Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

satınalma...90.exe

windows7-x64

10

satınalma...90.exe

windows10-2004-x64

10

Resubmissions

29/11/2022, 08:08

221129-j12xnabb58 10

Analysis

  • max time kernel
    152s
  • max time network
    162s
  • platform
    windows7_x64
  • resource
    win7-20220901-en
  • resource tags

    arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
  • submitted
    29/11/2022, 08:08

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    satınalma siparişi 2310190.exe

  • Size

    400.0MB

  • MD5

    b9c62ad26109e6399a35b356b617f9bf

  • SHA1

    6a072c9b3ed98f1de2d78507243ec92a0f54bcb1

  • SHA256

    5017e949a8d2d34130e294840a09efaf5e2798f86a57d6d34e5f512fe9ae4daf

  • SHA512

    3d6904a769ed9c1de2728082759773d26bf6767cf4c8e1b04f39364cbf11f2d34ab8bea17fc48ce23480d8e2b3e4c6a8c2956097321bd86b7260c759294aadb5

  • SSDEEP

    384:IaRWJcgLYn79k8/mf7E++ptYcFmVc03K9t:UckU79k8mTKtYcFmVc6Kf

Score
10/10
warzoneratinfostealerpersistenceratspywarestealer

Malware Config

Signatures

  • WarzoneRat, AveMaria

    WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.

    ratinfostealerwarzonerat
  • Warzone RAT payload 8 IoCs
    rat
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 30 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\satınalma siparişi 2310190.exe
    "C:\Users\Admin\AppData\Local\Temp\satınalma siparişi 2310190.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1604
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "powershell" Get-Date
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:940
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAANQAwAA==
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:788
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
      2⤵
        PID:1244
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        2⤵
          PID:1480

      Network

      MITRE ATT&CK Enterprise v6

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
        Filesize

        7KB

        MD5

        c433032a62b9f1c6d8a153a2ca218457

        SHA1

        3d31ae9170ce113a566d962e14061261822e8121

        SHA256

        d8285b1f5d1c55abbb1b6ababd67462877a99ba0de9bc04fbded720285b7685b

        SHA512

        fd1d42331583f09222f400fddc9166013c2706b584ed76279d0d116f3086bd9bdf317fb5aaa26663806239c085aa662b67734c06ff45983c35bbe25748b30092

        Download Submit

      • memory/788-65-0x000000006E510000-0x000000006EABB000-memory.dmp

        Filesize

        5.7MB

        Download

      • memory/788-66-0x000000006E510000-0x000000006EABB000-memory.dmp

        Filesize

        5.7MB

        Download

      • memory/788-64-0x000000006E510000-0x000000006EABB000-memory.dmp

        Filesize

        5.7MB

        Download

      • memory/940-56-0x0000000076461000-0x0000000076463000-memory.dmp

        Filesize

        8KB

        Download

      • memory/940-58-0x000000006F790000-0x000000006FD3B000-memory.dmp

        Filesize

        5.7MB

        Download

      • memory/940-59-0x000000006F790000-0x000000006FD3B000-memory.dmp

        Filesize

        5.7MB

        Download

      • memory/1480-70-0x0000000000400000-0x0000000000568000-memory.dmp

        Filesize

        1.4MB

        Download

      • memory/1480-75-0x0000000000400000-0x0000000000568000-memory.dmp

        Filesize

        1.4MB

        Download

      • memory/1480-67-0x0000000000400000-0x0000000000568000-memory.dmp

        Filesize

        1.4MB

        Download

      • memory/1480-68-0x0000000000400000-0x0000000000568000-memory.dmp

        Filesize

        1.4MB

        Download

      • memory/1480-73-0x0000000000400000-0x0000000000568000-memory.dmp

        Filesize

        1.4MB

        Download

      • memory/1480-72-0x0000000000400000-0x0000000000568000-memory.dmp

        Filesize

        1.4MB

        Download

      • memory/1480-85-0x0000000008200000-0x0000000008284000-memory.dmp

        Filesize

        528KB

        Download

      • memory/1480-84-0x0000000000400000-0x0000000000568000-memory.dmp

        Filesize

        1.4MB

        Download

      • memory/1480-77-0x0000000000400000-0x0000000000568000-memory.dmp

        Filesize

        1.4MB

        Download

      • memory/1480-78-0x0000000000400000-0x0000000000568000-memory.dmp

        Filesize

        1.4MB

        Download

      • memory/1480-82-0x0000000000400000-0x0000000000568000-memory.dmp

        Filesize

        1.4MB

        Download

      • memory/1604-60-0x0000000005F10000-0x000000000612E000-memory.dmp

        Filesize

        2.1MB

        Download

      • memory/1604-54-0x0000000000E90000-0x0000000000E98000-memory.dmp

        Filesize

        32KB

        Download