Analysis
- max time kernel: 148s
- max time network: 150s
- platform: windows11-21h2_x64
- resource: win11-20241007-en
- resource tags: arch:x64, arch:x86, image:win11-20241007-en, locale:en-us, os:windows11-21h2-x64, system
- submitted: 25/12/2024, 08:53

Static task: static1
Behavioral task: behavioral1
Sample: 888 RAT Privatex.exe
Resource: win11-20241007-en

General
- Target: 888 RAT Privatex.exe
- Size: 11.3MB
- MD5: eb92b2a00a4f4c8a14ab9e5845a51512
- SHA1: 6855badfc5f79a9e75b073c3ebc65902afe4698b
- SHA256: 492bd088b2da5df8a1de73e77c6413480be2a47c1600f67e57a52f03f5d7801b
- SHA512: 6c62f18f79fdf30494580868b139aa0b87580f25c37a8c99ecda64b0b8c442c6b26a5cacada0c404f1cf23f46e01d14e871923a6c624ddbdb4a7c2db5e85a18c
- SSDEEP: 196608:CJWQr/GQDd3JjPOVXRzPHGy+FtxIpeYIGx/3E8hNpRKEzTzvLuShmIYNoE+At:uWQrr5uX5PHGyZt/s4pR3pVY4
Malware Config
Signatures

Xmrig family

XMRig Miner payload (7 IoCs)
resource | yara_rule
- behavioral1/memory/4864-22-0x0000000000400000-0x0000000000DCB000-memory.dmp | xmrig
- behavioral1/memory/4864-30-0x0000000000400000-0x0000000000DCB000-memory.dmp | xmrig
- behavioral1/memory/4864-29-0x0000000000400000-0x0000000000DCB000-memory.dmp | xmrig
- behavioral1/memory/4864-32-0x0000000000400000-0x0000000000DCB000-memory.dmp | xmrig
- behavioral1/memory/4864-31-0x0000000000400000-0x0000000000DCB000-memory.dmp | xmrig
- behavioral1/memory/4864-33-0x0000000000400000-0x0000000000DCB000-memory.dmp | xmrig
- behavioral1/memory/4864-244-0x0000000000400000-0x0000000000DCB000-memory.dmp | xmrig

Modifies Windows Firewall (2 TTPs, 2 IoCs)
pid | Process
- 3436 | netsh.exe
- 2336 | netsh.exe

ACProtect 1.3x - 1.4x DLL software (1 IoCs)
Detects file using ACProtect software.
resource | yara_rule
- behavioral1/files/0x001900000002ab0f-75.dat | acprotect

Checks computer location settings (2 TTPs, 1 IoCs)
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
- Key value queried | \REGISTRY\USER\S-1-5-21-4249425805-3408538557-1766626484-1000\Control Panel\International\Geo\Nation | 888 RAT Privatex.exe

Executes dropped EXE (2 IoCs)
pid | Process
- 4864 | TiWorker.exe
- 1604 | 888 RAT Private.exe

Loads dropped DLL (3 IoCs)
pid | Process
- 1604 | 888 RAT Private.exe (3 entries)
Indicator Removal: Clear Persistence (1 TTPs, 1 IoCs)
Clears artifacts associated with previously established persistence, such as scheduled tasks, on a host.
pid | Process
- 5076 | cmd.exe
AutoIT Executable (11 IoCs)
AutoIT scripts compiled to PE executables.
resource | yara_rule
- behavioral1/files/0x001d00000002ab08-41.dat | autoit_exe
- behavioral1/memory/1604-96-0x0000000000230000-0x0000000000945000-memory.dmp | autoit_exe
- behavioral1/memory/1604-126-0x0000000000230000-0x0000000000945000-memory.dmp | autoit_exe
- behavioral1/memory/1604-121-0x0000000000230000-0x0000000000945000-memory.dmp | autoit_exe
- behavioral1/memory/1604-112-0x0000000000230000-0x0000000000945000-memory.dmp | autoit_exe
- behavioral1/memory/1604-105-0x0000000000230000-0x0000000000945000-memory.dmp | autoit_exe
- behavioral1/memory/1604-99-0x0000000000230000-0x0000000000945000-memory.dmp | autoit_exe
- behavioral1/memory/1604-93-0x0000000000230000-0x0000000000945000-memory.dmp | autoit_exe
- behavioral1/memory/1604-90-0x0000000000230000-0x0000000000945000-memory.dmp | autoit_exe
- behavioral1/memory/1604-88-0x0000000000230000-0x0000000000945000-memory.dmp | autoit_exe
- behavioral1/memory/1604-133-0x0000000000230000-0x0000000000945000-memory.dmp | autoit_exe

Drops file in System32 directory (6 IoCs)
description | ioc | Process
- File created | C:\Windows\SysWOW64\TiWorker.exe | 888 RAT Privatex.exe
- File opened for modification | C:\Windows\SysWOW64\TiWorker.exe | 888 RAT Privatex.exe
- File created | C:\Windows\SysWOW64\config.json | 888 RAT Privatex.exe
- File opened for modification | C:\Windows\SysWOW64\config.json | 888 RAT Privatex.exe
- File created | C:\Windows\SysWOW64\MicrosoftWindows.xml | 888 RAT Privatex.exe
- File opened for modification | C:\Windows\SysWOW64\MicrosoftWindows.xml | 888 RAT Privatex.exe

Untitled signature (yara_rule upx, 3 IoCs)
resource | yara_rule
- behavioral1/files/0x001900000002ab0f-75.dat | upx
- behavioral1/memory/1604-83-0x0000000010000000-0x00000000100BB000-memory.dmp | upx
- behavioral1/memory/1604-243-0x0000000010000000-0x00000000100BB000-memory.dmp | upx

Event Triggered Execution: Netsh Helper DLL (1 TTPs, 6 IoCs)
Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.
description | ioc | Process
- Key opened | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | netsh.exe
- Key queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | netsh.exe
- Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | netsh.exe
- Key opened | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | netsh.exe
- Key queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | netsh.exe
- Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | netsh.exe
System Location Discovery: System Language Discovery (1 TTPs, 1 IoCs)
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
- Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 888 RAT Private.exe
Scheduled Task/Job: Scheduled Task (1 TTPs, 1 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid | Process
- 464 | schtasks.exe

Suspicious behavior: EnumeratesProcesses (10 IoCs)
pid | Process
- 1980 | 888 RAT Privatex.exe (8 entries)
- 1604 | 888 RAT Private.exe (2 entries)

Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
pid | Process
- 1604 | 888 RAT Private.exe

Suspicious use of AdjustPrivilegeToken (1 IoCs)
description | pid | Process
- Token: SeLockMemoryPrivilege | 4864 | TiWorker.exe

Suspicious use of FindShellTrayWindow (11 IoCs)
pid | Process
- 1604 | 888 RAT Private.exe (11 entries)

Suspicious use of SendNotifyMessage (11 IoCs)
pid | Process
- 1604 | 888 RAT Private.exe (11 entries)

Suspicious use of SetWindowsHookEx (1 IoCs)
pid | Process
- 1604 | 888 RAT Private.exe

Suspicious use of WriteProcessMemory (35 IoCs)
description | pid | Process | procid_target
- PID 1980 wrote to memory of 1416 | 1980 | 888 RAT Privatex.exe | 77 (2 entries)
- PID 1416 wrote to memory of 3968 | 1416 | cmd.exe | 79 (2 entries)
- PID 1416 wrote to memory of 1696 | 1416 | cmd.exe | 80 (2 entries)
- PID 1980 wrote to memory of 5076 | 1980 | 888 RAT Privatex.exe | 81 (2 entries)
- PID 5076 wrote to memory of 2980 | 5076 | cmd.exe | 83 (2 entries)
- PID 1980 wrote to memory of 3812 | 1980 | 888 RAT Privatex.exe | 84 (2 entries)
- PID 3812 wrote to memory of 2336 | 3812 | cmd.exe | 86 (2 entries)
- PID 1980 wrote to memory of 3416 | 1980 | 888 RAT Privatex.exe | 87 (2 entries)
- PID 3416 wrote to memory of 3436 | 3416 | cmd.exe | 89 (2 entries)
- PID 1980 wrote to memory of 2476 | 1980 | 888 RAT Privatex.exe | 90 (2 entries)
- PID 2476 wrote to memory of 464 | 2476 | cmd.exe | 92 (2 entries)
- PID 1980 wrote to memory of 4984 | 1980 | 888 RAT Privatex.exe | 93 (2 entries)
- PID 4984 wrote to memory of 4252 | 4984 | cmd.exe | 95 (2 entries)
- PID 4984 wrote to memory of 3100 | 4984 | cmd.exe | 96 (2 entries)
- PID 1980 wrote to memory of 3552 | 1980 | 888 RAT Privatex.exe | 99 (2 entries)
- PID 3552 wrote to memory of 3912 | 3552 | cmd.exe | 101 (2 entries)
- PID 1980 wrote to memory of 1604 | 1980 | 888 RAT Privatex.exe | 102 (3 entries)

Uses Task Scheduler COM API (1 TTPs)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes

- C:\Users\Admin\AppData\Local\Temp\888 RAT Privatex.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\888 RAT Privatex.exe"
  PID: 1980
  - Checks computer location settings
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory

  - C:\Windows\system32\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c schtasks /End /TN "Microsoft\Windows\MUI\WindowsUpdate" & schtasks /End /TN "WindowsUpdate" & exit
    PID: 1416
    - Suspicious use of WriteProcessMemory

    - C:\Windows\system32\schtasks.exe
      Command line: schtasks /End /TN "Microsoft\Windows\MUI\WindowsUpdate"
      PID: 3968

    - C:\Windows\system32\schtasks.exe
      Command line: schtasks /End /TN "WindowsUpdate"
      PID: 1696

  - C:\Windows\system32\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c schtasks /Delete /TN "WindowsUpdate" /F & exit
    PID: 5076
    - Indicator Removal: Clear Persistence
    - Suspicious use of WriteProcessMemory

    - C:\Windows\system32\schtasks.exe
      Command line: schtasks /Delete /TN "WindowsUpdate" /F
      PID: 2980

  - C:\Windows\system32\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="System" dir=out action=allow program="%windir%\SysWOW64\TiWorker.exe" enable=yes & exit
    PID: 3812
    - Suspicious use of WriteProcessMemory

    - C:\Windows\system32\netsh.exe
      Command line: netsh advfirewall firewall add rule name="System" dir=out action=allow program="C:\Windows\SysWOW64\TiWorker.exe" enable=yes
      PID: 2336
      - Modifies Windows Firewall
      - Event Triggered Execution: Netsh Helper DLL

  - C:\Windows\system32\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="System" dir=in action=allow program="%windir%\SysWOW64\TiWorker.exe" enable=yes & exit
    PID: 3416
    - Suspicious use of WriteProcessMemory

    - C:\Windows\system32\netsh.exe
      Command line: netsh advfirewall firewall add rule name="System" dir=in action=allow program="C:\Windows\SysWOW64\TiWorker.exe" enable=yes
      PID: 3436
      - Modifies Windows Firewall
      - Event Triggered Execution: Netsh Helper DLL

  - C:\Windows\system32\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c schtasks /Create /XML "%windir%\SysWOW64\MicrosoftWindows.xml" /TN "Microsoft\Windows\MUI\WindowsUpdate" /F & exit
    PID: 2476
    - Suspicious use of WriteProcessMemory

    - C:\Windows\system32\schtasks.exe
      Command line: schtasks /Create /XML "C:\Windows\SysWOW64\MicrosoftWindows.xml" /TN "Microsoft\Windows\MUI\WindowsUpdate" /F
      PID: 464
      - Scheduled Task/Job: Scheduled Task

  - C:\Windows\system32\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c schtasks /Change /TN "Microsoft\Windows\MUI\WindowsUpdate" /TR "%windir%\SysWOW64\TiWorker.exe" & schtasks /Run /TN "Microsoft\Windows\MUI\WindowsUpdate" & exit
    PID: 4984
    - Suspicious use of WriteProcessMemory

    - C:\Windows\system32\schtasks.exe
      Command line: schtasks /Change /TN "Microsoft\Windows\MUI\WindowsUpdate" /TR "C:\Windows\SysWOW64\TiWorker.exe"
      PID: 4252

    - C:\Windows\system32\schtasks.exe
      Command line: schtasks /Run /TN "Microsoft\Windows\MUI\WindowsUpdate"
      PID: 3100

  - C:\Windows\system32\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c certutil –addstore –f root MicrosoftWindows.crt & exit
    PID: 3552
    - Suspicious use of WriteProcessMemory

    - C:\Windows\system32\certutil.exe
      Command line: certutil –addstore –f root MicrosoftWindows.crt
      PID: 3912

  - C:\Users\Admin\AppData\Local\Temp\888 RAT Private.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\888 RAT Private.exe"
    PID: 1604
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of SetWindowsHookEx

- C:\Windows\SysWOW64\TiWorker.exe
  Command line: C:\Windows\SysWOW64\TiWorker.exe
  PID: 4864
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15

Persistence
- Create or Modify System Process (1)
  - Windows Service (1)
- Event Triggered Execution (1)
  - Netsh Helper DLL (1)
- Scheduled Task/Job (1)
  - Scheduled Task (1)

Privilege Escalation
- Create or Modify System Process (1)
  - Windows Service (1)
- Event Triggered Execution (1)
  - Netsh Helper DLL (1)
- Scheduled Task/Job (1)
  - Scheduled Task (1)

Defense Evasion
- Impair Defenses (1)
  - Disable or Modify System Firewall (1)
- Indicator Removal (1)
  - Clear Persistence (1)
Downloads

- Filesize: 7.1MB
  MD5: fd333b3b8a82bb7de7f191c4748db00b
  SHA1: 555be90439cf5fb71af7599f03a064704dde93d7
  SHA256: 715defb279b04341fdc48d927e629079662da381d51bce7217d55c375220e678
  SHA512: 9f5d5f8a38e9b39833fa0af5477fa3ea2a617a607b4e344cad4a4538d8d8424bf4c1aa3ce9f2f03f4ad23dd988de70e0d3eab9a4e7b2e46cf5de0371eac81d7d

- Filesize: 1KB
  MD5: 1bb617d3aab1dbe2ec2e4a90bf824846
  SHA1: bbe179f1bdc4466661da3638420e6ca862bd50ca
  SHA256: 1bf4ce2aedc0cfb1365ab15c7e0c8c26b87890ad4008d56317b756b8745ff580
  SHA512: ed91750bec3aed806088c271e295550dac1c8cae91569f278d40fbd671b486e70cc9b28f7a9a70e9f340fbe8a038f1ed18f666de4246fc1d60e015e0dd3f1c52

- Filesize: 3.2MB
  MD5: ecede3c32ce83ff76ae584c938512c5a
  SHA1: 090b15025e131cc03098f6f0d8fa5366bc5fa1f0
  SHA256: 366f1e9f9c99aa81034bada3cc344f2fb5a74246e1d5851441244df1ecc9ae6d
  SHA512: 61ca6075c8a2086d42b58698484afc0005645507474831cacafc10126f47c8f0cda10c1c215557f9391865b55b16ae881a593d7547cbad560b54369684b23d1d

- Filesize: 1.1MB
  MD5: 060779ce2fdb52bfb9e7463704852d29
  SHA1: 486541ee6bf89570966143cbc473e9e1f5d5ef37
  SHA256: 1bd90d1c7ff94b4ec5369a9f94e446f96566a6286adede460584fd247b7bd540
  SHA512: a010220679d301a077f1feb6676a63b42aa66c17449808ab3109ae26cb2237b5b124e3053120291fe650eeb83bccad2d9f88269dde4d802fd6c7d34b1cdb39c2

- Filesize: 239KB
  MD5: 29e1d5770184bf45139084bced50d306
  SHA1: 76c953cd86b013c3113f8495b656bd721be55e76
  SHA256: 794987c4069286f797631f936c73b925c663c42d552aeca821106dfc7c7ba307
  SHA512: 7cb3d0788978b6dc5a78f65349366dac3e91b1557efa4f385984bef4940b3ea859f75cfe42c71f6fe445555138f44305531de6a89c5beff4bf9d42001b4348e8

- Filesize: 4KB
  MD5: b1cbfcc7b7a5716a30b77f5dc5bb6135
  SHA1: 5c397ffd7a845b2fdf9e82ff73698784a91a2fb9
  SHA256: 96f2ff4ddcadf6421071daa6cdda2ce866fb7b10d12cc1b20bd07cb131210430
  SHA512: d08516e7610e5a08d1c5c2d1cc5a22b1cd2d6b7c890f895caee0cf65577a1315d575d91a8f7f78ffc7bd0dd77b23ece46fadf58ba44257a115330a54a3ebfcf7

- Filesize: 1011B
  MD5: 3da156f2d3307118a8e2c569be30bc87
  SHA1: 335678ca235af3736677bd8039e25a6c1ee5efca
  SHA256: f86ab68eaddd22fbe679ea5ab9cc54775e74081beffd758b30776ba103f396eb
  SHA512: 59748e02cc4b7f280471b411d6ca3c9986f4c12f84b039bae25269634fc825cde417fe46246f58538668c19cca91e698e31d9f32df69aad89e68423f86bb00c0