Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
13s -
max time network
15s -
platform
windows10-2004_x64 -
resource
win10v2004-20220812-en -
resource tags
-
submitted
01/02/2023, 19:46
General
-
Target
ZAZAgenv2.exe (1).exe
-
Size
3.8MB
-
MD5
5adc42fc3c4641933072fd628c07778b
-
SHA1
88dacdf1ab3aea812c7aaeb0e532edddf22c1ef4
-
SHA256
0db34a2edc14731f5a5b0a0cd0ce855f76a43f0279d0259383682ee59eba43f2
-
SHA512
9fcfda10612301d90846042b8a8ee5519012727caf5c4138037934b6ccd12cd9808c2e1c8378e54cc72b7a26fbc1274224179bb36e17f937b2254ba4b4dc7678
-
SSDEEP
98304:Qu0T+Srp3YVrsk9N8ivyhAdsPSQxhsnWJLXq0f9ogdCyb:QtfSVN8iNISOlJzqwf
Malware Config
Signatures
-
StormKitty
StormKitty is an open source info stealer written in C#.
-
StormKitty payload 1 IoCs
-
NirSoft WebBrowserPassView 3 IoCs
Password recovery tool for various web browsers
-
Nirsoft 3 IoCs
-
Executes dropped EXE 1 IoCs
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious behavior: EnumeratesProcesses 4 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of FindShellTrayWindow 1 IoCs
-
Suspicious use of WriteProcessMemory 6 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\ZAZAgenv2.exe (1).exe"C:\Users\Admin\AppData\Local\Temp\ZAZAgenv2.exe (1).exe"1⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C start %temp%\svchoster.exe /stext "%temp%\Passes.cpp"2⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\svchoster.exeC:\Users\Admin\AppData\Local\Temp\svchoster.exe /stext "C:\Users\Admin\AppData\Local\Temp\Passes.cpp"3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
-
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
391KB
MD5053778713819beab3df309df472787cd
SHA199c7b5827df89b4fafc2b565abed97c58a3c65b8
SHA256f999357a17e672e87fbed66d14ba2bebd6fb04e058a1aae0f0fdc49a797f58fe
SHA51235a00001c718e36e956f49879e453f18f5d6c66bbc6a3e1aad6d5dd1109904539b173c3cad0009bc021d4513a67ae0003282f7d14b7aecaa20e59a22c6ad0ddb
-
Filesize
391KB
MD5053778713819beab3df309df472787cd
SHA199c7b5827df89b4fafc2b565abed97c58a3c65b8
SHA256f999357a17e672e87fbed66d14ba2bebd6fb04e058a1aae0f0fdc49a797f58fe
SHA51235a00001c718e36e956f49879e453f18f5d6c66bbc6a3e1aad6d5dd1109904539b173c3cad0009bc021d4513a67ae0003282f7d14b7aecaa20e59a22c6ad0ddb
-
Filesize
3.9MB
-
Filesize
584KB
-
Filesize
5.6MB
-
Filesize
472KB
-
Filesize
120KB