Analysis
max time kernel: 119s
max time network: 123s
platform: windows7_x64
resource: win7-20231023-en
resource tags: arch:x64, arch:x86, image:win7-20231023-en, locale:en-us, os:windows7-x64, system
submitted: 15/11/2023, 01:18
Static task: static1
Behavioral task: behavioral1
  Sample: SecuriteInfo.com.Win32.RATX-gen.5138.exe
  Resource: win7-20231023-en
Behavioral task: behavioral2
  Sample: SecuriteInfo.com.Win32.RATX-gen.5138.exe
  Resource: win10v2004-20231020-en
General
Target: SecuriteInfo.com.Win32.RATX-gen.5138.exe
Size: 782KB
MD5: 9bb7f3b0c32cc58c27054de628206cee
SHA1: 5fd5e46dc9a53b5af49fcac45f52d3ccd60114b4
SHA256: a999fa0b2c139c85ebb6a33cc1785777a333ee9b491ca696d776887f6d0400bc
SHA512: fb21b4e0c1466c16e75b28e716c13b000c3a5a093e1693f73806520522833618904ec5968f3c57a9264159002f34738c78e356eb06aaccd8ba95f047198e500e
SSDEEP: 12288:DSprtFnXkIxN/9PCfsC6jf0ftLoydvr8yj2+/DV+3:6pF0AN/S2fstsyw+
Malware Config
Signatures

Suspicious use of SetThreadContext (1 IoC)
  description                          pid   Process                                   procid_target
  PID 2880 set thread context of 2796  2880  SecuriteInfo.com.Win32.RATX-gen.5138.exe  34

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).

Program crash (1 IoC)
  pid   pid_target  Process       procid_target
  1652  2796        WerFault.exe  34

Creates scheduled task(s) (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  pid   Process
  2812  schtasks.exe

Suspicious behavior: EnumeratesProcesses (14 IoCs)
  pid   Process                                   occurrences
  2880  SecuriteInfo.com.Win32.RATX-gen.5138.exe  12
  2696  powershell.exe                            1
  2796  SecuriteInfo.com.Win32.RATX-gen.5138.exe  1

Suspicious use of AdjustPrivilegeToken (2 IoCs)
  description              pid   Process
  Token: SeDebugPrivilege  2880  SecuriteInfo.com.Win32.RATX-gen.5138.exe
  Token: SeDebugPrivilege  2696  powershell.exe

Suspicious use of WriteProcessMemory (19 IoCs)
  description                       pid   Process                                   procid_target  occurrences
  PID 2880 wrote to memory of 2696  2880  SecuriteInfo.com.Win32.RATX-gen.5138.exe  30             4
  PID 2880 wrote to memory of 2812  2880  SecuriteInfo.com.Win32.RATX-gen.5138.exe  32             4
  PID 2880 wrote to memory of 2796  2880  SecuriteInfo.com.Win32.RATX-gen.5138.exe  34             7
  PID 2796 wrote to memory of 1652  2796  SecuriteInfo.com.Win32.RATX-gen.5138.exe  35             4
Processes

C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.RATX-gen.5138.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.RATX-gen.5138.exe"
  PID: 2880
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\NDcHssmvHjwDQe.exe"
    PID: 2696
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

  C:\Windows\SysWOW64\schtasks.exe
    Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\NDcHssmvHjwDQe" /XML "C:\Users\Admin\AppData\Local\Temp\tmp1D12.tmp"
    PID: 2812
    - Creates scheduled task(s)

  C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.RATX-gen.5138.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.RATX-gen.5138.exe"
    PID: 2796
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2796 -s 36
      PID: 1652
      - Program crash
Network
MITRE ATT&CK Enterprise v15

Downloads
Filesize: 1KB
MD5: a745dffb9b5be5564f34262abd9f14b9
SHA1: 61f1a675d50f75316a35325610813249fdf10199
SHA256: 080fb6ee059631bbade959b8b49d1bd80ddc86186302330af15f930b8b906a85
SHA512: 100fea6d38fb81414c738b1d7dc6604d832dbff8b37916bf2f33c03939eb62f96cb78b7d167cdcefda4ff147266df1902bd36692e918015424769bf5007dfbdc