Analysis
max time kernel: 145s
max time network: 148s
platform: windows10-2004_x64
resource: win10v2004-20231215-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
submitted: 27/01/2024, 11:20

Static task: static1
Behavioral task: behavioral1
  Sample: 7a1a1c22194467c8c74bcbda6cbd34b9.exe
  Resource: win7-20231215-en
Behavioral task: behavioral2
  Sample: 7a1a1c22194467c8c74bcbda6cbd34b9.exe
  Resource: win10v2004-20231215-en

General
Target: 7a1a1c22194467c8c74bcbda6cbd34b9.exe
Size: 846KB
MD5: 7a1a1c22194467c8c74bcbda6cbd34b9
SHA1: 89fe782d41d53e095df7caa7ad02b9b3e83a0a6a
SHA256: 4ff1a30034dbe892cf2e7d6cea3fb4529c51808dd9341e5b653a3bc2857fa31c
SHA512: f54898bd002be6229d56652638e7135fc48a8c30a880e53b6edd5df8ef8b2cef26d82bc88afd2e5ce17f8e717b513af70d4d8823066dfd8378bbe2675d03c862
SSDEEP: 12288:c+m5GlBZnSf37NmpPk7HXk/U1Ck5Y0CjB+qpUkxcE3v0afRD:Vm56ZAmpPQXkM1Cf0CjB+qpVJvHJD

Malware Config
Extracted family: warzonerat
C2: 194.5.97.21:3650
Signatures

WarzoneRat, AveMaria
WarzoneRat (also sold as AveMaria) is a native RAT written in C++ with multiple plugins, sold as malware-as-a-service (MaaS).

Warzone RAT payload (4 IoCs)
resource | yara_rule
behavioral2/memory/3920-17-0x0000000000400000-0x0000000000554000-memory.dmp | warzonerat
behavioral2/memory/3920-20-0x0000000000400000-0x0000000000554000-memory.dmp | warzonerat
behavioral2/memory/3920-21-0x0000000000400000-0x0000000000554000-memory.dmp | warzonerat
behavioral2/memory/3920-76-0x0000000000400000-0x0000000000554000-memory.dmp | warzonerat

Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely for geofencing.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\Control Panel\International\Geo\Nation | 7a1a1c22194467c8c74bcbda6cbd34b9.exe

Drops startup file (2 IoCs)
description | ioc | Process
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\programs.bat:start | 7a1a1c22194467c8c74bcbda6cbd34b9.exe
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\programs.bat | 7a1a1c22194467c8c74bcbda6cbd34b9.exe

Suspicious use of SetThreadContext (1 IoC)
description | pid | Process | procid_target
PID 3108 set thread context of 3920 | 3108 | 7a1a1c22194467c8c74bcbda6cbd34b9.exe | 98

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Creates scheduled task(s) (1 TTP, 1 IoC)
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid | Process
820 | schtasks.exe

NTFS ADS (2 IoCs)
description | ioc | Process
File created | C:\ProgramData:ApplicationData | 7a1a1c22194467c8c74bcbda6cbd34b9.exe
File opened for modification | C:\ProgramData:ApplicationData | 7a1a1c22194467c8c74bcbda6cbd34b9.exe

Suspicious behavior: EnumeratesProcesses (5 IoCs)
pid | Process
3108 | 7a1a1c22194467c8c74bcbda6cbd34b9.exe
3108 | 7a1a1c22194467c8c74bcbda6cbd34b9.exe
3108 | 7a1a1c22194467c8c74bcbda6cbd34b9.exe
5040 | powershell.exe
5040 | powershell.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 3108 | 7a1a1c22194467c8c74bcbda6cbd34b9.exe
Token: SeDebugPrivilege | 5040 | powershell.exe

Suspicious use of WriteProcessMemory (22 IoCs; identical rows collapsed, with the number of occurrences in the last column)
description | pid | Process | procid_target | count
PID 3108 wrote to memory of 820 | 3108 | 7a1a1c22194467c8c74bcbda6cbd34b9.exe | 97 | 3
PID 3108 wrote to memory of 3920 | 3108 | 7a1a1c22194467c8c74bcbda6cbd34b9.exe | 98 | 11
PID 3920 wrote to memory of 5040 | 3920 | 7a1a1c22194467c8c74bcbda6cbd34b9.exe | 100 | 3
PID 3920 wrote to memory of 2620 | 3920 | 7a1a1c22194467c8c74bcbda6cbd34b9.exe | 102 | 5
Processes
(indentation shows parent/child depth)

C:\Users\Admin\AppData\Local\Temp\7a1a1c22194467c8c74bcbda6cbd34b9.exe (PID 3108)
Command line: "C:\Users\Admin\AppData\Local\Temp\7a1a1c22194467c8c74bcbda6cbd34b9.exe"
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\schtasks.exe (PID 820)
    Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\YSRfcsouWuAP" /XML "C:\Users\Admin\AppData\Local\Temp\tmp3B4.tmp"
    - Creates scheduled task(s)

    C:\Users\Admin\AppData\Local\Temp\7a1a1c22194467c8c74bcbda6cbd34b9.exe (PID 3920)
    Command line: "C:\Users\Admin\AppData\Local\Temp\7a1a1c22194467c8c74bcbda6cbd34b9.exe"
    - Drops startup file
    - NTFS ADS
    - Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 5040)
        Command line: powershell Add-MpPreference -ExclusionPath C:\
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken

        C:\Windows\SysWOW64\cmd.exe (PID 2620)
        Command line: "C:\Windows\System32\cmd.exe"
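The signatures and process tree above give a compact picture of what this sample leaves on a host: the parent (PID 3108) writes into a second copy of itself (PID 3920) and sets its thread context, and the Warzone YARA hits land in that child's image region (0x400000-0x554000), which is consistent with the packer handing the decoded RAT to a suspended copy of itself; the child then registers a scheduled task under "Updates\", drops programs.bat (with a "start" alternate data stream) into the Startup folder, writes an "ApplicationData" stream onto C:\ProgramData, and runs "powershell Add-MpPreference -ExclusionPath C:\" to exclude the whole system drive from Defender. The children run from SysWOW64 even though the command lines say System32, so the sample is a 32-bit image running under WoW64. The following PowerShell hunting script is an added example, not part of the tria.ge report or of the sandbox's own tooling; it checks a single Windows host for those artifacts plus a live connection to the extracted C2. It assumes the task name suffix ("YSRfcsouWuAP") is random per sample, so it matches on the "\Updates\" task path only; it looks in the current user's Startup folder rather than the sandbox's C:\Users\Admin; and the whole-drive regex is my own heuristic, not something the report states.

```powershell
# Added hunting script (not from the tria.ge report). Run from an elevated
# 64-bit PowerShell; needs the Defender, ScheduledTasks and NetTCPIP modules.
$findings = @()

# 1. Defender exclusion covering a whole drive (report: Add-MpPreference -ExclusionPath C:\).
#    Assumption: any exclusion that is just "<letter>:" or "<letter>:\" is suspicious.
$prefs = Get-MpPreference -ErrorAction SilentlyContinue
if ($prefs -and $prefs.ExclusionPath) {
    foreach ($p in $prefs.ExclusionPath) {
        if ($p -match '^[A-Za-z]:\\?$') {
            $findings += "Defender exclusion covers an entire drive: $p"
        }
    }
}

# 2. Scheduled task under \Updates\ (report: schtasks /Create /TN "Updates\<random>" /XML <tmp file>).
#    Assumption: the task name is random per sample, so only the folder is matched.
Get-ScheduledTask -TaskPath '\Updates\' -ErrorAction SilentlyContinue | ForEach-Object {
    $actions = ($_.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)" }) -join '; '
    $findings += "Scheduled task '$($_.TaskName)' in \Updates\ runs: $actions"
}

# 3. Startup-folder .bat files and their alternate data streams
#    (report: ...\Startup\programs.bat and ...\Startup\programs.bat:start).
#    Assumption: we check the current user's profile, not C:\Users\Admin.
$startup = Join-Path $env:APPDATA 'Microsoft\Windows\Start Menu\Programs\Startup'
Get-ChildItem -Path $startup -Filter '*.bat' -File -ErrorAction SilentlyContinue | ForEach-Object {
    $streams = Get-Item -Path $_.FullName -Stream * -ErrorAction SilentlyContinue |
               Where-Object { $_.Stream -ne ':$DATA' }          # drop the default data stream
    $names = ($streams | ForEach-Object { $_.Stream }) -join ','
    $findings += "Startup script $($_.FullName) (extra streams: $names)"
}

# 4. "ApplicationData" alternate data stream on the C:\ProgramData directory (report: NTFS ADS).
$ads = Get-Item -Path 'C:\ProgramData' -Stream * -ErrorAction SilentlyContinue |
       Where-Object { $_.Stream -eq 'ApplicationData' }
if ($ads) {
    $findings += "ADS C:\ProgramData:ApplicationData present ($($ads.Length) bytes)"
}

# 5. Live TCP connection to the extracted C2 (report: 194.5.97.21:3650).
Get-NetTCPConnection -RemoteAddress '194.5.97.21' -RemotePort 3650 -ErrorAction SilentlyContinue |
    ForEach-Object {
        $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
        $findings += "Connection to C2 from PID $($_.OwningProcess) ($($proc.ProcessName)), state $($_.State)"
    }

if ($findings.Count -eq 0) {
    Write-Output 'No artifacts from this report found on this host.'
} else {
    $findings | ForEach-Object { Write-Output "[!] $_" }
}
```

Two of these checks are worth keeping even outside this sample: a Defender exclusion for an entire drive is never a legitimate configuration, and a scheduled task created from an XML file in %TEMP% under a generic folder such as \Updates\ is a pattern shared by many packers, so both make good standing detections rather than one-off IoC matches. The C2 check only fires while the connection is open; for historical coverage, search proxy or NetFlow logs for the same address and port instead.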
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 60B
MD5: d17fe0a3f47be24a6453e9ef58c94641
SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82