Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

General

  • Target

    RUN.exe

  • Size

    25.5MB

  • Sample

    240122-xrc4tsdaa4

  • MD5

    f559e8fbcaf4bf3decd0e959883674b8

  • SHA1

    a0bde63feed25ed365ba4bacccfc2e20fff3972d

  • SHA256

    f4f8f06d721e990735ac49cd219c8039b4f43d919305aee5282249e8d4db9063

  • SHA512

    4c65ed26ae899189ef65ac9d36757405e5cb9220e62bb4a4d3fca91e21b9ba9a2d7cd495fe2998d25488025bfeacc299a3bf5a323832f9e3cd3ab4ef74e97d7a

  • SSDEEP

    393216:XOIAa2nR1/+ryDP5YKgoWWCdffSwObQFmSLeLVpevjpsJaxkFrphpLo6baYByTK4:oao/x5XWWKo7SLe7e9iBrhdNmYByTLP

Malware Config

Extracted

Language
ps1
Deobfuscated
URLs
exe.dropper

https://raw.githubusercontent.com/washywashy14/7zip-bin/master/win/Uemlxaw.zip

Targets

    • Target

      RUN.exe

    • Size

      25.5MB

    • MD5

      f559e8fbcaf4bf3decd0e959883674b8

    • SHA1

      a0bde63feed25ed365ba4bacccfc2e20fff3972d

    • SHA256

      f4f8f06d721e990735ac49cd219c8039b4f43d919305aee5282249e8d4db9063

    • SHA512

      4c65ed26ae899189ef65ac9d36757405e5cb9220e62bb4a4d3fca91e21b9ba9a2d7cd495fe2998d25488025bfeacc299a3bf5a323832f9e3cd3ab4ef74e97d7a

    • SSDEEP

      393216:XOIAa2nR1/+ryDP5YKgoWWCdffSwObQFmSLeLVpevjpsJaxkFrphpLo6baYByTK4:oao/x5XWWKo7SLe7e9iBrhdNmYByTLP

    • Detect ZGRat V1

    • Modifies Windows Defender Real-time Protection settings

    • Modifies security service

    • Suspicious use of NtCreateUserProcessOtherParentProcess

    • ZGRat

      ZGRat is remote access trojan written in C#.

    • Downloads MZ/PE file

    • Drops file in Drivers directory

    • Stops running service(s)

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses Microsoft Outlook profiles

    • Adds Run key to start application

    • Blocklisted process makes network request

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks