Analysis
- max time kernel: 134s
- max time network: 149s
- platform: windows7_x64
- resource: win7-20231020-en
- resource tags: arch:x64, arch:x86, image:win7-20231020-en, locale:en-us, os:windows7-x64, system
- submitted: 23/10/2023, 10:38
Static task
- static1
Behavioral task
- behavioral1: sample 9fc8f67f6570c9fc91f29046dd479445759d8536265efa9ca002c3572d6d30f2.exe, resource win7-20231020-en
Behavioral task
- behavioral2: sample 9fc8f67f6570c9fc91f29046dd479445759d8536265efa9ca002c3572d6d30f2.exe, resource win10v2004-20231020-en
General
- Target: 9fc8f67f6570c9fc91f29046dd479445759d8536265efa9ca002c3572d6d30f2.exe
- Size: 9.0MB
- MD5: 2e0cda9fc4ec5825448161d3f6af0906
- SHA1: 8f3b57f7ddf7a00e435f372d9013214c24b45b7f
- SHA256: 9fc8f67f6570c9fc91f29046dd479445759d8536265efa9ca002c3572d6d30f2
- SHA512: 9ded8989748ed83e0abbb30e1ca08870b6c231aaae70749fbdbe558b09d8b2df600f968479a8f73ea26e6b1c6d0ff4cc5b6fc23eb4be856d95e27c42f2eb7d8c
- SSDEEP: 98304:k2/1r91ACJda/Bg3DziUHWumVMPnkqFVwMmJTMNmlFU10dR8NzpKkvz:k2/FYCJcyziUHoWv/FKRJANSFNEpdv
Malware Config
Signatures
FatalRat
FatalRat is a modular infostealer family written in C++, first seen in June 2021.
Gh0st RAT payload 7 IoCs
resource | yara_rule
behavioral1/memory/2844-55-0x0000000002ED0000-0x000000000301D000-memory.dmp | family_gh0strat
behavioral1/memory/2844-54-0x0000000002ED0000-0x000000000301D000-memory.dmp | family_gh0strat
behavioral1/memory/2844-56-0x0000000002ED0000-0x000000000301D000-memory.dmp | family_gh0strat
behavioral1/memory/2600-62-0x0000000010000000-0x0000000010011000-memory.dmp | family_gh0strat
behavioral1/memory/2600-61-0x0000000010000000-0x0000000010011000-memory.dmp | family_gh0strat
behavioral1/memory/2600-65-0x0000000010000000-0x0000000010011000-memory.dmp | family_gh0strat
behavioral1/memory/2844-70-0x0000000002ED0000-0x000000000301D000-memory.dmp | family_gh0strat

Fatal Rat payload 1 IoCs
resource | yara_rule
behavioral1/memory/2844-45-0x00000000004D0000-0x00000000004F9000-memory.dmp | fatalrat

Executes dropped EXE 4 IoCs
pid | Process
2128 | unzip.exe
2844 | erp.exe
2600 | SkyOption.exe
3004 | erp.exe

Loads dropped DLL 7 IoCs
pid | Process
2792 | cmd.exe
2792 | cmd.exe
2508 | 9fc8f67f6570c9fc91f29046dd479445759d8536265efa9ca002c3572d6d30f2.exe
2844 | erp.exe
2508 | 9fc8f67f6570c9fc91f29046dd479445759d8536265efa9ca002c3572d6d30f2.exe
2600 | SkyOption.exe
3004 | erp.exe

UPX (yara rule upx) 9 IoCs
resource | yara_rule
behavioral1/memory/2844-55-0x0000000002ED0000-0x000000000301D000-memory.dmp | upx
behavioral1/memory/2844-54-0x0000000002ED0000-0x000000000301D000-memory.dmp | upx
behavioral1/memory/2844-51-0x0000000002ED0000-0x000000000301D000-memory.dmp | upx
behavioral1/memory/2844-56-0x0000000002ED0000-0x000000000301D000-memory.dmp | upx
behavioral1/memory/2600-62-0x0000000010000000-0x0000000010011000-memory.dmp | upx
behavioral1/memory/2600-61-0x0000000010000000-0x0000000010011000-memory.dmp | upx
behavioral1/memory/2600-58-0x0000000010000000-0x0000000010011000-memory.dmp | upx
behavioral1/memory/2600-65-0x0000000010000000-0x0000000010011000-memory.dmp | upx
behavioral1/memory/2844-70-0x0000000002ED0000-0x000000000301D000-memory.dmp | upx
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | erp.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | erp.exe
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid | Process | entries
2508 | 9fc8f67f6570c9fc91f29046dd479445759d8536265efa9ca002c3572d6d30f2.exe | 1
2844 | erp.exe | 51
2600 | SkyOption.exe | 12

Suspicious use of AdjustPrivilegeToken 1 IoCs
description | pid | Process
Token: SeDebugPrivilege | 2844 | erp.exe

Suspicious use of SetWindowsHookEx 2 IoCs
pid | Process
2508 | 9fc8f67f6570c9fc91f29046dd479445759d8536265efa9ca002c3572d6d30f2.exe
2600 | SkyOption.exe

Suspicious use of WriteProcessMemory 20 IoCs
description | pid | Process | procid_target (report-internal process index, not a Windows PID)
PID 2508 wrote to memory of 2792 | 2508 | 9fc8f67f6570c9fc91f29046dd479445759d8536265efa9ca002c3572d6d30f2.exe | 28 (4 entries)
PID 2792 wrote to memory of 2128 | 2792 | cmd.exe | 30 (4 entries)
PID 2508 wrote to memory of 2844 | 2508 | 9fc8f67f6570c9fc91f29046dd479445759d8536265efa9ca002c3572d6d30f2.exe | 31 (4 entries)
PID 2508 wrote to memory of 2600 | 2508 | 9fc8f67f6570c9fc91f29046dd479445759d8536265efa9ca002c3572d6d30f2.exe | 32 (4 entries)
PID 2844 wrote to memory of 3004 | 2844 | erp.exe | 33 (4 entries)
Every entry above is a parent writing into a child it has just created (compare the process tree below), which is the normal pattern of process creation. On its own this signature is therefore not evidence of injection into an unrelated process; the stronger indicators in this report are the family YARA hits in memory, the SeDebugPrivilege request and the processor-information check, all attributed to erp.exe (PID 2844).
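The three YARA tables above are easier to reason about once the memory-dump names are parsed. The following Python is an added example for this report, not code from tria.ge or from the sample: it splits each resource name into process ID, dump sequence number and address range, then groups the hits by process and region. That exposes what the flat tables hide: the family_gh0strat and upx rules fired on exactly the same two regions, and the fatalrat hit is a separate, smaller region in erp.exe. The resource-name pattern <task>/memory/<pid>-<seq>-<start>-<end>-memory.dmp is inferred from the names on this page and is an assumption about the report format.

```python
"""Parse Hatching Triage memory-dump YARA hits and group them by process and address range.

Added example for this report, not code from tria.ge or from the sample. The (resource, rule)
pairs are copied from the Gh0st RAT, Fatal Rat and upx tables above; the resource-name pattern
is inferred from those names and is an assumption about the report format.
"""
import re
from collections import defaultdict

# Assumed format: <task>/memory/<pid>-<seq>-<start>-<end>-memory.dmp
DUMP_RE = re.compile(
    r"^(?P<task>[^/]+)/memory/(?P<pid>\d+)-(?P<seq>\d+)-"
    r"0x(?P<start>[0-9A-Fa-f]+)-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp$"
)

# Hits copied from this report's Signatures section.
HITS = [
    ("behavioral1/memory/2844-55-0x0000000002ED0000-0x000000000301D000-memory.dmp", "family_gh0strat"),
    ("behavioral1/memory/2844-54-0x0000000002ED0000-0x000000000301D000-memory.dmp", "family_gh0strat"),
    ("behavioral1/memory/2844-56-0x0000000002ED0000-0x000000000301D000-memory.dmp", "family_gh0strat"),
    ("behavioral1/memory/2600-62-0x0000000010000000-0x0000000010011000-memory.dmp", "family_gh0strat"),
    ("behavioral1/memory/2600-61-0x0000000010000000-0x0000000010011000-memory.dmp", "family_gh0strat"),
    ("behavioral1/memory/2600-65-0x0000000010000000-0x0000000010011000-memory.dmp", "family_gh0strat"),
    ("behavioral1/memory/2844-70-0x0000000002ED0000-0x000000000301D000-memory.dmp", "family_gh0strat"),
    ("behavioral1/memory/2844-45-0x00000000004D0000-0x00000000004F9000-memory.dmp", "fatalrat"),
    ("behavioral1/memory/2844-55-0x0000000002ED0000-0x000000000301D000-memory.dmp", "upx"),
    ("behavioral1/memory/2844-54-0x0000000002ED0000-0x000000000301D000-memory.dmp", "upx"),
    ("behavioral1/memory/2844-51-0x0000000002ED0000-0x000000000301D000-memory.dmp", "upx"),
    ("behavioral1/memory/2844-56-0x0000000002ED0000-0x000000000301D000-memory.dmp", "upx"),
    ("behavioral1/memory/2600-62-0x0000000010000000-0x0000000010011000-memory.dmp", "upx"),
    ("behavioral1/memory/2600-61-0x0000000010000000-0x0000000010011000-memory.dmp", "upx"),
    ("behavioral1/memory/2600-58-0x0000000010000000-0x0000000010011000-memory.dmp", "upx"),
    ("behavioral1/memory/2600-65-0x0000000010000000-0x0000000010011000-memory.dmp", "upx"),
    ("behavioral1/memory/2844-70-0x0000000002ED0000-0x000000000301D000-memory.dmp", "upx"),
]


def parse_hit(resource, rule):
    """Split one resource name into fields; addresses become ints so region sizes can be computed."""
    m = DUMP_RE.match(resource)
    if m is None:
        raise ValueError(f"unrecognised memory resource name: {resource}")
    start, end = int(m["start"], 16), int(m["end"], 16)
    if end <= start:
        raise ValueError(f"inverted address range in {resource}")
    return {"task": m["task"], "pid": int(m["pid"]), "seq": int(m["seq"]),
            "start": start, "end": end, "size": end - start, "rule": rule}


def summarize(hits):
    """Group hits by (pid, start, end). Each region keeps its size, the set of rules that matched
    it and the set of dump sequence numbers (the sandbox dumped some ranges several times)."""
    regions = defaultdict(lambda: {"size": 0, "rules": set(), "dumps": set()})
    for resource, rule in hits:
        h = parse_hit(resource, rule)
        region = regions[(h["pid"], h["start"], h["end"])]
        region["size"] = h["size"]
        region["rules"].add(h["rule"])
        region["dumps"].add(h["seq"])
    return dict(regions)


def rules_sharing_region(summary):
    """Regions matched by more than one rule (here: a packer rule and a family rule on one range)."""
    return {key: sorted(r["rules"]) for key, r in summary.items() if len(r["rules"]) > 1}


def report(summary):
    """One line per region, sorted by pid then start address."""
    lines = []
    for (pid, start, end), r in sorted(summary.items()):
        lines.append(f"pid {pid} 0x{start:08X}-0x{end:08X} ({r['size']:,} bytes, "
                     f"{len(r['dumps'])} dumps): {', '.join(sorted(r['rules']))}")
    return lines


if __name__ == "__main__":
    print("\n".join(report(summarize(HITS))))
```

Run stand-alone, it collapses the 17 rows into three regions: 0x02ED0000-0x0301D000 in erp.exe (PID 2844, about 1.3 MB, five dumps, family_gh0strat and upx), 0x10000000-0x10011000 in SkyOption.exe (PID 2600, 68 KB, four dumps, family_gh0strat and upx) and 0x004D0000-0x004F9000 in erp.exe (PID 2844, 164 KB, one dump, fatalrat). 0x10000000 is the linker's default image base for a DLL, which is consistent with the Loads dropped DLL signature on PID 2600. A upx match on an in-memory dump only says that UPX section names or stub bytes are still present in the mapped image; it does not tell you whether that dump is the unpacked code, so verify the dumped range directly before treating it as the unpacked payload.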
Processes (nested by parent; 1/2/3 is the depth in the tree)
1. C:\Users\Admin\AppData\Local\Temp\9fc8f67f6570c9fc91f29046dd479445759d8536265efa9ca002c3572d6d30f2.exe (PID 2508)
   Command line: "C:\Users\Admin\AppData\Local\Temp\9fc8f67f6570c9fc91f29046dd479445759d8536265efa9ca002c3572d6d30f2.exe"
   - Loads dropped DLL
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\SysWOW64\cmd.exe (PID 2792)
      Command line: "C:\Windows\System32\cmd.exe" /C C:\Recovery\unzip.exe -o C:\Recovery\2333.zip -d C:\Recovery
      - Loads dropped DLL
      - Suspicious use of WriteProcessMemory
      3. C:\Recovery\unzip.exe (PID 2128)
         Command line: C:\Recovery\unzip.exe -o C:\Recovery\2333.zip -d C:\Recovery
         - Executes dropped EXE
   2. C:\Recovery\erp.exe (PID 2844)
      Command line: "C:\Recovery\erp.exe"
      - Executes dropped EXE
      - Loads dropped DLL
      - Checks processor information in registry
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      3. C:\Recovery\erp.exe (PID 3004)
         Command line: C:\Recovery\erp.exe --type=crashpad-handler /prefetch:7 --no-rate-limit --database=C:\Users\Admin\AppData\Local\Crashpad --annotation=channel= --annotation=plat=Win32 --annotation=prod=书生ERP --annotation=ver=-devel --handshake-handle=0xe0
         - Executes dropped EXE
         - Loads dropped DLL
   2. C:\Recovery\SkyOption.exe (PID 2600)
      Command line: "C:\Recovery\SkyOption.exe"
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of SetWindowsHookEx
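The process tree above is the chain a detection engineer would want to encode: a sample in the user's Temp directory runs cmd.exe to unpack a dropped archive with a dropped unzip.exe into C:\Recovery, then launches two executables from that directory, one of which queries the CPU's ~MHz value. The following Python is an added example, not code from tria.ge or from the sample. It rebuilds the tree and applies four checks to constructed process-creation and registry-query events modelled on this report. PIDs, image paths, command lines and the registry key are taken from the report; the record layout (loosely modelled on Sysmon process-create and registry-query events), the rule names, the tool list and the parent PID of the initial sample (not in the report, so None) are my assumptions.

```python
"""Detection checks for the execution chain in this report, run over constructed events.

Added example for this report, not code from tria.ge or from the sample. The EVENTS list is
constructed by hand from the process tree and registry IoC above: PIDs, images, command lines
and the registry key are the report's; the field layout, rule names, ARCHIVE_TOOLS list and
the parent of the initial sample (unknown, so None) are assumptions.
"""
import ntpath
import re
from collections import defaultdict

SAMPLE = "9fc8f67f6570c9fc91f29046dd479445759d8536265efa9ca002c3572d6d30f2.exe"
TEMP = r"C:\Users\Admin\AppData\Local\Temp"
UNZIP_CMD = r"C:\Recovery\unzip.exe -o C:\Recovery\2333.zip -d C:\Recovery"
CRASHPAD_CMD = (r"C:\Recovery\erp.exe --type=crashpad-handler /prefetch:7 --no-rate-limit "
                r"--database=C:\Users\Admin\AppData\Local\Crashpad --annotation=channel= "
                r"--annotation=plat=Win32 --annotation=prod=书生ERP --annotation=ver=-devel "
                r"--handshake-handle=0xe0")

EVENTS = [  # constructed from the report's process tree and registry IoC
    {"type": "process", "pid": 2508, "ppid": None, "image": ntpath.join(TEMP, SAMPLE),
     "cmdline": f'"{ntpath.join(TEMP, SAMPLE)}"'},
    {"type": "process", "pid": 2792, "ppid": 2508, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": r'"C:\Windows\System32\cmd.exe" /C ' + UNZIP_CMD},
    {"type": "process", "pid": 2128, "ppid": 2792, "image": r"C:\Recovery\unzip.exe", "cmdline": UNZIP_CMD},
    {"type": "process", "pid": 2844, "ppid": 2508, "image": r"C:\Recovery\erp.exe", "cmdline": r'"C:\Recovery\erp.exe"'},
    {"type": "process", "pid": 3004, "ppid": 2844, "image": r"C:\Recovery\erp.exe", "cmdline": CRASHPAD_CMD},
    {"type": "process", "pid": 2600, "ppid": 2508, "image": r"C:\Recovery\SkyOption.exe",
     "cmdline": r'"C:\Recovery\SkyOption.exe"'},
    {"type": "registry", "pid": 2844, "image": r"C:\Recovery\erp.exe",
     "key": r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz"},
]

SYSTEM_DIRS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")
RECOVERY_DIR = "c:\\recovery\\"  # hidden Windows RE directory, not an application directory
USER_TEMP_RE = re.compile(r"^c:\\users\\[^\\]+\\appdata\\local\\temp\\", re.I)
ARCHIVE_TOOLS = {"unzip.exe", "7z.exe", "7za.exe", "rar.exe", "unrar.exe"}  # assumed list
CPU_FINGERPRINT_KEY = "\\registry\\machine\\hardware\\description\\system\\centralprocessor\\0\\~mhz"


def in_system_dir(image):
    return image.lower().startswith(SYSTEM_DIRS)


def detect(events):
    """Return (rule, pid) findings for the four checks."""
    procs = {e["pid"]: e for e in events if e["type"] == "process"}
    findings = []
    for e in events:
        pid, image = e["pid"], e["image"].lower()
        if e["type"] == "process":
            # 1. Anything executing out of C:\Recovery is anomalous on a workstation.
            if image.startswith(RECOVERY_DIR):
                findings.append(("image_in_recovery", pid))
            # 2. An archive extractor outside system/program directories is a dropped tool.
            if ntpath.basename(image) in ARCHIVE_TOOLS and not in_system_dir(image):
                findings.append(("dropped_archive_tool", pid))
            # 3. A binary in a user Temp directory spawning non-system children is the dropper
            #    shape; cmd.exe (a system binary) is deliberately not flagged by this rule.
            parent = procs.get(e["ppid"])
            if parent and USER_TEMP_RE.match(parent["image"]) and not in_system_dir(image):
                findings.append(("temp_dropper_spawns", pid))
        elif e["type"] == "registry":
            # 4. Reading the CPU ~MHz value is the sandbox-fingerprinting check the report flags.
            if e["key"].lower() == CPU_FINGERPRINT_KEY:
                findings.append(("cpu_fingerprint", pid))
    return findings


def by_rule(findings):
    """Collapse findings to {rule: sorted unique pids}."""
    grouped = defaultdict(set)
    for rule, pid in findings:
        grouped[rule].add(pid)
    return {rule: sorted(pids) for rule, pids in grouped.items()}


def render_tree(events, root=None, depth=0):
    """Indented 'pid image' lines for the process tree; children ordered by pid."""
    lines = []
    for e in sorted((e for e in events if e["type"] == "process"), key=lambda e: e["pid"]):
        if e["ppid"] == root:
            lines.append("  " * depth + f"{e['pid']} {ntpath.basename(e['image'])}")
            lines.extend(render_tree(events, e["pid"], depth + 1))
    return lines


if __name__ == "__main__":
    print("\n".join(render_tree(EVENTS)))
    for rule, pids in sorted(by_rule(detect(EVENTS)).items()):
        print(f"{rule}: {pids}")
```

Two details in the tree matter when turning this into a production rule. The cmd.exe command line names C:\Windows\System32\cmd.exe while the image actually loaded is C:\Windows\SysWOW64\cmd.exe: that is WOW64 file-system redirection for a 32-bit parent (matching the arch:x86 tag), so match on the image path the OS recorded, not on the command line. The second erp.exe (PID 3004) is a --type=crashpad-handler child, the Crashpad crash-reporting helper used by Chromium-based (CEF, Electron) applications; its presence is expected once erp.exe runs, and all of the suspicious behaviour (processor-information check, SeDebugPrivilege, WriteProcessMemory) is attributed to the parent erp.exe (PID 2844), which is why the checks above key on image location and behaviour rather than on the process name.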
Network
MITRE ATT&CK Enterprise v15
Downloads (20 entries in the report, 9 unique files by hash; each listed once with the number of entries sharing that hash)
- Filesize: 4.1MB (1 entry)
  MD5: 39bb4b089b694ef6e8d5edef8b75633d
  SHA1: a22cdaa80df1fbaac3f100fa380fc6155475013e
  SHA256: e7eda820015554e7e39ab960235cb54796db56a0e99aa6d3f1f2cafe3f91caa2
  SHA512: 0022e18ca14d930974a2c8133cf37dabda5a5802da095f0c81ea406a5a2e87e8287a0d209d9858765792f5ed8cf478bb73247c4c8e3938c9f76983d4c02af835
- Filesize: 489KB (3 entries)
  MD5: ab88fd36465c5d8da1996c1da1821038
  SHA1: 16d04d389c40d2c6e5ee11faf8349ae372c99d28
  SHA256: 02de1d7e7ec382496ede996f52c00e75cf1ba28853eabd53a8e923a98610ffeb
  SHA512: d8647ba272a8494a1993786ddfc72dff4f814827cd482785ae582082c266c52e4f7d8552b151fe61cd1851c3167a7d85c22094e944ce78175c641c9447c08d04
- Filesize: 4.0MB (2 entries)
  MD5: f48b35beada236353fd804618191b247
  SHA1: 61b554295d407e3f75462eac0022931291a56a7c
  SHA256: 500a703a09d85f8e2426dbc56d66897fad125f9c4da0455cf52343a895602ebd
  SHA512: 1bcc893d0aa1b345075ee0c765b4bf2a190400f2ccf3b66bd442384e0e54494fe98a7e8ac7a8cff56dc44269c47e5b2162cff1513ec571546ba8a65807d7951e
- Filesize: 1.0MB (4 entries)
  MD5: a182097a3169f5924c29d107c0b4b5a4
  SHA1: 8c5e7ff7a8b62de893a3cb6dad3fc028435ead92
  SHA256: a60a8592d45f56d9c2ec2039089b55b371dda0797e4fbb57038d40e8c8530e01
  SHA512: 0f57bac990a446d17c468cd4cf9604c5eec4e40c599afd64451a6718417174f7f06de717412863c0f44f2f692a0557857a8799f3f4c700016db2a406f1d6a50d
- Filesize: 390KB (1 entry)
  MD5: 2d16c5c935ab997def2273ca9a3f0ca4
  SHA1: 5303c3afd35674e0c90b4c18daa81de1a318dfa1
  SHA256: 637ec1d424214afa4d45fd4ddc30122a38ffca736e3b940420042ca9fd6a718d
  SHA512: 87ef78bfd721380bb14407e61b6d7a3cf9a5c5191ddc4fa054a51107088c3ccac4289fd19f65cd1b49a06d8cbc5b29c35dc5e64d067991cf795ec085a2219726
- Filesize: 3KB (1 entry)
  MD5: 09557e3d1848c43483f8cfb397b365fa
  SHA1: 64d329633154809ab79e37f7395e9e8153d4e2a6
  SHA256: 61f574d6739679dced9e704d24766d73800504da5b44694ae3196e4db556dbbf
  SHA512: ee82c23f40932ed4f02b1022a608ca946c6d4ed93e72da53d15a7966854d4f69df29bbbfd4cff8d6d2ea645aa85a9dad335b4baf9622dab1550cba25f232fcd9
- Filesize: 4.0MB (3 entries)
  MD5: d4895d2e0fa6c401591f9d67ee21c389
  SHA1: 7d592032b3aaa437184c817b9649d303d1498fd1
  SHA256: e2ed5aa2f57a33e9f42e2c25e30029c20bbfbd753e4ff7b43a3ee0ba4ddf5c85
  SHA512: 71154b7c432408a9e87c908a6f58dd9de94ef97241cf1000282671c1f866b08c5d7753aff997cdb798489aa11630aa0b87e873cc2471d62e8cef491ae33ee67c
- Filesize: 161KB (4 entries)
  MD5: fecf803f7d84d4cfa81277298574d6e6
  SHA1: 0fd9a61bf9a361f87661de295e70a9c6795fe6a1
  SHA256: 81046f943d26501561612a629d8be95af254bc161011ba8a62d25c34c16d6d2a
  SHA512: a4e2e2dfc98a874f7ec8318c40500b0e481fa4476d75d559f2895ce29fbe793a889fb2390220a25ab919deac477ada0c904b30f002324529285bda94292b48a4
- Filesize: 40B (1 entry)
  MD5: 82344e788e74efec925ee2edd5fb64df
  SHA1: 54fa3766eb8e636b289efd1addfa5d21d7132216
  SHA256: afe404a0971516a2f9cae92b896c5b54385c99b6343a057d302004041a665fc7
  SHA512: 7f72c7afa25f8d1be33a6ec88065eb0129c917ff21a83ecf4be41ca2f7daf3a18110a7388d49b3f4f2e3eaf2335ce83e2d69d7a8371ef0d35212ca20e194702d