Analysis
- max time kernel: 143s
- max time network: 151s
- platform: windows7_x64
- resource: win7-20230220-en
- resource tags: arch:x64, arch:x86, image:win7-20230220-en, locale:en-us, os:windows7-x64, system
- submitted: 05/05/2023, 20:57
Static task: static1
Behavioral task: behavioral1
- Sample: Scanned008907.exe
- Resource: win7-20230220-en
Behavioral task: behavioral2
- Sample: Scanned008907.exe
- Resource: win10v2004-20230220-en
General
- Target: Scanned008907.exe
- Size: 1.0MB
- MD5: 0b5c131ce6f6ba1e86293ac0b16317b1
- SHA1: 10b03b58dceedfd1c99f04200d9692ef846a8030
- SHA256: 396346640d472168f07c041e8dfb3648050e2d36f16e93416cafc2354f3a857e
- SHA512: 729880fd1553e154b0180ef7c19f00092511ae9dac6560a5b53365ca93f6fd78ed2bd1f52968fa5b5325591214a96140948b70525b0b76bbbd9f1bfad32b62cb
- SSDEEP: 12288:aq+gtQtCm4yiiguuR3uq+CjCk8feoFgAXuRs2AB6T8H3+H+5CA2G:VIT4i0CkO5HXB6gX+H+57B
Malware Config
Extracted
- Family: warzonerat
- C2: 155.94.150.100:6473
Signatures
- WarzoneRat, AveMaria
  WarzoneRat is a native RAT developed in C++ with multiple plugins, sold as a MaaS.
- Warzone RAT payload (6 IoCs)
  resource | yara_rule
  behavioral1/memory/1120-54-0x0000000002A00000-0x0000000002B5C000-memory.dmp | warzonerat
  behavioral1/memory/1120-60-0x0000000002A00000-0x0000000002B5C000-memory.dmp | warzonerat
  behavioral1/memory/1120-61-0x0000000002000000-0x0000000002A00000-memory.dmp | warzonerat
  behavioral1/memory/1120-71-0x0000000002A00000-0x0000000002B5C000-memory.dmp | warzonerat
  behavioral1/memory/1740-72-0x0000000000950000-0x0000000000AAC000-memory.dmp | warzonerat
  behavioral1/memory/1740-78-0x0000000000950000-0x0000000000AAC000-memory.dmp | warzonerat
- Executes dropped EXE (1 IoC)
  pid | Process
  1740 | images.exe
- Loads dropped DLL (1 IoC)
  pid | Process
  1120 | Scanned008907.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  description | ioc | Process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Images = "C:\\Users\\Admin\\Documents\\images.exe" | Scanned008907.exe
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  pid | Process
  748 | powershell.exe
  1792 | powershell.exe
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  description | pid | Process
  Token: SeDebugPrivilege | 748 | powershell.exe
  Token: SeDebugPrivilege | 1792 | powershell.exe
- Suspicious use of WriteProcessMemory (18 IoCs; identical events collapsed, count in parentheses)
  description | pid | Process | procid_target
  PID 1120 wrote to memory of 748 | 1120 | Scanned008907.exe | 28 (x4)
  PID 1120 wrote to memory of 1740 | 1120 | Scanned008907.exe | 30 (x4)
  PID 1740 wrote to memory of 1792 | 1740 | images.exe | 32 (x4)
  PID 1740 wrote to memory of 660 | 1740 | images.exe | 34 (x6)
Processes
- C:\Users\Admin\AppData\Local\Temp\Scanned008907.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\Scanned008907.exe"
  PID: 1120
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    Command line: powershell Add-MpPreference -ExclusionPath C:\
    PID: 748
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  - C:\Users\Admin\Documents\images.exe
    Command line: "C:\Users\Admin\Documents\images.exe"
    PID: 1740
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      Command line: powershell Add-MpPreference -ExclusionPath C:\
      PID: 1792
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
    - C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe"
      PID: 660
Downloads
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\7QYHWV8HSR13FL51XQMA.temp
  Filesize: 7KB
  MD5: 196bae27146f36ed7b61cb56e39f798c
  SHA1: 062dc58cb68f662c308fb4e631e0d5b06263270c
  SHA256: e2991926f4e3ce6a85eb92b58bdacca739eb824469579d92896bb72d46fc7cb0
  SHA512: 2d149cd792ba5680b6de333d4baedab5df1588c767ddc5e2578a97b726834ee0529547202bb10d5f3cb96ec511804492c2938d160f42f9ba967eef34de793dd7
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
  Filesize: 7KB
  MD5: 196bae27146f36ed7b61cb56e39f798c
  SHA1: 062dc58cb68f662c308fb4e631e0d5b06263270c
  SHA256: e2991926f4e3ce6a85eb92b58bdacca739eb824469579d92896bb72d46fc7cb0
  SHA512: 2d149cd792ba5680b6de333d4baedab5df1588c767ddc5e2578a97b726834ee0529547202bb10d5f3cb96ec511804492c2938d160f42f9ba967eef34de793dd7