Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
  max time kernel: 131s
  max time network: 134s
  platform: windows7_x64
  resource: win7-20240215-en
  resource tags: arch:x64, arch:x86, image:win7-20240215-en, locale:en-us, os:windows7-x64, system
  submitted: 16/04/2024, 01:34
Behavioral task: behavioral1
  Sample: fd643dfa49e7411994295979b06bf68659ddb28f1942fe80f6149696d4aa0d2a.exe
  Resource: win7-20240215-en
General
  Target: fd643dfa49e7411994295979b06bf68659ddb28f1942fe80f6149696d4aa0d2a.exe
  Size: 9.8MB
  MD5: 946f9875958c6ff0a4ccbcc8717068a0
  SHA1: 229484accad0a2f744b0f7c857b12de1c2896f38
  SHA256: fd643dfa49e7411994295979b06bf68659ddb28f1942fe80f6149696d4aa0d2a
  SHA512: 5171ade7f004baf4c59da167eb9357e97744eb34e012bf6a2baa5c411488f56a011019cf53b994e26f18c92ebfbf66184779d9908e7bd35afd44132188466ada
  SSDEEP: 196608:VFg/KSH4rynHHiJrWnfossDb9NfwSdcvTP5AUewGUeF1w:VK/ZH4OniJrcOfwSdcv1A02w
Malware Config
Signatures
  Detect ZGRat V1 (1 IoC)
    resource: behavioral1/memory/2228-1-0x0000000000D20000-0x00000000016EE000-memory.dmp
    yara_rule: family_zgrat_v1
  Drops startup file (1 IoC)
    description: File created
    ioc: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\startup.bat
    Process: fd643dfa49e7411994295979b06bf68659ddb28f1942fe80f6149696d4aa0d2a.exe
  Executes dropped EXE (1 IoC)
    pid 2680, Process SysInitVal.exe
  Loads dropped DLL (9 IoCs)
    pid 2600, Process cmd.exe
    pid 2680, Process SysInitVal.exe (8 entries)
  Looks up external IP address via web service (2 IoCs)
    Uses a legitimate IP lookup service to find the infected system's external IP.
    flow 4, ioc api.ipify.org
    flow 5, ioc api.ipify.org
  Suspicious use of AdjustPrivilegeToken (1 IoC)
    description: Token: SeDebugPrivilege; pid 2680, Process SysInitVal.exe
  Suspicious use of WriteProcessMemory (8 IoCs)
    PID 2228 wrote to memory of 2600; Process fd643dfa49e7411994295979b06bf68659ddb28f1942fe80f6149696d4aa0d2a.exe; procid_target 28 (4 entries)
    PID 2600 wrote to memory of 2680; Process cmd.exe; procid_target 30 (4 entries)
Processes
  1. C:\Users\Admin\AppData\Local\Temp\fd643dfa49e7411994295979b06bf68659ddb28f1942fe80f6149696d4aa0d2a.exe
     command line: "C:\Users\Admin\AppData\Local\Temp\fd643dfa49e7411994295979b06bf68659ddb28f1942fe80f6149696d4aa0d2a.exe"
     PID: 2228
     - Drops startup file
     - Suspicious use of WriteProcessMemory
     2. C:\Windows\SysWOW64\cmd.exe
        command line: "cmd.exe" /C start C:\Users\Public\Release\SysInitVal.exe
        PID: 2600
        - Loads dropped DLL
        - Suspicious use of WriteProcessMemory
        3. C:\Users\Public\Release\SysInitVal.exe
           command line: C:\Users\Public\Release\SysInitVal.exe
           PID: 2680
           - Executes dropped EXE
           - Loads dropped DLL
           - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix
Downloads
  Filesize: 1.4MB
  Filesize: 28KB
  Filesize: 2KB
  Filesize: 51KB
  Filesize: 8.5MB