Analysis
- max time kernel: 142s
- max time network: 145s
- platform: windows10-2004_x64
- resource: win10v2004-20230221-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20230221-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 25/05/2023, 02:51 UTC
Tasks
- Static task: static1
- Behavioral task: behavioral1
  Sample: 00d1ab5309b9fa1fd4a03ee45cf68b7c.exe
  Resource: win7-20230220-en
- Behavioral task: behavioral2
  Sample: 00d1ab5309b9fa1fd4a03ee45cf68b7c.exe
  Resource: win10v2004-20230221-en
General
- Target: 00d1ab5309b9fa1fd4a03ee45cf68b7c.exe
- Size: 150KB
- MD5: 00d1ab5309b9fa1fd4a03ee45cf68b7c
- SHA1: a42e1cbb962f50e08d65bc4720d343da917324ce
- SHA256: 0c79b94bb739d4770b3fc803a83dffeea129db0b293b4ff5ca923fc5597785a4
- SHA512: 53edc178e98e45e8338995f3548aac3107b5da32352a27cdb6d271426fd46e8ca3af0a8b0611dac3a235efd7a19ff92a82577c6be2fcd68cc12ec3614931fc1d
- SSDEEP: 3072:3fY/TU9fE9PEtu6xbXI5XYXsjQeNYGGzzfbe1IKKbpSjfxCcY4e/75XBhsFJzb78:vYa6cIYXsjQeNYGGnbelcpOxCcLS9xhD
Malware Config (extracted)
- Family: warzonerat
- C2: healings.duckdns.org:7722
Signatures
- WarzoneRat, AveMaria
  WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
- Warzone RAT payload (4 IoCs)
  resource                                                                      yara_rule
  behavioral2/memory/3820-141-0x0000000000400000-0x000000000041D000-memory.dmp  warzonerat
  behavioral2/memory/3820-143-0x0000000000400000-0x000000000041D000-memory.dmp  warzonerat
  behavioral2/memory/3820-144-0x0000000000400000-0x000000000041D000-memory.dmp  warzonerat
  behavioral2/memory/3820-145-0x0000000000400000-0x000000000041D000-memory.dmp  warzonerat
- Loads dropped DLL (1 IoC)
  pid   Process
  1728  00d1ab5309b9fa1fd4a03ee45cf68b7c.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  description: Set value (str)
  ioc: \REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xtdmirbwgcluqa = "C:\\Users\\Admin\\AppData\\Roaming\\ktdyienw\\sclhmmvfajso.exe \"C:\\Users\\Admin\\AppData\\Local\\Temp\\00d1ab5309b9fa1fd4a03ee45cf68b7c.exe\""
  Process: 00d1ab5309b9fa1fd4a03ee45cf68b7c.exe
- Suspicious use of SetThreadContext (1 IoC)
  description                        pid   Process                               procid_target
  PID 1728 set thread context of 3820  1728  00d1ab5309b9fa1fd4a03ee45cf68b7c.exe  84
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious behavior: MapViewOfSection (1 IoC)
  pid   Process
  1728  00d1ab5309b9fa1fd4a03ee45cf68b7c.exe
- Suspicious use of SetWindowsHookEx (1 IoC)
  pid   Process
  3820  00d1ab5309b9fa1fd4a03ee45cf68b7c.exe
- Suspicious use of WriteProcessMemory (4 IoCs)
  description                      pid   Process                               procid_target
  PID 1728 wrote to memory of 3820  1728  00d1ab5309b9fa1fd4a03ee45cf68b7c.exe  84
  PID 1728 wrote to memory of 3820  1728  00d1ab5309b9fa1fd4a03ee45cf68b7c.exe  84
  PID 1728 wrote to memory of 3820  1728  00d1ab5309b9fa1fd4a03ee45cf68b7c.exe  84
  PID 1728 wrote to memory of 3820  1728  00d1ab5309b9fa1fd4a03ee45cf68b7c.exe  84
Processes
- C:\Users\Admin\AppData\Local\Temp\00d1ab5309b9fa1fd4a03ee45cf68b7c.exe (PID: 1728)
  Command line: "C:\Users\Admin\AppData\Local\Temp\00d1ab5309b9fa1fd4a03ee45cf68b7c.exe"
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of SetThreadContext
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\00d1ab5309b9fa1fd4a03ee45cf68b7c.exe (PID: 3820)
    Command line: "C:\Users\Admin\AppData\Local\Temp\00d1ab5309b9fa1fd4a03ee45cf68b7c.exe"
    - Suspicious use of SetWindowsHookEx
Network
- Remote address: 8.8.8.8:53
  Request: healings.duckdns.org IN A
  Response: healings.duckdns.org IN A 77.220.215.70
- Remote address: 8.8.8.8:53
  Request: 133.211.185.52.in-addr.arpa IN PTR
  Response: (empty)
- Remote address: 8.8.8.8:53
  Request: 70.215.220.77.in-addr.arpa IN PTR
  Response: 70.215.220.77.in-addr.arpa IN PTR vm446319825ssdhadwf
- Remote address: 8.8.8.8:53
  Request: 97.17.167.52.in-addr.arpa IN PTR
  Response: (empty)
- Remote address: 8.8.8.8:53
  Request: 73.254.224.20.in-addr.arpa IN PTR
  Response: (empty)
- Remote address: 8.8.8.8:53
  Request: 50.23.12.20.in-addr.arpa IN PTR
  Response: (empty)
- Remote address: 8.8.8.8:53
  Request: 15.164.165.52.in-addr.arpa IN PTR
  Response: (empty)
- Remote address: 8.8.8.8:53
  Request: 2.36.159.162.in-addr.arpa IN PTR
  Response: (empty)
- Remote address: 8.8.8.8:53
  Request: 26.165.165.52.in-addr.arpa IN PTR
  Response: (empty)
DNS traffic summary (sent bytes, received bytes, sent packets, received packets)
Sent   Received  Pkts sent  Pkts recv  DNS Request                   DNS Response
66 B   82 B      1          1          healings.duckdns.org          77.220.215.70
73 B   147 B     1          1          133.211.185.52.in-addr.arpa
72 B   108 B     1          1          70.215.220.77.in-addr.arpa
71 B   145 B     1          1          97.17.167.52.in-addr.arpa
70 B   156 B     1          1          50.23.12.20.in-addr.arpa
72 B   158 B     1          1          73.254.224.20.in-addr.arpa
72 B   146 B     1          1          15.164.165.52.in-addr.arpa
71 B   133 B     1          1          2.36.159.162.in-addr.arpa
72 B   146 B     1          1          26.165.165.52.in-addr.arpa
MITRE ATT&CK Enterprise v6
Downloads
- Filesize: 4KB
  MD5: 00967f769ee377f027bb48733a19a3a8
  SHA1: 2cda5fcec2df7e41ff668b0dc41df285940de5c7
  SHA256: 0c2e7f4e19b7a5254ae364b18dd803a3d46b3678fd93740dbd7fdfbf421028a0
  SHA512: c99ac18a0e00c82ffa1469bcd67aa0d36122d7feaf10942c1b78ca96640a0ab1beb95651a1f79108199616312bf1d7119cbcbf6af9a08ae09c277c02f9d32876