Analysis
max time kernel: 148s
max time network: 123s
platform: windows7_x64
resource: win7-20231215-en
resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
submitted: 27/01/2024, 22:33
Static task: static1
Behavioral task: behavioral1
  Sample: 7b751b12e1ba5957b750deee88c76556.exe
  Resource: win7-20231215-en
Behavioral task: behavioral2
  Sample: 7b751b12e1ba5957b750deee88c76556.exe
  Resource: win10v2004-20231215-en
General
Target: 7b751b12e1ba5957b750deee88c76556.exe
Size: 297KB
MD5: 7b751b12e1ba5957b750deee88c76556
SHA1: c00cc6033fc686d60a8731f5f9fef47c9b9dd6e6
SHA256: 88694f8e030e9d1ef06c16419ae18bd428c1e6907d191e20679f36734b2fe22b
SHA512: f2f707e7268056c6107944b9cccca80925ed54551cb16308bc2f3b2f97f9cae4f18dbe65e7f8ee0fc5b2ecc608fe6e25efc51ed681c4e192dcc2bdb7ebf3507f
SSDEEP: 6144:F2OO3dRD1tAJRn3EdJgq9RN/7581IWrAL7qHJKeQNCE:8VfDPenWJgqdTqI0AL7qEeQNCE
Malware Config
Extracted family: warzonerat
C2: graceandfavour.ddns.net:5522
Signatures

WarzoneRat, AveMaria
WarzoneRat (also tracked as AveMaria) is a native RAT written in C++ with multiple plugins, sold as malware-as-a-service (MaaS).

Warzone RAT payload (4 IoCs)
resource | yara_rule
behavioral1/memory/2664-2-0x0000000000400000-0x0000000000554000-memory.dmp | warzonerat
behavioral1/memory/2664-5-0x0000000000400000-0x0000000000554000-memory.dmp | warzonerat
behavioral1/memory/2664-6-0x0000000000400000-0x0000000000554000-memory.dmp | warzonerat
behavioral1/memory/2664-7-0x0000000000400000-0x0000000000554000-memory.dmp | warzonerat
All four matches are the same 0x400000-0x554000 range in the child process (PID 2664), dumped at successive points; the unpacked payload lives in the child's image region, not in the parent.

Suspicious use of SetThreadContext (1 IoC)
description | pid | Process | procid_target
PID 2528 set thread context of 2664 | 2528 | 7b751b12e1ba5957b750deee88c76556.exe | 28

Suspicious behavior: MapViewOfSection (1 IoC)
pid | Process
2528 | 7b751b12e1ba5957b750deee88c76556.exe

Suspicious use of WriteProcessMemory (5 IoCs)
description | pid | Process | procid_target
PID 2528 wrote to memory of 2664 | 2528 | 7b751b12e1ba5957b750deee88c76556.exe | 28
(five identical entries: the parent wrote into the child's address space five times before redirecting its thread)
Processes
C:\Users\Admin\AppData\Local\Temp\7b751b12e1ba5957b750deee88c76556.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\7b751b12e1ba5957b750deee88c76556.exe"
  PID: 2528
  - Suspicious use of SetThreadContext
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  Child process:
  C:\Users\Admin\AppData\Local\Temp\7b751b12e1ba5957b750deee88c76556.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\7b751b12e1ba5957b750deee88c76556.exe"
    PID: 2664
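The signatures above together describe one technique: the sample launches a second copy of itself, writes into that child's memory (WriteProcessMemory x5), then redirects a thread with SetThreadContext, after which the child's 0x400000-0x554000 image range is the WarzoneRAT payload. That is the RunPE / process-hollowing sequence. The following is an added example, not code from the tria.ge report or from the sandbox itself, that re-encodes the report's events as a constructed list (the Event/MemoryDump schema and field names are this example's own assumptions, not tria.ge's data model) and correlates them into a single finding, so that a write alone, or a thread-context change alone, is not enough to alert:

```python
"""Correlate sandbox behavioural events into a process-hollowing finding.

Constructed example: EVENTS and DUMPS below re-encode what the report's
Processes and Signatures sections show (PID 2528 spawns a second copy of
the same executable as PID 2664, writes to it five times, sets its thread
context, and the child's image range is later flagged as a WarzoneRAT
payload). Event kinds and field names are this example's own, not the
tria.ge schema.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\7b751b12e1ba5957b750deee88c76556.exe"


@dataclass(frozen=True)
class Event:
    kind: str        # "create", "write", "set_thread_context", "map_view"
    pid: int         # acting process
    target: int = 0  # child pid for "create"; written/controlled pid otherwise
    image: str = ""  # child image path for "create"


@dataclass(frozen=True)
class MemoryDump:
    pid: int
    start: int
    end: int
    tag: str         # YARA rule that matched the dumped region


# Constructed from the report: process tree, MapViewOfSection, WriteProcessMemory x5,
# SetThreadContext. pid=0 stands for the sandbox launcher that starts the sample.
EVENTS: List[Event] = [
    Event("create", pid=0, target=2528, image=SAMPLE),
    Event("map_view", pid=2528),
    Event("create", pid=2528, target=2664, image=SAMPLE),
] + [Event("write", pid=2528, target=2664)] * 5 + [
    Event("set_thread_context", pid=2528, target=2664),
]

DUMPS: List[MemoryDump] = [
    MemoryDump(pid=2664, start=0x400000, end=0x554000, tag="warzonerat"),
]


def region_size(start: int, end: int) -> int:
    """Byte length of a dumped range; the report's range is 0x154000 bytes."""
    return end - start


def find_hollowing(events: List[Event], dumps: List[MemoryDump]) -> List[Dict]:
    """Return one finding per parent->child pair where the parent created the
    child, wrote into it, and then set a thread context in it. All three are
    required: writes alone occur with debuggers and AV hooks, and a child
    launch alone is normal. A same-image pair is classed as self-hollowing."""
    parent_of: Dict[int, int] = {}
    image_of: Dict[int, str] = {}
    writes: Dict[Tuple[int, int], int] = defaultdict(int)
    ctx: Set[Tuple[int, int]] = set()

    for e in events:
        if e.kind == "create":
            parent_of[e.target] = e.pid
            image_of[e.target] = e.image
        elif e.kind == "write":
            writes[(e.pid, e.target)] += 1
        elif e.kind == "set_thread_context":
            ctx.add((e.pid, e.target))

    findings: List[Dict] = []
    for (src, dst), n in writes.items():
        if (src, dst) not in ctx or parent_of.get(dst) != src:
            continue
        same_image = image_of.get(dst) == image_of.get(src)
        child_dumps = [d for d in dumps if d.pid == dst]
        findings.append({
            "source": src,
            "target": dst,
            "writes": n,
            "same_image": same_image,
            "technique": "process hollowing (self-injection)" if same_image else "process injection",
            "payload_tags": [d.tag for d in child_dumps],
            "region_size": region_size(child_dumps[0].start, child_dumps[0].end) if child_dumps else 0,
        })
    return findings


if __name__ == "__main__":
    for finding in find_hollowing(EVENTS, DUMPS):
        print(finding)
```

Run against the constructed events this yields exactly one finding: 2528 -> 2664, five writes, same image, tagged warzonerat, with a 0x154000-byte (about 1.3 MiB) region, which is why the memory dumps of the child rather than the 297KB file on disk are where the unpacked RAT is found.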