Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    152s
  • max time network
    154s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230220-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
  • submitted
    15/06/2023, 05:36

General

  • Target

    ESCO-PO-Q10056286.exe

  • Size

    793KB

  • MD5

    ea6118b2fe55e3acc84115be3edaa2f5

  • SHA1

    c712674a10c04c03271635c51db9fd38f62dac0e

  • SHA256

    0749beb8fd852d4d82f7e2917f861ac4d8ec36b1363b6df47b202e3120aebd12

  • SHA512

    a5a2337045e7f95dd7dd00d06f7f08da9202b528c1f4532d48a7b5f994daa953355631dd643334e86a4bbd6517df239dcbc3d189e555df05fb4986ff5fa6b618

  • SSDEEP

    24576:r92LKyG5+emhIIiE3ZPbXJ/hMe25Whpw8P:gFG/lQJDVhk5WHfP

Malware Config

Extracted

Family

warzonerat

C2

jabsgu.kozow.com:6186

Signatures

  • Guloader,Cloudeye

    A shellcode based downloader first seen in 2020.

  • WarzoneRat, AveMaria

    WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.

  • Warzone RAT payload 8 IoCs
  • Modifies Windows Firewall 1 TTPs 1 IoCs
  • Sets DLL path for service in the registry 2 TTPs 1 IoCs
  • Checks QEMU agent file 2 TTPs 2 IoCs

    Checks presence of QEMU agent, possibly to detect virtualization.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • UPX packed file 4 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Modifies WinLogon 2 TTPs 4 IoCs
  • Drops file in System32 directory 1 IoCs
  • Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Drops file in Program Files directory 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious behavior: LoadsDriver 1 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of WriteProcessMemory 10 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\ESCO-PO-Q10056286.exe
    "C:\Users\Admin\AppData\Local\Temp\ESCO-PO-Q10056286.exe"
    1⤵
    • Checks QEMU agent file
    • Loads dropped DLL
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Suspicious use of SetThreadContext
    • Drops file in Program Files directory
    • Suspicious behavior: MapViewOfSection
    • Suspicious use of WriteProcessMemory
    PID:2164
    • C:\Users\Admin\AppData\Local\Temp\ESCO-PO-Q10056286.exe
      "C:\Users\Admin\AppData\Local\Temp\ESCO-PO-Q10056286.exe"
      2⤵
      • Sets DLL path for service in the registry
      • Checks QEMU agent file
      • Checks computer location settings
      • Modifies WinLogon
      • Drops file in System32 directory
      • Suspicious use of NtCreateThreadExHideFromDebugger
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Drops file in Program Files directory
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2040
      • C:\Users\Admin\AppData\Local\Temp\76.exe
        "C:\Users\Admin\AppData\Local\Temp\76.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of WriteProcessMemory
        PID:2860
        • C:\Windows\SysWOW64\netsh.exe
          netsh advfirewall firewall add rule name="3389" dir=in action=allow protocol=TCP localport=3389
          4⤵
          • Modifies Windows Firewall
          PID:3464
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 2860 -s 236
          4⤵
          • Program crash
          PID:4904
  • C:\Windows\system32\AUDIODG.EXE
    C:\Windows\system32\AUDIODG.EXE 0x2f8 0x2f4
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:1064
  • C:\Windows\System32\svchost.exe
    C:\Windows\System32\svchost.exe -k NetworkService -s TermService
    1⤵
      PID:1472
    • C:\Windows\System32\svchost.exe
      C:\Windows\System32\svchost.exe -k NetworkService -s TermService
      1⤵
      • Loads dropped DLL
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3556
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 2860 -ip 2860
      1⤵
        PID:3216

      Network

      MITRE ATT&CK Enterprise v6

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Program Files\Microsoft DN1\sqlmap.dll

        Filesize

        114KB

        MD5

        461ade40b800ae80a40985594e1ac236

        SHA1

        b3892eef846c044a2b0785d54a432b3e93a968c8

        SHA256

        798af20db39280f90a1d35f2ac2c1d62124d1f5218a2a0fa29d87a13340bd3e4

        SHA512

        421f9060c4b61fa6f4074508602a2639209032fd5df5bfc702a159e3bad5479684ccb3f6e02f3e38fb8db53839cf3f41fe58a3acad6ec1199a48dc333b2d8a26

      • C:\Users\Admin\AppData\Local\Temp\76.exe

        Filesize

        70KB

        MD5

        ca96229390a0e6a53e8f2125f2c01114

        SHA1

        a54b1081cf58724f8cb292b4d165dfee2fb1c9f6

        SHA256

        0df3d05900e7b530f6c2a281d43c47839f2cf2a5d386553c8dc46e463a635a2c

        SHA512

        e93445bce6c8b6f51890309577a0ea9369860d2e6bf8cc0ca708879a77bb176d27c5f559bbdb7deb4b719aee0fc48d9068c293559f7629baf4ec3515898102ef

      • C:\Users\Admin\AppData\Local\Temp\76.exe

        Filesize

        70KB

        MD5

        ca96229390a0e6a53e8f2125f2c01114

        SHA1

        a54b1081cf58724f8cb292b4d165dfee2fb1c9f6

        SHA256

        0df3d05900e7b530f6c2a281d43c47839f2cf2a5d386553c8dc46e463a635a2c

        SHA512

        e93445bce6c8b6f51890309577a0ea9369860d2e6bf8cc0ca708879a77bb176d27c5f559bbdb7deb4b719aee0fc48d9068c293559f7629baf4ec3515898102ef

      • C:\Users\Admin\AppData\Local\Temp\76.exe

        Filesize

        70KB

        MD5

        ca96229390a0e6a53e8f2125f2c01114

        SHA1

        a54b1081cf58724f8cb292b4d165dfee2fb1c9f6

        SHA256

        0df3d05900e7b530f6c2a281d43c47839f2cf2a5d386553c8dc46e463a635a2c

        SHA512

        e93445bce6c8b6f51890309577a0ea9369860d2e6bf8cc0ca708879a77bb176d27c5f559bbdb7deb4b719aee0fc48d9068c293559f7629baf4ec3515898102ef

      • C:\Users\Admin\AppData\Local\Temp\nsrE48A.tmp\System.dll

        Filesize

        11KB

        MD5

        be2621a78a13a56cf09e00dd98488360

        SHA1

        75f0539dc6af200a07cdb056cddddec595c6cfd2

        SHA256

        852047023ba0cae91c7a43365878613cfb4e64e36ff98c460e113d5088d68ef5

        SHA512

        b80cf1f678e6885276b9a1bfd9227374b2eb9e38bb20446d52ebe2c3dba89764aa50cb4d49df51a974478f3364b5dbcbc5b4a16dc8f1123b40c89c01725be3d1

      • \??\c:\program files\microsoft dn1\rdpwrap.ini

        Filesize

        321KB

        MD5

        5c2160799c3fc664c83bbc9958eede94

        SHA1

        7d39f7d2fb2a302779a28efd0f1c85589cfef066

        SHA256

        d91ae65f689c4f70b27de6941f81e9b1600447a920162a3e69ad734bac62ecd5

        SHA512

        681d697f1a79baa6892e1a8da03ca9b63d118cbc587784db9ed4664e49e10731b9ab0d6e0379fd65325ae586f7afb2a2f839f8c3a8ec9ebdbe1a045a26f229df

      • \??\c:\program files\microsoft dn1\sqlmap.dll

        Filesize

        114KB

        MD5

        461ade40b800ae80a40985594e1ac236

        SHA1

        b3892eef846c044a2b0785d54a432b3e93a968c8

        SHA256

        798af20db39280f90a1d35f2ac2c1d62124d1f5218a2a0fa29d87a13340bd3e4

        SHA512

        421f9060c4b61fa6f4074508602a2639209032fd5df5bfc702a159e3bad5479684ccb3f6e02f3e38fb8db53839cf3f41fe58a3acad6ec1199a48dc333b2d8a26

      • memory/2040-180-0x0000000000400000-0x0000000001654000-memory.dmp

        Filesize

        18.3MB

      • memory/2040-179-0x0000000000400000-0x0000000001654000-memory.dmp

        Filesize

        18.3MB

      • memory/2040-154-0x0000000001660000-0x000000000465A000-memory.dmp

        Filesize

        48.0MB

      • memory/2040-153-0x0000000001660000-0x000000000465A000-memory.dmp

        Filesize

        48.0MB

      • memory/2040-152-0x0000000000400000-0x0000000001654000-memory.dmp

        Filesize

        18.3MB

      • memory/2040-183-0x0000000000400000-0x0000000001654000-memory.dmp

        Filesize

        18.3MB

      • memory/2040-159-0x0000000000400000-0x0000000001654000-memory.dmp

        Filesize

        18.3MB

      • memory/2040-182-0x0000000000400000-0x0000000001654000-memory.dmp

        Filesize

        18.3MB

      • memory/2040-158-0x0000000001660000-0x000000000465A000-memory.dmp

        Filesize

        48.0MB

      • memory/2040-177-0x0000000000400000-0x0000000001654000-memory.dmp

        Filesize

        18.3MB

      • memory/2040-181-0x0000000000400000-0x0000000001654000-memory.dmp

        Filesize

        18.3MB

      • memory/2040-155-0x0000000000400000-0x0000000001654000-memory.dmp

        Filesize

        18.3MB

      • memory/2164-151-0x00000000041B0000-0x00000000071AA000-memory.dmp

        Filesize

        48.0MB

      • memory/2164-150-0x00000000041B0000-0x00000000071AA000-memory.dmp

        Filesize

        48.0MB

      • memory/2860-173-0x00000000006D0000-0x00000000006FD000-memory.dmp

        Filesize

        180KB