Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
143s -
max time network
152s -
platform
windows10-2004_x64 -
resource
win10v2004-20231215-en -
resource tags
arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system -
submitted
13/02/2024, 03:13
Behavioral task
behavioral1
Sample
8aec0333a0b42c6a717c8a2dc6a2ce2b76dc806c6e1a4816cb51af9c5af55731.exe
Resource
win7-20231215-en
General
-
Target
8aec0333a0b42c6a717c8a2dc6a2ce2b76dc806c6e1a4816cb51af9c5af55731.exe
-
Size
1.6MB
-
MD5
a2546c042f4e31597a83d5d0732d4730
-
SHA1
214f01f4ef0c65e17fb3a42e43b1315c55c3f0c3
-
SHA256
8aec0333a0b42c6a717c8a2dc6a2ce2b76dc806c6e1a4816cb51af9c5af55731
-
SHA512
af5c23994c9a174efd1ac694dbc4aa2649eb8bb795701c8531d4b53d23a7d14ec9b1470b5250429771e8788c6fe7bf77bde549ee0655318777dc9b4ac7213215
-
SSDEEP
24576:dpvTQJAutjYcQt3icthumBbD73S8GW1VMuAK/vfgGx7Dxeylmwv4SvOnJxKISR:vkqR7CpW1auAufgGFDxeKv/WKV
Malware Config
Signatures
-
Detect ZGRat V1 2 IoCs
resource yara_rule behavioral2/memory/3616-0-0x0000000000290000-0x0000000000428000-memory.dmp family_zgrat_v1 behavioral2/files/0x000600000002322c-13.dat family_zgrat_v1 -
Detects executables packed with unregistered version of .NET Reactor 2 IoCs
resource yara_rule behavioral2/memory/3616-0-0x0000000000290000-0x0000000000428000-memory.dmp INDICATOR_EXE_Packed_DotNetReactor behavioral2/files/0x000600000002322c-13.dat INDICATOR_EXE_Packed_DotNetReactor -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000\Control Panel\International\Geo\Nation 8aec0333a0b42c6a717c8a2dc6a2ce2b76dc806c6e1a4816cb51af9c5af55731.exe -
Executes dropped EXE 1 IoCs
pid Process 3636 spoolsv.exe -
Drops file in Program Files directory 7 IoCs
description ioc Process File created C:\Program Files (x86)\Mozilla Maintenance Service\logs\dllhost.exe 8aec0333a0b42c6a717c8a2dc6a2ce2b76dc806c6e1a4816cb51af9c5af55731.exe File opened for modification C:\Program Files (x86)\Mozilla Maintenance Service\logs\dllhost.exe 8aec0333a0b42c6a717c8a2dc6a2ce2b76dc806c6e1a4816cb51af9c5af55731.exe File created C:\Program Files (x86)\Mozilla Maintenance Service\logs\5940a34987c991 8aec0333a0b42c6a717c8a2dc6a2ce2b76dc806c6e1a4816cb51af9c5af55731.exe File created C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\StartMenuExperienceHost.exe 8aec0333a0b42c6a717c8a2dc6a2ce2b76dc806c6e1a4816cb51af9c5af55731.exe File created C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\55b276f4edf653 8aec0333a0b42c6a717c8a2dc6a2ce2b76dc806c6e1a4816cb51af9c5af55731.exe File created C:\Program Files\Reference Assemblies\Microsoft\spoolsv.exe 8aec0333a0b42c6a717c8a2dc6a2ce2b76dc806c6e1a4816cb51af9c5af55731.exe File created C:\Program Files\Reference Assemblies\Microsoft\f3b6ecef712a24 8aec0333a0b42c6a717c8a2dc6a2ce2b76dc806c6e1a4816cb51af9c5af55731.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Modifies registry class 1 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000_Classes\Local Settings 8aec0333a0b42c6a717c8a2dc6a2ce2b76dc806c6e1a4816cb51af9c5af55731.exe -
Suspicious behavior: EnumeratesProcesses 25 IoCs
pid Process 3616 8aec0333a0b42c6a717c8a2dc6a2ce2b76dc806c6e1a4816cb51af9c5af55731.exe 3616 8aec0333a0b42c6a717c8a2dc6a2ce2b76dc806c6e1a4816cb51af9c5af55731.exe 3616 8aec0333a0b42c6a717c8a2dc6a2ce2b76dc806c6e1a4816cb51af9c5af55731.exe 3616 8aec0333a0b42c6a717c8a2dc6a2ce2b76dc806c6e1a4816cb51af9c5af55731.exe 3616 8aec0333a0b42c6a717c8a2dc6a2ce2b76dc806c6e1a4816cb51af9c5af55731.exe 3616 8aec0333a0b42c6a717c8a2dc6a2ce2b76dc806c6e1a4816cb51af9c5af55731.exe 3616 8aec0333a0b42c6a717c8a2dc6a2ce2b76dc806c6e1a4816cb51af9c5af55731.exe 3616 8aec0333a0b42c6a717c8a2dc6a2ce2b76dc806c6e1a4816cb51af9c5af55731.exe 3616 8aec0333a0b42c6a717c8a2dc6a2ce2b76dc806c6e1a4816cb51af9c5af55731.exe 3616 8aec0333a0b42c6a717c8a2dc6a2ce2b76dc806c6e1a4816cb51af9c5af55731.exe 3616 8aec0333a0b42c6a717c8a2dc6a2ce2b76dc806c6e1a4816cb51af9c5af55731.exe 3616 8aec0333a0b42c6a717c8a2dc6a2ce2b76dc806c6e1a4816cb51af9c5af55731.exe 3616 8aec0333a0b42c6a717c8a2dc6a2ce2b76dc806c6e1a4816cb51af9c5af55731.exe 3616 8aec0333a0b42c6a717c8a2dc6a2ce2b76dc806c6e1a4816cb51af9c5af55731.exe 3616 8aec0333a0b42c6a717c8a2dc6a2ce2b76dc806c6e1a4816cb51af9c5af55731.exe 3616 8aec0333a0b42c6a717c8a2dc6a2ce2b76dc806c6e1a4816cb51af9c5af55731.exe 3616 8aec0333a0b42c6a717c8a2dc6a2ce2b76dc806c6e1a4816cb51af9c5af55731.exe 3636 spoolsv.exe 3636 spoolsv.exe 3636 spoolsv.exe 3636 spoolsv.exe 3636 spoolsv.exe 3636 spoolsv.exe 3636 spoolsv.exe 3636 spoolsv.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid Process 3636 spoolsv.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
description pid Process Token: SeDebugPrivilege 3616 8aec0333a0b42c6a717c8a2dc6a2ce2b76dc806c6e1a4816cb51af9c5af55731.exe Token: SeDebugPrivilege 3636 spoolsv.exe -
Suspicious use of WriteProcessMemory 8 IoCs
description pid Process procid_target PID 3616 wrote to memory of 5104 3616 8aec0333a0b42c6a717c8a2dc6a2ce2b76dc806c6e1a4816cb51af9c5af55731.exe 82 PID 3616 wrote to memory of 5104 3616 8aec0333a0b42c6a717c8a2dc6a2ce2b76dc806c6e1a4816cb51af9c5af55731.exe 82 PID 5104 wrote to memory of 3640 5104 cmd.exe 84 PID 5104 wrote to memory of 3640 5104 cmd.exe 84 PID 5104 wrote to memory of 1528 5104 cmd.exe 85 PID 5104 wrote to memory of 1528 5104 cmd.exe 85 PID 5104 wrote to memory of 3636 5104 cmd.exe 86 PID 5104 wrote to memory of 3636 5104 cmd.exe 86
Processes
-
C:\Users\Admin\AppData\Local\Temp\8aec0333a0b42c6a717c8a2dc6a2ce2b76dc806c6e1a4816cb51af9c5af55731.exe"C:\Users\Admin\AppData\Local\Temp\8aec0333a0b42c6a717c8a2dc6a2ce2b76dc806c6e1a4816cb51af9c5af55731.exe"1⤵
- Checks computer location settings
- Drops file in Program Files directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3616 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ClIATBb7pK.bat"2⤵
- Suspicious use of WriteProcessMemory
PID:5104 -
C:\Windows\system32\chcp.comchcp 650013⤵PID:3640
-
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:23⤵PID:1528
-
-
C:\Program Files\Reference Assemblies\Microsoft\spoolsv.exe"C:\Program Files\Reference Assemblies\Microsoft\spoolsv.exe"3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:3636
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1.6MB
MD5a2546c042f4e31597a83d5d0732d4730
SHA1214f01f4ef0c65e17fb3a42e43b1315c55c3f0c3
SHA2568aec0333a0b42c6a717c8a2dc6a2ce2b76dc806c6e1a4816cb51af9c5af55731
SHA512af5c23994c9a174efd1ac694dbc4aa2649eb8bb795701c8531d4b53d23a7d14ec9b1470b5250429771e8788c6fe7bf77bde549ee0655318777dc9b4ac7213215
-
Filesize
235B
MD595e715032ef99b0028d877f5738a0650
SHA1c7bfb7de9912ef9a2bebe41eea72c1acbcd4172b
SHA256fa3e83cc89224e0175b471999c4c3af4ccad0814b4fd06e6ca5dce95f93854bd
SHA5129090f0f5128a18de8d7ccd231deb7b9d081ca12ac7ab336d3261cb093160db578d646d8c5358da40d60cad41499897a0eef49e5cfb5bd74c09b2f96627b2119d