Analysis

  • max time kernel
    142s
  • max time network
    145s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230221-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20230221-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    25/05/2023, 02:51 UTC

General

  • Target

    00d1ab5309b9fa1fd4a03ee45cf68b7c.exe

  • Size

    150KB

  • MD5

    00d1ab5309b9fa1fd4a03ee45cf68b7c

  • SHA1

    a42e1cbb962f50e08d65bc4720d343da917324ce

  • SHA256

    0c79b94bb739d4770b3fc803a83dffeea129db0b293b4ff5ca923fc5597785a4

  • SHA512

    53edc178e98e45e8338995f3548aac3107b5da32352a27cdb6d271426fd46e8ca3af0a8b0611dac3a235efd7a19ff92a82577c6be2fcd68cc12ec3614931fc1d

  • SSDEEP

    3072:3fY/TU9fE9PEtu6xbXI5XYXsjQeNYGGzzfbe1IKKbpSjfxCcY4e/75XBhsFJzb78:vYa6cIYXsjQeNYGGnbelcpOxCcLS9xhD

Malware Config

Extracted

Family

warzonerat

C2

healings.duckdns.org:7722

Signatures

  • WarzoneRat, AveMaria

    WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.

  • Warzone RAT payload 4 IoCs
  • Loads dropped DLL 1 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\00d1ab5309b9fa1fd4a03ee45cf68b7c.exe
    "C:\Users\Admin\AppData\Local\Temp\00d1ab5309b9fa1fd4a03ee45cf68b7c.exe"
    PID:1728
    • Loads dropped DLL
    • Adds Run key to start application
    • Suspicious use of SetThreadContext
    • Suspicious behavior: MapViewOfSection
    • Suspicious use of WriteProcessMemory
    • C:\Users\Admin\AppData\Local\Temp\00d1ab5309b9fa1fd4a03ee45cf68b7c.exe (child of PID 1728)
      "C:\Users\Admin\AppData\Local\Temp\00d1ab5309b9fa1fd4a03ee45cf68b7c.exe"
      PID:3820
      • Suspicious use of SetWindowsHookEx

Network

  • DNS (US): healings.duckdns.org, from 00d1ab5309b9fa1fd4a03ee45cf68b7c.exe
    Remote address: 8.8.8.8:53
    Request: healings.duckdns.org IN A
    Response: 77.220.215.70
  • DNS (US): 133.211.185.52.in-addr.arpa
    Remote address: 8.8.8.8:53
    Request: 133.211.185.52.in-addr.arpa IN PTR
    Response: (empty)
  • DNS (US): 70.215.220.77.in-addr.arpa
    Remote address: 8.8.8.8:53
    Request: 70.215.220.77.in-addr.arpa IN PTR
    Response: vm446319825ssdhadwf
  • DNS (US): 97.17.167.52.in-addr.arpa
    Remote address: 8.8.8.8:53
    Request: 97.17.167.52.in-addr.arpa IN PTR
    Response: (empty)
  • DNS (US): 73.254.224.20.in-addr.arpa
    Remote address: 8.8.8.8:53
    Request: 73.254.224.20.in-addr.arpa IN PTR
    Response: (empty)
  • DNS (US): 50.23.12.20.in-addr.arpa
    Remote address: 8.8.8.8:53
    Request: 50.23.12.20.in-addr.arpa IN PTR
    Response: (empty)
  • DNS (US): 15.164.165.52.in-addr.arpa
    Remote address: 8.8.8.8:53
    Request: 15.164.165.52.in-addr.arpa IN PTR
    Response: (empty)
  • DNS (US): 2.36.159.162.in-addr.arpa
    Remote address: 8.8.8.8:53
    Request: 2.36.159.162.in-addr.arpa IN PTR
    Response: (empty)
  • DNS (US): 26.165.165.52.in-addr.arpa
    Remote address: 8.8.8.8:53
    Request: 26.165.165.52.in-addr.arpa IN PTR
    Response: (empty)
  • 77.220.215.70:7722
    healings.duckdns.org
    00d1ab5309b9fa1fd4a03ee45cf68b7c.exe
    760 B
    828 B
    11
    18
  • 40.125.122.176:443
    260 B
    5
  • 20.54.89.15:443
    260 B
    5
  • 93.184.220.29:80
    322 B
    7
  • 173.223.113.164:443
    322 B
    7
  • 173.223.113.131:80
    322 B
    7
  • 204.79.197.203:80
    322 B
    7
  • 8.8.8.8:53
    healings.duckdns.org
    dns
    00d1ab5309b9fa1fd4a03ee45cf68b7c.exe
    66 B
    82 B
    1
    1

    DNS Request

    healings.duckdns.org

    DNS Response

    77.220.215.70

  • 8.8.8.8:53
    133.211.185.52.in-addr.arpa
    dns
    73 B
    147 B
    1
    1

    DNS Request

    133.211.185.52.in-addr.arpa

  • 8.8.8.8:53
    70.215.220.77.in-addr.arpa
    dns
    72 B
    108 B
    1
    1

    DNS Request

    70.215.220.77.in-addr.arpa

  • 8.8.8.8:53
    97.17.167.52.in-addr.arpa
    dns
    71 B
    145 B
    1
    1

    DNS Request

    97.17.167.52.in-addr.arpa

  • 8.8.8.8:53
    50.23.12.20.in-addr.arpa
    dns
    70 B
    156 B
    1
    1

    DNS Request

    50.23.12.20.in-addr.arpa

  • 8.8.8.8:53
    73.254.224.20.in-addr.arpa
    dns
    72 B
    158 B
    1
    1

    DNS Request

    73.254.224.20.in-addr.arpa

  • 8.8.8.8:53
    15.164.165.52.in-addr.arpa
    dns
    72 B
    146 B
    1
    1

    DNS Request

    15.164.165.52.in-addr.arpa

  • 8.8.8.8:53
    2.36.159.162.in-addr.arpa
    dns
    71 B
    133 B
    1
    1

    DNS Request

    2.36.159.162.in-addr.arpa

  • 8.8.8.8:53
    26.165.165.52.in-addr.arpa
    dns
    72 B
    146 B
    1
    1

    DNS Request

    26.165.165.52.in-addr.arpa

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Users\Admin\AppData\Local\Temp\nsi8350.tmp\fdxxk.dll

    Filesize

    4KB

    MD5

    00967f769ee377f027bb48733a19a3a8

    SHA1

    2cda5fcec2df7e41ff668b0dc41df285940de5c7

    SHA256

    0c2e7f4e19b7a5254ae364b18dd803a3d46b3678fd93740dbd7fdfbf421028a0

    SHA512

    c99ac18a0e00c82ffa1469bcd67aa0d36122d7feaf10942c1b78ca96640a0ab1beb95651a1f79108199616312bf1d7119cbcbf6af9a08ae09c277c02f9d32876

  • memory/3820-141-0x0000000000400000-0x000000000041D000-memory.dmp

    Filesize

    116KB

  • memory/3820-143-0x0000000000400000-0x000000000041D000-memory.dmp

    Filesize

    116KB

  • memory/3820-144-0x0000000000400000-0x000000000041D000-memory.dmp

    Filesize

    116KB

  • memory/3820-145-0x0000000000400000-0x000000000041D000-memory.dmp

    Filesize

    116KB
