Analysis

  • max time kernel
    148s
  • max time network
    118s
  • platform
    windows7_x64
  • resource
    win7-20231129-en
  • resource tags
    arch:x64 arch:x86 image:win7-20231129-en locale:en-us os:windows7-x64 system
  • submitted
    28/01/2024, 07:47

General

  • Target

    7c8df85e9bea7559e0addd33afc5273e49eb863c4c15f6c4c7d3fbae3eb3c55c.exe

  • Size

    536KB

  • MD5

    56e8402d0a1e55ebf85b38aab8fdcee1

  • SHA1

    0114708fadf2499b4ab2a8b35899ba9516287bc6

  • SHA256

    7c8df85e9bea7559e0addd33afc5273e49eb863c4c15f6c4c7d3fbae3eb3c55c

  • SHA512

    f888b3001768b46cd0dfa497f4dc063475371df14b899d025b230bf21c921ba00207a4a80e4243f05881b662be5b5ecd301f1b30ca62792a6885c370c0de1716

  • SSDEEP

    12288:nKymomWOHSCqk6WHUeqw+YFPn2swvTtwa2f2g7IH/od34/bW:Xb/Bf5wU/2Z2bV2f2Zgx4/

Malware Config

Signatures

  • WarzoneRat, AveMaria

    WarzoneRat (also tracked as AveMaria) is a native C++ RAT with multiple plugins, sold as malware-as-a-service (MaaS).

  • Warzone RAT payload 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\7c8df85e9bea7559e0addd33afc5273e49eb863c4c15f6c4c7d3fbae3eb3c55c.exe
    "C:\Users\Admin\AppData\Local\Temp\7c8df85e9bea7559e0addd33afc5273e49eb863c4c15f6c4c7d3fbae3eb3c55c.exe"
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1936
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\hDGbEat.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2092
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\hDGbEat" /XML "C:\Users\Admin\AppData\Local\Temp\tmp563B.tmp"
      2⤵
      • Creates scheduled task(s)
      PID:2604
    • C:\Users\Admin\AppData\Local\Temp\7c8df85e9bea7559e0addd33afc5273e49eb863c4c15f6c4c7d3fbae3eb3c55c.exe
      "C:\Users\Admin\AppData\Local\Temp\7c8df85e9bea7559e0addd33afc5273e49eb863c4c15f6c4c7d3fbae3eb3c55c.exe"
      2⤵
      PID:2584
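
    The two children above (PID 2092 adding a Defender exclusion for the dropped copy, PID 2604 registering a scheduled task from a .tmp XML definition) together with the re-launch of the sample as PID 2584 are the chain a detection should key on. Note that the parent is a 32-bit process: the command lines name System32, but the images actually executed are under SysWOW64 because of WOW64 file-system redirection, so rules keyed on the image path must match both. The following is an added example, not part of the tria.ge report or of the sample: a Python rule set run over constructed Sysmon Event ID 1-style JSON records that copy the PIDs, images and command lines from the tree (the parent of PID 1936 and the benign control event are invented). It generalises slightly beyond the page: it also catches Set-MpPreference exclusion parameters and a schtasks /TR target in a user-writable directory, and it correlates findings by parent PID so the full sequence surfaces as one chain.

```python
"""Flag the evasion/persistence chain in the process tree above over
constructed Sysmon Event ID 1-style records (one JSON object per line)."""
import json
import re
from collections import defaultdict

# --- constructed input ------------------------------------------------------
# PIDs, images and command lines are copied from the report's process tree;
# the parent of PID 1936 and the benign control event are made up.
SAMPLE_EXE = (r"C:\Users\Admin\AppData\Local\Temp"
              r"\7c8df85e9bea7559e0addd33afc5273e49eb863c4c15f6c4c7d3fbae3eb3c55c.exe")
SAMPLE_EVENTS = [json.dumps(e) for e in (
    {"ProcessId": 1936, "Image": SAMPLE_EXE, "CommandLine": f'"{SAMPLE_EXE}"',
     "ParentProcessId": 1700, "ParentImage": r"C:\Windows\explorer.exe"},
    # 32-bit parent: System32 in the command line is redirected to SysWOW64 on disk.
    {"ProcessId": 2092, "Image": r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" '
                    r'Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\hDGbEat.exe"',
     "ParentProcessId": 1936, "ParentImage": SAMPLE_EXE},
    {"ProcessId": 2604, "Image": r"C:\Windows\SysWOW64\schtasks.exe",
     "CommandLine": r'"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\hDGbEat" '
                    r'/XML "C:\Users\Admin\AppData\Local\Temp\tmp563B.tmp"',
     "ParentProcessId": 1936, "ParentImage": SAMPLE_EXE},
    {"ProcessId": 2584, "Image": SAMPLE_EXE, "CommandLine": f'"{SAMPLE_EXE}"',
     "ParentProcessId": 1936, "ParentImage": SAMPLE_EXE},
    # Benign control (invented): interactive PowerShell doing nothing of interest.
    {"ProcessId": 3000, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe Get-MpComputerStatus",
     "ParentProcessId": 900, "ParentImage": r"C:\Windows\explorer.exe"},
)]

# --- rules ------------------------------------------------------------------
RE_USER_WRITABLE = re.compile(
    r"\\Users\\[^\\]+\\(?:AppData|Downloads|Desktop)\\", re.IGNORECASE)
RE_MP_EXCLUSION = re.compile(
    r"\b(?:Add|Set)-MpPreference\b.*?-Exclusion(?:Path|Process|Extension|IpAddress)"
    r'\s+("[^"]*"|\S+)', re.IGNORECASE)


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def split_args(cmdline):
    """Tokenise a Windows command line: double-quoted spans stay whole and
    backslashes are literal (shlex's POSIX escaping rules would mangle them)."""
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmdline)]


def switch_value(args, name):
    """Value following a case-insensitive schtasks switch such as /TN, or None."""
    for i in range(len(args) - 1):
        if args[i].lower() == name.lower():
            return args[i + 1]
    return None


def rule_defender_exclusion(ev):
    if basename(ev["Image"]) not in ("powershell.exe", "pwsh.exe"):
        return None
    m = RE_MP_EXCLUSION.search(ev["CommandLine"])
    if not m:
        return None
    return {"rule": "defender-exclusion", "detail": m.group(1).strip('"')}


def rule_schtasks_create(ev):
    if basename(ev["Image"]) != "schtasks.exe":
        return None
    args = split_args(ev["CommandLine"])
    if "/create" not in {a.lower() for a in args}:
        return None
    xml, run, name = (switch_value(args, s) for s in ("/XML", "/TR", "/TN"))
    # A definition or target fed from a user-writable directory, or a parent
    # living in one, is the persistence pattern seen in the tree above.
    if not any(p and RE_USER_WRITABLE.search(p) for p in (xml, run, ev["ParentImage"])):
        return None
    return {"rule": "schtasks-create", "detail": f"{name} <- {xml or run}"}


def rule_self_spawn(ev):
    # Same image re-launched from a user-writable path (the PID 2584 pattern):
    # a child the parent can then write into, as the WriteProcessMemory signature suggests.
    if ev["Image"].lower() == ev["ParentImage"].lower() and RE_USER_WRITABLE.search(ev["Image"]):
        return {"rule": "self-spawn-from-user-dir", "detail": basename(ev["Image"])}
    return None


RULES = (rule_defender_exclusion, rule_schtasks_create, rule_self_spawn)


def analyze(lines):
    """Return per-process findings plus the parent PIDs that chained a Defender
    exclusion with a scheduled-task creation (the full sequence seen above)."""
    findings = []
    for line in lines:
        ev = json.loads(line)
        for rule in RULES:
            hit = rule(ev)
            if hit:
                findings.append({**hit, "pid": ev["ProcessId"], "parent": ev["ParentProcessId"]})
    rules_by_parent = defaultdict(set)
    for f in findings:
        rules_by_parent[f["parent"]].add(f["rule"])
    chains = sorted(pid for pid, rules in rules_by_parent.items()
                    if {"defender-exclusion", "schtasks-create"} <= rules)
    return {"findings": findings, "chains": chains}


if __name__ == "__main__":
    result = analyze(SAMPLE_EVENTS)
    for f in result["findings"]:
        print(f"pid {f['pid']} (parent {f['parent']}): {f['rule']} -> {f['detail']}")
    print("parents chaining exclusion + scheduled task:", result["chains"])
```

    Feed `analyze` real Sysmon or EDR process-creation records exported as JSON lines; the correlation on the parent PID is what separates this chain from an administrator who adds an exclusion from an interactive shell, which the control event above leaves unflagged.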

    Network

    MITRE ATT&CK Enterprise v15

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\tmp563B.tmp

      Filesize

      1KB

      MD5

      8799976004a4621dac11fd523e8ff5d7

      SHA1

      1e196a06adfb9f77355563f2bd378687a1cfb814

      SHA256

      e7c959277c76c61fcd8c31c06ed4a54c99dcae7955fa7986a8e40b61bb0d5a0f

      SHA512

      f1a2ffd5bc321109adcb7a6deacaf43dd5e4a9742c63ec1416c7cb284e171bfc79dd69d52f403c839c81092fe4f6f9b0af8903fd4db6cc44abca4abece1d6617

    • memory/1936-32-0x0000000004E20000-0x0000000004E60000-memory.dmp

      Filesize

      256KB

    • memory/1936-18-0x0000000074990000-0x000000007507E000-memory.dmp

      Filesize

      6.9MB

    • memory/1936-3-0x0000000000210000-0x0000000000224000-memory.dmp

      Filesize

      80KB

    • memory/1936-4-0x0000000000250000-0x000000000025A000-memory.dmp

      Filesize

      40KB

    • memory/1936-5-0x00000000002E0000-0x00000000002EE000-memory.dmp

      Filesize

      56KB

    • memory/1936-6-0x00000000020C0000-0x0000000002122000-memory.dmp

      Filesize

      392KB

    • memory/1936-2-0x0000000004E20000-0x0000000004E60000-memory.dmp

      Filesize

      256KB

    • memory/1936-1-0x0000000074990000-0x000000007507E000-memory.dmp

      Filesize

      6.9MB

    • memory/1936-0-0x0000000000AA0000-0x0000000000B2C000-memory.dmp

      Filesize

      560KB

    • memory/2092-30-0x0000000002AC0000-0x0000000002B00000-memory.dmp

      Filesize

      256KB

    • memory/2092-33-0x000000006ED50000-0x000000006F2FB000-memory.dmp

      Filesize

      5.7MB

    • memory/2092-27-0x000000006ED50000-0x000000006F2FB000-memory.dmp

      Filesize

      5.7MB

    • memory/2092-31-0x0000000002AC0000-0x0000000002B00000-memory.dmp

      Filesize

      256KB

    • memory/2092-29-0x0000000002AC0000-0x0000000002B00000-memory.dmp

      Filesize

      256KB

    • memory/2092-28-0x000000006ED50000-0x000000006F2FB000-memory.dmp

      Filesize

      5.7MB

    • memory/2584-19-0x0000000000400000-0x000000000055A000-memory.dmp

      Filesize

      1.4MB

    • memory/2584-25-0x0000000000400000-0x000000000055A000-memory.dmp

      Filesize

      1.4MB

    • memory/2584-23-0x0000000000400000-0x000000000055A000-memory.dmp

      Filesize

      1.4MB

    • memory/2584-21-0x0000000000400000-0x000000000055A000-memory.dmp

      Filesize

      1.4MB

    • memory/2584-20-0x0000000000400000-0x000000000055A000-memory.dmp

      Filesize

      1.4MB

    • memory/2584-16-0x0000000000400000-0x000000000055A000-memory.dmp

      Filesize

      1.4MB

    • memory/2584-14-0x0000000000400000-0x000000000055A000-memory.dmp

      Filesize

      1.4MB
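
    tmp563B.tmp above is the 1KB task definition that schtasks consumed via /XML; recovering such a file from the sandbox or from disk tells you what the task runs, how often and with what rights. The following parser is an added example, not part of the tria.ge report, and the embedded XML is a constructed, hypothetical stand-in for tmp563B.tmp, whose contents are not shown on this page: it assumes the task executes the path the sample excluded from Defender, C:\Users\Admin\AppData\Roaming\hDGbEat.exe, and uses typical trigger, principal and settings values. The schema namespace and element names are the real Task Scheduler ones; schtasks writes these files as UTF-16 with a BOM, which is why the sample is encoded that way before parsing.

```python
"""Triage a Task Scheduler XML definition of the kind schtasks /Create /XML
consumes (the report's tmp563B.tmp is one such file)."""
import re
import xml.etree.ElementTree as ET

TASK_NS = "http://schemas.microsoft.com/windows/2004/02/mit/task"
RE_USER_WRITABLE = re.compile(
    r"\\Users\\[^\\]+\\(?:AppData|Downloads|Desktop)\\"
    r"|%(?:APPDATA|LOCALAPPDATA|TEMP|TMP|USERPROFILE)%", re.IGNORECASE)
RE_MINUTES = re.compile(r"^PT(\d+)M$")

# Constructed, hypothetical stand-in for tmp563B.tmp, whose contents are not in
# the report. The Exec command reuses the path the sample excluded from Defender;
# triggers, principal and settings are typical values, not observed ones.
SAMPLE_TASK_XML = f"""<?xml version="1.0" encoding="UTF-16"?>
<Task version="1.2" xmlns="{TASK_NS}">
  <Triggers>
    <LogonTrigger>
      <Enabled>true</Enabled>
    </LogonTrigger>
    <TimeTrigger>
      <Repetition>
        <Interval>PT1M</Interval>
      </Repetition>
      <StartBoundary>2024-01-28T07:47:00</StartBoundary>
      <Enabled>true</Enabled>
    </TimeTrigger>
  </Triggers>
  <Principals>
    <Principal id="Author">
      <LogonType>InteractiveToken</LogonType>
      <RunLevel>HighestAvailable</RunLevel>
    </Principal>
  </Principals>
  <Settings>
    <Hidden>true</Hidden>
  </Settings>
  <Actions Context="Author">
    <Exec>
      <Command>C:\\Users\\Admin\\AppData\\Roaming\\hDGbEat.exe</Command>
    </Exec>
  </Actions>
</Task>
"""
# schtasks writes these files as UTF-16 with a BOM; keep the sample in that form.
SAMPLE_TASK_BYTES = SAMPLE_TASK_XML.encode("utf-16")


def _local(tag):
    """Strip the XML namespace so lookups work with or without xmlns."""
    return tag.rsplit("}", 1)[-1]


def _child(node, name):
    return next((c for c in node if _local(c.tag) == name), None)


def _text(node, *path):
    """Text of a nested element addressed by local names, or None if absent."""
    for name in path:
        node = _child(node, name) if node is not None else None
    return None if node is None else (node.text or "").strip()


def assess(info):
    """Heuristics a triage analyst applies to a recovered task definition."""
    flags = []
    for a in info["actions"]:
        if RE_USER_WRITABLE.search(a["command"]):
            flags.append(f"command in user-writable path: {a['command']}")
    for t in info["triggers"]:
        m = RE_MINUTES.match(t["interval"] or "")
        if m and int(m.group(1)) <= 5:
            flags.append(f"{t['type']} repeats every {t['interval']}")
        elif t["type"] == "LogonTrigger":
            flags.append("runs at user logon")
    if info["hidden"]:
        flags.append("hidden from the Task Scheduler UI")
    if info["run_level"] == "HighestAvailable":
        flags.append("requests HighestAvailable run level")
    return flags


def parse_task_xml(raw):
    """Extract triggers, principal, settings and Exec actions from task XML
    (bytes as read from disk, or an already decoded str) and attach triage flags."""
    root = ET.fromstring(raw)
    if _local(root.tag) != "Task":
        raise ValueError("not a Task Scheduler definition")
    triggers_node = _child(root, "Triggers")
    triggers = [{"type": _local(t.tag), "interval": _text(t, "Repetition", "Interval")}
                for t in (triggers_node if triggers_node is not None else [])]
    actions = [{"command": _text(e, "Command") or "", "arguments": _text(e, "Arguments") or ""}
               for e in root.iter() if _local(e.tag) == "Exec"]
    info = {
        "triggers": triggers,
        "actions": actions,
        "run_level": _text(root, "Principals", "Principal", "RunLevel"),
        "logon_type": _text(root, "Principals", "Principal", "LogonType"),
        "hidden": (_text(root, "Settings", "Hidden") or "false").lower() == "true",
    }
    info["flags"] = assess(info)
    return info


if __name__ == "__main__":
    import json
    print(json.dumps(parse_task_xml(SAMPLE_TASK_BYTES), indent=2))
```

    Read a recovered definition in binary mode and hand the bytes to `parse_task_xml` so the UTF-16 BOM is handled by the XML parser rather than by your text decoding; the same function accepts a str, and it ignores the namespace so definitions exported by schtasks /Query /XML and hand-written ones parse alike.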