Analysis
- max time kernel: 118s
- max time network: 121s
- platform: windows11-21h2_x64
- resource: win11-20241007-en
- resource tags: arch:x64, arch:x86, image:win11-20241007-en, locale:en-us, os:windows11-21h2-x64, system
- submitted: 10/10/2024, 02:42
Behavioral tasks
- behavioral1: Sample [RU]DESKTOP-33B9CHF@V#eff870d155ad9996e86173d19c2373fd3cea5780.zip.jar, Resource win7-20240903-en
- behavioral2: Sample [RU]DESKTOP-33B9CHF@V#eff870d155ad9996e86173d19c2373fd3cea5780.zip.jar, Resource win7-20240903-en
- behavioral3: Sample [RU]DESKTOP-33B9CHF@V#eff870d155ad9996e86173d19c2373fd3cea5780.zip.jar, Resource win10-20240404-en
- behavioral4: Sample [RU]DESKTOP-33B9CHF@V#eff870d155ad9996e86173d19c2373fd3cea5780.zip.jar, Resource win10v2004-20241007-en
- behavioral5: Sample [RU]DESKTOP-33B9CHF@V#eff870d155ad9996e86173d19c2373fd3cea5780.zip.jar, Resource win11-20241007-en
General
- Target: [RU]DESKTOP-33B9CHF@V#eff870d155ad9996e86173d19c2373fd3cea5780.zip.jar
- Size: 332KB
- MD5: c6f19bd285ac0c699435b607a163bedd
- SHA1: 959fd4aa99f9550359eeccf5770565fb0503104d
- SHA256: 21810e5c5329762599cdb396feba7c560e42808f11d7eda6ea8afcc0d3d1cd1d
- SHA512: 96be9a0c64c27cca97b690e9b8e07db114271b7888b4acacf8aed0a89750ab6fd967e48cd277abe3e359726af1f094e8c33b6b4e0b4b5561559189e8577ca708
- SSDEEP: 6144:JZjgS007NNMX/+DoklCAFNWClCA+jp02GmaZ/ZJSEPavLFjt+Ww:JZNNNzbCClCA+jp02GmWhJnav5jUj
Malware Config
Signatures
- Ratty Rat payload (1 IoC)
  resource: behavioral5/files/0x001d00000002aa5d-14.dat, yara_rule: family_ratty
- Drops startup file (1 IoC)
  File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\[RU]DESKTOP-33B9CHF@V#eff870d155ad9996e86173d19c2373fd3cea5780.zip.jar (Process: java.exe)
- Loads dropped DLL (1 IoC)
  PID 692, Process: java.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  Set value (str): \REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000\Software\Microsoft\Windows\CurrentVersion\Run\[RU]DESKTOP-33B9CHF@V#eff870d155ad9996e86173d19c2373fd3cea5780.zip.jar = "C:\\Users\\Admin\\AppData\\Roaming\\[RU]DESKTOP-33B9CHF@V#eff870d155ad9996e86173d19c2373fd3cea5780.zip.jar" (Process: REG.exe)
- Modifies registry class (2 IoCs)
  Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\ (Process: java.exe)
  Key created: \REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\ (Process: java.exe)
- Modifies registry key (1 TTP, 1 IoC)
  PID 4768, Process: REG.exe
- Suspicious use of SetWindowsHookEx (4 IoCs)
  PID 692, Process: java.exe (4 entries)
- Suspicious use of WriteProcessMemory (6 IoCs)
  PID 692 wrote to memory of 4768 (Process: java.exe, procid_target 78), 2 entries
  PID 692 wrote to memory of 4292 (Process: java.exe, procid_target 79), 2 entries
  PID 692 wrote to memory of 3476 (Process: java.exe, procid_target 82), 2 entries
- Views/modifies file attributes (1 TTP, 2 IoCs)
  PID 3476, Process: attrib.exe
  PID 4292, Process: attrib.exe
Processes
- C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe (PID 692)
  Command line: java -jar C:\Users\Admin\AppData\Local\Temp\[RU]DESKTOP-33B9CHF@V#eff870d155ad9996e86173d19c2373fd3cea5780.zip.jar
  Signatures: Drops startup file; Loads dropped DLL; Modifies registry class; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
  - C:\Windows\SYSTEM32\REG.exe (PID 4768)
    Command line: REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v "[RU]DESKTOP-33B9CHF@V#eff870d155ad9996e86173d19c2373fd3cea5780.zip.jar" /d "C:\Users\Admin\AppData\Roaming\[RU]DESKTOP-33B9CHF@V#eff870d155ad9996e86173d19c2373fd3cea5780.zip.jar" /f
    Signatures: Adds Run key to start application; Modifies registry key
  - C:\Windows\SYSTEM32\attrib.exe (PID 4292)
    Command line: attrib +H C:\Users\Admin\AppData\Roaming\[RU]DESKTOP-33B9CHF@V#eff870d155ad9996e86173d19c2373fd3cea5780.zip.jar
    Signatures: Views/modifies file attributes
  - C:\Windows\SYSTEM32\attrib.exe (PID 3476)
    Command line: attrib +H C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\[RU]DESKTOP-33B9CHF@V#eff870d155ad9996e86173d19c2373fd3cea5780.zip.jar
    Signatures: Views/modifies file attributes
Network
MITRE ATT&CK Enterprise v15
Downloads
- (no path listed)
  Filesize: 83KB
  MD5: 55f4de7f270663b3dc712b8c9eed422a
  SHA1: 7432773eb4d09dc286d43fcc77ddb0e1e3bce2b4
  SHA256: 47c2871dff8948de40424df497962ea6167c56bd4d487dd2e660aa2837485e25
  SHA512: 9da5efb0236b3bb4ec72d07bfd70a9e3f373df95d97c825513babd43d2b91c8669e28f3464173e789dad092ea48fc8d32a9d11a6d5c8d9beeabd33860ce6a996
- C:\Users\Admin\AppData\Roaming\[RU]DESKTOP-33B9CHF@V#eff870d155ad9996e86173d19c2373fd3cea5780.zip.jar
  Filesize: 332KB
  MD5: c6f19bd285ac0c699435b607a163bedd
  SHA1: 959fd4aa99f9550359eeccf5770565fb0503104d
  SHA256: 21810e5c5329762599cdb396feba7c560e42808f11d7eda6ea8afcc0d3d1cd1d
  SHA512: 96be9a0c64c27cca97b690e9b8e07db114271b7888b4acacf8aed0a89750ab6fd967e48cd277abe3e359726af1f094e8c33b6b4e0b4b5561559189e8577ca708