Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

5

0e09cd29aa...2c.exe

windows10-1703-x64

10

Analysis

  • max time kernel
    856s
  • max time network
    1612s
  • platform
    windows10-1703_x64
  • resource
    win10-20240404-en
  • resource tags

    arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
  • submitted
    09/05/2024, 00:54

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    0e09cd29aa8d2132c8c0d343cca42500155ef9be2419241c7b15a99726b0aa2c.exe

  • Size

    1.1MB

  • MD5

    0c2885a542e3657e075c1293204f663d

  • SHA1

    33c0b535333dbdfb18da6798945c3ab2e992c2bc

  • SHA256

    0e09cd29aa8d2132c8c0d343cca42500155ef9be2419241c7b15a99726b0aa2c

  • SHA512

    1376c53fad25020a9227652905eb15c44fb0eece475bc528186b067e3143e2acf5764b8231e39515cf9e9ad0edbf83461c4f16331fde1a097d1de0462a1dedf5

  • SSDEEP

    24576:U4lavt0LkLL9IMixoEgeaIDVROzFnw+198UCsq9MmCS:jkwkn9IMHeaIDuFnwyjaPCS

Score
10/10
agentteslazgratkeyloggerratspywarestealertrojan

Malware Config

Signatures

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in visual basic.

    keyloggertrojanstealerspywareagenttesla
  • Detect ZGRat V1 34 IoCs
  • ZGRat

    ZGRat is remote access trojan written in C#.

    ratzgrat
  • Drops startup file 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Looks up external IP address via web service 2 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious behavior: MapViewOfSection 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of FindShellTrayWindow 6 IoCs
  • Suspicious use of SendNotifyMessage 6 IoCs
  • Suspicious use of WriteProcessMemory 13 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\0e09cd29aa8d2132c8c0d343cca42500155ef9be2419241c7b15a99726b0aa2c.exe
    "C:\Users\Admin\AppData\Local\Temp\0e09cd29aa8d2132c8c0d343cca42500155ef9be2419241c7b15a99726b0aa2c.exe"
    1⤵
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:4512
    • C:\Users\Admin\AppData\Local\directory\name.exe
      "C:\Users\Admin\AppData\Local\Temp\0e09cd29aa8d2132c8c0d343cca42500155ef9be2419241c7b15a99726b0aa2c.exe"
      2⤵
      • Drops startup file
      • Executes dropped EXE
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of WriteProcessMemory
      PID:2448
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
        "C:\Users\Admin\AppData\Local\Temp\0e09cd29aa8d2132c8c0d343cca42500155ef9be2419241c7b15a99726b0aa2c.exe"
        3⤵
          PID:4732
        • C:\Users\Admin\AppData\Local\directory\name.exe
          "C:\Users\Admin\AppData\Local\directory\name.exe"
          3⤵
          • Executes dropped EXE
          • Suspicious use of SetThreadContext
          • Suspicious behavior: MapViewOfSection
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of SendNotifyMessage
          • Suspicious use of WriteProcessMemory
          PID:2532
          • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
            "C:\Users\Admin\AppData\Local\directory\name.exe"
            4⤵
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1944

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\aut34C1.tmp
      Filesize

      9KB

      MD5

      f71a0a1a58dc6390331cc56629d406dc

      SHA1

      2fe32e196eb40cfcc34b6004d353252b1afc9e77

      SHA256

      246898bca4fcdfa86e1c4f6e26fd298e9955a2f37c95c4e14c32bbeccc693196

      SHA512

      f84ab89907390c5e38311f41439ca0dc0a950577997af001355ef849b8eee08bb33c402d5885d5d25890f01b5ec15f77ece4e3214d21a068017d0512f8ac2934

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\autE416.tmp
      Filesize

      262KB

      MD5

      79ed92f60cb4cf94ab17f9e34d2bc976

      SHA1

      db5bf6a36e3b0a8734b9d2bc62ad1769d142de6f

      SHA256

      52e40c5543fb6d12f0ccf41b4473f32734fdcadb24a33fcb1deeec3c5d1d0322

      SHA512

      7a4b1cc21094a278d29cd477f613cdc882c260f2c1fc1ea47ba7c8ea37c6adf0bb9d89c12aada9e431065e606fade96ee04afa38ce78a26b4d523a4838e2dcbb

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\rhombiform
      Filesize

      29KB

      MD5

      71a1a397de0241edb69ba26e4d1a6de2

      SHA1

      f1ef83f74085c7b2afebed1542c5bc0a406c29cf

      SHA256

      5bd9f63f66ee056a1ac8307a72c42bc3d4af5167a2b6a8bc69271cbb6b3433c3

      SHA512

      4b157a9a62c4296395fa7a664a548b3ce89450591fb51d257b077878cc5ba8f8cea294031a76ae4b71b7c57e9cc100cdf7a24b1657109f79934990cb73a4ea4b

      Download Submit

    • memory/1944-85-0x0000000002F20000-0x0000000002F6D000-memory.dmp

      Filesize

      308KB

      Download

    • memory/1944-77-0x0000000002F20000-0x0000000002F6D000-memory.dmp

      Filesize

      308KB

      Download

    • memory/1944-75-0x0000000002F20000-0x0000000002F6D000-memory.dmp

      Filesize

      308KB

      Download

    • memory/1944-49-0x0000000002B90000-0x0000000002BE4000-memory.dmp

      Filesize

      336KB

      Download

    • memory/1944-50-0x0000000005A10000-0x0000000005F0E000-memory.dmp

      Filesize

      5.0MB

      Download

    • memory/1944-51-0x0000000002F20000-0x0000000002F74000-memory.dmp

      Filesize

      336KB

      Download

    • memory/1944-87-0x0000000002F20000-0x0000000002F6D000-memory.dmp

      Filesize

      308KB

      Download

    • memory/1944-93-0x0000000002F20000-0x0000000002F6D000-memory.dmp

      Filesize

      308KB

      Download

    • memory/1944-113-0x0000000002F20000-0x0000000002F6D000-memory.dmp

      Filesize

      308KB

      Download

    • memory/1944-109-0x0000000002F20000-0x0000000002F6D000-memory.dmp

      Filesize

      308KB

      Download

    • memory/1944-107-0x0000000002F20000-0x0000000002F6D000-memory.dmp

      Filesize

      308KB

      Download

    • memory/1944-105-0x0000000002F20000-0x0000000002F6D000-memory.dmp

      Filesize

      308KB

      Download

    • memory/1944-103-0x0000000002F20000-0x0000000002F6D000-memory.dmp

      Filesize

      308KB

      Download

    • memory/1944-102-0x0000000002F20000-0x0000000002F6D000-memory.dmp

      Filesize

      308KB

      Download

    • memory/1944-99-0x0000000002F20000-0x0000000002F6D000-memory.dmp

      Filesize

      308KB

      Download

    • memory/1944-97-0x0000000002F20000-0x0000000002F6D000-memory.dmp

      Filesize

      308KB

      Download

    • memory/1944-91-0x0000000002F20000-0x0000000002F6D000-memory.dmp

      Filesize

      308KB

      Download

    • memory/1944-89-0x0000000002F20000-0x0000000002F6D000-memory.dmp

      Filesize

      308KB

      Download

    • memory/1944-1107-0x00000000067A0000-0x00000000067AA000-memory.dmp

      Filesize

      40KB

      Download

    • memory/1944-83-0x0000000002F20000-0x0000000002F6D000-memory.dmp

      Filesize

      308KB

      Download

    • memory/1944-47-0x0000000000400000-0x0000000000446000-memory.dmp

      Filesize

      280KB

      Download

    • memory/1944-81-0x0000000002F20000-0x0000000002F6D000-memory.dmp

      Filesize

      308KB

      Download

    • memory/1944-48-0x0000000000400000-0x0000000000446000-memory.dmp

      Filesize

      280KB

      Download

    • memory/1944-71-0x0000000002F20000-0x0000000002F6D000-memory.dmp

      Filesize

      308KB

      Download

    • memory/1944-69-0x0000000002F20000-0x0000000002F6D000-memory.dmp

      Filesize

      308KB

      Download

    • memory/1944-65-0x0000000002F20000-0x0000000002F6D000-memory.dmp

      Filesize

      308KB

      Download

    • memory/1944-63-0x0000000002F20000-0x0000000002F6D000-memory.dmp

      Filesize

      308KB

      Download

    • memory/1944-61-0x0000000002F20000-0x0000000002F6D000-memory.dmp

      Filesize

      308KB

      Download

    • memory/1944-59-0x0000000002F20000-0x0000000002F6D000-memory.dmp

      Filesize

      308KB

      Download

    • memory/1944-57-0x0000000002F20000-0x0000000002F6D000-memory.dmp

      Filesize

      308KB

      Download

    • memory/1944-111-0x0000000002F20000-0x0000000002F6D000-memory.dmp

      Filesize

      308KB

      Download

    • memory/1944-95-0x0000000002F20000-0x0000000002F6D000-memory.dmp

      Filesize

      308KB

      Download

    • memory/1944-79-0x0000000002F20000-0x0000000002F6D000-memory.dmp

      Filesize

      308KB

      Download

    • memory/1944-73-0x0000000002F20000-0x0000000002F6D000-memory.dmp

      Filesize

      308KB

      Download

    • memory/1944-67-0x0000000002F20000-0x0000000002F6D000-memory.dmp

      Filesize

      308KB

      Download

    • memory/1944-55-0x0000000002F20000-0x0000000002F6D000-memory.dmp

      Filesize

      308KB

      Download

    • memory/1944-53-0x0000000002F20000-0x0000000002F6D000-memory.dmp

      Filesize

      308KB

      Download

    • memory/1944-52-0x0000000002F20000-0x0000000002F6D000-memory.dmp

      Filesize

      308KB

      Download

    • memory/1944-1104-0x0000000005580000-0x00000000055E6000-memory.dmp

      Filesize

      408KB

      Download

    • memory/1944-1105-0x00000000067C0000-0x0000000006810000-memory.dmp

      Filesize

      320KB

      Download

    • memory/1944-1106-0x00000000068B0000-0x0000000006942000-memory.dmp

      Filesize

      584KB

      Download

    • memory/4512-12-0x0000000000CA0000-0x0000000000CA4000-memory.dmp

      Filesize

      16KB

      Download