Overview

Triage score per tab (10 = most malicious). Target names are shown truncated exactly as on the original page:

  Tab / target               Platform             Score
  Overview                   -                    10
  Static                     -                    10
  Rekt/Rekt/...LS.rtf        windows7-x64         4
  Rekt/Rekt/...LS.rtf        windows10-2004-x64   1
  Rekt/Rekt/...ol.exe        windows7-x64         3
  Rekt/Rekt/...ol.exe        windows10-2004-x64   3
  Rekt/Rekt/...33.exe        windows7-x64         10
  Rekt/Rekt/...33.exe        windows10-2004-x64   10
  Rekt/Rekt/JRPC.dll         windows7-x64         3
  Rekt/Rekt/JRPC.dll         windows10-2004-x64   3
  Rekt/Rekt/...rk.dll        windows7-x64         1
  Rekt/Rekt/...rk.dll        windows10-2004-x64   1
  Rekt/Rekt/Nipples.dll      windows7-x64         3
  Rekt/Rekt/Nipples.dll      windows10-2004-x64   3
  Rekt/Rekt/...ss.exe        windows7-x64         10
  Rekt/Rekt/...ss.exe        windows10-2004-x64   10
  Rekt/Rekt/xdevkit.dll      windows7-x64         1
  Rekt/Rekt/xdevkit.dll      windows10-2004-x64   1

JRPC.dll and xdevkit.dll are Xbox 360 development-kit libraries, so the submitted archive looks like a console-modding tool bundle. The analysis below is the windows10-2004-x64 run of one of its executables, Rekt/Rekt/UpdaterBypass.exe, from which a NanoCore configuration was extracted.

Analysis
- max time kernel: 144s
- max time network: 139s
- platform: windows10-2004_x64
- resource: win10v2004-20240802-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 21/09/2024, 23:55
Behavioral tasks (sample, sandbox resource)
- behavioral1:  Rekt/Rekt/#REKTEDTOOLS.rtf                win7-20240903-en
- behavioral2:  Rekt/Rekt/#REKTEDTOOLS.rtf                win10v2004-20240802-en
- behavioral3:  Rekt/Rekt/#RektedToolsMultiGameTool.exe   win7-20240708-en
- behavioral4:  Rekt/Rekt/#RektedToolsMultiGameTool.exe   win10v2004-20240802-en
- behavioral5:  Rekt/Rekt/33333333333.exe                 win7-20240903-en
- behavioral6:  Rekt/Rekt/33333333333.exe                 win10v2004-20240802-en
- behavioral7:  Rekt/Rekt/JRPC.dll                        win7-20240903-en
- behavioral8:  Rekt/Rekt/JRPC.dll                        win10v2004-20240802-en
- behavioral9:  Rekt/Rekt/MetroFramework.dll              win7-20240903-en
- behavioral10: Rekt/Rekt/MetroFramework.dll              win10v2004-20240802-en
- behavioral11: Rekt/Rekt/Nipples.dll                     win7-20240903-en
- behavioral12: Rekt/Rekt/Nipples.dll                     win10v2004-20240802-en
- behavioral13: Rekt/Rekt/UpdaterBypass.exe               win7-20240708-en
- behavioral14: Rekt/Rekt/UpdaterBypass.exe               win10v2004-20240802-en
- behavioral15: Rekt/Rekt/xdevkit.dll                     win7-20240903-en
- behavioral16: Rekt/Rekt/xdevkit.dll                     win10v2004-20240802-en

The target, platform and resource of this page match behavioral14 (UpdaterBypass.exe on win10v2004-20240802-en); the signatures and process tree below are from that run.
General
- Target: Rekt/Rekt/UpdaterBypass.exe
- Size: 272KB
- MD5: 466b0d1009bfef71e27740092bc4c286
- SHA1: 66754e3aaf8128a790f9ddebf9f6830fc0db24cd
- SHA256: 0af94596f1f3bfb0b3b1d61bf7bedf28347254e5e5e1e8a07110f26e07f8b3cc
- SHA512: 86ec2fe6ac85a83572753ddb0ed93bdfe1e81b3c955476b3e9a54345b1cc3ab1c3f86f18a61cc7e6ecb8774e07b69f7dcf754afb5e8e23ad17409cde529258d2
- SSDEEP: 6144:iMhANGQqRGT1HPRPAeZID3ziZSzlGYnC939:hhANyg1HdAeZIviZSzlG6
Malware Config

Extracted family: nanocore, version 1.2.2.0
C2: XeKush32.chickenkiller.com:63072 (primary), 127.0.0.1:63072 (backup)
Mutex: 9a386a9b-a46f-49c4-91d6-d82c1b252ecb

- activate_away_mode: true
- backup_connection_host: 127.0.0.1
- backup_dns_server: 8.8.4.4
- buffer_size: 65535
- build_time: 2015-04-05T08:02:20.893902836Z
- bypass_user_account_control: true
- bypass_user_account_control_data: (empty)
- clear_access_control: true
- clear_zone_identifier: false
- connect_delay: 4000
- connection_port: 63072
- default_group: Default
- enable_debug_mode: true
- gc_threshold: 1.048576e+07 (10485760 bytes, i.e. 10 MiB)
- keep_alive_timeout: 30000
- keyboard_logging: false
- lan_timeout: 2500
- max_packet_size: 1.048576e+07 (10485760 bytes, i.e. 10 MiB)
- mutex: 9a386a9b-a46f-49c4-91d6-d82c1b252ecb
- mutex_timeout: 5000
- prevent_system_sleep: false
- primary_connection_host: XeKush32.chickenkiller.com
- primary_dns_server: 8.8.8.8
- request_elevation: true
- restart_delay: 5000
- run_delay: 0
- run_on_startup: true
- set_critical_process: true
- timeout_interval: 5000
- use_custom_dns_server: false
- version: 1.2.2.0
- wan_timeout: 8000

Notes for hunting and response:
- The only usable C2 is the dynamic-DNS host XeKush32.chickenkiller.com on TCP 63072; the backup host is loopback, i.e. effectively unset. use_custom_dns_server is false, so the 8.8.8.8 / 8.8.4.4 entries are not used for resolution and the lookup goes through the system resolver.
- The mutex GUID is a per-build value and a reliable host-level indicator.
- set_critical_process is true: if the implant succeeds in marking itself critical, terminating it bugchecks the host, so suspend the process or clear the flag before killing it. bypass_user_account_control and request_elevation are also set, which matches the EnableLUA query in the signatures below.
- Delay and timeout values are in milliseconds (connect_delay 4 s, restart_delay 5 s, keep_alive_timeout 30 s). Version 1.2.2.0 with a 2015 build time is the long-leaked NanoCore build.
Signatures

- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  Key value queried by UpdaterBypass.exe: \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation

- Checks whether UAC is enabled (1 IoC)
  Key value queried by UpdaterBypass.exe: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA

- Suspicious use of SetThreadContext (1 IoC)
  PID 2272 UpdaterBypass.exe set thread context of 4632 (procid_target 92)

- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).

- System Location Discovery: System Language Discovery (1 TTP, 6 IoCs)
  Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language by UpdaterBypass.exe (x2), cmd.exe, PING.EXE, csc.exe (x2)

- System Network Configuration Discovery: Internet Connection Discovery (1 TTP, 2 IoCs)
  Adversaries may check for Internet connectivity on compromised systems.
  PID 4544 cmd.exe, PID 3364 PING.EXE

- Runs ping.exe (1 TTP, 1 IoC)
  PID 3364 PING.EXE

- Suspicious behavior: EnumeratesProcesses (3 IoCs)
  PID 4632 UpdaterBypass.exe (x3)

- Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  PID 4632 UpdaterBypass.exe

- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Token SeDebugPrivilege: PID 2272 UpdaterBypass.exe
  Token SeDebugPrivilege: PID 4632 UpdaterBypass.exe

- Suspicious use of WriteProcessMemory (20 IoCs, grouped by source -> target)
  PID 2272 UpdaterBypass.exe wrote to memory of 4544 cmd.exe (procid_target 86): 3 rows
  PID 4544 cmd.exe wrote to memory of 3364 PING.EXE (procid_target 88): 3 rows
  PID 2272 UpdaterBypass.exe wrote to memory of 4632 UpdaterBypass.exe (procid_target 92): 8 rows
  PID 2272 UpdaterBypass.exe wrote to memory of 1488 csc.exe (procid_target 93): 3 rows
  PID 2272 UpdaterBypass.exe wrote to memory of 3272 csc.exe (procid_target 95): 3 rows
  The three rows per ordinary child (cmd.exe, PING.EXE, both csc.exe) are what process creation alone produces in this sandbox; the eight writes into the second UpdaterBypass.exe, paired with the SetThreadContext above, are the injection.
Processes

- C:\Users\Admin\AppData\Local\Temp\Rekt\Rekt\UpdaterBypass.exe (PID 2272)
  command line: "C:\Users\Admin\AppData\Local\Temp\Rekt\Rekt\UpdaterBypass.exe"
  - Checks computer location settings
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe (PID 4544)
    command line: "C:\Windows\System32\cmd.exe" /c PING 127.0.0.1 -n 10 > nul
    - System Location Discovery: System Language Discovery
    - System Network Configuration Discovery: Internet Connection Discovery
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\PING.EXE (PID 3364)
      command line: PING 127.0.0.1 -n 10
      - System Location Discovery: System Language Discovery
      - System Network Configuration Discovery: Internet Connection Discovery
      - Runs ping.exe
  - C:\Users\Admin\AppData\Local\Temp\Rekt\Rekt\UpdaterBypass.exe (PID 4632)
    command line: "C:\Users\Admin\AppData\Local\Temp\Rekt\Rekt\UpdaterBypass.exe"
    - Checks whether UAC is enabled
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe (PID 1488)
    command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\y7ezfuvs.cmdline"
    - System Location Discovery: System Language Discovery
  - C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe (PID 3272)
    command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\zrnjsebg.cmdline"
    - System Location Discovery: System Language Discovery

Reading the tree: PID 2272 is the on-disk loader. It spawns a second copy of itself (PID 4632), writes into it eight times and resets its thread context, after which the child, not the parent, shows the process-enumeration, foreground-window and EnableLUA activity. A parent writing into a freshly spawned child of its own image and then calling SetThreadContext is the RunPE / process-hollowing shape, and it is consistent with the NanoCore configuration above belonging to the payload that PID 2272 unpacks rather than to the file as it sits on disk. The cmd.exe /c PING 127.0.0.1 -n 10 > nul child is a common dropper sleep idiom (about nine seconds); Triage tags it as Internet Connection Discovery, but the target is loopback, so do not read it as a connectivity check. The two csc.exe runs with @*.cmdline response files under the loader's Temp directory show the .NET 2.0 CodeDOM compiler being driven at runtime; csc.exe spawned by anything other than a build tool is a strong hunting pivot. Finally, cmd.exe's image lives in SysWOW64 while its command line names System32, and csc.exe comes from Framework rather than Framework64: the loader is a 32-bit process running under WOW64, which matches the arch:x86 resource tag.
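As an added hunting example (not part of the Triage report and not Triage's own tooling), the following Python rebuilds the loader chain described above from the signature rows and the process tree: it finds the same-image parent-to-child WriteProcessMemory plus SetThreadContext pair, the ping-based sleep, the runtime csc.exe compilation, and the 32-bit (SysWOW64) processes. The process tuples and signature rows are transcribed from this report; the tuple layout, the function names and the build-tool allowlist are assumptions of the example, not Triage output fields.

```python
"""Rebuild the NanoCore loader chain from the signature rows and process tree of
this report. Process tuples and signature rows are transcribed from the report;
the tuple layout, function names and BUILD_TOOLS allowlist are this example's
own assumptions, not Triage output fields."""
import re
from collections import Counter, defaultdict

LOADER = r"C:\Users\Admin\AppData\Local\Temp\Rekt\Rekt\UpdaterBypass.exe"
CSC = r"C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe"

# (pid, parent_pid, image_path, command_line), transcribed from the Processes section.
PROCESSES = [
    (2272, None, LOADER, f'"{LOADER}"'),
    (4544, 2272, r"C:\Windows\SysWOW64\cmd.exe",
     r'"C:\Windows\System32\cmd.exe" /c PING 127.0.0.1 -n 10 > nul'),
    (3364, 4544, r"C:\Windows\SysWOW64\PING.EXE", "PING 127.0.0.1 -n 10"),
    (4632, 2272, LOADER, f'"{LOADER}"'),
    (1488, 2272, CSC, rf'"{CSC}" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\y7ezfuvs.cmdline"'),
    (3272, 2272, CSC, rf'"{CSC}" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\zrnjsebg.cmdline"'),
]

# "description" cells of the SetThreadContext / WriteProcessMemory tables, with the
# row multiplicities the report shows (3 + 3 + 8 + 3 + 3 = 20 WriteProcessMemory rows).
SIGNATURE_ROWS = (
    ["PID 2272 set thread context of 4632"]
    + ["PID 2272 wrote to memory of 4544"] * 3
    + ["PID 4544 wrote to memory of 3364"] * 3
    + ["PID 2272 wrote to memory of 4632"] * 8
    + ["PID 2272 wrote to memory of 1488"] * 3
    + ["PID 2272 wrote to memory of 3272"] * 3
)

EVENT_RE = re.compile(r"PID (\d+) (set thread context of|wrote to memory of) (\d+)")


def parse_events(rows):
    """Map (source_pid, target_pid) -> Counter of cross-process actions."""
    edges = defaultdict(Counter)
    for row in rows:
        m = EVENT_RE.search(row)
        if m:
            edges[(int(m.group(1)), int(m.group(3)))][m.group(2)] += 1
    return edges


def find_hollowing_candidates(processes, edges):
    """A parent that spawns a child from its own image, writes into it and then
    resets a thread context is the RunPE / process-hollowing shape."""
    by_pid = {p[0]: p for p in processes}
    hits = []
    for (src, dst), actions in edges.items():
        if src not in by_pid or dst not in by_pid:
            continue
        parent, child = by_pid[src], by_pid[dst]
        if (child[1] == src and child[2].lower() == parent[2].lower()
                and actions["wrote to memory of"] and actions["set thread context of"]):
            hits.append((src, dst, child[2]))
    return hits


PING_SLEEP_RE = re.compile(r"ping\s+127\.0\.0\.1\s+-n\s+(\d+)", re.IGNORECASE)


def find_ping_sleep(processes):
    """cmd /c PING 127.0.0.1 -n N is a poor man's Sleep: loopback answers at once and
    ping waits about one second between requests, so N requests take roughly N-1 s.
    Returns (pid, N, approximate_seconds) for each cmd.exe wrapper."""
    hits = []
    for pid, _, image, cmdline in processes:
        m = PING_SLEEP_RE.search(cmdline)
        if m and image.lower().endswith("\\cmd.exe"):
            n = int(m.group(1))
            hits.append((pid, n, n - 1))
    return hits


# Hypothetical allowlist of parents for which spawning csc.exe is expected.
BUILD_TOOLS = {"msbuild.exe", "devenv.exe", "dotnet.exe", "vbcscompiler.exe"}


def find_runtime_compilation(processes):
    """csc.exe launched by a non-build-tool parent means the .NET CodeDOM compiler
    is being driven at runtime, a common .NET-loader trick."""
    by_pid = {p[0]: p for p in processes}
    hits = []
    for pid, ppid, image, _ in processes:
        if image.lower().endswith("\\csc.exe") and ppid in by_pid:
            parent_name = by_pid[ppid][2].rsplit("\\", 1)[-1].lower()
            if parent_name not in BUILD_TOOLS:
                hits.append((pid, ppid, parent_name))
    return hits


def wow64_processes(processes):
    """An image path under SysWOW64 marks a 32-bit process; for cmd.exe the command
    line still says System32 because the WOW64 file-system redirector rewrote it."""
    return [pid for pid, _, image, _ in processes if "\\syswow64\\" in image.lower()]


if __name__ == "__main__":
    edges = parse_events(SIGNATURE_ROWS)
    print("hollowing candidates:", find_hollowing_candidates(PROCESSES, edges))
    print("ping sleep:", find_ping_sleep(PROCESSES))
    print("runtime csc.exe:", find_runtime_compilation(PROCESSES))
    print("32-bit (WOW64) pids:", wow64_processes(PROCESSES))
```

On this report's data the hollowing check returns the single pair 2272 -> 4632, the sleep check reports PID 4544 with ten echo requests (about nine seconds), both csc.exe runs are attributed to updaterbypass.exe as parent, and PIDs 4544 and 3364 are the WOW64 processes. The same functions apply unchanged to Sysmon event 1 / event 8 style data once it is mapped onto the same (pid, parent, image, command line) tuples and "wrote to memory of" / "set thread context of" edges.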
Network
MITRE ATT&CK Enterprise v15
Downloads (four small files written during the run)

- Filesize: 221B
  MD5: 1970d18f40cb77845e57803988ff5709
  SHA1: 9267ebd3ba029c74dd13d3fb28121de5012b09a2
  SHA256: 30d7b6904297e19bc0e668425754632c4f774b1d9e24fdcb18a98f7497ca826f
  SHA512: 30c13ca64c09acc354c96277f7e835fa7f4cfc7534caef04389f79eb5bf94c81a87fc7037b642ec8cee778b3d25e90fb8e05630befbfbb09f229a731fca93bf2

- Filesize: 258B
  MD5: 72663f3277fbac5a9662db5eb2d39aff
  SHA1: e6f9fb579a79678fa187d76e0f606b8f6f8865ba
  SHA256: dfd14a792c1c87a839c40716dcda53d7f18c8dda2a70daa3a4efa3f27cef1342
  SHA512: a7f1fbc749ad2a125014e3f9dfd4638bfbeac32eafc46d31df8832c528eb9e683a1484246151fb6b89d7b08264937337298f2a599b922520523104f1c69d3523

- Filesize: 222B
  MD5: b2a3c1b910d9ad1d13e42acb2655366f
  SHA1: 9f05dfd1ea70f5913d88fa6e94a1a8db163434d8
  SHA256: 232b51f0a7d5cdacb9208dec5773200142c252d57f2293bb62faaa456a6583e2
  SHA512: a9b5ab24e066ab0169262811ca005943a1bd0655368352f14afbb912a6086067e6c34dbc6e11fc0f54d593d9ebc5900d01f2d21713ac0806b40b9d7de899c289

- Filesize: 217B
  MD5: 4ef523c0a484a2d4a0d4f1d603938115
  SHA1: 6058b9b9115a9147c5ff31a0ec71e23990e4f2a7
  SHA256: 371ebc9aa34f173ca00ba92562d74569a656d95959f88a0f8ef7ab38b92c4183
  SHA512: a402bd066d875ba867c68463156004da7aeabb56f72aa2c0f504d41cdfdaa9c494eb18ccbd4ac7fb6c26cd0ca273730283699a9efac939c1d781ff7b10f6dd7a