Analysis
- max time kernel: 135s
- max time network: 147s
- platform: windows7_x64
- resource: win7-20231215-en
- resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
- submitted: 28/01/2024, 12:41
Static task: static1

Behavioral task: behavioral1
- Sample: Kavipsz.exe
- Resource: win7-20231215-en

Behavioral task: behavioral2
- Sample: Kavipsz.exe
- Resource: win10v2004-20231215-en
General
- Target: Kavipsz.exe
- Size: 10KB
- MD5: c2962aaa2e45754c27cfd561af655a64
- SHA1: 738bd61ccaad6cdba0e0c73241c57e936096fdc1
- SHA256: 29d974ba2b643abaea7868127dcd6cfd068242dda52dd816432448c862649908
- SHA512: e939b3115bc87c504b15473b1ff667d28b6eed376ad5511dca3ffe27a94b41b750a5b12b06f5df3e437b63bed539c0befcfc28963afb17985601dfe337d42e03
- SSDEEP: 192:xd5UZeTU9CIji4dcgh8V2PnHujraKj9Q:xdyZeUXj35SV2vHuraKj9
Malware Config
Extracted
- Family: warzonerat
- C2: bossnew.ddns.net:1001
Signatures

Detect ZGRat V1 (35 IoCs)
resource  yara_rule
behavioral1/memory/2504-37-0x0000000005270000-0x0000000005316000-memory.dmp  family_zgrat_v1
behavioral1/memory/2504-38-0x0000000005270000-0x000000000530F000-memory.dmp  family_zgrat_v1
behavioral1/memory/2504-39-0x0000000005270000-0x000000000530F000-memory.dmp  family_zgrat_v1
behavioral1/memory/2504-41-0x0000000005270000-0x000000000530F000-memory.dmp  family_zgrat_v1
behavioral1/memory/2504-43-0x0000000005270000-0x000000000530F000-memory.dmp  family_zgrat_v1
behavioral1/memory/2504-55-0x0000000005270000-0x000000000530F000-memory.dmp  family_zgrat_v1
behavioral1/memory/2504-53-0x0000000005270000-0x000000000530F000-memory.dmp  family_zgrat_v1
behavioral1/memory/2504-57-0x0000000005270000-0x000000000530F000-memory.dmp  family_zgrat_v1
behavioral1/memory/2504-59-0x0000000005270000-0x000000000530F000-memory.dmp  family_zgrat_v1
behavioral1/memory/2504-61-0x0000000005270000-0x000000000530F000-memory.dmp  family_zgrat_v1
behavioral1/memory/2504-51-0x0000000005270000-0x000000000530F000-memory.dmp  family_zgrat_v1
behavioral1/memory/2504-49-0x0000000005270000-0x000000000530F000-memory.dmp  family_zgrat_v1
behavioral1/memory/2504-47-0x0000000005270000-0x000000000530F000-memory.dmp  family_zgrat_v1
behavioral1/memory/2504-45-0x0000000005270000-0x000000000530F000-memory.dmp  family_zgrat_v1
behavioral1/memory/2504-69-0x0000000005270000-0x000000000530F000-memory.dmp  family_zgrat_v1
behavioral1/memory/2504-67-0x0000000005270000-0x000000000530F000-memory.dmp  family_zgrat_v1
behavioral1/memory/2504-71-0x0000000005270000-0x000000000530F000-memory.dmp  family_zgrat_v1
behavioral1/memory/2504-87-0x0000000005270000-0x000000000530F000-memory.dmp  family_zgrat_v1
behavioral1/memory/2504-89-0x0000000005270000-0x000000000530F000-memory.dmp  family_zgrat_v1
behavioral1/memory/2504-95-0x0000000005270000-0x000000000530F000-memory.dmp  family_zgrat_v1
behavioral1/memory/2504-97-0x0000000005270000-0x000000000530F000-memory.dmp  family_zgrat_v1
behavioral1/memory/2504-99-0x0000000005270000-0x000000000530F000-memory.dmp  family_zgrat_v1
behavioral1/memory/2504-101-0x0000000005270000-0x000000000530F000-memory.dmp  family_zgrat_v1
behavioral1/memory/2504-93-0x0000000005270000-0x000000000530F000-memory.dmp  family_zgrat_v1
behavioral1/memory/2504-91-0x0000000005270000-0x000000000530F000-memory.dmp  family_zgrat_v1
behavioral1/memory/2504-85-0x0000000005270000-0x000000000530F000-memory.dmp  family_zgrat_v1
behavioral1/memory/2504-83-0x0000000005270000-0x000000000530F000-memory.dmp  family_zgrat_v1
behavioral1/memory/2504-81-0x0000000005270000-0x000000000530F000-memory.dmp  family_zgrat_v1
behavioral1/memory/2504-79-0x0000000005270000-0x000000000530F000-memory.dmp  family_zgrat_v1
behavioral1/memory/2504-77-0x0000000005270000-0x000000000530F000-memory.dmp  family_zgrat_v1
behavioral1/memory/2504-75-0x0000000005270000-0x000000000530F000-memory.dmp  family_zgrat_v1
behavioral1/memory/2504-73-0x0000000005270000-0x000000000530F000-memory.dmp  family_zgrat_v1
behavioral1/memory/2504-65-0x0000000005270000-0x000000000530F000-memory.dmp  family_zgrat_v1
behavioral1/memory/2504-63-0x0000000005270000-0x000000000530F000-memory.dmp  family_zgrat_v1
behavioral1/memory/544-1001-0x00000000055A0000-0x0000000005646000-memory.dmp  family_zgrat_v1
WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins, sold as a MaaS.

Warzone RAT payload (4 IoCs)
resource  yara_rule
behavioral1/memory/2256-990-0x0000000000400000-0x0000000000554000-memory.dmp  warzonerat
behavioral1/memory/2256-997-0x0000000000400000-0x0000000000554000-memory.dmp  warzonerat
behavioral1/memory/1316-1956-0x0000000000400000-0x0000000000554000-memory.dmp  warzonerat
behavioral1/memory/1316-1957-0x0000000000400000-0x0000000000554000-memory.dmp  warzonerat
Drops startup file (2 IoCs)
description  ioc  Process
File created  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Bqkmarzra.vbs  Kavipsz.exe
File opened for modification  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Bqkmarzra.vbs  bab.exe

Executes dropped EXE (2 IoCs)
pid  Process
544  bab.exe
1316  bab.exe

Loads dropped DLL (1 IoC)
pid  Process
2256  Kavipsz.exe

Adds Run key to start application (2 TTPs, 1 IoC)
description  ioc  Process
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\bab = "C:\\ProgramData\\bab.exe"  Kavipsz.exe

Suspicious use of SetThreadContext (2 IoCs)
description  pid  Process  procid_target
PID 2504 set thread context of 2256  2504  Kavipsz.exe  30
PID 544 set thread context of 1316  544  bab.exe  32

Modifies system certificate store
description  ioc  Process
Set value (data)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = (blob data not included in this page)  bab.exe
Key created  \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474  bab.exe
Set value (data)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = (blob data not included in this page)  bab.exe
Set value (data)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = (blob data not included in this page)  bab.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)
description  pid  Process
Token: SeDebugPrivilege  2504  Kavipsz.exe
Token: SeDebugPrivilege  544  bab.exe

Suspicious use of WriteProcessMemory (28 IoCs; identical rows collapsed with a count)
description  pid  Process  procid_target  count
PID 2504 wrote to memory of 2256  2504  Kavipsz.exe  30  12
PID 2256 wrote to memory of 544  2256  Kavipsz.exe  31  4
PID 544 wrote to memory of 1316  544  bab.exe  32  12
Processes
1. C:\Users\Admin\AppData\Local\Temp\Kavipsz.exe
   command line: "C:\Users\Admin\AppData\Local\Temp\Kavipsz.exe"
   PID: 2504
   - Drops startup file
   - Suspicious use of SetThreadContext
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\Kavipsz.exe
      command line: C:\Users\Admin\AppData\Local\Temp\Kavipsz.exe
      PID: 2256
      - Loads dropped DLL
      - Adds Run key to start application
      - Suspicious use of WriteProcessMemory
      3. C:\ProgramData\bab.exe
         command line: "C:\ProgramData\bab.exe"
         PID: 544
         - Drops startup file
         - Executes dropped EXE
         - Suspicious use of SetThreadContext
         - Modifies system certificate store
         - Suspicious use of AdjustPrivilegeToken
         - Suspicious use of WriteProcessMemory
         4. C:\ProgramData\bab.exe
            command line: C:\ProgramData\bab.exe
            PID: 1316
            - Executes dropped EXE
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 65KB
  MD5: ac05d27423a85adc1622c714f2cb6184
  SHA1: b0fe2b1abddb97837ea0195be70ab2ff14d43198
  SHA256: c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d
  SHA512: 6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d
- Filesize: 171KB
  MD5: 9c0c641c06238516f27941aa1166d427
  SHA1: 64cd549fb8cf014fcd9312aa7a5b023847b6c977
  SHA256: 4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f
  SHA512: 936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06
- Filesize: 84B
  MD5: b5b2159f4db9cb17c5d801aa106174e1
  SHA1: 8b01d233e6539b548aeb2122399eea41f3b4d1a9
  SHA256: 540af60ccce7a285c71fecd5c09597a1604abe734731488e00498188a2ab5361
  SHA512: 84346d164bd46fb9efda40cca63c1a31d4799e0ef5ee42e094833eeb3a71596309dfc3585b7626fe7e68cddaa94937b1cfa8ae89ff9858bbbf0cd067b7c9e09d
- Filesize: 10KB
  MD5: c2962aaa2e45754c27cfd561af655a64
  SHA1: 738bd61ccaad6cdba0e0c73241c57e936096fdc1
  SHA256: 29d974ba2b643abaea7868127dcd6cfd068242dda52dd816432448c862649908
  SHA512: e939b3115bc87c504b15473b1ff667d28b6eed376ad5511dca3ffe27a94b41b750a5b12b06f5df3e437b63bed539c0befcfc28963afb17985601dfe337d42e03