Analysis
max time kernel: 132s
max time network: 149s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 12/05/2024, 14:19
Behavioral task: behavioral1
Sample: a036a9b545279b459cdecc58373e87c881683548c000c0aaa58ed552a1c10e0c.exe
Resource: win7-20240221-en
General
Target: a036a9b545279b459cdecc58373e87c881683548c000c0aaa58ed552a1c10e0c.exe
Size: 2.1MB
MD5: d86ddf1a6b51159906020e5efbe1ba92
SHA1: 4cae49c47e8bd1a0a945ab076bfbe2917ccc64b4
SHA256: a036a9b545279b459cdecc58373e87c881683548c000c0aaa58ed552a1c10e0c
SHA512: 09db2385b34eca95a23cc19ce58a8945705662bfc817f836437bbe260986ea507fa0739da90f9c18d16c3cdf08f33a32bb8332fc11084f5f10df90f74ba9de21
SSDEEP: 24576:2TbBv5rUyXVYnL4FjYmL0J1HlbR6a2BbVgnTQcj+7nanx3GWFQjCDl5E85qcMeL9:IBJYEFbLbMnTQZanxSjC3v5+jml
Malware Config
Signatures
Detect ZGRat V1 (3 IoCs)
resource  |  yara_rule
behavioral1/files/0x0034000000013f21-12.dat  |  family_zgrat_v1
behavioral1/memory/2732-13-0x0000000001060000-0x000000000123A000-memory.dmp  |  family_zgrat_v1
behavioral1/memory/2244-40-0x00000000008D0000-0x0000000000AAA000-memory.dmp  |  family_zgrat_v1

Executes dropped EXE (2 IoCs)
pid  |  Process
2732  |  Blockcontainerproviderdhcp.exe
2244  |  lsm.exe

Loads dropped DLL (2 IoCs)
pid  |  Process
2692  |  cmd.exe
2692  |  cmd.exe
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Drops file in Program Files directory (2 IoCs)
description  |  ioc  |  Process
File created  |  C:\Program Files\Windows NT\Accessories\ja-JP\lsm.exe  |  Blockcontainerproviderdhcp.exe
File created  |  C:\Program Files\Windows NT\Accessories\ja-JP\101b941d020240  |  Blockcontainerproviderdhcp.exe

Drops file in Windows directory (2 IoCs)
description  |  ioc  |  Process
File created  |  C:\Windows\Microsoft.NET\authman\csrss.exe  |  Blockcontainerproviderdhcp.exe
File created  |  C:\Windows\Microsoft.NET\authman\886983d96e3d3e  |  Blockcontainerproviderdhcp.exe

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
Suspicious behavior: EnumeratesProcesses (64 IoCs; identical rows collapsed with a count)
pid  |  Process  |  rows
2732  |  Blockcontainerproviderdhcp.exe  |  57
2244  |  lsm.exe  |  7

Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
pid  |  Process
2244  |  lsm.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)
description  |  pid  |  Process
Token: SeDebugPrivilege  |  2732  |  Blockcontainerproviderdhcp.exe
Token: SeDebugPrivilege  |  2244  |  lsm.exe
Suspicious use of WriteProcessMemory (24 IoCs; identical rows collapsed with a count)
description  |  pid  |  Process  |  procid_target  |  rows
PID 1724 wrote to memory of 2432  |  1724  |  a036a9b545279b459cdecc58373e87c881683548c000c0aaa58ed552a1c10e0c.exe  |  28  |  4
PID 2432 wrote to memory of 2692  |  2432  |  WScript.exe  |  29  |  4
PID 2692 wrote to memory of 2732  |  2692  |  cmd.exe  |  31  |  4
PID 2732 wrote to memory of 2656  |  2732  |  Blockcontainerproviderdhcp.exe  |  32  |  3
PID 2656 wrote to memory of 2504  |  2656  |  cmd.exe  |  34  |  3
PID 2656 wrote to memory of 2512  |  2656  |  cmd.exe  |  35  |  3
PID 2656 wrote to memory of 2244  |  2656  |  cmd.exe  |  36  |  3
Processes (indentation shows parent/child nesting; depth 1 is the submitted sample)
C:\Users\Admin\AppData\Local\Temp\a036a9b545279b459cdecc58373e87c881683548c000c0aaa58ed552a1c10e0c.exe
  cmdline: "C:\Users\Admin\AppData\Local\Temp\a036a9b545279b459cdecc58373e87c881683548c000c0aaa58ed552a1c10e0c.exe"
  PID: 1724
  - Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\WScript.exe
    cmdline: "C:\Windows\System32\WScript.exe" "C:\SavesMonitor\RmK92.vbe"
    PID: 2432
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\cmd.exe
      cmdline: cmd /c ""C:\SavesMonitor\CXb1cErhNTIpSAGADF.bat" "
      PID: 2692
      - Loads dropped DLL
      - Suspicious use of WriteProcessMemory
      C:\SavesMonitor\Blockcontainerproviderdhcp.exe
        cmdline: "C:\SavesMonitor/Blockcontainerproviderdhcp.exe"
        PID: 2732
        - Executes dropped EXE
        - Drops file in Program Files directory
        - Drops file in Windows directory
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        C:\Windows\System32\cmd.exe
          cmdline: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\tn7napX3i5.bat"
          PID: 2656
          - Suspicious use of WriteProcessMemory
          C:\Windows\system32\chcp.com
            cmdline: chcp 65001
            PID: 2504
          C:\Windows\system32\w32tm.exe
            cmdline: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
            PID: 2512
          C:\Recovery\ed850442-d104-11ee-9c57-c695cbc44580\lsm.exe
            cmdline: "C:\Recovery\ed850442-d104-11ee-9c57-c695cbc44580\lsm.exe"
            PID: 2244
            - Executes dropped EXE
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious behavior: GetForegroundWindowSpam
            - Suspicious use of AdjustPrivilegeToken
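The process tree is the part of this report a responder pivots on: the submitted sample runs an encoded VBScript (.vbe) through WScript.exe, that script runs a batch file which starts the dropped Blockcontainerproviderdhcp.exe, and the dropper's own batch file calls chcp and w32tm before starting lsm.exe from C:\Recovery. The w32tm /stripchart call against localhost with /period:5 /samples:2 returns nothing useful; it is a sleep substitute that costs a few seconds and needs no network, and the lsm.exe / csrss.exe names are core Windows process names that legitimately run only from System32 or SysWOW64. The following Python hunt is an added example, not part of the Triage report or of the sample: it replays the tree as constructed process-creation events (images, PIDs and command lines are taken from the report, parent PIDs are inferred from the tree's nesting, and the placeholder parent PID 1000 for the sample is an assumption because the report does not show it) plus the four file paths from the Drops file signatures, and flags the three behaviours above along with the full parent chain of each hit.

```python
"""Hunt over process-creation and file-create events for the dropper chain
shown in the report above. Every event here is constructed from the report's
process tree and 'Drops file' signatures (parent PIDs inferred from the tree,
PID 1000 is a placeholder parent); this is not a real log export."""
import re
from dataclasses import dataclass
from pathlib import PureWindowsPath


@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str


SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\a036a9b545279b459cdecc58373e87c881683548c000c0aaa58ed552a1c10e0c.exe"

# Constructed to mirror the report's process tree.
EVENTS = [
    ProcEvent(1724, 1000, SAMPLE, f'"{SAMPLE}"'),
    ProcEvent(2432, 1724, r"C:\Windows\SysWOW64\WScript.exe",
              r'"C:\Windows\System32\WScript.exe" "C:\SavesMonitor\RmK92.vbe"'),
    ProcEvent(2692, 2432, r"C:\Windows\SysWOW64\cmd.exe",
              r'cmd /c ""C:\SavesMonitor\CXb1cErhNTIpSAGADF.bat" "'),
    ProcEvent(2732, 2692, r"C:\SavesMonitor\Blockcontainerproviderdhcp.exe",
              r'"C:\SavesMonitor/Blockcontainerproviderdhcp.exe"'),
    ProcEvent(2656, 2732, r"C:\Windows\System32\cmd.exe",
              r'"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\tn7napX3i5.bat"'),
    ProcEvent(2504, 2656, r"C:\Windows\system32\chcp.com", "chcp 65001"),
    ProcEvent(2512, 2656, r"C:\Windows\system32\w32tm.exe",
              "w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2"),
    ProcEvent(2244, 2656, r"C:\Recovery\ed850442-d104-11ee-9c57-c695cbc44580\lsm.exe",
              r'"C:\Recovery\ed850442-d104-11ee-9c57-c695cbc44580\lsm.exe"'),
]

# Constructed from the report's 'Drops file' signatures.
DROPPED_FILES = [
    r"C:\Program Files\Windows NT\Accessories\ja-JP\lsm.exe",
    r"C:\Program Files\Windows NT\Accessories\ja-JP\101b941d020240",
    r"C:\Windows\Microsoft.NET\authman\csrss.exe",
    r"C:\Windows\Microsoft.NET\authman\886983d96e3d3e",
]

# Core Windows process names that droppers reuse for payloads, and the only
# directories those names legitimately run from.
SYSTEM_NAMES = {"lsm.exe", "csrss.exe", "lsass.exe", "smss.exe", "svchost.exe",
                "wininit.exe", "winlogon.exe"}
SYSTEM_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}

ENCODED_SCRIPT_RE = re.compile(r"\.(vbe|jse)\b", re.I)
# w32tm /stripchart polling localhost for N samples takes about N*period
# seconds and needs no network: a common sleep substitute in batch droppers.
W32TM_DELAY_RE = re.compile(r"w32tm\s+/stripchart\b.*/computer:localhost", re.I)


def system_name_outside_system_dir(path: str):
    """Flag lsm.exe, csrss.exe etc. located anywhere but System32/SysWOW64."""
    p = PureWindowsPath(path)
    name = p.name.lower()
    if name in SYSTEM_NAMES and str(p.parent).lower() not in SYSTEM_DIRS:
        return f"{name} outside system directory: {p.parent}"
    return None


def masquerading_process(ev: ProcEvent):
    return system_name_outside_system_dir(ev.image)


def encoded_script_execution(ev: ProcEvent):
    """Script host running an encoded (.vbe/.jse) script."""
    host = PureWindowsPath(ev.image).name.lower()
    m = ENCODED_SCRIPT_RE.search(ev.cmdline)
    if host in ("wscript.exe", "cscript.exe") and m:
        return f"{host} running .{m.group(1).lower()} script: {ev.cmdline}"
    return None


def sleep_substitute(ev: ProcEvent):
    """w32tm /stripchart against localhost used as a delay before the payload."""
    if W32TM_DELAY_RE.search(ev.cmdline):
        return f"delay via: {ev.cmdline}"
    return None


def ancestry(ev: ProcEvent, by_pid: dict):
    """Walk ppid links back to the oldest ancestor we hold an event for."""
    chain = [ev]
    while chain[-1].ppid in by_pid:
        chain.append(by_pid[chain[-1].ppid])
    return list(reversed(chain))


def hunt(events, dropped_files):
    """Return (pid, rule, detail, context) per hit; pid is None for file drops,
    context is the ' -> ' joined parent chain for processes, the path for files."""
    by_pid = {e.pid: e for e in events}
    findings = []
    for ev in events:
        for rule in (masquerading_process, encoded_script_execution, sleep_substitute):
            detail = rule(ev)
            if detail:
                chain = " -> ".join(PureWindowsPath(e.image).name for e in ancestry(ev, by_pid))
                findings.append((ev.pid, rule.__name__, detail, chain))
    for path in dropped_files:
        detail = system_name_outside_system_dir(path)
        if detail:
            findings.append((None, "masquerading_file_drop", detail, path))
    return findings


if __name__ == "__main__":
    for pid, rule, detail, context in hunt(EVENTS, DROPPED_FILES):
        print(f"[{rule}] pid={pid} {detail}\n    {context}")
```

Run stand-alone it prints five findings: the .vbe execution (PID 2432), the w32tm delay (PID 2512), lsm.exe running from C:\Recovery (PID 2244) with its full chain back to the sample, and the two dropped lsm.exe / csrss.exe copies; the two companion files with hexadecimal names are not flagged because their names carry no signal on their own. The same rules apply unchanged to Sysmon event ID 1 and 11 records if the fields are mapped onto ProcEvent and a path list.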
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 1.8MB
MD5: 6c43270f19233761545141a2175d00bc
SHA1: 2af739400dd238badc0b7e9ce3d45e1eb0023e48
SHA256: 27b5ff20a635463564a1b19868af62916c29453654d703aee7482b391b554de4
SHA512: b43a8964c58fb933a80bcdd8b688d8ffda33a832e831ae8c2b54323908c5fe7c87953f24836ee987802d9429f1cd313947d3df988a90817f651edcf89c6586d6

Filesize: 92B
MD5: a65e78a870380ac9c4ba083569959d4a
SHA1: 8d6c9d55106b4ac275b873db16c069a27b79609f
SHA256: d82e913f336059d8b7e9adf0832357d82b746230c75a997613b00714e86ddf30
SHA512: 9021e5dc54bff72ccb2b62d6c13f44dbb90c04f4b88513bbee04b559290bf93f149cdfb574cc8ce6d645237e9f7effb0b5e267d33db1d0ecafe2da7a159e2b44

Filesize: 208B
MD5: 252c8a936c61108036239630f110d0b9
SHA1: 765fa5076b12b640ab968cc5279b540e9f161341
SHA256: d16aa2383787258cc998e0f6a1d48f62ceb3c11068355c2eed26cdd74dc97b34
SHA512: d333fa3186c904c52b5685bb3e9197f25a0a4980955d973e1e99a84433821ebf5dcdb1faad21e5554eea940bd219fb92cf92e77e6be72d187692ae22e3856de5

Filesize: 232B
MD5: e69bfad2ef5d8da31d2b9b0928bca7e4
SHA1: 8588338e1b0911657992e2da070a9d093aeb76a7
SHA256: a29cf03bec012545e1e5b3596a66bb1901b6fce0fc9e548918a439a46c35ad85
SHA512: cd8f948741c602f5890e6684670575ffb28e09aed940e1230d18312dee1c19394773a7d24d6cded4b7570ea0764fd1cbc3aacdbd7af1646d512771076d1f63bc