Analysis

  • max time kernel: 150s
  • max time network: 154s
  • platform: windows10-2004_x64
  • resource: win10v2004-20231222-en
  • resource tags: arch:x64, arch:x86, image:win10v2004-20231222-en, locale:en-us, os:windows10-2004-x64, system
  • submitted: 13/02/2024, 02:49

General

  • Target: 08740960051185e079e88d77f1f416e05fb944a345863ce9182316dc3c0aab14.exe
  • Size: 1.9MB
  • MD5: 14f6f2650e4115f846437a021780ad79
  • SHA1: 11825457804c1aec20dfb7049bc9d21e409e8094
  • SHA256: 08740960051185e079e88d77f1f416e05fb944a345863ce9182316dc3c0aab14
  • SHA512: 97b6237d078fde08a90dfd6d30f6196c17bf1b5ed02e5114d51fd0800e77dea5a27868dcea011347f79b6d19c3dd854fa8de118cedb61708d5e124e6e337ebf8
  • SSDEEP: 24576:2TbBv5rUyXVHz9DD003FvrxyYsw14gO8clrAVwMsxeCXEaSmzFN4DKIaUfReHUBr:IBJTBn1UrAVslhPFN6mcMUB+OZwfu5Xl

Score
10/10

Malware Config

Signatures

  • Detect ZGRat V1 2 IoCs
  • ZGRat

    ZGRat is a remote access trojan written in C#.

  • Detects executables packed with unregistered version of .NET Reactor 2 IoCs
  • Disables Task Manager via registry modification
  • Checks computer location settings 2 TTPs 3 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 2 IoCs
  • Drops file in Program Files directory 2 IoCs
  • Drops file in Windows directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry class 2 IoCs
  • Modifies registry key 1 TTPs 1 IoCs
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 39 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 19 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\08740960051185e079e88d77f1f416e05fb944a345863ce9182316dc3c0aab14.exe
    "C:\Users\Admin\AppData\Local\Temp\08740960051185e079e88d77f1f416e05fb944a345863ce9182316dc3c0aab14.exe"
    1⤵
    • Checks computer location settings
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:4844
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\chainCrt\uO160iKFaqIee6ZiL0PaNpxC7NYj1k2S.vbe"
      2⤵
      • Checks computer location settings
      • Suspicious use of WriteProcessMemory
      PID:4552
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c ""C:\chainCrt\2goA7iMauCLLFvlqdbFwLWtOroqqUhdI3rb.bat" "
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:4560
        • C:\Windows\SysWOW64\reg.exe
          reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
          4⤵
          • Modifies registry key
          PID:3844
        • C:\chainCrt\ComContainerServercomponentDll.exe
          "C:\chainCrt/ComContainerServercomponentDll.exe"
          4⤵
          • Checks computer location settings
          • Executes dropped EXE
          • Drops file in Program Files directory
          • Drops file in Windows directory
          • Modifies registry class
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:1640
          • C:\Windows\System32\cmd.exe
            "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\zZzZ568Pmt.bat"
            5⤵
            • Suspicious use of WriteProcessMemory
            PID:4264
            • C:\Windows\system32\chcp.com
              chcp 65001
              6⤵
                PID:1240
              • C:\Windows\system32\PING.EXE
                ping -n 10 localhost
                6⤵
                • Runs ping.exe
                PID:4948
              • C:\Windows\Panther\setup.exe\csrss.exe
                "C:\Windows\Panther\setup.exe\csrss.exe"
                6⤵
                • Executes dropped EXE
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious behavior: GetForegroundWindowSpam
                • Suspicious use of AdjustPrivilegeToken
                PID:3372

    Network

    MITRE ATT&CK Enterprise v15

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\zZzZ568Pmt.bat
      Filesize: 166B
      MD5: 4365ebf6f637bfa2f624db69b063bab6
      SHA1: 0a5972cbf68f5eeaea79fa86f3616bd299a92f3e
      SHA256: c2626dbddc1a5d7aa66d4988878fa6d0e230c209df6f6b437f85e0064fdf03b8
      SHA512: 86c3aa39197f293644997de1bc91df8eaba9819952a765305938730e7cd1a2ef92939524c0bbdb593800d09f7f52d51c13c66ab5aa3efa3e5b7196e8290d3ac9

    • C:\chainCrt\2goA7iMauCLLFvlqdbFwLWtOroqqUhdI3rb.bat
      Filesize: 219B
      MD5: 2c6552d7067705b8adc060be796cc726
      SHA1: f1f4ca6df3799590d29048d8c0ef8c377b72b29a
      SHA256: 8f6048c3efd9407d6e5503aa6d2bc17b0c9c73ea883e5567f30ee15c39af7034
      SHA512: 969bb134f916e45c9f899ccaca82b1e5b5ad9859c758d5f0a514fa0b4d40c079ac14684d2066dbc29eca7e5d9271c3400d6b6fb9bb2707a85ce23edb7065c75d

    • C:\chainCrt\ComContainerServercomponentDll.exe
      Filesize: 1.6MB
      MD5: c85bd715ac92063c07314d1ce33bb5a1
      SHA1: 36d690ccafaf3bcf312cb6055b1c33d18631cc01
      SHA256: a4bf8ca2423567b154b8938d825125d86763fc6cade00de52e90af39e17b366b
      SHA512: d5ab6661b7d00c54d486276e7744df1e55dac9e44c498c93ecac4e7250634be38be826ff5dbe3be8176fe32750e98e7b8525e6eb388473bd46ae946c3bf32fe0

    • C:\chainCrt\uO160iKFaqIee6ZiL0PaNpxC7NYj1k2S.vbe
      Filesize: 222B
      MD5: 864c2b2879ddb78e052cd8710b7c74e2
      SHA1: 065354d8ea5079825a29f4f9fb5a8f9fdddd660e
      SHA256: fe19dff47eb716ff953aadbc4db9de1925f2c082c0030171687b925a5de56360
      SHA512: 08610b687b5eddd01eb77fcd18e1ad9098a471d2ed366b4c244c9a973eaef76e1b5dd8a4c1f0e65d71734f0412a228360fe2f110128ff3b191c37a4527f2d11f

    • memory/1640-12-0x0000000000450000-0x00000000005EA000-memory.dmp
      Filesize: 1.6MB

    • memory/1640-13-0x00007FF8C50E0000-0x00007FF8C5BA1000-memory.dmp
      Filesize: 10.8MB

    • memory/1640-14-0x0000000002630000-0x0000000002631000-memory.dmp
      Filesize: 4KB

    • memory/1640-15-0x000000001B370000-0x000000001B380000-memory.dmp
      Filesize: 64KB

    • memory/1640-32-0x00007FF8C50E0000-0x00007FF8C5BA1000-memory.dmp
      Filesize: 10.8MB

    • memory/3372-36-0x00007FF8C5030000-0x00007FF8C5AF1000-memory.dmp
      Filesize: 10.8MB

    • memory/3372-37-0x000000001BAF0000-0x000000001BAF1000-memory.dmp
      Filesize: 4KB

    • memory/3372-38-0x00007FF8C5030000-0x00007FF8C5AF1000-memory.dmp
      Filesize: 10.8MB