Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

3

Ezxotfkmz.exe

windows7-x64

9

Ezxotfkmz.exe

windows10-1703-x64

10

Ezxotfkmz.exe

windows10-2004-x64

10

Ezxotfkmz.exe

windows11-21h2-x64

10

Resubmissions

09/04/2024, 03:49 UTC

240409-edcl2adf68 10

09/04/2024, 03:48 UTC

240409-ec33ladf59 10

09/04/2024, 03:47 UTC

240409-ecqr9sdf46 10

09/04/2024, 03:47 UTC

240409-eb8xfshb7t 10

03/04/2024, 12:14 UTC

240403-peb21add42 10

Analysis

  • max time kernel
    425s
  • max time network
    1147s
  • platform
    windows11-21h2_x64
  • resource
    win11-20240221-en
  • resource tags

    arch:x64arch:x86image:win11-20240221-enlocale:en-usos:windows11-21h2-x64system
  • submitted
    09/04/2024, 03:49 UTC

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Ezxotfkmz.exe

  • Size

    451KB

  • MD5

    0d34f2b095cbff0be00eb45758929907

  • SHA1

    3fa3b5e296d49c4d8e6dfc5d4b775a48609aca78

  • SHA256

    89d511c97a4e0f4bf48a72fe764adb6d3de9007859c7632dc07477f2062c2b20

  • SHA512

    6965e9d2c2b9a11bb428ba8ac47202b7d0d4aaf826f905fb0afee903b2ae4b85cec446b536721b84237aeeb08f03ff413a67c75c36ba78d85a6727831e7b6340

  • SSDEEP

    6144:xpHC550+1KYQ2JRpK3SRgadBU9RwfqUKDPi5xo/nY:xpis+S2JRpK3SRgKQ/n

Score
10/10
zgratrat

Malware Config

Signatures

  • Detect ZGRat V1 34 IoCs
  • ZGRat

    ZGRat is remote access trojan written in C#.

    ratzgrat
  • Drops startup file 1 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Program crash 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Ezxotfkmz.exe
    "C:\Users\Admin\AppData\Local\Temp\Ezxotfkmz.exe"
    1⤵
    • Drops startup file
    • Suspicious use of SetThreadContext
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2044
    • C:\Users\Admin\AppData\Local\Temp\Ezxotfkmz.exe
      "C:\Users\Admin\AppData\Local\Temp\Ezxotfkmz.exe"
      2⤵
        PID:2956
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 2956 -s 200
          3⤵
          • Program crash
          PID:3096
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 2956 -ip 2956
      1⤵
        PID:2460

      Network

      • flag-us
        DNS
        cdn.discordapp.com
        Ezxotfkmz.exe
        Remote address:
        8.8.8.8:53
        Request
        cdn.discordapp.com
        IN A
        Response
        cdn.discordapp.com
        IN A
        162.159.129.233
        cdn.discordapp.com
        IN A
        162.159.134.233
        cdn.discordapp.com
        IN A
        162.159.135.233
        cdn.discordapp.com
        IN A
        162.159.133.233
        cdn.discordapp.com
        IN A
        162.159.130.233
      • flag-us
        DNS
        8.8.8.8.in-addr.arpa
        Ezxotfkmz.exe
        Remote address:
        8.8.8.8:53
        Request
        8.8.8.8.in-addr.arpa
        IN PTR
        Response
        8.8.8.8.in-addr.arpa
        IN PTR
        dnsgoogle
      • flag-us
        DNS
        19.229.111.52.in-addr.arpa
        Ezxotfkmz.exe
        Remote address:
        8.8.8.8:53
        Request
        19.229.111.52.in-addr.arpa
        IN PTR
        Response
      • flag-us
        DNS
        91.16.208.104.in-addr.arpa
        Ezxotfkmz.exe
        Remote address:
        8.8.8.8:53
        Request
        91.16.208.104.in-addr.arpa
        IN PTR
        Response
      • flag-us
        DNS
        ocsp.digicert.com
        Ezxotfkmz.exe
        Remote address:
        8.8.8.8:53
        Request
        ocsp.digicert.com
        IN A
        Response
        ocsp.digicert.com
        IN CNAME
        ocsp.edge.digicert.com
        ocsp.edge.digicert.com
        IN CNAME
        fp2e7a.wpc.2be4.phicdn.net
        fp2e7a.wpc.2be4.phicdn.net
        IN CNAME
        fp2e7a.wpc.phicdn.net
        fp2e7a.wpc.phicdn.net
        IN A
        192.229.221.95
      • flag-us
        DNS
        95.221.229.192.in-addr.arpa
        Ezxotfkmz.exe
        Remote address:
        8.8.8.8:53
        Request
        95.221.229.192.in-addr.arpa
        IN PTR
        Response
      • flag-us
        DNS
        233.129.159.162.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        233.129.159.162.in-addr.arpa
        IN PTR
        Response
      • flag-us
        DNS
        nexusrules.officeapps.live.com
        Remote address:
        8.8.8.8:53
        Request
        nexusrules.officeapps.live.com
        IN A
        Response
        nexusrules.officeapps.live.com
        IN CNAME
        prod.nexusrules.live.com.akadns.net
        prod.nexusrules.live.com.akadns.net
        IN A
        52.111.229.19
      • flag-us
        DNS
        self.events.data.microsoft.com
        Remote address:
        8.8.8.8:53
        Request
        self.events.data.microsoft.com
        IN A
        Response
        self.events.data.microsoft.com
        IN CNAME
        self-events-data.trafficmanager.net
        self-events-data.trafficmanager.net
        IN CNAME
        onedscolprdcus17.centralus.cloudapp.azure.com
        onedscolprdcus17.centralus.cloudapp.azure.com
        IN A
        104.208.16.91
      • flag-us
        DNS
        ctldl.windowsupdate.com
        Remote address:
        8.8.8.8:53
        Request
        ctldl.windowsupdate.com
        IN A
        Response
        ctldl.windowsupdate.com
        IN CNAME
        wu-bg-shim.trafficmanager.net
        wu-bg-shim.trafficmanager.net
        IN CNAME
        download.windowsupdate.com.edgesuite.net
        download.windowsupdate.com.edgesuite.net
        IN CNAME
        a767.dspw65.akamai.net
        a767.dspw65.akamai.net
        IN A
        2.17.197.240
      • flag-us
        DNS
        240.197.17.2.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        240.197.17.2.in-addr.arpa
        IN PTR
        Response
        240.197.17.2.in-addr.arpa
        IN PTR
        a2-17-197-240deploystaticakamaitechnologiescom
      • flag-us
        DNS
        ctldl.windowsupdate.com
        Remote address:
        8.8.8.8:53
        Request
        ctldl.windowsupdate.com
        IN A
        Response
        ctldl.windowsupdate.com
        IN CNAME
        wu-bg-shim.trafficmanager.net
        wu-bg-shim.trafficmanager.net
        IN CNAME
        download.windowsupdate.com.edgesuite.net
        download.windowsupdate.com.edgesuite.net
        IN CNAME
        a767.dspw65.akamai.net
        a767.dspw65.akamai.net
        IN A
        2.17.197.240
      • 162.159.129.233:443
        cdn.discordapp.com
        tls
        Ezxotfkmz.exe
        134.5kB
         4.2MB
         2348
        3030
      • 8.8.8.8:53
        cdn.discordapp.com
        dns
        Ezxotfkmz.exe
        410 B
         850 B
         6
        6

        DNS Request

        cdn.discordapp.com

        DNS Response

        162.159.129.233
        162.159.134.233
        162.159.135.233
        162.159.133.233
        162.159.130.233

        DNS Request

        8.8.8.8.in-addr.arpa

        DNS Request

        19.229.111.52.in-addr.arpa

        DNS Request

        91.16.208.104.in-addr.arpa

        DNS Request

        ocsp.digicert.com

        DNS Response

        192.229.221.95

        DNS Request

        95.221.229.192.in-addr.arpa

      • 8.8.8.8:53
        233.129.159.162.in-addr.arpa
        dns
        435 B
         1.0kB
         6
        6

        DNS Request

        233.129.159.162.in-addr.arpa

        DNS Request

        nexusrules.officeapps.live.com

        DNS Response

        52.111.229.19

        DNS Request

        self.events.data.microsoft.com

        DNS Response

        104.208.16.91

        DNS Request

        ctldl.windowsupdate.com

        DNS Response

        2.17.197.240

        DNS Request

        240.197.17.2.in-addr.arpa

        DNS Request

        ctldl.windowsupdate.com

        DNS Response

        2.17.197.240

      MITRE ATT&CK Matrix

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • memory/2044-0-0x0000000074AC0000-0x0000000075271000-memory.dmp

        Filesize

        7.7MB

        Download

      • memory/2044-1-0x0000000000050000-0x00000000000C6000-memory.dmp

        Filesize

        472KB

        Download

      • memory/2044-2-0x0000000004B70000-0x0000000004B80000-memory.dmp

        Filesize

        64KB

        Download

      • memory/2044-3-0x00000000054D0000-0x00000000058B4000-memory.dmp

        Filesize

        3.9MB

        Download

      • memory/2044-4-0x00000000054D0000-0x00000000058AF000-memory.dmp

        Filesize

        3.9MB

        Download

      • memory/2044-5-0x00000000054D0000-0x00000000058AF000-memory.dmp

        Filesize

        3.9MB

        Download

      • memory/2044-7-0x00000000054D0000-0x00000000058AF000-memory.dmp

        Filesize

        3.9MB

        Download

      • memory/2044-9-0x00000000054D0000-0x00000000058AF000-memory.dmp

        Filesize

        3.9MB

        Download

      • memory/2044-11-0x00000000054D0000-0x00000000058AF000-memory.dmp

        Filesize

        3.9MB

        Download

      • memory/2044-13-0x00000000054D0000-0x00000000058AF000-memory.dmp

        Filesize

        3.9MB

        Download

      • memory/2044-15-0x00000000054D0000-0x00000000058AF000-memory.dmp

        Filesize

        3.9MB

        Download

      • memory/2044-17-0x00000000054D0000-0x00000000058AF000-memory.dmp

        Filesize

        3.9MB

        Download

      • memory/2044-19-0x00000000054D0000-0x00000000058AF000-memory.dmp

        Filesize

        3.9MB

        Download

      • memory/2044-21-0x00000000054D0000-0x00000000058AF000-memory.dmp

        Filesize

        3.9MB

        Download

      • memory/2044-23-0x00000000054D0000-0x00000000058AF000-memory.dmp

        Filesize

        3.9MB

        Download

      • memory/2044-25-0x00000000054D0000-0x00000000058AF000-memory.dmp

        Filesize

        3.9MB

        Download

      • memory/2044-27-0x00000000054D0000-0x00000000058AF000-memory.dmp

        Filesize

        3.9MB

        Download

      • memory/2044-29-0x00000000054D0000-0x00000000058AF000-memory.dmp

        Filesize

        3.9MB

        Download

      • memory/2044-31-0x00000000054D0000-0x00000000058AF000-memory.dmp

        Filesize

        3.9MB

        Download

      • memory/2044-33-0x00000000054D0000-0x00000000058AF000-memory.dmp

        Filesize

        3.9MB

        Download

      • memory/2044-35-0x00000000054D0000-0x00000000058AF000-memory.dmp

        Filesize

        3.9MB

        Download

      • memory/2044-37-0x00000000054D0000-0x00000000058AF000-memory.dmp

        Filesize

        3.9MB

        Download

      • memory/2044-39-0x00000000054D0000-0x00000000058AF000-memory.dmp

        Filesize

        3.9MB

        Download

      • memory/2044-41-0x00000000054D0000-0x00000000058AF000-memory.dmp

        Filesize

        3.9MB

        Download

      • memory/2044-43-0x00000000054D0000-0x00000000058AF000-memory.dmp

        Filesize

        3.9MB

        Download

      • memory/2044-45-0x00000000054D0000-0x00000000058AF000-memory.dmp

        Filesize

        3.9MB

        Download

      • memory/2044-47-0x00000000054D0000-0x00000000058AF000-memory.dmp

        Filesize

        3.9MB

        Download

      • memory/2044-49-0x00000000054D0000-0x00000000058AF000-memory.dmp

        Filesize

        3.9MB

        Download

      • memory/2044-51-0x00000000054D0000-0x00000000058AF000-memory.dmp

        Filesize

        3.9MB

        Download

      • memory/2044-53-0x00000000054D0000-0x00000000058AF000-memory.dmp

        Filesize

        3.9MB

        Download

      • memory/2044-55-0x00000000054D0000-0x00000000058AF000-memory.dmp

        Filesize

        3.9MB

        Download

      • memory/2044-57-0x00000000054D0000-0x00000000058AF000-memory.dmp

        Filesize

        3.9MB

        Download

      • memory/2044-59-0x00000000054D0000-0x00000000058AF000-memory.dmp

        Filesize

        3.9MB

        Download

      • memory/2044-61-0x00000000054D0000-0x00000000058AF000-memory.dmp

        Filesize

        3.9MB

        Download

      • memory/2044-63-0x00000000054D0000-0x00000000058AF000-memory.dmp

        Filesize

        3.9MB

        Download

      • memory/2044-65-0x00000000054D0000-0x00000000058AF000-memory.dmp

        Filesize

        3.9MB

        Download

      • memory/2044-67-0x00000000054D0000-0x00000000058AF000-memory.dmp

        Filesize

        3.9MB

        Download

      • memory/2044-1228-0x0000000074AC0000-0x0000000075271000-memory.dmp

        Filesize

        7.7MB

        Download

      • memory/2044-1400-0x0000000004B70000-0x0000000004B80000-memory.dmp

        Filesize

        64KB

        Download

      • memory/2044-4886-0x00000000007A0000-0x00000000007A1000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2044-4887-0x0000000006B80000-0x0000000006DA0000-memory.dmp

        Filesize

        2.1MB

        Download

      • memory/2044-4888-0x0000000000A20000-0x0000000000A6C000-memory.dmp

        Filesize

        304KB

        Download

      • memory/2044-4889-0x0000000007350000-0x00000000078F6000-memory.dmp

        Filesize

        5.6MB

        Download

      • memory/2044-4890-0x0000000000B10000-0x0000000000B64000-memory.dmp

        Filesize

        336KB

        Download

      • memory/2044-4899-0x0000000074AC0000-0x0000000075271000-memory.dmp

        Filesize

        7.7MB

        Download

      We care about your privacy.

      This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.