Analysis

  • max time kernel
    127s
  • max time network
    149s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231222-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20231222-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    28/01/2024, 07:47

General

  • Target

    7c8df85e9bea7559e0addd33afc5273e49eb863c4c15f6c4c7d3fbae3eb3c55c.exe

  • Size

    536KB

  • MD5

    56e8402d0a1e55ebf85b38aab8fdcee1

  • SHA1

    0114708fadf2499b4ab2a8b35899ba9516287bc6

  • SHA256

    7c8df85e9bea7559e0addd33afc5273e49eb863c4c15f6c4c7d3fbae3eb3c55c

  • SHA512

    f888b3001768b46cd0dfa497f4dc063475371df14b899d025b230bf21c921ba00207a4a80e4243f05881b662be5b5ecd301f1b30ca62792a6885c370c0de1716

  • SSDEEP

    12288:nKymomWOHSCqk6WHUeqw+YFPn2swvTtwa2f2g7IH/od34/bW:Xb/Bf5wU/2Z2bV2f2Zgx4/

Malware Config

Extracted

Family

warzonerat

C2

74.50.93.170:4040

Signatures

  • WarzoneRat, AveMaria

    WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.

  • Warzone RAT payload 6 IoCs
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 2 IoCs
  • Executes dropped EXE 2 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Suspicious use of SetThreadContext 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 2 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • NTFS ADS 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 14 IoCs
  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Suspicious use of WriteProcessMemory 51 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\7c8df85e9bea7559e0addd33afc5273e49eb863c4c15f6c4c7d3fbae3eb3c55c.exe
    "C:\Users\Admin\AppData\Local\Temp\7c8df85e9bea7559e0addd33afc5273e49eb863c4c15f6c4c7d3fbae3eb3c55c.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1356
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\hDGbEat.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4840
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\hDGbEat" /XML "C:\Users\Admin\AppData\Local\Temp\tmp95B8.tmp"
      2⤵
      • Creates scheduled task(s)
      PID:2688
    • C:\Users\Admin\AppData\Local\Temp\7c8df85e9bea7559e0addd33afc5273e49eb863c4c15f6c4c7d3fbae3eb3c55c.exe
      "C:\Users\Admin\AppData\Local\Temp\7c8df85e9bea7559e0addd33afc5273e49eb863c4c15f6c4c7d3fbae3eb3c55c.exe"
      2⤵
        PID:1196
      • C:\Users\Admin\AppData\Local\Temp\7c8df85e9bea7559e0addd33afc5273e49eb863c4c15f6c4c7d3fbae3eb3c55c.exe
        "C:\Users\Admin\AppData\Local\Temp\7c8df85e9bea7559e0addd33afc5273e49eb863c4c15f6c4c7d3fbae3eb3c55c.exe"
        2⤵
        • Drops startup file
        • Adds Run key to start application
        • NTFS ADS
        • Suspicious use of WriteProcessMemory
        PID:2964
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          powershell Add-MpPreference -ExclusionPath C:\
          3⤵
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:4848
        • C:\Users\Admin\Documents\Bins.exe
          "C:\Users\Admin\Documents\Bins.exe"
          3⤵
          • Checks computer location settings
          • Executes dropped EXE
          • Suspicious use of SetThreadContext
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:4336
          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\hDGbEat.exe"
            4⤵
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1396
          • C:\Windows\SysWOW64\schtasks.exe
            "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\hDGbEat" /XML "C:\Users\Admin\AppData\Local\Temp\tmpF211.tmp"
            4⤵
            • Creates scheduled task(s)
            PID:4820
          • C:\Users\Admin\Documents\Bins.exe
            "C:\Users\Admin\Documents\Bins.exe"
            4⤵
            • Executes dropped EXE
            • Suspicious use of WriteProcessMemory
            PID:4800
            • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
              powershell Add-MpPreference -ExclusionPath C:\
              5⤵
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:3712
            • C:\Windows\SysWOW64\cmd.exe
              "C:\Windows\System32\cmd.exe"
              5⤵
                PID:1804

      Downloads

      • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

        Filesize

        2KB

        MD5

        3d086a433708053f9bf9523e1d87a4e8

        SHA1

        b3ab5d4f282a4c8fe8c3005b8a557ed5a0e37f28

        SHA256

        6f8fd1b8d9788ad54eaeee329232187e24b7b43393a01aeba2d6e9675231fb69

        SHA512

        931ae42b4c68a4507ff2342332b08eb407050d47cf4176137ea022d0f6e513c689e998445a04c6d18d4877391705c586bfce0234632b898d41aaed0957996dfd

      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

        Filesize

        18KB

        MD5

        dcfe886df91924bd87a9f6455b0cbbc8

        SHA1

        701d179ddc4aebb8ace4af908d4f13a7b85db9a7

        SHA256

        7229005ba03c8e5b45aa6b50eced069e916272c0c54b97feca52784c18afe65b

        SHA512

        7eb19235fbbed1c071ae6f8ada3d2e08f89d398f9cf4aba7f6c57e908fedeab5b55366c60c790b2c77a5d5a9eb23947e316838bbf9ba9083e164e3f1255fa601

      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

        Filesize

        18KB

        MD5

        1b4073b55d8750eb32ecc705efd0711d

        SHA1

        47cc101e4e5d7c180f98adce4795f397d1a593ef

        SHA256

        f40c878ffad3e8ba21243c3514cf13c50067cb1d9b6ba650101b5f9b7af9af90

        SHA512

        4e64fbd757d27dd7779efe8c544bcb52c6f9c0d85945defeaf2f3c20f8a7347552095f0b01dbc3cdd3213bb1cd8c11342f7e6646ae8b5eaf20c7616d2005f14b

      • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_gl1ehsr5.2jo.ps1

        Filesize

        60B

        MD5

        d17fe0a3f47be24a6453e9ef58c94641

        SHA1

        6ab83620379fc69f80c0242105ddffd7d98d5d9d

        SHA256

        96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

        SHA512

        5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

      • C:\Users\Admin\AppData\Local\Temp\tmp95B8.tmp

        Filesize

        1KB

        MD5

        3715384c43cc348d40a6da3deee9cacb

        SHA1

        efb1d500950e50aac89a36d5352e3b3e4bb9d459

        SHA256

        f5bafa3c9b6938a503f2482bae44b31d48a2a030c66cbe910fbd02a71bb3e171

        SHA512

        0b2c63175d6b82d200f9008e08614d8ec83803814c5e2b4e0f392174fb05d372e212d36f252f2c5465a8ba5f42ae6f1ef13b2b62d7722a62a811da48f3104a9d

      • C:\Users\Admin\Documents\Bins.exe

        Filesize

        536KB

        MD5

        56e8402d0a1e55ebf85b38aab8fdcee1

        SHA1

        0114708fadf2499b4ab2a8b35899ba9516287bc6

        SHA256

        7c8df85e9bea7559e0addd33afc5273e49eb863c4c15f6c4c7d3fbae3eb3c55c

        SHA512

        f888b3001768b46cd0dfa497f4dc063475371df14b899d025b230bf21c921ba00207a4a80e4243f05881b662be5b5ecd301f1b30ca62792a6885c370c0de1716

      • C:\Users\Admin\Documents\Bins.exe

        Filesize

        436KB

        MD5

        c2e3c74dd0281dabef41195925dcc5be

        SHA1

        3093ff72756f0d6774136a8ec5bef33a01ca215f

        SHA256

        da59dd8cfeb73d2498303dbe4142c230923c7aa6032e92cf9411338e54ccb01e

        SHA512

        5eb745a1e163bb0de311f7b7bda0b6fc69984879438e968f0e1c153f8a7946ba24e16332e2eb0f3ae0210afcfe26e37c52fbc41208e537070387d86aab717afd
