Analysis
- max time kernel: 92s
- max time network: 138s
- platform: windows10-2004_x64
- resource: win10v2004-20231222-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20231222-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 23/01/2024, 14:37
Static task
- static1
Behavioral task
- behavioral1
  - Sample: order 2344536523465.exe
  - Resource: win7-20231215-en
Behavioral task
- behavioral2
  - Sample: order 2344536523465.exe
  - Resource: win10v2004-20231222-en
General
- Target: order 2344536523465.exe
- Size: 655KB
- MD5: ffc87746179f68d3e1a29144880c4fb7
- SHA1: 8fe2fab9866d4a679012d5191633363a6353b25a
- SHA256: 5823abce8aee97ca3b5178ea0bdddd88b23533397bbd3a29ae31dd44eb89feff
- SHA512: e28f1b934548c74a841379da2578b6ad7e9902554e3e3c0e6bf86607551764f8a82dbf14d7bf7a87091198ca4f840492fe453e4d29b5b99a959d9e984c04e8f9
- SSDEEP: 12288:FW0/+MEFDmAwyAlaA31L1a6NDWxuW90dkLo/xhvyNP06BJI3:40GDo8A31L1f6xuTdkLeTvyNP04u
Malware Config
Extracted
- warzonerat
- 84.38.132.126:59937
Signatures
- WarzoneRat, AveMaria
  WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
- Warzone RAT payload (5 IoCs)
  resource | yara_rule
  behavioral2/memory/636-11-0x0000000000400000-0x000000000055E000-memory.dmp | warzonerat
  behavioral2/memory/636-14-0x0000000000400000-0x000000000055E000-memory.dmp | warzonerat
  behavioral2/memory/636-16-0x0000000000400000-0x000000000055E000-memory.dmp | warzonerat
  behavioral2/memory/636-20-0x0000000000400000-0x000000000055E000-memory.dmp | warzonerat
  behavioral2/memory/636-48-0x0000000000400000-0x000000000055E000-memory.dmp | warzonerat
- Drops startup file (2 IoCs)
  description | ioc | Process
  File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\programs.bat | order 2344536523465.exe
  File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\programs.bat:start | order 2344536523465.exe
- Loads dropped DLL (6 IoCs)
  pid | Process
  636 | order 2344536523465.exe (6 identical entries)
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Accesses Microsoft Outlook profiles (1 TTPs, 2 IoCs)
  description | ioc | Process
  Key opened | \REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | order 2344536523465.exe
  Key opened | \REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | order 2344536523465.exe
- Suspicious use of SetThreadContext (1 IoCs)
  description | pid | Process | procid_target
  PID 3548 set thread context of 636 | 3548 | order 2344536523465.exe | 98
- NTFS ADS (2 IoCs)
  description | ioc | Process
  File created | C:\ProgramData:ApplicationData | order 2344536523465.exe
  File opened for modification | C:\ProgramData:ApplicationData | order 2344536523465.exe
- Suspicious use of WriteProcessMemory (10 IoCs)
  description | pid | Process | procid_target
  PID 3548 wrote to memory of 636 | 3548 | order 2344536523465.exe | 98 (10 identical entries)
- outlook_office_path (1 IoCs)
  description | ioc | Process
  Key opened | \REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | order 2344536523465.exe
- outlook_win_path (1 IoCs)
  description | ioc | Process
  Key opened | \REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | order 2344536523465.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\order 2344536523465.exe  "C:\Users\Admin\AppData\Local\Temp\order 2344536523465.exe"  (PID:3548)
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\order 2344536523465.exe  "C:\Users\Admin\AppData\Local\Temp\order 2344536523465.exe"  (PID:636)
    - Drops startup file
    - Loads dropped DLL
    - Accesses Microsoft Outlook profiles
    - NTFS ADS
    - outlook_office_path
    - outlook_win_path
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 326KB
  MD5: ef12ab9d0b231b8f898067b2114b1bc0
  SHA1: 6d90f27b2105945f9bb77039e8b892070a5f9442
  SHA256: 2b00fc4f541ac10c94e3556ff28e30a801811c36422546a546a445aca3f410f7
  SHA512: 2aa62bfba556ad8f042942dd25aa071ff6677c257904377c1ec956fd9e862abcbf379e0cfd8c630c303a32ece75618c24e3eef58bddb705c427985b944689193
- Filesize: 133KB
  MD5: 75f8cc548cabf0cc800c25047e4d3124
  SHA1: 602676768f9faecd35b48c38a0632781dfbde10c
  SHA256: fb419a60305f17359e2ac0510233ee80e845885eee60607715c67dd88e501ef0
  SHA512: ed831c9c769aef3be253c52542cf032afa0a8fa5fe25ca704db65ee6883c608220df7102ac2b99ee9c2e599a0f5db99fd86894a4b169e68440eb1b0d0012672f
- Filesize: 429KB
  MD5: 109f0f02fd37c84bfc7508d4227d7ed5
  SHA1: ef7420141bb15ac334d3964082361a460bfdb975
  SHA256: 334e69ac9367f708ce601a6f490ff227d6c20636da5222f148b25831d22e13d4
  SHA512: 46eb62b65817365c249b48863d894b4669e20fcb3992e747cd5c9fdd57968e1b2cf7418d1c9340a89865eadda362b8db51947eb4427412eb83b35994f932fd39
- Filesize: 1.1MB
  MD5: dc8827baaee94a625c6e563e5a2029fc
  SHA1: 7c22371987acf8b3f7c9834a7e89d5b279fbb931
  SHA256: 4712c51107d786d45fee8189a28468f21eb9fef6b6905a3169411438f18cf603
  SHA512: 214c02af8765fc3e45f7ccc5753e09f92ce548a89d9a03fc0b3fef2c3925f9a7aba7f5ab42cfe57508424607407b7edc7f27730e5f4884481ba6c09a9c88fbfd
- Filesize: 141KB
  MD5: 471c983513694ac3002590345f2be0da
  SHA1: 6612b9af4ff6830fa9b7d4193078434ef72f775b
  SHA256: bb3ff746471116c6ad0339fa0522aa2a44a787e33a29c7b27649a054ecd4d00f
  SHA512: a9b0fb923bc3b567e933de10b141a3e9213640e3d790b4c4d753cf220d55593ae8026102909969ba6bfc22da3b2fcd01e30a9f5a74bd14a0fdec9beaf0fb1410
- Filesize: 81KB
  MD5: 7587bf9cb4147022cd5681b015183046
  SHA1: f2106306a8f6f0da5afb7fc765cfa0757ad5a628
  SHA256: c40bb03199a2054dabfc7a8e01d6098e91de7193619effbd0f142a7bf031c14d
  SHA512: 0b63e4979846ceba1b1ed8470432ea6aa18cca66b5f5322d17b14bc0dfa4b2ee09ca300a016e16a01db5123e4e022820698f46d9bad1078bd24675b4b181e91f