Analysis
max time kernel: 118s
max time network: 123s
platform: windows7_x64
resource: win7-20231215-en
resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
submitted: 02/02/2024, 12:40

Static task: static1
Behavioral task: behavioral1
Sample: 8988b694b9df9186d686b9479984c675.exe
Resource: win7-20231215-en
General
Target: 8988b694b9df9186d686b9479984c675.exe
Size: 908KB
MD5: 8988b694b9df9186d686b9479984c675
SHA1: d54c8e34344c3b86cc883c2ffa89d020c0911755
SHA256: 0e9b75e527544aa8db9880eb423b73f0edfb79995be585eb2d69c735068d082e
SHA512: 72352807711c2a1799920fdc934ab3aaa1730b718447c8c70fefebb3c7243941feeb9c05f2eced48358ca114df789e97ad3be160b766e773312535de27d6e4c6
SSDEEP: 12288:Y7KAD7WCSbo4N2So9pGwINUbKbSZTlWxYGNhCJh7EW58M8zOGcbq1TT6ygvhNwEc:eK+Ms9fAkvhS+c9
Malware Config
Extracted
matiex
https://api.telegram.org/bot1395392888:AAFrJovDdZICOFB0gX0eGWrAUzEKCRpv8xo/sendMessage?chat_id=1300181783
Signatures

Detect ZGRat V1 (1 IoC)
resource  yara_rule
behavioral1/memory/1216-4-0x0000000000490000-0x00000000004A6000-memory.dmp  family_zgrat_v1

Matiex Main payload (7 IoCs)
resource  yara_rule
behavioral1/memory/2756-9-0x0000000000400000-0x0000000000476000-memory.dmp  family_matiex
behavioral1/memory/2756-10-0x0000000000400000-0x0000000000476000-memory.dmp  family_matiex
behavioral1/memory/2756-13-0x0000000000400000-0x0000000000476000-memory.dmp  family_matiex
behavioral1/memory/2756-15-0x0000000000400000-0x0000000000476000-memory.dmp  family_matiex
behavioral1/memory/2756-17-0x0000000000400000-0x0000000000476000-memory.dmp  family_matiex
behavioral1/memory/2756-20-0x0000000004FC0000-0x0000000005000000-memory.dmp  family_matiex
behavioral1/memory/2756-22-0x0000000004FC0000-0x0000000005000000-memory.dmp  family_matiex

Looks up external IP address via web service (3 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
flow  ioc
4  checkip.dyndns.org
8  freegeoip.app
9  freegeoip.app

Suspicious use of SetThreadContext (1 IoC)
description  pid  Process  procid_target
PID 1216 set thread context of 2756  1216  8988b694b9df9186d686b9479984c675.exe  28

Suspicious use of AdjustPrivilegeToken (1 IoC)
description  pid  Process
Token: SeDebugPrivilege  2756  8988b694b9df9186d686b9479984c675.exe

Suspicious use of WriteProcessMemory (9 IoCs)
description  pid  Process  procid_target
PID 1216 wrote to memory of 2756  1216  8988b694b9df9186d686b9479984c675.exe  28
PID 1216 wrote to memory of 2756  1216  8988b694b9df9186d686b9479984c675.exe  28
PID 1216 wrote to memory of 2756  1216  8988b694b9df9186d686b9479984c675.exe  28
PID 1216 wrote to memory of 2756  1216  8988b694b9df9186d686b9479984c675.exe  28
PID 1216 wrote to memory of 2756  1216  8988b694b9df9186d686b9479984c675.exe  28
PID 1216 wrote to memory of 2756  1216  8988b694b9df9186d686b9479984c675.exe  28
PID 1216 wrote to memory of 2756  1216  8988b694b9df9186d686b9479984c675.exe  28
PID 1216 wrote to memory of 2756  1216  8988b694b9df9186d686b9479984c675.exe  28
PID 1216 wrote to memory of 2756  1216  8988b694b9df9186d686b9479984c675.exe  28
Processes

C:\Users\Admin\AppData\Local\Temp\8988b694b9df9186d686b9479984c675.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\8988b694b9df9186d686b9479984c675.exe"
PID: 1216
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\8988b694b9df9186d686b9479984c675.exe (child of PID 1216)
    Command line: "C:\Users\Admin\AppData\Local\Temp\8988b694b9df9186d686b9479984c675.exe"
    PID: 2756
    - Suspicious use of AdjustPrivilegeToken