Analysis

  • max time kernel
    143s
  • max time network
    152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    13/02/2024, 03:13

General

  • Target

    8aec0333a0b42c6a717c8a2dc6a2ce2b76dc806c6e1a4816cb51af9c5af55731.exe

  • Size

    1.6MB

  • MD5

    a2546c042f4e31597a83d5d0732d4730

  • SHA1

    214f01f4ef0c65e17fb3a42e43b1315c55c3f0c3

  • SHA256

    8aec0333a0b42c6a717c8a2dc6a2ce2b76dc806c6e1a4816cb51af9c5af55731

  • SHA512

    af5c23994c9a174efd1ac694dbc4aa2649eb8bb795701c8531d4b53d23a7d14ec9b1470b5250429771e8788c6fe7bf77bde549ee0655318777dc9b4ac7213215

  • SSDEEP

    24576:dpvTQJAutjYcQt3icthumBbD73S8GW1VMuAK/vfgGx7Dxeylmwv4SvOnJxKISR:vkqR7CpW1auAufgGFDxeKv/WKV

Score
10/10

Malware Config

Signatures

  • Detect ZGRat V1 2 IoCs
  • ZGRat

    ZGRat is a remote access trojan written in C#.

  • Detects executables packed with unregistered version of .NET Reactor 2 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up the country code configured in the registry, likely for geofencing.

  • Executes dropped EXE 1 IoCs
  • Drops file in Program Files directory 7 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 25 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\8aec0333a0b42c6a717c8a2dc6a2ce2b76dc806c6e1a4816cb51af9c5af55731.exe
    "C:\Users\Admin\AppData\Local\Temp\8aec0333a0b42c6a717c8a2dc6a2ce2b76dc806c6e1a4816cb51af9c5af55731.exe"
    1⤵
    • Checks computer location settings
    • Drops file in Program Files directory
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3616
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ClIATBb7pK.bat"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:5104
      • C:\Windows\system32\chcp.com
        chcp 65001
        3⤵
        PID:3640
      • C:\Windows\system32\w32tm.exe
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        3⤵
        PID:1528
      • C:\Program Files\Reference Assemblies\Microsoft\spoolsv.exe
        "C:\Program Files\Reference Assemblies\Microsoft\spoolsv.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: GetForegroundWindowSpam
        • Suspicious use of AdjustPrivilegeToken
        PID:3636

Network

MITRE ATT&CK Enterprise v15

Downloads

      • C:\Recovery\WindowsRE\fontdrvhost.exe

        Filesize

        1.6MB

        MD5

        a2546c042f4e31597a83d5d0732d4730

        SHA1

        214f01f4ef0c65e17fb3a42e43b1315c55c3f0c3

        SHA256

        8aec0333a0b42c6a717c8a2dc6a2ce2b76dc806c6e1a4816cb51af9c5af55731

        SHA512

        af5c23994c9a174efd1ac694dbc4aa2649eb8bb795701c8531d4b53d23a7d14ec9b1470b5250429771e8788c6fe7bf77bde549ee0655318777dc9b4ac7213215

      • C:\Users\Admin\AppData\Local\Temp\ClIATBb7pK.bat

        Filesize

        235B

        MD5

        95e715032ef99b0028d877f5738a0650

        SHA1

        c7bfb7de9912ef9a2bebe41eea72c1acbcd4172b

        SHA256

        fa3e83cc89224e0175b471999c4c3af4ccad0814b4fd06e6ca5dce95f93854bd

        SHA512

        9090f0f5128a18de8d7ccd231deb7b9d081ca12ac7ab336d3261cb093160db578d646d8c5358da40d60cad41499897a0eef49e5cfb5bd74c09b2f96627b2119d

      • memory/3616-21-0x00007FF88F3D0000-0x00007FF88FE91000-memory.dmp

        Filesize

        10.8MB

      • memory/3616-3-0x000000001AF90000-0x000000001AFA0000-memory.dmp

        Filesize

        64KB

      • memory/3616-2-0x0000000000BC0000-0x0000000000BC1000-memory.dmp

        Filesize

        4KB

      • memory/3616-1-0x00007FF88F3D0000-0x00007FF88FE91000-memory.dmp

        Filesize

        10.8MB

      • memory/3616-0-0x0000000000290000-0x0000000000428000-memory.dmp

        Filesize

        1.6MB

      • memory/3636-25-0x00007FF88F0A0000-0x00007FF88FB61000-memory.dmp

        Filesize

        10.8MB

      • memory/3636-27-0x0000000002100000-0x0000000002101000-memory.dmp

        Filesize

        4KB

      • memory/3636-26-0x000000001AD90000-0x000000001ADA0000-memory.dmp

        Filesize

        64KB

      • memory/3636-28-0x000000001AD90000-0x000000001ADA0000-memory.dmp

        Filesize

        64KB

      • memory/3636-29-0x00007FF88F0A0000-0x00007FF88FB61000-memory.dmp

        Filesize

        10.8MB

      • memory/3636-30-0x000000001AD90000-0x000000001ADA0000-memory.dmp

        Filesize

        64KB

      • memory/3636-31-0x000000001AD90000-0x000000001ADA0000-memory.dmp

        Filesize

        64KB