Analysis
max time kernel: 150s
max time network: 154s
platform: windows10-2004_x64
resource: win10v2004-20231222-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231222-en, locale:en-us, os:windows10-2004-x64, system
submitted: 13/02/2024, 02:49
Behavioral task: behavioral1
Sample: 08740960051185e079e88d77f1f416e05fb944a345863ce9182316dc3c0aab14.exe
Resource: win7-20231129-en
General
Target: 08740960051185e079e88d77f1f416e05fb944a345863ce9182316dc3c0aab14.exe
Size: 1.9MB
MD5: 14f6f2650e4115f846437a021780ad79
SHA1: 11825457804c1aec20dfb7049bc9d21e409e8094
SHA256: 08740960051185e079e88d77f1f416e05fb944a345863ce9182316dc3c0aab14
SHA512: 97b6237d078fde08a90dfd6d30f6196c17bf1b5ed02e5114d51fd0800e77dea5a27868dcea011347f79b6d19c3dd854fa8de118cedb61708d5e124e6e337ebf8
SSDEEP: 24576:2TbBv5rUyXVHz9DD003FvrxyYsw14gO8clrAVwMsxeCXEaSmzFN4DKIaUfReHUBr:IBJTBn1UrAVslhPFN6mcMUB+OZwfu5Xl
Malware Config
Signatures
- Detect ZGRat V1 (2 IoCs)
  resource | yara_rule
  behavioral2/files/0x00080000000231fa-10.dat | family_zgrat_v1
  behavioral2/memory/1640-12-0x0000000000450000-0x00000000005EA000-memory.dmp | family_zgrat_v1

- Detects executables packed with unregistered version of .NET Reactor (2 IoCs)
  resource | yara_rule
  behavioral2/files/0x00080000000231fa-10.dat | INDICATOR_EXE_Packed_DotNetReactor
  behavioral2/memory/1640-12-0x0000000000450000-0x00000000005EA000-memory.dmp | INDICATOR_EXE_Packed_DotNetReactor

- Disables Task Manager via registry modification

- Checks computer location settings (2 TTPs, 3 IoCs)
  Looks up country code configured in the registry, likely geofence.
  description | ioc | Process
  Key value queried | \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\International\Geo\Nation | ComContainerServercomponentDll.exe
  Key value queried | \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\International\Geo\Nation | 08740960051185e079e88d77f1f416e05fb944a345863ce9182316dc3c0aab14.exe
  Key value queried | \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\International\Geo\Nation | WScript.exe

- Executes dropped EXE (2 IoCs)
  pid | Process
  1640 | ComContainerServercomponentDll.exe
  3372 | csrss.exe

- Drops file in Program Files directory (2 IoCs)
  description | ioc | Process
  File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\locales\56085415360792 | ComContainerServercomponentDll.exe
  File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\locales\wininit.exe | ComContainerServercomponentDll.exe

- Drops file in Windows directory (2 IoCs)
  description | ioc | Process
  File created | C:\Windows\Panther\setup.exe\csrss.exe | ComContainerServercomponentDll.exe
  File created | C:\Windows\Panther\setup.exe\886983d96e3d3e | ComContainerServercomponentDll.exe

- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).

- Modifies registry class (2 IoCs)
  description | ioc | Process
  Key created | \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000_Classes\Local Settings | 08740960051185e079e88d77f1f416e05fb944a345863ce9182316dc3c0aab14.exe
  Key created | \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000_Classes\Local Settings | ComContainerServercomponentDll.exe

- Modifies registry key (1 TTPs, 1 IoCs)
  pid | Process
  3844 | reg.exe

- Runs ping.exe (1 TTPs, 1 IoCs)
  pid | Process
  4948 | PING.EXE

- Suspicious behavior: EnumeratesProcesses (39 IoCs)
  pid | Process
  1640 | ComContainerServercomponentDll.exe (31 entries)
  3372 | csrss.exe (8 entries)

- Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
  pid | Process
  3372 | csrss.exe

- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  description | pid | Process
  Token: SeDebugPrivilege | 1640 | ComContainerServercomponentDll.exe
  Token: SeDebugPrivilege | 3372 | csrss.exe

- Suspicious use of WriteProcessMemory (19 IoCs)
  description | pid | Process | procid_target
  PID 4844 wrote to memory of 4552 | 4844 | 08740960051185e079e88d77f1f416e05fb944a345863ce9182316dc3c0aab14.exe | 85
  PID 4844 wrote to memory of 4552 | 4844 | 08740960051185e079e88d77f1f416e05fb944a345863ce9182316dc3c0aab14.exe | 85
  PID 4844 wrote to memory of 4552 | 4844 | 08740960051185e079e88d77f1f416e05fb944a345863ce9182316dc3c0aab14.exe | 85
  PID 4552 wrote to memory of 4560 | 4552 | WScript.exe | 91
  PID 4552 wrote to memory of 4560 | 4552 | WScript.exe | 91
  PID 4552 wrote to memory of 4560 | 4552 | WScript.exe | 91
  PID 4560 wrote to memory of 3844 | 4560 | cmd.exe | 93
  PID 4560 wrote to memory of 3844 | 4560 | cmd.exe | 93
  PID 4560 wrote to memory of 3844 | 4560 | cmd.exe | 93
  PID 4560 wrote to memory of 1640 | 4560 | cmd.exe | 94
  PID 4560 wrote to memory of 1640 | 4560 | cmd.exe | 94
  PID 1640 wrote to memory of 4264 | 1640 | ComContainerServercomponentDll.exe | 97
  PID 1640 wrote to memory of 4264 | 1640 | ComContainerServercomponentDll.exe | 97
  PID 4264 wrote to memory of 1240 | 4264 | cmd.exe | 99
  PID 4264 wrote to memory of 1240 | 4264 | cmd.exe | 99
  PID 4264 wrote to memory of 4948 | 4264 | cmd.exe | 100
  PID 4264 wrote to memory of 4948 | 4264 | cmd.exe | 100
  PID 4264 wrote to memory of 3372 | 4264 | cmd.exe | 101
  PID 4264 wrote to memory of 3372 | 4264 | cmd.exe | 101
Processes
C:\Users\Admin\AppData\Local\Temp\08740960051185e079e88d77f1f416e05fb944a345863ce9182316dc3c0aab14.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\08740960051185e079e88d77f1f416e05fb944a345863ce9182316dc3c0aab14.exe"
  PID: 4844
  - Checks computer location settings
  - Modifies registry class
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\WScript.exe (depth 2)
    Command line: "C:\Windows\System32\WScript.exe" "C:\chainCrt\uO160iKFaqIee6ZiL0PaNpxC7NYj1k2S.vbe"
    PID: 4552
    - Checks computer location settings
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\cmd.exe (depth 3)
      Command line: C:\Windows\system32\cmd.exe /c ""C:\chainCrt\2goA7iMauCLLFvlqdbFwLWtOroqqUhdI3rb.bat" "
      PID: 4560
      - Suspicious use of WriteProcessMemory

      C:\Windows\SysWOW64\reg.exe (depth 4)
        Command line: reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
        PID: 3844
        - Modifies registry key

      C:\chainCrt\ComContainerServercomponentDll.exe (depth 4)
        Command line: "C:\chainCrt/ComContainerServercomponentDll.exe"
        PID: 1640
        - Checks computer location settings
        - Executes dropped EXE
        - Drops file in Program Files directory
        - Drops file in Windows directory
        - Modifies registry class
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory

        C:\Windows\System32\cmd.exe (depth 5)
          Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\zZzZ568Pmt.bat"
          PID: 4264
          - Suspicious use of WriteProcessMemory

          C:\Windows\system32\chcp.com (depth 6)
            Command line: chcp 65001
            PID: 1240

          C:\Windows\system32\PING.EXE (depth 6)
            Command line: ping -n 10 localhost
            PID: 4948
            - Runs ping.exe

          C:\Windows\Panther\setup.exe\csrss.exe (depth 6)
            Command line: "C:\Windows\Panther\setup.exe\csrss.exe"
            PID: 3372
            - Executes dropped EXE
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious behavior: GetForegroundWindowSpam
            - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 166B
  MD5: 4365ebf6f637bfa2f624db69b063bab6
  SHA1: 0a5972cbf68f5eeaea79fa86f3616bd299a92f3e
  SHA256: c2626dbddc1a5d7aa66d4988878fa6d0e230c209df6f6b437f85e0064fdf03b8
  SHA512: 86c3aa39197f293644997de1bc91df8eaba9819952a765305938730e7cd1a2ef92939524c0bbdb593800d09f7f52d51c13c66ab5aa3efa3e5b7196e8290d3ac9

- Filesize: 219B
  MD5: 2c6552d7067705b8adc060be796cc726
  SHA1: f1f4ca6df3799590d29048d8c0ef8c377b72b29a
  SHA256: 8f6048c3efd9407d6e5503aa6d2bc17b0c9c73ea883e5567f30ee15c39af7034
  SHA512: 969bb134f916e45c9f899ccaca82b1e5b5ad9859c758d5f0a514fa0b4d40c079ac14684d2066dbc29eca7e5d9271c3400d6b6fb9bb2707a85ce23edb7065c75d

- Filesize: 1.6MB
  MD5: c85bd715ac92063c07314d1ce33bb5a1
  SHA1: 36d690ccafaf3bcf312cb6055b1c33d18631cc01
  SHA256: a4bf8ca2423567b154b8938d825125d86763fc6cade00de52e90af39e17b366b
  SHA512: d5ab6661b7d00c54d486276e7744df1e55dac9e44c498c93ecac4e7250634be38be826ff5dbe3be8176fe32750e98e7b8525e6eb388473bd46ae946c3bf32fe0

- Filesize: 222B
  MD5: 864c2b2879ddb78e052cd8710b7c74e2
  SHA1: 065354d8ea5079825a29f4f9fb5a8f9fdddd660e
  SHA256: fe19dff47eb716ff953aadbc4db9de1925f2c082c0030171687b925a5de56360
  SHA512: 08610b687b5eddd01eb77fcd18e1ad9098a471d2ed366b4c244c9a973eaef76e1b5dd8a4c1f0e65d71734f0412a228360fe2f110128ff3b191c37a4527f2d11f