Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

3

NEAS.92b49...00.exe

windows7-x64

10

NEAS.92b49...00.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    139s
  • max time network
    147s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231023-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231023-enlocale:en-usos:windows10-2004-x64system
  • submitted
    06/11/2023, 03:06

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    NEAS.92b4986bc8e2e6631dbfa1e09fb95300.exe

  • Size

    576KB

  • MD5

    92b4986bc8e2e6631dbfa1e09fb95300

  • SHA1

    15207ba5bbaef76321752be90dba3ebcdc6b685c

  • SHA256

    134601a3fa4dd4f8acd601bd1fd03f0f2acfbfc75e98731e140f9f0a362c017f

  • SHA512

    e65b2d9712435a85a2d50f6c292d857ad7b3e04e0553b23d0d32526c3ede03ffab4667e9d899bc11c012bef018666645e97727a65fda5d0e02679a9e906659d0

  • SSDEEP

    12288:el3zhdaE/jMRSrv0BNTMZtTQhm/iBjhrtDUnjP7Gu72JDl9gNaS:i31QEoRSrv0BNT8ehm6ROjiu7aD

Score
10/10
warzoneratevasioninfostealerpersistencerat

Malware Config

Extracted

Family

warzonerat

C2

kraldeli.linkpc.net:5200

Signatures

  • Modifies WinLogon for persistence 2 TTPs 1 IoCs
    persistence
  • WarzoneRat, AveMaria

    WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.

    ratinfostealerwarzonerat
  • Nirsoft 2 IoCs
  • Warzone RAT payload 3 IoCs
    rat
  • Stops running service(s) 3 TTPs
    evasion
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 3 IoCs
  • Drops file in System32 directory 2 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Launches sc.exe 1 IoCs

    Sc.exe is a Windows utlilty to control services on the system.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 1 IoCs
  • Modifies data under HKEY_USERS 41 IoCs
  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 14 IoCs
  • Suspicious use of AdjustPrivilegeToken 7 IoCs
  • Suspicious use of WriteProcessMemory 23 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\NEAS.92b4986bc8e2e6631dbfa1e09fb95300.exe
    "C:\Users\Admin\AppData\Local\Temp\NEAS.92b4986bc8e2e6631dbfa1e09fb95300.exe"
    1⤵
    • Modifies WinLogon for persistence
    • Checks computer location settings
    • Suspicious use of SetThreadContext
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2512
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Sgmventv.vbs"
      2⤵
      • Checks computer location settings
      • Suspicious use of WriteProcessMemory
      PID:4872
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -ExclusionPath 'C:\','C:\Users\Admin\AppData\Local\Google\chrome.exe'
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1312
    • C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe
      "C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe" /EXEFilename "C:\Windows\System32\sc.exe" /WindowState 0 /CommandLine "stop WinDefend" /StartDirectory "" /RunAs 8 /Run
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2856
      • C:\Windows\System32\sc.exe
        "C:\Windows\System32\sc.exe" stop WinDefend
        3⤵
        • Launches sc.exe
        PID:4932
    • C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe
      "C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe" /EXEFilename "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" /WindowState 0 /CommandLine "rmdir 'C:\ProgramData\Microsoft\Windows Defender' -Recurse" /StartDirectory "" /RunAs 8 /Run
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4700
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" rmdir 'C:\ProgramData\Microsoft\Windows Defender' -Recurse
        3⤵
        • Drops file in System32 directory
        • Modifies data under HKEY_USERS
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:3436
    • C:\Users\Admin\AppData\Local\Temp\RegAsm.exe
      C:\Users\Admin\AppData\Local\Temp\RegAsm.exe
      2⤵
      • Executes dropped EXE
      PID:3404
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 3404 -s 628
        3⤵
        • Program crash
        PID:884
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3404 -ip 3404
    1⤵
      PID:2268

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe
      Filesize

      88KB

      MD5

      17fc12902f4769af3a9271eb4e2dacce

      SHA1

      9a4a1581cc3971579574f837e110f3bd6d529dab

      SHA256

      29ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b

      SHA512

      036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe
      Filesize

      88KB

      MD5

      17fc12902f4769af3a9271eb4e2dacce

      SHA1

      9a4a1581cc3971579574f837e110f3bd6d529dab

      SHA256

      29ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b

      SHA512

      036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\RegAsm.exe
      Filesize

      63KB

      MD5

      0d5df43af2916f47d00c1573797c1a13

      SHA1

      230ab5559e806574d26b4c20847c368ed55483b0

      SHA256

      c066aee7aa3aa83f763ebc5541daa266ed6c648fbffcde0d836a13b221bb2adc

      SHA512

      f96cf9e1890746b12daf839a6d0f16f062b72c1b8a40439f96583f242980f10f867720232a6fa0f7d4d7ac0a7a6143981a5a130d6417ea98b181447134c7cfe2

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\RegAsm.exe
      Filesize

      63KB

      MD5

      0d5df43af2916f47d00c1573797c1a13

      SHA1

      230ab5559e806574d26b4c20847c368ed55483b0

      SHA256

      c066aee7aa3aa83f763ebc5541daa266ed6c648fbffcde0d836a13b221bb2adc

      SHA512

      f96cf9e1890746b12daf839a6d0f16f062b72c1b8a40439f96583f242980f10f867720232a6fa0f7d4d7ac0a7a6143981a5a130d6417ea98b181447134c7cfe2

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\Sgmventv.vbs
      Filesize

      143B

      MD5

      ee500187eaa9dfd1faf31f1b45228c9d

      SHA1

      9c9bfddd57764e1e8f8a658ccece154f5613494b

      SHA256

      44c8d430eb949f280542b3ea90f736164afe16fcdd92ae8da8ae44d8661dcab1

      SHA512

      9a795cc68ca9a5f16dc77820c2d445e1fe98cda44b39983a29758dce62c38e46d63b9436b5af8ff493dfc5165e07d74bf92331123c5592762630455dbbc6aae8

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_gsnezjud.4gx.ps1
      Filesize

      60B

      MD5

      d17fe0a3f47be24a6453e9ef58c94641

      SHA1

      6ab83620379fc69f80c0242105ddffd7d98d5d9d

      SHA256

      96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

      SHA512

      5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

      Download Submit

    • memory/1312-68-0x0000000007500000-0x0000000007532000-memory.dmp

      Filesize

      200KB

      Download

    • memory/1312-87-0x0000000007A80000-0x0000000007A8E000-memory.dmp

      Filesize

      56KB

      Download

    • memory/1312-13-0x0000000002BE0000-0x0000000002C16000-memory.dmp

      Filesize

      216KB

      Download

    • memory/1312-14-0x0000000075370000-0x0000000075B20000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/1312-93-0x0000000075370000-0x0000000075B20000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/1312-19-0x0000000002C40000-0x0000000002C50000-memory.dmp

      Filesize

      64KB

      Download

    • memory/1312-17-0x0000000002C40000-0x0000000002C50000-memory.dmp

      Filesize

      64KB

      Download

    • memory/1312-16-0x0000000005600000-0x0000000005C28000-memory.dmp

      Filesize

      6.2MB

      Download

    • memory/1312-20-0x00000000055D0000-0x00000000055F2000-memory.dmp

      Filesize

      136KB

      Download

    • memory/1312-90-0x0000000007B70000-0x0000000007B78000-memory.dmp

      Filesize

      32KB

      Download

    • memory/1312-21-0x0000000005E20000-0x0000000005E86000-memory.dmp

      Filesize

      408KB

      Download

    • memory/1312-31-0x0000000005E90000-0x0000000005EF6000-memory.dmp

      Filesize

      408KB

      Download

    • memory/1312-89-0x0000000007B90000-0x0000000007BAA000-memory.dmp

      Filesize

      104KB

      Download

    • memory/1312-36-0x0000000006040000-0x0000000006394000-memory.dmp

      Filesize

      3.3MB

      Download

    • memory/1312-88-0x0000000007A90000-0x0000000007AA4000-memory.dmp

      Filesize

      80KB

      Download

    • memory/1312-67-0x0000000002C40000-0x0000000002C50000-memory.dmp

      Filesize

      64KB

      Download

    • memory/1312-86-0x0000000007A50000-0x0000000007A61000-memory.dmp

      Filesize

      68KB

      Download

    • memory/1312-85-0x0000000007AD0000-0x0000000007B66000-memory.dmp

      Filesize

      600KB

      Download

    • memory/1312-84-0x00000000078C0000-0x00000000078CA000-memory.dmp

      Filesize

      40KB

      Download

    • memory/1312-82-0x0000000007E90000-0x000000000850A000-memory.dmp

      Filesize

      6.5MB

      Download

    • memory/1312-83-0x0000000007850000-0x000000000786A000-memory.dmp

      Filesize

      104KB

      Download

    • memory/1312-81-0x0000000002C40000-0x0000000002C50000-memory.dmp

      Filesize

      64KB

      Download

    • memory/1312-80-0x0000000007740000-0x00000000077E3000-memory.dmp

      Filesize

      652KB

      Download

    • memory/1312-79-0x0000000006AF0000-0x0000000006B0E000-memory.dmp

      Filesize

      120KB

      Download

    • memory/1312-60-0x00000000052A0000-0x00000000052BE000-memory.dmp

      Filesize

      120KB

      Download

    • memory/1312-61-0x00000000065C0000-0x000000000660C000-memory.dmp

      Filesize

      304KB

      Download

    • memory/1312-69-0x0000000071AF0000-0x0000000071B3C000-memory.dmp

      Filesize

      304KB

      Download

    • memory/1312-65-0x0000000002C40000-0x0000000002C50000-memory.dmp

      Filesize

      64KB

      Download

    • memory/1312-66-0x0000000075370000-0x0000000075B20000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/2512-33-0x0000000005B80000-0x0000000005C12000-memory.dmp

      Filesize

      584KB

      Download

    • memory/2512-2-0x0000000075370000-0x0000000075B20000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/2512-4-0x0000000005950000-0x0000000005960000-memory.dmp

      Filesize

      64KB

      Download

    • memory/2512-0-0x0000000000D30000-0x0000000000DC6000-memory.dmp

      Filesize

      600KB

      Download

    • memory/2512-3-0x0000000005720000-0x000000000577C000-memory.dmp

      Filesize

      368KB

      Download

    • memory/2512-59-0x0000000075370000-0x0000000075B20000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/2512-5-0x0000000005950000-0x0000000005960000-memory.dmp

      Filesize

      64KB

      Download

    • memory/2512-1-0x0000000075370000-0x0000000075B20000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/3404-47-0x0000000000400000-0x0000000000554000-memory.dmp

      Filesize

      1.3MB

      Download

    • memory/3404-38-0x0000000000400000-0x0000000000554000-memory.dmp

      Filesize

      1.3MB

      Download

    • memory/3404-43-0x0000000000400000-0x0000000000554000-memory.dmp

      Filesize

      1.3MB

      Download

    • memory/3436-53-0x000002263E190000-0x000002263E1B2000-memory.dmp

      Filesize

      136KB

      Download

    • memory/3436-44-0x00007FFB7E570000-0x00007FFB7F031000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/3436-46-0x000002263E220000-0x000002263E230000-memory.dmp

      Filesize

      64KB

      Download

    • memory/3436-58-0x000002263E220000-0x000002263E230000-memory.dmp

      Filesize

      64KB

      Download

    • memory/3436-64-0x00007FFB7E570000-0x00007FFB7F031000-memory.dmp

      Filesize

      10.8MB

      Download