Analysis

  • max time kernel
    120s
  • max time network
    156s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
  • submitted
    09/05/2024, 01:51

General

  • Target

    a10d2a23354cf0130e15d2bf55148e7c34131033b62500615a60bb6f13f0c53a.exe

  • Size

    6.1MB

  • MD5

    5186cafa1e8ce4e242411acc52996aaa

  • SHA1

    c14b7773f62bb601e4f910ae595cbc8d1f641c32

  • SHA256

    a10d2a23354cf0130e15d2bf55148e7c34131033b62500615a60bb6f13f0c53a

  • SHA512

    a351d17942033364fe8e8e48673c25a1b7988c83432961e35a036d54ab08c9a3b095b5784de9d7442e31f42e41401aaec79b3facd96fcd9a9fa93afd283eb42b

  • SSDEEP

    196608:ZwHfJ12mWXFSrOyruZ1e1l+Sc6Z2Fd6GymVVdq:QIFSrOwk0m3a9hMA

Signatures

  • Detect ZGRat V1 (6 IoCs)
  • ZGRat

    ZGRat is a remote access trojan written in C#.

  • Detects executables packed with an unregistered version of .NET Reactor (6 IoCs)
  • Disables Task Manager via registry modification
  • Executes dropped EXE (3 IoCs)
  • Loads dropped DLL (2 IoCs)
  • Reads user/profile data of web browsers (2 TTPs)

    Infostealers often target stored browser data, such as saved credentials.

  • Drops file in Program Files directory (7 IoCs)
  • Drops file in Windows directory (2 IoCs)
  • Enumerates physical storage devices (1 TTP)

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry key (1 TTP, 1 IoC)
  • Suspicious behavior: EnumeratesProcesses (64 IoCs)
  • Suspicious use of AdjustPrivilegeToken (2 IoCs)
  • Suspicious use of WriteProcessMemory (32 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\a10d2a23354cf0130e15d2bf55148e7c34131033b62500615a60bb6f13f0c53a.exe
    "C:\Users\Admin\AppData\Local\Temp\a10d2a23354cf0130e15d2bf55148e7c34131033b62500615a60bb6f13f0c53a.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1284
    • C:\Users\Admin\AppData\Local\Temp\MoonHack cfg helper.exe
      "C:\Users\Admin\AppData\Local\Temp\MoonHack cfg helper.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:2264
      • C:\Windows\SysWOW64\WScript.exe
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\componentRuntimehost\qJhC.vbe"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2676
        • C:\Windows\SysWOW64\cmd.exe
          cmd /c ""C:\Users\Admin\AppData\Roaming\componentRuntimehost\ZSAMlm727VnRbcACh79Hay0D7R9lrDKrBu.bat" "
          4⤵
          • Loads dropped DLL
          • Suspicious use of WriteProcessMemory
          PID:564
          • C:\Windows\SysWOW64\reg.exe
            reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
            5⤵
            • Modifies registry key
            PID:636
          • C:\Users\Admin\AppData\Roaming\componentRuntimehost\BridgeChainportWebInto.exe
            "C:\Users\Admin\AppData\Roaming\componentRuntimehost/BridgeChainportWebInto.exe"
            5⤵
            • Executes dropped EXE
            • Drops file in Program Files directory
            • Drops file in Windows directory
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:2408
            • C:\Windows\System32\cmd.exe
              "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\6ONt7i6u8S.bat"
              6⤵
              • Suspicious use of WriteProcessMemory
              PID:2412
              • C:\Windows\system32\chcp.com
                chcp 65001
                7⤵
                PID:2700
              • C:\Windows\system32\w32tm.exe
                w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                7⤵
                PID:2744
                  • C:\Program Files\VideoLAN\VLC\lua\System.exe
                    "C:\Program Files\VideoLAN\VLC\lua\System.exe"
                    7⤵
                    • Executes dropped EXE
                    • Suspicious use of AdjustPrivilegeToken
                    PID:1036

      Network

      MITRE ATT&CK Enterprise v15

      Downloads

      • C:\Program Files\VideoLAN\VLC\lua\System.exe

        Filesize

        1.2MB

        MD5

        4daa6418e407f8357916b02dc665c5a0

        SHA1

        11a70eb3a617bb14398ea0998d43aa336082232f

        SHA256

        505a811646b2dceaf90092c38b1ff0dd71745c1a876d8d3feba49276307800a6

        SHA512

        b50ec4b06f0b4a1ca07431d50bcaf73c0aff9423271a4f96fba3f1802c49beec0ef94c936d9e183c6f199ca57f579f25fe23081f37e3cd8288163245fde914ab

      • C:\Users\Admin\AppData\Local\Temp\6ONt7i6u8S.bat

        Filesize

        220B

        MD5

        37e29bb5e3b92806134e6e877e893519

        SHA1

        8e4bcfb072f952e7c8f770ad4fc176918d825ae0

        SHA256

        0459bcf60cbc01cb8b09693faccd2944ff2f2297d4213d3df20267d126c0d205

        SHA512

        1e9bc39c69fe8855d7338890b83c09b72dfc573dd72594e2a5365c707270fbc477b3fd8151242c03b45abb9555c6dab5b08be81c8ded21b4acfdf014f9c2d0f8

      • C:\Users\Admin\AppData\Local\Temp\MoonHack cfg helper.exe

        Filesize

        2.1MB

        MD5

        7909ebef4dcca4c12310ea3acd8f53f7

        SHA1

        d5e5c0210bd384378f24e9f9209124d4af6d3da7

        SHA256

        8eabb7d40887e02b4aa9933fdca0d5ee1d46a5a26a69a4da9279b6819742121a

        SHA512

        ec85375ea50bfa391120f6e8402bf8bfe34afefebfec8616dad3a76becbd73e1eca8bbaed1fb010de76d0e8f0ba34641ad4cb8f8a7a234050a13fca5bf1131cb

      • C:\Users\Admin\AppData\Roaming\componentRuntimehost\ZSAMlm727VnRbcACh79Hay0D7R9lrDKrBu.bat

        Filesize

        212B

        MD5

        f4846b111f4c8ced35bf1ed60502270f

        SHA1

        625bb8296688ca9cde0c60c60cc17ed83383050c

        SHA256

        2b20a48f281b60176569332a9e56f5aa7911ba9793f87f9729aafc81aab5a6cd

        SHA512

        ef77a850b15f988754eb17c48ce84e15bcf824c4bcc64ac7f5f372f86fee5738de67417fd0cf56271d1701b5256edcf4ad8603b5fab28016af8e28359967df67

      • C:\Users\Admin\AppData\Roaming\componentRuntimehost\qJhC.vbe

        Filesize

        240B

        MD5

        cf441f15daf3339180706cf594e97131

        SHA1

        ca5663745d79bd9196fea24b51d6061f79355d3c

        SHA256

        9a2afde59f2326a4cfbc827e87c7270da20d4a6e19e8d00b5b3a479c26f8ad13

        SHA512

        37d2b08ca78ee06fbcc93577a31a243670fd4efce506449e2e4e3b33c2319081e1f905f8651a642112386620f6551c1a598cdc7f69e682ee252fddc2fa9cde74

      • C:\Windows\Downloaded Program Files\csrss.exe

        Filesize

        2.8MB

        MD5

        6dc9114e994d3772fdb05caa7a1a41ab

        SHA1

        1cad245e2a1382953284a34ec7a4d58aa33a5b83

        SHA256

        0fe07459060e3fb8c153c76536eae3d7b7f4cfb62389225517411b0e5263940e

        SHA512

        4c3b38f18e9602afeb6aa42cdedbf40e01ad3da45e4e9637544e442576091e1a8b7c0a3059e302676f8f32fe6f46b1e4c4f97dd69fbd78822b8dc153f040049b

      • \Users\Admin\AppData\Roaming\componentRuntimehost\BridgeChainportWebInto.exe

        Filesize

        3.4MB

        MD5

        51a33d556ce031ad0a5e752f10b00a13

        SHA1

        f05e11e3034481de8590ee4afd912628cacfde9a

        SHA256

        eab0d35dc956885b222e69fde419f3974db712c98bbb23f41325388bde0cc341

        SHA512

        c27a18ebee3e32854e4ad136c3af7de753764a9b44fc024487eb4a197a3f68b506f8578c4beab63e23c64b4e8ce10d63d2987b78175a9691e9aec9fc13887356

      • memory/1036-82-0x0000000000090000-0x00000000003FA000-memory.dmp

        Filesize

        3.4MB

      • memory/1284-0-0x000007FEF5783000-0x000007FEF5784000-memory.dmp

        Filesize

        4KB

      • memory/1284-1-0x00000000009C0000-0x0000000000FE6000-memory.dmp

        Filesize

        6.1MB

      • memory/1284-3-0x000007FEF5780000-0x000007FEF616C000-memory.dmp

        Filesize

        9.9MB

      • memory/1284-11-0x000007FEF5780000-0x000007FEF616C000-memory.dmp

        Filesize

        9.9MB

      • memory/2408-41-0x00000000008E0000-0x00000000008EE000-memory.dmp

        Filesize

        56KB

      • memory/2408-51-0x0000000002300000-0x0000000002310000-memory.dmp

        Filesize

        64KB

      • memory/2408-37-0x00000000007B0000-0x00000000007C0000-memory.dmp

        Filesize

        64KB

      • memory/2408-39-0x00000000008D0000-0x00000000008E0000-memory.dmp

        Filesize

        64KB

      • memory/2408-33-0x0000000000770000-0x0000000000780000-memory.dmp

        Filesize

        64KB

      • memory/2408-43-0x0000000002390000-0x00000000023A2000-memory.dmp

        Filesize

        72KB

      • memory/2408-45-0x00000000022F0000-0x0000000002300000-memory.dmp

        Filesize

        64KB

      • memory/2408-47-0x00000000024D0000-0x00000000024E6000-memory.dmp

        Filesize

        88KB

      • memory/2408-49-0x00000000024F0000-0x0000000002502000-memory.dmp

        Filesize

        72KB

      • memory/2408-35-0x0000000000AB0000-0x0000000000AC8000-memory.dmp

        Filesize

        96KB

      • memory/2408-53-0x00000000023B0000-0x00000000023C0000-memory.dmp

        Filesize

        64KB

      • memory/2408-55-0x000000001AE40000-0x000000001AE9A000-memory.dmp

        Filesize

        360KB

      • memory/2408-57-0x00000000023C0000-0x00000000023CE000-memory.dmp

        Filesize

        56KB

      • memory/2408-59-0x000000001ADE0000-0x000000001ADF8000-memory.dmp

        Filesize

        96KB

      • memory/2408-61-0x0000000002510000-0x000000000251C000-memory.dmp

        Filesize

        48KB

      • memory/2408-63-0x000000001AFF0000-0x000000001B03E000-memory.dmp

        Filesize

        312KB

      • memory/2408-31-0x0000000000A90000-0x0000000000AAC000-memory.dmp

        Filesize

        112KB

      • memory/2408-29-0x0000000000760000-0x000000000076E000-memory.dmp

        Filesize

        56KB

      • memory/2408-27-0x0000000000780000-0x00000000007A6000-memory.dmp

        Filesize

        152KB

      • memory/2408-25-0x0000000000060000-0x00000000003CA000-memory.dmp

        Filesize

        3.4MB