Analysis

  • max time kernel
    135s
  • max time network
    147s
  • platform
    windows7_x64
  • resource
    win7-20231215-en
  • resource tags
    arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
  • submitted
    28/01/2024, 12:41

General

  • Target
    Kavipsz.exe
  • Size
    10KB
  • MD5
    c2962aaa2e45754c27cfd561af655a64
  • SHA1
    738bd61ccaad6cdba0e0c73241c57e936096fdc1
  • SHA256
    29d974ba2b643abaea7868127dcd6cfd068242dda52dd816432448c862649908
  • SHA512
    e939b3115bc87c504b15473b1ff667d28b6eed376ad5511dca3ffe27a94b41b750a5b12b06f5df3e437b63bed539c0befcfc28963afb17985601dfe337d42e03
  • SSDEEP
    192:xd5UZeTU9CIji4dcgh8V2PnHujraKj9Q:xdyZeUXj35SV2vHuraKj9

Malware Config

Extracted

Family

warzonerat

C2

bossnew.ddns.net:1001

Signatures

  • Detect ZGRat V1 35 IoCs
  • WarzoneRat, AveMaria

    WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.

  • ZGRat

    ZGRat is a remote access trojan written in C#.

  • Warzone RAT payload 4 IoCs
  • Drops startup file 2 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 1 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Suspicious use of SetThreadContext 2 IoCs
  • Modifies system certificate store 2 TTPs 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 28 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Kavipsz.exe
    "C:\Users\Admin\AppData\Local\Temp\Kavipsz.exe"
    1⤵
    • Drops startup file
    • Suspicious use of SetThreadContext
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2504
    • C:\Users\Admin\AppData\Local\Temp\Kavipsz.exe
      C:\Users\Admin\AppData\Local\Temp\Kavipsz.exe
      2⤵
      • Loads dropped DLL
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:2256
      • C:\ProgramData\bab.exe
        "C:\ProgramData\bab.exe"
        3⤵
        • Drops startup file
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Modifies system certificate store
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:544
        • C:\ProgramData\bab.exe
          C:\ProgramData\bab.exe
          4⤵
          • Executes dropped EXE
          PID:1316

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\Cab7023.tmp
    Filesize: 65KB
    MD5: ac05d27423a85adc1622c714f2cb6184
    SHA1: b0fe2b1abddb97837ea0195be70ab2ff14d43198
    SHA256: c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d
    SHA512: 6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

  • C:\Users\Admin\AppData\Local\Temp\Tar713F.tmp
    Filesize: 171KB
    MD5: 9c0c641c06238516f27941aa1166d427
    SHA1: 64cd549fb8cf014fcd9312aa7a5b023847b6c977
    SHA256: 4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f
    SHA512: 936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Bqkmarzra.vbs
    Filesize: 84B
    MD5: b5b2159f4db9cb17c5d801aa106174e1
    SHA1: 8b01d233e6539b548aeb2122399eea41f3b4d1a9
    SHA256: 540af60ccce7a285c71fecd5c09597a1604abe734731488e00498188a2ab5361
    SHA512: 84346d164bd46fb9efda40cca63c1a31d4799e0ef5ee42e094833eeb3a71596309dfc3585b7626fe7e68cddaa94937b1cfa8ae89ff9858bbbf0cd067b7c9e09d

  • \ProgramData\bab.exe
    Filesize: 10KB
    MD5: c2962aaa2e45754c27cfd561af655a64
    SHA1: 738bd61ccaad6cdba0e0c73241c57e936096fdc1
    SHA256: 29d974ba2b643abaea7868127dcd6cfd068242dda52dd816432448c862649908
    SHA512: e939b3115bc87c504b15473b1ff667d28b6eed376ad5511dca3ffe27a94b41b750a5b12b06f5df3e437b63bed539c0befcfc28963afb17985601dfe337d42e03

  • memory/544-1001-0x00000000055A0000-0x0000000005646000-memory.dmp
    Filesize: 664KB
  • memory/544-999-0x00000000744F0000-0x0000000074BDE000-memory.dmp
    Filesize: 6.9MB
  • memory/544-998-0x00000000008F0000-0x00000000008F8000-memory.dmp
    Filesize: 32KB
  • memory/544-1000-0x0000000004D70000-0x0000000004DB0000-memory.dmp
    Filesize: 256KB
  • memory/544-1954-0x00000000744F0000-0x0000000074BDE000-memory.dmp
    Filesize: 6.9MB
  • memory/544-1935-0x00000000744F0000-0x0000000074BDE000-memory.dmp
    Filesize: 6.9MB
  • memory/544-1934-0x00000000005F0000-0x00000000005F1000-memory.dmp
    Filesize: 4KB
  • memory/1316-1956-0x0000000000400000-0x0000000000554000-memory.dmp
    Filesize: 1.3MB
  • memory/1316-1957-0x0000000000400000-0x0000000000554000-memory.dmp
    Filesize: 1.3MB
  • memory/2256-997-0x0000000000400000-0x0000000000554000-memory.dmp
    Filesize: 1.3MB
  • memory/2256-990-0x0000000000400000-0x0000000000554000-memory.dmp
    Filesize: 1.3MB
  • memory/2504-97-0x0000000005270000-0x000000000530F000-memory.dmp
    Filesize: 636KB
  • memory/2504-79-0x0000000005270000-0x000000000530F000-memory.dmp
    Filesize: 636KB
  • memory/2504-61-0x0000000005270000-0x000000000530F000-memory.dmp
    Filesize: 636KB
  • memory/2504-51-0x0000000005270000-0x000000000530F000-memory.dmp
    Filesize: 636KB
  • memory/2504-49-0x0000000005270000-0x000000000530F000-memory.dmp
    Filesize: 636KB
  • memory/2504-47-0x0000000005270000-0x000000000530F000-memory.dmp
    Filesize: 636KB
  • memory/2504-45-0x0000000005270000-0x000000000530F000-memory.dmp
    Filesize: 636KB
  • memory/2504-69-0x0000000005270000-0x000000000530F000-memory.dmp
    Filesize: 636KB
  • memory/2504-67-0x0000000005270000-0x000000000530F000-memory.dmp
    Filesize: 636KB
  • memory/2504-71-0x0000000005270000-0x000000000530F000-memory.dmp
    Filesize: 636KB
  • memory/2504-87-0x0000000005270000-0x000000000530F000-memory.dmp
    Filesize: 636KB
  • memory/2504-89-0x0000000005270000-0x000000000530F000-memory.dmp
    Filesize: 636KB
  • memory/2504-95-0x0000000005270000-0x000000000530F000-memory.dmp
    Filesize: 636KB
  • memory/2504-57-0x0000000005270000-0x000000000530F000-memory.dmp
    Filesize: 636KB
  • memory/2504-99-0x0000000005270000-0x000000000530F000-memory.dmp
    Filesize: 636KB
  • memory/2504-101-0x0000000005270000-0x000000000530F000-memory.dmp
    Filesize: 636KB
  • memory/2504-93-0x0000000005270000-0x000000000530F000-memory.dmp
    Filesize: 636KB
  • memory/2504-91-0x0000000005270000-0x000000000530F000-memory.dmp
    Filesize: 636KB
  • memory/2504-85-0x0000000005270000-0x000000000530F000-memory.dmp
    Filesize: 636KB
  • memory/2504-83-0x0000000005270000-0x000000000530F000-memory.dmp
    Filesize: 636KB
  • memory/2504-81-0x0000000005270000-0x000000000530F000-memory.dmp
    Filesize: 636KB
  • memory/2504-59-0x0000000005270000-0x000000000530F000-memory.dmp
    Filesize: 636KB
  • memory/2504-77-0x0000000005270000-0x000000000530F000-memory.dmp
    Filesize: 636KB
  • memory/2504-75-0x0000000005270000-0x000000000530F000-memory.dmp
    Filesize: 636KB
  • memory/2504-73-0x0000000005270000-0x000000000530F000-memory.dmp
    Filesize: 636KB
  • memory/2504-65-0x0000000005270000-0x000000000530F000-memory.dmp
    Filesize: 636KB
  • memory/2504-63-0x0000000005270000-0x000000000530F000-memory.dmp
    Filesize: 636KB
  • memory/2504-970-0x0000000000680000-0x0000000000681000-memory.dmp
    Filesize: 4KB
  • memory/2504-971-0x0000000004B20000-0x0000000004B5C000-memory.dmp
    Filesize: 240KB
  • memory/2504-972-0x0000000004BB0000-0x0000000004BFC000-memory.dmp
    Filesize: 304KB
  • memory/2504-53-0x0000000005270000-0x000000000530F000-memory.dmp
    Filesize: 636KB
  • memory/2504-55-0x0000000005270000-0x000000000530F000-memory.dmp
    Filesize: 636KB
  • memory/2504-43-0x0000000005270000-0x000000000530F000-memory.dmp
    Filesize: 636KB
  • memory/2504-41-0x0000000005270000-0x000000000530F000-memory.dmp
    Filesize: 636KB
  • memory/2504-39-0x0000000005270000-0x000000000530F000-memory.dmp
    Filesize: 636KB
  • memory/2504-38-0x0000000005270000-0x000000000530F000-memory.dmp
    Filesize: 636KB
  • memory/2504-37-0x0000000005270000-0x0000000005316000-memory.dmp
    Filesize: 664KB
  • memory/2504-2-0x0000000000690000-0x00000000006D0000-memory.dmp
    Filesize: 256KB
  • memory/2504-1-0x0000000074690000-0x0000000074D7E000-memory.dmp
    Filesize: 6.9MB
  • memory/2504-0-0x00000000002F0000-0x00000000002F8000-memory.dmp
    Filesize: 32KB
  • memory/2504-973-0x0000000074690000-0x0000000074D7E000-memory.dmp
    Filesize: 6.9MB
  • memory/2504-974-0x0000000000690000-0x00000000006D0000-memory.dmp
    Filesize: 256KB
  • memory/2504-988-0x0000000074690000-0x0000000074D7E000-memory.dmp
    Filesize: 6.9MB