Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
138s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20231222-en -
resource tags
-
submitted
18/01/2024, 01:27
General
-
Target
1991d51d2e2c4d278e49edbfc045461bb208504d759e91eb9c14f26ad4ac6256.exe
-
Size
2.2MB
-
MD5
506cd587919d4bb571795ea1c1e64d80
-
SHA1
c04c19373251eb40197975fbf901ff802e92e22d
-
SHA256
1991d51d2e2c4d278e49edbfc045461bb208504d759e91eb9c14f26ad4ac6256
-
SHA512
ab9577410cb2eb1e0fd3e71c2c5d3d13a38563db70e7017734f5067171442b561b1297bf339ddfa54ae266c720a383c7e4c7a63b23a6cdb433651b7ed8cbc30b
-
SSDEEP
24576:2TbBv5rUyXVl6fDEs25370/5lJHI2cxaSzXykO0eW66f3XEWpEmEQ/2VmCthZ2yt:IBJEECrHjxdXZsUWzuUQME46LMEQ70
Malware Config
Signatures
-
Detect ZGRat V1 5 IoCs
-
Modifies WinLogon for persistence 2 TTPs 6 IoCs
-
Process spawned unexpected child process 18 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
-
ZGRat
ZGRat is remote access trojan written in C#.
-
Disables Task Manager via registry modification
-
Checks computer location settings 2 TTPs 3 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 2 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 12 IoCs
-
Drops file in System32 directory 2 IoCs
-
Drops file in Program Files directory 5 IoCs
-
Drops file in Windows directory 2 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Creates scheduled task(s) 1 TTPs 18 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Modifies registry class 2 IoCs
-
Modifies registry key 1 TTPs 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
-
Suspicious use of WriteProcessMemory 23 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\1991d51d2e2c4d278e49edbfc045461bb208504d759e91eb9c14f26ad4ac6256.exe"C:\Users\Admin\AppData\Local\Temp\1991d51d2e2c4d278e49edbfc045461bb208504d759e91eb9c14f26ad4ac6256.exe"1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\HyperchainserverRefBroker\15rdJvHs8fLqyO2NujCXYGmVvYkYhVqPlDU.vbe"2⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\HyperchainserverRefBroker\aChfOVIZNk46BVBd6tQOJDuZO9i8SfzQwF1KcbSw3gaIMh1jz.bat" "3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f4⤵
- Modifies registry key
-
-
C:\HyperchainserverRefBroker\hyperportServerFontdhcp.exe"C:\HyperchainserverRefBroker/hyperportServerFontdhcp.exe"4⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\gvruf24u\gvruf24u.cmdline"5⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4AC4.tmp" "c:\Windows\System32\CSC49505DBA1C7F4E5C8295467BA5ADD.TMP"6⤵
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\tdrrHire7S.bat"5⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:26⤵
-
-
C:\HyperchainserverRefBroker\hyperportServerFontdhcp.exe"C:\HyperchainserverRefBroker\hyperportServerFontdhcp.exe"6⤵
- Executes dropped EXE
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
-
-
-
-
-
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\dllhost.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\dllhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\dllhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\Users\Public\AccountPictures\StartMenuExperienceHost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 6 /tr "'C:\Users\Public\AccountPictures\StartMenuExperienceHost.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 14 /tr "'C:\Users\Public\AccountPictures\StartMenuExperienceHost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dwmd" /sc MINUTE /mo 13 /tr "'C:\HyperchainserverRefBroker\dwm.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\HyperchainserverRefBroker\dwm.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Program Files\MSBuild\Microsoft\csrss.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dwmd" /sc MINUTE /mo 13 /tr "'C:\HyperchainserverRefBroker\dwm.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "upfcu" /sc MINUTE /mo 8 /tr "'C:\Windows\DiagTrack\Settings\upfc.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\MSBuild\Microsoft\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Program Files\MSBuild\Microsoft\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "upfc" /sc ONLOGON /tr "'C:\Windows\DiagTrack\Settings\upfc.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "hyperportServerFontdhcp" /sc ONLOGON /tr "'C:\HyperchainserverRefBroker\hyperportServerFontdhcp.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "hyperportServerFontdhcph" /sc MINUTE /mo 5 /tr "'C:\HyperchainserverRefBroker\hyperportServerFontdhcp.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "hyperportServerFontdhcph" /sc MINUTE /mo 9 /tr "'C:\HyperchainserverRefBroker\hyperportServerFontdhcp.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "upfcu" /sc MINUTE /mo 13 /tr "'C:\Windows\DiagTrack\Settings\upfc.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\chcp.comchcp 650011⤵
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Scheduled Task/Job
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
252B
MD54a61f0d242786b7e9caa34fa552a0791
SHA147a7114f25574bf8ba482e561c395c2d942f40d8
SHA2565db96d7ae442161d7e6b12f9bd1380030d7e951cdebfb198bdd3bf76ce514c2f
SHA5124262524a95b9a7756d327ae338d065565c38dd3548679b21ed7593293f2e8703084439dff9fb44d7c8667115adeda4f262ccbbe43dd39e215d77e51369ddd042
-
Filesize
210B
MD5bdec11d125abfe788f5249bd9f8e8453
SHA1e5850a47337f36270fdc5bb49c57a4f81358730b
SHA256836e8052513d49530612a8f405e1eeef196834e6431b345eaebd09dc23693c50
SHA5129c8418bec2565a82f200d40cf9254d3219f9f81da1a55e1d4c88bab0de3947986c94168c4db53c6e49191030c81c9284ecb4c3429d3d0cfe48421a26de7c623f
-
Filesize
412KB
MD53a4f6040758ab110510d0394c69a15cf
SHA117aab858dfaf1aca771c95cd1cda6cfa1a464b7c
SHA256f5f402ea1a46680dfe81dccc757c24da05b411b66e10bc45cd0ae4ef65baa129
SHA51228f987cd0341f52237d53aef2efaa1fa3662a1e982d6f4b3ae2f3944ef6e3a8c207cf70a6aca50f57954dbf3c8b0f4922552b1789f84d327ca06594c9ad3f0e0
-
Filesize
399KB
MD52afbfe897f8baf58dc2c6a4bd4cfc918
SHA1ca8102cb40ec5eac8ad3c35243cabc3ab286656a
SHA2560b1c50c3a0a4c7045b7e427a76dd8fac5b5d5d04dd2dc1c781c3072b42a8c5ed
SHA5122c6943ab0468e7dbaa15a2f302e1c0360bb47044a308c12c2419d3e7919a8f72250c0df2a9953f1b3486a2b1f471e02dae7d0f6f6564a00b0e5c72894b44262f
-
Filesize
406KB
MD58c357fefc799b17ab591e2ed9a1a25da
SHA16d54f3b1c85615a6407f00501f1cf35bd0be68e0
SHA2569616f8c7d5fd6e85c9ea2fc214830324b137236c152e2def75297548317ebcb7
SHA512a1a2bf500874afef2b58d49f3f63556ec0d311c53f75b5103e702f807a8440d29e6ba8d545506d88686fb72d0a188f87d956a6c9d04e34fff754c235650eab40
-
Filesize
424KB
MD54f9c20cbcc54f92d48b8b93657ce536d
SHA103d87bc44a6debc93d531c842b0af0960e6a0e84
SHA2567c1dfef42365e412be181a04391143b707d0b5d2113c39804faa07404487ef3b
SHA5128ed757c140ad1bc16ed25d1a33f715d4aed1ab056b30de31361198d40ad3cd3b17e903a75f0d546fa4f24aa20a7f7a2f2930a6e926b6a17ab5341b7bec58f349
-
Filesize
1KB
MD5af6acd95d59de87c04642509c30e81c1
SHA1f9549ae93fdb0a5861a79a08f60aa81c4b32377b
SHA2567521ee2d065a78efcab55a194fbd78492f84b70595f139263875f4ea92b194d6
SHA51293ab99bcf588fde553de3240e0d2b0cbd4e4bc5ef5e99d53f45a267d7ff30103a80b5a7aa1c52d6eff1e070af0ec82d2c0b8aafb7099742aa16810edc1815c3a
-
Filesize
1KB
MD54deda59dc214656e93b7a83296e37499
SHA1bb0f8dc9c03dc728b8517d32d8df1881fa80c5c8
SHA256995de7014dbe3c924ef35f923bc9de7c483991bc5fe45ad8eebbf28e7fbcd1f6
SHA5120f6c6a9dde35f4e91e42701646eb47c42f5b03582a567dcece675a2a2792fbb27a9285e9a5bc90d479fb1c36fd25f31d19033b17d107b983e5915a5968c96530
-
Filesize
232B
MD5d3399ccb3dc4ceab7d158ffb06bb9a5c
SHA10b9cbfeda68430712d67d5edff7cf35c510de68d
SHA25621ca6ef3266ebc7a667f01eff6d33264915710a4e0d3b465574372d96a8dd1a4
SHA512408ff37deb7b4682210df6b1f48f0d0303ecffefd9e2a3478d575c3a970021ccfcb854dda318c9d218fbd57c0679507c9c1c4d5cf7453db68ff401cf64965ad5
-
Filesize
412B
MD5a57269c8170ac8313d9a29456b442b03
SHA1a9ac1dcc033ddff745f0fa1d4e18dade56f1b14e
SHA256ffc05f9adfa7e0709fd7dc3da58a74d344e283610ec4e2e8ceb21e891375c24c
SHA512a0832a9cf25ad09c5b8f8a83bdfdf1d24711ef02d202d1b84be4845dfbd0c16ba6445815030e9133d03be8881b8587c846dbb6bfb96e2ade1ba36d7d7802807d
-
Filesize
235B
MD578fd2e419c844d4d736c78e4fe8e5e7c
SHA16414a5f4cd1936c5eec76aee93f90370305ea077
SHA25661a0b0309788d610849070d33d8ec95ae8633a4b13a24156e6545f41bf6106a9
SHA512153bc7f81e59d1eb3d83e01c8e74c14d7c1b8d7f2b0dd6d96edfe925199498a99e58da15e45e038b67037bbc46c20bd055d61f077c91c1b14017dfce1f809f6b
-
Filesize
1KB
MD55bc7fffeb74f6ba57a2071934d353745
SHA1fb8fae919b698ac12d3ec7d66cdb691f5763c146
SHA2565146249f8fbc8b152593329b29ba45f4c96ff5eef3c1885dd4f2c4ed36804285
SHA512e053f2d895ffc4324bca69ead2366f51f94e1dcd9bd43ed712068f73a45df02d39bdf29699b8401b03d7f2d5646d779197d027af21e0f317f232bf3e05526ac8
-
Filesize
64KB
-
Filesize
10.8MB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
760KB
-
Filesize
10.8MB
-
Filesize
4KB
-
Filesize
64KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
760KB
-
Filesize
4KB
-
Filesize
760KB
-
Filesize
4KB
-
Filesize
760KB
-
Filesize
64KB
-
Filesize
4KB
-
Filesize
64KB
-
Filesize
760KB
-
Filesize
760KB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
760KB
-
Filesize
4KB
-
Filesize
64KB
-
Filesize
1.9MB
-
Filesize
56KB
-
Filesize
64KB
-
Filesize
112KB
-
Filesize
64KB
-
Filesize
4KB
-
Filesize
96KB
-
Filesize
4KB
-
Filesize
320KB
-
Filesize
4KB
-
Filesize
56KB
-
Filesize
4KB
-
Filesize
48KB
-
Filesize
48KB
-
Filesize
4KB
-
Filesize
4KB