Analysis
max time kernel: 134s
max time network: 136s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 09/05/2024, 13:56
Static task: static1
Behavioral task behavioral1: sample 7z.dll, resource win7-20240508-en
Behavioral task behavioral2: sample 7z.dll, resource win10v2004-20240508-en
Behavioral task behavioral3: sample TORONTO.exe, resource win7-20240508-en
Behavioral task behavioral4: sample TORONTO.exe, resource win10v2004-20240508-en
Behavioral task behavioral5: sample opengl32sw.dll, resource win7-20240221-en
Behavioral task behavioral6: sample opengl32sw.dll, resource win10v2004-20240426-en
General
Target: TORONTO.exe
Size: 428KB
MD5: f01b98fc5d24395dbc3219624758fe94
SHA1: 4ebcbbec3c980d5d8a03be926dbb2608f0163861
SHA256: 20577a99d6c3fa639447096644f66fcb1b55b808de87a686749cfc7a658d3c38
SHA512: 7fe5c3732657cc6140ff1c53437f43ede9399c2bd2a59722f0f5c59dd8ec064e877f185574236192a219db497febcadc72ac69d9cf931f1fa775cdea36a23f51
SSDEEP: 6144:bJollhS4qdxjPxUUsDI6NioQMKNU3dnzeMutErZf5/9B9tuEwnlMLHt/kTpOgsme:9m/SNRuSNU35LyEJfBKEPLHt/q+KU
Malware Config
Signatures

Detect ZGRat V1 (1 IoC)
  resource: behavioral4/memory/4472-1-0x0000000000400000-0x000000000044A000-memory.dmp
  yara_rule: family_zgrat_v1

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.

RedLine payload (1 IoC)
  resource: behavioral4/memory/4472-1-0x0000000000400000-0x000000000044A000-memory.dmp
  yara_rule: family_redline

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)

Checks installed software on the system (1 TTP)
Looks up Uninstall key entries in the registry to enumerate software on the system.

Suspicious use of SetThreadContext (1 IoC)
  description: PID 4976 set thread context of 4472
  pid: 4976
  process: TORONTO.exe
  procid_target: 84

Suspicious behavior: EnumeratesProcesses (1 IoC)
  pid: 4472
  process: RegAsm.exe

Suspicious use of AdjustPrivilegeToken (1 IoC)
  description: Token: SeDebugPrivilege
  pid: 4472
  process: RegAsm.exe

Suspicious use of WriteProcessMemory (8 IoCs)
  description: PID 4976 wrote to memory of 4472
  pid: 4976
  process: TORONTO.exe
  procid_target: 84
  (8 identical entries)
Processes

1. C:\Users\Admin\AppData\Local\Temp\TORONTO.exe
   command line: "C:\Users\Admin\AppData\Local\Temp\TORONTO.exe"
   PID: 4976
   - Suspicious use of SetThreadContext
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
      command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
      PID: 4472
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

1. C:\Windows\System32\rundll32.exe
   command line: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
   PID: 4840