Analysis
max time kernel: 152s
max time network: 154s
platform: windows10-2004_x64
resource: win10v2004-20221111-en
resource tags: arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
submitted: 11/02/2023, 09:21
Static task
static1
Behavioral task
behavioral1
Sample
5767630484ddb02009fb82e7fbc23857a5b032fcbdca4b10bcd5abd3c1be1407.exe
Resource
win10v2004-20221111-en
General
Target: 5767630484ddb02009fb82e7fbc23857a5b032fcbdca4b10bcd5abd3c1be1407.exe
Size: 323KB
MD5: 4521c3419b829108204529c88f4ca21a
SHA1: a50140d0578559219c60af7171238f62055b3a92
SHA256: 5767630484ddb02009fb82e7fbc23857a5b032fcbdca4b10bcd5abd3c1be1407
SHA512: 51c7888274ecc08b70dc00a27f4d9f4d3f1b3901c1d541e9baeb362a06b491bb0f57bbf4a345d5ab6656df3b3e45e246fecb068d44ebc116112f383639b748ad
SSDEEP: 3072:5PgtxA/n5RF2p8b91/XXrB6pcTpYK236nYklNsWQDiuLpOdYfUBjdgvG:5Ced2891f7IpkYKTnDqLiqOdYf+WvG
Malware Config
Signatures

WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.

Drops startup file (2 IoCs)
description | ioc | Process
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\programs.bat | 5767630484ddb02009fb82e7fbc23857a5b032fcbdca4b10bcd5abd3c1be1407.exe
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\programs.bat:start | 5767630484ddb02009fb82e7fbc23857a5b032fcbdca4b10bcd5abd3c1be1407.exe

Executes dropped EXE (1 IoC)
pid | Process
2064 | images.exe

Adds Run key to start application (2 TTPs, 1 IoC)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Images = "C:\\Users\\Admin\\Documents\\images.exe" | 5767630484ddb02009fb82e7fbc23857a5b032fcbdca4b10bcd5abd3c1be1407.exe

NTFS ADS (1 IoC)
description | ioc | Process
File created | C:\Users\Admin\Documents\Documents:ApplicationData | 5767630484ddb02009fb82e7fbc23857a5b032fcbdca4b10bcd5abd3c1be1407.exe

Suspicious behavior: EnumeratesProcesses (4 IoCs)
pid | Process
4556 | powershell.exe
4556 | powershell.exe
4192 | powershell.exe
4192 | powershell.exe

Suspicious use of AdjustPrivilegeToken (4 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 4556 | powershell.exe
Token: SeDebugPrivilege | 4192 | powershell.exe
Token: 33 | 4480 | AUDIODG.EXE
Token: SeIncBasePriorityPrivilege | 4480 | AUDIODG.EXE

Suspicious use of WriteProcessMemory (14 IoCs; identical rows collapsed with a count)
description | pid | Process | procid_target
PID 4456 wrote to memory of 4556 (x3) | 4456 | 5767630484ddb02009fb82e7fbc23857a5b032fcbdca4b10bcd5abd3c1be1407.exe | 82
PID 4456 wrote to memory of 2064 (x3) | 4456 | 5767630484ddb02009fb82e7fbc23857a5b032fcbdca4b10bcd5abd3c1be1407.exe | 86
PID 2064 wrote to memory of 4192 (x3) | 2064 | images.exe | 87
PID 2064 wrote to memory of 4292 (x5) | 2064 | images.exe | 89
Processes

1. C:\Users\Admin\AppData\Local\Temp\5767630484ddb02009fb82e7fbc23857a5b032fcbdca4b10bcd5abd3c1be1407.exe
   command line: "C:\Users\Admin\AppData\Local\Temp\5767630484ddb02009fb82e7fbc23857a5b032fcbdca4b10bcd5abd3c1be1407.exe"
   PID: 4456
   - Drops startup file
   - Adds Run key to start application
   - NTFS ADS
   - Suspicious use of WriteProcessMemory

   2. C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      command line: powershell Add-MpPreference -ExclusionPath C:\
      PID: 4556
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

   2. C:\Users\Admin\Documents\images.exe
      command line: "C:\Users\Admin\Documents\images.exe"
      PID: 2064
      - Executes dropped EXE
      - Suspicious use of WriteProcessMemory

      3. C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
         command line: powershell Add-MpPreference -ExclusionPath C:\
         PID: 4192
         - Suspicious behavior: EnumeratesProcesses
         - Suspicious use of AdjustPrivilegeToken

      3. C:\Windows\SysWOW64\cmd.exe
         command line: "C:\Windows\System32\cmd.exe"
         PID: 4292

1. C:\Windows\system32\AUDIODG.EXE
   command line: C:\Windows\system32\AUDIODG.EXE 0x2f8 0x2f4
   PID: 4480
   - Suspicious use of AdjustPrivilegeToken
Downloads

Filesize: 2KB
MD5: 3d086a433708053f9bf9523e1d87a4e8
SHA1: b3ab5d4f282a4c8fe8c3005b8a557ed5a0e37f28
SHA256: 6f8fd1b8d9788ad54eaeee329232187e24b7b43393a01aeba2d6e9675231fb69
SHA512: 931ae42b4c68a4507ff2342332b08eb407050d47cf4176137ea022d0f6e513c689e998445a04c6d18d4877391705c586bfce0234632b898d41aaed0957996dfd

Filesize: 18KB
MD5: 42e3933695ea152424221c440a6da7a0
SHA1: 06d56b87d903f3808b5a53abf1845bd99e61884e
SHA256: c2354c245f25210dddb4467259cbd244955310efd6f1b63e04c8c512b4bbe086
SHA512: b8b2913b1cfb1a84c28834f057e601397eb118c3da614a749288cbafcac7b03578eb1954e1038b70f883f9f1e0fe8aeca0e0af12f4cec4e2b2acadcfa39d5f10

Filesize: 323KB
MD5: 4521c3419b829108204529c88f4ca21a
SHA1: a50140d0578559219c60af7171238f62055b3a92
SHA256: 5767630484ddb02009fb82e7fbc23857a5b032fcbdca4b10bcd5abd3c1be1407
SHA512: 51c7888274ecc08b70dc00a27f4d9f4d3f1b3901c1d541e9baeb362a06b491bb0f57bbf4a345d5ab6656df3b3e45e246fecb068d44ebc116112f383639b748ad

Filesize: 323KB
MD5: 4521c3419b829108204529c88f4ca21a
SHA1: a50140d0578559219c60af7171238f62055b3a92
SHA256: 5767630484ddb02009fb82e7fbc23857a5b032fcbdca4b10bcd5abd3c1be1407
SHA512: 51c7888274ecc08b70dc00a27f4d9f4d3f1b3901c1d541e9baeb362a06b491bb0f57bbf4a345d5ab6656df3b3e45e246fecb068d44ebc116112f383639b748ad