Analysis

max time kernel: 138s
max time network: 184s
platform: windows10-2004_x64
resource: win10v2004-20220812-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
submitted: 01/12/2022, 06:21
Static task: static1

Behavioral task: behavioral1
Sample: 574e031a4747d5e6315b894f983d3001.exe
Resource: win7-20220812-en

Behavioral task: behavioral2
Sample: 574e031a4747d5e6315b894f983d3001.exe
Resource: win10v2004-20220812-en
General

Target: 574e031a4747d5e6315b894f983d3001.exe
Size: 2.3MB
MD5: 574e031a4747d5e6315b894f983d3001
SHA1: 30222efc71057a20e085b757c7eadb75ee50b155
SHA256: 842fc15b363a849a21ce37a22bd237371576a0a92adc3718adce933dfbb16f83
SHA512: 7a204e8f508e5e0d0f798f996d53e301d8bc330b86f26dab55ed22495c4ed09c0bc149c2e7857cc1fa68f0e118092b8c9f1ab8d321540c8277fcfd52b76226a1
SSDEEP: 12288:2YSJAsjzCjawSIIgH8n7XAW76XcpjvV653IDqYheWiYWZaQKjYD:6JAsjvI
Malware Config
Signatures

WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins, sold as malware-as-a-service (MaaS).

Warzone RAT payload (2 IoCs)
resource | yara_rule
behavioral2/memory/3580-132-0x0000000002C50000-0x0000000003650000-memory.dmp | warzonerat
behavioral2/memory/3580-133-0x0000000002AD0000-0x0000000002C38000-memory.dmp | warzonerat

Drops startup file (2 IoCs)
description | ioc | process
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\programs.bat | 574e031a4747d5e6315b894f983d3001.exe
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\programs.bat:start | 574e031a4747d5e6315b894f983d3001.exe

NTFS ADS (2 IoCs)
description | ioc | process
File created | C:\Users\Admin\Documents\Documents:ApplicationData | 574e031a4747d5e6315b894f983d3001.exe
File opened for modification | C:\Users\Admin\Documents\Documents:ApplicationData | 574e031a4747d5e6315b894f983d3001.exe

Suspicious behavior: EnumeratesProcesses (2 IoCs)
pid | process
4012 | powershell.exe
4012 | powershell.exe

Suspicious use of AdjustPrivilegeToken (1 IoC)
description | pid | process
Token: SeDebugPrivilege | 4012 | powershell.exe

Suspicious use of WriteProcessMemory (3 IoCs)
description | pid | process | procid_target
PID 3580 wrote to memory of 4012 | 3580 | 574e031a4747d5e6315b894f983d3001.exe | 82
PID 3580 wrote to memory of 4012 | 3580 | 574e031a4747d5e6315b894f983d3001.exe | 82
PID 3580 wrote to memory of 4012 | 3580 | 574e031a4747d5e6315b894f983d3001.exe | 82
Processes

C:\Users\Admin\AppData\Local\Temp\574e031a4747d5e6315b894f983d3001.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\574e031a4747d5e6315b894f983d3001.exe"
  - Drops startup file
  - NTFS ADS
  - Suspicious use of WriteProcessMemory
  PID: 3580

  └─ C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
       command line: powershell Add-MpPreference -ExclusionPath C:\
       - Suspicious behavior: EnumeratesProcesses
       - Suspicious use of AdjustPrivilegeToken
       PID: 4012
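The signatures and process tree above boil down to three host artifacts: a programs.bat in the Startup folder that carries a named alternate data stream (programs.bat:start), a named stream on the Documents directory itself (Documents:ApplicationData), and a child powershell.exe that excludes the whole C:\ drive from Defender scanning. The following script is an added example, not part of the tria.ge report, that checks a live Windows 10 host for the same three artifacts. It assumes the Defender PowerShell module (Get-MpPreference) is present and that the report's sandbox user "Admin" maps to the current user's profile; the function name Find-WarzoneArtifacts and the "whole drive" regex are the author's own choices, not anything the report states.

```powershell
# Added example (not from the tria.ge report): host-side checks for the
# artifacts listed in the report. Run in an elevated PowerShell session on
# Windows 10 with the Defender module available. Function name and regex
# are assumptions made for this example.

function Find-WarzoneArtifacts {
    [CmdletBinding()]
    param(
        # Report paths, with the sandbox user "Admin" mapped to the current profile.
        [string]$StartupDir   = (Join-Path $env:APPDATA 'Microsoft\Windows\Start Menu\Programs\Startup'),
        [string]$DocumentsDir = (Join-Path $env:USERPROFILE 'Documents')
    )

    # 1. Named alternate data streams on files in the Startup folder.
    #    The sample created programs.bat and then programs.bat:start.
    #    Every file has an unnamed ':$DATA' stream; only named ones are reported.
    Get-ChildItem -LiteralPath $StartupDir -File -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            Get-Item -LiteralPath $_.FullName -Stream * -ErrorAction SilentlyContinue |
                Where-Object { $_.Stream -ne ':$DATA' } |
                ForEach-Object {
                    [pscustomobject]@{
                        Check  = 'Named ADS on Startup-folder file'
                        Path   = "$($_.FileName):$($_.Stream)"
                        Detail = "$($_.Length) bytes"
                    }
                }
        }

    # 2. Named streams on the Documents directory itself (Documents:ApplicationData).
    #    Directories can carry ADS too, and Get-Item -Stream lists them the same way.
    Get-Item -LiteralPath $DocumentsDir -Stream * -ErrorAction SilentlyContinue |
        Where-Object { $_.Stream -ne ':$DATA' } |
        ForEach-Object {
            [pscustomobject]@{
                Check  = 'Named ADS on Documents directory'
                Path   = "$($_.FileName):$($_.Stream)"
                Detail = "$($_.Length) bytes"
            }
        }

    # 3. Defender path exclusions. The sample ran
    #    "powershell Add-MpPreference -ExclusionPath C:\", which stops Defender
    #    from scanning the entire system drive. Flag any exclusion that is a bare
    #    drive root (assumed heuristic: letter, colon, optional trailing backslash).
    try {
        foreach ($p in (Get-MpPreference).ExclusionPath) {
            if ($p -match '^[A-Za-z]:\\?$') {
                [pscustomobject]@{
                    Check  = 'Defender exclusion covers a whole drive'
                    Path   = $p
                    Detail = "remove with: Remove-MpPreference -ExclusionPath '$p'"
                }
            }
        }
    } catch {
        Write-Warning "Get-MpPreference failed (Defender module missing or disabled): $($_.Exception.Message)"
    }
}

$findings = @(Find-WarzoneArtifacts)
if ($findings.Count -gt 0) {
    $findings | Format-Table -AutoSize
} else {
    'No matching artifacts found.'
}
```

Get-Item -Stream is used rather than Get-ChildItem because only Get-Item, Get-Content and the Set-/Remove-Item family accept -Stream. The ADS checks work on any NTFS volume without extra modules; only the third check depends on Defender, so its failure is logged as a warning instead of aborting the other two.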