Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
- max time kernel: 120s
- max time network: 121s
- platform: windows7_x64
- resource: win7-20231129-en
- resource tags: arch:x64, arch:x86, image:win7-20231129-en, locale:en-us, os:windows7-x64, system
- submitted: 13/02/2024, 02:49
Behavioral task: behavioral1
- Sample: 08740960051185e079e88d77f1f416e05fb944a345863ce9182316dc3c0aab14.exe
- Resource: win7-20231129-en
General
- Target: 08740960051185e079e88d77f1f416e05fb944a345863ce9182316dc3c0aab14.exe
- Size: 1.9MB
- MD5: 14f6f2650e4115f846437a021780ad79
- SHA1: 11825457804c1aec20dfb7049bc9d21e409e8094
- SHA256: 08740960051185e079e88d77f1f416e05fb944a345863ce9182316dc3c0aab14
- SHA512: 97b6237d078fde08a90dfd6d30f6196c17bf1b5ed02e5114d51fd0800e77dea5a27868dcea011347f79b6d19c3dd854fa8de118cedb61708d5e124e6e337ebf8
- SSDEEP: 24576:2TbBv5rUyXVHz9DD003FvrxyYsw14gO8clrAVwMsxeCXEaSmzFN4DKIaUfReHUBr:IBJTBn1UrAVslhPFN6mcMUB+OZwfu5Xl
Malware Config
Signatures
- Detect ZGRat V1 (3 IoCs)
  resource | yara_rule
  behavioral1/files/0x000e0000000122e0-10.dat | family_zgrat_v1
  behavioral1/memory/2708-13-0x0000000000E40000-0x0000000000FDA000-memory.dmp | family_zgrat_v1
  behavioral1/memory/2496-35-0x0000000001330000-0x00000000014CA000-memory.dmp | family_zgrat_v1
- Detects executables packed with unregistered version of .NET Reactor (3 IoCs)
  resource | yara_rule
  behavioral1/files/0x000e0000000122e0-10.dat | INDICATOR_EXE_Packed_DotNetReactor
  behavioral1/memory/2708-13-0x0000000000E40000-0x0000000000FDA000-memory.dmp | INDICATOR_EXE_Packed_DotNetReactor
  behavioral1/memory/2496-35-0x0000000001330000-0x00000000014CA000-memory.dmp | INDICATOR_EXE_Packed_DotNetReactor
- Disables Task Manager via registry modification
- Executes dropped EXE (2 IoCs)
  pid | Process
  2708 | ComContainerServercomponentDll.exe
  2496 | System.exe
- Loads dropped DLL (2 IoCs)
  pid | Process
  2088 | cmd.exe
  2088 | cmd.exe
- Drops file in Program Files directory (3 IoCs)
  description | ioc | Process
  File created | C:\Program Files\Windows Portable Devices\System.exe | ComContainerServercomponentDll.exe
  File opened for modification | C:\Program Files\Windows Portable Devices\System.exe | ComContainerServercomponentDll.exe
  File created | C:\Program Files\Windows Portable Devices\27d1bcfc3c54e0 | ComContainerServercomponentDll.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Modifies registry key (1 TTPs, 1 IoCs)
  pid | Process
  2628 | reg.exe
- Suspicious behavior: EnumeratesProcesses (13 IoCs)
  pid | Process
  2708 | ComContainerServercomponentDll.exe (13 identical entries)
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  description | pid | Process
  Token: SeDebugPrivilege | 2708 | ComContainerServercomponentDll.exe
  Token: SeDebugPrivilege | 2496 | System.exe
- Suspicious use of WriteProcessMemory (31 IoCs; identical entries collapsed, count in parentheses)
  description | pid | Process | procid_target
  PID 2252 wrote to memory of 2792 | 2252 | 08740960051185e079e88d77f1f416e05fb944a345863ce9182316dc3c0aab14.exe | 28 (4 entries)
  PID 2792 wrote to memory of 2088 | 2792 | WScript.exe | 29 (4 entries)
  PID 2088 wrote to memory of 2628 | 2088 | cmd.exe | 31 (4 entries)
  PID 2088 wrote to memory of 2708 | 2088 | cmd.exe | 32 (4 entries)
  PID 2708 wrote to memory of 2704 | 2708 | ComContainerServercomponentDll.exe | 33 (3 entries)
  PID 2704 wrote to memory of 2648 | 2704 | cmd.exe | 35 (3 entries)
  PID 2704 wrote to memory of 2780 | 2704 | cmd.exe | 36 (3 entries)
  PID 2704 wrote to memory of 2496 | 2704 | cmd.exe | 37 (3 entries)
  PID 2496 wrote to memory of 2236 | 2496 | System.exe | 38 (3 entries)
Processes (number = depth in the process tree)
1. C:\Users\Admin\AppData\Local\Temp\08740960051185e079e88d77f1f416e05fb944a345863ce9182316dc3c0aab14.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\08740960051185e079e88d77f1f416e05fb944a345863ce9182316dc3c0aab14.exe"
   PID: 2252
   Signatures: Suspicious use of WriteProcessMemory
   2. C:\Windows\SysWOW64\WScript.exe
      Command line: "C:\Windows\System32\WScript.exe" "C:\chainCrt\uO160iKFaqIee6ZiL0PaNpxC7NYj1k2S.vbe"
      PID: 2792
      Signatures: Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\cmd.exe
         Command line: cmd /c ""C:\chainCrt\2goA7iMauCLLFvlqdbFwLWtOroqqUhdI3rb.bat" "
         PID: 2088
         Signatures: Loads dropped DLL; Suspicious use of WriteProcessMemory
         4. C:\Windows\SysWOW64\reg.exe
            Command line: reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
            PID: 2628
            Signatures: Modifies registry key
         4. C:\chainCrt\ComContainerServercomponentDll.exe
            Command line: "C:\chainCrt/ComContainerServercomponentDll.exe"
            PID: 2708
            Signatures: Executes dropped EXE; Drops file in Program Files directory; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
            5. C:\Windows\System32\cmd.exe
               Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\0FDpY6TP3Y.bat"
               PID: 2704
               Signatures: Suspicious use of WriteProcessMemory
               6. C:\Windows\system32\chcp.com
                  Command line: chcp 65001
                  PID: 2648
               6. C:\Windows\system32\w32tm.exe
                  Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                  PID: 2780
               6. C:\Program Files\Windows Portable Devices\System.exe
                  Command line: "C:\Program Files\Windows Portable Devices\System.exe"
                  PID: 2496
                  Signatures: Executes dropped EXE; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
                  7. C:\Windows\system32\WerFault.exe
                     Command line: C:\Windows\system32\WerFault.exe -u -p 2496 -s 1124
                     PID: 2236
Network
MITRE ATT&CK Enterprise v15
Downloads