Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Resubmissions
03/05/2024, 20:57
240503-zrnlnseh9z 803/05/2024, 20:55
240503-zqlqpahh32 703/05/2024, 20:38
240503-zexntahf66 7Analysis
-
max time kernel
57s -
max time network
40s -
platform
windows10-2004_x64 -
resource
win10v2004-20240226-en -
resource tags
-
submitted
03/05/2024, 20:57
General
-
Target
Zif.Interface.OpcDa.4.16.4.exe
-
Size
5.0MB
-
MD5
76c8248c5ea0c43c13bfc599b8c8c52c
-
SHA1
e52826239f56871fa201c05b69e75f378f0b5320
-
SHA256
e41f23cb5f8bfc98bc4724859d0a28ec4b747e6022ae76f01bbf0e6afbbcf6cf
-
SHA512
35fcee8501135dc5321f805fe1346b21702908a02980bc5cf3bc30975da36360f52867f0bc1d2ecbd03cb5f1d8dae05c8d648fb98675fcf5fa1d22c89b09b0a9
-
SSDEEP
98304:ZOWwlEr4eijEBfjymyC0L/AVob9LXXn/fY3DiKj6DVprSRDMy+1X:EWwlEr4ecmB0L/++XXHW27reRDMTB
Malware Config
Signatures
-
Creates new service(s) 2 TTPs
-
Stops running service(s) 4 TTPs
-
Executes dropped EXE 2 IoCs
-
Loads dropped DLL 14 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Drops file in Program Files directory 64 IoCs
-
Launches sc.exe 3 IoCs
Sc.exe is a Windows utlilty to control services on the system.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Modifies registry class 10 IoCs
-
Runs ping.exe 1 TTPs 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 9 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of FindShellTrayWindow 1 IoCs
-
Suspicious use of WriteProcessMemory 18 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\Zif.Interface.OpcDa.4.16.4.exe"C:\Users\Admin\AppData\Local\Temp\Zif.Interface.OpcDa.4.16.4.exe"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\is-8IL8H.tmp\Zif.Interface.OpcDa.4.16.4.tmp"C:\Users\Admin\AppData\Local\Temp\is-8IL8H.tmp\Zif.Interface.OpcDa.4.16.4.tmp" /SL5="$80062,4955460,58368,C:\Users\Admin\AppData\Local\Temp\Zif.Interface.OpcDa.4.16.4.exe"2⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /C ""C:\Program Files (x86)\Zyfra\Zif.Interface.OpcDa\install.bat""3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\sc.exesc create Zif.Interface.OpcDa BinPath= "C:\Program Files (x86)\Zyfra\Zif.Interface.OpcDa\Zif.Interface.OpcDa.exe"4⤵
- Launches sc.exe
-
-
C:\Windows\SysWOW64\sc.exesc start Zif.Interface.OpcDa4⤵
- Launches sc.exe
-
-
C:\Windows\SysWOW64\PING.EXEping localhost -w 1000 -n 54⤵
- Runs ping.exe
-
-
C:\Windows\SysWOW64\sc.exesc stop Zif.Interface.OpcDa4⤵
- Launches sc.exe
-
-
-
-
C:\Program Files (x86)\Zyfra\Zif.Interface.OpcDa\Zif.Interface.OpcDa.exe"C:\Program Files (x86)\Zyfra\Zif.Interface.OpcDa\Zif.Interface.OpcDa.exe"1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4156 --field-trial-handle=2264,i,15001568551143786084,90255922961447677,262144 --variations-seed-version /prefetch:81⤵
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
3.2MB
MD50cf454b6ed4d9e46bc40306421e4b800
SHA19611aa929d35cbd86b87e40b628f60d5177d2411
SHA256e51721dc0647f4838b1abc592bd95fd8cb924716e8a64f83d4b947821fa1fa42
SHA51285262f1bc67a89911640f59a759b476b30ca644bd1a1d9cd3213cc8aae16d7cc6ea689815f19b146db1d26f7a75772ceb48e71e27940e3686a83eb2cf7e46048
-
Filesize
4KB
MD5f1a78175a5b231afba46396863fb7757
SHA16e0add3124e28741405b822229c7789e088fd4c4
SHA256b84c0c300c45cafc756cfdfa1776e4bb050e81810d1e9f752b2c6b974d37e155
SHA51280674a585cbeb0ab096b4f76437f2cbb4b798af193f6343b621c8ed0180dbd1f039209806794daa7336578b28680c9fa1ba31e546348bd6f5242a8bab5e96ba1
-
Filesize
275KB
MD52c57857a672e57e79790c4324ce62fe5
SHA18974ea0171b1c9d561504f6926c2783147b8623c
SHA25679036662c985cd2ce60ea2573bd155e65b46ba65f47a62e82ba503643d56fcce
SHA5122bcd8b4500d6bfe2dad73fd41b7bc5dfac29ad7d38bcf393513f25ed4c2626e127f82156b55e35070d042657a51e472a0792dd87befa00b702258ff3f1dfc805
-
Filesize
12KB
MD5cd3a1344eecdbbd7ce8091b5feea8a05
SHA12a225ab2435d9fac9cf10ccbfcaa54ad636184cc
SHA256e471e77a44fcaa385000d0f31bce4cda6f82a26fb06a79421b2567f777b4406b
SHA512c1787e2de85bb2de4aaec96f85dde2d26d31843210f19f190fbf9e956d67b3d3bb0c51e883cd610855c443be1de15699ac7188e9a73a2161109adb981328d856
-
Filesize
23KB
MD517a7eb7acf240c8957b8148050910e03
SHA1f449252b05caaf104d4e86004b3e8b21de4fb9a7
SHA256b7edef4d5b936c19aa424725d9234be9981d292386d8e4c925f633abc71339c5
SHA512aab0c5e5604e3cd3c0c62cbb902ac699599efa61769898b6cc75e7c3f2074da354c9f641aa7e7a19a603db4803dadef0e0d3517f327336f39caf6569f83389ad
-
Filesize
179KB
MD514b828ea075b29af9441d95245eda54a
SHA151a7ff0fd3a432ff3a6e40df240bc893ab801229
SHA256637163d1cdfbe65aa4c1fb005ac65912733c06c0e01fd953b918b88c02007bee
SHA51228785471e0be5d305ff716f93eec725291e41c6be98f6dc713f2ea7ae7de6f25427c775c1a5c221fdef9ec33d20962d4b5420805ed7aece1747541b3291e48ea
-
Filesize
27KB
MD543d35ab8225712dfe721033be97da5c4
SHA108772deec3e0f113926ca4d097503c9fb528ac15
SHA256cc03789520ce7adb9c8ad98b246a6e8113f1c4e14c51dd86b2b361506dd8903d
SHA512909796fbfa004494f39fd688f8c167494d43c77cdff9c7051dfa0f70e4c0aabbab5a86ecd163ed4e6212ecf59c61eb3f2c42a82a6e7aed5b536dda99f14e2b4a
-
Filesize
9KB
MD5021599076bceb4b6b99101d61b5c3f4e
SHA1f947d36560a28ad5c48a09447ff4c0c3ba284513
SHA25650985b4964d17f380fab77d7adc0afd61710c1dd35880c89f036c45daee6e36f
SHA5120729b1739fc2be1b4fb570b97cc296534bbd0edddcc73065c9f2723811bd449843e2e260fd42cc7d2b072e9517fceefef9376bd78a695a5f1395eecdc1f71493
-
Filesize
12KB
MD55fcc71eeb407abc5ed6fce6f7e6b7ad6
SHA12f3df394f0a1c6af61ce50fabb115d76225086f2
SHA256601bfe42f509e161fb531c962fb755a25bdc3ff74446c99695c2d26925b3ae39
SHA512bfa1efd381e8d9822cd6c6b99345c55617218c12a83c75acb0636a4066372c4c0d485499d3c792da9e76572fc632ca09723ae27f85c7f96d3fb619b72836d214
-
Filesize
48KB
MD5cf166de9d85294263401edb17c5df6d3
SHA1e4fe413e1d742a339722eddf3a58e54cd5662ad8
SHA2565f207964a19c81c864cd51c1adfc9554697e6bc3467c09bbd24eb28432da60c7
SHA512360e05e5dc3f741be0c974ce20d67714d68123740198858f90c1e057d06a060b3f53e298fb2801ab59147a8bc2f3e35d44d886ccb2b09a32c87462a3b8a264a2
-
Filesize
163B
MD5cbc84c1511bf62de51f839b6373bb51f
SHA192ac231c2d15e6b0667bbd841e3c4438549b765c
SHA256adf8cc62f36328651543fdeb6f8171db94d4cb1e6426bb1707c7b1ade0588c17
SHA5120c8108d59625ddfc297b872061b099175540b1276a7f90eb7302184691a88856ac3604537af26d5942ef960aaed21639de8549414e98fba6d77b8917f1220382
-
Filesize
702KB
MD51afbd25db5c9a90fe05309f7c4fbcf09
SHA1baf330b5c249ca925b4ea19a52fe8b2c27e547fa
SHA2563bb0ee5569fe5453c6b3fa25aa517b925d4f8d1f7ba3475e58fa09c46290658c
SHA5123a448f06862c6d163fd58b68b836d866ae513e04a69774abf5a0c5b7df74f5b9ee37240083760185618c5068bf93e7fd812e76b3e530639111fb1d74f4d28419
-
Filesize
764KB
-
Filesize
764KB
-
Filesize
764KB
-
Filesize
764KB
-
Filesize
32KB
-
Filesize
208KB
-
Filesize
48KB
-
Filesize
56KB
-
Filesize
304KB
-
Filesize
72KB
-
Filesize
7.7MB
-
Filesize
40KB
-
Filesize
4KB
-
Filesize
3.2MB
-
Filesize
7.7MB
-
Filesize
4KB
-
Filesize
7.7MB
-
Filesize
84KB
-
Filesize
44KB
-
Filesize
84KB
-
Filesize
84KB