Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
- max time kernel: 146s
- max time network: 151s
- platform: windows7_x64
- resource: win7-20230220-en
- resource tags: arch:x64, arch:x86, image:win7-20230220-en, locale:en-us, os:windows7-x64, system
- submitted: 05/05/2023, 20:54
Static task: static1
Behavioral task: behavioral1
- Sample: PaymentReciptInvoce00180423.exe
- Resource: win7-20230220-en
Behavioral task: behavioral2
- Sample: PaymentReciptInvoce00180423.exe
- Resource: win10v2004-20230220-en
General
- Target: PaymentReciptInvoce00180423.exe
- Size: 1.0MB
- MD5: b5d151bb4861ef37f6a7196217d219fe
- SHA1: 6dd795268a7f84ad8beda42cc58ce30f02bbd451
- SHA256: 839af94fe56cfd10e4e5e524c5e656170a8f5cb6a285bc1838386f7000b431a9
- SHA512: 6286af0cfee2564cf9ca68067d2f9ed7113d0c042b7bc9206c8b18bd67f94de599a6ee44739cc67f693922426c5f5db803ea3c289160e182f800eabd46da51ec
- SSDEEP: 12288:aq+gtQtCm4yiiguuR3uq+CjCk8feoFgAXuRs2/B6T8H3+H+5CA2G:VIT4i0CkO5HkB6gX+H+57B
Malware Config
Extracted
- family: warzonerat
- c2: jeffdfehjhsda.ddns.net:5200
Signatures
- WarzoneRat, AveMaria
WarzoneRat (also tracked as AveMaria) is a native RAT written in C++ with multiple plugins, sold as malware-as-a-service (MaaS). The extracted config above ties this sample to that family; the behaviours below (Startup folder drop, Run key, NTFS alternate data streams, and a Defender exclusion added via PowerShell) are the persistence and defence-evasion steps the sandbox observed.
-
Warzone RAT payload (6 IoCs)
resource | yara_rule
- behavioral1/memory/1592-54-0x00000000004C0000-0x000000000061C000-memory.dmp | warzonerat
- behavioral1/memory/1592-60-0x00000000004C0000-0x000000000061C000-memory.dmp | warzonerat
- behavioral1/memory/1592-61-0x00000000021F0000-0x0000000002BF0000-memory.dmp | warzonerat
- behavioral1/memory/752-65-0x0000000002570000-0x00000000025B0000-memory.dmp | warzonerat
- behavioral1/memory/1592-66-0x00000000004C0000-0x000000000061C000-memory.dmp | warzonerat
- behavioral1/memory/1592-67-0x00000000004C0000-0x000000000061C000-memory.dmp | warzonerat
Drops startup file (2 IoCs)
description | ioc | Process
- File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\programs.bat | PaymentReciptInvoce00180423.exe
- File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\programs.bat:start | PaymentReciptInvoce00180423.exe
Adds Run key to start application (2 TTPs, 1 IoC)
description | ioc | Process
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Order = "C:\\Users\\Admin\\AppData\\Local\\Temp\\PaymentReciptInvoce00180423.exe" | PaymentReciptInvoce00180423.exe
NTFS ADS (2 IoCs)
description | ioc | Process
- File created | C:\Users\Admin\Documents\Documents:ApplicationData | PaymentReciptInvoce00180423.exe
- File opened for modification | C:\Users\Admin\Documents\Documents:ApplicationData | PaymentReciptInvoce00180423.exe
Suspicious behavior: EnumeratesProcesses (1 IoC)
pid | Process
- 752 | powershell.exe
Suspicious use of AdjustPrivilegeToken (5 IoCs)
description | pid | Process
- Token: SeDebugPrivilege | 752 | powershell.exe
- Token: 33 | 1280 | AUDIODG.EXE
- Token: SeIncBasePriorityPrivilege | 1280 | AUDIODG.EXE
- Token: 33 | 1280 | AUDIODG.EXE
- Token: SeIncBasePriorityPrivilege | 1280 | AUDIODG.EXE
Suspicious use of WriteProcessMemory (10 IoCs)
description | pid | Process | procid_target
- PID 1592 wrote to memory of 752 | 1592 | PaymentReciptInvoce00180423.exe | 29 (4 entries)
- PID 1592 wrote to memory of 616 | 1592 | PaymentReciptInvoce00180423.exe | 31 (6 entries)
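The four behaviours the sandbox flagged above are the same ones a host-based detection would key on. The Python below is an added example for this page, not tria.ge code and not a complete Warzone detection: it runs a small rule set over constructed Sysmon-style records modelled on this report's IoCs. Event IDs follow Sysmon (1 ProcessCreate, 11 FileCreate, 13 RegistryValueSet, 15 FileCreateStreamHash), but the dictionary field names, the user-writable path list, and the choice to ignore the Zone.Identifier stream are assumptions of the example.

```python
"""Flag the behaviours this report attributes to the sample in Sysmon-style
event records. Added example for this page; not tria.ge code and not a
complete Warzone detection. Event IDs follow Sysmon (1 ProcessCreate,
11 FileCreate, 13 RegistryValueSet, 15 FileCreateStreamHash); the dict
field names are an assumption of this example."""
import re
from typing import Callable, Dict, List, Optional

Event = Dict[str, object]

# Constructed sample records modelled on the report's IoCs (not real telemetry).
DROPPER = r"C:\Users\Admin\AppData\Local\Temp\PaymentReciptInvoce00180423.exe"
SAMPLE_EVENTS: List[Event] = [
    {"id": 1, "pid": 1592, "image": DROPPER, "cmdline": f'"{DROPPER}"'},
    {"id": 1, "pid": 752, "image": r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell Add-MpPreference -ExclusionPath C:\\"},
    {"id": 11, "pid": 1592, "image": DROPPER,
     "target": r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\programs.bat"},
    {"id": 15, "pid": 1592, "image": DROPPER,
     "target": r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\programs.bat:start"},
    {"id": 15, "pid": 1592, "image": DROPPER,
     "target": r"C:\Users\Admin\Documents\Documents:ApplicationData"},
    {"id": 13, "pid": 1592, "image": DROPPER,
     "target": r"HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Order",
     "details": DROPPER},
    # Benign noise the rules must leave alone: a mark-of-the-web stream and a
    # Run value that points into System32 rather than a user-writable path.
    {"id": 15, "pid": 4100, "image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "target": r"C:\Users\Admin\Downloads\setup.msi:Zone.Identifier"},
    {"id": 13, "pid": 900, "image": r"C:\Windows\System32\svchost.exe",
     "target": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SecurityHealth",
     "details": r"C:\Windows\System32\SecurityHealthSystray.exe"},
]

DEFENDER_EXCL = re.compile(r"add-mppreference\b.*-exclusion(path|process|extension)", re.I)
STARTUP_DIR = re.compile(r"\\Start Menu\\Programs\\Startup\\", re.I)
RUN_KEY = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\", re.I)
USER_WRITABLE = re.compile(r"\\Users\\[^\\]+\\(AppData|Downloads|Documents|Desktop)\\", re.I)
ADS_PATH = re.compile(r"^[A-Za-z]:\\.*:[^\\:]+$")  # drive, path, then ':stream'


def rule_defender_exclusion(e: Event) -> Optional[str]:
    """Process creation whose command line adds a Defender exclusion."""
    if e["id"] == 1 and DEFENDER_EXCL.search(str(e.get("cmdline", ""))):
        return "Defender exclusion added from the command line"
    return None


def rule_startup_drop(e: Event) -> Optional[str]:
    """File created under the per-user Startup folder."""
    if e["id"] == 11 and STARTUP_DIR.search(str(e.get("target", ""))):
        return "file written to the per-user Startup folder"
    return None


def rule_run_key(e: Event) -> Optional[str]:
    """Run/RunOnce value whose data points at a user-writable location."""
    if e["id"] != 13 or not RUN_KEY.search(str(e.get("target", ""))):
        return None
    if USER_WRITABLE.search(str(e.get("details", ""))):
        return "Run value points at a user-writable path"
    return None


def rule_ads_write(e: Event) -> Optional[str]:
    """Alternate data stream written, ignoring the mark-of-the-web stream."""
    target = str(e.get("target", ""))
    if e["id"] != 15 or not ADS_PATH.match(target):
        return None
    stream = target.rsplit(":", 1)[1]
    if stream.lower() == "zone.identifier":  # browsers write this constantly
        return None
    return f"alternate data stream '{stream}' written"


RULES: Dict[str, Callable[[Event], Optional[str]]] = {
    "defender_exclusion": rule_defender_exclusion,
    "startup_folder_drop": rule_startup_drop,
    "run_key_persistence": rule_run_key,
    "ads_write": rule_ads_write,
}


def scan(events: List[Event]) -> List[Dict[str, object]]:
    """Run every rule over every event; one hit per (rule, event) pair."""
    hits = []
    for e in events:
        for name, rule in RULES.items():
            why = rule(e)
            if why:
                hits.append({"rule": name, "pid": e["pid"], "image": e["image"], "why": why})
    return hits


if __name__ == "__main__":
    for h in scan(SAMPLE_EVENTS):
        print(f"[{h['rule']}] pid={h['pid']} {h['image']}: {h['why']}")
```

Against the constructed events this yields five hits, all from PIDs 1592 and 752: the Defender exclusion, the Startup folder drop, the Run value "Order" pointing into the user's Temp directory, and the two alternate data streams (programs.bat:start and Documents:ApplicationData). The Zone.Identifier write and the System32 Run value stay quiet. The Run rule deliberately requires the value data to point somewhere a standard user can write; a Run value alone is far too noisy to alert on.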
Processes
- C:\Users\Admin\AppData\Local\Temp\PaymentReciptInvoce00180423.exe (PID 1592)
  command line: "C:\Users\Admin\AppData\Local\Temp\PaymentReciptInvoce00180423.exe"
  signatures: Drops startup file; Adds Run key to start application; NTFS ADS; Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 752)
    command line: powershell Add-MpPreference -ExclusionPath C:\
    signatures: Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\cmd.exe (PID 616)
    command line: "C:\Windows\System32\cmd.exe"
- C:\Windows\system32\AUDIODG.EXE (PID 1280)
  command line: C:\Windows\system32\AUDIODG.EXE 0x51c
  signatures: Suspicious use of AdjustPrivilegeToken