Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

3

Trojan.Win...nm.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    143s
  • max time network
    149s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231020-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231020-enlocale:en-usos:windows10-2004-x64system
  • submitted
    01/11/2023, 22:29

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Trojan.Win32.Znyonm.exe

  • Size

    5.5MB

  • MD5

    211c3aecddbb97738943a1d9471ba7c2

  • SHA1

    739cde98ae0761fb6e88fa548af75ea512631655

  • SHA256

    44083be323ff08f7d4291a4b13a983ba680e3a793db7bd123179378e39d2a31b

  • SHA512

    bae5ee49ae159167c0eae1dfc815a9039f85e2b4137f43dd6bd0dfa72d9cc82dac9796518bb4abf54e6b9c121c50d53e3eac8f28ab8bd71531a40db47ce253fd

  • SSDEEP

    98304:ThM4FP72iUsD1nMx7tHcCWQzWXMw5qOzV3Mr7jt4SNnVYm9GkAQ+qvkAKLpLjH9j:tJ1Yu1Mx7tHcdQzMljx3C6SDY/kAQ+rH

Score
10/10
zgratrat

Malware Config

Signatures

  • Detect ZGRat V1 28 IoCs
  • ZGRat

    ZGRat is remote access trojan written in C#.

    ratzgrat
  • Executes dropped EXE 1 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 5 IoCs
  • Suspicious use of FindShellTrayWindow 64 IoCs
  • Suspicious use of SendNotifyMessage 64 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\Trojan.Win32.Znyonm.exe
    "C:\Users\Admin\AppData\Local\Temp\Trojan.Win32.Znyonm.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2192
    • C:\Users\Admin\AppData\Local\Temp\Trojan.Win32.Znyonm.exe
      C:\Users\Admin\AppData\Local\Temp\Trojan.Win32.Znyonm.exe
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:1160
  • C:\Windows\system32\taskmgr.exe
    "C:\Windows\system32\taskmgr.exe" /7
    1⤵
    • Checks SCSI registry key(s)
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    PID:4216
  • C:\Windows\System32\rundll32.exe
    C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
    1⤵
      PID:1348
    • C:\Users\Admin\AppData\Local\InheritanceFlags\vaunqarh\ContinuationOptions.exe
      C:\Users\Admin\AppData\Local\InheritanceFlags\vaunqarh\ContinuationOptions.exe
      1⤵
      • Executes dropped EXE
      PID:3612

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\InheritanceFlags\vaunqarh\ContinuationOptions.exe
      Filesize

      2.7MB

      MD5

      f14892cfc7a85c33f9b99f47cdd5185d

      SHA1

      570203c53d61873484b2e126f50dca45b6967435

      SHA256

      9a9ee810d8989188a107861974b58dc5a0e4fcf79ae97459768931347333ecc3

      SHA512

      d58339b7e3a35f5fcaf1dc88d1e2a741f0e6d051a077fcad987f5ebf40ee6072e3fa17762eb7a716d0ff1194aa95fabeb14f12ab6fc0a2ec717912b997867b39

      Download Submit

    • C:\Users\Admin\AppData\Local\InheritanceFlags\vaunqarh\ContinuationOptions.exe
      Filesize

      1.9MB

      MD5

      6e3b0f7330b76a47c0d2eda858a20178

      SHA1

      b24129f398b19359edffd2fde8a6b7ddbf27cbd2

      SHA256

      68106142067a41c2c357d9869633b68dab3f4edbae3e1c1fe8d57e0dbabc0f30

      SHA512

      bd6e5627b7647f4580a0ec0e6b3e9f58983b4304637bbeb0f2880925341f5e92dad176ff244ac46865959dfc3118d6c7553630d48b2cf9956bf959b0656966e8

      Download Submit

    • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Trojan.Win32.Znyonm.exe.log
      Filesize

      1KB

      MD5

      cd1c4e81d6714e5b2bc3f5d74714217f

      SHA1

      c4255dc7a180e002659dd759a4afaecec2699ddc

      SHA256

      0b75bf9bbc710b289d490569e7cd87627b624f09ffca734052a1cb421683ca46

      SHA512

      2186df1d749dfa46b35749f7e108785f8831289524e61b0d3443c57a6359d62b706b53d5dee3257dfe96d964c38f1ccf76ceeaf6b751a1d4ec45cf7190076b51

      Download Submit

    • memory/1160-68-0x000001F934530000-0x000001F934610000-memory.dmp

      Filesize

      896KB

      Download

    • memory/1160-72-0x000001F934530000-0x000001F934610000-memory.dmp

      Filesize

      896KB

      Download

    • memory/1160-2209-0x00007FF88DAD0000-0x00007FF88E591000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/1160-2207-0x000001F94D320000-0x000001F94D374000-memory.dmp

      Filesize

      336KB

      Download

    • memory/1160-2206-0x000001F94CF30000-0x000001F94CF86000-memory.dmp

      Filesize

      344KB

      Download

    • memory/1160-2205-0x000001F932CA0000-0x000001F932CA8000-memory.dmp

      Filesize

      32KB

      Download

    • memory/1160-1086-0x00007FF88DAD0000-0x00007FF88E591000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/1160-1080-0x000001F94CFC0000-0x000001F94CFD0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/1160-80-0x000001F934530000-0x000001F934610000-memory.dmp

      Filesize

      896KB

      Download

    • memory/1160-78-0x000001F934530000-0x000001F934610000-memory.dmp

      Filesize

      896KB

      Download

    • memory/1160-76-0x000001F934530000-0x000001F934610000-memory.dmp

      Filesize

      896KB

      Download

    • memory/1160-74-0x000001F934530000-0x000001F934610000-memory.dmp

      Filesize

      896KB

      Download

    • memory/1160-44-0x000001F934530000-0x000001F934610000-memory.dmp

      Filesize

      896KB

      Download

    • memory/1160-70-0x000001F934530000-0x000001F934610000-memory.dmp

      Filesize

      896KB

      Download

    • memory/1160-66-0x000001F934530000-0x000001F934610000-memory.dmp

      Filesize

      896KB

      Download

    • memory/1160-64-0x000001F934530000-0x000001F934610000-memory.dmp

      Filesize

      896KB

      Download

    • memory/1160-22-0x0000000000400000-0x00000000004AA000-memory.dmp

      Filesize

      680KB

      Download

    • memory/1160-62-0x000001F934530000-0x000001F934610000-memory.dmp

      Filesize

      896KB

      Download

    • memory/1160-26-0x000001F934530000-0x000001F934614000-memory.dmp

      Filesize

      912KB

      Download

    • memory/1160-25-0x000001F94CFC0000-0x000001F94CFD0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/1160-60-0x000001F934530000-0x000001F934610000-memory.dmp

      Filesize

      896KB

      Download

    • memory/1160-28-0x00007FF88DAD0000-0x00007FF88E591000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/1160-29-0x000001F934530000-0x000001F934610000-memory.dmp

      Filesize

      896KB

      Download

    • memory/1160-30-0x000001F934530000-0x000001F934610000-memory.dmp

      Filesize

      896KB

      Download

    • memory/1160-32-0x000001F934530000-0x000001F934610000-memory.dmp

      Filesize

      896KB

      Download

    • memory/1160-34-0x000001F934530000-0x000001F934610000-memory.dmp

      Filesize

      896KB

      Download

    • memory/1160-36-0x000001F934530000-0x000001F934610000-memory.dmp

      Filesize

      896KB

      Download

    • memory/1160-38-0x000001F934530000-0x000001F934610000-memory.dmp

      Filesize

      896KB

      Download

    • memory/1160-42-0x000001F934530000-0x000001F934610000-memory.dmp

      Filesize

      896KB

      Download

    • memory/1160-58-0x000001F934530000-0x000001F934610000-memory.dmp

      Filesize

      896KB

      Download

    • memory/1160-40-0x000001F934530000-0x000001F934610000-memory.dmp

      Filesize

      896KB

      Download

    • memory/1160-46-0x000001F934530000-0x000001F934610000-memory.dmp

      Filesize

      896KB

      Download

    • memory/1160-48-0x000001F934530000-0x000001F934610000-memory.dmp

      Filesize

      896KB

      Download

    • memory/1160-50-0x000001F934530000-0x000001F934610000-memory.dmp

      Filesize

      896KB

      Download

    • memory/1160-52-0x000001F934530000-0x000001F934610000-memory.dmp

      Filesize

      896KB

      Download

    • memory/1160-54-0x000001F934530000-0x000001F934610000-memory.dmp

      Filesize

      896KB

      Download

    • memory/1160-56-0x000001F934530000-0x000001F934610000-memory.dmp

      Filesize

      896KB

      Download

    • memory/2192-7-0x0000018F61EE0000-0x0000018F61FA8000-memory.dmp

      Filesize

      800KB

      Download

    • memory/2192-27-0x00007FF88DAD0000-0x00007FF88E591000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/2192-3-0x00007FF88DAD0000-0x00007FF88E591000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/2192-1-0x00007FF88DAD0000-0x00007FF88E591000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/2192-2-0x0000018F47760000-0x0000018F47770000-memory.dmp

      Filesize

      64KB

      Download

    • memory/2192-0-0x0000018F46DA0000-0x0000018F4731C000-memory.dmp

      Filesize

      5.5MB

      Download

    • memory/2192-5-0x0000018F617E0000-0x0000018F618C0000-memory.dmp

      Filesize

      896KB

      Download

    • memory/2192-6-0x0000018F61970000-0x0000018F61A38000-memory.dmp

      Filesize

      800KB

      Download

    • memory/2192-4-0x0000018F47760000-0x0000018F47770000-memory.dmp

      Filesize

      64KB

      Download

    • memory/2192-8-0x0000018F61900000-0x0000018F6194C000-memory.dmp

      Filesize

      304KB

      Download

    • memory/4216-9-0x0000020C23A60000-0x0000020C23A61000-memory.dmp

      Filesize

      4KB

      Download

    • memory/4216-16-0x0000020C23A60000-0x0000020C23A61000-memory.dmp

      Filesize

      4KB

      Download

    • memory/4216-15-0x0000020C23A60000-0x0000020C23A61000-memory.dmp

      Filesize

      4KB

      Download

    • memory/4216-10-0x0000020C23A60000-0x0000020C23A61000-memory.dmp

      Filesize

      4KB

      Download

    • memory/4216-21-0x0000020C23A60000-0x0000020C23A61000-memory.dmp

      Filesize

      4KB

      Download

    • memory/4216-11-0x0000020C23A60000-0x0000020C23A61000-memory.dmp

      Filesize

      4KB

      Download

    • memory/4216-20-0x0000020C23A60000-0x0000020C23A61000-memory.dmp

      Filesize

      4KB

      Download

    • memory/4216-19-0x0000020C23A60000-0x0000020C23A61000-memory.dmp

      Filesize

      4KB

      Download

    • memory/4216-18-0x0000020C23A60000-0x0000020C23A61000-memory.dmp

      Filesize

      4KB

      Download

    • memory/4216-17-0x0000020C23A60000-0x0000020C23A61000-memory.dmp

      Filesize

      4KB

      Download