Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
118s -
max time network
139s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
11/09/2024, 03:21
Static task
static1
Behavioral task
behavioral1
Sample
dzaisizs.exe
Resource
win7-20240903-en
General
-
Target
dzaisizs.exe
-
Size
82.5MB
-
MD5
04bfd3d2646cc147337e0aeab839b62c
-
SHA1
92a45be66aea19d35280164c362b7b17476c9b8c
-
SHA256
82014edd40e79420edf3563f1d669f5e95804d95b56aa88e5e50257cc8558f75
-
SHA512
b700a5100b6e64b1d1b630e405b6a2438af9723ee5acdbc8cb1417ab07437da74837761e0a46675ec67810fd1a62603d616ba76c52169a0fbca9fb05020fa2de
-
SSDEEP
1572864:esFmG/LCRZCLYQUux91mt46TpmSHGErH5y0oBO/rWZqyKjVnQTnP+:ef0sQr1mt4WpmSzQBFyO+
Malware Config
Signatures
-
resource yara_rule behavioral1/memory/2732-0-0x0000000010000000-0x0000000010199000-memory.dmp purplefox_rootkit -
Gh0st RAT payload 1 IoCs
resource yara_rule behavioral1/memory/2732-0-0x0000000010000000-0x0000000010199000-memory.dmp family_gh0strat -
Enumerates connected drives 3 TTPs 22 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\B: dzaisizs.exe File opened (read-only) \??\H: dzaisizs.exe File opened (read-only) \??\U: dzaisizs.exe File opened (read-only) \??\Z: dzaisizs.exe File opened (read-only) \??\X: dzaisizs.exe File opened (read-only) \??\I: dzaisizs.exe File opened (read-only) \??\K: dzaisizs.exe File opened (read-only) \??\M: dzaisizs.exe File opened (read-only) \??\N: dzaisizs.exe File opened (read-only) \??\S: dzaisizs.exe File opened (read-only) \??\P: dzaisizs.exe File opened (read-only) \??\R: dzaisizs.exe File opened (read-only) \??\T: dzaisizs.exe File opened (read-only) \??\E: dzaisizs.exe File opened (read-only) \??\G: dzaisizs.exe File opened (read-only) \??\J: dzaisizs.exe File opened (read-only) \??\L: dzaisizs.exe File opened (read-only) \??\O: dzaisizs.exe File opened (read-only) \??\W: dzaisizs.exe File opened (read-only) \??\Y: dzaisizs.exe File opened (read-only) \??\Q: dzaisizs.exe File opened (read-only) \??\V: dzaisizs.exe -
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dzaisizs.exe -
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 dzaisizs.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz dzaisizs.exe -
Suspicious behavior: EnumeratesProcesses 34 IoCs
pid Process 2732 dzaisizs.exe 2732 dzaisizs.exe 2732 dzaisizs.exe 2732 dzaisizs.exe 2732 dzaisizs.exe 2732 dzaisizs.exe 2732 dzaisizs.exe 2732 dzaisizs.exe 2732 dzaisizs.exe 2732 dzaisizs.exe 2732 dzaisizs.exe 2732 dzaisizs.exe 2732 dzaisizs.exe 2732 dzaisizs.exe 2732 dzaisizs.exe 2732 dzaisizs.exe 2732 dzaisizs.exe 2732 dzaisizs.exe 2732 dzaisizs.exe 2732 dzaisizs.exe 2732 dzaisizs.exe 2732 dzaisizs.exe 2732 dzaisizs.exe 2732 dzaisizs.exe 2732 dzaisizs.exe 2732 dzaisizs.exe 2732 dzaisizs.exe 2732 dzaisizs.exe 2732 dzaisizs.exe 2732 dzaisizs.exe 2732 dzaisizs.exe 2732 dzaisizs.exe 2732 dzaisizs.exe 2732 dzaisizs.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
pid Process 2732 dzaisizs.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\dzaisizs.exe"C:\Users\Admin\AppData\Local\Temp\dzaisizs.exe"1⤵
- Enumerates connected drives
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2732