Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
- max time kernel: 121s
- max time network: 125s
- platform: windows7_x64
- resource: win7-20240221-en
- resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
- submitted: 29/02/2024, 01:26
Static task
- static1: 2 signatures
Behavioral task
- behavioral1
  - Sample: rock9980jjfur.exe
  - Resource: win7-20240221-en
  - 11 signatures
  - 150 seconds
General
- Target: rock9980jjfur.exe
- Size: 1.1MB
- MD5: 3a4cf3e0afc19c30d0192f8b5141d76d
- SHA1: b2a966b36f800565ba82f827917310fb127a9969
- SHA256: 041a39cb5700e4016b93e3e42efd80d3042adf5ecd96e4aa8b25635dd87df221
- SHA512: 6fe562840c94d9321f29d510e197f9c7cf2da94fbb2f3b013a70eb0d8b7b35074076ee595f29f1fe20d22fb6cf14e8e9b65e53870b5929a8c18a1e92cee49588
- SSDEEP: 24576:atb20pkaCqT5TBWgNQ7agT6bTngAJOa6A:HVg5tQ7ag48AJN5
Malware Config
Signatures
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- Detect ZGRat V1 (33 IoCs)
- Looks up external IP address via web service (1 IoC)
  Uses a legitimate IP lookup service to find the infected system's external IP.
    flow  ioc
    2     ip-api.com
- Suspicious use of SetThreadContext (1 IoC)
    description                          pid   Process            procid_target
    PID 2244 set thread context of 2588  2244  rock9980jjfur.exe  28
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
    pid   Process
    2588  RegSvcs.exe
    2588  RegSvcs.exe
- Suspicious behavior: MapViewOfSection (1 IoC)
    pid   Process
    2244  rock9980jjfur.exe
- Suspicious use of AdjustPrivilegeToken (1 IoC)
    description              pid   Process
    Token: SeDebugPrivilege  2588  RegSvcs.exe
- Suspicious use of FindShellTrayWindow (2 IoCs)
    pid   Process
    2244  rock9980jjfur.exe
    2244  rock9980jjfur.exe
- Suspicious use of SendNotifyMessage (2 IoCs)
    pid   Process
    2244  rock9980jjfur.exe
    2244  rock9980jjfur.exe
- Suspicious use of WriteProcessMemory (8 IoCs)
    description                       pid   Process            procid_target
    PID 2244 wrote to memory of 2588  2244  rock9980jjfur.exe  28
    PID 2244 wrote to memory of 2588  2244  rock9980jjfur.exe  28
    PID 2244 wrote to memory of 2588  2244  rock9980jjfur.exe  28
    PID 2244 wrote to memory of 2588  2244  rock9980jjfur.exe  28
    PID 2244 wrote to memory of 2588  2244  rock9980jjfur.exe  28
    PID 2244 wrote to memory of 2588  2244  rock9980jjfur.exe  28
    PID 2244 wrote to memory of 2588  2244  rock9980jjfur.exe  28
    PID 2244 wrote to memory of 2588  2244  rock9980jjfur.exe  28
Processes
- C:\Users\Admin\AppData\Local\Temp\rock9980jjfur.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\rock9980jjfur.exe"
  PID: 2244 (depth 1)
  - Suspicious use of SetThreadContext
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\rock9980jjfur.exe"
    PID: 2588 (depth 2, launched by PID 2244)
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken