Analysis
max time kernel: 118s
max time network: 118s
platform: windows7_x64
resource: win7-20231129-en
resource tags: arch:x64, arch:x86, image:win7-20231129-en, locale:en-us, os:windows7-x64, system
submitted: 28/01/2024, 10:14
Static task: static1

Behavioral task: behavioral1
  Sample: 7cdbaac6ce5de3023ac8b8ebf17cbb1f.exe
  Resource: win7-20231129-en

Behavioral task: behavioral2
  Sample: 7cdbaac6ce5de3023ac8b8ebf17cbb1f.exe
  Resource: win10v2004-20231215-en
General
Target: 7cdbaac6ce5de3023ac8b8ebf17cbb1f.exe
Size: 594KB
MD5: 7cdbaac6ce5de3023ac8b8ebf17cbb1f
SHA1: 6afb2bcf49cdca85a4781ffe7816a2551329e41e
SHA256: a98237e2ebf6a05173e905842d88a2fa8e721b1cff76942ff3bd99176a35c18f
SHA512: ba6fde3df44ee3bfccdc95000769f5544f98d2f9fc5eb8c8032d533c952c2d08e4cec7aa54e76adf06c4375f0d1d00a6b3d3292762d14a6dadd1069b2c944451
SSDEEP: 12288:tGHDaMeQpcG3QqawUHpaUPZmCS6QfDLEILJuw0WV/K475xQD:t41eQpcGgqgaUPZmFxf8I1ue
Malware Config (extracted)
Family: warzonerat
C2: 20.150.137.35:7400
Signatures

WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.

Warzone RAT payload (6 IoCs)
resource | yara_rule
behavioral1/memory/2700-19-0x0000000000400000-0x0000000000554000-memory.dmp | warzonerat
behavioral1/memory/2700-27-0x0000000000400000-0x0000000000554000-memory.dmp | warzonerat
behavioral1/memory/2700-25-0x0000000000400000-0x0000000000554000-memory.dmp | warzonerat
behavioral1/memory/2700-21-0x0000000000400000-0x0000000000554000-memory.dmp | warzonerat
behavioral1/memory/2700-17-0x0000000000400000-0x0000000000554000-memory.dmp | warzonerat
behavioral1/memory/2700-16-0x0000000000400000-0x0000000000554000-memory.dmp | warzonerat

Suspicious use of SetThreadContext (1 IoC)
description | pid | Process | procid_target
PID 2360 set thread context of 2700 | 2360 | 7cdbaac6ce5de3023ac8b8ebf17cbb1f.exe | 29

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Program crash (1 IoC)
pid | pid_target | Process | procid_target
2564 | 2700 | WerFault.exe | 29

Creates scheduled task(s) (1 TTP, 1 IoC)
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid | Process
2604 | schtasks.exe

Suspicious use of WriteProcessMemory (20 IoCs)
description | pid | Process | procid_target
PID 2360 wrote to memory of 2604 | 2360 | 7cdbaac6ce5de3023ac8b8ebf17cbb1f.exe | 28
PID 2360 wrote to memory of 2604 | 2360 | 7cdbaac6ce5de3023ac8b8ebf17cbb1f.exe | 28
PID 2360 wrote to memory of 2604 | 2360 | 7cdbaac6ce5de3023ac8b8ebf17cbb1f.exe | 28
PID 2360 wrote to memory of 2604 | 2360 | 7cdbaac6ce5de3023ac8b8ebf17cbb1f.exe | 28
PID 2360 wrote to memory of 2700 | 2360 | 7cdbaac6ce5de3023ac8b8ebf17cbb1f.exe | 29
PID 2360 wrote to memory of 2700 | 2360 | 7cdbaac6ce5de3023ac8b8ebf17cbb1f.exe | 29
PID 2360 wrote to memory of 2700 | 2360 | 7cdbaac6ce5de3023ac8b8ebf17cbb1f.exe | 29
PID 2360 wrote to memory of 2700 | 2360 | 7cdbaac6ce5de3023ac8b8ebf17cbb1f.exe | 29
PID 2360 wrote to memory of 2700 | 2360 | 7cdbaac6ce5de3023ac8b8ebf17cbb1f.exe | 29
PID 2360 wrote to memory of 2700 | 2360 | 7cdbaac6ce5de3023ac8b8ebf17cbb1f.exe | 29
PID 2360 wrote to memory of 2700 | 2360 | 7cdbaac6ce5de3023ac8b8ebf17cbb1f.exe | 29
PID 2360 wrote to memory of 2700 | 2360 | 7cdbaac6ce5de3023ac8b8ebf17cbb1f.exe | 29
PID 2360 wrote to memory of 2700 | 2360 | 7cdbaac6ce5de3023ac8b8ebf17cbb1f.exe | 29
PID 2360 wrote to memory of 2700 | 2360 | 7cdbaac6ce5de3023ac8b8ebf17cbb1f.exe | 29
PID 2360 wrote to memory of 2700 | 2360 | 7cdbaac6ce5de3023ac8b8ebf17cbb1f.exe | 29
PID 2360 wrote to memory of 2700 | 2360 | 7cdbaac6ce5de3023ac8b8ebf17cbb1f.exe | 29
PID 2700 wrote to memory of 2564 | 2700 | 7cdbaac6ce5de3023ac8b8ebf17cbb1f.exe | 31
PID 2700 wrote to memory of 2564 | 2700 | 7cdbaac6ce5de3023ac8b8ebf17cbb1f.exe | 31
PID 2700 wrote to memory of 2564 | 2700 | 7cdbaac6ce5de3023ac8b8ebf17cbb1f.exe | 31
PID 2700 wrote to memory of 2564 | 2700 | 7cdbaac6ce5de3023ac8b8ebf17cbb1f.exe | 31
Processes (process tree, depth shown by indentation)

C:\Users\Admin\AppData\Local\Temp\7cdbaac6ce5de3023ac8b8ebf17cbb1f.exe (PID 2360)
  Command line: "C:\Users\Admin\AppData\Local\Temp\7cdbaac6ce5de3023ac8b8ebf17cbb1f.exe"
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\schtasks.exe (PID 2604)
      Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\AGZlgTRPpoZZj" /XML "C:\Users\Admin\AppData\Local\Temp\tmpC88D.tmp"
      - Creates scheduled task(s)

    C:\Users\Admin\AppData\Local\Temp\7cdbaac6ce5de3023ac8b8ebf17cbb1f.exe (PID 2700)
      Command line: "C:\Users\Admin\AppData\Local\Temp\7cdbaac6ce5de3023ac8b8ebf17cbb1f.exe"
      - Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\WerFault.exe (PID 2564)
          Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2700 -s 200
          - Program crash