Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

3

Purchase O...33.exe

windows7-x64

10

Purchase O...33.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    153s
  • max time network
    166s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230915-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
  • submitted
    12/10/2023, 04:25

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Purchase Order #PO-RBL-156502125498590-0333.exe

  • Size

    86KB

  • MD5

    535f5cf42f36a22ffa738a56a4fdf161

  • SHA1

    c3578651fb4f0720b4d14ecd5d9427aaff60b4fc

  • SHA256

    0654a66a1584a3924f5020f6bf641d1cd3a93864e040a15e13f3e5a07290817f

  • SHA512

    0eb296089610afd75dcf60197df0a4b063c81cc2aa5c4763ef1f5f988653c46f643c8bb3969f42a938d1c0408d3423ef6bf4885e80ccffff6548753cbc8933a8

  • SSDEEP

    1536:8w1IXWFN5/V7LVV9zaaavghKd9QzGBa+/bVGpGR1T:8w1IXW5/V3z9zHAOnQ7T

Score
10/10
warzoneratinfostealerpersistencerat

Malware Config

Extracted

Family

warzonerat

C2

84.38.132.126:63030

Signatures

  • WarzoneRat, AveMaria

    WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.

    ratinfostealerwarzonerat
  • Warzone RAT payload 4 IoCs
    rat
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Suspicious use of SetThreadContext 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 26 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 19 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Purchase Order #PO-RBL-156502125498590-0333.exe
    "C:\Users\Admin\AppData\Local\Temp\Purchase Order #PO-RBL-156502125498590-0333.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3384
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Purchase Order #PO-RBL-156502125498590-0333" /t REG_SZ /F /D "C:\Users\Admin\Documents\Purchase Order #PO-RBL-156502125498590-0333.pif"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4736
      • C:\Windows\SysWOW64\reg.exe
        REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Purchase Order #PO-RBL-156502125498590-0333" /t REG_SZ /F /D "C:\Users\Admin\Documents\Purchase Order #PO-RBL-156502125498590-0333.pif"
        3⤵
        • Adds Run key to start application
        PID:1800
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c Copy "C:\Users\Admin\AppData\Local\Temp\Purchase Order #PO-RBL-156502125498590-0333.exe" "C:\Users\Admin\Documents\Purchase Order #PO-RBL-156502125498590-0333.pif"
      2⤵
        PID:1996
      • C:\Users\Admin\AppData\Local\Temp\Purchase Order #PO-RBL-156502125498590-0333.exe
        "C:\Users\Admin\AppData\Local\Temp\Purchase Order #PO-RBL-156502125498590-0333.exe"
        2⤵
          PID:3792

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • memory/3384-8-0x0000000006D40000-0x0000000006DB2000-memory.dmp

        Filesize

        456KB

        Download

      • memory/3384-10-0x0000000006F40000-0x0000000006FDC000-memory.dmp

        Filesize

        624KB

        Download

      • memory/3384-2-0x0000000005980000-0x0000000005F24000-memory.dmp

        Filesize

        5.6MB

        Download

      • memory/3384-9-0x0000000006DB0000-0x0000000006DCE000-memory.dmp

        Filesize

        120KB

        Download

      • memory/3384-4-0x00000000055C0000-0x0000000005914000-memory.dmp

        Filesize

        3.3MB

        Download

      • memory/3384-5-0x00000000055B0000-0x00000000055C0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/3384-6-0x0000000005540000-0x000000000554A000-memory.dmp

        Filesize

        40KB

        Download

      • memory/3384-7-0x0000000006100000-0x0000000006176000-memory.dmp

        Filesize

        472KB

        Download

      • memory/3384-1-0x00000000744E0000-0x0000000074C90000-memory.dmp

        Filesize

        7.7MB

        Download

      • memory/3384-0-0x0000000000A90000-0x0000000000AAC000-memory.dmp

        Filesize

        112KB

        Download

      • memory/3384-3-0x0000000005470000-0x0000000005502000-memory.dmp

        Filesize

        584KB

        Download

      • memory/3384-11-0x00000000744E0000-0x0000000074C90000-memory.dmp

        Filesize

        7.7MB

        Download

      • memory/3384-12-0x00000000055B0000-0x00000000055C0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/3384-13-0x00000000070E0000-0x0000000007146000-memory.dmp

        Filesize

        408KB

        Download

      • memory/3384-16-0x00000000744E0000-0x0000000074C90000-memory.dmp

        Filesize

        7.7MB

        Download

      • memory/3792-14-0x0000000000400000-0x000000000055E000-memory.dmp

        Filesize

        1.4MB

        Download

      • memory/3792-19-0x0000000000400000-0x000000000055E000-memory.dmp

        Filesize

        1.4MB

        Download

      • memory/3792-20-0x0000000000400000-0x000000000055E000-memory.dmp

        Filesize

        1.4MB

        Download

      • memory/3792-21-0x0000000000400000-0x000000000055E000-memory.dmp

        Filesize

        1.4MB

        Download