Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
300s -
max time network
303s -
platform
windows10-1703_x64 -
resource
win10-20231215-en -
resource tags
arch:x64arch:x86image:win10-20231215-enlocale:en-usos:windows10-1703-x64system -
submitted
07/01/2024, 22:20
Behavioral task
behavioral1
Sample
5c4d929f90342a1c19f11253e884490ed5cf14fc4f31f772c92097dc62169792.exe
Resource
win7-20231129-en
General
-
Target
5c4d929f90342a1c19f11253e884490ed5cf14fc4f31f772c92097dc62169792.exe
-
Size
4.9MB
-
MD5
128336fc5848c43484a2d28800a7ab39
-
SHA1
7f986fa0926c17166dfc69c1bca76d6bb52a07c2
-
SHA256
5c4d929f90342a1c19f11253e884490ed5cf14fc4f31f772c92097dc62169792
-
SHA512
7a3702c3452c994403e3da938a8486191d68f9417ec1d0fb2d29e0260d0cd3cfecfa4f14f1ccb81be7bf283b4dbe54df4c551a0ac84c57f7aa5699d8feaf52f9
-
SSDEEP
49152:JLSOMmC3NTiA/vtm228spvc5kY7ZPR6cYuBe52I+Dh/aTjr9N3/AdylBzLFlp05m:JLSOygA/TmiW5RPr9iktlp0T+R0TL2
Malware Config
Signatures
-
Detect ZGRat V1 1 IoCs
resource yara_rule behavioral2/memory/3312-0-0x00000000003F0000-0x00000000008D8000-memory.dmp family_zgrat_v1 -
Detects Arechclient2 RAT 1 IoCs
Arechclient2.
resource yara_rule behavioral2/memory/3744-21-0x0000000000400000-0x00000000004D2000-memory.dmp MALWARE_Win_Arechclient -
SectopRAT payload 3 IoCs
resource yara_rule behavioral2/memory/3744-21-0x0000000000400000-0x00000000004D2000-memory.dmp family_sectoprat behavioral2/memory/3312-20-0x00000000081D0000-0x00000000082D0000-memory.dmp family_sectoprat behavioral2/memory/3312-19-0x00000000081D0000-0x00000000082D0000-memory.dmp family_sectoprat -
.NET Reactor proctector 1 IoCs
Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.
resource yara_rule behavioral2/memory/3312-0-0x00000000003F0000-0x00000000008D8000-memory.dmp net_reactor -
Drops startup file 1 IoCs
description ioc Process File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Program_for_businesscard_and_booklet_designers.lnk 5c4d929f90342a1c19f11253e884490ed5cf14fc4f31f772c92097dc62169792.exe -
Loads dropped DLL 1 IoCs
pid Process 3312 5c4d929f90342a1c19f11253e884490ed5cf14fc4f31f772c92097dc62169792.exe -
Suspicious use of SetThreadContext 1 IoCs
description pid Process procid_target PID 3312 set thread context of 3744 3312 5c4d929f90342a1c19f11253e884490ed5cf14fc4f31f772c92097dc62169792.exe 74 -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
description pid Process Token: SeDebugPrivilege 3744 InstallUtil.exe Token: SeDebugPrivilege 3312 5c4d929f90342a1c19f11253e884490ed5cf14fc4f31f772c92097dc62169792.exe -
Suspicious use of WriteProcessMemory 8 IoCs
description pid Process procid_target PID 3312 wrote to memory of 3744 3312 5c4d929f90342a1c19f11253e884490ed5cf14fc4f31f772c92097dc62169792.exe 74 PID 3312 wrote to memory of 3744 3312 5c4d929f90342a1c19f11253e884490ed5cf14fc4f31f772c92097dc62169792.exe 74 PID 3312 wrote to memory of 3744 3312 5c4d929f90342a1c19f11253e884490ed5cf14fc4f31f772c92097dc62169792.exe 74 PID 3312 wrote to memory of 3744 3312 5c4d929f90342a1c19f11253e884490ed5cf14fc4f31f772c92097dc62169792.exe 74 PID 3312 wrote to memory of 3744 3312 5c4d929f90342a1c19f11253e884490ed5cf14fc4f31f772c92097dc62169792.exe 74 PID 3312 wrote to memory of 3744 3312 5c4d929f90342a1c19f11253e884490ed5cf14fc4f31f772c92097dc62169792.exe 74 PID 3312 wrote to memory of 3744 3312 5c4d929f90342a1c19f11253e884490ed5cf14fc4f31f772c92097dc62169792.exe 74 PID 3312 wrote to memory of 3744 3312 5c4d929f90342a1c19f11253e884490ed5cf14fc4f31f772c92097dc62169792.exe 74
Processes
-
C:\Users\Admin\AppData\Local\Temp\5c4d929f90342a1c19f11253e884490ed5cf14fc4f31f772c92097dc62169792.exe"C:\Users\Admin\AppData\Local\Temp\5c4d929f90342a1c19f11253e884490ed5cf14fc4f31f772c92097dc62169792.exe"1⤵
- Drops startup file
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3312 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe2⤵
- Suspicious use of AdjustPrivilegeToken
PID:3744
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1KB
MD58da37ed9237689b55cdb9445b7e64397
SHA11add2a793e94ee2878f8b811ec959ac6d308e115
SHA256c1492255b0c79ee639ac39ed22cc9ff119c5b81cc16300134077517cc24c40ce
SHA512b07cb0821f0324e7d96c2277e93ca6b56e15879818d7d4698bd9c11debf40d9fd41be01c0583776e631efdfc84969609b0e4cddab3b66e7af194b8a9ce76caaf
-
Filesize
52KB
MD54f1d1f799d0eff934129e89ae82ecd16
SHA1eff96e03146e661fc5ed33dd6f06846eeb806820
SHA2561ec9063da530e64262a1fea8b6ea0fae51c5b3e79dda8e49c15737b064167e0b
SHA51231e0d480623532f461e6972cdf825782210e4cfcbaa1ee11456dcd7db83ac696bb00c04bc9f47483a6658e49278e6cde252c6a13149b33c0df804fbd6345ca5a