Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    146s
  • max time network
    151s
  • platform
    windows7_x64
  • resource
    win7-20230220-en
  • resource tags

    arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
  • submitted
    05/05/2023, 20:54

General

  • Target

    PaymentReciptInvoce00180423.exe

  • Size

    1.0MB

  • MD5

    b5d151bb4861ef37f6a7196217d219fe

  • SHA1

    6dd795268a7f84ad8beda42cc58ce30f02bbd451

  • SHA256

    839af94fe56cfd10e4e5e524c5e656170a8f5cb6a285bc1838386f7000b431a9

  • SHA512

    6286af0cfee2564cf9ca68067d2f9ed7113d0c042b7bc9206c8b18bd67f94de599a6ee44739cc67f693922426c5f5db803ea3c289160e182f800eabd46da51ec

  • SSDEEP

    12288:aq+gtQtCm4yiiguuR3uq+CjCk8feoFgAXuRs2/B6T8H3+H+5CA2G:VIT4i0CkO5HkB6gX+H+57B

Malware Config

Extracted

Family

warzonerat

C2

jeffdfehjhsda.ddns.net:5200

Signatures

  • WarzoneRat, AveMaria

    WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.

  • Warzone RAT payload 6 IoCs
  • Drops startup file 2 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • NTFS ADS 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 5 IoCs
  • Suspicious use of WriteProcessMemory 10 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\PaymentReciptInvoce00180423.exe
    "C:\Users\Admin\AppData\Local\Temp\PaymentReciptInvoce00180423.exe"
    1⤵
    • Drops startup file
    • Adds Run key to start application
    • NTFS ADS
    • Suspicious use of WriteProcessMemory
    PID:1592
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell Add-MpPreference -ExclusionPath C:\
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:752
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe"
      2⤵
        PID:616
    • C:\Windows\system32\AUDIODG.EXE
      C:\Windows\system32\AUDIODG.EXE 0x51c
      1⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:1280

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • memory/616-72-0x00000000000B0000-0x00000000000B1000-memory.dmp

      Filesize

      4KB

    • memory/616-71-0x00000000000B0000-0x00000000000B1000-memory.dmp

      Filesize

      4KB

    • memory/752-64-0x0000000002570000-0x00000000025B0000-memory.dmp

      Filesize

      256KB

    • memory/752-65-0x0000000002570000-0x00000000025B0000-memory.dmp

      Filesize

      256KB

    • memory/1592-54-0x00000000004C0000-0x000000000061C000-memory.dmp

      Filesize

      1.4MB

    • memory/1592-60-0x00000000004C0000-0x000000000061C000-memory.dmp

      Filesize

      1.4MB

    • memory/1592-61-0x00000000021F0000-0x0000000002BF0000-memory.dmp

      Filesize

      10.0MB

    • memory/1592-66-0x00000000004C0000-0x000000000061C000-memory.dmp

      Filesize

      1.4MB

    • memory/1592-67-0x00000000004C0000-0x000000000061C000-memory.dmp

      Filesize

      1.4MB