Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

10

a036a9b545...0c.exe

windows7-x64

10

a036a9b545...0c.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    132s
  • max time network
    149s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
  • submitted
    12/05/2024, 14:19

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    a036a9b545279b459cdecc58373e87c881683548c000c0aaa58ed552a1c10e0c.exe

  • Size

    2.1MB

  • MD5

    d86ddf1a6b51159906020e5efbe1ba92

  • SHA1

    4cae49c47e8bd1a0a945ab076bfbe2917ccc64b4

  • SHA256

    a036a9b545279b459cdecc58373e87c881683548c000c0aaa58ed552a1c10e0c

  • SHA512

    09db2385b34eca95a23cc19ce58a8945705662bfc817f836437bbe260986ea507fa0739da90f9c18d16c3cdf08f33a32bb8332fc11084f5f10df90f74ba9de21

  • SSDEEP

    24576:2TbBv5rUyXVYnL4FjYmL0J1HlbR6a2BbVgnTQcj+7nanx3GWFQjCDl5E85qcMeL9:IBJYEFbLbMnTQZanxSjC3v5+jml

Score
10/10
zgratratspywarestealer

Malware Config

Signatures

  • Detect ZGRat V1 3 IoCs
  • ZGRat

    ZGRat is remote access trojan written in C#.

    ratzgrat
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Drops file in Program Files directory 2 IoCs
  • Drops file in Windows directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 24 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\a036a9b545279b459cdecc58373e87c881683548c000c0aaa58ed552a1c10e0c.exe
    "C:\Users\Admin\AppData\Local\Temp\a036a9b545279b459cdecc58373e87c881683548c000c0aaa58ed552a1c10e0c.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1724
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\SavesMonitor\RmK92.vbe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2432
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c ""C:\SavesMonitor\CXb1cErhNTIpSAGADF.bat" "
        3⤵
        • Loads dropped DLL
        • Suspicious use of WriteProcessMemory
        PID:2692
        • C:\SavesMonitor\Blockcontainerproviderdhcp.exe
          "C:\SavesMonitor/Blockcontainerproviderdhcp.exe"
          4⤵
          • Executes dropped EXE
          • Drops file in Program Files directory
          • Drops file in Windows directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2732
          • C:\Windows\System32\cmd.exe
            "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\tn7napX3i5.bat"
            5⤵
            • Suspicious use of WriteProcessMemory
            PID:2656
            • C:\Windows\system32\chcp.com
              chcp 65001
              6⤵
                PID:2504
              • C:\Windows\system32\w32tm.exe
                w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                6⤵
                  PID:2512
                • C:\Recovery\ed850442-d104-11ee-9c57-c695cbc44580\lsm.exe
                  "C:\Recovery\ed850442-d104-11ee-9c57-c695cbc44580\lsm.exe"
                  6⤵
                  • Executes dropped EXE
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious behavior: GetForegroundWindowSpam
                  • Suspicious use of AdjustPrivilegeToken
                  PID:2244

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\SavesMonitor\Blockcontainerproviderdhcp.exe
        Filesize

        1.8MB

        MD5

        6c43270f19233761545141a2175d00bc

        SHA1

        2af739400dd238badc0b7e9ce3d45e1eb0023e48

        SHA256

        27b5ff20a635463564a1b19868af62916c29453654d703aee7482b391b554de4

        SHA512

        b43a8964c58fb933a80bcdd8b688d8ffda33a832e831ae8c2b54323908c5fe7c87953f24836ee987802d9429f1cd313947d3df988a90817f651edcf89c6586d6

        Download Submit

      • C:\SavesMonitor\CXb1cErhNTIpSAGADF.bat
        Filesize

        92B

        MD5

        a65e78a870380ac9c4ba083569959d4a

        SHA1

        8d6c9d55106b4ac275b873db16c069a27b79609f

        SHA256

        d82e913f336059d8b7e9adf0832357d82b746230c75a997613b00714e86ddf30

        SHA512

        9021e5dc54bff72ccb2b62d6c13f44dbb90c04f4b88513bbee04b559290bf93f149cdfb574cc8ce6d645237e9f7effb0b5e267d33db1d0ecafe2da7a159e2b44

        Download Submit

      • C:\SavesMonitor\RmK92.vbe
        Filesize

        208B

        MD5

        252c8a936c61108036239630f110d0b9

        SHA1

        765fa5076b12b640ab968cc5279b540e9f161341

        SHA256

        d16aa2383787258cc998e0f6a1d48f62ceb3c11068355c2eed26cdd74dc97b34

        SHA512

        d333fa3186c904c52b5685bb3e9197f25a0a4980955d973e1e99a84433821ebf5dcdb1faad21e5554eea940bd219fb92cf92e77e6be72d187692ae22e3856de5

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\tn7napX3i5.bat
        Filesize

        232B

        MD5

        e69bfad2ef5d8da31d2b9b0928bca7e4

        SHA1

        8588338e1b0911657992e2da070a9d093aeb76a7

        SHA256

        a29cf03bec012545e1e5b3596a66bb1901b6fce0fc9e548918a439a46c35ad85

        SHA512

        cd8f948741c602f5890e6684670575ffb28e09aed940e1230d18312dee1c19394773a7d24d6cded4b7570ea0764fd1cbc3aacdbd7af1646d512771076d1f63bc

        Download Submit

      • memory/2244-40-0x00000000008D0000-0x0000000000AAA000-memory.dmp

        Filesize

        1.9MB

        Download

      • memory/2732-13-0x0000000001060000-0x000000000123A000-memory.dmp

        Filesize

        1.9MB

        Download

      • memory/2732-15-0x00000000004F0000-0x00000000004FE000-memory.dmp

        Filesize

        56KB

        Download

      • memory/2732-19-0x0000000000540000-0x0000000000558000-memory.dmp

        Filesize

        96KB

        Download

      • memory/2732-21-0x0000000000500000-0x000000000050C000-memory.dmp

        Filesize

        48KB

        Download

      • memory/2732-17-0x0000000000520000-0x000000000053C000-memory.dmp

        Filesize

        112KB

        Download