232793a82c091b1855f120ea4484536140533907fa7a48.exe
- Size: 1.3MB
- MD5: 9c39f93c41464571c61a9e6ad689b91a
- SHA1: fb2ee625d3b88af6bf5519281250c09da171d438
- SHA256: a7c4285218581fc609232793a82c091b1855f120ea4484536140533907fa7a48
- SHA512: 8611e1f076240b18b70a417acba548c7e5111cd20a1390a596eb30b49faa29d40e12f51acf03fe5e9602fd635ba2feb946574664a3945e0199e2cc91690ff59f
- SSDEEP: 24576:yP3oWsSQq42nyvUPZ8lvIEK4GyiqRs1wc1EHSLgQyqa5M8VN2W2OI4:cYNqyM1wGy2f1mQ7aiJOP
Malware Config
Signatures
-
FatalRat
FatalRat is a modular infostealer family written in C++ first appearing in June 2021.
-
Fatal Rat payload (5 IoCs)
resource | yara_rule
- behavioral2/memory/4532-13076-0x0000000010000000-0x000000001002A000-memory.dmp | fatalrat
- behavioral2/memory/4532-16959-0x0000000000400000-0x00000000005A5000-memory.dmp | fatalrat
- behavioral2/memory/4532-26169-0x0000000000400000-0x00000000005A5000-memory.dmp | fatalrat
- behavioral2/memory/2872-31872-0x0000000000400000-0x00000000005A5000-memory.dmp | fatalrat
- behavioral2/memory/2712-39265-0x0000000000400000-0x00000000005A5000-memory.dmp | fatalrat
The rule matches the main image range (0x400000-0x5A5000) in all three processes, i.e. the unpacked payload is resident in the original sample and in both Svwxya.exe instances; the earlier 0x10000000-0x1002A000 hit in PID 4532 is a separate, smaller region.
Executes dropped EXE (2 IoCs)
pid | Process
- 2872 | Svwxya.exe
- 2712 | Svwxya.exe
Drops file in System32 directory (13 IoCs)
All entries are from Svwxya.exe and sit under the SYSTEM account's profile (C:\Windows\SysWOW64\config\systemprofile), i.e. WinINet/CryptnetUrlCache activity performed in the SYSTEM context.
description | ioc | Process
- File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft | Svwxya.exe
- File created | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE\getip[1].htm | Svwxya.exe
- File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache | Svwxya.exe
- File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData | Svwxya.exe
- File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\0DA515F703BB9B49479E8697ADB0B955_786387CC77858B88BA3234B304062475 | Svwxya.exe
- File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5 | Svwxya.exe
- File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE | Svwxya.exe
- File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies | Svwxya.exe
- File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content | Svwxya.exe
- File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CF14D1855652602540DFCFECD21854DB_BF731B9C0C82CCD069EEBB7C6DE19E59 | Svwxya.exe
- File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CF14D1855652602540DFCFECD21854DB_BF731B9C0C82CCD069EEBB7C6DE19E59 | Svwxya.exe
- File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5 | Svwxya.exe
- File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\0DA515F703BB9B49479E8697ADB0B955_786387CC77858B88BA3234B304062475 | Svwxya.exe
Suspicious use of NtSetInformationThreadHideFromDebugger (58 IoCs)
pid | Process
- 4532 | a7c4285218581fc609232793a82c091b1855f120ea4484536140533907fa7a48.exe (7 entries)
- 2872 | Svwxya.exe (28 entries)
- 2712 | Svwxya.exe (23 entries)
Drops file in Program Files directory (4 IoCs)
description | ioc | Process
- File created | C:\Program Files (x86)\Svwxya.exe | a7c4285218581fc609232793a82c091b1855f120ea4484536140533907fa7a48.exe
- File opened for modification | C:\Program Files (x86)\Svwxya.exe | a7c4285218581fc609232793a82c091b1855f120ea4484536140533907fa7a48.exe
- File opened for modification | C:\Program Files (x86)\Svwxya.exe | Svwxya.exe
- File created | C:\Program Files (x86)\Svwxya.exe | Svwxya.exe
Checks processor information in registry (2 TTPs, 2 IoCs)
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
- Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | Svwxya.exe
- Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | Svwxya.exe
Modifies data under HKEY_USERS (30 IoCs)
All entries are from Svwxya.exe. Note that the "Services\Stuvwx Abcdefgh" key is created under HKU\.DEFAULT\System\CurrentControlSet, the SYSTEM profile hive, not under HKLM\SYSTEM, so it stores the sample's own configuration (InstallTime, Group = "Fatal") rather than registering a service with the Service Control Manager.
description | ioc | Process
- Key created | \REGISTRY\USER\.DEFAULT\Software | Svwxya.exe
- Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows | Svwxya.exe
- Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\System | Svwxya.exe
- Set value (str) | \REGISTRY\USER\.DEFAULT\System\CurrentControlSet\Services\Stuvwx Abcdefgh\InstallTime = "2023-10-20 08:27" | Svwxya.exe
- Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum\Version = "7" | Svwxya.exe
- Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" | Svwxya.exe
- Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:" | Svwxya.exe
- Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft | Svwxya.exe
- Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\System | Svwxya.exe
- Key created | \REGISTRY\USER\.DEFAULT\System\CurrentControlSet | Svwxya.exe
- Key created | \REGISTRY\USER\.DEFAULT\System\CurrentControlSet\Services | Svwxya.exe
- Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft | Svwxya.exe
- Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies | Svwxya.exe
- Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" | Svwxya.exe
- Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" | Svwxya.exe
- Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum | Svwxya.exe
- Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableLockWorkstation = "1" | Svwxya.exe
- Key created | \REGISTRY\USER\.DEFAULT\SYSTEM | Svwxya.exe
- Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing | Svwxya.exe
- Key created | \REGISTRY\USER\.DEFAULT\SYSTEM\CurrentControlSet\Services\Stuvwx Abcdefgh | Svwxya.exe
- Key created | \REGISTRY\USER\.DEFAULT\System\CurrentControlSet\Services\Stuvwx Abcdefgh | Svwxya.exe
- Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix | Svwxya.exe
- Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie | Svwxya.exe
- Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" | Svwxya.exe
- Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" | Svwxya.exe
- Key created | \REGISTRY\USER\.DEFAULT\Software | Svwxya.exe
- Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion | Svwxya.exe
- Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableLockWorkstation = "1" | Svwxya.exe
- Set value (str) | \REGISTRY\USER\.DEFAULT\System\CurrentControlSet\Services\Stuvwx Abcdefgh\Group = "Fatal" | Svwxya.exe
- Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | Svwxya.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs)
pid | Process
- 2712 | Svwxya.exe (all 64 entries)
Suspicious use of AdjustPrivilegeToken (3 IoCs)
description | pid | Process
- Token: SeDebugPrivilege | 4532 | a7c4285218581fc609232793a82c091b1855f120ea4484536140533907fa7a48.exe
- Token: SeDebugPrivilege | 2872 | Svwxya.exe
- Token: SeDebugPrivilege | 2712 | Svwxya.exe
Suspicious use of WriteProcessMemory (3 IoCs)
description | pid | Process | procid_target
- PID 2872 wrote to memory of 2712 | 2872 | Svwxya.exe | 92 (three identical entries)
Processes

Two process roots are recorded. Svwxya.exe (PID 2872) is not a child of the original sample; it starts on its own from C:\Program Files (x86) and, per the file and registry signatures above, operates in the SYSTEM profile, which is consistent with it being launched as a service. The service registration itself is not among the listed signatures. The first Svwxya.exe then re-launches itself with the argument "Win7" (PID 2712) and writes into that child's memory.

C:\Users\Admin\AppData\Local\Temp\a7c4285218581fc609232793a82c091b1855f120ea4484536140533907fa7a48.exe (PID 4532, depth 1)
Command line: "C:\Users\Admin\AppData\Local\Temp\a7c4285218581fc609232793a82c091b1855f120ea4484536140533907fa7a48.exe"
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken

C:\Program Files (x86)\Svwxya.exe (PID 2872, depth 1)
Command line: "C:\Program Files (x86)\Svwxya.exe"
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory

  C:\Program Files (x86)\Svwxya.exe (PID 2712, depth 2, child of 2872)
  Command line: "C:\Program Files (x86)\Svwxya.exe" Win7
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Drops file in Program Files directory
  - Checks processor information in registry
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
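The following host-triage script is an added example and is not part of the tria.ge report or of the sample; it turns the artifacts recorded above into checks an incident responder can run on a suspect Windows endpoint. The file path, SHA256, registry keys and values, and the parent/child command-line pattern are taken from this report (the Downloads section shows the dropped copies carry the submitted sample's hashes). Assumptions: the script runs elevated (HKU\.DEFAULT and the Sysmon log are not readable otherwise), and Sysmon is installed with its default log name and Event ID 1 fields; if Sysmon is absent, that check is skipped.

```powershell
# Added host-triage example for the FatalRat artifacts in this report (not the report's own code).
# Run as Administrator. Assumes Sysmon with the default log name; that check is skipped if absent.

$SampleSha256 = 'a7c4285218581fc609232793a82c091b1855f120ea4484536140533907fa7a48'
$DroppedPath  = 'C:\Program Files (x86)\Svwxya.exe'

# The sample writes its config under HKU\.DEFAULT (the SYSTEM profile hive), not HKLM\SYSTEM,
# so this key is a marker for the implant's settings rather than a real service registration.
$ConfigKey = 'Registry::HKEY_USERS\.DEFAULT\System\CurrentControlSet\Services\Stuvwx Abcdefgh'
$PolicyKey = 'Registry::HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\System'

$findings = [System.Collections.Generic.List[string]]::new()

# 1. Dropped binary: compare the on-disk copy against the sample's SHA256.
if (Test-Path -LiteralPath $DroppedPath) {
    $hash = (Get-FileHash -LiteralPath $DroppedPath -Algorithm SHA256).Hash.ToLower()
    if ($hash -eq $SampleSha256) {
        $findings.Add("Dropped payload present with known-bad SHA256: $DroppedPath")
    } else {
        # Same path, different hash: could be a rebuilt/repacked variant, so still escalate.
        $findings.Add("Unexpected file at $DroppedPath (SHA256 $hash); inspect manually")
    }
}

# 2. Config marker: Group = "Fatal" and an InstallTime string under the SYSTEM profile hive.
if (Test-Path -LiteralPath $ConfigKey) {
    $props = Get-ItemProperty -LiteralPath $ConfigKey
    $findings.Add("FatalRat config key present: Group='$($props.Group)' InstallTime='$($props.InstallTime)'")
}

# 3. Tamper setting: DisableLockWorkstation = 1 written to the SYSTEM profile's policy key.
if (Test-Path -LiteralPath $PolicyKey) {
    $dlw = (Get-ItemProperty -LiteralPath $PolicyKey -ErrorAction SilentlyContinue).DisableLockWorkstation
    if ($dlw -eq 1) { $findings.Add("DisableLockWorkstation=1 set under HKU\.DEFAULT") }
}

# 4. Sysmon Event ID 1: Svwxya.exe re-launching itself with the "Win7" argument, which in the
#    report is the parent that then writes into the child's memory (WriteProcessMemory).
try {
    $events = Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 1 } -ErrorAction Stop
    foreach ($e in $events) {
        $x = [xml]$e.ToXml()
        $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        if ($d.Image -like '*\Svwxya.exe' -and $d.ParentImage -like '*\Svwxya.exe' -and $d.CommandLine -like '* Win7') {
            $findings.Add("Sysmon: $($d.ParentImage) (PID $($d.ParentProcessId)) spawned $($d.Image) $($d.CommandLine) at $($d.UtcTime)")
        }
    }
} catch {
    # Get-WinEvent throws when the log is missing or has no matching events; neither is a finding.
    Write-Verbose "Sysmon check skipped: $_"
}

if ($findings.Count -eq 0) { 'No FatalRat artifacts from this report found on host.' }
else { $findings | ForEach-Object { "[!] $_" } }
```

The checks are deliberately specific to this run (file name, key name, hash). A repacked build will change the hash and may change the randomised-looking names, so treat a hash mismatch at the same path, or the Sysmon self-spawn pattern alone, as worth escalating rather than as a clean result.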
-
Network
MITRE ATT&CK Enterprise v15
Downloads
Three files are listed; all three carry the same hashes as the submitted sample, i.e. the dropped Svwxya.exe copies are byte-identical to the original.
- Filesize: 1.3MB
- MD5: 9c39f93c41464571c61a9e6ad689b91a
- SHA1: fb2ee625d3b88af6bf5519281250c09da171d438
- SHA256: a7c4285218581fc609232793a82c091b1855f120ea4484536140533907fa7a48
- SHA512: 8611e1f076240b18b70a417acba548c7e5111cd20a1390a596eb30b49faa29d40e12f51acf03fe5e9602fd635ba2feb946574664a3945e0199e2cc91690ff59f