General

  • Target

    HyperSpoof (2024).rar

  • Size

    57KB

  • Sample

    240316-c2bzashh7v

  • MD5

    4b99599c0946da5a5fb5d62aed8c9319

  • SHA1

    008c6d784073a5bf9466de026f4baa46abcef253

  • SHA256

    21ec1141e55d4c21b89fb4be9e7692bf61681868f17cc78a9e691f44b911157c

  • SHA512

    0ec00a4bdcbcd3d28f198e932b24305a2f90d6623d87c0d62af1b35873f02eba51f64ae23b4d15c34a14456cf4fef85d9dc838a0b2290554c3e158ca2b4330f9

  • SSDEEP

    1536:mqcYnM1m8fFzUsLvfxi4QvPawWeTgI2m/fB:mq/Mc8fFzdvg4uFTN2w
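The digests above are the practical IOCs for this sample. The following script, added here as an illustration rather than taken from tria.ge or the report, embeds them and checks files against them. The hash values are the report's; the function names, the directory-scan usage and the `abc` test input are assumptions of the example. Note that these digests identify the RAR archive only; the EXE and DLL it drops have their own hashes that this page does not list, so an archive match does not cover the extracted payload. The SSDEEP value needs the separate ssdeep library for fuzzy comparison and is not handled here.

```python
import hashlib
from pathlib import Path

# Digests copied from the tria.ge report for "HyperSpoof (2024).rar".
# They identify the RAR archive itself, not the EXE/DLL it drops.
REPORT_IOCS = {
    "md5": "4b99599c0946da5a5fb5d62aed8c9319",
    "sha1": "008c6d784073a5bf9466de026f4baa46abcef253",
    "sha256": "21ec1141e55d4c21b89fb4be9e7692bf61681868f17cc78a9e691f44b911157c",
    "sha512": "0ec00a4bdcbcd3d28f198e932b24305a2f90d6623d87c0d62af1b35873f02eba"
              "51f64ae23b4d15c34a14456cf4fef85d9dc838a0b2290554c3e158ca2b4330f9",
}

ALGORITHMS = ("md5", "sha1", "sha256", "sha512")


def hashes_of(data: bytes) -> dict:
    """Lowercase hex digests of an in-memory buffer for every algorithm."""
    return {alg: hashlib.new(alg, data).hexdigest() for alg in ALGORITHMS}


def hashes_of_file(path, chunk_size=1 << 20) -> dict:
    """Stream a file through all four hash objects at once, so a large
    sample is read from disk only one time."""
    hashers = {alg: hashlib.new(alg) for alg in ALGORITHMS}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            for h in hashers.values():
                h.update(chunk)
    return {alg: h.hexdigest() for alg, h in hashers.items()}


def match_iocs(observed: dict, iocs: dict) -> dict:
    """Per-algorithm comparison of observed digests against IOC values.

    Returns {algorithm: bool} for each algorithm present in `iocs`.
    Comparison is case-insensitive because feeds and report pages differ
    in how they case hex strings.
    """
    return {
        alg: observed.get(alg, "").lower() == value.lower()
        for alg, value in iocs.items()
    }


def is_match(observed: dict, iocs: dict) -> bool:
    """Treat a file as the reported sample only when every listed digest
    agrees. A lone MD5 or SHA1 hit with the SHA256 disagreeing is a
    collision or a transcription error, not the sample."""
    results = match_iocs(observed, iocs)
    return bool(results) and all(results.values())


def scan_directory(root, iocs=REPORT_IOCS) -> list:
    """Walk `root` recursively and return paths whose digests match `iocs`."""
    hits = []
    for path in Path(root).rglob("*"):
        if path.is_file() and is_match(hashes_of_file(path), iocs):
            hits.append(str(path))
    return hits


if __name__ == "__main__":
    import sys

    # Usage (assumed): python check_iocs.py /path/to/quarantine
    for hit in scan_directory(sys.argv[1] if len(sys.argv) > 1 else "."):
        print("MATCH", hit)
```

Requiring all four digests to agree is deliberate: MD5 and SHA1 are collision-prone, so a single-algorithm hit against a report value should be confirmed by SHA256 before the file is labelled as this sample.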

Malware Config

Targets

    • Target

      HyperSpoof (2024).rar (size and digests as listed under General above)

    • Detect ZGRat V1

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • ZGRat

      ZGRat is a remote access trojan written in C#.

    • Nirsoft

    • Blocklisted process makes network request

    • Creates new service(s)

    • Downloads MZ/PE file

    • Stops running service(s)

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Executes dropped EXE

    • Loads dropped DLL

    • Legitimate hosting services abused for malware hosting/C2

MITRE ATT&CK Enterprise v15

Tasks