Analysis

  • max time kernel
    143s
  • max time network
    149s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    23/01/2024, 03:08

General

  • Target

    13a1de911837a6848b57e4e794892372e0d19339448f9075958e21c1071cf310.exe

  • Size

    532KB

  • MD5

    bac1beef11c340ae6632b50d2ce1fb80

  • SHA1

    eed74625db691bb0d498afec7b5b376e83bf5ff1

  • SHA256

    13a1de911837a6848b57e4e794892372e0d19339448f9075958e21c1071cf310

  • SHA512

    1486f2cf857b0f2dbd4717adebe266b86d8efd0d5554751349606d51844bb77e59d85dda5246c414902d2029ef5d6c895ac417fd7d47556978f7f3fd063ac8b6

  • SSDEEP

    12288:XePFLVoq3FMItDhVug2npXPCqCAVzDU17u+vpBze+kkNSLy5eZ870W:XePRVoMFMIt/+FxM7le+3NJi

Malware Config

Extracted

Family

warzonerat

C2

173.249.202.75:5200

Signatures

  • WarzoneRat, AveMaria

    WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.

  • Warzone RAT payload 6 IoCs
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 3 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Suspicious use of SetThreadContext 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 2 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 20 IoCs
  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Suspicious use of WriteProcessMemory 51 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\13a1de911837a6848b57e4e794892372e0d19339448f9075958e21c1071cf310.exe
    "C:\Users\Admin\AppData\Local\Temp\13a1de911837a6848b57e4e794892372e0d19339448f9075958e21c1071cf310.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2888
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\tstbRYA.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:868
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\tstbRYA" /XML "C:\Users\Admin\AppData\Local\Temp\tmpF211.tmp"
      2⤵
      • Creates scheduled task(s)
      PID:2488
    • C:\Users\Admin\AppData\Local\Temp\13a1de911837a6848b57e4e794892372e0d19339448f9075958e21c1071cf310.exe
      "C:\Users\Admin\AppData\Local\Temp\13a1de911837a6848b57e4e794892372e0d19339448f9075958e21c1071cf310.exe"
      2⤵
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:4116
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        powershell Add-MpPreference -ExclusionPath C:\
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1044
      • C:\ProgramData\images.exe
        "C:\ProgramData\images.exe"
        3⤵
        • Checks computer location settings
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:3760
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\tstbRYA.exe"
          4⤵
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:1132
        • C:\Windows\SysWOW64\schtasks.exe
          "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\tstbRYA" /XML "C:\Users\Admin\AppData\Local\Temp\tmp4810.tmp"
          4⤵
          • Creates scheduled task(s)
          PID:3728
        • C:\ProgramData\images.exe
          "C:\ProgramData\images.exe"
          4⤵
          • Executes dropped EXE
          PID:1116
        • C:\ProgramData\images.exe
          "C:\ProgramData\images.exe"
          4⤵
          • Executes dropped EXE
          • Suspicious use of WriteProcessMemory
          PID:1632
          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            powershell Add-MpPreference -ExclusionPath C:\
            5⤵
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:3552
          • C:\Windows\SysWOW64\cmd.exe
            "C:\Windows\System32\cmd.exe"
            5⤵
              PID:1936

    Downloads

    • C:\ProgramData\images.exe

      Filesize

      532KB

      MD5

      bac1beef11c340ae6632b50d2ce1fb80

      SHA1

      eed74625db691bb0d498afec7b5b376e83bf5ff1

      SHA256

      13a1de911837a6848b57e4e794892372e0d19339448f9075958e21c1071cf310

      SHA512

      1486f2cf857b0f2dbd4717adebe266b86d8efd0d5554751349606d51844bb77e59d85dda5246c414902d2029ef5d6c895ac417fd7d47556978f7f3fd063ac8b6

    • C:\ProgramData\images.exe

      Filesize

      364KB

      MD5

      a057c9836cbeb61ad633d50a004a2ae2

      SHA1

      dd53d87b0250350172d4ba0627672d65187b4fc4

      SHA256

      3771eac470685b323e64c4ffba4c9d81216efe2d173e7a792616f7da021df8e8

      SHA512

      cffeac0ae4047afff66c8aea6b55c37abfdcf013a05a96287b08f83b09b708696e4898413cb8c2905fe4a209e744aa6bbbde2723b660f4803e419801141ef857

    • C:\ProgramData\images.exe

      Filesize

      311KB

      MD5

      c13c22ff9ee9482229aa352be27c5871

      SHA1

      6b018c338372d7a4cfa38c87f2704094fa77383d

      SHA256

      c5439d2cfd60078e15886cb69ab2fd11edff4ea0866f1c84d58cc14262fea890

      SHA512

      a94e9766cd58737db961e61bcdcedbf3b45c5eed2e849a03da66e6838d866af88961f65346660483583784760e84ac2ef0a61d93301c019fd8f4b48cfdb621c6

    • C:\ProgramData\images.exe

      Filesize

      352KB

      MD5

      4a5f0e6918cd5cc59a6ebd46287d2f1f

      SHA1

      063c634c239c16bb3c1544b5c699f125a9c8a073

      SHA256

      c09d26f99d415ae75a08f7a4f9ece34ef9b50a9b855fc75c5fb7170fa9690bb1

      SHA512

      5eb1653a4b375711fcbbe936c55ae29ae4e3c43ae0b078a49fdff451dd2ca04a45e9936926846b2e5024764c53ef6e7e21450088aca007cdb0df597d83554c07

    • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

      Filesize

      2KB

      MD5

      968cb9309758126772781b83adb8a28f

      SHA1

      8da30e71accf186b2ba11da1797cf67f8f78b47c

      SHA256

      92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a

      SHA512

      4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

      Filesize

      18KB

      MD5

      578db4856977a132b7cddaaf6192b6e9

      SHA1

      bcc4d470a16085c4f350318b2e47414040010180

      SHA256

      efb9471b297a8a06038987edaeb9b9805371df29645082e045795bec9df8f58f

      SHA512

      cae96b407133df05a8f9cb780b522b4ee0c528898605508d71446160a6391ba7989441e36419d9735a3e45908a13222eb0da0dde112def3df45a84c099f0becd

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

      Filesize

      18KB

      MD5

      8e527ffb25afc4617ab2176e0de6dd3f

      SHA1

      70d373f10a9eba0ef64c4e08e2e898d77db2b5f7

      SHA256

      4f9a771b740ebed0491a93b0825bcca17336b0015dbfff9e258de8b526058e03

      SHA512

      3b84c0f0015e90390d666ab431bd50ee4a4484fb0110b711e418d2260f64cbf7eb6a428916ef6e48a912412b3aed5ef2b12fb9431fd47acb7de49538040f9a91

    • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ntaeustu.mkk.ps1

      Filesize

      60B

      MD5

      d17fe0a3f47be24a6453e9ef58c94641

      SHA1

      6ab83620379fc69f80c0242105ddffd7d98d5d9d

      SHA256

      96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

      SHA512

      5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

    • C:\Users\Admin\AppData\Local\Temp\tmpF211.tmp

      Filesize

      1KB

      MD5

      4a513cc34e99b08fbca474db739c7fb5

      SHA1

      fc3c35919980e0f3befbce6c8143c170b7e55a8e

      SHA256

      84ef5ce60a5445a507253c18215eae9ef482d5b44de72b78e5d428b971816109

      SHA512

      1249e6f02cae4f065136e371786eda1a23c5344ecb9f63ef84a42d081d146b8553736f03b301ad7dcf2187d98b4ff7a63a972eb54c4e87b7d86d74ccd2368c73
