Analysis
- max time kernel: 149s
- max time network: 136s
- platform: windows7_x64
- resource: win7-20231215-en
- resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
- submitted: 13/02/2024, 02:24
Static task: static1
Behavioral task: behavioral1
- Sample: 0817cf34b0dd7bec7388159ac9b6a16ac7898cf243c0090d935bf892472943ad.exe
- Resource: win7-20231215-en
Behavioral task: behavioral2
- Sample: 0817cf34b0dd7bec7388159ac9b6a16ac7898cf243c0090d935bf892472943ad.exe
- Resource: win10v2004-20231215-en
General
- Target: 0817cf34b0dd7bec7388159ac9b6a16ac7898cf243c0090d935bf892472943ad.exe
- Size: 8.8MB
- MD5: 0bba32660d3323f8cdf71a4b2ae25738
- SHA1: 48ad23aa2767d45fd51c00ee165cef4dd1f9e7ae
- SHA256: 0817cf34b0dd7bec7388159ac9b6a16ac7898cf243c0090d935bf892472943ad
- SHA512: 535ad86843a0a1807117e7cd059bc6565fa20685aa0a14ded789e6df42f0467242fbb85cf7b17a5e98eb3c9ba34c46b4b9fa65350c6730092e905bef9f6738c5
- SSDEEP: 196608:ymfI8mgWLU16Uwg55LasSW4yIK1ni4+YW/3T9xU:ykmlw4mL/SNKdPMbU
Malware Config
Signatures
- Detect ZGRat V1 (34 IoCs)
  resource | yara_rule
  behavioral1/memory/2276-3-0x000000001CA30000-0x000000001D2F4000-memory.dmp | family_zgrat_v1
  behavioral1/memory/2276-4-0x000000001CA30000-0x000000001D2EE000-memory.dmp | family_zgrat_v1
  behavioral1/memory/2276-5-0x000000001CA30000-0x000000001D2EE000-memory.dmp | family_zgrat_v1
  behavioral1/memory/2276-7-0x000000001CA30000-0x000000001D2EE000-memory.dmp | family_zgrat_v1
  behavioral1/memory/2276-9-0x000000001CA30000-0x000000001D2EE000-memory.dmp | family_zgrat_v1
  behavioral1/memory/2276-11-0x000000001CA30000-0x000000001D2EE000-memory.dmp | family_zgrat_v1
  behavioral1/memory/2276-13-0x000000001CA30000-0x000000001D2EE000-memory.dmp | family_zgrat_v1
  behavioral1/memory/2276-15-0x000000001CA30000-0x000000001D2EE000-memory.dmp | family_zgrat_v1
  behavioral1/memory/2276-17-0x000000001CA30000-0x000000001D2EE000-memory.dmp | family_zgrat_v1
  behavioral1/memory/2276-19-0x000000001CA30000-0x000000001D2EE000-memory.dmp | family_zgrat_v1
  behavioral1/memory/2276-21-0x000000001CA30000-0x000000001D2EE000-memory.dmp | family_zgrat_v1
  behavioral1/memory/2276-23-0x000000001CA30000-0x000000001D2EE000-memory.dmp | family_zgrat_v1
  behavioral1/memory/2276-25-0x000000001CA30000-0x000000001D2EE000-memory.dmp | family_zgrat_v1
  behavioral1/memory/2276-27-0x000000001CA30000-0x000000001D2EE000-memory.dmp | family_zgrat_v1
  behavioral1/memory/2276-29-0x000000001CA30000-0x000000001D2EE000-memory.dmp | family_zgrat_v1
  behavioral1/memory/2276-31-0x000000001CA30000-0x000000001D2EE000-memory.dmp | family_zgrat_v1
  behavioral1/memory/2276-33-0x000000001CA30000-0x000000001D2EE000-memory.dmp | family_zgrat_v1
  behavioral1/memory/2276-35-0x000000001CA30000-0x000000001D2EE000-memory.dmp | family_zgrat_v1
  behavioral1/memory/2276-37-0x000000001CA30000-0x000000001D2EE000-memory.dmp | family_zgrat_v1
  behavioral1/memory/2276-39-0x000000001CA30000-0x000000001D2EE000-memory.dmp | family_zgrat_v1
  behavioral1/memory/2276-41-0x000000001CA30000-0x000000001D2EE000-memory.dmp | family_zgrat_v1
  behavioral1/memory/2276-43-0x000000001CA30000-0x000000001D2EE000-memory.dmp | family_zgrat_v1
  behavioral1/memory/2276-45-0x000000001CA30000-0x000000001D2EE000-memory.dmp | family_zgrat_v1
  behavioral1/memory/2276-47-0x000000001CA30000-0x000000001D2EE000-memory.dmp | family_zgrat_v1
  behavioral1/memory/2276-49-0x000000001CA30000-0x000000001D2EE000-memory.dmp | family_zgrat_v1
  behavioral1/memory/2276-51-0x000000001CA30000-0x000000001D2EE000-memory.dmp | family_zgrat_v1
  behavioral1/memory/2276-53-0x000000001CA30000-0x000000001D2EE000-memory.dmp | family_zgrat_v1
  behavioral1/memory/2276-55-0x000000001CA30000-0x000000001D2EE000-memory.dmp | family_zgrat_v1
  behavioral1/memory/2276-57-0x000000001CA30000-0x000000001D2EE000-memory.dmp | family_zgrat_v1
  behavioral1/memory/2276-59-0x000000001CA30000-0x000000001D2EE000-memory.dmp | family_zgrat_v1
  behavioral1/memory/2276-61-0x000000001CA30000-0x000000001D2EE000-memory.dmp | family_zgrat_v1
  behavioral1/memory/2276-63-0x000000001CA30000-0x000000001D2EE000-memory.dmp | family_zgrat_v1
  behavioral1/memory/2276-65-0x000000001CA30000-0x000000001D2EE000-memory.dmp | family_zgrat_v1
  behavioral1/memory/2276-67-0x000000001CA30000-0x000000001D2EE000-memory.dmp | family_zgrat_v1
- Adds Run key to start application (2 TTPs, 1 IoCs)
  description | ioc | Process
  Set value (str) | \REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Windows\CurrentVersion\Run\Vdtiytdlsgj = "C:\\Users\\Admin\\AppData\\Roaming\\Vdtiytdlsgj.exe" | 0817cf34b0dd7bec7388159ac9b6a16ac7898cf243c0090d935bf892472943ad.exe
- Drops file in System32 directory (2 IoCs)
  description | ioc | Process
  File opened for modification | C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk | powershell.exe
  File opened for modification | C:\Windows\system32\MRT.exe | 0817cf34b0dd7bec7388159ac9b6a16ac7898cf243c0090d935bf892472943ad.exe
- Suspicious use of SetThreadContext (2 IoCs)
  description | pid | Process | procid_target
  PID 2276 set thread context of 1628 | 2276 | 0817cf34b0dd7bec7388159ac9b6a16ac7898cf243c0090d935bf892472943ad.exe | 32
  PID 1628 set thread context of 1900 | 1628 | 0817cf34b0dd7bec7388159ac9b6a16ac7898cf243c0090d935bf892472943ad.exe | 38
- Drops file in Windows directory (1 IoCs)
  description | ioc | Process
  File created | C:\Windows\wusa.lock | wusa.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid | Process
  1416 | powershell.exe
  1628 | 0817cf34b0dd7bec7388159ac9b6a16ac7898cf243c0090d935bf892472943ad.exe
  1064 | powershell.exe
  1628 | 0817cf34b0dd7bec7388159ac9b6a16ac7898cf243c0090d935bf892472943ad.exe
  1628 | 0817cf34b0dd7bec7388159ac9b6a16ac7898cf243c0090d935bf892472943ad.exe
  1900 | explorer.exe (all remaining rows are this entry; 64 rows in total)
- Suspicious use of AdjustPrivilegeToken (5 IoCs)
  description | pid | Process
  Token: SeDebugPrivilege | 2276 | 0817cf34b0dd7bec7388159ac9b6a16ac7898cf243c0090d935bf892472943ad.exe
  Token: SeDebugPrivilege | 1416 | powershell.exe
  Token: SeDebugPrivilege | 1064 | powershell.exe
  Token: SeLockMemoryPrivilege | 1900 | explorer.exe
  Token: SeLockMemoryPrivilege | 1900 | explorer.exe
- Suspicious use of FindShellTrayWindow (64 IoCs)
  pid | Process
  1900 | explorer.exe (64 identical rows)
- Suspicious use of SendNotifyMessage (64 IoCs)
  pid | Process
  1900 | explorer.exe (64 identical rows)
- Suspicious use of WriteProcessMemory (30 IoCs)
  description | pid | Process | procid_target
  PID 2276 wrote to memory of 1416 | 2276 | 0817cf34b0dd7bec7388159ac9b6a16ac7898cf243c0090d935bf892472943ad.exe | 28 (3 identical rows)
  PID 2276 wrote to memory of 1628 | 2276 | 0817cf34b0dd7bec7388159ac9b6a16ac7898cf243c0090d935bf892472943ad.exe | 32 (repeated identical rows)
  PID 1992 wrote to memory of 2536 | 1992 | cmd.exe | 35 (3 identical rows)
  PID 1628 wrote to memory of 1900 | 1628 | 0817cf34b0dd7bec7388159ac9b6a16ac7898cf243c0090d935bf892472943ad.exe | 38 (repeated identical rows)
  Identical rows are listed once; the signature reports 30 rows in total.
Processes
- C:\Users\Admin\AppData\Local\Temp\0817cf34b0dd7bec7388159ac9b6a16ac7898cf243c0090d935bf892472943ad.exe (level 1, PID 2276)
  Command line: "C:\Users\Admin\AppData\Local\Temp\0817cf34b0dd7bec7388159ac9b6a16ac7898cf243c0090d935bf892472943ad.exe"
  - Adds Run key to start application
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (level 2, PID 1416)
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc 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
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  - C:\Users\Admin\AppData\Local\Temp\0817cf34b0dd7bec7388159ac9b6a16ac7898cf243c0090d935bf892472943ad.exe (level 2, PID 1628)
    Command line: C:\Users\Admin\AppData\Local\Temp\0817cf34b0dd7bec7388159ac9b6a16ac7898cf243c0090d935bf892472943ad.exe
    - Drops file in System32 directory
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe (level 3, PID 1064)
      Command line: C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
      - Drops file in System32 directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
    - C:\Windows\system32\cmd.exe (level 3, PID 1992)
      Command line: C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
      - Suspicious use of WriteProcessMemory
    - C:\Windows\explorer.exe (level 3, PID 1900)
      Command line: explorer.exe
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage
- C:\Windows\system32\wusa.exe (level 1, PID 2536)
  Command line: wusa /uninstall /kb:890830 /quiet /norestart
  - Drops file in Windows directory
Network
MITRE ATT&CK Enterprise v15
Downloads
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
  Filesize: 7KB
  MD5: ddb4898dc5863fa5110b3dd733c4a325
  SHA1: c16b364d05faad380a1ecda52422b80c70e8eb82
  SHA256: e44cef2ab5803cd9ecda4c8f16a018a7200ef9f45aae40fbfd1bdf7b1674e837
  SHA512: 1a8d0f0f059e9dd3d368eb5791be7fcb9bf55baf33148082e480735e1fef4d8c96beb2be2f6188a37beb1f9a50cc2e0e8dc0d9845d3a519d043812ee03081347