Analysis
- max time kernel: 143s
- max time network: 149s
- platform: windows10-2004_x64
- resource: win10v2004-20231020-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20231020-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 01/11/2023, 22:29
- Static task: static1
General
- Target: Trojan.Win32.Znyonm.exe
- Size: 5.5MB
- MD5: 211c3aecddbb97738943a1d9471ba7c2
- SHA1: 739cde98ae0761fb6e88fa548af75ea512631655
- SHA256: 44083be323ff08f7d4291a4b13a983ba680e3a793db7bd123179378e39d2a31b
- SHA512: bae5ee49ae159167c0eae1dfc815a9039f85e2b4137f43dd6bd0dfa72d9cc82dac9796518bb4abf54e6b9c121c50d53e3eac8f28ab8bd71531a40db47ce253fd
- SSDEEP: 98304:ThM4FP72iUsD1nMx7tHcCWQzWXMw5qOzV3Mr7jt4SNnVYm9GkAQ+qvkAKLpLjH9j:tJ1Yu1Mx7tHcdQzMljx3C6SDY/kAQ+rH
Malware Config
Signatures
- Detect ZGRat V1 (28 IoCs)
  Resource: yara_rule family_zgrat_v1, matched in memory dumps of PID 1160
- Executes dropped EXE (1 IoC)
  pid: 3612; Process: ContinuationOptions.exe
- Suspicious use of SetThreadContext (1 IoC)
  description: PID 2192 set thread context of 1160; pid: 2192; Process: Trojan.Win32.Znyonm.exe; procid_target: 112
- Checks SCSI registry key(s) (3 TTPs, 3 IoCs)
  SCSI information is often read in order to detect sandboxing environments.
  - Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 (taskmgr.exe)
  - Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A (taskmgr.exe)
  - Key value queried: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName (taskmgr.exe)
- Modifies registry class (1 IoC)
  - Key created: \REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000_Classes\Local Settings (taskmgr.exe)
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid: 4216; Process: taskmgr.exe (same entry repeated 64 times)
- Suspicious use of AdjustPrivilegeToken (5 IoCs)
  - Token: SeDebugPrivilege; pid: 4216; Process: taskmgr.exe
  - Token: SeSystemProfilePrivilege; pid: 4216; Process: taskmgr.exe
  - Token: SeCreateGlobalPrivilege; pid: 4216; Process: taskmgr.exe
  - Token: SeDebugPrivilege; pid: 2192; Process: Trojan.Win32.Znyonm.exe
  - Token: SeDebugPrivilege; pid: 1160; Process: Trojan.Win32.Znyonm.exe
- Suspicious use of FindShellTrayWindow (64 IoCs)
  pid: 4216; Process: taskmgr.exe (same entry repeated 64 times)
- Suspicious use of SendNotifyMessage (64 IoCs)
  pid: 4216; Process: taskmgr.exe (same entry repeated 64 times)
- Suspicious use of WriteProcessMemory (6 IoCs)
  description: PID 2192 wrote to memory of 1160; pid: 2192; Process: Trojan.Win32.Znyonm.exe; procid_target: 112 (same entry repeated 6 times)
- Uses Task Scheduler COM API (1 TTP)
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
- C:\Users\Admin\AppData\Local\Temp\Trojan.Win32.Znyonm.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\Trojan.Win32.Znyonm.exe"
  PID: 2192
  Signatures: Suspicious use of SetThreadContext; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\Trojan.Win32.Znyonm.exe (child process)
    Command line: C:\Users\Admin\AppData\Local\Temp\Trojan.Win32.Znyonm.exe
    PID: 1160
    Signatures: Suspicious use of AdjustPrivilegeToken
- C:\Windows\system32\taskmgr.exe
  Command line: "C:\Windows\system32\taskmgr.exe" /7
  PID: 4216
  Signatures: Checks SCSI registry key(s); Modifies registry class; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage
- C:\Windows\System32\rundll32.exe
  Command line: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
  PID: 1348
- C:\Users\Admin\AppData\Local\InheritanceFlags\vaunqarh\ContinuationOptions.exe
  Command line: C:\Users\Admin\AppData\Local\InheritanceFlags\vaunqarh\ContinuationOptions.exe
  PID: 3612
  Signatures: Executes dropped EXE
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 2.7MB
  MD5: f14892cfc7a85c33f9b99f47cdd5185d
  SHA1: 570203c53d61873484b2e126f50dca45b6967435
  SHA256: 9a9ee810d8989188a107861974b58dc5a0e4fcf79ae97459768931347333ecc3
  SHA512: d58339b7e3a35f5fcaf1dc88d1e2a741f0e6d051a077fcad987f5ebf40ee6072e3fa17762eb7a716d0ff1194aa95fabeb14f12ab6fc0a2ec717912b997867b39
- Filesize: 1.9MB
  MD5: 6e3b0f7330b76a47c0d2eda858a20178
  SHA1: b24129f398b19359edffd2fde8a6b7ddbf27cbd2
  SHA256: 68106142067a41c2c357d9869633b68dab3f4edbae3e1c1fe8d57e0dbabc0f30
  SHA512: bd6e5627b7647f4580a0ec0e6b3e9f58983b4304637bbeb0f2880925341f5e92dad176ff244ac46865959dfc3118d6c7553630d48b2cf9956bf959b0656966e8
- Filesize: 1KB
  MD5: cd1c4e81d6714e5b2bc3f5d74714217f
  SHA1: c4255dc7a180e002659dd759a4afaecec2699ddc
  SHA256: 0b75bf9bbc710b289d490569e7cd87627b624f09ffca734052a1cb421683ca46
  SHA512: 2186df1d749dfa46b35749f7e108785f8831289524e61b0d3443c57a6359d62b706b53d5dee3257dfe96d964c38f1ccf76ceeaf6b751a1d4ec45cf7190076b51