Analysis
- max time kernel: 126s
- max time network: 136s
- platform: windows7_x64
- resource: win7-20231215-en
- resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
- submitted: 27/01/2024, 11:20
Static task
- static1

Behavioral task
- behavioral1
  Sample: 7a1a1c22194467c8c74bcbda6cbd34b9.exe
  Resource: win7-20231215-en

Behavioral task
- behavioral2
  Sample: 7a1a1c22194467c8c74bcbda6cbd34b9.exe
  Resource: win10v2004-20231215-en
General
- Target: 7a1a1c22194467c8c74bcbda6cbd34b9.exe
- Size: 846KB
- MD5: 7a1a1c22194467c8c74bcbda6cbd34b9
- SHA1: 89fe782d41d53e095df7caa7ad02b9b3e83a0a6a
- SHA256: 4ff1a30034dbe892cf2e7d6cea3fb4529c51808dd9341e5b653a3bc2857fa31c
- SHA512: f54898bd002be6229d56652638e7135fc48a8c30a880e53b6edd5df8ef8b2cef26d82bc88afd2e5ce17f8e717b513af70d4d8823066dfd8378bbe2675d03c862
- SSDEEP: 12288:c+m5GlBZnSf37NmpPk7HXk/U1Ck5Y0CjB+qpUkxcE3v0afRD:Vm56ZAmpPQXkM1Cf0CjB+qpVJvHJD
Malware Config
Extracted
- Family: warzonerat
- C2: 194.5.97.21:3650
Signatures

- WarzoneRat, AveMaria
  WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.

- Warzone RAT payload (8 IoCs)
  resource | yara_rule
  behavioral1/memory/2660-18-0x0000000000400000-0x0000000000554000-memory.dmp | warzonerat
  behavioral1/memory/2660-24-0x0000000000400000-0x0000000000554000-memory.dmp | warzonerat
  behavioral1/memory/2660-21-0x0000000000400000-0x0000000000554000-memory.dmp | warzonerat
  behavioral1/memory/2660-20-0x0000000000400000-0x0000000000554000-memory.dmp | warzonerat
  behavioral1/memory/2660-19-0x0000000000400000-0x0000000000554000-memory.dmp | warzonerat
  behavioral1/memory/2660-27-0x0000000000400000-0x0000000000554000-memory.dmp | warzonerat
  behavioral1/memory/2660-28-0x0000000000400000-0x0000000000554000-memory.dmp | warzonerat
  behavioral1/memory/2660-44-0x0000000000400000-0x0000000000554000-memory.dmp | warzonerat

- Drops startup file (2 IoCs)
  description | ioc | Process
  File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\programs.bat:start | 7a1a1c22194467c8c74bcbda6cbd34b9.exe
  File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\programs.bat | 7a1a1c22194467c8c74bcbda6cbd34b9.exe

- Suspicious use of SetThreadContext (1 IoC)
  description | pid | Process | procid_target
  PID 2284 set thread context of 2660 | 2284 | 7a1a1c22194467c8c74bcbda6cbd34b9.exe | 31

- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).

- Creates scheduled task(s) (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  pid | Process
  2600 | schtasks.exe

- NTFS ADS (2 IoCs)
  description | ioc | Process
  File created | C:\ProgramData:ApplicationData | 7a1a1c22194467c8c74bcbda6cbd34b9.exe
  File opened for modification | C:\ProgramData:ApplicationData | 7a1a1c22194467c8c74bcbda6cbd34b9.exe

- Suspicious behavior: EnumeratesProcesses (4 IoCs)
  pid | Process
  2284 | 7a1a1c22194467c8c74bcbda6cbd34b9.exe
  2284 | 7a1a1c22194467c8c74bcbda6cbd34b9.exe
  2284 | 7a1a1c22194467c8c74bcbda6cbd34b9.exe
  2836 | powershell.exe

- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  description | pid | Process
  Token: SeDebugPrivilege | 2284 | 7a1a1c22194467c8c74bcbda6cbd34b9.exe
  Token: SeDebugPrivilege | 2836 | powershell.exe

- Suspicious use of WriteProcessMemory (26 IoCs; identical rows collapsed with their count)
  description | pid | Process | procid_target | count
  PID 2284 wrote to memory of 2600 | 2284 | 7a1a1c22194467c8c74bcbda6cbd34b9.exe | 30 | 4
  PID 2284 wrote to memory of 2660 | 2284 | 7a1a1c22194467c8c74bcbda6cbd34b9.exe | 31 | 12
  PID 2660 wrote to memory of 2836 | 2660 | 7a1a1c22194467c8c74bcbda6cbd34b9.exe | 33 | 4
  PID 2660 wrote to memory of 2956 | 2660 | 7a1a1c22194467c8c74bcbda6cbd34b9.exe | 35 | 6
Processes (indentation shows the parent/child tree)

- C:\Users\Admin\AppData\Local\Temp\7a1a1c22194467c8c74bcbda6cbd34b9.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\7a1a1c22194467c8c74bcbda6cbd34b9.exe"
  PID: 2284
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  - C:\Windows\SysWOW64\schtasks.exe
    Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\YSRfcsouWuAP" /XML "C:\Users\Admin\AppData\Local\Temp\tmpD411.tmp"
    PID: 2600
    - Creates scheduled task(s)

  - C:\Users\Admin\AppData\Local\Temp\7a1a1c22194467c8c74bcbda6cbd34b9.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\7a1a1c22194467c8c74bcbda6cbd34b9.exe"
    PID: 2660
    - Drops startup file
    - NTFS ADS
    - Suspicious use of WriteProcessMemory

    - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      Command line: powershell Add-MpPreference -ExclusionPath C:\
      PID: 2836
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

    - C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe"
      PID: 2956
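The Signatures and Processes sections above list the host artifacts this sample leaves behind: a programs.bat in the user's Startup folder with a "start" alternate data stream, an "ApplicationData" stream on the C:\ProgramData directory, a scheduled task registered under \Updates\ via schtasks /Create /XML, a Defender exclusion for the whole C:\ drive, and a C2 at 194.5.97.21:3650. The following hunt script is an added example, not part of the tria.ge report and not the sample's own code. It takes the paths, task path and C2 from the report; the function name Find-WarzoneArtifacts and its parameters are this example's own choices. It assumes Windows 8 / Server 2012 or later with the ScheduledTasks, NetTCPIP and Defender modules available (so not the Windows 7 image the report was run on), and it assumes that dir /r lists streams on directory entries, which is how the directory ADS is read here.

```powershell
# Added example: hunt a host for the persistence and defence-evasion artifacts
# seen in the report. Not from the report; names below are this example's own.
function Find-WarzoneArtifacts {
    [CmdletBinding()]
    param(
        # Profile roots to check; defaults to every profile under C:\Users.
        [string[]]$ProfileRoots = (Get-ChildItem 'C:\Users' -Directory -ErrorAction SilentlyContinue).FullName,
        [string]$C2Address = '194.5.97.21',   # from the extracted config
        [int]$C2Port = 3650
    )

    $findings = New-Object System.Collections.Generic.List[object]
    function Add-Finding([string]$Check, [string]$Detail) {
        $findings.Add([pscustomobject]@{ Check = $Check; Detail = $Detail })
    }

    # 1. Startup-folder persistence: programs.bat plus its "start" alternate data stream.
    foreach ($root in @($ProfileRoots)) {
        $bat = Join-Path $root 'AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\programs.bat'
        if (Test-Path -LiteralPath $bat) {
            Add-Finding 'StartupFile' $bat
            # Get-Item -Stream * enumerates every NTFS stream on the file; anything other than :$DATA is an ADS.
            Get-Item -LiteralPath $bat -Stream * -ErrorAction SilentlyContinue |
                Where-Object { $_.Stream -ne ':$DATA' } |
                ForEach-Object { Add-Finding 'StartupFileADS' ('{0}:{1} ({2} bytes)' -f $bat, $_.Stream, $_.Length) }
        }
    }

    # 2. ADS on the C:\ProgramData directory itself (the report shows C:\ProgramData:ApplicationData).
    #    dir /r prints stream lines such as "   13 ProgramData:ApplicationData:$DATA" under the directory entry.
    cmd.exe /c 'dir /r /a C:\' 2>$null | ForEach-Object {
        if ($_ -match '^\s*([\d,]+)\s+ProgramData:([^:]+):\$DATA\s*$') {
            Add-Finding 'ProgramDataADS' ('C:\ProgramData:{0} ({1} bytes)' -f $Matches[2], $Matches[1])
        }
    }

    # 3. Scheduled tasks registered under \Updates\ (schtasks /Create /TN "Updates\..." /XML ...).
    Get-ScheduledTask -TaskPath '\Updates\' -ErrorAction SilentlyContinue | ForEach-Object {
        $actions = ($_.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)".Trim() }) -join '; '
        Add-Finding 'ScheduledTask' ('{0}{1} -> {2}' -f $_.TaskPath, $_.TaskName, $actions)
    }

    # 4. Defender exclusion covering the whole system drive (Add-MpPreference -ExclusionPath C:\).
    $exclusions = (Get-MpPreference -ErrorAction SilentlyContinue).ExclusionPath
    foreach ($ex in @($exclusions)) {
        if ($ex -and ($ex.TrimEnd('\') -ieq 'C:')) { Add-Finding 'DefenderExclusion' $ex }
    }

    # 5. Live TCP connection to the extracted C2 (only catches a currently connected beacon).
    Get-NetTCPConnection -RemoteAddress $C2Address -ErrorAction SilentlyContinue |
        Where-Object { $_.RemotePort -eq $C2Port } |
        ForEach-Object { Add-Finding 'C2Connection' ('PID {0} {1} -> {2}:{3}' -f $_.OwningProcess, $_.State, $_.RemoteAddress, $_.RemotePort) }

    return $findings
}

# Run from an elevated prompt so every profile and the Defender preferences are readable.
Find-WarzoneArtifacts | Format-Table -AutoSize
```

Each check maps to one row in the report, so an empty result for a check is meaningful on its own: the task name (YSRfcsouWuAP) is random per build, which is why the task-path prefix rather than the name is matched, and the C2 check only sees an established socket, so pair it with proxy or DNS logs for historical coverage.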