Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

3

0817cf34b0...ad.exe

windows7-x64

10

0817cf34b0...ad.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    146s
  • platform
    windows7_x64
  • resource
    win7-20231215-en
  • resource tags

    arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
  • submitted
    13/02/2024, 02:05

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    0817cf34b0dd7bec7388159ac9b6a16ac7898cf243c0090d935bf892472943ad.exe

  • Size

    8.8MB

  • MD5

    0bba32660d3323f8cdf71a4b2ae25738

  • SHA1

    48ad23aa2767d45fd51c00ee165cef4dd1f9e7ae

  • SHA256

    0817cf34b0dd7bec7388159ac9b6a16ac7898cf243c0090d935bf892472943ad

  • SHA512

    535ad86843a0a1807117e7cd059bc6565fa20685aa0a14ded789e6df42f0467242fbb85cf7b17a5e98eb3c9ba34c46b4b9fa65350c6730092e905bef9f6738c5

  • SSDEEP

    196608:ymfI8mgWLU16Uwg55LasSW4yIK1ni4+YW/3T9xU:ykmlw4mL/SNKdPMbU

Score
10/10
zgratpersistencerat

Malware Config

Signatures

  • Detect ZGRat V1 34 IoCs
  • ZGRat

    ZGRat is remote access trojan written in C#.

    ratzgrat
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Drops file in System32 directory 2 IoCs
  • Suspicious use of SetThreadContext 2 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: LoadsDriver 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 5 IoCs
  • Suspicious use of FindShellTrayWindow 64 IoCs
  • Suspicious use of SendNotifyMessage 64 IoCs
  • Suspicious use of WriteProcessMemory 30 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\0817cf34b0dd7bec7388159ac9b6a16ac7898cf243c0090d935bf892472943ad.exe
    "C:\Users\Admin\AppData\Local\Temp\0817cf34b0dd7bec7388159ac9b6a16ac7898cf243c0090d935bf892472943ad.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of SetThreadContext
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2220
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEMAOgBcAFUAcwBlAHIAcwBcAEEAZABtAGkAbgBcAEEAcABwAEQAYQB0AGEAXABMAG8AYwBhAGwAXABUAGUAbQBwAFwAMAA4ADEANwBjAGYAMwA0AGIAMABkAGQANwBiAGUAYwA3ADMAOAA4ADEANQA5AGEAYwA5AGIANgBhADEANgBhAGMANwA4ADkAOABjAGYAMgA0ADMAYwAwADAAOQAwAGQAOQAzADUAYgBmADgAOQAyADQANwAyADkANAAzAGEAZAAuAGUAeABlADsAIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAHIAbwBjAGUAcwBzACAAMAA4ADEANwBjAGYAMwA0AGIAMABkAGQANwBiAGUAYwA3ADMAOAA4ADEANQA5AGEAYwA5AGIANgBhADEANgBhAGMANwA4ADkAOABjAGYAMgA0ADMAYwAwADAAOQAwAGQAOQAzADUAYgBmADgAOQAyADQANwAyADkANAAzAGEAZAAuAGUAeABlADsAQQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEMAOgBcAFUAcwBlAHIAcwBcAEEAZABtAGkAbgBcAEEAcABwAEQAYQB0AGEAXABSAG8AYQBtAGkAbgBnAFwAVgBkAHQAaQB5AHQAZABsAHMAZwBqAC4AZQB4AGUAOwAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAAtAEUAeABjAGwAdQBzAGkAbwBuAFAAcgBvAGMAZQBzAHMAIABWAGQAdABpAHkAdABkAGwAcwBnAGoALgBlAHgAZQA=
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:112
    • C:\Users\Admin\AppData\Local\Temp\0817cf34b0dd7bec7388159ac9b6a16ac7898cf243c0090d935bf892472943ad.exe
      C:\Users\Admin\AppData\Local\Temp\0817cf34b0dd7bec7388159ac9b6a16ac7898cf243c0090d935bf892472943ad.exe
      2⤵
      • Drops file in System32 directory
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:1728
      • C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
        C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
        3⤵
        • Drops file in System32 directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2448
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2392
        • C:\Windows\system32\wusa.exe
          wusa /uninstall /kb:890830 /quiet /norestart
          4⤵
          • Drops file in Windows directory
          PID:780
      • C:\Windows\explorer.exe
        explorer.exe
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        PID:1820

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
    Filesize

    7KB

    MD5

    05fd41011d5ec0d88daaba95af8e1de8

    SHA1

    6d9d1e99d8d18a3038d24998916ededde8d96dc5

    SHA256

    7fc50bb6d6b1f0747e47511e93da00a108315c1700fd88b9aa3e3d07244bd9f0

    SHA512

    a06076e6eb3874470e8ca174747f8af08983976400f60ec6403338ad8fa972ce71ef14bf9be9d196d5bfabef8c3a11f2c604d86f10a1aa9121356dbb8907e5d8

    Download Submit

  • memory/112-949-0x0000000002900000-0x0000000002980000-memory.dmp

    Filesize

    512KB

    Download

  • memory/112-952-0x000007FEEF570000-0x000007FEEFF0D000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/112-951-0x000007FEEF570000-0x000007FEEFF0D000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/112-950-0x0000000002900000-0x0000000002980000-memory.dmp

    Filesize

    512KB

    Download

  • memory/112-945-0x000000001B2B0000-0x000000001B592000-memory.dmp

    Filesize

    2.9MB

    Download

  • memory/112-948-0x0000000002900000-0x0000000002980000-memory.dmp

    Filesize

    512KB

    Download

  • memory/112-947-0x000007FEEF570000-0x000007FEEFF0D000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/112-946-0x0000000001E80000-0x0000000001E88000-memory.dmp

    Filesize

    32KB

    Download

  • memory/1728-994-0x0000000140000000-0x0000000140C9E000-memory.dmp

    Filesize

    12.6MB

    Download

  • memory/1728-973-0x0000000140000000-0x0000000140C9E000-memory.dmp

    Filesize

    12.6MB

    Download

  • memory/1820-1003-0x00000000001E0000-0x0000000000200000-memory.dmp

    Filesize

    128KB

    Download

  • memory/1820-1004-0x00000000001E0000-0x0000000000200000-memory.dmp

    Filesize

    128KB

    Download

  • memory/2220-27-0x000000001CC90000-0x000000001D54E000-memory.dmp

    Filesize

    8.7MB

    Download

  • memory/2220-937-0x00000000002C0000-0x00000000002C1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2220-25-0x000000001CC90000-0x000000001D54E000-memory.dmp

    Filesize

    8.7MB

    Download

  • memory/2220-0-0x00000000003A0000-0x0000000000C6E000-memory.dmp

    Filesize

    8.8MB

    Download

  • memory/2220-29-0x000000001CC90000-0x000000001D54E000-memory.dmp

    Filesize

    8.7MB

    Download

  • memory/2220-31-0x000000001CC90000-0x000000001D54E000-memory.dmp

    Filesize

    8.7MB

    Download

  • memory/2220-33-0x000000001CC90000-0x000000001D54E000-memory.dmp

    Filesize

    8.7MB

    Download

  • memory/2220-35-0x000000001CC90000-0x000000001D54E000-memory.dmp

    Filesize

    8.7MB

    Download

  • memory/2220-37-0x000000001CC90000-0x000000001D54E000-memory.dmp

    Filesize

    8.7MB

    Download

  • memory/2220-39-0x000000001CC90000-0x000000001D54E000-memory.dmp

    Filesize

    8.7MB

    Download

  • memory/2220-41-0x000000001CC90000-0x000000001D54E000-memory.dmp

    Filesize

    8.7MB

    Download

  • memory/2220-43-0x000000001CC90000-0x000000001D54E000-memory.dmp

    Filesize

    8.7MB

    Download

  • memory/2220-45-0x000000001CC90000-0x000000001D54E000-memory.dmp

    Filesize

    8.7MB

    Download

  • memory/2220-47-0x000000001CC90000-0x000000001D54E000-memory.dmp

    Filesize

    8.7MB

    Download

  • memory/2220-49-0x000000001CC90000-0x000000001D54E000-memory.dmp

    Filesize

    8.7MB

    Download

  • memory/2220-51-0x000000001CC90000-0x000000001D54E000-memory.dmp

    Filesize

    8.7MB

    Download

  • memory/2220-53-0x000000001CC90000-0x000000001D54E000-memory.dmp

    Filesize

    8.7MB

    Download

  • memory/2220-55-0x000000001CC90000-0x000000001D54E000-memory.dmp

    Filesize

    8.7MB

    Download

  • memory/2220-57-0x000000001CC90000-0x000000001D54E000-memory.dmp

    Filesize

    8.7MB

    Download

  • memory/2220-59-0x000000001CC90000-0x000000001D54E000-memory.dmp

    Filesize

    8.7MB

    Download

  • memory/2220-61-0x000000001CC90000-0x000000001D54E000-memory.dmp

    Filesize

    8.7MB

    Download

  • memory/2220-63-0x000000001CC90000-0x000000001D54E000-memory.dmp

    Filesize

    8.7MB

    Download

  • memory/2220-65-0x000000001CC90000-0x000000001D54E000-memory.dmp

    Filesize

    8.7MB

    Download

  • memory/2220-67-0x000000001CC90000-0x000000001D54E000-memory.dmp

    Filesize

    8.7MB

    Download

  • memory/2220-936-0x000007FEF5E10000-0x000007FEF67FC000-memory.dmp

    Filesize

    9.9MB

    Download

  • memory/2220-23-0x000000001CC90000-0x000000001D54E000-memory.dmp

    Filesize

    8.7MB

    Download

  • memory/2220-938-0x000000001E320000-0x000000001EB7A000-memory.dmp

    Filesize

    8.4MB

    Download

  • memory/2220-939-0x0000000001170000-0x00000000011BC000-memory.dmp

    Filesize

    304KB

    Download

  • memory/2220-944-0x0000000000300000-0x0000000000380000-memory.dmp

    Filesize

    512KB

    Download

  • memory/2220-21-0x000000001CC90000-0x000000001D54E000-memory.dmp

    Filesize

    8.7MB

    Download

  • memory/2220-19-0x000000001CC90000-0x000000001D54E000-memory.dmp

    Filesize

    8.7MB

    Download

  • memory/2220-17-0x000000001CC90000-0x000000001D54E000-memory.dmp

    Filesize

    8.7MB

    Download

  • memory/2220-15-0x000000001CC90000-0x000000001D54E000-memory.dmp

    Filesize

    8.7MB

    Download

  • memory/2220-13-0x000000001CC90000-0x000000001D54E000-memory.dmp

    Filesize

    8.7MB

    Download

  • memory/2220-11-0x000000001CC90000-0x000000001D54E000-memory.dmp

    Filesize

    8.7MB

    Download

  • memory/2220-9-0x000000001CC90000-0x000000001D54E000-memory.dmp

    Filesize

    8.7MB

    Download

  • memory/2220-7-0x000000001CC90000-0x000000001D54E000-memory.dmp

    Filesize

    8.7MB

    Download

  • memory/2220-966-0x000007FEF5E10000-0x000007FEF67FC000-memory.dmp

    Filesize

    9.9MB

    Download

  • memory/2220-5-0x000000001CC90000-0x000000001D54E000-memory.dmp

    Filesize

    8.7MB

    Download

  • memory/2220-4-0x000000001CC90000-0x000000001D54E000-memory.dmp

    Filesize

    8.7MB

    Download

  • memory/2220-1-0x000007FEF5E10000-0x000007FEF67FC000-memory.dmp

    Filesize

    9.9MB

    Download

  • memory/2220-2-0x0000000000300000-0x0000000000380000-memory.dmp

    Filesize

    512KB

    Download

  • memory/2220-3-0x000000001CC90000-0x000000001D554000-memory.dmp

    Filesize

    8.8MB

    Download

  • memory/2448-974-0x00000000025E0000-0x0000000002660000-memory.dmp

    Filesize

    512KB

    Download

  • memory/2448-978-0x000007FEF5E60000-0x000007FEF67FD000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/2448-979-0x00000000025E0000-0x0000000002660000-memory.dmp

    Filesize

    512KB

    Download

  • memory/2448-980-0x00000000025E0000-0x0000000002660000-memory.dmp

    Filesize

    512KB

    Download

  • memory/2448-981-0x000007FEF5E60000-0x000007FEF67FD000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/2448-977-0x000007FEF5E60000-0x000007FEF67FD000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/2448-976-0x0000000002420000-0x0000000002428000-memory.dmp

    Filesize

    32KB

    Download

  • memory/2448-975-0x000000001B310000-0x000000001B5F2000-memory.dmp

    Filesize

    2.9MB

    Download