Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

10

memez valorant.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    154s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240426-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
  • submitted
    11/05/2024, 08:02

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    memez valorant.exe

  • Size

    6.0MB

  • MD5

    8b79741f93dfe2a98005fcedb8cc9e09

  • SHA1

    e5b9ae63c045248ee3e0810e73b80f5f853e8574

  • SHA256

    7fdc605f25e5374bad102386657bc0189ffa5ab62c3a9cb0fb35f1cf95befafc

  • SHA512

    a3b3831a1993544253ae966b08f6976be286cdfa8d8a26816ea1dda1b2ae22f91018ce0c3772615bf9679c684dadb13a629f4e4dfafaff2f3ebf3a17c1f66bf9

  • SSDEEP

    24576:aTbBv5rUleX5BM3YIzE0+l8T8/7Vzy8/PoUNjmo59k1UWAaL511wElDeQpx1Kh:sBnX5BWt8j9hdvKDfucz2

Score
10/10
zgratratspywarestealer

Malware Config

Signatures

  • Detect ZGRat V1 2 IoCs
  • Process spawned unexpected child process 15 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • ZGRat

    ZGRat is remote access trojan written in C#.

    ratzgrat
  • Checks computer location settings 2 TTPs 3 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Drops file in Windows directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 15 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Modifies registry class 2 IoCs
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 10 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\memez valorant.exe
    "C:\Users\Admin\AppData\Local\Temp\memez valorant.exe"
    1⤵
    • Checks computer location settings
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:1512
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\MsServerBrokerDhcpSvc\OwAS3ElMz3sl8CiEcBXAKJJu9viU7wMG8nRST90KHZpLy5Zk.vbe"
      2⤵
      • Checks computer location settings
      • Suspicious use of WriteProcessMemory
      PID:4160
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\MsServerBrokerDhcpSvc\seUT6SF2g6LubjHj.bat" "
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1676
        • C:\Users\Admin\AppData\Roaming\MsServerBrokerDhcpSvc\WebSvc.exe
          "C:\Users\Admin\AppData\Roaming\MsServerBrokerDhcpSvc/WebSvc.exe"
          4⤵
          • Checks computer location settings
          • Executes dropped EXE
          • Drops file in Windows directory
          • Modifies registry class
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:1896
          • C:\Windows\System32\cmd.exe
            "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\CnAga65Iu2.bat"
            5⤵
              PID:1936
              • C:\Windows\system32\chcp.com
                chcp 65001
                6⤵
                  PID:1564
                • C:\Windows\system32\PING.EXE
                  ping -n 10 localhost
                  6⤵
                  • Runs ping.exe
                  PID:2348
                • C:\Users\Default\cmd.exe
                  "C:\Users\Default\cmd.exe"
                  6⤵
                  • Executes dropped EXE
                  • Suspicious behavior: GetForegroundWindowSpam
                  • Suspicious use of AdjustPrivilegeToken
                  PID:1164
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "smsss" /sc MINUTE /mo 10 /tr "'C:\Users\Default User\smss.exe'" /f
        1⤵
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:5092
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Users\Default User\smss.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:2880
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "smsss" /sc MINUTE /mo 10 /tr "'C:\Users\Default User\smss.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:2456
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "WebSvcW" /sc MINUTE /mo 5 /tr "'C:\Windows\addins\WebSvc.exe'" /f
        1⤵
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:3336
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "WebSvc" /sc ONLOGON /tr "'C:\Windows\addins\WebSvc.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:4852
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "WebSvcW" /sc MINUTE /mo 8 /tr "'C:\Windows\addins\WebSvc.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:2792
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Users\Admin\Searches\csrss.exe'" /f
        1⤵
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:2392
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\Admin\Searches\csrss.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:4060
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Users\Admin\Searches\csrss.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:1740
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 6 /tr "'C:\Users\Default\cmd.exe'" /f
        1⤵
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:3644
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Users\Default\cmd.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:1528
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 14 /tr "'C:\Users\Default\cmd.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:2124
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 10 /tr "'C:\Users\Default\dwm.exe'" /f
        1⤵
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:3808
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Users\Default\dwm.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:1136
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 6 /tr "'C:\Users\Default\dwm.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:3068

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Roaming\MsServerBrokerDhcpSvc\OwAS3ElMz3sl8CiEcBXAKJJu9viU7wMG8nRST90KHZpLy5Zk.vbe
        Filesize

        222B

        MD5

        6a3ee7dcfc0c1f8053c0d24d74dafd90

        SHA1

        3bb9d75f6c6628760941e0b3a54810195cc67485

        SHA256

        c48f0935f2db9a7260830834018fd7afebf39c4e9d7c4cad8aa4676008dd7715

        SHA512

        62b36d115ece66b8aa107c1befe78d1707cb2e80ca03288d9f62c3cbb7925d472cf479a89aec4bb29068c376629f119cfb6fdd2c69ed2e249cc16815fdda5496

        Download Submit

      • C:\Users\Admin\AppData\Roaming\MsServerBrokerDhcpSvc\WebSvc.exe
        Filesize

        5.7MB

        MD5

        f120ba47fc16392df01b1e947c7bd6d9

        SHA1

        4bf7e0d57c6aab657a2f93d7c66670b4d0d0ca21

        SHA256

        afa08d81487ba3c82f2b672aa340d78f7841090804de82846e3c6ec5244f239c

        SHA512

        f7ee529db6aca5525626b74cbe2eacc6871f58e6c41742c4d47cbf61ba6a7dc74d828b3b0f039a234f5560e8f53348104e6f182cf61656775f00d73769a9cdb6

        Download Submit

      • C:\Users\Admin\AppData\Roaming\MsServerBrokerDhcpSvc\seUT6SF2g6LubjHj.bat
        Filesize

        82B

        MD5

        cfb98ea195917bd9644b184e9c25a675

        SHA1

        a29083644d06efd7badb63b4a9f66451b3fa996d

        SHA256

        cdb06f3da2a27af06b3b1376f29899349ddb427d6777e70690c9bc4b9d3f8784

        SHA512

        433e0bbb68d1cbbc7148a77681f255bcb03aae2a41f958f3707e5f7a09878539b5186c8cd008e2c25448e8968f4bfd36eb138fdc8f0b7e56a4ac16e480a83dfc

        Download Submit

      • memory/1164-45-0x000000001CC60000-0x000000001CD2D000-memory.dmp

        Filesize

        820KB

        Download

      • memory/1896-13-0x00007FFB08253000-0x00007FFB08255000-memory.dmp

        Filesize

        8KB

        Download

      • memory/1896-12-0x0000000000EB0000-0x000000000108C000-memory.dmp

        Filesize

        1.9MB

        Download

      • memory/1896-15-0x0000000003150000-0x000000000315E000-memory.dmp

        Filesize

        56KB

        Download

      • memory/1896-17-0x00000000032E0000-0x00000000032FC000-memory.dmp

        Filesize

        112KB

        Download

      • memory/1896-18-0x000000001C910000-0x000000001C960000-memory.dmp

        Filesize

        320KB

        Download

      • memory/1896-20-0x0000000003300000-0x0000000003318000-memory.dmp

        Filesize

        96KB

        Download

      • memory/1896-22-0x00000000031A0000-0x00000000031AC000-memory.dmp

        Filesize

        48KB

        Download

      • memory/1896-38-0x000000001CFA0000-0x000000001D06D000-memory.dmp

        Filesize

        820KB

        Download