Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
71s -
max time network
76s -
platform
windows10-1703_x64 -
resource
win10-20231025-en -
resource tags
arch:x64arch:x86image:win10-20231025-enlocale:en-usos:windows10-1703-x64system -
submitted
12/12/2023, 14:51
Static task
static1
Behavioral task
behavioral1
Sample
Zecdtuorders.exe
Resource
win10-20231025-en
Behavioral task
behavioral2
Sample
Zecdtuorders.exe
Resource
win11-20231129-en
General
-
Target
Zecdtuorders.exe
-
Size
871KB
-
MD5
7e4166e62463bf537fb9f4fefeb11b0f
-
SHA1
1bbf554f92a484b4140eb127e926b4d493a07860
-
SHA256
edfe3d2b49b3e5b9a133c3ee9144565f413f683a1e53af9d295d568ddfb62e0d
-
SHA512
287b0aafe17e76e3d530fa512001b13dfaa4b513dfc30898759a9f249e79cb703ee4c075afa695f8e270039d35699cc7e462f29d957df2b1abf0f00bf0254746
-
SSDEEP
12288:IgAhV0VWCDxtMsxaSY86xdYiditORC+k8HPCK+ooJFqgvSXikzXnN2NGtioeRJv:BMYSitORdTnAsgvdkDnNqXDM
Malware Config
Extracted
Protocol: smtp- Host:
198.23.221.13 - Port:
587 - Username:
[email protected] - Password:
admin2
Extracted
agenttesla
Protocol: smtp- Host:
198.23.221.13 - Port:
587 - Username:
[email protected] - Password:
admin2 - Email To:
[email protected]
Signatures
-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
Detect ZGRat V1 34 IoCs
resource yara_rule behavioral1/memory/2820-2-0x00000000055C0000-0x000000000566A000-memory.dmp family_zgrat_v1 behavioral1/memory/2820-4-0x00000000055C0000-0x0000000005664000-memory.dmp family_zgrat_v1 behavioral1/memory/2820-5-0x00000000055C0000-0x0000000005664000-memory.dmp family_zgrat_v1 behavioral1/memory/2820-7-0x00000000055C0000-0x0000000005664000-memory.dmp family_zgrat_v1 behavioral1/memory/2820-9-0x00000000055C0000-0x0000000005664000-memory.dmp family_zgrat_v1 behavioral1/memory/2820-11-0x00000000055C0000-0x0000000005664000-memory.dmp family_zgrat_v1 behavioral1/memory/2820-13-0x00000000055C0000-0x0000000005664000-memory.dmp family_zgrat_v1 behavioral1/memory/2820-15-0x00000000055C0000-0x0000000005664000-memory.dmp family_zgrat_v1 behavioral1/memory/2820-17-0x00000000055C0000-0x0000000005664000-memory.dmp family_zgrat_v1 behavioral1/memory/2820-19-0x00000000055C0000-0x0000000005664000-memory.dmp family_zgrat_v1 behavioral1/memory/2820-27-0x00000000055C0000-0x0000000005664000-memory.dmp family_zgrat_v1 behavioral1/memory/2820-25-0x00000000055C0000-0x0000000005664000-memory.dmp family_zgrat_v1 behavioral1/memory/2820-23-0x00000000055C0000-0x0000000005664000-memory.dmp family_zgrat_v1 behavioral1/memory/2820-29-0x00000000055C0000-0x0000000005664000-memory.dmp family_zgrat_v1 behavioral1/memory/2820-21-0x00000000055C0000-0x0000000005664000-memory.dmp family_zgrat_v1 behavioral1/memory/2820-31-0x00000000055C0000-0x0000000005664000-memory.dmp family_zgrat_v1 behavioral1/memory/2820-35-0x00000000055C0000-0x0000000005664000-memory.dmp family_zgrat_v1 behavioral1/memory/2820-37-0x00000000055C0000-0x0000000005664000-memory.dmp family_zgrat_v1 behavioral1/memory/2820-33-0x00000000055C0000-0x0000000005664000-memory.dmp family_zgrat_v1 behavioral1/memory/2820-39-0x00000000055C0000-0x0000000005664000-memory.dmp family_zgrat_v1 behavioral1/memory/2820-41-0x00000000055C0000-0x0000000005664000-memory.dmp family_zgrat_v1 behavioral1/memory/2820-51-0x00000000055C0000-0x0000000005664000-memory.dmp family_zgrat_v1 behavioral1/memory/2820-57-0x00000000055C0000-0x0000000005664000-memory.dmp family_zgrat_v1 behavioral1/memory/2820-59-0x00000000055C0000-0x0000000005664000-memory.dmp family_zgrat_v1 behavioral1/memory/2820-61-0x00000000055C0000-0x0000000005664000-memory.dmp family_zgrat_v1 behavioral1/memory/2820-55-0x00000000055C0000-0x0000000005664000-memory.dmp family_zgrat_v1 behavioral1/memory/2820-53-0x00000000055C0000-0x0000000005664000-memory.dmp family_zgrat_v1 behavioral1/memory/2820-63-0x00000000055C0000-0x0000000005664000-memory.dmp family_zgrat_v1 behavioral1/memory/2820-65-0x00000000055C0000-0x0000000005664000-memory.dmp family_zgrat_v1 behavioral1/memory/2820-49-0x00000000055C0000-0x0000000005664000-memory.dmp family_zgrat_v1 behavioral1/memory/2820-67-0x00000000055C0000-0x0000000005664000-memory.dmp family_zgrat_v1 behavioral1/memory/2820-47-0x00000000055C0000-0x0000000005664000-memory.dmp family_zgrat_v1 behavioral1/memory/2820-45-0x00000000055C0000-0x0000000005664000-memory.dmp family_zgrat_v1 behavioral1/memory/2820-43-0x00000000055C0000-0x0000000005664000-memory.dmp family_zgrat_v1 -
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 2 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-2852493121-870915337-2715324265-1000\Software\Microsoft\Windows\CurrentVersion\Run\Sopejhnluae = "C:\\Users\\Admin\\AppData\\Roaming\\Sopejhnluae.exe" Zecdtuorders.exe Set value (str) \REGISTRY\USER\S-1-5-21-2852493121-870915337-2715324265-1000\Software\Microsoft\Windows\CurrentVersion\Run\mPUyX = "C:\\Users\\Admin\\AppData\\Roaming\\mPUyX\\mPUyX.exe" Zecdtuorders.exe -
Suspicious use of SetThreadContext 1 IoCs
description pid Process procid_target PID 2820 set thread context of 2532 2820 Zecdtuorders.exe 71 -
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid Process 2532 Zecdtuorders.exe 2532 Zecdtuorders.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
description pid Process Token: SeDebugPrivilege 2820 Zecdtuorders.exe Token: SeDebugPrivilege 2532 Zecdtuorders.exe -
Suspicious use of WriteProcessMemory 8 IoCs
description pid Process procid_target PID 2820 wrote to memory of 2532 2820 Zecdtuorders.exe 71 PID 2820 wrote to memory of 2532 2820 Zecdtuorders.exe 71 PID 2820 wrote to memory of 2532 2820 Zecdtuorders.exe 71 PID 2820 wrote to memory of 2532 2820 Zecdtuorders.exe 71 PID 2820 wrote to memory of 2532 2820 Zecdtuorders.exe 71 PID 2820 wrote to memory of 2532 2820 Zecdtuorders.exe 71 PID 2820 wrote to memory of 2532 2820 Zecdtuorders.exe 71 PID 2820 wrote to memory of 2532 2820 Zecdtuorders.exe 71
Processes
-
C:\Users\Admin\AppData\Local\Temp\Zecdtuorders.exe"C:\Users\Admin\AppData\Local\Temp\Zecdtuorders.exe"1⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2820 -
C:\Users\Admin\AppData\Local\Temp\Zecdtuorders.exeC:\Users\Admin\AppData\Local\Temp\Zecdtuorders.exe2⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2532
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
927B
MD5536cab636369af6e580d95bfdc11c573
SHA18a41a39758475ae0e08bc74f42f898ad2272aca1
SHA25684012832b818435c678ed4d0a9970e9e0dc3c94d3906035fdf84330e16474626
SHA51234abac8aa79bd9d889fe8ca73d91aede83307a533a513d8b8e46d5a22f22dad53a4a9557cc64c94d79e21ef3929348ca4b6ef27f6cbdf7b341f615d2f9df8fa7