Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

3

Reservation.exe

windows7-x64

10

Reservation.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    142s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230703-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
  • submitted
    02/08/2023, 12:12

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Reservation.exe

  • Size

    203KB

  • MD5

    c3d2671ab969fd347e6e0b81c777fc48

  • SHA1

    43d9902d2a7b0583be43ef8d4023c81e9a776e52

  • SHA256

    02ef992b9a587c6cdc382995b5dcfff0367554ec581a6fa28d08c70444f9e0d9

  • SHA512

    588524f48b47f32b1d412a43a3f376bcfd717db8d8a74c85bf4823c1af51ccbffbd76579544620587c84e2fea1e7ede4e2d361fb348758d8572ee7345eccfc07

  • SSDEEP

    6144:/Ya66WOW6k4nLUfQzcGg6Zwaidc8J1CQC:/YgWOE4EQIhairI

Score
10/10
warzoneratinfostealerpersistencerat

Malware Config

Extracted

Family

warzonerat

C2

plazzasecretballeronline.onedumb.com:14977

Signatures

  • WarzoneRat, AveMaria

    WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.

    ratinfostealerwarzonerat
  • Warzone RAT payload 5 IoCs
    rat
  • Loads dropped DLL 1 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Reservation.exe
    "C:\Users\Admin\AppData\Local\Temp\Reservation.exe"
    1⤵
    • Loads dropped DLL
    • Adds Run key to start application
    • Suspicious use of SetThreadContext
    • Suspicious behavior: MapViewOfSection
    • Suspicious use of WriteProcessMemory
    PID:4076
    • C:\Users\Admin\AppData\Local\Temp\Reservation.exe
      "C:\Users\Admin\AppData\Local\Temp\Reservation.exe"
      2⤵
        PID:2996

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\nsyCE10.tmp\jxsmdidxxm.dll
      Filesize

      35KB

      MD5

      c9915e219a2d249f9b1f062b6a41530c

      SHA1

      9d230c9ea12189f5f351d864537108f32e7e7c0d

      SHA256

      83f19467ccf72ef1f39f298f2f91a512cce6021e8f81bc98a249225640cb29b8

      SHA512

      0be72a569a30155ec9c8ae389e867834063ca18c28ce529ce5ecce5e6552d536f9ffd3b28e6e3cb99a70c2c0d5548bf6331ec46ff90da1ee3a92c626110551ec

      Download Submit

    • memory/2996-140-0x0000000000400000-0x000000000055C000-memory.dmp

      Filesize

      1.4MB

      Download

    • memory/2996-142-0x0000000000400000-0x000000000055C000-memory.dmp

      Filesize

      1.4MB

      Download

    • memory/2996-143-0x0000000000400000-0x000000000055C000-memory.dmp

      Filesize

      1.4MB

      Download

    • memory/2996-144-0x0000000000400000-0x000000000055C000-memory.dmp

      Filesize

      1.4MB

      Download

    • memory/2996-146-0x0000000000400000-0x000000000055C000-memory.dmp

      Filesize

      1.4MB

      Download

    • memory/4076-138-0x0000000003300000-0x0000000003302000-memory.dmp

      Filesize

      8KB

      Download