Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Resubmissions
06/04/2024, 02:27
240406-cxlmyahb6x 306/04/2024, 02:26
240406-cwvjfshb5t 306/04/2024, 02:25
240406-cwkn9ahb4y 1006/04/2024, 02:21
240406-cszc8shb2v 706/04/2024, 02:19
240406-cr7cfshg29 306/04/2024, 02:18
240406-crp36shg25 1006/04/2024, 02:17
240406-cq78csha81 3Analysis
-
max time kernel
582s -
max time network
597s -
platform
windows10-2004_x64 -
resource
win10v2004-20240226-en -
resource tags
arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system -
submitted
06/04/2024, 02:18
Static task
static1
Behavioral task
behavioral1
Sample
Launcher.bat
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
Launcher.bat
Resource
win10v2004-20240226-en
Behavioral task
behavioral3
Sample
compiler.exe
Resource
win7-20240221-en
Behavioral task
behavioral4
Sample
compiler.exe
Resource
win10v2004-20240226-en
Behavioral task
behavioral5
Sample
lua51.dll
Resource
win7-20240221-en
Behavioral task
behavioral6
Sample
lua51.dll
Resource
win10v2004-20240226-en
General
-
Target
Launcher.bat
-
Size
544B
-
MD5
17033b44988e812ebade9022cba3584f
-
SHA1
3c98c9f36212cfeec679057cabb1ea5d4bffb1a1
-
SHA256
deda21bef6613c01484a7c219070f1c510d96a31373a9561e31a8e45b3c94473
-
SHA512
9f54c72cafeedb4b332e8c4d438e88475d1757ea4ffdf23d13d0f1bae55806b3fe58cf48002085f5a867c5d8906c4b7674584c4070288e35026037cdc33eb282
Malware Config
Extracted
lumma
https://birdpenallitysydw.shop/api
Signatures
-
Detect ZGRat V1 2 IoCs
resource yara_rule behavioral2/files/0x000700000002324d-344.dat family_zgrat_v1 behavioral2/memory/1508-347-0x0000000000240000-0x0000000000696000-memory.dmp family_zgrat_v1 -
Executes dropped EXE 1 IoCs
pid Process 1508 dma.exe -
Loads dropped DLL 1 IoCs
pid Process 1508 dma.exe -
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc 7 ip-api.com -
Suspicious use of SetThreadContext 1 IoCs
description pid Process procid_target PID 1508 set thread context of 4364 1508 dma.exe 111 -
Drops file in Windows directory 1 IoCs
description ioc Process File created C:\Windows\Setup\Scripts\ErrorHandler.cmd compiler.exe -
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 3568 schtasks.exe -
Suspicious behavior: EnumeratesProcesses 6 IoCs
pid Process 4244 powershell.exe 4244 powershell.exe 4364 MsBuild.exe 4364 MsBuild.exe 4364 MsBuild.exe 4364 MsBuild.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process Token: SeDebugPrivilege 4244 powershell.exe Token: SeIncreaseQuotaPrivilege 4244 powershell.exe Token: SeSecurityPrivilege 4244 powershell.exe Token: SeTakeOwnershipPrivilege 4244 powershell.exe Token: SeLoadDriverPrivilege 4244 powershell.exe Token: SeSystemProfilePrivilege 4244 powershell.exe Token: SeSystemtimePrivilege 4244 powershell.exe Token: SeProfSingleProcessPrivilege 4244 powershell.exe Token: SeIncBasePriorityPrivilege 4244 powershell.exe Token: SeCreatePagefilePrivilege 4244 powershell.exe Token: SeBackupPrivilege 4244 powershell.exe Token: SeRestorePrivilege 4244 powershell.exe Token: SeShutdownPrivilege 4244 powershell.exe Token: SeDebugPrivilege 4244 powershell.exe Token: SeSystemEnvironmentPrivilege 4244 powershell.exe Token: SeRemoteShutdownPrivilege 4244 powershell.exe Token: SeUndockPrivilege 4244 powershell.exe Token: SeManageVolumePrivilege 4244 powershell.exe Token: 33 4244 powershell.exe Token: 34 4244 powershell.exe Token: 35 4244 powershell.exe Token: 36 4244 powershell.exe Token: SeIncreaseQuotaPrivilege 4244 powershell.exe Token: SeSecurityPrivilege 4244 powershell.exe Token: SeTakeOwnershipPrivilege 4244 powershell.exe Token: SeLoadDriverPrivilege 4244 powershell.exe Token: SeSystemProfilePrivilege 4244 powershell.exe Token: SeSystemtimePrivilege 4244 powershell.exe Token: SeProfSingleProcessPrivilege 4244 powershell.exe Token: SeIncBasePriorityPrivilege 4244 powershell.exe Token: SeCreatePagefilePrivilege 4244 powershell.exe Token: SeBackupPrivilege 4244 powershell.exe Token: SeRestorePrivilege 4244 powershell.exe Token: SeShutdownPrivilege 4244 powershell.exe Token: SeDebugPrivilege 4244 powershell.exe Token: SeSystemEnvironmentPrivilege 4244 powershell.exe Token: SeRemoteShutdownPrivilege 4244 powershell.exe Token: SeUndockPrivilege 4244 powershell.exe Token: SeManageVolumePrivilege 4244 powershell.exe Token: 33 4244 powershell.exe Token: 34 4244 powershell.exe Token: 35 4244 powershell.exe Token: 36 4244 powershell.exe Token: SeIncreaseQuotaPrivilege 4244 powershell.exe Token: SeSecurityPrivilege 4244 powershell.exe Token: SeTakeOwnershipPrivilege 4244 powershell.exe Token: SeLoadDriverPrivilege 4244 powershell.exe Token: SeSystemProfilePrivilege 4244 powershell.exe Token: SeSystemtimePrivilege 4244 powershell.exe Token: SeProfSingleProcessPrivilege 4244 powershell.exe Token: SeIncBasePriorityPrivilege 4244 powershell.exe Token: SeCreatePagefilePrivilege 4244 powershell.exe Token: SeBackupPrivilege 4244 powershell.exe Token: SeRestorePrivilege 4244 powershell.exe Token: SeShutdownPrivilege 4244 powershell.exe Token: SeDebugPrivilege 4244 powershell.exe Token: SeSystemEnvironmentPrivilege 4244 powershell.exe Token: SeRemoteShutdownPrivilege 4244 powershell.exe Token: SeUndockPrivilege 4244 powershell.exe Token: SeManageVolumePrivilege 4244 powershell.exe Token: 33 4244 powershell.exe Token: 34 4244 powershell.exe Token: 35 4244 powershell.exe Token: 36 4244 powershell.exe -
Suspicious use of WriteProcessMemory 38 IoCs
description pid Process procid_target PID 4760 wrote to memory of 1896 4760 cmd.exe 86 PID 4760 wrote to memory of 1896 4760 cmd.exe 86 PID 4760 wrote to memory of 3248 4760 cmd.exe 87 PID 4760 wrote to memory of 3248 4760 cmd.exe 87 PID 4760 wrote to memory of 3248 4760 cmd.exe 87 PID 3248 wrote to memory of 3568 3248 compiler.exe 101 PID 3248 wrote to memory of 3568 3248 compiler.exe 101 PID 3248 wrote to memory of 3568 3248 compiler.exe 101 PID 3248 wrote to memory of 4244 3248 compiler.exe 102 PID 3248 wrote to memory of 4244 3248 compiler.exe 102 PID 3248 wrote to memory of 4244 3248 compiler.exe 102 PID 1508 wrote to memory of 4032 1508 dma.exe 105 PID 1508 wrote to memory of 4032 1508 dma.exe 105 PID 1508 wrote to memory of 4032 1508 dma.exe 105 PID 1508 wrote to memory of 4420 1508 dma.exe 106 PID 1508 wrote to memory of 4420 1508 dma.exe 106 PID 1508 wrote to memory of 4420 1508 dma.exe 106 PID 1508 wrote to memory of 4928 1508 dma.exe 107 PID 1508 wrote to memory of 4928 1508 dma.exe 107 PID 1508 wrote to memory of 4928 1508 dma.exe 107 PID 1508 wrote to memory of 1316 1508 dma.exe 108 PID 1508 wrote to memory of 1316 1508 dma.exe 108 PID 1508 wrote to memory of 1316 1508 dma.exe 108 PID 1508 wrote to memory of 692 1508 dma.exe 109 PID 1508 wrote to memory of 692 1508 dma.exe 109 PID 1508 wrote to memory of 692 1508 dma.exe 109 PID 1508 wrote to memory of 4408 1508 dma.exe 110 PID 1508 wrote to memory of 4408 1508 dma.exe 110 PID 1508 wrote to memory of 4408 1508 dma.exe 110 PID 1508 wrote to memory of 4364 1508 dma.exe 111 PID 1508 wrote to memory of 4364 1508 dma.exe 111 PID 1508 wrote to memory of 4364 1508 dma.exe 111 PID 1508 wrote to memory of 4364 1508 dma.exe 111 PID 1508 wrote to memory of 4364 1508 dma.exe 111 PID 1508 wrote to memory of 4364 1508 dma.exe 111 PID 1508 wrote to memory of 4364 1508 dma.exe 111 PID 1508 wrote to memory of 4364 1508 dma.exe 111 PID 1508 wrote to memory of 4364 1508 dma.exe 111
Processes
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Launcher.bat"1⤵
- Suspicious use of WriteProcessMemory
PID:4760 -
C:\Windows\system32\cacls.exe"C:\Windows\system32\cacls.exe" "C:\Windows\system32\config\system"2⤵PID:1896
-
-
C:\Users\Admin\AppData\Local\Temp\compiler.execompiler.exe config2⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:3248 -
C:\Windows\SysWOW64\schtasks.exeschtasks /create /sc daily /st 12:58 /f /tn WindowsSetup /tr "C:/Windows/System32/oobe/Setup.exe" /rl highest3⤵
- Creates scheduled task(s)
PID:3568
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Register-ScheduledTask -TaskName 'ZG1hNzc3' -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\sys\http\tcp\dma.exe') -Trigger (New-ScheduledTaskTrigger -At (Get-Date).AddMinutes(1) -Once) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries -StartWhenAvailable) -Force"3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4244
-
-
-
C:\Users\Admin\AppData\Roaming\sys\http\tcp\dma.exeC:\Users\Admin\AppData\Roaming\sys\http\tcp\dma.exe1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1508 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe2⤵PID:4032
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe2⤵PID:4420
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe2⤵PID:4928
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe2⤵PID:1316
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe2⤵PID:692
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe2⤵PID:4408
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4364
-
-
C:\Windows\system32\rundll32.exe"C:\Windows\system32\rundll32.exe" "C:\Windows\SYSTEM32\EDGEHTML.dll",#141 Microsoft.VCLibs.140.00_8wekyb3d8bbwe1⤵PID:4400
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k UnistackSvcGroup1⤵PID:4004
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
742KB
MD5544cd51a596619b78e9b54b70088307d
SHA14769ddd2dbc1dc44b758964ed0bd231b85880b65
SHA256dfce2d4d06de6452998b3c5b2dc33eaa6db2bd37810d04e3d02dc931887cfddd
SHA512f56d8b81022bb132d40aa78596da39b5c212d13b84b5c7d2c576bbf403924f1d22e750de3b09d1be30aea359f1b72c5043b19685fc9bf06d8040bfee16b17719
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
1024.3MB
MD51ecc53444cf7ff8f8c3d8635fe8cfa36
SHA17c5f36a85f9edaab7a17f21ec37f006d2444fb2f
SHA256c31659597021e4d8d768817270eb47db15ba4749df91219b9131692dae14138c
SHA51285db38e470feb70950937a2fe45ded6ca0b857b7da565106fee552706a67cdf974f47675402de9785ada25fe4c03013a7b031a90cdbbece282b8d494524acb3e