Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

3

cryptolaemus

windows10-2004-x64

10

cryptolaemus

windows11-21h2-x64

8

Analysis

  • max time kernel
    149s
  • max time network
    152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240412-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
  • submitted
    23/04/2024, 14:40

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    f917cbb00490f27691097081db77cc38d0f776d374b2fbd40e4b592eeef578be.exe

  • Size

    3.9MB

  • MD5

    0d28c308c7d3af1f50a24cd98d59adbe

  • SHA1

    617eb940a77fffe2e8363f9a11430ebb56b4c988

  • SHA256

    f917cbb00490f27691097081db77cc38d0f776d374b2fbd40e4b592eeef578be

  • SHA512

    d71da6edef67bc977ac8564f75cc0e8cdd31c0a9b37253017122f522c4d2f1ece5d8a56642dab40e3d8651ad1d1233ba0a27f78a536ddf897ddd392dbebb5ae8

  • SSDEEP

    49152:/YQ9p/TMILu3UAJvYIJ7PBJw47zI8gFEtYnEZhNa+uOTapp5pP7eoi:DpgQEZPPT4Yj

Score
10/10
xmrigzgratevasionminerpersistencerat

Malware Config

Signatures

  • Detect ZGRat V1 1 IoCs
  • ZGRat

    ZGRat is remote access trojan written in C#.

    ratzgrat
  • xmrig

    XMRig is a high performance, open source, cross platform CPU/GPU miner.

    minerxmrig
  • XMRig Miner payload 12 IoCs
    miner
  • Disables RegEdit via registry modification 1 IoCs
    evasion
  • Disables Task Manager via registry modification
    evasion
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Suspicious use of SetThreadContext 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of WriteProcessMemory 22 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\f917cbb00490f27691097081db77cc38d0f776d374b2fbd40e4b592eeef578be.exe
    "C:\Users\Admin\AppData\Local\Temp\f917cbb00490f27691097081db77cc38d0f776d374b2fbd40e4b592eeef578be.exe"
    1⤵
    • Disables RegEdit via registry modification
    • Adds Run key to start application
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:1976
    • C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath $env:UserProfile
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3632
    • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:4056
      • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe -o 185.196.10.233:35662 -u ZEPHs72fKDmidnGGBpgHXJHNdpe49PRJa1tvHRycwAPy9VLQpybiQf527biDskd3jSJyDZY5UbzexC3Fnoxu4rBvgyx1b5vnkJf.RIG_CPU -p x --algo rx/0 --cpu-max-threads-hint=50
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of FindShellTrayWindow
        PID:4296

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_wibb3yh4.en0.ps1
    Filesize

    60B

    MD5

    d17fe0a3f47be24a6453e9ef58c94641

    SHA1

    6ab83620379fc69f80c0242105ddffd7d98d5d9d

    SHA256

    96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

    SHA512

    5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

    Download Submit

  • memory/3632-5-0x00000208D87C0000-0x00000208D87E2000-memory.dmp

    Filesize

    136KB

    Download

  • memory/3632-10-0x00007FFA81A10000-0x00007FFA824D1000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/3632-11-0x00000208F0C20000-0x00000208F0C30000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3632-12-0x00000208F0C20000-0x00000208F0C30000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3632-15-0x00007FFA81A10000-0x00007FFA824D1000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/4056-20-0x0000025872DD0000-0x0000025872DE0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4056-19-0x00007FFA81770000-0x00007FFA82231000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/4056-36-0x00007FFA81770000-0x00007FFA82231000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/4056-18-0x0000025872BE0000-0x0000025872CE2000-memory.dmp

    Filesize

    1.0MB

    Download

  • memory/4056-22-0x0000025872CE0000-0x0000025872D2C000-memory.dmp

    Filesize

    304KB

    Download

  • memory/4056-21-0x000002585A450000-0x000002585A4A6000-memory.dmp

    Filesize

    344KB

    Download

  • memory/4056-23-0x0000025872DD0000-0x0000025872DE0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4056-24-0x0000025872DD0000-0x0000025872DE0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4056-39-0x0000025872DD0000-0x0000025872DE0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4056-38-0x0000025872DD0000-0x0000025872DE0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4056-17-0x0000000140000000-0x00000001400A2000-memory.dmp

    Filesize

    648KB

    Download

  • memory/4056-37-0x0000025872DD0000-0x0000025872DE0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4296-27-0x0000000140000000-0x00000001407CF000-memory.dmp

    Filesize

    7.8MB

    Download

  • memory/4296-31-0x0000000140000000-0x00000001407CF000-memory.dmp

    Filesize

    7.8MB

    Download

  • memory/4296-29-0x0000000140000000-0x00000001407CF000-memory.dmp

    Filesize

    7.8MB

    Download

  • memory/4296-32-0x0000000140000000-0x00000001407CF000-memory.dmp

    Filesize

    7.8MB

    Download

  • memory/4296-33-0x0000000140000000-0x00000001407CF000-memory.dmp

    Filesize

    7.8MB

    Download

  • memory/4296-34-0x0000000140000000-0x00000001407CF000-memory.dmp

    Filesize

    7.8MB

    Download

  • memory/4296-35-0x0000028185A60000-0x0000028185A80000-memory.dmp

    Filesize

    128KB

    Download

  • memory/4296-30-0x0000000140000000-0x00000001407CF000-memory.dmp

    Filesize

    7.8MB

    Download

  • memory/4296-28-0x0000028185900000-0x0000028185920000-memory.dmp

    Filesize

    128KB

    Download

  • memory/4296-26-0x0000000140000000-0x00000001407CF000-memory.dmp

    Filesize

    7.8MB

    Download

  • memory/4296-25-0x0000000140000000-0x00000001407CF000-memory.dmp

    Filesize

    7.8MB

    Download

  • memory/4296-40-0x0000000140000000-0x00000001407CF000-memory.dmp

    Filesize

    7.8MB

    Download

  • memory/4296-41-0x0000000140000000-0x00000001407CF000-memory.dmp

    Filesize

    7.8MB

    Download

  • memory/4296-42-0x0000000140000000-0x00000001407CF000-memory.dmp

    Filesize

    7.8MB

    Download

  • memory/4296-43-0x0000028185A80000-0x0000028185AA0000-memory.dmp

    Filesize

    128KB

    Download

  • memory/4296-44-0x0000028185A80000-0x0000028185AA0000-memory.dmp

    Filesize

    128KB

    Download