Analysis
max time kernel: 152s
max time network: 154s
platform: windows10-2004_x64
resource: win10v2004-20230220-en
resource tags: arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
submitted: 15/06/2023, 05:36

Static task: static1

Behavioral task: behavioral1
  Sample: ESCO-PO-Q10056286.exe
  Resource: win7-20230220-en

Behavioral task: behavioral2
  Sample: ESCO-PO-Q10056286.exe
  Resource: win10v2004-20230220-en
General
Target: ESCO-PO-Q10056286.exe
Size: 793KB
MD5: ea6118b2fe55e3acc84115be3edaa2f5
SHA1: c712674a10c04c03271635c51db9fd38f62dac0e
SHA256: 0749beb8fd852d4d82f7e2917f861ac4d8ec36b1363b6df47b202e3120aebd12
SHA512: a5a2337045e7f95dd7dd00d06f7f08da9202b528c1f4532d48a7b5f994daa953355631dd643334e86a4bbd6517df239dcbc3d189e555df05fb4986ff5fa6b618
SSDEEP: 24576:r92LKyG5+emhIIiE3ZPbXJ/hMe25Whpw8P:gFG/lQJDVhk5WHfP

Malware Config
Extracted
  Family: warzonerat
  C2: jabsgu.kozow.com:6186
Signatures

Guloader,Cloudeye
A shellcode-based downloader first seen in 2020.

WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.

Warzone RAT payload (8 IoCs)
resource                                                                      yara_rule
behavioral2/memory/2040-155-0x0000000000400000-0x0000000001654000-memory.dmp  warzonerat
behavioral2/memory/2040-159-0x0000000000400000-0x0000000001654000-memory.dmp  warzonerat
behavioral2/memory/2040-177-0x0000000000400000-0x0000000001654000-memory.dmp  warzonerat
behavioral2/memory/2040-179-0x0000000000400000-0x0000000001654000-memory.dmp  warzonerat
behavioral2/memory/2040-180-0x0000000000400000-0x0000000001654000-memory.dmp  warzonerat
behavioral2/memory/2040-181-0x0000000000400000-0x0000000001654000-memory.dmp  warzonerat
behavioral2/memory/2040-182-0x0000000000400000-0x0000000001654000-memory.dmp  warzonerat
behavioral2/memory/2040-183-0x0000000000400000-0x0000000001654000-memory.dmp  warzonerat

Modifies Windows Firewall (1 TTPs, 1 IoCs)
pid   Process
3464  netsh.exe

Sets DLL path for service in the registry (2 TTPs, 1 IoCs)
description      ioc                                                                                                                          Process
Set value (str)  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\TermService\Parameters\ServiceDll = "%ProgramFiles%\\Microsoft DN1\\sqlmap.dll"  ESCO-PO-Q10056286.exe

Checks QEMU agent file (2 TTPs, 2 IoCs)
Checks presence of QEMU agent, possibly to detect virtualization.
description              ioc                                       Process
File opened (read-only)  C:\Program Files\Qemu-ga\qemu-ga.exe      ESCO-PO-Q10056286.exe
File opened (read-only)  C:\Program Files\Qemu-ga\qemu-ga.exe      ESCO-PO-Q10056286.exe

Checks computer location settings (2 TTPs, 1 IoCs)
Looks up country code configured in the registry, likely geofence.
description        ioc                                                                                                  Process
Key value queried  \REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\Control Panel\International\Geo\Nation  ESCO-PO-Q10056286.exe

Executes dropped EXE (1 IoCs)
pid   Process
2860  76.exe

Loads dropped DLL (2 IoCs)
pid   Process
2164  ESCO-PO-Q10056286.exe
3556  svchost.exe

resource                                                                      yara_rule
behavioral2/files/0x0006000000022fa6-165.dat                                  upx
behavioral2/files/0x0006000000022fa6-168.dat                                  upx
behavioral2/files/0x0006000000022fa6-169.dat                                  upx
behavioral2/memory/2860-173-0x00000000006D0000-0x00000000006FD000-memory.dmp  upx

Modifies WinLogon (2 TTPs, 4 IoCs)
description      ioc                                                                                                           Process
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\AllowMultipleTSSessions = "1"         ESCO-PO-Q10056286.exe
Key created      \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList              ESCO-PO-Q10056286.exe
Key created      \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts                       ESCO-PO-Q10056286.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList\C.f.kBw = "0"  ESCO-PO-Q10056286.exe

Drops file in System32 directory (1 IoCs)
description   ioc                               Process
File created  C:\Windows\System32\rfxvmt.dll    ESCO-PO-Q10056286.exe

Suspicious use of NtCreateThreadExHideFromDebugger (1 IoCs)
pid   Process
2040  ESCO-PO-Q10056286.exe

Suspicious use of NtSetInformationThreadHideFromDebugger (2 IoCs)
pid   Process
2164  ESCO-PO-Q10056286.exe
2040  ESCO-PO-Q10056286.exe

Suspicious use of SetThreadContext (1 IoCs)
description                           pid   Process                procid_target
PID 2164 set thread context of 2040   2164  ESCO-PO-Q10056286.exe  89

Drops file in Program Files directory (4 IoCs)
description                   ioc                                                                           Process
File opened for modification  C:\Program Files (x86)\Common Files\Udyderne\Nonterminable\Dithionate.ini     ESCO-PO-Q10056286.exe
File created                  C:\Program Files (x86)\Common Files\Ploce50\Underkjolers\Cetes.lnk            ESCO-PO-Q10056286.exe
File created                  C:\Program Files\Microsoft DN1\sqlmap.dll                                     ESCO-PO-Q10056286.exe
File created                  C:\Program Files\Microsoft DN1\rdpwrap.ini                                    ESCO-PO-Q10056286.exe

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

Program crash (1 IoCs)
pid   pid_target  Process       procid_target
4904  2860        WerFault.exe  92

Suspicious behavior: EnumeratesProcesses (4 IoCs)
pid   Process
3556  svchost.exe
3556  svchost.exe
3556  svchost.exe
3556  svchost.exe

Suspicious behavior: LoadsDriver (1 IoCs)
pid   Process
672   Process not Found

Suspicious behavior: MapViewOfSection (1 IoCs)
pid   Process
2164  ESCO-PO-Q10056286.exe

Suspicious use of AdjustPrivilegeToken (4 IoCs)
description                        pid   Process
Token: 33                          1064  AUDIODG.EXE
Token: SeIncBasePriorityPrivilege  1064  AUDIODG.EXE
Token: SeDebugPrivilege            2040  ESCO-PO-Q10056286.exe
Token: SeAuditPrivilege            3556  svchost.exe

Suspicious use of WriteProcessMemory (10 IoCs)
description                    pid   Process                procid_target
PID 2164 wrote to memory of 2040  2164  ESCO-PO-Q10056286.exe  89
PID 2164 wrote to memory of 2040  2164  ESCO-PO-Q10056286.exe  89
PID 2164 wrote to memory of 2040  2164  ESCO-PO-Q10056286.exe  89
PID 2164 wrote to memory of 2040  2164  ESCO-PO-Q10056286.exe  89
PID 2040 wrote to memory of 2860  2040  ESCO-PO-Q10056286.exe  92
PID 2040 wrote to memory of 2860  2040  ESCO-PO-Q10056286.exe  92
PID 2040 wrote to memory of 2860  2040  ESCO-PO-Q10056286.exe  92
PID 2860 wrote to memory of 3464  2860  76.exe                 93
PID 2860 wrote to memory of 3464  2860  76.exe                 93
PID 2860 wrote to memory of 3464  2860  76.exe                 93
Processes
(indentation shows the parent/child relationship; each entry gives the image path, the command line, the signatures triggered, and the PID)

C:\Users\Admin\AppData\Local\Temp\ESCO-PO-Q10056286.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\ESCO-PO-Q10056286.exe"
  - Checks QEMU agent file
  - Loads dropped DLL
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of SetThreadContext
  - Drops file in Program Files directory
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID: 2164

    C:\Users\Admin\AppData\Local\Temp\ESCO-PO-Q10056286.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\ESCO-PO-Q10056286.exe"
      - Sets DLL path for service in the registry
      - Checks QEMU agent file
      - Checks computer location settings
      - Modifies WinLogon
      - Drops file in System32 directory
      - Suspicious use of NtCreateThreadExHideFromDebugger
      - Suspicious use of NtSetInformationThreadHideFromDebugger
      - Drops file in Program Files directory
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      PID: 2040

        C:\Users\Admin\AppData\Local\Temp\76.exe
          Command line: "C:\Users\Admin\AppData\Local\Temp\76.exe"
          - Executes dropped EXE
          - Suspicious use of WriteProcessMemory
          PID: 2860

            C:\Windows\SysWOW64\netsh.exe
              Command line: netsh advfirewall firewall add rule name="3389" dir=in action=allow protocol=TCP localport=3389
              - Modifies Windows Firewall
              PID: 3464

            C:\Windows\SysWOW64\WerFault.exe
              Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2860 -s 236
              - Program crash
              PID: 4904

C:\Windows\system32\AUDIODG.EXE
  Command line: C:\Windows\system32\AUDIODG.EXE 0x2f8 0x2f4
  - Suspicious use of AdjustPrivilegeToken
  PID: 1064

C:\Windows\System32\svchost.exe
  Command line: C:\Windows\System32\svchost.exe -k NetworkService -s TermService
  PID: 1472

C:\Windows\System32\svchost.exe
  Command line: C:\Windows\System32\svchost.exe -k NetworkService -s TermService
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 3556

C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 2860 -ip 2860
  PID: 3216
Network
MITRE ATT&CK Enterprise v6
Downloads

Filesize: 114KB
MD5: 461ade40b800ae80a40985594e1ac236
SHA1: b3892eef846c044a2b0785d54a432b3e93a968c8
SHA256: 798af20db39280f90a1d35f2ac2c1d62124d1f5218a2a0fa29d87a13340bd3e4
SHA512: 421f9060c4b61fa6f4074508602a2639209032fd5df5bfc702a159e3bad5479684ccb3f6e02f3e38fb8db53839cf3f41fe58a3acad6ec1199a48dc333b2d8a26

Filesize: 70KB
MD5: ca96229390a0e6a53e8f2125f2c01114
SHA1: a54b1081cf58724f8cb292b4d165dfee2fb1c9f6
SHA256: 0df3d05900e7b530f6c2a281d43c47839f2cf2a5d386553c8dc46e463a635a2c
SHA512: e93445bce6c8b6f51890309577a0ea9369860d2e6bf8cc0ca708879a77bb176d27c5f559bbdb7deb4b719aee0fc48d9068c293559f7629baf4ec3515898102ef

Filesize: 70KB
MD5: ca96229390a0e6a53e8f2125f2c01114
SHA1: a54b1081cf58724f8cb292b4d165dfee2fb1c9f6
SHA256: 0df3d05900e7b530f6c2a281d43c47839f2cf2a5d386553c8dc46e463a635a2c
SHA512: e93445bce6c8b6f51890309577a0ea9369860d2e6bf8cc0ca708879a77bb176d27c5f559bbdb7deb4b719aee0fc48d9068c293559f7629baf4ec3515898102ef

Filesize: 70KB
MD5: ca96229390a0e6a53e8f2125f2c01114
SHA1: a54b1081cf58724f8cb292b4d165dfee2fb1c9f6
SHA256: 0df3d05900e7b530f6c2a281d43c47839f2cf2a5d386553c8dc46e463a635a2c
SHA512: e93445bce6c8b6f51890309577a0ea9369860d2e6bf8cc0ca708879a77bb176d27c5f559bbdb7deb4b719aee0fc48d9068c293559f7629baf4ec3515898102ef

Filesize: 11KB
MD5: be2621a78a13a56cf09e00dd98488360
SHA1: 75f0539dc6af200a07cdb056cddddec595c6cfd2
SHA256: 852047023ba0cae91c7a43365878613cfb4e64e36ff98c460e113d5088d68ef5
SHA512: b80cf1f678e6885276b9a1bfd9227374b2eb9e38bb20446d52ebe2c3dba89764aa50cb4d49df51a974478f3364b5dbcbc5b4a16dc8f1123b40c89c01725be3d1

Filesize: 321KB
MD5: 5c2160799c3fc664c83bbc9958eede94
SHA1: 7d39f7d2fb2a302779a28efd0f1c85589cfef066
SHA256: d91ae65f689c4f70b27de6941f81e9b1600447a920162a3e69ad734bac62ecd5
SHA512: 681d697f1a79baa6892e1a8da03ca9b63d118cbc587784db9ed4664e49e10731b9ab0d6e0379fd65325ae586f7afb2a2f839f8c3a8ec9ebdbe1a045a26f229df

Filesize: 114KB
MD5: 461ade40b800ae80a40985594e1ac236
SHA1: b3892eef846c044a2b0785d54a432b3e93a968c8
SHA256: 798af20db39280f90a1d35f2ac2c1d62124d1f5218a2a0fa29d87a13340bd3e4
SHA512: 421f9060c4b61fa6f4074508602a2639209032fd5df5bfc702a159e3bad5479684ccb3f6e02f3e38fb8db53839cf3f41fe58a3acad6ec1199a48dc333b2d8a26