General

  • Target

    archive_25.zip

  • Size

    102.5MB

  • Sample

    250322-gyblksyzgv

  • MD5

    41fd5b9c28193964370e658554e37b0b

  • SHA1

    37fd84be5bc48db7a7021d567e051f5bbb0bdd69

  • SHA256

    545403ae8941712ac4f021d5867ac8df35a554d5754192c54da66f7b2a2d4e5f

  • SHA512

    4129c0138e7bd0f214b0708ed7d4c5c3eb0cc3f2c8249ed9fb4ec673df370810018994f054777d192985a1353e8aaeb6c8ff511b79ff3310a0b6e3f26e4b757a

  • SSDEEP

    3145728:UVhIPaDT36Um0PgjtEvANn3hYzYd+aTIbhaG:ULIPaDr6UmogJEvwazYd+aTOaG

Malware Config

Extracted

Family

xworm

C2

127.0.0.1:14012

Attributes
  • Install_directory

    %Userprofile%

  • install_file

    unbranded.exe

Extracted

Family

njrat

Version

0.7d

Botnet

ahmadov

C2

127.0.0.1:1177

Mutex

1c3772931918e1149281693b02406309

Attributes
  • reg_key

    1c3772931918e1149281693b02406309

  • splitter

    |'|'|

Extracted

Family

njrat

Version

<- NjRAT 0.7d Horror Edition ->

Botnet

Victim

C2

46.197.220.52:1604

Mutex

d86002942e50fc369331de21e4537b9f

Attributes
  • reg_key

    d86002942e50fc369331de21e4537b9f

  • splitter

    Y262SUCZ4UJJ
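Both njrat configs above carry a "splitter" value (the stock `|'|'|` in the 0.7d build, `Y262SUCZ4UJJ` in the "Horror Edition" build). That string is the field delimiter the RAT uses inside its command messages, which is why it is worth keeping as a network-detection artefact rather than only a registry one. The decoder below is an added example, not code from the tria.ge report or from njRAT itself. It assumes the framing commonly documented for njRAT 0.7d builds (an ASCII decimal payload length, a NUL byte, then the payload with fields joined by the splitter); treat that framing as an assumption, and the byte stream in `SAMPLE` is constructed for the example, not captured traffic.

```python
"""njRAT-style frame decoding keyed on the per-build splitter.

Added example, not code from the tria.ge report or from njRAT.
Assumed framing (documented for 0.7d builds, but an assumption here):
    <ASCII decimal payload length> <NUL> <command><splitter><field>...
The splitter values are the ones the two njrat configs report.
"""
from dataclasses import dataclass, field

SPLITTER_07D = "|'|'|"            # stock njRAT 0.7d build (config above)
SPLITTER_HORROR = "Y262SUCZ4UJJ"  # "Horror Edition" build (config above)


@dataclass
class Frame:
    command: str
    fields: list[str] = field(default_factory=list)


def build_frame(command: str, fields: list[str], splitter: str) -> bytes:
    """Encode one frame: <len>\\x00<command><splitter><field>..."""
    payload = splitter.join([command, *fields]).encode("utf-8")
    return str(len(payload)).encode("ascii") + b"\x00" + payload


def parse_stream(data: bytes, splitter: str) -> tuple[list[Frame], bytes]:
    """Decode every complete frame in data; return (frames, leftover bytes).

    Leftover is whatever did not yet form a complete frame, so a caller
    reassembling a TCP stream can prepend it to the next chunk.
    """
    frames: list[Frame] = []
    pos = 0
    while pos < len(data):
        nul = data.find(b"\x00", pos)
        if nul == -1:
            break                               # length prefix incomplete
        prefix = data[pos:nul]
        if not prefix.isdigit():
            raise ValueError(f"bad length prefix at offset {pos}: {prefix!r}")
        start, end = nul + 1, nul + 1 + int(prefix)
        if end > len(data):
            break                               # payload truncated; wait for more
        parts = data[start:end].decode("utf-8", errors="replace").split(splitter)
        frames.append(Frame(parts[0], parts[1:]))
        pos = end
    return frames, data[pos:]


def looks_like_njrat(data: bytes, splitter: str) -> bool:
    """First-pass heuristic: at least one well-formed frame whose payload
    actually contains the build's splitter. A filter, not a signature."""
    frames, _ = parse_stream(data, splitter)
    return any(f.fields for f in frames)


# Constructed sample: a registration-style beacon, a short reply, then a
# frame cut off mid-payload. Field values are placeholders, not victim data.
SAMPLE = (
    build_frame("ll", ["SGVsbG8=", "WIN-EXAMPLE", "user", "2025-03-22", "Win7", "No", "0.7d"], SPLITTER_07D)
    + build_frame("inf", [], SPLITTER_07D)
    + b"40\x00ll" + SPLITTER_07D.encode("utf-8")   # truncated on purpose
)

if __name__ == "__main__":
    frames, rest = parse_stream(SAMPLE, SPLITTER_07D)
    for f in frames:
        print(f.command, f.fields)
    print("leftover:", rest)
    print("matches 0.7d splitter:", looks_like_njrat(SAMPLE, SPLITTER_07D))
    print("matches Horror splitter:", looks_like_njrat(SAMPLE, SPLITTER_HORROR))
```

The same stream parsed with the wrong splitter still yields frames, but every frame has an empty field list, which is the signal `looks_like_njrat` uses: a build-specific splitter lets you tell two njRAT variants apart on the wire even when they share the length-prefix framing.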

Extracted

Family

xworm

Version

5.0

C2

92.255.57.221:4414

185.84.160.71:7000

Mutex

bAxXydDWeCUErZLr

Attributes
  • install_file

    USB.exe

  • aes.plain

Extracted

Family

remcos

Botnet

Host

C2

213.183.58.19:4000

Attributes
  • audio_folder

    audio

  • audio_path

    %AppData%

  • audio_record_time

    5

  • connect_delay

    0

  • connect_interval

    5

  • copy_file

    remcos.exe

  • copy_folder

    remcos

  • delete_file

    false

  • hide_file

    false

  • hide_keylog_file

    true

  • install_flag

    false

  • install_path

    %AppData%

  • keylog_crypt

    true

  • keylog_file

    read.dat

  • keylog_flag

    false

  • keylog_folder

    CastC

  • keylog_path

    %AppData%

  • mouse_option

    false

  • mutex

    remcos_sccafsoidz

  • screenshot_crypt

    false

  • screenshot_flag

    false

  • screenshot_folder

    Screens

  • screenshot_path

    %AppData%

  • screenshot_time

    1

  • startup_value

    remcos

  • take_screenshot_option

    false

  • take_screenshot_time

    5

Extracted

Family

remcos

Version

1.7 Pro

Botnet

Host

C2

213.183.58.19:4000

Attributes
  • audio_folder

    audio

  • audio_path

    %AppData%

  • audio_record_time

    5

  • connect_delay

    0

  • connect_interval

    5

  • copy_file

    remcos.exe

  • copy_folder

    remcos

  • delete_file

    false

  • hide_file

    false

  • hide_keylog_file

    true

  • install_flag

    false

  • install_path

    %AppData%

  • keylog_crypt

    true

  • keylog_file

    read.dat

  • keylog_flag

    false

  • keylog_folder

    CastC

  • keylog_path

    %AppData%

  • mouse_option

    false

  • mutex

    remcos_sccafsoidz

  • screenshot_crypt

    false

  • screenshot_flag

    false

  • screenshot_folder

    Screens

  • screenshot_path

    %AppData%

  • screenshot_time

    1

  • startup_value

    remcos

  • take_screenshot_option

    false

  • take_screenshot_time

    5
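Two of the six configs above report a C2 of 127.0.0.1 (xworm on 14012, njrat 0.7d on 1177). A loopback address in an extracted config is almost always a builder default or a test build, not infrastructure, and blocking it would achieve nothing; the routable addresses and the host artefacts (mutexes, Run-key names, dropped file names, the Remcos keylog path) are the parts worth turning into indicators. The script below does that triage. It is an added example, not part of the tria.ge report or code from any of the families listed: `CONFIGS` is transcribed from the "Malware Config" section of this report, and the classification rules are this example's own.

```python
"""Triage the extracted configs above into actionable IOCs.

Added example, not part of the tria.ge report. CONFIGS is transcribed
from the report's "Malware Config" section; the rule that loopback and
private C2 addresses are not blockable network IOCs is this example's own.
"""
import ipaddress

CONFIGS = [
    {"family": "xworm", "c2": ["127.0.0.1:14012"],
     "persistence": {"install_file": "unbranded.exe", "install_directory": "%Userprofile%"}},
    {"family": "njrat", "version": "0.7d", "botnet": "ahmadov", "c2": ["127.0.0.1:1177"],
     "mutex": "1c3772931918e1149281693b02406309",
     "persistence": {"reg_key": "1c3772931918e1149281693b02406309"}},
    {"family": "njrat", "version": "<- NjRAT 0.7d Horror Edition ->", "botnet": "Victim",
     "c2": ["46.197.220.52:1604"],
     "mutex": "d86002942e50fc369331de21e4537b9f",
     "persistence": {"reg_key": "d86002942e50fc369331de21e4537b9f"}},
    {"family": "xworm", "version": "5.0", "c2": ["92.255.57.221:4414", "185.84.160.71:7000"],
     "mutex": "bAxXydDWeCUErZLr", "persistence": {"install_file": "USB.exe"}},
    {"family": "remcos", "botnet": "Host", "c2": ["213.183.58.19:4000"],
     "mutex": "remcos_sccafsoidz",
     "persistence": {"startup_value": "remcos", "copy_file": "remcos.exe", "copy_folder": "remcos"},
     "artefacts": {"keylog_file": "%AppData%\\CastC\\read.dat"}},
    {"family": "remcos", "version": "1.7 Pro", "botnet": "Host", "c2": ["213.183.58.19:4000"],
     "mutex": "remcos_sccafsoidz",
     "persistence": {"startup_value": "remcos", "copy_file": "remcos.exe", "copy_folder": "remcos"},
     "artefacts": {"keylog_file": "%AppData%\\CastC\\read.dat"}},
]


def classify_endpoint(endpoint: str) -> str:
    """Return 'routable', 'private' or 'loopback' for an ip:port string."""
    host, _, port = endpoint.rpartition(":")
    if not port.isdigit() or not 0 < int(port) < 65536:
        raise ValueError(f"bad endpoint: {endpoint}")
    ip = ipaddress.ip_address(host.strip("[]"))   # accepts [v6]:port too
    if ip.is_loopback:
        return "loopback"
    if ip.is_private or ip.is_link_local:
        return "private"
    return "routable"


def triage(configs):
    """Split configs into blockable network IOCs, ignored endpoints and host artefacts.

    network: {endpoint: sorted families}, deduplicated across configs
    ignored: [(family, endpoint, reason)] for loopback/private C2s
    host:    sorted (family, kind, value) mutexes, Run-key names and file names
    """
    network: dict[str, set[str]] = {}
    ignored = []
    host = set()
    for cfg in configs:
        fam = cfg["family"]
        for ep in cfg["c2"]:
            kind = classify_endpoint(ep)
            if kind == "routable":
                network.setdefault(ep, set()).add(fam)
            else:
                ignored.append((fam, ep, kind))
        if cfg.get("mutex"):
            host.add((fam, "mutex", cfg["mutex"]))
        for kind, value in cfg.get("persistence", {}).items():
            host.add((fam, kind, value))
        for kind, value in cfg.get("artefacts", {}).items():
            host.add((fam, kind, value))
    return {
        "network": {ep: sorted(f) for ep, f in network.items()},
        "ignored": ignored,
        "host": sorted(host),
    }


if __name__ == "__main__":
    result = triage(CONFIGS)
    print("Block / alert on:")
    for ep, fams in sorted(result["network"].items()):
        print(f"  {ep:<22} {', '.join(fams)}")
    print("Not actionable (builder default / lab address):")
    for fam, ep, why in result["ignored"]:
        print(f"  {ep:<22} {fam} ({why})")
    print("Host artefacts:")
    for fam, kind, value in result["host"]:
        print(f"  {fam:<8} {kind:<18} {value}")
```

Deduplication matters here: the two Remcos configs are the same build reported twice (only the version string differs), so the script emits one network IOC and one mutex for Remcos rather than two of each.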

Targets

    • Target

      67a62cb441400a13757721a9f7d8c6ba.exe

    • Size

      63KB

    • MD5

      67a62cb441400a13757721a9f7d8c6ba

    • SHA1

      1e42025629579d101861b1b686beb475c48a8636

    • SHA256

      2f7457a67bc6130046e72c2ab095d3744a410e4b04ac3315197b8b8849fc4e22

    • SHA512

      87d3b0187a482638b15e8291793f72d8019bb952239dc749a3a79c9c11186d8a93cb18d0c7f4b9b582c2dde0a32c9173198082dd3c97589222fa4a6ba093ce54

    • SSDEEP

      1536:V50NqnY2ITdR7iA72cWD+bO3JWB5sViBgOi+X:Vi8Y5RFiA7+D+bOcA9OiQ

    • Detect Xworm Payload

    • Xworm

      Xworm is a remote access trojan written in C#.

    • Xworm family

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Executes dropped EXE

    • Adds Run key to start application

    • Target

      67c679ac1d31b57180ad84a2ccd0a74d.exe

    • Size

      23KB

    • MD5

      67c679ac1d31b57180ad84a2ccd0a74d

    • SHA1

      a3d46b898ba8ed8852a8cfac3f4c49989b97fd8b

    • SHA256

      edc05bae157c3ca29d70a609d115950b15d30a8963df6a58152e20c94ceaca41

    • SHA512

      f0f2a2f88fc4d41bd15cb1dccc4d8ada24abc4d3e93a2c0d1fade8adc36feccee0b682d23797ecd4f544256cfd636b0f627123a6d7d63f878ffa0a30080834dc

    • SSDEEP

      384:2+n2650N3qZbATcjRGC5Eo9D46BgnqUhay1ZmRvR6JZlbw8hqIusZzZGe:pm+71d5XRpcnum

    • Njrat family

    • njRAT/Bladabindi

      Widely used RAT written in .NET.

    • Modifies Windows Firewall

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Target

      67e080e7fb0b34b6c79705d7689afc78.exe

    • Size

      885KB

    • MD5

      67e080e7fb0b34b6c79705d7689afc78

    • SHA1

      e82affbbc2595fe40579375cf5c41a7d826eacc7

    • SHA256

      58898fe0524fffa99b22385eb2e89bd5779d40bf743b3b1ec0cde137015bbbbd

    • SHA512

      37ee5981558160f13d208bc871e33ffabb5dd1887b5b974f6b8232e936127c6cb5f2c59013675d4f64b22b9bd384eac71b5da3732d49c1da0312eeb05c988a6d

    • SSDEEP

      12288:0lNE5VnZuh+ZIlXJBH5SP2I/lwvDT77/wOKsV42i3GULVaHeopyyx1:0lNCv6XJ5BClaXfD9vUha+u

    Score
    10/10
    • DcRat

      DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

    • Dcrat family

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • DCRat payload

      Detects payload of DCRat, commonly dropped by NSIS installers.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Target

      67e78da23e09ae504200e107f8bd9c60081203120fd9f7abb56696c552dc520e.exe

    • Size

      3.4MB

    • MD5

      465dbd72a357767abad74e20eb2c1d96

    • SHA1

      b76518e1ee07d968e3888371fd58327b9593c7f0

    • SHA256

      67e78da23e09ae504200e107f8bd9c60081203120fd9f7abb56696c552dc520e

    • SHA512

      f6622aabec3290ca2bf483f8a07e930179bb5dbd4aeeb8f9b96debe543885fef8d4b7ad8cdc8ccab0231e7f50c68bc42dd301b9ba0007bcd2dee5b21878da246

    • SSDEEP

      98304:ZRS6nfSOQZOt+CW+7EELhF3gxpNOf2k2Y/HK/:Zkj8NBFwxpNOuk2MK/

    • Stops running service(s)

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Deletes itself

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Target

      67e9ff3c0b908ed9076058d06270b856681178ce2e7d35867d1f5f75b715353e.exe

    • Size

      517KB

    • MD5

      f3882841d807ebcc147ff9c45263ee4d

    • SHA1

      b97d48e074558a172948c835044eff8142af4882

    • SHA256

      67e9ff3c0b908ed9076058d06270b856681178ce2e7d35867d1f5f75b715353e

    • SHA512

      fb3d4cccd0a6210886422250ce60da509659a49c27b1a9bb279725563f39365acff1f7fb868a2537e8db896fd849e4872488c367eda94af9bcf0aa654ca29697

    • SSDEEP

      1536:N4eK+IFjWfoPbuaTRM3nFkwHbaA3LL0idWwiQcmWkF7jV:G+IF6foPCaTRMXbaev0FQcmWkRV

    Score
    7/10
    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Target

      682b4b814ea823587a4f3c3d6c7bc1b59baece364d2b670fd3e45e798afeac27.exe

    • Size

      1.6MB

    • MD5

      c86673bf3955f4820c9d706e1724c4ac

    • SHA1

      73a227f97cfe0ecd848e57cbf9d026b34ac9c6bf

    • SHA256

      682b4b814ea823587a4f3c3d6c7bc1b59baece364d2b670fd3e45e798afeac27

    • SHA512

      9010711d04d87d92cdfed6f1dc56d022fc9d5529b45443dcf9ad3fc0040a3e1695784525d81f5617b78bb7472c4293a1cc9599b388d1c5c9dc23d6b8b191b0f9

    • SSDEEP

      24576:6sm8JijftfWIqZpyh/X6bSmV2GKz1oncoiF9GFwUvpHk3tSfEybcswrJ4gOEGEk:6D8Jijt+xpS/ekYmLGdhEAf7bCcjE

    • DcRat

      DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

    • Dcrat family

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • DCRat payload

      Detects payload of DCRat, commonly dropped by NSIS installers.

    • Command and Scripting Interpreter: PowerShell

      Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Target

      68461a12fa99132c70d16fe56ad023eec0f3813ac15c52eb407d7422716fa0a4.exe

    • Size

      873KB

    • MD5

      2e947ac271b82d291ab63d9f0b16af1c

    • SHA1

      48fbf8c4f8c932e590410c2d3db2178dd331d7fc

    • SHA256

      68461a12fa99132c70d16fe56ad023eec0f3813ac15c52eb407d7422716fa0a4

    • SHA512

      be806eacd213cb785f89cb9c6ad7bb5f5971e746dc4a5dac84ca7654fe3d8796da3c83dcfef372c32b6b99421e8cf864fc6355adfd3b8fbb2c74ca210fa573f8

    • SSDEEP

      12288:Pp+rgRNyA55IxJ+feDOa9rZj5XqkJD0QrOod7XxlW91RRzwAY3A1:PpugRNJI1D39dlfGQrFUxwAeA1

    • Remcos

      Remcos is a closed-source remote control and surveillance software.

    • Remcos family

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

    • Target

      68921d96c994564496baf8e8befa5834.exe

    • Size

      55KB

    • MD5

      68921d96c994564496baf8e8befa5834

    • SHA1

      d866bee6645fdf339f6d3a29933e92397c77cd5a

    • SHA256

      4d80ed9f81ceb1d9e284b89c0b074d6b03bdf94f2a0fa56c114f9143d6f1f654

    • SHA512

      e6e23835cb12827616dd1a12757efba94d80cdca6ff51def8de944a3a461bdc1a77c4177c38fa8b635b4c83ac61f222a3ad52abfb38fcbad444442b88239cc64

    • SSDEEP

      768:19OecKt1ManMy2Nrjyjyn3UhkSN0mwFvfu0YMDHPs2L7XJSxI3pmum:1984DnANrjyjmADRwsNMDFXExI3pmum

    • Target

      68aaab301e4dc976a9ee18a646fab60e01c839867d05d24df6dad31b95e6aedb.exe

    • Size

      4.1MB

    • MD5

      9527ef0d6e62331be36135edcc600ae5

    • SHA1

      2b5dd4d06c19fba9942a5b946a6464f7c4e349d0

    • SHA256

      68aaab301e4dc976a9ee18a646fab60e01c839867d05d24df6dad31b95e6aedb

    • SHA512

      6025e530b6f409d0619368e48bf7578ac06355f71d120c79ba42e15ef39334eb07c449ac707fae46e045de35404413e7ae412815140fcf5608ec256a0c4f9fec

    • SSDEEP

      98304:5/rCoiMeed3IE1/xbUoEe78elDBupBPg8zUUdXT07/5/j2CoReeOnL8lZoJDXpFW:5jBiMeeR1/xbUoEe78elDBupBPg8zUUv

    Score
    10/10
    • Detect Xworm Payload

    • Xworm

      Xworm is a remote access trojan written in C#.

    • Xworm family

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Target

      68b8408aa7c238f2f6646abb8c2ff32b.exe

    • Size

      15KB

    • MD5

      68b8408aa7c238f2f6646abb8c2ff32b

    • SHA1

      1eec3953051baedef2f9b56dce1dd2673a6dff29

    • SHA256

      46e5a4768db1d83d467431c07274873f38728339a82ceddfa9ca188d7e83cf93

    • SHA512

      41a57f39395e031524cdca1ff5c23f0db206f24bd2bef8d5b9ab2c399e9a5eaf0c27a563a420a1f157221194847af130061462effb2293120cf15f9844e68801

    • SSDEEP

      384:7OTxng39jk1pH+uURZt4dyK3OV1fksha4H94XGZlcvbFZ:AxQ9jupmRZbAOV1q4H9HZluhZ

    Score
    7/10
    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Deletes itself

    • Target

      68e912a390ec3a616480c7e3f1330988.exe

    • Size

      858KB

    • MD5

      68e912a390ec3a616480c7e3f1330988

    • SHA1

      ed7ce10794fdb5ff55b86cd1df36b86cbdd8f2f6

    • SHA256

      47c0164e8579ee7e33cdd02eaf38c794b5e99727657515af22746a669d3668ef

    • SHA512

      b1d511383db2632c1e17c6a3e719ad97588d3e6c24e1bfaa8523813c925e0c27f2c406dfb7cd495c3e8129e592525137bd0252ab5a44efc3ce8c41fda5e79845

    • SSDEEP

      12288:xp+rgRNyA55IxJ+feDOa9rZj5XqkJD0QrOod7XxlW91RRzwAY3W:xpugRNJI1D39dlfGQrFUxwAeW

    • Remcos

      Remcos is a closed-source remote control and surveillance software.

    • Remcos family

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

    • Target

      68fef6943ee096474fd5049bb302656c.exe

    • Size

      78KB

    • MD5

      68fef6943ee096474fd5049bb302656c

    • SHA1

      e5386c8142bad5a4a2fc0827933146ee69109ae7

    • SHA256

      38171fdcb5e1043b82d2bf03801d06b4120917677bd64465968ab537b2b4e42e

    • SHA512

      444228af46e018aa37470b3fb1c1dd77518cd61e43d99f188c922d1686bd569e9231745c17ade2ed3097dc8dd3629a346dbed43c2f9c956cef713fe7af830094

    • SSDEEP

      1536:ly5jS6dy0MochZDsC8Kl/99Z242UdIAkn3jKZPjoYaoQtN659/L1ur:ly5jS1n7N041Qqhga9/i

    • MetamorpherRAT

      MetamorpherRAT is a remote access tool that has been in circulation since 2013.

    • Metamorpherrat family

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Uses the VBS compiler for execution

    • Adds Run key to start application

    • Target

      691fe746ab84ce9cc21d871e1c3f9b24.exe

    • Size

      574KB

    • MD5

      691fe746ab84ce9cc21d871e1c3f9b24

    • SHA1

      66ec1c5e597ce2741af432237c9f0ef27cdf4265

    • SHA256

      ea635a9114326ba4fdd939ca2f45d12571a18ae694843fafb0cb12d249625393

    • SHA512

      01c7578a8700100ba4d698ac605dc4d09e0c396deaa43b6adfffeb4501b8afa2ff2126aa3ba6061ca7e62555210603baacfcfbb210aa9bebe8e301e519135800

    • SSDEEP

      12288:cwWK5MOiV1fRABtvKh8DVc6+n6s846x5v+ENaaSmsVUsEzM5H2b/LkR:cg5MOiXfR8tvM8DVcB6x5voBmskO

    • Command and Scripting Interpreter: PowerShell

      Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

    • Target

      692a24fa9e70407c4d311a134752a34b.exe

    • Size

      5.9MB

    • MD5

      692a24fa9e70407c4d311a134752a34b

    • SHA1

      26e196e795d61f2054ff612c744807c39d83f5c4

    • SHA256

      82fada6265676b0e76d9902aed25cda0431e992ba79d21cceb3dd1e2c6471227

    • SHA512

      a6e6a2c1c8c3839542cf3e9f0012070809d7e30abbbc1c9f7b0c85f5bf1ce2974148784f2845fe724a36d5cf408e799b9265aa9fef4c65ea7342585e442c973e

    • SSDEEP

      98304:ByeUxPQ0JMLyWIvqrhH05I8TderKjHDFUh9HkEXJfw42:ByeU11Rvqmu8TWKnF6N/1wP

    • DcRat

      DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

    • Dcrat family

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • Command and Scripting Interpreter: PowerShell

      Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    • Drops file in Drivers directory

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Checks whether UAC is enabled

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Target

      69319ee8609b1c1eebe97dc2bdf84c9e.exe

    • Size

      447KB

    • MD5

      69319ee8609b1c1eebe97dc2bdf84c9e

    • SHA1

      987502b1e9b0b2af58b783be6a098b390cbb5f0e

    • SHA256

      b961c3fdb1102f0dd80ff834e302b199be728cbf7998aa0b263982e8770b71cc

    • SHA512

      a2a1b2df6d992ec7b32643856dfd50088b8b88052992dda54f2e96446854dcb18854eac591e0c93991a4c1a99ec278bd05245128760e542c8dc078c97f7fb476

    • SSDEEP

      1536:N4eK+IFjWfoPbuaTRM3nFkwHbaA3LL0idWwiQcmWkF7jV:G+IF6foPCaTRMXbaev0FQcmWkRV

    Score
    7/10
    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Target

      6947cb60fed661aec1436b0ed5b443e13f6985da262967c2a9eb8160b1064e09.exe

    • Size

      43.0MB

    • MD5

      e8b16c47f0375087e417f1d46a98e519

    • SHA1

      bd24e03f712a9af8a27ca786e4825cf0eddff6b2

    • SHA256

      6947cb60fed661aec1436b0ed5b443e13f6985da262967c2a9eb8160b1064e09

    • SHA512

      d1a5db0dbea0b600a999407ec7e9b39478e82e93167115e82daa8ebed5a3d0ebe8026711809044e9eeeccde6ce6c28d56bfe80076100e4e20dbb62812fd7f21a

    • SSDEEP

      393216:qW3k54+W3biLa3L9NJ7W51AmOW1ZEk3Jp5LavV8I9dwt3Gg50mAJimWmHYRTIY1G:qWbH3biGRN1+qbwewbkvoVRpVCfN

    Score
    1/10

MITRE ATT&CK Enterprise v15

Tasks

  Task          Score   Tags
  static1       10/10   ahmadov, rat, victim, xworm, njrat, dcrat
  behavioral1   10/10   xworm, persistence, rat, trojan
  behavioral2   10/10   xworm, persistence, rat, trojan
  behavioral3   10/10   njrat, ahmadov, defense_evasion, discovery, persistence, privilege_escalation, trojan
  behavioral4   10/10   njrat, defense_evasion, discovery, persistence, privilege_escalation, trojan
  behavioral5   10/10   dcrat, infostealer, rat
  behavioral6   10/10   dcrat, infostealer, rat
  behavioral7    8/10   defense_evasion, execution, spyware, stealer
  behavioral8    8/10   defense_evasion, execution, spyware, stealer
  behavioral9    7/10   discovery
  behavioral10   7/10   discovery
  behavioral11  10/10   dcrat, execution, infostealer, rat
  behavioral12  10/10   dcrat, execution, infostealer, rat
  behavioral13  10/10   remcos, host, discovery, persistence, rat
  behavioral14  10/10   remcos, host, discovery, persistence, rat, spyware, stealer
  behavioral15  10/10   njrat, defense_evasion, discovery, execution, persistence, trojan
  behavioral16  10/10   njrat, defense_evasion, discovery, execution, persistence, trojan
  behavioral17  10/10   xworm, rat, trojan
  behavioral18  10/10   xworm, rat, trojan
  behavioral19   7/10   discovery
  behavioral20   7/10   discovery
  behavioral21  10/10   remcos, host, discovery, persistence, rat, spyware, stealer
  behavioral22  10/10   remcos, host, discovery, persistence, rat, spyware, stealer
  behavioral23  10/10   metamorpherrat, discovery, persistence, rat, stealer, trojan
  behavioral24  10/10   metamorpherrat, discovery, persistence, rat, stealer, trojan
  behavioral25   8/10   discovery, execution, spyware, stealer
  behavioral26   8/10   discovery, execution, spyware, stealer
  behavioral27  10/10   dcrat, defense_evasion, execution, infostealer, rat, trojan
  behavioral28  10/10   dcrat, defense_evasion, execution, infostealer, rat, trojan
  behavioral29   7/10   discovery
  behavioral30   7/10   discovery
  behavioral31   1/10   -
  behavioral32   1/10   -