Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

3

winprofile

windows7-x64

10

winprofile

windows10-1703-x64

10

Analysis

  • max time kernel
    216s
  • max time network
    203s
  • platform
    windows7_x64
  • resource
    win7-20240419-en
  • resource tags

    arch:x64arch:x86image:win7-20240419-enlocale:en-usos:windows7-x64system
  • submitted
    08/05/2024, 23:19

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    73cf32b2f6aff72dc11d609f61ebaae2d5827f18c97b48d71fd724c19f394771.exe

  • Size

    372KB

  • MD5

    9f712ea5a04bfae2238764f668305642

  • SHA1

    864debdeec4d00430661070fc1dab479cfc8a6ef

  • SHA256

    73cf32b2f6aff72dc11d609f61ebaae2d5827f18c97b48d71fd724c19f394771

  • SHA512

    25ff360b96fd99abf9e0a6afbd489e3efdf76685b246384cd61ab692a828a1ee7cc508afd95273c10b45c5b7d358bee142a860b134f75375358045bf3b1363d3

  • SSDEEP

    6144:pl+08UGGfdzF7qxvwcB793ituNKkzXwGZTapV:p808UGgdtqrhauN3XwwapV

Score
10/10
stealczgratdiscoveryratstealer

Malware Config

Extracted

Family

stealc

C2

http://185.172.128.150

Attributes
  • url_path

    /c698e1bc8a2f5e6d.php

Signatures

  • Detect ZGRat V1 3 IoCs
  • Stealc

    Stealc is an infostealer written in C++.

    stealerstealc
  • ZGRat

    ZGRat is remote access trojan written in C#.

    ratzgrat
  • Downloads MZ/PE file
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 8 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of FindShellTrayWindow 7 IoCs
  • Suspicious use of SendNotifyMessage 7 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\73cf32b2f6aff72dc11d609f61ebaae2d5827f18c97b48d71fd724c19f394771.exe
    "C:\Users\Admin\AppData\Local\Temp\73cf32b2f6aff72dc11d609f61ebaae2d5827f18c97b48d71fd724c19f394771.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:992
    • C:\Users\Admin\AppData\Local\Temp\urk.0.exe
      "C:\Users\Admin\AppData\Local\Temp\urk.0.exe"
      2⤵
      • Executes dropped EXE
      • Checks processor information in registry
      • Suspicious behavior: EnumeratesProcesses
      PID:2488
    • C:\Users\Admin\AppData\Local\Temp\urk.1.exe
      "C:\Users\Admin\AppData\Local\Temp\urk.1.exe"
      2⤵
      • Executes dropped EXE
      • Checks SCSI registry key(s)
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of WriteProcessMemory
      PID:2716
      • C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
        "C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe" /eieci=11A12794-499E-4FA0-A281-A9A9AA8B2685 /eipi=5488CB36-BE62-4606-B07B-2EE938868BD1
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2776

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\ApplicationInsights\cb82900d7c0d19605a9c1adc1be5fc0aee77ab3bfdbb4ee40526b56ef2d7a2ce\abece7e37fe14b0183258def0f13236d.tmp
    Filesize

    1KB

    MD5

    581ab6417e85beabf59bdb020fed14ef

    SHA1

    6b2d8280aad27b6eadc0e1686b67b182866c3a4a

    SHA256

    92946a1a0b33dd01fb44f9cff4fbc9a5dc6e85a045a20b7fe198739e7fce7978

    SHA512

    7a278128ee2e583c68ad336da85544085710de329b782664b2f5abad2578578e349ccf5a32c8e1820e00d21a0598422957022a757a880e56280e9b0f7d15cfc7

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\iolo\dm\ioloDMLog.txt
    Filesize

    2KB

    MD5

    7f3bb1ddf8117d41972150e8a2458ffb

    SHA1

    4bea59e788a2c283996cdbcc7a8883f0e772052c

    SHA256

    9d146c48317e8a05d34027e15b8fd6edee892cf27597655e3eead9fe9b961206

    SHA512

    5dc34df0568b93ed98e1c0eeea29bedf97a52b3b5a1bebc45a274fc802464a8d537e84299470794f242fdab34472fe97edec60077ae558d40a6753ba83fdd215

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\iolo\dm\ioloDMLog.txt
    Filesize

    3KB

    MD5

    ac9ba5cf23fe94a623d1afed9cc5edb5

    SHA1

    838fd1df09361587c6a0b9d5c86bcabe8db2fa42

    SHA256

    b35a1c6989cddfa2c7ed053526d1b9123ef42c19b8a21398904fc8118944e8cf

    SHA512

    efc82146386c884af8b1222adfcfdeeb90874cee77198166d841578d94551530145df30dae5f9fdf7b86370a873d38779f0e71d69fee9da53f7673df1d84f693

    Download Submit

  • \Users\Admin\AppData\Local\Temp\urk.0.exe
    Filesize

    223KB

    MD5

    280229b137b0f36f2b18b9bc7841995d

    SHA1

    d800c8ecc758ccacfe9a91efd45904efcc17b84a

    SHA256

    49533fc0ca008e430d35fdabab4b200a70e629e62f5b16f9157b5a82b6494536

    SHA512

    aeb7566ad83b6b1a01e2d8f6e557a18a75a8bd4229f72cc9e1b1ffe9dd86d14469937eea221e0d436274d4444d4f1732098b98ca3ddc3c7aec65867107fbdec5

    Download Submit

  • \Users\Admin\AppData\Local\Temp\urk.1.exe
    Filesize

    4.6MB

    MD5

    397926927bca55be4a77839b1c44de6e

    SHA1

    e10f3434ef3021c399dbba047832f02b3c898dbd

    SHA256

    4f07e1095cc915b2d46eb149d1c3be14f3f4b4bd2742517265947fd23bdca5a7

    SHA512

    cf54136b977fc8af7e8746d78676d0d464362a8cfa2213e392487003b5034562ee802e6911760b98a847bddd36ad664f32d849af84d7e208d4648bd97a2fa954

    Download Submit

  • memory/992-2-0x0000000000400000-0x0000000001A27000-memory.dmp

    Filesize

    22.2MB

    Download

  • memory/992-34-0x0000000000400000-0x0000000001A27000-memory.dmp

    Filesize

    22.2MB

    Download

  • memory/992-1-0x0000000000400000-0x0000000001A27000-memory.dmp

    Filesize

    22.2MB

    Download

  • memory/2488-58-0x0000000000400000-0x0000000002574000-memory.dmp

    Filesize

    33.5MB

    Download

  • memory/2488-139-0x0000000000400000-0x0000000002574000-memory.dmp

    Filesize

    33.5MB

    Download

  • memory/2488-125-0x0000000000400000-0x0000000002574000-memory.dmp

    Filesize

    33.5MB

    Download

  • memory/2488-121-0x0000000000400000-0x0000000002574000-memory.dmp

    Filesize

    33.5MB

    Download

  • memory/2488-112-0x0000000000400000-0x0000000002574000-memory.dmp

    Filesize

    33.5MB

    Download

  • memory/2716-70-0x0000000000400000-0x00000000008AD000-memory.dmp

    Filesize

    4.7MB

    Download

  • memory/2776-79-0x000000001E660000-0x000000001E68A000-memory.dmp

    Filesize

    168KB

    Download

  • memory/2776-90-0x0000000005810000-0x0000000005832000-memory.dmp

    Filesize

    136KB

    Download

  • memory/2776-76-0x0000000005C00000-0x0000000005C24000-memory.dmp

    Filesize

    144KB

    Download

  • memory/2776-80-0x000000001E690000-0x000000001E742000-memory.dmp

    Filesize

    712KB

    Download

  • memory/2776-81-0x0000000000870000-0x000000000087A000-memory.dmp

    Filesize

    40KB

    Download

  • memory/2776-85-0x000000001FEB0000-0x00000000201B0000-memory.dmp

    Filesize

    3.0MB

    Download

  • memory/2776-87-0x0000000000890000-0x000000000089A000-memory.dmp

    Filesize

    40KB

    Download

  • memory/2776-88-0x0000000000920000-0x000000000092A000-memory.dmp

    Filesize

    40KB

    Download

  • memory/2776-89-0x000000001ECB0000-0x000000001ED12000-memory.dmp

    Filesize

    392KB

    Download

  • memory/2776-78-0x000000001E130000-0x000000001E13A000-memory.dmp

    Filesize

    40KB

    Download

  • memory/2776-93-0x0000000005830000-0x000000000583C000-memory.dmp

    Filesize

    48KB

    Download

  • memory/2776-99-0x0000000000890000-0x000000000089A000-memory.dmp

    Filesize

    40KB

    Download

  • memory/2776-98-0x0000000000890000-0x000000000089A000-memory.dmp

    Filesize

    40KB

    Download

  • memory/2776-75-0x0000000000930000-0x0000000000944000-memory.dmp

    Filesize

    80KB

    Download

  • memory/2776-74-0x0000000005860000-0x000000000586C000-memory.dmp

    Filesize

    48KB

    Download

  • memory/2776-73-0x0000000000450000-0x0000000000460000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2776-72-0x000000001EE30000-0x000000001EF3A000-memory.dmp

    Filesize

    1.0MB

    Download

  • memory/2776-71-0x0000000000940000-0x0000000004174000-memory.dmp

    Filesize

    56.2MB

    Download